Earlier this week I had the privilege of co-hosting an executive roundtable in Atlanta with a dozen ethics and compliance officers, this time with the audit firm Crowe Horwath, where the topic was fraud. The discussion was excellent and Compliance Week will have full coverage of it in a newsletter in another week or two, but I do want to share one of our more spirited moments here.
I was curious about the board’s role in monitoring and addressing fraud. In theory, after all, the board sets its tolerance for various types of risk—including fraud—and then executives strive to ensure that the business operates within those boundaries. That implies that boards should be willing to ignore some small frauds to focus on the bigger picture.
So, I asked the CCOs at the forum—is that how it really works?
The answer was a diplomatic but clear “no.” Many boards and audit committees tend to establish a risk tolerance for fraud at zero. Sometimes they do that deliberately; other times they do so by accident, grilling CCOs or internal auditors about every fraud that comes along, and sending the message that they have zero tolerance for fraud. That’s not good, and it’s incumbent on compliance and governance officers to know how to talk board directors out of that attitude.
Roundtable attendees had a few good ideas on that score. One person spoke of how she had a matrix to classify fraud problems by location, management level of fraudster, monetary amount, and so forth. Each element in that matrix carried a certain value, and if the total value was great enough she brought the fraud to the attention of the audit committee. Another executive said he puts an emphasis on “new fraud”—that is, a fraud that happened in some way nobody had seen before, regardless of the dollar amount. That makes a lot of sense, since a new fraud runs the risk of being a control failure, where the next errant employee could run the same scam on a much larger scale. Others said frauds in chronically corrupt nations (that’s a polite way of saying “China”) received priority, or sudden spates of fraud where a flock of immaterial problems could add up to a material headache.
Regardless of the solution that might fit your specific company, I do worry that boards can set an obsessive tone at the top about fraud. The plain truth is that boards can only do so much, and at some point must let executives do their jobs. Part of that job is exercising good judgment on when to bring a matter to the board’s attention—and when to understand that no matter how hard you try to prevent it, sometimes fraud happens.