This chapter covers ethics, compliance, fraud deterrence, and fraud prevention. Franco Frande, former Chief of Financial Investigations for the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), often cited the anecdotal 10–80–10 Rule of Ethics: 10% of the population will commit bad acts whenever the opportunity presents itself (consistent with the notion of predators), 80% of the population might commit bad acts, depending on the circumstances (consistent with the notion of situational fraudsters), and the remaining 10% of the population will never commit fraud.1
In a 2018 report from ABC affiliate KTRK Channel 13 Action News in Houston and USA Today, a megachurch pastor and a Louisiana financial planner were accused of defrauding investors of more than $1 million.2 According to the news sources, a federal grand jury indicted Gregory Alan Smith, 55, of Shreveport, La., and Kirbyjon H. Caldwell, 64, of Houston, on six counts of wire fraud, four counts of money laundering, and one count each of conspiracy to commit wire fraud and conspiracy to commit money laundering.
Apparently, the pair offered quick and impressive returns on prerevolutionary Chinese bonds dating back to the 1940s, allegedly collecting as much as $3.5 million from investors. The indictment suggests that the bonds were worthless. To keep investors on the hook, the defendants made frequent calls and promises of payback to investors, suggesting that they “keep the faith.” Rather than invest their clients’ funds, the defendants were alleged to have used the money to pay personal loans, credit card balances, mortgages, vehicle purchases, and other personal expenses.
Caldwell had been the pastor of Windsor Village United Methodist Church, a 14,000-member megachurch in Windsor Village in Houston. News sources also indicate that Caldwell led the benediction at both inaugurations for former president George W. Bush and officiated at Jenna Bush’s wedding in 2008. If convicted, Smith and Caldwell could face fines of $1 million and up to twenty years in prison.
News reports, such as this, suggest that fraud is possible across all socioeconomic classes and even (some would say especially) among the most trusted individuals. Yet, with an ethical commitment and an understanding of compliance and strong fraud deterrence and prevention efforts, organizations can minimize the likelihood of fraud and other bad acts and minimize its impact when it does occur. In this chapter, the authors examine these topics across several modules. Those modules, along with the learning objectives, include the following:
Many of the topics in compliance, fraud deterrence, and fraud prevention were also examined with regard to fraud detection, a topic covered in Chapters 8 and 9.
Oreo Linderhoof, Loss Prevention Manager, takes a videotape labeled Store 522 Backroom Surveillance and carefully places the videotape on top of his desk near the guest chairs. Jim Thomas, Store Manager for retail location 522, arrives for his interview with Oreo. When Jim arrives, Oreo escorts Jim to his office and almost immediately is interrupted by a call. He asks Jim to please excuse the interruption and heads out of the office. Oreo returns fifteen minutes later and Jim “spills his guts.” He confesses to the theft of inventory, signs a written statement, and is taken from headquarters in handcuffs by the local police.
The rest of the story …
Oreo knows that Jim Thomas has been stealing high-value inventory from the store but he doesn’t know how. Based on examination of daily inventory counts correlated with scheduling over weeks, Oreo has concluded that Jim is the only person with the opportunity to have committed the theft. Despite surprise inventory counts, store surveillance, and other loss prevention techniques, Oreo cannot figure out how Jim is perpetrating the theft. Surveillance suggests that the inventory is not leaving through the front door and that Jim does not have an accomplice. Cash register analysis suggests that Jim is not taking cash through voids and refunds, a method that would also leave the inventory short.
Oreo hatches a scheme to catch Jim …
Oreo calls Jim at the store and schedules an interview at corporate headquarters. Store employees being called to corporate headquarters is never a good sign, and Oreo is hoping that this visit will make Jim nervous. In advance, Oreo instructs the receptionist to call him as soon as he and Jim are in his office. After excusing himself, Oreo goes to the break room, gets a cup of coffee, and then visits with several fellow employees. Essentially, he wants Jim to see the videotape labeled Store 522 Backroom Surveillance, and as noted above, his approach works. As soon as Jim sees the videotape, he believes that he has been caught “red-handed.” The issue: the videotape was blank; there was no backroom video surveillance. Oreo, being one of the best professionals in his field, caught his man.
Question: Was Oreo’s scheme to obtain Jim’s confession ethical?
The above scenario highlights some of the ethical dilemmas faced by professionals confronting individuals who perpetrate financial crimes. Ethics, trust, and responsibility are at the heart of compliance, fraud examination, and forensic accounting.
Ethics is defined as the branch of philosophy dealing with values relating to human conduct, with respect to rightness and wrongness of actions and the goodness and badness of motives and ends.4 Ethics has certain key elements:
A discussion of ethics goes hand-in-hand with that of criminology because fraudsters often make poor ethical decisions prior to committing criminal acts. Consider, for example, financial statement fraud: perpetrators frequently find themselves on an ethical slippery slope, using an accounting choice as a tool for earnings management to maximize bonuses and influence financial returns and the financial markets. When earnings management isn’t enough, the individual finds himself at a point of no return, moving from the slippery slope of earnings management to fraudulent financial statements.
When does the fraud examiner or forensic accountant face an ethical dilemma? Whenever there are several choices, all outcomes have somewhat negative effects, and the correct choice is not obvious. Such dilemmas arise when many people could be harmed and some may benefit while others will not.
Consider another scenario: is it ethical for a fraud examiner or forensic accountant to lie to a perpetrator during an interview to elicit a confession? Most people agree that lying is wrong. Most also agree that an embezzler should not get away with their crime. If lying is the only way to get a white-collar criminal to confess, is lying ok? The answer isn’t obvious because both choices are imperfect: (1) not lying, but the perpetrator gets away; (2) lying and the perpetrator confesses. In either case, the fraud examiner or forensic accountant must choose from a flawed set of options.
