An Ethical Toolbox

As CFEs, we know that organizations that have clearly articulated values and a strong culture of ethical behavior tend to control fraud more effectively. They usually have well-established frameworks, principles, rules, standards, and policies that encompass the attributes of generally accepted fraud control. These attributes include leadership, an ethical framework, responsibility structures, a fraud control policy, prevention systems, fraud awareness, third-party management systems, notification systems, detection systems, and investigation systems.

CFEs are increasingly being called upon to assist in the planning for an assessment of a client organization’s integrity and ethics safeguards and then as active members of the team performing the engagement. The increasing demand for such assessments has grown out of the increasing awareness that a strong ethical culture is a vital part of effective fraud prevention. Conducting such targeted research within the client organization, within its industry, and within its region will help determine the emerging risk areas and potential gaps in most organizational anti-fraud safeguards. Four key elements of integrity and ethics safeguards have emerged over the past few years. These are the fraud control plan, handling conflicts of interest, shaping ethical dealings with third parties, and natural justice principles for employees facing allegations of wrongdoing.

The need for a fraud control plan is borne out by an organization’s potential fraud losses; typically, about five percent of revenues are lost to fraud each year, according to the ACFE’s 2016 Report to the Nations on Occupational Fraud and Abuse. A fraud control plan typically will articulate an organization’s fraud risks, controls, and mitigation strategies, including:

–Significant business activities;
–Potential areas of fraud risk;
–Related fraud controls;
–Gaps in control coverage and assurance activities;
–Defined remedial actions to minimize fraud risks;
–Review mechanisms evaluating the effectiveness of fraud control strategies.

Management should review and update the fraud control plan periodically and report the results to the audit committee and senior management. Thus, the role of the board and of the audit committee of the board are vital for the implementation of any ethically based fraud control plan. The chairman of the board is, or should be, the chief advocate for the shareholders, and completely independent of management. It is the chairman’s primary job to direct the company’s executives and drive oversight of their activities in the name of the shareholders. An independent and highly skilled audit committee chairman is essential to maintain a robust system of checks and balances over all operations. To be truly effective, the chairman must be independent of those he or she is charged with watching.  The chairmen of the board and the audit committee must devote material time to their duties. While the board can use the company’s oversight functions to maintain a checks and balances process, there is no substitute for personal, direct involvement. The board must be willing to direct inquiries into allegations of misconduct, and have unquestioned confidential spending authority to conduct reviews and investigations as it deems necessary.

One of the most effective compliance tools available to the board is the day-to-day vigilance of the company’s employees. When an individual employee detects wrongdoing, he or she must have an effective and safe method to report observations, such as a third-party ethics hotline that reports to the chairman of the board and audit committee. All employees must be protected from retribution to avoid any possibility of corrupting the process.

A zero-based budgeting process, requiring that the individual elements of the company’s budget be built from the bottom up, reviewed in detail, and justified, can identify unusual spending in numerous corporate and operating units. This provides an in-depth view of spending as opposed to basing the current year’s spending, in aggregate, on last year’s spending, where irregularities may be buried and overlooked.

In organizations with an internal audit division, the overall review would typically be performed by the Director of Internal Audit (CAE), whom the CFE and other specialists would support. This review should be integrated into the organization’s wider business planning to ensure synergies exist with other business processes, and should link to the organization-wide risk assessment and to other anti-fraud processes.

The ACFE tells us that there is a growing consensus that managing conflicts of interest is critical to curbing corruption. Reports indicate that unmanaged conflicts of interest continue to cost organizations millions of dollars. To minimize these risks, organizations need a clear and well-understood conflict of interest policy, coupled with practical arrangements to implement and monitor policy requirements. Stated simply, a conflict of interest occurs when the independent judgment of a person is swayed, or might be swayed, from making decisions in the best interest of others who are relying on that judgment. An executive or employee is expected to make judgments in the best interest of the company. A director is legally expected to make judgments in the best interest of the company and of its shareholders, and to do so strategically so that no harm and perhaps some benefit will come to other stakeholders and to the public interest. A professional accountant is expected to make judgments that are in the public interest. Decision makers usually have a priority of duties that they are expected to fulfill, and a conflict of interests confuses and distracts the decision maker from that duty, resulting in harm to those legitimate expectations that are not fulfilled. Sometimes the term apparent conflict of interest is used, but it is a misnomer because it refers to a situation where no conflict of interest exists, although because of lack of information someone other than the decision maker would be justified in concluding (however tentatively) that the decision maker does have one.

A special or conflicting interest could include any interest, loyalty, concern, emotion, or other feature of a situation tending to make the decision maker’s judgment (in that situation) less reliable than it would normally be, without rendering the decision maker incompetent. Commercial interests and family connections are the most common sources of conflict of interest, but love, prior statements, gratitude, and other subjective tugs on judgment can also constitute interest in this sense.

