Helping the Board Set Its Risk Tolerance for Fraud

Matt Kelly | February 25, 2010

Earlier this week I had the privilege of co-hosting an executive roundtable in Atlanta with a dozen ethics and compliance officers, this time with the audit firm Crowe Horwath, where the topic was fraud. The discussion was excellent, and Compliance Week will have full coverage of it in a newsletter in another week or two, but I do want to share one of our more spirited moments here.

I was curious about the board’s role in monitoring and addressing fraud. In theory, after all, the board sets its tolerance for various types of risk—including fraud—and then executives strive to ensure that the business operates within those boundaries. That implies that boards should be willing to ignore some small frauds to focus on the bigger picture.

So, I asked the CCOs at the forum—is that how it really works?

The answer was a diplomatic but clear “no.” Many boards and audit committees tend to establish a risk tolerance for fraud at zero. Sometimes they do that deliberately; other times they do so by accident, grilling CCOs or internal auditors about every fraud that comes along, and sending the message that they have zero tolerance for fraud. That’s not good, and it’s incumbent on compliance and governance officers to know how to talk board directors out of that attitude.

Roundtable attendees had a few good ideas on that score. One person spoke of how she had a matrix to classify fraud problems by location, management level of fraudster, monetary amount, and so forth. Each element in that matrix carried a certain value, and if the total value was great enough she brought the fraud to the attention of the audit committee. Another executive said he puts an emphasis on “new fraud”—that is, a fraud that happened in some way nobody had seen before, regardless of the dollar amount. That makes a lot of sense, since a new fraud runs the risk of being a control failure, where the next errant employee could run the same scam on a much larger scale. Others said frauds in chronically corrupt nations (that’s a polite way of saying “China”) received priority, or sudden spates of fraud where a flock of immaterial problems could add up to a material headache.

Regardless of the solution that might fit your specific company, I do worry that boards can set an obsessive tone at the top about fraud. The plain truth is that boards can only do so much, and at some point must let executives do their jobs. Part of that job is exercising good judgment on when to bring a matter to the board’s attention—and when to understand that no matter how hard you try to prevent it, sometimes fraud happens.