Closely associated with ethics is the concept of values. Values are the personal and social criteria that influence choice—family, friends, peer groups, nationality, culture, and economic and social classes. Values are learned beginning in childhood and are the conventions upon which choices are evaluated.
Relying on the law and rules is one approach to resolving an ethical dilemma. Most professional associations’ codes of conduct, for example, require that professionals avoid breaking the law. This is a practical approach, and a starting point for determining if certain conduct should be avoided. The law, however, is the lowest threshold for ethical decision-making.
It may happen that a law might permit an action that is prohibited by a profession’s code of ethics. As an example, for years the American Institute of Certified Public Accountants (AICPA) had rules of ethics that prohibited advertising by its members. The profession believed that dignity and objectivity were enhanced by keeping practitioners out of this aspect of the commercial world. The U.S. Federal Trade Commission and the U.S. Department of Justice, however, disagreed. They decided that the prohibitions against advertising violated the laws barring restraint of trade. The government forced the profession to eliminate its rules against advertising. This example illustrates the triumph of one set of values (the government’s belief that competition through advertising would benefit consumers) over another set (the profession’s belief that dignity should be preserved).
A second approach to ethics suggests that it is ok to “fight fire with fire.” As Sean Connery’s character, Malone, asks Eliot Ness (Kevin Costner) in The Untouchables, “What are you prepared to do? … You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital; you send one of his to the morgue.” Essentially, this is an outcome-based ethical framework whose purpose is to justify actions that otherwise could be considered immoral, unethical, or illegal. The problem with means–ends analyses is that they are often superficial, ending with the needed justification but failing to fully consider other aspects and consequences of the actions.5
Ethical principles, on the other hand, refer to the process upon which an ethical decision is analyzed or evaluated. Inherently, values are incorporated into the principles that help guide choice. The imperative principle is one of three ethical principles that provide a framework for ethical decision-making and is based on the work of philosopher Immanuel Kant. Although the following characterization is overly simplistic, Kantian philosophy tends to ignore outcomes by providing directives and rules without exception that are in the best interest of society as a whole. For example, under Kantian imperatives, “lying is always wrong.” A society cannot exist if it is based on lies. Furthermore, society should value telling the truth over lying because society cannot exist if everyone is told to lie all the time (the alternative imperative is to never tell a lie).
This unconditional obligation assumes that all people are aware of the rule and all agree to follow the rule. The Kantian imperative is very strict but provides an easy-to-understand framework for ethical decision-making. However, Kant himself recognizes that at times, all general rules must have exceptions. While the Kantian imperative is almost impossible to follow all of the time, in practice, being faced with violating an imperative alerts a person that he or she is facing an ethical problem. Once the dilemma is identified, the fraud examiner or forensic accountant can seek out additional considerations for weighing the consequences.
The utilitarian principle, championed by John Stuart Mill, suggests that ethical problems should be solved by weighing the good consequences and the bad consequences. The correct course of action is that which provides the most good or minimizes the bad. Like Kantian imperatives, the consequences to society are generally more important than those to individuals. Mill identifies two forms of utilitarianism, “act” and “rule.” Act utilitarianism suggests that it is the consequences of the act that matter. For example, “honesty (an action) is the best policy,” subject to the evaluation of the specific circumstances, might suggest that an alternative action, lying, provides better consequences in this particular situation. Individuals making the decision have the power to decide, so their value system drives the evaluation process of possible outcomes (consequences) and the final decision.
In contrast, rule utilitarianism emphasizes the benefits to society of general rules (similar to a Kantian imperative) and suggests that the decision to break a rule is one that requires very careful consideration. Rule utilitarianism requires that society as a whole be able to determine which rules are important and ought to be followed. Rules then are also influenced by history, nationality, culture, social goals, and, at some level, economics.
The difficulty with utilitarianism is the variation in outcomes. In any situation, almost any act can be justified, and the choice is always a product of where a person (act) or society (rule) came from: family, friends, peer groups, nationality, ethnic background, and economic and social classes. Furthermore, it is difficult for everyone to agree on universal principles.
The generalization principle is an attempt to marry Kantian imperatives with utilitarianism and was proposed by Marcus G. Singer. The generalization argument is as follows:
If all relevantly similar persons acting under relevantly similar circumstances were to act a certain way and the consequences would be undesirable, then no one ought to act in that way without a reason.
More simplistically, the generalization argument poses the following questions as a first assessment:
What if everyone acted that way?
If the outcome is considered undesirable, then that conduct ought to be avoided unless the person has a very good reason. Generalization provides the flexibility needed to address the shortcomings of Kant and the specific direction that seems to be missing from utilitarianism. Of course, the success of the generalization argument is dependent on the specific value assessments of the individual decision-makers. Furthermore, generalization is invalid when an argument is either invertible or reiterable. Invertibility occurs when both doing something and not doing something lead to bad consequences. In such a circumstance, no generalization argument can be formulated. Reiterability occurs when arbitrary times, places, persons, or other factors can be inserted into a generalization in such a way as to make the generalization outcome nonsensical.
Although the preceding principles provide a framework for ethical decision-making, alternative decisions may result in variations of good and bad consequences. Therefore, the task is a difficult one and the choice must be left to individuals. It is impossible to provide a blueprint for every situation with laws, rules, and exceptions. The bottom line is that civilized societies are grounded in trust with underlying values and implicit codes of conduct that guide behavior. The decision process is difficult, and the range of possible outcomes suggests that the right choice is not always obvious. Though doing the right thing can be difficult, as members of society, we have a responsibility to reach for that goal every day, without exception.