The perception of competing interests, impaired judgment, or undue influence also can be a conflict of interest. Good practices for managing conflicts of interest involve both prevention and detection, such as:

–Promoting ethical standards through a documented, explicit conflict of interest policy as well as well-stated values and clear conflicts provisions in the code of ethics;
–Identifying, understanding, and managing conflicts of interest through open and transparent communication to ensure that decision-making is efficient, transparent, and fair, and that everyone is aware of what to do if they suspect a conflict;
–Informing third parties of their responsibilities and the consequences of noncompliance through a statement of business ethics and formal contractual requirements;
–Ensuring transparency through well-established arrangements for declaring and registering gifts and other benefits;
–Ensuring that decisions are made independently, with evidence that staff and contractors routinely declare all actual, potential, and perceived conflicts of interests, involving at-risk areas such as procurement, management of contracts, human resources, decision-making, and governmental policy advice;
–Establishing management, internal controls, and independent oversight to detect breaches of policy and to respond appropriately to noncompliance.

Contemporary business models increasingly involve third parties, with external supplier costs now representing one of the most significant lines of expenditure for many organizations. Such interactions can provide an opportunity for fraud and corruption. An enterprise’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics. Many forward-thinking organizations already have codes of ethics in place that set out the values and ethical expectations of both their board members and staff. The board code of conduct should define the behavioral standards for members, while the staff code of conduct should detail standards for employee conduct and the sanctions that apply for wrongdoing. Similar statements also are appropriate for third parties such as suppliers, service providers, and business partners.

A statement of business ethics outlines both acceptable and unacceptable practices in third-party dealings with an organization. Common features include:

–The CEO’s statement on the organization’s commitment to operating ethically;
–The organization’s values and business principles;
–What third parties can expect in their dealings with the organization and the behaviors expected of them;
–Guidance related to bribery, gifts, benefits, hospitality, travel, and accommodation; conflicts of interest; confidentiality and privacy of information; ethical communications; secondary employment; and other expectations;
–Contact information for concerns, clarification, reporting of wrongdoing, and disputes.

Once established, the organization needs to implement a well-rounded communication strategy for the statement of business ethics that includes education of staff members, distribution to third parties, publication on the organization’s website, references to it in the annual report, and inclusion in future tender proposals and bid packs.

Engaged and capable employees underpin the success of most organizations, yet management does not always recognize the bottom-line effects and employee turnover costs when innocent employees are the subject of allegations of fraud and other wrongdoing. About 60 percent of allegations against employees turn out to be unsubstantiated, according to the ACFE. A charter of rights compiles in a single document all the information that respondents to allegations of wrongdoing may require. Such a charter should be written in an easy-to-understand style to meet the needs of its target audience. It should:

–Outline the charter’s purpose, how it will operate, how it supports a robust complaints and allegations system, and how it aligns with the organization’s values;
–Describe how management handles workplace allegations and complaints, and ensure principles of natural justice and other legislative obligations, such as privacy, are in place;
–Provide a high-level overview diagram of the allegation assessment and investigation process, including the channels for submitting allegations; the distinct phases for logging, assessing, and investigating the allegations; and the final decision-making phase;
–Include details of available support such as contact information for human resource specialists, details about an external confidential employee help line, and processes for updates throughout the investigation;
–Illustrate the tiered escalation process for handling allegations that reflects (at one end) how issues of a serious, sensitive, or significant nature are addressed, and encourages (at the other end) the handling of low level localized issues as close to the source as possible;
–Provide answers to frequent questions that respondents might have about the process for dealing with allegations, such as “What can I expect?” “Are outcomes always reviewable?” “What does frivolous and vexatious mean?” “What will I be told about the outcome?” and “What happens when a process is concluded?”;
–Outline the options for independent reviews of adverse investigation outcomes.

For Appearance Sake

By Rumbi Petrozzello, CPA/CFF, CFE
2017 Vice-President – Central Virginia Chapter ACFE

Last Thursday, the 15th of June 2017, the New York State Senate Committee on Ethics and Internal Governance met. The previous sentence reads like a big yawn with which no one, beyond perhaps the members of the committee itself, would be concerned. However, this meeting was big news. The room was packed with members of the media and every member of the committee was in attendance. Why? Because this was the first meeting the committee had empaneled since 2009, as confirmed by the committee’s published archive of events. It turns out that it was indeed a big deal that all committee members were in attendance because, for eight years straight, none of the committee members had attended a single meeting.

If you are thinking that the ethics committee did not meet for eight years because there were no ethical issues to discuss and our state’s legislative leadership practiced only ethical and upright behavior, you would be sorely mistaken. John Sampson, the State Senator who chaired the committee at that last meeting in 2009, was found guilty of obstruction of justice and of lying to federal agents in 2015 and sentenced to jail time in January 2017. Evidently, taking their cues from the tone at the top evidenced by the leadership of their ethics committee, during the same eight-year meeting hiatus, seven other state senators were convicted on charges that included mail fraud, looting a nonprofit and bribery.

So, you might ask, what happened at the meeting last week? The committee had come together to discuss stipends that are supposed to go to committee chairs and that were apparently also being paid to committee vice-chairs (and, in one case, to a deputy vice-chair, whatever that is). There was a motion proposed to stop making these payments to anyone but the committee chair. It seems that just coming together was more than enough work for the committee and, therefore, they tabled the motion, a motion that would not even have been binding, until its next meeting. It should be noted that two of the senators receiving this chair stipend, as vice-chairs, serve on the ethics committee and both voted to postpone voting on the motion. It would be laughable if it were a laughing matter.

