
Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove that the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming it. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of, or participation in, the underlying criminal events, and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability to a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations creates real risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Securities Litigation Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to conclude that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

The Class Action Machine

The recent troubles at Wells Fargo raised a number of questions in the mind of one of our Chapter members about the class action lawsuits that seem to immediately follow public announcement of such financially involved frauds. Specifically, she asked who, among the various classes of defendants in a typical financial fraud case, is most likely to get sued after the fact.

As I’m sure most financial professionals know, a class action is a type of lawsuit in which a single representative individual is permitted to sue on behalf of an entire group of similarly situated individuals known as a “class.” A class action theoretically comes about when an aggrieved shareholder (or in Wells Fargo’s case a shareholder or perhaps a type of defrauded account holder) contacts a lawyer and explains that s/he has been harmed. The law then generally permits that single party to sue on behalf of all similar share or account holders. Although the common conceptual justification for class action litigation begins with a single aggrieved affected individual reaching out to a lawyer to seek redress, the reality is somewhat different. As our Chapter member indicated she is aware, shareholder class action litigation tends to be prosecuted by a small number of highly specialized law firms and, over the years, these firms have developed practices and relationships that enable them to take the lead in commencing shareholder litigation almost on their own. A practical consequence is that, within days after issuance of a press release revealing financial fraud, the class action lawyers will normally have their lawsuits already prepared.

The catalyst for commencement of the litigation will often be the company’s initial press release announcing the fraud. Among other things, the lawyers may glean from the press release that accounting irregularities have surfaced, that earlier SEC filings are false, which line items on the financial statements are affected, and the board of directors’ preliminary information as to how far back the accounting irregularities go. With that information in hand, the class action lawyers will pull from their word processors an earlier complaint filed in a similar case and quickly insert the specifics of the company at hand. In the haste to be the first firm to file a lawsuit, the revision process is not always thorough, and factual errors are common in almost all initial filings.

Although a detailed exposition of all the steps involved in such a suit is beyond the scope of this short post, the following are the typical steps that unfold during the process:

  • The company’s initial press release;
  • The company’s receipt of a series of complaints;
  • Production of a single consolidated complaint;
  • Motion to dismiss by the defendant company;
  • Document productions;
  • Depositions;
  • Settlement (if necessary);
  • Trial (almost never).

From the perspective of the board of directors, the result will be that, within several days of the issuance of the company’s initial press release, the company will begin receiving a number of seemingly duplicative lawsuits in which the only significant difference seems to be the name of the representative shareholder seeking to represent the interests of the class. In truth, a shareholder gains no meaningful strategic advantage over the defendants in rushing to be named the class representative. In the end, only one class of similarly situated shareholders will be certified and only one complaint ordinarily will survive.  Rather than trying to get a strategic advantage over the defendants, the interest of a plaintiff in rushing to be named the class representative is to get an advantage over the other plaintiff shareholders—or, more precisely, their lawyers. For a class action plaintiff’s lawyer, having one’s client named the class representative opens the door to the lion’s share of the legal fees.

So, to answer our reader’s question, who are the main candidates most likely to get sued in one of these actions?