To be successful, professionals in the specialized field of fraud examination and forensic accounting must have an ethical framework for appropriate decision-making. Although the preceding material has suggested approaches to solving ethical problems, the fraud and forensic professional needs to strive for the highest degree of ethics and moral conduct. This perspective requires that the individual think about possible difficult situations and develop his or her own framework for decision-making, to the extent possible, in advance. Next, the individual needs to make the commitment required to follow his or her ethical values in all cases except those that have extreme consequences.
In practice, antifraud and forensic professionals can start with rules, laws, and Kantian imperatives to identify ethical situations (ethical dilemmas) that require more in-depth evaluation. Once the ethical problems have been identified, the evaluation process begins and professionals can use an appropriate framework for ethical problem solving, including using personal rules and processes for decision-making. The antifraud and forensic professional is not alone, and should solicit the input and opinions of other practicing professionals. In some cases, guidance and advice from professional organizations and associations can assist the individual in making the best decision. After the alternative outcomes have been carefully considered and a decision has been made, the professional can then move forward to implement that decision. This process will help to ensure that the anticipated goals are realized while also attempting to mitigate any negative consequences.
Students who are considering entering the field of fraud examination and forensic accounting must consider decisions that they made in the past. For example, some may have past criminal convictions that might exclude them from entry into the profession. While most offenses may not prevent a prospective student from exploring his or her options, he or she should be aware that honesty is the best policy. Get caught in a lie, and your career could be over. Tell the truth and explain the facts and circumstances of a less than perfect past, and at least the individual (applicant) will have created a foundation of trust to repair the damage caused by prior conduct.
Professions are set apart by five characteristics6:
These characteristics impose responsibility on both the profession and the individual professional. Normally, such responsibilities are captured in the profession’s code of conduct. For example, Certified Fraud Examiners (CFE), as designated by the Association of Certified Fraud Examiners (ACFE), have the following code of ethics7:
Forensic accounting professionals and the valuation community have professional bodies, such as the AICPA’s Forensic and Valuation Services (FVS) Section and the National Association of Certified Valuation Analysts (NACVA), that provide a vast array of resources, tools, and information for members and credential holders—CFF, ABV, CVA, etc.
Whereas the prior sections dealt with ethics at the individual and professional level, ethics are an important part of organizational behavior. In fact, ethics is the foundation for fraud deterrence and prevention both by individuals within an organization and by the organization itself.
Ethics at the organizational level starts with corporate governance. The Board of Directors, the Audit Committee, executives, managers, clerical support, and line personnel are the living, breathing embodiment of ethics within the organization. The Board of Directors, Audit Committee, and corporate officers set the “tone at the top.” Tone at the top refers to a culture that is open, is honest, and communicates the values of the organization to persons at all levels, both internal and external to the organization.
The first step in developing an ethical culture is a code of ethics signed by all personnel. In addition, the company’s position on ethics should be posted in visible places, such as lunchrooms, and communicated across the organization. Employee awareness programs, such as periodic ethics training, are effective tools and, of course, leaders lead by example. Employees will take their cues from their managers, managers from executives, and executives from their interaction with board members, audit committee members, and auditors. It is important that individuals in leadership positions not only communicate the value of ethical actions, but also practice what they preach. Furthermore, individuals at the top must be willing to listen to those operating at lower levels within the organization, because even when an organization has an ethical tone among its senior managers, that culture may not be reflected in the values of middle and lower management—sometimes referred to as “mood in the middle” and “buzz at the bottom.”
Second, the organization should be committed to hiring honest executives, managers, and staff. While most organizations attempt to contact prior employers and resume references, many organizations provide only minimal information about former employees and are reluctant to provide any negative feedback for fear of legal retribution. References provided by prospective employees are typically friends and professional acquaintances, so prospective employers should seek out prior supervisors. Although costly, organizations should consider background checks on prospective employees. Due to cost constraints, organizations may want to restrict the positions for which background checks are completed. To avoid charges of discrimination, prospective employers need to complete such checks in a consistent manner and in compliance with corporate policy.
Once individuals are hired, they need to be properly supervised. The most common excuse by managers for inadequate supervision is time constraints. Although “too much to do, in too little time” is a common complaint in today’s business environment, proper supervision is essential to maintaining good internal controls.
Training is another area that needs adequate attention. Many companies spend a considerable amount of time and resources developing their employees’ technical abilities, but little time or resources are generally spent developing supervisory skills.
Once an organization has created the infrastructure to minimize fraud opportunities, the system has to be maintained. Supporting the antifraud environment requires continuing education of fraud awareness. The fraud triangle indicates that one of the factors necessary for fraud to occur is rationalization. Failing to maintain a work environment that discourages fraud may enable an employee to justify unethical or illegal actions. Such rationalizations may include an employer’s failure to recognize a job well done, an employee’s overall job dissatisfaction, an employee’s perception that they are inadequately compensated for their work, an employee’s perception that the company owes them, and the misperception that no one is being hurt by their actions.
Another part of a good antifraud maintenance program is to provide assistance for employees with problems. In smaller companies, the human resources department may serve this function. In larger companies, there may be specific personnel devoted to assisting employees in exploring their options to solve a problem. This gives the employees the comfort to know that they are not alone and that their problem is “shareable.”
Part of maintaining a strong antifraud environment includes appropriate disciplinary procedures, such as prosecuting fraudsters where evidence suggests that such action is warranted. Effective discipline requires a well-defined set of sanctions for inappropriate behavior and strict adherence to those sanctions to avoid claims of discriminatory conduct.