Think about where you work and about all the clients with whom we work, as fraud examiners and forensic accountants. We work with our clients and with those who employ us to suggest comprehensive policies that cover good business practices and ethical behaviors and actions. Reading about the shenanigans of the State Senate Committee on Ethics recalled several thoughts:

The assumption that personnel will automatically be motivated to behave as corporate owners want is no longer valid. People are motivated more by self-interest than in the past and are likely to come from backgrounds that emphasize different priorities of duty. As a result, there is greater need than ever for clear guidance and for identifying and effectively managing threats to good governance and accountability.

Even when different employee backgrounds are not an issue, personnel can misunderstand the organization’s objectives and their own role and fiduciary duty. For example, many directors and employees at Enron evidently believed that the company’s objectives were best served by actions that brought short term profit:

—through ethical dishonesty, manipulation of energy markets or sham displays of trading floors;
—through bookkeeping that was illusory;
—through actions that benefited themselves at the expense of other stakeholders.

Frequently, employees are tempted to cut ethical corners, and they have done so because they believed that their top management wanted them to; they were ordered to do so; or they were encouraged to do so by misguided or manipulative incentive programs. These actions occurred although the board of directors would have preferred (sometimes with hindsight) that they had not. Personnel simply misunderstood what was expected by the board because guidance was unclear or they were led astray and did not understand that they were to report the problem for appropriate corrective action, or to whom or how.

Among our clients, lack of proper guidance or reporting mechanisms may have been the result of directors and others not understanding their duties as fiduciaries. Directors owe shareholders and regulators several duties, including obedience, loyalty, and due care. Recognition of the increasing complexity, volatility and risk inherent in modern corporate interests and operations, particularly as their scope expands to diverse groups and cultures, has led to the requirement for risk identification, assessment and management systems.

  • If our client businesses want to do an excellent job at implementing effective ethics programs, orientation of new employees should always involve a review of the code of ethical practice by the staff tasked with compliance and with enforcing policies. How many entities are actively practicing what they preach during such sessions? The values that a company’s directors wish to instill to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance. Usually, such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that appropriate values are respected.
  • After orientation, what steps are companies taking to maintain their ethics programs on an on-going basis? Principles are more useful to employees than just rules because principles facilitate interpretation when the precise circumstances encountered do not exactly fit the rules prescribed. A blend of principles and rules is often optimal in maintaining a code of conduct in the long term.
  • Is leadership periodically coming together to talk about where their firm stands when it comes to ethics and compliance? A code on its own may be nothing more than ‘ethical art’ that hangs on the wall but is rarely studied or followed. Experience has revealed that, to be effective, a code must be reinforced by a comprehensive ethical culture.
  • Is anyone reviewing how whistleblowing claims are being dealt with? Does the company even have a whistleblower program? If so, does the staff even know about it and how it works? Whistle-blowers are part of a needed monitoring, risk management and remediation system.
  • Is leadership setting a positive tone at the top and displaying the behaviors that it is demanding from employees? The ethical behavior expected must be referred to in speeches and newsletters by top management as often as they refer to their health and safety programs, or to their antipollution program or else it will be viewed as less important by employees. If personnel never or rarely hear about ethical expectations, they will perceive them as not a serious priority.

Once, I worked at a company where senior management smoked in the office, behavior that is illegal and was, on paper, not allowed. When staff members complained to human resources, no corrective action was taken. Frustrated, some staff members called the city hotline to file a report. Following visits from the city, human resources put up no smoking signs and then notices encouraging employees to keep reports of inappropriate staff smoking internal. By only paying lip service to policy, this company’s management seemed populated by future candidates for the State’s Senate Ethics Committee. But my former employer doesn’t stand alone, as evidenced by frauds at Wells Fargo and at others. A company can pull out screeds of rules and regulations, but what matters most is what the staff knows and what the leadership does.

In the case of the New York State Senate Committee on Ethics and Internal Governance, what it did was delay a vote on the issues before it until the next meeting. And when will the next meeting be? After taking eight years to set up its last meeting, the committee was in no hurry to set a date for the next. They adjourned without scheduling the next one. They did, however, take a moment to congratulate themselves on attending this meeting. You can’t forget the important stuff.

Tone Deaf

The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest, declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It’s best described as the consistency among statements, assertions and explanations of the management and its actions. In summary, tone at the top is seen by some as a part of and by others as equal to the internal control environment.

The rub comes in because tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but is also invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.

To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory.  The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders).  Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information. TCE aims to explain how firms are formed. Firms are created to minimize transaction costs. The domain of TCE has proven useful to explain management control structures. The performance evaluation needs to be behavioral based, with non-financial subjective measures. Output controls are low with TCE. Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

The stakeholder theory is based on the belief that besides shareholders, there are others with interest in the organization. Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders. Tone at the top represents a form of cultural control to the MCS school. Cultural controls stimulate employees to monitor and stimulate each other’s behavior. Cultural controls rely on group pressure; if a person deviates from the group’s values, the group will put the person under pressure to convert him or her back to the dominant values. Cultural controls are usually translated into corporate governance codes. Corporate governance codes are mainly formulated to prevent/minimize fraudulent activities in organizations by means of internal control. Five methods of cultural controls, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top have been identified.

Tone at the top forms an important part of corporate governance codes. Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy; if staff at any level observes fraudulent activities, they can report them and be protected against possible retaliation.

Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value.  However, recent well publicized corruption cases have led to calls in the popular press for a more formal approach.  So, what might such a formal, COSO based, approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity. Their risk awareness, actions and messages need to coincide with the dominant culture. It is also important for management to formally commit to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to be successful.  Also, employees need to be empowered to make the right decisions.  The reward systems and the culture need to reward desired behavior and be compliant with the norms.  In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.

Finally, the risk appetite should be linked to the strategy.  The supervisory board needs to be independent, active and involved.  Responsibilities need to be defined, and management needs to receive adequate information.

All three of the above aspects are an integral part of what the experts currently define as tone at the top. According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It’s, therefore, necessary to include its assessment in the scope of the fraud examiner’s fraud risk assessment and to formally schedule its periodic re-evaluation.

Singing into the Hurricane

During the last few weeks, when I can find the time, I’ve been reading chapters of former Fed Chairman Ben Bernanke’s recent book on the financial crisis. It’s a sobering experience. What’s most striking to me as a fraud examiner and auditor is how apparently flawed the corporate cultures of the banking and insurance firms involved in the crisis were. But tone at the top and culture weren’t problems for banks and insurance companies alone, as the book makes clear. Time and again, boards across America apparently decided what the tone in their organizations should be, but seemed to fail to communicate it to people lower down the chain. Perhaps their audience didn’t understand the message. Perhaps staff members just decided to ignore it. Other times the message was completely clear, and adhered to by everyone, just completely wrong ethically, and that individual business, along with so many others, simply sailed ahead on a fixed collision course with the whirlwind.

The Chairman makes clear that the challenge is not only to set the right tone at the top, but also to ensure that it’s in harmony with what he calls the ‘tune in the middle’ – the unwritten real world rules that describe how people further down the organization should behave and work. For a business to thrive – or to simply survive – everyone in the organization needs to sing from the same piece of ethical sheet music. On page after page of Bernanke’s book, as the unfolding of the crisis was described, it occurred to me again and again that there’s a lot CFEs and other control assurance professionals can do to assist our clients to forestall the risk of any future, similar crisis.

I think the first time I saw the term ‘tone at the top’ was in a 1987 report on fraudulent financial reporting from the Treadway Commission, which paved the way for the commission’s Committee of Sponsoring Organizations’ (COSO’s) Internal Control-Integrated Framework.  As I recall the framework said, and still says, the CEO has to take ownership of the organization’s control system. Part of the CEO’s responsibility is to set a tone at the top that will enable a positive control environment. That includes providing direction to senior managers and checking how they’re controlling the business. Senior managers, in turn, assign responsibility for more specific internal control policies and procedures to their subordinates. The idea is that the right tone will cascade all the way down through the organization, from top to bottom. But the CEO isn’t the only person responsible for setting the tone. COSO says the full board and audit committee (if there is one) have an important role, as well.  Eventually, further COSO guidance, published for small public companies, fleshed out what a good tone at the top might sound like. And in its most recent guidance on monitoring controls, COSO puts even more emphasis on tone at the top. All COSO publications stress the importance of establishing a culture in which managers are aware of the risks in their part of the business, monitor the controls designed to mitigate them, and take action if those controls aren’t working.

There’s no shortage of guidance on what a good tone at the top should look and sound like, yet this remains, for Bernanke, an issue that many organizations, to this day, still get badly wrong. The banking and insurance sectors are just one example. Official reports like the Chairman’s into the causes of the credit crunch, and such as the one published years ago by the Financial Stability Forum, a group of central bankers, criticize banks for their poor risk management, and point to organizational cultures that failed to recognize the importance of risk management and internal control functions. Many of the banks that failed literally “disempowered” their risk functions.

A lack of support for the value of risk and control functions wasn’t the only indicator that tone at the top in the financial industry had gone generally awry. Another significant one is the controversy over executive pay in the sector. According to Bernanke, the size of bankers’ pay awards and bonuses, the apparent failure to link rewards to performance, and the refusal to forgo or repay bonuses led to the current global political drive to reintroduce a degree of control over pay. Directors’ pay is the litmus test of tone at the top, because pay is the most significant issue over which the interests of shareholders can directly conflict with those of boards of directors. The former want pay levels set in the company’s best long-term interests, while the directors must fight the temptation to line their pockets with short term rewards. Any company with a chief executive who has pay that is considered offensive by colleagues, owners, or the wider society has failed that fundamental test.

And the nature of the financial crisis, according to the Chairman, also tells us something else generally about tone at the top in the financial services industry. While the rocket scientists inside banks and insurance companies were inventing increasingly complicated financial products, their boards failed to ask the intellectually naive but important questions that might have told them that trouble was brewing.  These would have been simple questions, such as “Do housing prices always go up?” and “Can we always trust the opinions of rating agencies?” In failing to ask such questions, boards set a tone of what Bernanke styles “mindless compliance” – and it’s this tone that cascaded down the organization. That meant that the tune in the middle was not right. Middle managers weren’t applying their minds, only singing into the storm. For banks, this failure of middle management’s tune was as damaging as the poor board-level tone. Clearly, culture isn’t just a question of what board directors say and do; there are leaders throughout every part of the organization.  They range from heads of departments, business unit directors, and project team managers, to shop floor supervisors and shift leaders. Every one of them sets an example, for good or bad. Wherever there is someone in a leadership role, there is an opportunity for a gap to emerge between the stated aspirations of the board and what actually happens.

