Editor: Please tell our readers about your background and professional experience.
Zikmund: I spent the first ten years of my career working in various law enforcement capacities, the last few years working on white-collar crime investigations. For the next 10 or 11 years I managed internal corporate investigation teams with Union Carbide, Dow Chemical, Nortel Networks and Tyco International. For the past four years I have been working in the consulting profession. I lead our firm's Fraud & Forensic Services practice. We provide fraud risk management solutions relating to detection, deterrence and investigation of fraud.
Editor: Many companies take a reactive approach to fraud prevention and respond to fraud events only after the fact. Could you describe a more proactive approach you would recommend to reduce the risk of fraud occurring in the first place?
Zikmund: Sure. The reactive approach is a quite common approach that many companies take. This is similar to what happened with the corporate security profile after September 11, 2001 - until that point corporate security or asset protection was really looked upon as a cost center, but after 9/11 companies encouraged a much more proactive approach to corporate security. We have seen some of this in the area of corporate fraud post-Tyco, WorldCom and Enron and following the enactment of Sarbanes-Oxley, but overall we are still finding the reactive approach the most common. Generally, there may be an event or an allegation of misconduct and an ensuing investigation, but once the investigation is resolved, remedial or preventative action is unlikely in many instances. Rather than ignoring or forgetting lessons learned during the investigation, I encourage a more proactive approach where companies consider a comprehensive approach to implementing effective anti-fraud programs and controls. These programs include fraud risk assessment, training and awareness programs, fraud detection, continuous monitoring, a formalized response program to address any allegations of misconduct and fraud policies. Companies that implement those types of programs position themselves to not only respond to misconduct but also to deter fraud from occurring within their organizations.
Editor: So, you recommend that companies implement a fraud policy?
Zikmund: I think that they absolutely should, and for several reasons. Number one, a fraud policy in and of itself, once it is published and communicated internally, elevates the awareness of fraud and also defines what is considered to be unacceptable behavior. "Fraud" is a very broad term, and many employees may not fully understand what it may or may not entail. Formalizing a fraud policy provides employees with a basic understanding of what behaviors and actions are not tolerated by the company. Fraud policies also go one step further by defining the roles and responsibilities of those who must respond to allegations of misconduct. Many companies have an inconsistent approach, and a formalized policy helps establish an effective response program. Well-written fraud policies also include steps relating to disciplinary action. So, having a policy and procedure in place, in my opinion, will help companies develop a more consistent approach.
Editor: Does this risk setting too high a bar for itself, in the sense of possible consequences for failure to fully follow or enforce its own policy?
Zikmund: No. Most policies include language such as "violation of this policy may result in disciplinary action, up to and including termination and prosecution," so the companies leave themselves some flexibility; they don't always terminate individuals or prosecute. So, I don't think it would raise the bar to a degree that couldn't be met, provided it is written properly.
Editor: Would you agree that there is a higher incidence of fraud during an economic downturn?
Zikmund: I would agree, and there is empirical evidence to support that. The Association of Certified Fraud Examiners released a survey a few weeks ago discussing this very point. Compliance Week also published an article highlighting the results of a recent survey, which discovered an expected increase in fraud cases in 2009 considering the current economic downturn. Donald Cressey, a famous criminologist, described the "Fraud Triangle" concept - where there is opportunity, motivation created by frustration and financial pressure, and people are able to rationalize their behavior, the potential for fraud increases tremendously. These three elements are becoming more and more prevalent in today's downward economy, which I believe drives the risk for fraud.
Editor: One of your colleagues at Amper, Gary Master, has written an article discussing internal controls to prevent fraud which focused on three fundamental principles; segregation of duties, multiple approvals of transactions and cross checking of documents. Would you care to comment on these?
Zikmund: Those are excellent controls that will minimize the risk of fraud once they are put in place. There is an old "20-60-20" rule that says that 20 percent of the people will do the right thing all the time, 20 percent of the people will do the wrong thing in most instances if given the opportunity, and the other 60 percent can be swayed either way. If you consider the economic downturn, you've got a lot of individuals who could make the wrong decision. Internal controls reduce the opportunity for employees to commit fraud, but people still can develop ways to circumvent those controls to be able to perpetrate fraud schemes that impact the company. So, while those controls are a very minimum requirement, you still need monitoring and management oversight - management by walking around and being visible to help strengthen the controls.