One of the most effective antifraud deterrents is a hotline to receive anonymous tips from employees, customers, suppliers, vendors, contractors, and others. According to the 2016 ACFE Report to the Nations, tips and accidental discovery (candidates for tip reporting) account for almost 40% of fraud detection. Thus, anonymous tip hotlines are a tool that should be in place at all organizations of any size.
In cases where tips are made by employees, especially lower-level employees who report wrongdoing by their supervisors, whistle-blower protections should be in place. Unfortunately, even those whistle-blower protections that are established by law may not protect an employee from subtle, informal retribution, such as exclusion from meetings or marginalization—not giving him or her important information necessary to do his or her job.
Creating an antifraud environment also means minimizing opportunities for fraud. To accomplish this goal, companies need to establish and maintain a good internal control environment; monitor employee relationships for collusive potential; alert vendors and contractors to company policies; create tip hotlines; create expectations that fraudsters will get caught and will be punished; and proactively audit for fraud.8 Best practices to deter fraud include job rotation, surprise audits and reviews, open-door policies by upper-level management, and periodic testing of internal controls. Actively creating an antifraud environment means considering the following questions before fraud occurs:
In a March 2018 article, the Morgantown, WV Dominion Post noted that the producers of the film, “The Wolf of Wall Street,” agreed to a $60 million civil litigation settlement with the U.S. Government. According to the article, the production company benefited from a “massive Malaysian corruption scandal.” The case was part of a larger effort to recover losses from a Malaysian investment fund scheme designed to enrich the fund’s leadership and possibly the Malaysian Prime Minister. Ironically, the movie “The Wolf of Wall Street” was about a crooked stock trader.10
This textbook covers forensic accounting and fraud examination. Topics such as business valuation, forensic economics (e.g., employment issues and damages), and civil litigation are within the domain of forensic accounting. Compliance is an important consideration in helping to prevent fraud and mitigating losses when it does occur.
Civil litigation allows one party to sue another in most situations where something bad has happened, the defendant shares at least some liability, and the victim or injured party can prove damages. A good compliance program can minimize the risk of bad things happening and help to minimize the impact on all parties involved. In short, avoiding litigation is generally the preferred option, if possible.
A robust compliance program helps an organization to proactively identify risks and improve ethical behavior. Many think of risk and compliance in terms of fraud. However, risks come in many forms, including the following:
Organizations tend to face increasing competition from old rivals and unexpected new market entrants, products, and services. Acquiring and maintaining customers is an on-going challenge common across all organizations. Political changes and geo-political upheavals are common and require early identification and management.
At the same time, society expects ethical organizational behavior, and the U.S. Federal government and regulators have increased civil and criminal penalties. Some of the laws and regulations are as follows:
The expectation of good governance and compliance efforts requires the attention of the organization’s board of directors, or equivalent oversight body, to ensure overall ethical behavior in the organization, regardless of the type of organization (public, private, government, or not-for-profit) and regardless of relative size or industry.
At the same time, fiduciary responsibility to stakeholders, including shareholders, employees, customers, vendors, governmental entities, community organizations, and media, has increased. All organizations are subject to risk. When bad things happen, the organization incurs costs, such as erosion of confidence in the organization; negative impact on reputation, brand, and image (locally, nationally, and internationally); legal costs of civil and criminal prosecution; and incarceration of key individuals. In some cases, those costs have been material enough to result in the downfall of entire organizations.
The compliance program isn’t meant to address each of these categories but is developed to help ensure that the organization is in compliance with laws, regulations, and its own processes, codes of conduct, ethical standards, and controls. Every organization needs to have a compliance strategy in place to proactively identify risks, develop a means to mitigate significant and material risk in a timely manner, and establish a protocol for thoughtful, effective, and efficient action. Compliance needs to start at the entity level but also reach into the organization’s departments and process levels where compliance violations and issues can often pose a threat to organizational integrity. Processes and departments to consider might include the following:
Multijurisdictional organizations whose operations span local, state, and national domains need to consider compliance in each locale. Compliance programs, processes, and technologies need to be in place to identify, prioritize, examine, and manage compliance violations and risks before they become significant events and material crises.
Robust policies and processes are critical elements of compliance efficiency and effectiveness. In fact, having a strong corporate compliance program helps organizations maintain compliance with external regulations, as well as internal policies and processes. Training employees on policies also goes a long way toward ensuring an ethical environment.
The organizational compliance protocol should start by categorizing potential, identified, and reported threats and risks. Next, compliance efforts need to gather relevant preliminary evidence to confirm the validity of allegations. Once confirmed, compliance leadership needs to evaluate the severity of the allegations. How significant is the threat in terms of dollars and cents, but also in terms of reputation and brand?
Those compliance violations deemed significant need to be escalated to appropriate levels of leadership so that the investigation can proceed. Lesser compliance concerns can be resolved where the compliance transgression arose. Some issues identified through the compliance program are likely to be beyond the scope of compliance or the domain of compliance leadership. In such cases, the issue needs to be referred to other responsible leadership in the organization (e.g., legal).
At this point, with the allegation preliminarily confirmed with evidence and within the purview of compliance, the organization needs to conduct additional fact-finding and examination of the issue. Most compliance issues face some level of time sensitivity. Further, examinations, to the extent possible, need to be conducted with confidentiality in mind and to protect organizational legal privileges. As with all examinations, evidence-based decision-making and objectivity are most important.