Tone at the top is often categorized as an issue of business ethics (we’ve repeatedly so categorized it in this blog), but the example of the banking and insurance industries during the crisis demonstrates that it’s clearly about more than just that. Ethics are universal, applying to all companies; don’t steal, act honestly, and don’t mislead the board. Tone at the top includes how the company should relate to all of its stakeholders, such as its employees, shareholders, suppliers, customers, and the wider community. So tone at the top symbolizes what the leadership of the business believes the ethical priorities are for that business at this point in time. It’s a question of how senior people expect the organization to be run and organized. That would include the kind of ethical conduct that Bernanke describes, but also the reputational risk appetite associated with every individual project and product sale.

To my mind, Ben Bernanke’s book is the very best on the financial crisis for financially literate readers.  I whole-heartedly recommend it as must reading for all practicing fraud prevention and control assurance professionals.

If You See Something …

“We are again honored to have another guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CFE/CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.

Our Chapter members and other professional readers of this blog are encouraged to submit blog posts for publication here … in addition to publication credit, you establish yourself as an expert in the field of fraud examination and help other practitioners by sharing your valuable expertise!” – Charles Lawver-2015 RVACFES Chapter President…

“If you see something, say something.” Almost every time I ride the subway, I hear or read that message somewhere. The message is accompanied by instructions on exactly how to go about saying something. It’s tedious, no doubt, to hear the same message over and over again but, when I’m not being irritated, I appreciate that, should I spot something that looks out of place, I know exactly whom to tell about it.

Year after year, the ACFE’s Report to the Nations finds that, by far, the most common way frauds are detected is via a tip. According to the 2014 report, tips are described as the most common fraud detection method over all others by two to one. In addition, the report found that companies operating a whistle-blower hotline are the most likely to detect fraud. So, hands down, a tip is the most effective method of detecting fraud; and having a clear and simple method to report that tip results in earlier fraud detection accompanied by superior loss reduction than is experienced by companies without whistle-blower reporting programs. On top of all this, as we all know, since small businesses tend to lack comprehensive systems of internal controls, they also tend to be disproportionately the victims of all kinds of devastating frauds.

We, as forensic accountants and Certified Fraud Examiners, have a duty to help our clients understand how important (and cost effective) it is for a company to establish a whistle-blower program as a key component of its strategic loss prevention plan. Sarbanes-Oxley requires that companies that are listed on the stock exchange establish a system whereby employees can anonymously report corporate wrongdoing. And even though such a program is not a requirement for unlisted companies, it’s important for us to let our client companies know the benefits, and many potentially positive impacts of this vital anti-fraud control. If employees and others know that any fraud will be caught and caught early due to a tip, doesn’t it make sense that it’s foolish for any management not to institute such a rational, cost effective, deterrent?

The form that a whistle-blowing program takes will always vary, based on many company specific factors, including the size of the business and its overall personnel resources. However, there are a number of common characteristics to keep in mind:

  • Employees and others must be able to report their tip anonymously. People feel more comfortable with anonymity when it comes to reporting a tip, for obvious reasons. If anonymity is not possible, then confidentiality, at the very least, must be assured.
  • There must be no retaliation for reporting a tip. Fear of exposure and retaliation often keep a prospective tipster from reporting fraud.
  • There should be various options for reporting a tip – for example, a phone line, a dedicated website or US mail are all viable options. Different people are comfortable reporting in different ways and so a business should take steps to make sure that it’s providing its people reporting options among which to select those with which they’re most comfortable.
  • Those making a tip should be able to get a case number, should they want one, in order to follow up on the progress of the resultant investigation.
  • The process of reporting suspected fraud should be simple and straightforward; a whistle-blower should not have to go through a complicated process in order to provide his or her information.

Once this whistle-blower program has been established, it’s essential that employees and parties with whom the business habitually works, such as vendors, are aware of the program and are encouraged to use it. This is a vital part of creating a whistle-blower program whose importance is often overlooked. Education about the program should be included as a component of the company’s employee orientation training on business ethics and overall fraud prevention. All too often, when employees are hired and receive training on their new positions, there is little or no training on either fraud prevention or the reporting of suspicious activity. New and existing employees should receive instruction on:

  • how fraud and waste can negatively impact the company’s jobs, profits and reputation; that they are encouraged to come forward with any information regarding fraud, waste or abuse;
  • how they can make reports anonymously or confidentially and that reports do not need to be made to their immediate superiors;
  • how there will be no retaliation against them for making these reports and that all reports will be promptly and thoroughly investigated;
  • how to go about making a report;
  • how much the business values each of its staff and urges each of them to say something when they see something;
  • how the business does not support any type of unethical or fraudulent behavior, and that those found perpetrating fraud will be promptly and appropriately punished no matter their position or status.

Unfortunately, all too many businesses still believe they don’t need a whistle-blower program. They may tout their open-door policies and think that their management is friendly enough for any employee to step up and report whatever wrongdoing they come across. However, time and time again, we’ve seen that this approach to fraud identification is a pipe dream. Numerous companies have reported that the implementation of a whistle-blower program results, in every case, in an increase in reported suspicious behaviors and in the prevention and resultant detection of instances of theft, waste and abuse. It’s been demonstrated, year after year, that over 40% of frauds are detected through whistle-blower tips; management review, which comes in second, accounted for the detection of only 16% of the total frauds reported in 2014. That’s a significant difference and yet, companies will invest more in additional layers of management as a fraud deterrent than they will in the creation of a far more cost effective whistle-blower program.

