Late on a Friday evening, many of the executive team members of a packaging firm, Divayo Inc., were in the office preparing for a Monday board of directors’ meeting. Stephen, a CFE at a local accounting firm that worked for Divayo, exited the elevator in the company’s building and followed a swirling sea of cigar smoke to the corner office of Doug, Divayo’s general counsel. He had his feet up on his desk, a Churchill-style cigar in one hand and a Scotch in the other. The board’s briefing binder sat unopened on his desk. Doug stared off into space. Stephen introduced himself, and they engaged in small talk. Doug seemed only mildly interested in Stephen’s responsibility to follow up on an anonymous tip about fraudulent activity at Divayo. Stephen, obviously, didn’t disclose that Doug was the subject of the tip.
The following week, Stephen and a colleague interviewed Doug about a long list of issues, including his approval of unauthorized travel expenses, the awarding of bonuses and pay increases to himself, and conspiring with the company’s CFO to cover cash advances to his personal bank account. Doug said he was innocent, but the document trail was so detailed and compelling that Divayo terminated him after Stephen’s interview.
Unfortunately, Doug wasn’t the only executive at Divayo engaged in fraudulent conduct. Over the course of the next month, Stephen discovered that the company’s entire executive team was committing various frauds.
This is an extreme example of what can happen when fraudulent activity goes unchecked. (This is an actual case, but all names have been changed.) Divayo’s French parent company had long suspected problems at its U.S. subsidiary. Over the years, it had placed a great deal of trust in its executive team to run the business as it saw fit. Yet the U.S. subsidiary always failed to meet the French company’s expectations. Only when the anonymous tip arrived did it have enough information to launch an investigation.
Shortly after it received Stephen’s report detailing widespread fraud, the French parent company — citing its lack of experience helping a company recover from such an incident — made the decision to close Divayo and exit the U.S. market entirely.
Thankfully, in many situations, experiencing fraud doesn’t spell the end of an organization’s existence. With careful planning and an ongoing commitment to fraud prevention and deterrence, organizations can survive and thrive in the aftermath of fraud.
While the French firm viewed its U.S. subsidiary as rotten to the core and beyond saving, it certainly didn’t help that Stephen’s firm lacked experience helping companies recover from fraud — beyond investigating an allegation and sharing its findings.
Some professional accounting firms offer services to help companies recover from fraud and improve their internal controls to prevent more losses, but many more don’t. These firms often don’t see a profit motive in providing these fraud-recovery services because organizations routinely encounter tremendous resistance to any mention of investment in fraud prevention.
Admittedly, it’s a tough sell convincing an organization to spend any money on fraud prevention. However, when fraud happens, many companies end up adrift and unable to regain their financial footing, which, for some, signals a slow descent to insolvency.
So, why do companies struggle to justify investments in fraud prevention in the first place? “It’s been my experience that companies generally don’t believe that they will be victims of fraud,” says Janet McHard, CFE, CPA, CFF, the founding partner of McHard Accounting Consulting LLC. “For business owners, fraud only happens to ‘the other guy.’ The problem with this common mindset is that fraud can and, statistically, will happen to every organization at some point.”
McHard knows from experience that while companies need justifications for spending money on fraud prevention, it’s impossible to run a cost-benefit assessment on fraud prevention initiatives because no one can say exactly how many dollars would be lost to fraud in the absence of fraud prevention. And while surveys exist to help companies justify investment in fraud prevention, according to McHard, the underlying problem remains in that individual companies can’t see their own actual individual fraud loss amounts in the survey.
“So, between a mindset that ‘it won’t happen to us’ and not being able to quantify the actual cost savings from fraud prevention, it’s hard to justify spending money on fraud prevention,” McHard says.
Brian Webster, CFE, CPA, CFF, a senior manager with the Business Advisory Group at Schneider Downs, shares similar experiences to McHard when it comes to selling fraud prevention services. In the aftermath of a fraud, his team works hard to convince companies to invest in fraud prevention by appealing to their sense of logic. “You had this problem, you don’t want it to happen again because if it does it’s going to cost you a lot more money on the back end,” says Webster. “Let us sit down with you guys for two to three days, review your controls, review your processes. We’ll give you recommendations, and then hopefully you don’t have these issues anymore,” Webster adds.
It's been my experience that companies generally believe that they will be victims of fraud ... For business owners, fraud only happens to ‘the other guy.’
