14
Antifraud and Compliance Efforts: Ethics, Prevention, and Deterrence

This chapter covers ethics, compliance, fraud deterrence, and fraud prevention. Franco Frande, former Chief of Financial Investigations for the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), often cited the anecdotal 10–80–10 Rule of Ethics: 10% of the population will commit bad acts whenever the opportunity presents itself (consistent with the notion of predators), 80% of the population might commit bad acts, depending on the circumstances (consistent with the notion of situational fraudsters), and the remaining 10% of the population will never commit fraud.1

In a 2018 report from ABC affiliate KTRK Channel 13 Action News in Houston and USA Today, a megachurch pastor and a Louisiana financial planner were accused of defrauding investors of more than $1 million.2 According to the news sources, a federal grand jury indicted Gregory Alan Smith, 55, of Shreveport, La., and Kirbyjon H. Caldwell, 64, of Houston, on six counts of wire fraud, four counts of money laundering, and one count each of conspiracy to commit wire fraud and conspiracy to commit money laundering.

Apparently, the pair offered quick and impressive returns on prerevolutionary Chinese bonds dating back to the 1940s, allegedly collecting as much as $3.5 million from investors. The indictment suggests that the bonds were worthless. To keep investors on the hook, the defendants made frequent calls and promises of payback to investors, suggesting that they “keep the faith.” Rather than invest their clients’ funds, the defendants were alleged to have used the money to pay personal loans, credit card balances, mortgages, vehicle purchases, and other personal expenses.

Caldwell had been the pastor of Windsor Village United Methodist Church, a 14,000-member megachurch in Windsor Village in Houston. News sources also indicate that Caldwell led the benediction at both inaugurations for former president George W. Bush and officiated at Jenna Bush’s wedding in 2008. If convicted, Smith and Caldwell could face fines of $1 million and up to twenty years in prison.

News reports, such as this, suggest that fraud is possible across all socioeconomic classes and even (some would say especially) among the most trusted individuals. Yet, with an ethical commitment and an understanding of compliance and strong fraud deterrence and prevention efforts, organizations can minimize the likelihood of fraud and other bad acts and minimize its impact when it does occur. In this chapter, the authors examine these topics across several modules. Those modules, along with the learning objectives, include the following:

  • Module 1 provides an overview of ethics and its important role in setting a solid foundation upon which compliance and antifraud efforts can be built. Module 1 has two overarching objectives: (a) identify ethical issues, conflicts of interest, and noncompliance with corporate policies and procedures in the context of decision-making and (b) discuss alternative courses of action in a given scenario within the framework of appropriate ethical conduct.
  • Module 2 dives deeper into organizational compliance—the process of making sure the organization and its employees follow ethical practices, laws, regulations, standards, policies, and procedures. While deterring and preventing fraud is consistent with the notion of compliance, it has a greater role that, properly implemented, helps organizations avoid civil and criminal litigation and reputation-damaging acts. The goal of module 2 is for readers to be able to articulate the role of compliance efforts and apply those in organizational decision-making.
  • Module 3 examines fraud deterrence efforts. In short, deterrence is not about preventing bad acts but rather about creating environments where bad acts are less likely. The learning outcomes for module 3 include the ability to identify major categories of fraud deterrence and evaluate organizational deterrence efforts.
  • Module 4 considers fraud prevention. No organization can prevent all fraud from occurring; however, when properly designed, organizations can reduce the risk of certain categories of fraud. The design of fraud prevention controls tends to rely heavily on the separation of duties for transaction initiation, authorization, recording, and asset safeguarding. This suggests that even the best fraud prevention efforts are at risk from management override and collusion. The objective for module 4 is for the reader to be able to evaluate an organization’s fraud prevention efforts and identify potential weaknesses in the system.

Many of the topics in compliance, fraud deterrence, and fraud prevention were also examined with regard to fraud detection, a topic covered in Chapters 8 and 9.

Module 1: Ethics3

Oreo Linderhoof, Loss Prevention Manager, takes a videotape labeled Store 522 Backroom Surveillance and carefully places the videotape on top of his desk near the guest chairs. Jim Thomas, Store Manager for retail location 522, arrives for his interview with Oreo. When Jim arrives, Oreo escorts Jim to his office and almost immediately is interrupted by a call. He asks Jim to please excuse the interruption and heads out of the office. Oreo returns fifteen minutes later and Jim “spills his guts.” He confesses to the theft of inventory, signs a written statement, and is taken from headquarters in handcuffs by the local police.