We need to work harder at educating management and owners on the benefits of instituting a whistle-blower program. It should be a standard component of any fraud prevention and detection program. And once it is, employees need to know how it works so well that it is almost irritating, like those subway train announcements.

Over and Over Again

“We are again honored to have a ninth guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.” – Charles Lawver-2015 RVACFES Chapter President…

Every once in a while, I find myself being less than cutting edge. I tend to wait until version two (or later) to get a cellphone. Also, I waited until ten years after its release to watch Enron: The Smartest Guys in the Room. I can’t tell you what I was up to when it first came out, but I know that once I was ready to watch it, everyone had already seen it. So I waited… and waited… and waited. For ten years. I finally did get to watch it and it was eye opening, and very depressing.

Continuing education in ethics is an annual requirement for Certified Fraud Examiners and CPAs and, just about every time I attend an ethics session, I hear complaints, from fellow attendees, who don’t see why they need to be there. I’m surprised because the case studies presented during most of these sessions are intriguing. I’m also surprised because often the attendees don’t agree with one another on what the ethical approach to an issue is. These two factors alone have kept me interested during ethics training sessions! Watching The Smartest Guys in the Room hit home how important it is to not only have ethics training but also to refresh that training on a regular basis.

As CFEs and CPAs, we tell our clients about the importance of implementing fraud prevention and detection measures, such as:

  • A code of conduct;
  • Ethics training; and
  • A whistleblower hotline.

However, how many of us tell our clients that they should remind their employees of these policies and controls on a regular basis? Not once, at any of the places I’ve worked, following initial training, have I received any guidance on enterprise anti-fraud policies and procedures. The reminders that do manage to make the rounds are concerned with the company dress code and office hours. So, employers are telling employees that they need refreshers on issues regarding the routine of what they do every day but only need to be told once how to help detect and prevent fraud in the company? They need to be told only once how ethical behavior is valued by the company? And yet, the New York subway system knows to constantly remind us that if we “see something” we should “say something”. The Enron movie was a stark testament to how really wrong and dangerous that kind of corporate thinking about the importance of ethical conduct is.

Throughout the film, I saw how, from the launch of the company, the tone at the top at Enron was at first shaky and over time became fully ethically challenged. As long as the CEO, Kenneth Lay, and his company were not themselves the victims of management’s predatory actions and as long as the company profited, he turned a blind eye to, and even actively encouraged, theft and cheating to make money. He willfully hired those who blatantly looked down on and ridiculed ethical conduct and, not once in the company’s whole sad story was any kind of staff ethical training or any kind of fraud prevention/detection program undertaken. During the documentary, former employees spoke of instances of  blatantly unethical behavior to which they either turned a blind eye, or to which they became a part, mostly for personal financial gain. Even after everything fell apart employees who benefited from company actions found ways to rationalize what went awry.  If all this weren’t enough, potential inside whistle blowers found they had no channel by which to communicate what they knew to be wrong. So, for almost twenty years, unethical practices flourished. And yes, I’m sure that Enron employees received those reminders about dress code and office hours more frequently than they received any kind of reminders about the importance of their ethical conduct or responsibilities regarding  fraud detection and prevention.

As CFE’s and CPA’s we all need to make it a priority to get our clients to prioritize a program of continuous ethics training to include staff responsibilities for fraud prevention and detection. Employers and employees must be given forums to talk about ethics often and they should be reminded what steps to take when they see something, in order to say something. If staff need to be reminded how to dress and what time to get to work, don’t you think they need to be reminded about the importance and power of ethics? The long term employment of all of us really does depend on it.

At Your Service

“We are again honored to have an eighth guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.” – Charles Lawver-2015 RVACFES Chapter President…

I’ve written before about some of my experiences when I worked in audit. Some clients dreaded our arrival and treated us as though we were the enemy. We would be placed in the smallest, dingiest room they could find and had to beg for the tiniest morsel of information.

Getting information was like pulling teeth and would often come with a litany of complaints, from the clients, about how we were wasting their time and were an incredible burden to have around. To them, we were a necessary evil. It was often very easy to forget what our true purpose was.

Recently, I was reminded of those days. I was in a colleague’s office, a fellow CPA, helping her out during a particularly busy time. She offers her clients a full range of CPA services, from audit and attestation to tax services. The clock was ticking down to April 15th and she had a steady stream of clients coming through her door, seeking assistance, mostly with tax matters. People came to her believing that she could solve their problems, regardless of how large and complex the problems seemed to them to be. Some came to her almost in tears, others terrified because of some errors that either they or a prior tax preparer had made. Others came because mail from a state or federal authority regarding an impending audit or unpaid taxes had them concerned about possible fines, interest charges and even incarceration. They sought her help because they trusted her, as a CPA, to be ethical and professional. They trusted that she has both the expertise and commitment to serve their best interests, even when they don’t like what she has to say.