  • The company. The corporate entity will almost inevitably be named a defendant. Also named may be a parent company or holding company. The plaintiffs will argue that the corporate entity or entities are responsible for the wrongdoing of their individual officers and directors;
  • Officers who have resigned, been terminated, or placed on leave. It may be that the initial press release will have identified particular officers who have resigned, been terminated by the board, or been placed on paid or unpaid leave. The plaintiffs’ lawyers will infer from any such corporate action the officers’ complicity in wrongdoing;
  • The CEO and the CFO. Prime candidates to be included as defendants are the chief executive officer and the chief financial officer. The plaintiffs will infer from their positions some level of complicity. Also, they will have signed what have now turned out to be incorrect SEC filings, such as a Form 10-K or Forms 10-Q;
  • Particular officers. Beyond the CEO and CFO, other officers may be named as defendants depending on the nature of the fraud (as described in the press release) and a particular officer’s proximity to it. For example, if the fraud involved improper revenue recognition (on fraudulently opened accounts, for example), the plaintiffs may seek to include as a defendant the officer or officers with responsibility in the new account generation area. Similarly, if the fraud involved improprieties at some remote location, those responsible for operations or the financial reporting function of that location may be named;
  • Outside directors. These days, outside directors tend not to be included as defendants. Historically, all outside directors would be named as defendants almost as a matter of course. Congress’s passage of federal securities law tort reform in the mid-1990s, however, has operated as an important impediment to the inclusion of the entire board—at least in the absence of evidence suggesting an individual director’s knowledge or complicity;
  • Underwriters. Where the company has publicly issued stock within the last three years, the underwriters may be included. For the corporate issuer, this is particularly unfortunate insofar as typical underwriting documents will provide for corporate indemnification of the underwriter in the absence of the underwriter’s own wrongdoing;
  • Selling shareholders. An issuance of public stock within the prior three years may also open the door to the inclusion as defendants of shareholders who participated as sellers in the offering. Plaintiffs may seek to show their complicity based on inferences drawn from their natural desire to see the stock price sustained or increased during the period prior to their sale;
  • The outside auditor. Several years ago, inclusion of the outside auditor in an accounting irregularities case occurred as a matter of course. Today, the inclusion of the outside auditor as a defendant, at least in the first complaint, has become less automatic. As with the inclusion of outside directors, the federal securities law tort reform legislation in the mid-1990s erected barriers to naming the outside auditor, at least without particularized facts showing auditor complicity. However, the auditor may not be left out forever. An important objective of the plaintiffs will be assembling detailed evidence sufficient to make claims against the auditor stick.

As to the outcome of these types of suits, in the great majority of cases the parties will come (sooner or later) to a negotiated settlement figure. A canned settlement agreement will emerge from the files of the plaintiff’s law firm, be marked up to fit the circumstances of the present case, and be signed, effectively ending the process.

Our thanks to our Chapter member for a thought provoking question!  Please, keep them coming!

After the Deluge

Few events are more devastating to a firm’s reputation than a well-publicized fraud, and even more so if the fraud extends to a circle of one or more trusted business partners.

The ACFE tells us that a fraud can impact an organization’s reputation in many ways; and that reputation is based on how well the firm meets the expectations of diverse stakeholders such as customers and investors. Events like a fraud that indicate the organization may have fallen short of such expectations can impact the bottom line directly in terms of sales, expenses, and capital availability.  Surviving and moving forward from such an event and, more importantly, restoring confidence and ensuring that reputational damage is not extended or repeated depends on the policies and people the organization has in place to manage its damaged reputation moving forward.

What’s essential is that every organization have some sort of formal plan in place, preferably prior to a fraud event, to manage the post-event fallout; if it doesn’t have such a plan, it behooves the enterprise to develop one as a critical component of its overall fraud prevention program.

The nature of the reputational risk specific to the organization, its risk appetite, and its major reputational risk management activities are all important pieces of information used to craft the overall fraud response plan. Defining the focus and output of the response plan is a critical step not only to development of the plan itself, but also to craft the timing of effective communications to stakeholders, pre and post any fraud event, addressed by the plan. Determining these details up front will give management the substance needed to create a road map that yields compelling results both through the after-fraud period and into the future.

The first step in crafting a reputational risk component of the fraud response plan is to determine the specific nature of this type of risk at the CFE’s client organization. For example, a company that produces consumer products may need to consider its reputation in terms of:

–Consumers. Perceived product quality, value, and safety.
–Investors. Perceived future returns on investment resulting from the company’s innovations, strategy, and execution.
–Suppliers/vendors. Perceived reliability of orders and timeliness of payment.
–Employees. Perceived fairness of the treatment they receive while manufacturing, selling, and supporting the company and its products.
–Online community. Perceptions of stakeholders, including consumers’ product opinions, media reporting on company activities, and competitors.
–Regulatory entities. Perception that the company’s products comply with laws.
–Local community. Perception of the company as a responsible corporate citizen.