Upon completion of the examination, steps need to be identified to resolve or close the investigation. Resolution may include notification of regulators, law enforcement, insurers, and external auditors. Administrative considerations are also important, including the following:
Generally, compliance issues need to be examined at one level higher than the level of the allegation. For example, alleged violations by executive leadership would be examined by the Board of Directors. Professionals who participate in examining allegations of compliance violations might include the following people:
Best practices for compliance include being proactive, as well as
Given a robust compliance program, if and when a bad issue occurs, the organization’s compliance efforts should result in more efficient identification and resolution.
Will Gerken and his coauthors completed a study that looked at the finance industry and what happens when you introduce a bad employee—someone who’s committed some kind of misconduct—to a new team. The authors found that bad behavior can spread. More specifically, Gerken examined the financial advisory industry and found that when employees are exposed to a colleague who is engaging in bad business practices, the employees become about 40% more likely to engage in similar bad practices. According to Gerken, employees who are behaving well before they’re exposed to the bad acts appear to update their beliefs about the possible consequences of bad behavior.
Consider a colleague who’s engaging in these practices: that colleague may get an extra bonus because they’re aggressively selling to their clients, or they might get a slap on the wrist. In this context, seemingly good employees update their own beliefs and become more likely to engage in bad behavior. In the same situation, Gerken and his coauthors were unable to document a reduction of misbehavior on the part of a bad employee when put in an ethical environment. Gerken suggests that the biggest practical takeaway for hiring managers is: there are spillover effects of hiring a new employee with a prior history of less than desirable acts.11
Internal controls and fraud prevention efforts are not always cost-effective. In essence, the perceived benefits of prevention do not, or may not, exceed the costs of setting up robust prevention efforts. In some cases, while the cost of prevention is known, the benefits of prevention are much harder to quantify. Practically speaking, organizations will be able to effectively and efficiently prevent some frauds, while others are not considered sufficiently likely to occur or of significant magnitude to warrant specific prevention efforts. Given such issues, fraud prevention efforts need to be wrapped in fraud deterrence—efforts to help stakeholders make the right decision even when they are not required to do so or prevented from making a poor decision. Anecdotally, fraud deterrence is centered on two ideas:
While research has yet to sort out the relative deterrent power of getting caught versus fear of punishment, practitioners in the field strongly feel that these concepts drive fraud deterrence. Interestingly, the awareness that fraud prevention controls are in place serves as one aspect of fraud deterrence (getting caught and punished). Deterrence efforts also include detection controls (e.g., supervisory reviews, surprise audits). Such efforts create the perception that would-be fraudsters are likely to be caught. Fraud detection is addressed in a separate chapter and will be afforded little additional coverage here.
As noted in the meta-model in Figure 14-1, a would-be fraudster faced with the fraud triangle elements of perceived pressure, opportunity, and rationalization examines the necessary elements of fraud—the fraud act, the required concealment, and especially the conversion (the benefit to the fraudster). It’s likely that the perceived benefit drives much of the fraudster’s decision. However, between the potential fraudster and the actual commission of the fraud are organizational antifraud efforts to deter, detect, and prevent frauds. Presumably, some frauds do not occur because the would-be fraudster perceives the antifraud efforts to be effective and his or her chances of success—in terms of committing and concealing the scheme and realizing the benefit—are at risk because of organizational antifraud efforts.
Fraud deterrence goals and objectives are in line with those of the overall fraud risk management. The deterrence program should outline and explain the organization’s perspectives on fraud and, in broad strokes, outline the organization’s fraud risk program. Communications should also identify those fraud risks of high likelihood and impact. Given high-risk frauds, deterrence efforts also communicate to potential fraudsters that fraud prevention measures are in place.
One key aspect of effective deterrence is that the organization’s antifraud efforts need to be communicated. Without personnel awareness, deterrence will not be effective. As such, the organization can use a variety of mechanisms to make staff aware of the following:
In addition to effective communication, leadership behavior that is consistent with an ethical environment is important. More recently, compliance and antifraud professionals have emphasized that it’s more than just “tone at the top”; it’s the conduct of those at the top that is more effective in encouraging personnel at all levels to act appropriately—“actions speak louder than words.” In essence, the tone and actions of personnel at every level of the organization are critical to produce a culture of ethical behavior; they set the standard for tolerance, or intolerance, of bad behavior and create an environment where making the right decision is embedded in the culture of the organization. Managers in the middle of an organization take their cues from the leaders at the top and play a critical role in communicating and reinforcing the desired behavior. Middle management’s acceptance or resistance to living the corporate culture initiatives has been called “the mood in the middle.” An organization’s culture can easily be observed in the buzz of everyday hallway chats, day-to-day meetings, and in emails, and has come to be known as “the buzz at the bottom.” As Lou Gerstner, former IBM chairman, once said, “Culture isn’t just one aspect of the game, it is the game.”12
According to a COSO study, “Fraudulent Financial Reporting: 1998–2007,” one of the critical findings was that the SEC named the CEO and/or CFO for some level of involvement in 89% of the financial statement fraud cases, up from 83% of cases in 1987–1997. Within two years of the completion of the SEC’s investigation, about 20% of CEOs and/or CFOs had been indicted, and more than 60% of those indicted were convicted. While the authors found relatively few differences in board of director characteristics between firms engaging in fraud and similar firms not engaging in fraud, 26% of the fraud firms changed auditors between the last clean financial statements and the last fraudulent financial statements, whereas only 12% of no-fraud firms switched auditors during that same time. About 60% of the fraud firms that changed auditors did so during the fraud period, while the remaining 40% changed in the fiscal period just before the fraud began.13
The board of directors, the audit committee, executives, and management are responsible for the corporate governance environment in an organization. The primary role of corporate governance is to protect investors, create long-term shareholder value, ensure investor confidence, and support strong and efficient capital markets.14 Most of the board’s work regarding governance is discharged through committees. To effectively carry out its primary functions, a committee must ensure its independence. A good corporate governance environment will set the “tone at the top” by creating a culture of honesty and integrity, with the leadership of the organization practicing what they preach. As the saying goes, “a fish rots from the head down,” and if corporate leadership doesn’t act in a responsible manner, it is doubtful that their subordinates will act differently.