Certified Fraud Examiners are held in high regard, not only because of the rigorous training we go through in order to attain and maintain our credential, but also because of the high ethical standards required of us. The CFE Code of Professional Standards states that it’s our duty to serve our client, the public interest and each other. It also states that at all times we must maintain our integrity. The ACFE works hard to maintain its standards, disciplining those who violate them and providing resources to members to assist them with their work.

It’s essential for us to adhere to these standards, most especially when what we have to say or do will not make us popular. Just the other day, I was reading an article about a study that has shown flawed analyses in forensic hair comparison. In the cases reviewed the examiners overstated the accuracy of their analysis and skewed their opinions in favor of prosecutors. At the time, the examiners must have felt good, giving testimony that made prosecutors happy. However, their actions may now occasion long reaching outcomes, and not of a positive nature.

People should not turn to us because they know we are going to say what they want to hear. They should come to us because they know we are applying the standards of our profession and performing with integrity. They should come to us because they believe that, in the long term, the results of our work will stand review. They should come to us, not because we are popular but because we are honest, ethical and professional. We should be the gold standard, even if that sometimes has us working in a tiny, stuffy and windowless office.

Ethics 2014 & the Fraud Triangle

Last Thursday, on August 28th, our Chapter and our partners, the Virginia State Police and Old Dominion University (ODU) co-sponsored our annual three hour seminar on professional ethics for practicing CPA’s and fraud examiners.

Our speaker, Dr. Douglas Ziegenfuss, head of the accounting department at ODU, heavily emphasized the importance of organizational tone at the top and of understanding the elements of the ACFE’s fraud triangle as key fraud prevention components during the vigorous ethics related question and answer session following his main presentation.

In response to a question about the Enron frauds submitted by one of our on-line Chapter members, Dr. Ziegenfuss commented that fraudulent financial reporting and misappropriation of assets are two types of financial misstatement that often involve organizational management. Fraudulent reporting comprises intentional misstatements, including omissions of amounts or disclosures designed to deceive financial statement users that are not presented in conformity with generally accepted accounting principles (GAAP). Dr. Z. emphasized that such reporting may involve rationalizing a material misstatement, such as an aggressive rather than indefensible interpretation of complex accounting rules, or a temporary misstatement (as with Enron) to be corrected when results “improve”. This type of activity often involves management over-ride of controls, hence presenting itself as an issue involving corporate culture and tone at the top.

The ethical implications involved in these situations appear cut and dried when viewed after the fact but can often be murky when assurance professionals like CPA’s and CFE’s confront them during actual practice situations.   Misappropriation of assets comprises external and internal schemes, embezzlement, payroll fraud, and theft of assets.  These abuses are often minor and are typically committed by employees, though the same frauds committed by managers and top executives are often more costly because of their ability to conceal such activity.  Misappropriation may also include expenditures and liabilities for improper purposes in the form of commercial and official bribery.  Although misappropriation of assets often is not material to the financial statements, it can still result in substantial losses to the organization.  Since even the smallest detected fraud may be only the tip of an iceberg, it can be argued that no detected fraud, whatever its dollar amount, is really ever immaterial.

As the ACFE has so long told us, fraud involves incentives or pressure to commit a fraudulent act, a perceived opportunity to do so and some rationalization; for Dr. Z. the rationalization part represents the heart of the ethical dilemma confronting the fraudster as well as the practicing financial assurance professional striving to detect its results.

According to Dr. Z’s presentation, factors that drive individuals to commit financial fraud include excessive pressure to meet financial targets and unrealistically optimistic annual report messages.  In addition, a firm may be threatened by heavy competition, market saturation or rapid change, takeover, the need for extra financing, or cash flow problems.  Even otherwise honest individuals can resort to the commission of  fraud in an environment that imposes such threats or related pressures.

Ineffective controls, the absence of controls, or the ability of management to override controls can all provide an opportunity for the ethically challenged to commit fraud. These factors may be directly related to insufficient monitoring of management activities, or they may stem from ineffective board of directors or audit committee oversight of the processes of financial reporting and internal control.  So, fraudulent financial reporting can arise from numerous opportunities, including significant related party transactions (as at Enron) that are outside the scope of the ordinary course of business.  A strong financial presence in the market or the ability to dominate a certain industry, enabling the enterprise to dictate terms to suppliers or customers, may also lead to inappropriate transactions.  In addition, according to Dr. Z., opportunities for fraud may also derive from the content and presentation of the financial statements themselves, such as when estimates or assets, liabilities, revenues or expenses are uncertain, subjective, or difficult to corroborate.  Some transactions, especially those close to period end, often pose difficult substance over form questions and provide opportunities for upper management to engage in fraudulent reporting.

Finally, as the third element of the fraud triangle, we have the rationalization so important to the justification process of the ethically challenged. Fraudsters must possess a particular mindset that enables them to justify or rationalize the act of the fraud.  The greater the incentive or pressure, the more likely an individual will be to devise a fitting rationalization.  Dr. Z. commented that detecting the risk factors that make board members, management, or employees prone to such rationalizations can be difficult.  Danger signs include excessive interest by management in stock price or earnings trends, or unrealistic financial report objectives.  Other risk factors include management failure to correct known reporting conditions timely, or non-financial management’s excessive preoccupation with the determination of significant estimates.