The rest of the story …

Oreo knows that Jim Thomas has been stealing high-value inventory from the store but he doesn’t know how. Based on examination of daily inventory counts correlated with scheduling over weeks, Oreo has concluded that Jim is the only person with the opportunity to have committed the theft. Despite surprise inventory counts, store surveillance, and other loss prevention techniques, Oreo cannot figure out how Jim is perpetrating the theft. Surveillance suggests that the inventory is not leaving through the front door and that Jim does not have an accomplice. Cash register analysis suggests that Jim is not taking cash through voids and refunds, a method that would also leave the inventory short.

Oreo hatches a scheme to catch Jim …

Oreo calls Jim at the store and schedules an interview at corporate headquarters. Store employees being called to corporate headquarters is never a good sign, and Oreo is hoping that this visit will make Jim nervous. In advance, Oreo instructs the receptionist to call him as soon as he and Jim are in his office. After excusing himself, Oreo goes to the break room, gets a cup of coffee, and then visits with several fellow employees. Essentially, he wants Jim to see the videotape labeled Store 522 Backroom Surveillance, and as noted above, his approach works. As soon as Jim sees the videotape, he believes that he has been caught “red-handed.” The issue: the videotape was blank; there was no backroom video surveillance. Oreo, being one of the best professionals in his field, caught his man.

Question: Was Oreo’s scheme to obtain Jim’s confession ethical?

The above scenario highlights some of the ethical dilemmas faced by professionals confronting individuals who perpetrate financial crimes. Ethics, trust, and responsibility are at the heart of compliance, fraud examination, and forensic accounting.

Ethics is defined as the branch of philosophy dealing with values relating to human conduct, with respect to rightness and wrongness of actions and the goodness and badness of motives and ends.4 Ethics has certain key elements:

  1. Ethics involves questions requiring reflective choice and their consequences to the individual and others (decision problems).
  2. Ethics considers the rules and regulations that are in place to guide behavior as well as the consequences for breaking those rules and regulations.
  3. Ethics often relies on moral principles to guide choices of right and wrong. (These ethical frameworks are discussed in more detail below.)
  4. Ethics is concerned with outcomes, the assigned impact associated with making a decision where the impact reflects the underlying values of individuals and organizations.

A discussion of ethics goes hand-in-hand with that of criminology because fraudsters often make poor ethical decisions prior to committing criminal acts. Consider, for example, financial statement fraud: perpetrators frequently find themselves on an ethical slippery slope, using an accounting choice as a tool for earnings management to maximize bonuses and influence financial returns and the financial markets. When earnings management isn’t enough, the individual finds himself at a point of no return, moving from the slippery slope of earnings management to fraudulent financial statements.

When does the fraud examiner or forensic accountant face an ethical dilemma? Whenever there are several choices, all outcomes have somewhat negative effects, and the correct choice is not obvious. Such dilemmas arise when many people could be harmed and some may benefit while others will not.

Consider another scenario: is it ethical for a fraud examiner or forensic accountant to lie to a perpetrator during an interview to elicit a confession? Most people agree that lying is wrong. Most also agree that an embezzler should not get away with their crime. If lying is the only way to get a white-collar criminal to confess, is lying ok? The answer isn’t obvious because both choices are imperfect: (1) not lying, but the perpetrator gets away; (2) lying and the perpetrator confesses. In either case, the fraud examiner or forensic accountant must choose from a flawed set of options.

Closely associated with ethics is the concept of values. Values are the personal and social criteria that influence choice—family, friends, peer groups, nationality, culture, and economic and social classes. Values are learned beginning in childhood and are the conventions upon which choices are evaluated.

Approaches to Ethical Problem Solving

Is It Legal, or Does the Conduct Violate Known Rules?

Looking to laws and rules is one approach to resolving an ethical dilemma. Most professional associations’ codes of conduct, for example, require that professionals avoid breaking the law. This is a practical approach, and a starting point for determining if certain conduct should be avoided. The law, however, is the lowest threshold for ethical decision-making.

It may happen that a law might permit an action that is prohibited by a profession’s code of ethics. As an example, for years the American Institute of Certified Public Accountants (AICPA) had rules of ethics that prohibited advertising by its members. The profession believed that dignity and objectivity were enhanced by keeping practitioners out of this aspect of the commercial world. The U.S. Federal Trade Commission and the U.S. Department of Justice, however, disagreed. They decided that the prohibitions against advertising violated the laws barring restraint of trade. The government forced the profession to eliminate its rules against advertising. This example illustrates the triumph of one set of values (the government’s belief that competition through advertising would benefit consumers) over another set (the profession’s belief that dignity should be preserved).