Corporate leadership should also strive to create a positive work environment with efforts to increase employee morale, hire and promote employees who follow the company’s ethical guidelines, provide adequate compensation and professional development, and establish and monitor antifraud programs and controls. Effective corporate governance mechanisms include the following:
Responsibility for dealing with fraud risk resides with personnel at all levels of the organization, including leadership, line employees, staff, and internal and external auditors. Key players that are integral to fraud deterrence efforts include the following people:
The board of directors plays a critical role in compliance and deterrence. The board sets the tone at the top, the standard for organizational intolerance of bad behavior. Effective boards also monitor the actions of senior management, organizational performance, and key strategic issues. Some best practices for boards are as follows:
The audit committee is a board of directors’ committee. The audit committee assists the board of directors in fulfilling its corporate governance and oversight responsibilities, relative to an entity’s financial reporting, internal control system, risk management system, and internal and external audit functions. Audit committees also monitor litigation and regulatory compliance risks through interactions with organization lawyers and compliance leadership and through reports authored by the legal and compliance offices.
A critical role of the audit committee is to monitor the effectiveness of the internal control system, internal audit (if such a separate department exists), and external audit. Internal control includes the policies and practices used to control the operations, accounting, and regulatory compliance of the entity. In general, separation of duties—for those responsible for initiating, authorizing, recording, and safeguarding the organization’s assets—is a key internal control in any area of organization operations.
The audit committee is also integral to organizational risk management. It is responsible for identifying and addressing risks that threaten the organization and its ability to achieve its strategic and tactical objectives. The audit committee fulfills its risk management responsibility by monitoring the organization’s effort to identify, prioritize, and respond to organizational risks.
To address the risk of fraud, the audit committee acts proactively. At least one member of the audit committee should have a financial background (e.g., accounting). The members of this committee typically meet more frequently than the board of directors and need to have an understanding of the risks associated with management override and collusion. The audit committee communicates to the board the status of any fraud allegations, communicates with the external auditor, and reviews the auditor’s plan with respect to fraud risks. It also provides oversight of management’s efforts to prevent, deter, and detect fraud and seeks the advice of legal counsel, as needed.
The organization’s culture plays an important role in preventing, detecting, and deterring fraud. Like the board of directors, the organization’s executive leadership sets the tone at the top by acting ethically and following policies and procedures. The conduct of the leaders within an organization creates an environment that sets an example for others. The organization’s leadership is also responsible for the design and implementation of the fraud risk management program. The words and actions of organizational leadership need to communicate the following:
In addition, organizational leadership needs to implement effective internal controls, including documenting fraud risk management policies and procedures. Once in place, organizational leaders need to evaluate the effectiveness of controls by compiling information from various areas of the organization. Armed with this information, leadership needs to regularly report its efforts to the board of directors, including the following information:
If external auditors discover fraud involving senior leadership and/or officers, the auditor should report such incidents to the audit committee/board of directors.
To be effective, fraud risk management needs to be assigned to a leader who is a senior member of management. The fraud risk management leader should do the following:
The Institute of Internal Auditors (IIA) states that internal auditing is an (a) independent, (b) objective assurance, and (c) consulting activity designed to (a) add value and (b) improve an organization’s operations. Internal audit fulfills this assignment through a systematic, disciplined approach to the evaluation and improvement of
Related to fraud risk management, internal audit provides objective assurance that fraud controls are sufficiently designed and are functioning effectively. Further, internal audit can be integral in assessing the risk of management override and collusion. Optimally, members of this department have regular interactions with the organization’s fraud risk management personnel. Similar to external auditors, internal auditors are expected to exercise professional skepticism:
Internal audit may be involved early in suspected fraud concerns and may lead fraud examinations. Even if fraud examinations are completed by others, internal audit may assist the remediation process by conducting root cause analysis, identifying control improvements, monitoring the reporting/whistleblower hotline, and providing ethics, compliance, and antifraud training. An inherent assumption is that internal auditors working on compliance and antifraud issues have subject matter expertise—sufficient antifraud knowledge, skills, and competencies, including the following:
Accounting personnel are in a unique position to deter and prevent fraud. Accounting educational requirements typically include basic accounting, auditing, and systems courses that devote considerable time to internal controls. As such, in terms of closing down the fraud triangle role of “opportunity,” accountants, properly trained and motivated, are integral to effective compliance and antifraud efforts. They also ensure that the financial statements properly reflect, to the best of their ability, the economic performance and financial condition of the organization. The accounting department also contributes to tax compliance efforts, such as filing payroll and income tax forms with taxing authorities. Income tax filings usually include reconciliation between taxable income and financial income—very useful in most forensic accounting engagements. In general, the role of accounting personnel includes:
One of the keys to fraud deterrence is to prevent, to the extent possible, applicants who have a demonstrated track record of improper conduct, unethical behavior, or prior frauds from becoming employees. This requires proper personnel policies, through background checks and a complete set of reference checks. Upon entrance into the organization, compliance and antifraud training should be standard requirements for all employees at all levels. Such training should be tailored to the types of duties the employee will have and the associated risks. Periodic performance evaluations and compensation systems should be designed to reinforce ethical behavior in compliance with organizational policies, procedures, and best practices. Finally, all terminated employees should be required to complete an exit interview with a human resources representative, who is independent of the department in which the employee worked.
