Every company should want to prevent fraud from happening against their organization, and most companies will not readily admit that their organizations may be vulnerable to any significant fraud. The reality is that many individuals can commit fraud against any organization with a clever understanding of the company’s internal controls structure.
Black’s Law Dictionary1 defines fraud as “a false representation of a matter of fact…which deceives and is intended to deceive another”. Fraud can be perpetrated by an individual within an organization or external to the organization. It is generally described in three categories: asset misappropriation, fraudulent accounting and financial reporting, and corruption.
Fraud is a relevant issue worthy of discussion – particularly in today’s economy. As the price of a gallon of gasoline and the adjustable interest rates on certain home mortgages continue to rise, employment stability and incentive compensation payouts continue to decline2. This dichotomy can increase the pressures and incentives for individuals to concoct fraud schemes to perpetrate. These individuals often rationalize their fraudulent actions by supposing that a) the dollar amount is not significant enough to the company for management to care; b) their current salary is below market and they have “earned” this payoff; c) management is already considering layoffs and the severance packages will likely not cover their immediate expenses; and d) they’re too clever to get caught. With the appropriate amount of pressure/incentive and rationalization, history has shown that some individuals may turn their attention towards the opportunities that exist within a company’s internal control structure that could allow a fraud to be committed and, in the potential fraudster’s mind, not detected.
These three factors (pressures/incentives, opportunity, and rationalization) are commonly referred to as the fraud triangle3, and when all three of those conditions are present the risk of fraud being perpetrated can increase significantly. Of those three conditions, opportunity is the one condition that can most effectively be managed to address fraud risks. This condition is principally managed by designing and implementing a control environment that prevents, detects, and deters most fraudulent behavior, whether conducted by employees, vendors, consultants, or senior management. As part of such a control environment, there are five key anti-fraud controls that companies can implement, and it begins with the tone at the top.
Prevent: A Truly Independent and Empowered Audit Committee
Organizations that have stakeholders and shareholders independent of management (whether publicly traded or privately held) should also have an audit committee that is independent of management4. The audit committee should be knowledgeable of the company’s fraud risk exposure and aware of the steps management is taking to monitor and mitigate those risks. Truly independent audit committees may also maintain healthy levels of skepticism to promote continuous evaluations of the company’s anti-fraud programs and controls. The audit committee has the responsibility to monitor the results of the annual audits and quarterly reviews, and is also responsible for directing the activities of the internal audit department (if one exists within the organization).
According to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation, internal auditors and independent auditors accounted for approximately 29% of the occupational fraud discovered. The independent auditors have auditing standards that they follow to identify material misstatements due to fraud (SAS 99). However, empowered audit committees can play an active role in the direction, monitoring, and evaluation of the internal auditors to ascertain whether the procedures performed are in those areas that carry the most significant risks. Those significant risk areas can be effectively identified through conducting a fraud risk assessment.
Prevent: Conduct Detailed Fraud Risk Assessments
PCAOB Standard No. 5, released in 2007, encourages public companies to conduct annual risk assessments and use the results of those assessments to identify the key controls in the significant areas. PCAOB Standard No. 5 also made specific reference to fraud, encouraging management to identify those key controls that are specifically designed to address the risk of fraud.
One purpose of a fraud risk assessment is to help focus management’s attention on the significant fraud risks to be addressed. A fraud risk assessment can be recurring and systematic, and it can involve various levels of management across all functions of the business. An effective fraud risk assessment may include specific fraud schemes that could be perpetrated against the organization, including the people or departments within the organization that could commit each scheme, the likelihood of that scheme occurring against the company in the current year, and the magnitude of impact that the scheme would have on the organization.
The specific fraud schemes identified can be linked to existing internal controls within the organization that can mitigate the fraud risk. The fraud risk assessment can also include a gap analysis that includes a remediation plan for significant fraud risks that could not be linked to existing internal controls. Some companies may have the appropriate resources internally to apply effective interviewing techniques to identify the fraud schemes that could occur across the organization. However, many companies would be well-advised to consider the use of an external provider to assist in conducting the interviews and facilitating the brainstorming sessions so that the meetings are relevant and focused.
One of the advantages of conducting the fraud risk assessment throughout the organization is that it can increase the visibility of management’s attitudes towards managing fraud risks. The increase in management’s communication about fraudulent behavior typically results in greater employee sensitivity to the importance of acting in an appropriate manner (thereby, potentially reducing some of the rationalization that can occur) and the confidence to report suspicious or inappropriate activities.
