The economic upheaval and corporate scandals of recent years have shaken the confidence of everyone from investors to business leaders. Some organizations, instead of responding with closer self-scrutiny, develop an "it can't happen here" mindset. Others delay grappling with fraud risk until a major incident happens. But ignoring the potential for fraud can prove costly for organizations.
A recent study by the Association of Certified Fraud Examiners estimated that the typical organization loses about seven percent of its annual revenues to fraud.1 Widely publicized cases of massive fraud, growing public expectations for companies to manage their risks better and heightened regulatory demands have all contributed to a more urgent need for businesses to identify fraud risks and address them effectively.
The Sarbanes-Oxley compliance efforts of the past decade, while improving transparency regarding internal controls, do not immunize companies against fraud risks, which have proven capable of causing severe damage to a company, or even an industry. In the wake of the global financial crisis, fraud risk has garnered much of the attention paid to enterprise risk management. Fear of a financial restatement has motivated many companies to look more closely at fraud, and boards and management have become more inquisitive about fraud risks and the controls in place. Some organizations recognize the importance of fraud risk management (FRM), but lack sufficient internal investigative expertise. Many now partner with outside firms to create or implement anti-fraud programs.
The increasing focus on fraud provides corporate counsel with an opportunity to play a more active role in its prevention and detection. By becoming familiar with the current FRM landscape, counsel can better collaborate with internal audit (IA), as well as any needed outside resources, to help the organization protect its reputation, meet its obligations and improve its bottom line.
Higher Stakes, Higher Expectations
Reputational damage due to the exposure of fraud represents a serious risk even in favorable economic conditions. In an atmosphere characterized by tight credit and wary investors, the cost of a compromised corporate reputation can far exceed damage to customer relationships. Such notoriety can halt funding, threatening an organization's ability to continue operating.
Meanwhile, an increasingly assertive regulatory environment is leading to more serious consequences for organizations that run afoul of fraud and corruption mandates. In recent years there has been a substantial increase in Foreign Corrupt Practices Act enforcement actions alone, including unprecedented fines and penalties. Regulatory agencies also continue to issue enforcement actions addressing anti-money laundering compliance. And the Fraud Enforcement and Recovery Act, signed into law in May 2009, expanded the federal government's ability to investigate and prosecute fraud against the government.
Despite all the factors nudging organizations toward stronger anti-fraud programs, it's important not to underestimate the natural resistance to such programs. It can be quite a leap from acknowledging the possibility of fraud in the abstract to establishing a vigorous anti-fraud program organization-wide. The impulse to stop discussing fraud is strong. No one wants to believe it's happening. That's why having an active, clearly articulated and broadly communicated FRM program is so important.
Motivation And Opportunity On The Rise
The global financial crisis has fueled fraud concerns in part because high-profile cases of fraud and misconduct were exposed when the credit crunch removed the financial cover concealing massive investment losses from Ponzi schemes and other fraudulent activity. But difficult economic conditions may also help bring about more favorable conditions - and more urgent motivations - for employees to commit fraud.
Financial distress may contribute to individuals' ability to rationalize unethical behavior and increase their temptation to engage in fraudulent behavior. According to a 2009 research report by Vangent, "as financial pressures on job candidates and employees increase so too does the risk of unethical and counterproductive behavior in employees who might otherwise never have considered engaging in an illicit act at work."2
Under difficult economic conditions, there also may be pressure within an organization, whether explicit or not, to spin unpleasant financial realities in the most favorable light, making misrepresentation more tempting. And in the wake of reduced staff sizes and broadened responsibilities, segregation of duties can be diminished, potentially making it easier for an individual to commit fraud. This phenomenon affects not only small businesses, but also large corporations' smaller offices and outposts.
Government stimulus funding also creates opportunities for waste, fraud and abuse - not only in organizations that directly receive an infusion of cash, but also for their vendors. Controls designed to monitor much lower levels of spending are simply inadequate for the funds many organizations will receive. A control environment built to monitor $2 million in annual spending, for example, will prove inadequate to monitor $20 million in spending. It may take significant time to implement controls commensurate with the new spending level.
