Nipping fraud losses in the bud
By James Hunter
Over the past few years, high-profile tales such as Satyam, Madoff, Stanford, and Livent have claimed the headlines with allegations of widespread fraud and corrupt individuals engaged in corporate greed. These stories have fueled the fire for investors and shareholders to demand that organizations address and mitigate the risk of fraud and take proactive measures to bring fraud to light, should it occur.
When public companies were forced to adopt entity-level accounting and governance controls with the arrival of Sarbanes-Oxley legislation in 2002, private companies were still exposed and vulnerable. Although segregation of controls (where more than one person is involved in making, checking, approving and recording a transaction or series of transactions) remains one of the most effective types of strong internal controls, it may not be a feasible option for smaller private companies. However, there are three entity-level controls that should be considered by all companies because they can have a major impact in the detection and prevention of fraud.
These controls are:
1. An effective whistleblower hotline
2. A robust and properly implemented code of business conduct
3. A consistently applied and thorough system to pre-screen new hires
While a robust system of internal controls certainly meets regulatory requirements and may pass muster for audit purposes, a determined fraudster is always able to circumvent internal controls, of which they generally have intimate knowledge. The three entity-level controls that we discuss below make it all the more difficult for the fraudster to proceed and, in many cases, may trigger early detection along the way.
A whistleblower line serves as a mode of safe upstream communication, allowing concerned employees to speak up and voice their concerns regarding wrongdoing, abuse or waste. An effective whistleblower line should provide assurance to the persons who speak up that their comments will remain anonymous and confidential. Fostering an open channel of communication is vital to ensuring that employees feel comfortable in coming forward with what they know. Studies and experience have consistently shown that concerned employees have the best vantage point in seeing or suspecting wrongdoing, and fraud is usually detected when they come forward with their knowledge or suspicions.
Regardless of the size of an entity, everyone who works there should know and understand the expected standards of behaviour. Given the cultural diversity of Canada and the wealth of experiences that people bring with them when they are hired, companies should not take for granted that employees will know what to do on ambiguous issues, such as conflicts of interest, giving and receiving gifts, or speaking up when wrongdoing is suspected. The values of how a company operates on a day-to-day basis have to be articulated, shared, and discussed; employees need to be regularly reminded. This knowledge is best communicated in a robust and properly implemented code of business conduct that guides the moral framework for business decisions. Ideally, it should originate from the most senior executives of a company, and there should be visible and vocal evidence of mandatory adherence.
While it is a truism that trust should be earned through deeds, companies commonly entrust stewardship and supervisory powers to new hires with only a cursory review of their references. Some employers may rely on only one or two references obtained over the telephone, which offer no help when trying to identify fraudsters or people with other problems whose employment will not be helpful to the organization.
A fraudster will have no compunction about falsifying a resume or otherwise providing incomplete information during an interview in order to gain a position of trust. While a background check may weed out a convicted offender, it does not protect against someone who has a history of fraudulent behaviour but no criminal record. At a minimum, companies should implement checks of an applicant’s credit and bankruptcy history, criminal records, verification of education and professional designations, references, past performance, litigation history, and media checks as more indicative sources of credentials. To keep the bad apples out of the barrel, organizations should develop policies and procedures concerning background checks for new hires at different levels of responsibility.
In addition to new hires, it is also important for a company to know with whom it is doing business by conducting third-party due diligence. This is especially important when companies are considering investing in or doing business with entities in developing markets or companies with very limited history. Proper diligence early on can save a company time and resources, along with avoiding personal and business risk.
The past decade has seen investors demand more accountability from company executives for preventing fraud. While these three entity-level controls strengthen a company’s ability to protect itself, more can still be done. Comprehensive fraud and misconduct risk assessments are often performed in large companies to provide a balanced review of the controls central to preventing fraud and misconduct. These plans include proper training of employees to ensure they are aware of the nature of fraud, and active auditing and monitoring plans so that higher risk issues are given priority. An effective emerging strategy in fraud risk management has been proactive data analysis, which takes information companies collect in the normal course of business and applies highly specialized tools to identify potential fraud by making a series of comparisons and other aggregations that may detect anomalies traditionally indicative of fraud or other misconduct.
These measures, taken together, form an effective defence against fraud both in terms of prevention and early detection.
The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG LLP. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.