Deter & Detect: Promote the Tools for Effective Reporting of Suspicious or Inappropriate Activities
The Sarbanes Oxley Act requires audit committees to establish procedures for the receipt, retention, and treatment of employee complaints across a variety of issues, including fraud and misconduct, and a whistleblower hotline is one of the easiest and least expensive of such procedures. According to the 2008 ACFE Report to the Nation, approximately 46% of all fraud was uncovered through tips. However, the existence of a hotline may not be enough.
Management should also consider conducting periodic evaluations to determine whether the whistleblower hotline is effective, including benchmarking analysis against competitors. The company should consider the use of an experienced outside agency managing the whistleblower hotline to enhance the perception of confidentiality. If an outside agency is not used to manage the whistleblower hotline, the whistleblower complaints can be initially reviewed by an ethics committee of the company (or similar internal resource with direct access to the audit committee) and reported timely to individuals with the appropriate group best equipped to handle the matter.
Since fraud can also include bribery and corruption, access to the whistleblower hotline can be made available to vendors and customers as well as employees. For companies doing business globally, it is advisable for the hotline to be available 24 hours a day, 365 days a year and have multi-lingual capabilities. Most importantly, the availability of the hotline should be communicated on a regular basis, at least annually. As part of this communication the company should consider identifying for the employees the types of activities that should be reported.
Prevent & Deter: Anti-Fraud Policy and Appropriate Trainings
It is not uncommon for employees to be confused as to what activities constitute fraud or misconduct against the organization. Some employees may abuse the company’s reimbursement policy of requiring receipts for expenses greater than $20, and other employees may conduct side business during work hours using the organization’s resources. While these activities may not be regularly called out as significant fraud, they nonetheless misuse the company’s assets and resources. Further, it is important to remember that most fraud starts out small. As the fraud scheme continues over a period of time, the typical perpetrator begins to gain confidence in the fraud scheme and may move on to fraud schemes involving larger amounts.
The tolerance of these types of behavior within an organization could also send the wrong message about management’s lenience towards employee misconduct and fraudulent behavior. This misunderstanding can be addressed by drafting and publishing an anti-fraud policy that clearly defines fraud and misconduct. This definition of fraud can also include specific, relevant examples of behavior that is not acceptable within the organization. Once the anti-fraud policy is published, periodic trainings can be held throughout the organization to provide its employees with a forum to discuss the importance of ethical behavior. In addition to defining fraud, this policy can also address how the company intends to respond to fraud and misconduct allegations.
Deter & Detect: Response to Fraud Allegations
Regardless of the size of the fraud allegation or the individual involved, the organization should consider having a documented policy of how fraud allegations will be investigated and resolved. The policy would typically include procedures for documentation preservation and evidence gathering. The policy can address which individuals or departments should be responsible, accountable, consulted, and informed depending on the nature of the allegation. Similar to fraud risk assessments, there are many companies that may have certified fraud examiners, attorneys, and certified public accountants on the payroll who may be able to conduct an effective internal investigation. However, if the amounts involved are potentially material to the financial statements or might involve members of senior management, leading practices would suggest that in many cases the investigation be conducted by independent attorneys and other third-party specialists. In the event that the fraud allegation subsequently gains the interest of the Securities and Exchange Commission or Department of Justice, adherence to this documented policy could be especially helpful.
Unfortunately, fraud is inevitable in many organizations. Internal controls can deteriorate over time, either because of technological advances or human intervention (management override or collusion). The successful implementation of these five anti-fraud controls is not a guarantee that fraud will not occur. Nonetheless, these additions to an organization’s control environment can play a significant role in deterring individuals from perpetrating fraud because they often send the message that senior management is committed to preventing and detecting fraud committed against the organization.
1 – Source: Black’s Law Dictionary, 6th edition, 1990
2 – Source: Investment News, “Firms Hit Executives in Wallet,” April 21, 2008
3 – Source: Occupational Fraud Abuse, by Joseph T. Wells, 1997
4 – The Securities and Exchange Commission already requires companies, including small business issuers, whose securities are quoted on Nasdaq, or listed on the American Stock Exchange or New York Stock Exchange, disclose whether the audit committee members are independent.
This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who relies on this publication.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.