Editor: Who should be involved in designing and administering the fraud prevention program, and what role should senior levels of management play?
Zikmund: Senior management is responsible for designing and implementing internal controls to prevent and detect fraud. They are responsible for insuring a strong tone at the top and establishing the proper ethical culture, so it is really incumbent upon them to design and administer this program. This responsibility generally tends to be assigned to the vice president of human resources, the general auditor or the chief legal counsel. I have seen it reside in HR, and I have seen the CFO own this responsibility. But if you don't have someone from the very top to champion these programs and controls they are more likely to get lost in the shuffle. Not having the right amount of support from senior management will often lead to an incomplete or ineffective program because the rank-and-file employees just won't buy into it.
Editor: What would you generally consider to be the most critical elements of an effective fraud prevention program?
Zikmund: A few come immediately to mind. Number one is establishing the right tone at the top with a code of conduct and making sure it is communicated throughout the organization. But it is not enough just to have a code of conduct in place; the employees have to understand it, they have to be held accountable for it and they have to be regularly updated on changes. I strongly recommend an annual recertification program reminding employees of their responsibilities to the organization, the shareholders, the customers and the vendors.
Second, fraud risk assessment is rightly becoming a lot more prevalent in our business environment. Fraud risk assessment will help companies identify risk factors that increase opportunities for fraud within their organizations. The ultimate goal of fraud risk assessment is to identify residual risk. Every company has an inherent risk for fraud. If you operate in a country where bribery and corruption are very common, for example, you have an obvious risk of FCPA violations, and with strong internal controls you can reduce that risk. What is left, then, is residual risk and you want that risk quite low. Without conducting a formal fraud risk assessment it is very difficult for companies to define and understand risks that are unaffected by internal controls.
Third, it is really important for companies to conduct training and awareness programs. When you conduct fraud training and awareness throughout the organization you heighten awareness of fraud and possible red flags; employees know what to look for and understand how to respond appropriately if red flags are uncovered. Training really goes a long, long way. We have done a lot of training with organizations and the benefits are tremendous.
Finally, many or most companies are going to experience some type of a fraud at some point in their lifetime. Effectively and efficiently responding to those allegations is critical. Investigating allegations of fraud is a high-risk engagement. There is the risk for wrongful termination and lawsuits. There is a risk of reputation to the company and to the employee. Organizations who respond inconsistently or inappropriately, in my opinion, increase their legal liability. Having a formal response plan and a single point of contact who owns that process is critical.
Editor: Once the program is created, communicated and implemented, what are appropriate metrics by which to measure its success? It cannot be as simple as quantifying the number of incidents.
Zikmund: That's correct. Frequently, the number of allegations will rise after a comprehensive program is implemented due to the fact that awareness is raised within the organization. If you elevate the awareness of what to look for and what to do if you come across those red flags, then people become more engaged and more willing to report those allegations. So, you might actually have an uptick in the number of reported incidents. This doesn't mean your program is failing; in fact, in my opinion, it means the program is working well. In the long term, as the program matures, you would expect to see a decline in the number of incidents as controls are strengthened and management's zero tolerance approach begins to gain traction. Employees contemplating fraudulent acts will be deterred to a greater degree in an environment that seeks to identify and respond to misconduct than in an environment that promotes or ignores unethical behavior.
You may also consider investigative response time. Companies with a robust, comprehensive program generally respond to incidents in a timely manner, resolve them appropriately and move on. When allegations of misconduct are not investigated in a timely manner, the issues linger and may expose the company and the employee to unnecessary legal liability.
And, last but not least, is continuous measurement of residual risk that can only be effectively determined by conducting frequent fraud risk assessments. They should be conducted on at least an annual or bi-annual basis. Companies should quantify their residual risk to determine if it is increasing or decreasing in different areas over time. An increase indicates that internal controls aren't working.
Companies should note that quantifying the metrics to determine the success of a program is not an easy task. Some of the largest benefits are not quantifiable. They are more qualitative in nature, such as raising awareness, building ethics and integrity, and encouraging reporting of misconduct. These benefits are of greater importance than just measuring the number of incidents of fraud.
Published June 1, 2009.