The organization should have opportunities for employees, vendors, customers, and other stakeholders to report compliance issues. Reporting mechanisms should include an “open-door” policy where employees are encouraged to report to direct supervisors, where appropriate. In some situations, however, employees may need to report issues further up the chain of command, if their immediate supervisor is part of the problem. Employers should also provide reporting opportunities that are anonymous (e.g., whistleblower hotline). Best practices for reporting compliance issues, including suspected fraud, demonstrate the following characteristics:
All organizational personnel contribute to effective compliance and antifraud programs. In general, line employees and staff play the following roles:
Properly motivated and tasked line employees and staff help create a strong control environment.
The role of legal and compliance is to ensure that the organization is conducting business to meet external requirements such as legal and regulatory guidelines and be in line with the organization’s internal ethical expectations and culture. Legal and compliance guidelines partially depend on the context in which a company operates such as local, state, national, and global jurisdictions as well as its industry. Written company policies and procedures outline compliance standards and expectations. Properly executed, compliance and legal also act to enhance the organization’s reputation while minimizing the risk of civil and criminal lawsuits. Compliance and legal personnel may also help educate organization personnel regarding important compliance, legal, regulatory, policy and procedure requirements, best practices to avoid compliance issues, and organizational expectations.
An effective fraud risk management and compliance program is at the heart of fraud deterrence. According to the Fraud Risk Management Guide,15 first published as Managing the Risk of Fraud: A Practical Guide,16 such a program has ten key points of focus.
First, the organization and its leadership must demonstrate a commitment to compliance and an antifraud environment. This commitment starts with visible actions and words communicated by the board of directors and organizational leadership, including a code of conduct. Relevant documents are shared with employees, vendors, and customers.
Second, the program emphasizes awareness. Organizational leadership visibly conveys compliance and fraud risk management expectations and alerts organizational stakeholders to specific fraud and misconduct schemes. Compliance and fraud risk assessment efforts are visible through assessment, training, and communication efforts.
Third, organizational leaders and stakeholders are asked to acknowledge and affirm their commitment to compliance and effective antifraud efforts by reading, understanding, complying, and signing documentation. Personnel and stakeholders who refuse to participate face consequences.
Fourth, the organization expects conflict-of-interest disclosure when such situations arise. A conflict of interest involves “a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.” Disclosure does not result in automated action. Rather, several outcomes are possible:
Fifth, the organization systematically completes its compliance and fraud risk assessment on a recurring basis. The efforts to manage risks, including the involvement of appropriate personnel throughout the organization, consider relevant fraud schemes and scenarios and map those to mitigating controls. The communication of the existence of the compliance and fraud risk assessment process may act as a deterrent. Research has suggested that brainstorming, properly deployed, can facilitate the identification of noncompliance and fraud risks. Upon completion, the assessment should be shared with the Board of Directors and Audit Committee. Other relevant attributes of effective noncompliance and fraud risk assessments are as follows:
Sixth, the organization has reporting procedures (e.g., hotline) and whistleblower protection, zero tolerance for compliance violations, and the expectation that suspected compliance violations and suspected fraud will be reported immediately. Those reporting channels are clearly defined and communicated to employees, vendors, and customers. The protections afforded to individuals reporting suspected issues are also communicated to those in a position to act on it.
Seventh, the organization has a documented protocol for handling reported allegations and a review process. Personnel involved with the review or investigation of allegations understand the rules of evidence, the chain of custody, reporting mechanisms to those charged with governance, and the relevant regulatory requirements and legal issues.
Eighth, the compliance and fraud risk management program includes remediation. Remediation includes the following:
Ninth, compliance and fraud risk management evaluation and improvement activities are designed to ensure high-quality programs. At the same time, stakeholders need to understand that compliance and fraud risk management does not mean that the organization has 100% noncompliance and fraud prevention, but rather, that there is still some risk of noncompliance and fraud.
Tenth, the program includes an iterative feedback loop to ensure continuous monitoring and improvement.
Once an allegation of noncompliance or a compliance violation is received or identified through detection efforts, the response needs to be systematic, prompt, examined by competent personnel, and confidential. Other considerations for the examination include the need to
As discussed in prior chapters, to properly examine allegations of noncompliance may require any or all of the following:
The organization should have a tracking or case management system to monitor on-going allegations.
The goals of the reporting process are to improve loss recovery and minimize litigation and reputational damage. Reporting is based on monitoring of MEASURABLE criteria that might include the following metrics:
The last aspect of a good fraud deterrence program requires that the organization react appropriately to symptoms of fraud, red flags, badges of fraud, and other early warning signals. Dr. Steve Albrecht references six types of anomalies that should be investigated at the earliest point of recognition: accounting anomalies, weak internal controls, analytical anomalies, lifestyle symptoms, behavior symptoms, and tips from potential informants. The following early warning signs are not compelling fraudulent indicators but are consistent with fraudulent behavior. Further, the listings are not meant to be exhaustive.