CFEs need to identify the key reputational risks, work with business process experts to prioritize those risks based on the extent to which they could impact the bottom line, and then determine which risks will be included in the final plan. A plan that tries to cover all aspects of reputational risk in the manner of a checklist may be too broad to execute; the enterprise’s specific reputational risks to be covered need to be identified and agreed with management up front. As the CFE and management work to determine the reputational risk scope, both need to understand the organization’s reputational risk appetite. Many organizations conceive of risk appetite solely in terms of financial impact, sometimes further defining it based on financial drivers such as customer loss or asset value reduction. Facilitating a discussion of reputational risk appetite among the enterprise’s business process owners is a valuable CFE contribution that will assist not only in the development of the response plan but also in its acceptance by the business. Quantifying reputational risk appetite helps management understand the tangible impact of the risk and thus how much reputational risk executives are willing to bear. In addition, it allows the CFE to communicate the impact of the reputational review work in the individualized value terms defined by the organization’s leadership.

The value added by the up-front work to understand the major vehicles the organization presently uses to manage its reputational risk will depend on the factors affecting that risk and the nature of the business itself. Some mitigation activities may be proactive, such as establishing a product quality department or monitoring the organization’s social media presence. Others may be reactive, such as having a sales refund plan. It’s important to remember that successful reputation management following a fraud does not hinge upon one person or process (like having a hotline or a public relations function), but rather on a series of controls and processes across the entire organization that work together to form a wide pattern of reputational defense. Being aware of existing activities will prepare CFEs to include an evaluation of them in the fraud response plan. The focus of a fraud response plan can vary based on the nature of the risk and the maturity of the reputational risk management infrastructure. If there is no formal existing plan, then the CFE might prepare and present a best-practice fact finding of the present state of the controls over reputational risk. If some kind of response program does exist, then the CFE might focus on control enhancement and process improvement. Financial implications, including reputational damage impact modeling and the cost of risk mitigation, could also be made part of an existing response plan, as could regulatory compliance processes such as the steps involved in the reporting of data breaches.

When one or more of the victim enterprise’s business partners are involved in a fraud against it, the reputational challenge in the post-fraud period is further complicated. Important questions to ask about such third-party relationships, both during and after the investigative and prosecutorial phases of the fraud, include:

–Is there a formal business contract?
–What requirements and rights regarding compliance, possible fraud and anti-corruption does the contract contain?
–Does the contract include an audit clause?
–Who owns the business partner?
–Has the partner disclosed all relevant third-party relationships?
–Have all of the partner’s operating locations been disclosed?
–Does the partner have ongoing litigation or unique governmental relationships that might create an adverse impression among existing customers or external regulators?

Where information is needed on the client’s response to post-fraud reputational impact, CFEs can visit partner organizations to gather the appropriate data. Red flags impacting reputational risk for the CFE to be aware of include limited information about the respective entities, inconsistent data points, operations in politically charged locales, prior regulatory sanctions, and connections to or ownership by politically exposed individuals, or operation in environments with uncertain economic or commercial laws or regulations. And while examination of these items falls within the purview of compliance or legal departments, and ultimately management, some opportunity exists for CFEs to assist with the review of due diligence reports to assess the completeness and adequacy of information in support of management’s general reputation evaluation process and decision-making.

While supporting the preparation and ongoing management of client fraud response plans, CFEs can provide additional value as the organization experiences changes over time. As the company grows, changes its sourcing and marketing strategies, and acquires other businesses, new third parties that provide products and services to and on behalf of the company will be identified and should be considered for inclusion in the company’s reputational planning. The company’s reputational management efforts need to keep pace with the organization, and CFEs can help evaluate the scope and breadth of that program by assessing alignment with the company’s changing business and operational fraud prevention profile.

Acting within the framework of their knowledge of the client organization, their business risk assessment competency, and their mandate to evaluate the adequacy of design and overall effectiveness of anti-fraud internal controls, CFEs can help facilitate any company’s fraud recovery and reputational repair due diligence efforts.