Create an Anti-Fraud Corps
Print Issue: April 2012
FRAUD IS A SIGNIFICANT THREAT facing businesses around the world. Recent studies indicate that approximately 20 percent of companies have experienced a significant instance of fraud in the past two years. Further, the Securities and Exchange Commission (SEC) reported a record year for fraud enforcements in 2011 and has announced that it expects even more in 2012. Based on these statistics, it is likely that most companies will have to deal with allegations of internal fraud at some point. Therefore, companies should have a consistent and well-documented fraud response program that can be activated to handle the investigation. Such an effort should have two key components: the team and the plan.
It must be clear who within the company has responsibility for evaluating and responding to allegations of fraud. One approach is to establish a fraud, risk, and investigations oversight committee with representation from compliance, internal audit, general counsel, IT, human resources, and security. Typically, this committee is chaired by someone in the compliance, general counsel, or security department. This team’s first task will be to develop a plan for dealing with fraud (more on that ahead).
Team members should also be trained and ready to assist in the various aspects of these investigations. Which members will be involved in each case will vary according to the type of incident. Formulating a sound fraud response oversight plan will help the oversight committee determine who should be involved with each investigation and how the company should respond.
The investigations oversight committee can begin by researching and sharing best practices on how to conduct investigations and, more broadly, how to deal proactively to prevent fraud and reactively in response to reports of fraud.
As part of the plan, the committee should consider how incidents are reported, how information is gathered on those incidents, who has the responsibility for investigating, how to report the findings of the investigation, and how to conduct remediation. The committee may want to consult attorneys and accountants for expert advice as well.
The group must ultimately develop investigative protocols that can be followed as part of an overall corporate compliance program. This will ensure that the company has a consistent framework for investigating fraud. That can help to reduce the risk of costly settlements. The failure of an ineffective corporate compliance program has been one of the themes noted in recent Department of Justice prosecution agreements under the Foreign Corrupt Practices Act (FCPA).
Incident reporting. A company must have an effective process by which employees can report suspected fraud, and management must make sure that employees are aware of that process. That is even more true since the implementation of the whistleblower provision in the the Dodd-Frank Act, which has led companies to want to ensure that their employees are aware of their own internal hotline process and will first exercise that option as opposed to calling the U.S. government’s hotline.
More and more companies are sending out surveys, conducting webinars, and using other internal communications to ensure that awareness is raised and that employees are comfortable calling the internal hotline or using other internal mechanisms to raise potential allegations.
As the global footprint for companies expands, they also have to consider the impact and accessibility of hotlines in the various global regions in which they operate. One issue is whether that is an acceptable tool in every region or whether employees in some regions feel more comfortable raising issues personally to management.
Public companies will need to notify their audit committee and external auditors if it is considered a serious incident of material fraud. There are additional requirements for the CEO and the CFO to make disclosures of such events in reports to the SEC.
Information. Once the company has been notified of a fraud allegation, it needs to ensure that it has a process in place for preserving relevant information. “Efficiently culling through the volumes of information involved in an investigation is critical to the overall success of the effort. That means knowing what data to review as well as having the right personnel with the necessary computer forensic, e-discovery, investigative, and data-analytics skills and the appropriate tools and methods to identify, collect, analyze, and review such information,” says Dan Torpey, a partner with Ernst and Young, who specializes in investigations.
Responsibilities. Who leads the investigative team will depend on the nature of the alleged fraud being investigated. The members of the team will also depend on the type of fraud and the level at which it was committed.
Types. When the fraud oversight committee is first presented with the information gathered, it must evaluate the information and make key strategic decisions. The first step is to place the case into one of three categories, representing the most common types of fraud: fraudulent statements, misappropriation of assets, and corruption.
Fraudulent statements can include revenue recognition fraud, such as reporting fictitious sales, and alterations to financial reports. Misappropriation of assets can include anything from physical theft to setting up fake vendors, payroll fraud, and theft of data. Corruption can include conflicts of interest, bribery, and bid-rigging.
While there is some commonality among these types of fraud schemes, they often require different skill sets from investigators. Based on the type of fraud, the committee will determine which