The Means versus the Ends

A second approach to ethics suggests that it is ok to “fight fire with fire.” As Sean Connery’s character, Malone, asks Eliot Ness (Kevin Costner) in The Untouchables, “What are you prepared to do? … You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital; you send one of his to the morgue.” Essentially, this is an outcome-based ethical framework. Its purpose is to justify actions that otherwise could be considered immoral, unethical, or illegal. The problem with means–ends analyses is that they are often superficial, ending with the needed justification but failing to fully consider other aspects and consequences of the actions.5

Ethical Principles

The Imperative Principle

Ethical principles, on the other hand, refer to the process upon which an ethical decision is analyzed or evaluated. Inherently, values are incorporated into the principles that help guide choice. The imperative principle is one of three ethical principles that provide a framework for ethical decision-making and is based on the work of philosopher Immanuel Kant. Although the following characterization is overly simplistic, Kantian philosophy tends to ignore outcomes by providing directives and rules without exception that are in the best interest of society as a whole. For example, under Kantian imperatives, “lying is always wrong.” A society cannot exist if it is based on lies. Furthermore, society should value telling the truth over lying because society cannot exist if everyone is told to lie all the time (the alternative imperative is to never tell a lie).

This unconditional obligation assumes that all people are aware of the rule and all agree to follow the rule. The Kantian imperative is very strict but provides an easy-to-understand framework for ethical decision-making. However, Kant himself recognizes that at times, all general rules must have exceptions. While the Kantian imperative is almost impossible to follow all of the time, in practice, the prospect of violating an imperative alerts a person that he or she is faced with an ethical problem. Once the dilemma is identified, the fraud examiner or forensic accountant can seek out additional considerations for weighing the consequences.

The Utilitarian Principle

The utilitarian principle, championed by John Stuart Mill, suggests that ethical problems should be solved by weighing the good consequences and the bad consequences. The correct course of action is that which provides the most good or minimizes the bad. Like Kantian imperatives, the consequences to society are generally more important than those to individuals. Mill identifies two forms of utilitarianism, “act” and “rule.” Act utilitarianism suggests that it is the consequences of the act that matter. For example, “honesty (an action) is the best policy,” subject to the evaluation of the specific circumstances, might suggest that an alternative action, lying, provides better consequences in this particular situation. Individuals making the decision have the power to decide, so their value system drives the evaluation process of possible outcomes (consequences) and the final decision.

In contrast, rule utilitarianism emphasizes the benefits to society of general rules (similar to a Kantian imperative) and suggests that the decision to break a rule is one that requires very careful consideration. Rule utilitarianism requires that society as a whole be able to determine which rules are important and ought to be followed. Rules then are also influenced by history, nationality, culture, social goals, and, at some level, economics.

The difficulty with utilitarianism is the variation in outcomes. In any situation, almost any act can be justified, and the choice is always a product of where a person (act) or society (rule) came from: family, friends, peer groups, nationality, ethnic background, and economic and social classes. Furthermore, it is difficult for everyone to agree on universal principles.

The Generalization Principle

The generalization principle is an attempt to marry Kantian imperatives with utilitarianism and was proposed by Marcus G. Singer. The generalization argument is as follows:

If all relevantly similar persons acting under relevantly similar circumstances were to act a certain way and the consequences would be undesirable, then no one ought to act in that way without a reason.

More simply, the generalization argument poses the following question as a first assessment:

What if everyone acted that way?

If the outcome is considered undesirable, then that conduct ought to be avoided unless the person has a very good reason. Generalization provides the flexibility needed to address the shortcomings of Kant and the specific direction that seems to be missing from utilitarianism. Of course, the success of the generalization argument is dependent on the specific value assessments of the individual decision-makers. Furthermore, generalization is invalid when an argument is either invertible or reiterable. Invertibility occurs when both doing something and not doing something lead to bad consequences. In such a circumstance, no generalization argument can be formulated. Reiterability occurs when arbitrary times, places, persons, or other factors can be inserted into a generalization in such a way as to make the generalization outcome nonsensical.

Ethics, Trust, and Responsibility

Although the preceding principles provide a framework for ethical decision-making, alternative decisions may result in variations of good and bad consequences. Therefore, the task is a difficult one and the choice must be left to individuals. It is impossible to provide a blueprint for every situation with laws, rules, and exceptions. The bottom line is that civilized societies are grounded in trust with underlying values and implicit codes of conduct that guide behavior. The decision process is difficult, and the range of possible outcomes suggests that the right choice is not always obvious. Though doing the right thing can be difficult, as members of society, we have a responsibility to reach for that goal every day, without exception.

