The Sarbanes-Oxley Act was enacted to help fight corporate fraud. Public companies have spent untold millions to comply and hired compliance and ethics officers ostensibly to ensure that the law is adhered to.
Yet, somehow, at the end of the day, fraud is still here.
However comprehensive your code of ethics may be, and however many policies you have, realize this one truth: Your organization could be the next one to hit the headlines. Simply saying, “We strive for the highest ethical standards in our business,” and passing that off as your “tone at the top” will never deter a morally challenged insider from ripping you off. Insider fraud is always a threat, and a company must always police against it. Once you understand that, it’s just a matter of a modest investment of financial and human resources to implement and enforce policies and procedures with teeth.
Establishing A Robust Anti-Fraud Program
Some companies have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud. At these exemplary companies, management is responsible for designing and implementing systems and procedures for the prevention and detection of fraud—and, along with the board of directors, for ensuring a culture and environment that promotes honesty and ethical behavior.
Fraud can range from minor staff theft to misappropriation of assets and fraudulent financial reporting. It also can include embezzlement, identity theft, vendor fraud, conspiracy, and theft of proprietary information. Material financial-statement fraud also can wreak havoc on an organization’s market value, reputation, and ability to achieve its strategic objectives.
The risk of fraud can be reduced through a combination of prevention, deterrence, and detection measures. Organizations need to adopt tough anti-fraud policies, strong internal controls, accountability on the part of all managers, training of employees in fraud awareness, liaison with law enforcement, and other “brass tacks” measures. Consider putting on the management committee’s monthly agenda a standing discussion of what the organization is doing to reduce the occurrence of fraud, and schedule a formal internal audit of the organization’s anti-fraud program in 2007.
Evaluate Anti-Fraud Controls Regularly
Establishing an anti-fraud program is one thing, but there is nothing worse than having a policy that nobody follows. Identifying and measuring fraud risk is one of the first steps in implementing a robust anti-fraud program. Certain fraud risks also can be reduced by making improvements to the organization’s policies, procedures, or processes, and fraud-risk assessments and fraud-risk management efforts contribute to the improvement effort.
Periodically conducting an internal audit of the anti-fraud program is very productive as an independent and objective assessment of current policies and practices. To do this, first conduct the fraud-risk assessment; then identify the key fraud controls and any control gaps; and finally test the effectiveness of the controls. Continuous monitoring by management and continuous auditing by the auditors are also very effective in tackling fraud directly. Many organizations are establishing continuous monitoring and continuous auditing efforts for their critical transactions and information systems; you should, too.
Risk Of Management Override
Yet another fraud risk threatens to undermine all of the efforts discussed thus far: management override. A company can have stellar procedures to block fraud, but they won’t do much good if the top brass simply allows an improper transaction to circumvent those procedures. To help address this risk, a landmark paper was written called “Management Override of Internal Control: The Achilles’ Heel of Fraud Prevention.” It provides extensive guidance for audit committees and others who want their anti-fraud effort working on all cylinders, along with practical help in protecting their organizations from harm. A second must-read paper is “Management Antifraud Programs and Controls: Guidance to Help Prevent and Deter Fraud,” which provides extensive guidance that companies can put to use. (To download copies of these papers and others, please see the Related Resources box, above right.)
Even without reading and digesting the papers, consider having the internal audit department independently review the month- and year-end accounting activities for any unusual transactions, such as suspect journal entries or reversals. You also should consider having an open debate at the audit-committee meeting on what the committee and the company itself are doing to reduce the risk of management override.
An Appropriate Oversight Process
The audit committee should evaluate management’s identification of fraud risks, implementation of anti-fraud measures, and creation of an appropriate “tone at the top.” Active oversight by the audit committee also will help reinforce management’s commitment to zero tolerance for fraud.
The audit committee plays a critical role in helping the board of directors fulfill its oversight responsibilities for financial reporting and other governance activities. To assess risks of things like forgery, credit-card fraud, conspiracy, computer sabotage, Internet-based fraud and so forth, the organization and the audit committee should consider obtaining the advice of specialists, using internal or contracted resources to compile detailed reports regarding vulnerabilities and recommend fraud exposure-reducing actions.
The audit committee also needs to beware of enterprise-threatening fraud risks. While management must cover the entire spectrum of fraud risks, the board needs to be focused on the significant fraud risks and ensuring that an effective risk-management strategy and supporting processes have been implemented.
Having an ongoing debate about what the oversight process should be is a good thing, and evaluating its effectiveness is even better. The parties contributing to oversight efforts include the board, senior management, the internal auditors, the external auditors, and (on occasion) certified fraud examiners. Knowing who is responsible for what, and when to lean on their expertise, will ensure a winning team effort.
Creating An Ethical Culture
The company is responsible for creating a culture of honesty and strong ethics and for communicating clearly the acceptable behavior and expectations of each employee. Directors and officers of the organization set the tone at the top for ethical behavior within the organization.
Employees should be given the opportunity to obtain advice internally before making decisions that could have significant legal or ethical implications. They also should be encouraged and given the ability to communicate about potential violations of the entity’s code of conduct, anonymously if need be (such as via a confidential hotline service). The Open Compliance and Ethics Group’s Hotline & Helpline guide provides a wealth of guidance for implementing this important fraud reduction measure. It has been proven that the ability for staff to safely report issues will reduce the incidence and impact of fraud.
We also need to make managers more accountable for their operations; that is, we should not be waiting for audits before making changes. Management is responsible for the organization’s system of internal control and the effectiveness of its operation, and I strongly encourage managers to evaluate their own results. (It’s called operational monitoring and process improvement.)
An open discussion among the key stakeholders, ideally before any front-page news, is always recommended. Setting clear expectations for everyone involved in your anti-fraud efforts is half the battle. Being diligent in those efforts is the other half. To truly fight fraud, we need a firm policy that is enforced: violators must be investigated and action taken.
Fraud-risk management is here to stay—has your organization implemented an effective strategy for fraud prevention, detection, and response? At the end of the day, are you part of the problem or part of the solution?