In conclusion, to combat fraud prone rationalizations at all levels, organizations should maintain comprehensive fraud risk identification processes that include an assessment of the incentives, pressures and opportunities to commit financial fraud.  Our Chapter’s thanks to Dr. Z. for pointing out, as a component of a stimulating discussion of CPA and CFE 2014 ethical practice requirements, that the fraud risk identification process should go beyond addressing only those fraud risks that could have a material impact on the financial statements to include a broad consideration, by the assurance professional, of the entire ethical culture of the client organization.

Controlling the Smartest Guy in the Room

According to the ACFE’s recently published ‘Report to the Nations on Occupational Fraud & Abuse – 2014 Global Fraud Study’, there’s a strong correlation between a fraudster’s level of authority and the financial impact of the fraud in which s/he is involved. In the ACFE’s 2014 data, owners/executives accounted for less than one-fifth of all frauds, but the median loss in owner/executive cases was $500,000, approximately four times higher than the median loss caused by managers and nearly seven times that of employees. Thus, higher corporate authority tends to be strongly correlated with loss because high-level fraudsters generally have greater access to organizational assets of all kinds and are better able to evade or override controls than lower-level employees. The amount of dollar losses involved in fraud schemes perpetrated by owner/executives is large enough to justify pursuit of the answer to the question as to why a single individual (often arguably the most powerful executive in a company), would resort to high risk financial fraud, often seemingly against his or her own long-term best interests?

Contemporary discussions of fraud prevention and control most often focus narrowly on performance issues involving safeguards over the physical environment within the context of some given level of automation.  This is logical in that internal controls and technology, in and of themselves, can act only as a restraint without reaching the interior landscape (the moral ethical grounding) of any fraudster.  By themselves, the state of preventative/descriptive controls and related technology can help the fraud examiner explain how a fraud happened but can contribute little to why it happened.  Thus, the key to a fuller understanding of these most devastating and costly frauds, in most cases, boils down to developing an understanding of the behavior of a single individual.  The full investigation of these types of frauds entails somehow placing questions about individual ethical behavior at the center of the fraud paradigm.

To the philosopher Aristotle, the study of the ethics of individual citizens is a component of the study of politics, addressing issues of individual governance within the extended context of how best the citizen’s polis or city should best be governed.  This is because individual excellence (or its opposite) never occurs in a vacuum. There has to be some sort of wider context, the environment, or extended family, in which every human act is rooted.

Before resorting to a fraud scheme, the owner/higher executive’s personal assessment of the environment has to lead to the conviction that such a series of acts is feasible or, at least, justifiable business practice (this has certainly been the case in every major CEO involved fraud from Enron to the recent insider trading scandals on Wall Street). The individual’s desire and corresponding motivation meet the conviction that the scheme can be pulled off without consequences (or, in a number of high profile recent cases, with affordable or manageable consequences). The desire to possess whatever gain provides the motivation to originally put the scheme in motion, combined with a belief regarding the controllability of the negative consequences, provides the self-assurance that, “If I do this, just this once, I will get that.” The lure of ‘just this once’ was demonstrated by Kenneth Lay, Chairman, founder and CEO of Enron and by the actions of his management team; their every act to control the consequences of their multiple, inter-related and increasingly complicated fraud scheme(s) only dug the hole deeper until they collectively buried all the “smartest guys in the room”. To view oneself as the smartest guy in the room is to adopt the kind of short term, narrow frame of reference that feeds narcissistic self-indulgence, one of the defining characteristics of many high-earning chief executives. On the other hand, those CEO’s who consider a wider frame of reference (a longer term consideration of the pooled consequences of opportunities and risks over time) seem to somehow successfully avoid entanglement in the snares of immediate bottom line gratification involved in such schemes as cooking the books.

Selfishness is a character trait that, depending on the circumstances, can serve any particular individual well or ill.   Owners and CEO’s inclined to put personal interests above everything else are the most inclined, in the presence of financial stressors, to pursue their ends, in the short run, by any means necessary; this has been demonstrated to experienced fraud examiners and forensic accountants time and time again.  On the other hand, board members and stockholders, by keeping the focus firmly on an appropriately balanced mix of short term and long term goals can assist their organizations by structuring their corporate environments to increase the likelihood that the inevitable upper management temptations will likely not be acted upon.

Strong ethical codes and involved audit committees can help but can only go so far; in the end considerations favoring behavior contrary to internalized ethics are simply silenced in the ethical person by the desire to put the interests of others above the immediate interests of the self; although s/he may experience inducement to vice, the ethical chief executive will not count them as reasons for action.

Fraud Examiners and other assurance professionals need to re-assure client managements that their best defense against the ethically challenged owner or CEO is a workforce provided by education with a firm understanding of the many reasons why the corporation chooses to operate in accordance with ethical values. Even in the face of opportunities, ACFE research shows that a majority of an ethically informed workforce will not take advantage of circumstances even when they ascertain that the fraudulent act is feasible and the consequences, if any, can be controlled. It’s not the opportunities, but rather temptations for short term gain that act like powerful magnets, sucking the smartest guys in the room into fraudulent acts.

Richmond ACFE Chapter Meeting Webcast – 9/22/2013 – The Foundations of Professional Ethics

This week's webcast is fifty-five minutes in length, on the topic of The Foundations of Professional Ethics.