Webster’s team has also run across a lack of interest from boards of directors. In another case, the board pushed for a quick resolution to a fraud investigation involving the head of the accounting department. “You could tell the board of directors just wanted it over with,” notes Webster. “For some reason, they weren’t thinking, ‘Hey, we could be in trouble because of this; this happened under our watch.’ ” Instead, the board aimed to blame the executive team by questioning whether they asked for the right financial reports to detect the fraud.
McHard finds that companies place too much reliance on their external auditors. “Companies believe that the external auditors who perform the annual financial statement audit are sufficient,” McHard says. “This, I think, represents a long-standing disconnect between business owners’ expectations for what external auditors can do and what external auditors are actually tasked with under the assurance standards; external auditors are specifically not tasked with finding fraud during audits, but companies often mistakenly rely on external auditors for that regardless of the standards,” adds McHard.
McHard finds that an organization often only invests in fraud prevention when it has a real need, or, as she puts it a real “pain.”
“In many cases, we find that a company calls us asking for a fraud prevention engagement only after fraud has been discovered,” McHard says. “Then they understand that fraud happens and, more importantly, that fraud can happen to them.
“More often though, the company finds itself in the position to try to figure out how to keep going, despite the fraud losses, and they don’t have the time or the money to invest in fraud prevention,” says McHard.
Despite the general malaise surrounding fraud prevention, what if Stephen’s firm had pitched its services to Divayo to help it recover and shore up its internal controls as soon as it completed the investigation? Given Stephen’s familiarity with the case, he could help deploy controls to prevent the fraud schemes perpetrated by every member of the executive team.
Stephen also could ask the company to agree to a quarterly walkthrough of their facilities plus one-on-one meetings with the members of the incoming executive team. Divayo could raise its perception of detection by sending out a brief email to its employees explaining that the CFE’s walkthrough is part of the company’s effort to combat fraud. The message could also encourage anyone with concerns to submit a report to the company’s ethics line or to contact the CFE directly.
At the beginning of the engagement and every year after, Stephen’s firm could administer an internal controls self-assessment to generate a list of areas to address — ranked according to each risk. Stephen and Divayo could then use this list as a road map to strengthen the company’s defenses.
If Stephen’s firm pursued this approach with additional clients, the number of companies completing a self-assessment would grow along with the potential to establish benchmarks by company size and industry. Knowing how other firms of similar sizes within their industries tackle fraud prevention could help organizations justify the investment in fraud prevention.
Regardless of how a firm approaches fraud prevention, organizations must know how to improve their defenses. “At the end of each fraud examination we offer the client a separate report that lays out for them the issues we noted during our examination along with recommendations to fix those issues,” McHard says. Her firm’s reports frequently note that internal controls have been eroded over time because organizations didn’t fill positions for accounting personnel who’ve left.
Sometimes organizations haven’t considered technological changes that led to ineffective fraud prevention methods. “Sometimes the fraud prevention methods we recommend are simple and free or nearly free,” McHard says. “Other times our recommendations are to hire personnel who are better educated or more experienced than current personnel, which is neither simple nor low cost.”
In every case where no hotline is present, McHard says her team recommends that organizations institute anonymous reporting mechanisms and give all employees anti-fraud education so they can understand when to call hotlines.
Sometimes firms incorporate too many controls to fight fraud. Consequently, while a CFE might uncover a lack of controls, or the overriding of existing ones, they might also uncover examples of too much red tape. For example, requiring six people to approve a new vendor is excessive yet not unusual. The organization could speed up the vendor- acceptance process without increasing the potential for fraud by reducing the number of people to three or four.
Instead of putting off or avoiding the cost of fraud prevention, successful organizations build it into their budgets throughout the year by engaging CFEs to conduct quarterly walkthroughs and frequent fraud assessments.
In retrospect, Stephen found Doug’s behavior on that Friday night odd. The packaging firm was in deep financial trouble. Employees were leaving in droves and despite a booming economy and a long list of customers, the company was operating in the red. Something was wrong, yet the company’s general counsel seemed quite content.
While it was too late to save Divayo, CFEs can help save plenty of organizations. All it might take is a willingness to pitch the idea of proactive fraud prevention at just the right time.
Paul McCormack, CFE, is a freelance writer specializing in fraud, security and compliance. He previously worked for SunTrust, EY, PricewaterhouseCoopers and Delta Air Lines. Contact him at paul@mccormackwrites.com.
Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.
Read Time: 6 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
