Category Archives: Internal Control

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of or participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

You Can’t Prevent What You Can’t See

The long, rainy Central Virginia Fourth of July weekend gave me a chance to review the ACFE’s latest Report to the Nations and I was struck by what the report had to say about proactive data analytics as an element of internal control, especially as applicable to small business fraud prevention.

We’re all familiar with the data analytics performed by larger businesses of which proactive data analytic tests form only a part. This type of analysis is accomplished with the use of sophisticated software applications that comb through massive volumes of data to determine weak spots in the control system. By analyzing data in this manner, large companies can prevent fraud from happening or detect an ongoing fraud scheme. The Report to the Nations reveals, among other things, that of the anti-fraud controls analyzed, proactive data monitoring and analysis appears to be the most effective at limiting the duration and cost of fraud schemes. By performing proactive data analysis, companies detected fraud schemes sooner, limiting the total potential loss. Data analysis is not a new concept, but, as we all know, with the increasing number of electronic transactions due to advances in technology, analyzing large volumes of data has become ever more complex and costly to implement and manage.

Companies of all sizes are accountable not only to shareholders but to lenders and government regulators. Although small businesses are not as highly regulated by the government since they are typically not publicly financed, small business leaders share the same fiduciary duty as large businesses: to protect company assets. Since, according to the ACFE, the average company loses 5% of revenue to fraud, it stands to reason that preventing losses due to fraud could increase profitability by 5%. When viewed in this light, many small businesses would benefit from taking a second look at implementing stronger fraud prevention controls. The ACFE also reports that small businesses tend to be victims of fraud more frequently than large businesses because small businesses have limited financial and human resources. In terms of fraud prevention and detection, having fewer resources overall translates into having fewer resources dedicated to strong internal controls. The Report also states that small businesses (less than 100 employees) experience significantly larger losses percentage-wise than larger businesses (greater than 100 employees). Since small businesses do not have the resources to dedicate to fraud prevention and detection, they’re not able to detect fraud schemes as quickly, prolonging the scheme and increasing the losses to the company.

The ACFE goes on to tell us that certain controls are anti-fraud by nature and can prevent and detect fraud, including conducting an external audit of a set of financial statements, maintaining an internal audit department, having an independent audit committee, management review of all financial statements, providing a hotline to company employees, implementing a company code of conduct and anti-fraud policy, and practicing proactive data monitoring. While most of these controls are common for large companies, small businesses have difficulty implementing some of them, again, because of their limited financial and human resources.

What jumped out at me from the ACFE’s Report was that only 15% of businesses under 100 employees currently perform proactive data analysis, while 41.9% of businesses over 100 employees do. This is a sign that many small businesses could be doing a basic level of data analysis, but aren’t. The largest costs associated with data analysis are software costs and employee time to perform the analysis. With respect to employee resources, data analysis is a control that can be performed by a variety of employees, such as a financial analyst, an accountant, an external consultant, a controller, or even the CFO. The level of data analysis should always be structured to fit within the cost structure of the company. While larger companies may be able to assign a full-time analyst to handle these responsibilities, smaller companies may only be able to allocate a portion of their time to this task. Given these realities, smaller businesses need to look for basic data analysis techniques that can be easily implemented.

The most basic data analysis techniques are taught in introductory accounting courses and aren’t particularly complex: vertical analysis, horizontal analysis, liquidity ratios, and profitability ratios. Large public companies are required to prepare these types of calculations for their filings with the Securities and Exchange Commission. For small businesses, these ratios and analyses can be calculated by using two of the basic financial statements produced by any accounting software: the income statement and the balance sheet. By comparing the results of these calculations to prior periods or to industry peers, significant variances can point to areas where fraudulent transactions may have occurred. This type of data analysis can be performed in a tabular format and the results used to create visual aids. Charts and graphs are a great way for a small business analyst to visualize variances and trends for management.
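The four calculations named above, run over two periods of statement data and followed by a simple variance check, as an added example that is not part of the original post. All figures are constructed for a hypothetical small business, and the two thresholds (`share_pts`, `growth_gap`) are assumptions an analyst would tune.

```python
# Constructed two-period figures (income statement and balance sheet lines).
PRIOR = {"revenue": 500_000, "cogs": 300_000, "payroll": 90_000,
         "other_expenses": 60_000, "current_assets": 120_000,
         "current_liabilities": 60_000}
CURRENT = {"revenue": 520_000, "cogs": 309_000, "payroll": 131_000,
           "other_expenses": 62_000, "current_assets": 95_000,
           "current_liabilities": 76_000}
EXPENSES = ("cogs", "payroll", "other_expenses")


def vertical(stmt):
    """Vertical analysis: each expense line as a percentage of revenue."""
    return {k: 100.0 * stmt[k] / stmt["revenue"] for k in EXPENSES}


def horizontal(prior, current):
    """Horizontal analysis: period-over-period percentage change per line."""
    return {k: 100.0 * (current[k] - prior[k]) / prior[k] for k in prior}


def ratios(stmt):
    """One liquidity ratio (current ratio) and one profitability ratio."""
    net_income = stmt["revenue"] - sum(stmt[k] for k in EXPENSES)
    return {"current_ratio": stmt["current_assets"] / stmt["current_liabilities"],
            "net_margin_pct": 100.0 * net_income / stmt["revenue"]}


def flag_variances(prior, current, share_pts=3.0, growth_gap=15.0):
    """Return expense lines that warrant follow-up, with the reasons.

    A line is flagged when its share of revenue moved by more than
    share_pts percentage points, or when it grew more than growth_gap
    points faster than revenue did (both thresholds are assumptions).
    """
    v0, v1 = vertical(prior), vertical(current)
    h = horizontal(prior, current)
    flags = {}
    for line in EXPENSES:
        reasons = []
        if abs(v1[line] - v0[line]) > share_pts:
            reasons.append(f"share of revenue {v0[line]:.1f}% -> {v1[line]:.1f}%")
        if h[line] - h["revenue"] > growth_gap:
            reasons.append(f"grew {h[line]:.1f}% vs revenue {h['revenue']:.1f}%")
        if reasons:
            flags[line] = reasons
    return flags


if __name__ == "__main__":
    print("prior ratios:  ", ratios(PRIOR))
    print("current ratios:", ratios(CURRENT))
    for line, reasons in flag_variances(PRIOR, CURRENT).items():
        print(f"REVIEW {line}: " + "; ".join(reasons))
```

On the constructed data only payroll is flagged, which would direct the reviewer to the payroll register for that period.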

I like to point out to small business clients that all of the above calculations can be performed with Microsoft Excel and Microsoft Access. These are off-the-shelf tools that any analyst can use to perform even analytical calculations of great complexity. The availability of computing power in Excel and Access and the relatively easy access to audit tools … known as Computer Assisted Audit Techniques (CAAT), have accelerated the analytical review process generally. Combined with access to the accounting server and its related applications and to the general ledger, CAATS are very powerful tools indeed.

The next step would be to consider using more advanced data analysis programs. Microsoft Excel has many features to perform data analysis, and it is probably already installed on many computers within small enterprises. CFEs might suggest to their clients adding the Audit Control Language (ACL) Add-In to client Excel installations to add yet another layer of advanced analysis that will help make data analytics more effective and efficient. When a small business reaches a level of profitability where it can incorporate a more advanced data analysis program, it can add a more robust tool such as IDEA or ACL Analytics. Improving controls by adding a specialized software program will require financial resources to acquire it and to train employees. It will also require the dedication of time from employees serving in the role of internal examiners for fraud, like internal auditors and financial personnel. Professional organizations such as the ACFE and AICPA have dedicated their time and efforts to ensuring that companies of all sizes are aware of the threats of fraud in the workplace. One suggestion I might make to these professional organizations would be to work with accounting software developers and the current developers of proactive data analysis tools to incorporate data analysis reports into their standard products. If a small business had the ability to run an anti-fraud report as a part of their monthly management review of financial statements without having to program the report, it would save a significant amount of company resources and improve the fraud prevention program overall.

To sum up, according to Joseph T. Wells, founder of the ACFE, “data analytics have never been more important or useful to a fraud examiner. There are more places for fraud to hide, and more opportunities for fraudsters to conceal it.” Clearly there are many resources available today for small businesses of almost any size to implement proactive data analysis tools. With the significant advances in technology, exciting new anti-fraud solutions appear on the horizon almost daily; the only thing standing between them and our clients is the decision to pick them up and use them.