ACCOUNTING ANOMALIES
INTERNAL CONTROL CONCERNS
ANALYTICAL ANOMALIES
LIFESTYLE SYMPTOMS
BEHAVIOR SYMPTOMS
Red-flag mitigation questions. Assuming that employees, supervisors, managers, leaders, antifraud professionals, auditors, and others will likely observe red flags, what is the next step? In general, red flags must be examined with evidence until the professional determines that the issue has a reasonable explanation, is an error that needs to be fixed, or is consistent with noncompliance or a fraudulent act and needs to be further examined to develop evidence around who, what, where, when, and how. Key red flag questions to consider include the following:
According to AdColony, fraud prevention pays. The organization conducted a survey of 250 advertisers and agencies and identified seven perks of fraud prevention in the advertising industry. According to AdColony’s website, “while honest partners are working diligently to combat and prevent ad fraud, others are simply dragging their feet, which does the entire ecosystem a disservice. After all, when ad fraud prevention is improved, so is overall ad effectiveness.” More specifically, the website identified seven benefits of ad fraud prevention17:
Fraud prevention involves deploying tools and techniques designed to ensure that a particular fraud cannot occur. Fraud in its totality cannot be prevented across an organization. The cost of fraud prevention would likely exceed the corresponding benefits. In line with this observation, fraud prevention efforts are usually focused to avoid key fraud risks, especially those with a high likelihood and/or a large impact. Even if the fraud prevention efforts are defeated, antifraud activities should mitigate possible impacts on the organization.
Where fraud deterrence is about establishing an antifraud environment where fraud is less likely, primarily because controls are not always cost-effective, fraud prevention tends to be focused on specific antifraud controls. To determine and prioritize which frauds to attempt to prevent, the organization needs to evaluate both materiality thresholds and fraud frequency concerns—the probability that a particular material fraud may occur. Once designed and in place, the prevention controls need to be examined and tested for effectiveness by examining an appropriate population of transactions.
Fraud prevention controls also tend to be focused on individuals and preventing individuals from perpetrating key fraud. As noted by the AICPA in 2005, collusion and management override remain risks to the organization, even in the face of strong prevention controls. The fundamental internal controls are designed and implemented based on the separation of duties among four “employees”:
Given the foundational role of separation of duties, fraud is still possible if (a) such separation is incomplete, (b) some employees collude to defeat separation controls, or (c) leadership acts to override preventive controls. In the absence of fraud prevention controls, or when such controls are inherently weak or incomplete, or concerns exist regarding management override and collusion, process controls help to fill the gaps. Process controls are consistent with the notion of deterrence, including the perception that fraud acts will be discovered. As noted in the fraud deterrence module, basic process controls include the following:
The following are some key controls related to specific fraud categories, including skimming, cash larceny, noncash asset misappropriation, billing schemes including shell companies, nonaccomplice vendor frauds, check tampering, payroll schemes, expense reimbursement schemes, register transactions, and corruption including bribery associated with kickbacks and bid rigging. These listings are considered key controls that help ensure the separation of duties. Further, the listings are not intended to be an exhaustive listing of all controls required to prevent fraud in a particular organization.
We have eight types of assignments for instructors to choose from:
Read the following articles or other related articles regarding the ZZZZ Best case and then answer the questions below:
Elmer-DeWitt, Philip, “ZZZZ Best May Be ZZZZ,” TIME in partnership with CNN, July 20, 1987.
Light, Larry, Oluwabunmi Shabi, and Kevin Kelly, “From Con to Convert,” Business Week, April 10, 1995.
Calabro, Lori, “Ten Questions for Barry Minkow,” CFO Magazine, January 1, 2005.
Ciulla, Joanne B., “Nothing But ZZZZ Best,” New York Times, August 8, 2008.
1. What was Barry Minkow’s original business?
2. What business allowed Barry Minkow to grow the company?
3. After the fraud was cleared, how much income did ZZZZ Best earn?
4. When Barry Minkow was young, what crimes, if any, did he allegedly commit?
5. Who, if anyone (person or organization), was responsible for detecting this scheme?
6. Does U.S. District Judge Dickran Tevrizian believe that Barry Minkow is reformed?
1. In general, how was Barry Minkow able to execute and perpetuate his fraud for so long?
2. In your opinion, were the ZZZZ Best auditors at fault for not catching this fraud earlier? Why or why not?
3. Given that the ZZZZ Best fraud occurred in 1987, why is society still plagued by financial statement frauds?
4. Do you believe that Barry Minkow is reformed, or do you believe that once a fraudster always a fraudster? Explain your answer.
Use a chart or graphical tools and techniques to present a robust compliance and fraud deterrence environment. Include on the chart or graphic:
Student material with step-by-step screenshots for completing the assignment is available from your instructor.
Assume the following facts:
Instructions: Part 1
Draw a graphic to depict these activities and their impact on the general ledger accounts. Include the necessary personnel and at least ten fraud prevention and deterrence tools and techniques to PREVENT a skimming scheme, assuming no collusion or management override. Post the personnel and those tools and techniques on the graphic.
Instructions: Part 2
What if the organization owner only hired one mailroom/office employee, one accounting clerk, and one accounting supervisor (assume no controller, no internal audit, and an annual review and tax compliance—not an annual audit). How would you alter your approach to create a robust skimming prevention environment?
The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.
These items will be provided by the course instructor. This is the last of the evidence.
Assignment:
Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination. In addition, the examiner also starts to think in terms of who, what (did the person(s) do), when (during what period?), where (physical place, location in books and records), and how (perpetrated, hidden, and did the perpetrator benefit). Your primary assignment is to examine the information and activity in the invoice and emails in terms of what (scheme), how the act was perpetrated, and what benefits there are, if any. As with any data, consider patterns, breaks in patterns, and anomalies. Your focus is what you can conclude from the evidence, understanding that cases are solved, not with an all-telling piece of evidence, the “smoking gun,” but rather by assembling small pieces of evidence into a coherent picture.
Case background: See Chapter 1.
Question: Do the payroll disbursement hours comply with Benford’s Law?
Student task: Students should (a) present the Benford’s Law results and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.
Case tableau background: See Chapter 1.
Question: Do the payroll disbursement hours comply with Benford’s Law?
Student task: Students should (a) present a graphic of the Benford’s Law results and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.