Automated Methods Gain Momentum
Effective FRM is not a "one-size-fits-all" matter. It must be built around the particular risks that carry the highest potential of threatening an organization's stability. A structured fraud risk assessment (FRA) serves as a starting point by enabling management to identify these risks and begin managing them more effectively.
As budget restrictions have encouraged organizations to employ more cost-effective methods of detecting fraud, automated auditing capabilities have become increasingly popular. Over the past several years, internal auditors have focused more on continuous auditing, a technology-driven process that automatically performs control and risk assessments.
Such methods have become key priorities for IA leaders. Protiviti's 2009 Internal Audit Capabilities and Needs Survey questioned more than 700 IA executives and professionals. Asked to rate the areas in which they needed to improve, respondents cited "Continuous Auditing" and "Computer-Assisted Audit Techniques" as the two areas most in need of improvement - despite reporting relatively high competency in both. This suggests a growing appreciation for the results these methods can deliver.
Continuous auditing transforms monitoring from a process of intermittent reviews to ongoing testing of all transactions. Key business systems are monitored for anomalies in real time, rather than being sampled. This provides a cost-effective way to uncover fraudulent activity early, before it becomes large enough to pose a major threat to the organization.
But companies can't just put automated methods in place and then forget about them until trouble arises. Improved monitoring constitutes only a small part of an effective FRM program. Clearly communicated and reiterated policies, as well as ethics and fraud training, are necessary to sustain involvement from employees organization-wide. Without that involvement, an anti-fraud program can easily become static and unable to respond to unforeseen threats. The program must be as dynamic as the risks the company faces.
Internal Audit: From "Should" To "Must"
Regulators and law enforcement have long emphasized risk assessment as a crucial component of mitigating fraud risk, and IA has generally participated in that process. The degree of participation is changing, however. In January 2009, the IIA - the IA profession's most authoritative source of standards and guidance - released its revised International Professional Practices Framework, including revisions to the organization's International Standards for the Professional Practice of Internal Auditing. Five standards were added, and many existing standards were reworded more forcefully.
One of the new standards, 2120.A2, reads: "The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk."
IA is now required to play a central role in evaluating fraud risk, as well as the organization's FRM program. The change reinforces a shift in IA, as organizations rely more heavily on their internal auditors to execute FRAs. In terms of fraud risk and the controls in place, the stance of IA has moved from "you should think about this" to "you must think about this." Professionals with IA responsibilities are seeking training and ramping up their capabilities around FRAs and fraud controls.
Protiviti's 2009 Internal Audit Capabilities and Needs Survey also suggests IA professionals are keenly interested in improving FRM capabilities: "Interestingly, skill areas related to fraud (Monitoring, Detection/Investigation and Auditing) rank in the top five ... This underscores just how important anti-fraud activities are for today's internal audit functions, particularly in the eyes of leadership."
Defining Roles And Responsibilities
One of the challenges in maintaining a strong FRM program is that responsibility is often shared among many individuals. While this arrangement may be necessary, it's important for organizations to define responsibilities organization-wide.
In light of the corporate scandals and intensified regulatory activity of recent years, corporate counsel has become more focused on the control environment, including the organization's ability to qualify for some regulations' safe harbor provisions. This growing focus on internal controls, coupled with increasing awareness of fraud risk, provides an opportunity for counsel to help protect organizations from some of the most dangerous risks.
By staying abreast of developments in the fraud risk environment, including the current IIA Standards and technological trends, corporate counsel can better prepare to work closely and effectively with internal and external resources to protect organizations' financial, operational and brand stability.
Such a concerted effort helps create a culture in which risk is met with action rather than fear. Fraud thrives when any member of the organization looks away, instead of closer. That's why FRM should not be approached only as a matter of satisfying regulatory requirements or meeting investor expectations. Organizations that embrace FRM as an essential part of their operations can face uncertainty with confidence. 1Association of Certified Fraud Examiners , 2008 Report to the Nation on Occupational Fraud & Abuse.
2Vangent , Organizational Ethics and Counterproductivity Risks During an Economic Downturn: Causes and Mitigation, 2009.
Published November 2, 2009.