Ethics and Values as Drivers of Personal Behavior

To be successful, professionals in the specialized field of fraud examination and forensic accounting must have an ethical framework for appropriate decision-making. Although the preceding material has suggested approaches to solving ethical problems, the fraud and forensic professional needs to strive for the highest degree of ethics and moral conduct. This perspective requires that the individual think about possible difficult situations and develop his or her own framework for decision-making, to the extent possible, in advance. Next, the individual needs to make the commitment required to follow his or her ethical values in all cases except those that have extreme consequences.

In practice, antifraud and forensic professionals can start with rules, laws, and Kantian imperatives to identify ethical situations (ethical dilemmas) that require more in-depth evaluation. Once the ethical problems have been identified, the evaluation process begins and professionals can use an appropriate framework for ethical problem solving, including using personal rules and processes for decision-making. The antifraud and forensic professional is not alone, and should solicit the input and opinions of other practicing professionals. In some cases, guidance and advice from professional organizations and associations can assist the individual in making the best decision. Once the alternative outcomes have been carefully considered and a decision is made, the professional can then move forward to implement that decision. This process will help to ensure that the anticipated goals are realized while also attempting to mitigate any negative consequences.

Students who are considering entering the field of fraud examination and forensic accounting must consider decisions that they made in the past. For example, some may have past criminal convictions that might exclude them from entry into the profession. While most offenses may not prevent a prospective student from exploring his or her options, he or she should be aware that honesty is the best policy. Get caught in a lie, and your career could be over. Tell the truth and explain the facts and circumstances of a less than perfect past, and at least the individual (applicant) will have created a foundation of trust to repair the damage caused by prior conduct.

Professional Conduct

Professions are set apart by five characteristics6:

  1. A specialized body of knowledge
  2. Admission governed by standards and qualifications
  3. Recognition and acceptance by society (a characteristic that inflicts social responsibility back on the profession)
  4. Standards of conduct for dealing with the public, other professionals, and clients
  5. An organizational body devoted to the advancement and responsibilities of the profession

These characteristics impose responsibility on both the profession and the individual professional. Normally, such responsibilities are captured in the profession’s code of conduct. For example, Certified Fraud Examiners (CFE), as designated by the Association of Certified Fraud Examiners (ACFE), have the following code of ethics7:

  1. A Certified Fraud Examiner shall at all times demonstrate a commitment to professionalism and diligence in the performance of his or her duties.
  2. A Certified Fraud Examiner shall not engage in any illegal or unethical conduct, or any activity which would constitute a conflict of interest. (Note that the Certified Fraud Examiner has no exception for cases where they may be unaware that a particular law exists.)
  3. A Certified Fraud Examiner shall, at all times, exhibit the highest level of integrity in the performance of all professional assignments, and will accept only assignments for which there is reasonable expectation that the assignment will be completed with professional competence.
  4. A Certified Fraud Examiner will comply with lawful orders of the courts, and will testify to matters truthfully and without bias or prejudice.
  5. A Certified Fraud Examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party.
  6. A Certified Fraud Examiner shall not reveal any confidential information obtained during a professional engagement without proper authorization.
  7. A Certified Fraud Examiner shall reveal all material matters discovered during the course of an examination, which, if omitted, could cause a distortion of the facts.
  8. A Certified Fraud Examiner shall continually strive to increase the competence and effectiveness of professional services performed under his or her direction.

Forensic accounting professionals and the valuation community have professional bodies, such as the AICPA’s Forensic and Valuation Services (FVS) Section and the National Association of Certified Valuation Analysts (NACVA), that provide a vast array of resources, tools, and information for members and credential holders—CFF, ABV, CVA, etc.

Ethics at Client Entities: The Foundation for Fraud Prevention and Deterrence

Whereas the prior sections dealt with ethics at the individual and professional level, ethics are an important part of organizational behavior. In fact, ethics is the foundation for fraud deterrence and prevention both by individuals within an organization and by the organization itself.

Tone at the Top and a Culture of Ethical Behavior

Ethics at the organizational level starts with corporate governance. The Board of Directors, the Audit Committee, executives, managers, clerical support, and line personnel are the living, breathing embodiment of ethics within the organization. The Board of Directors, Audit Committee, and corporate officers set the “tone at the top.” Tone at the top refers to a culture that is open, is honest, and communicates the values of the organization to persons at all levels, both internal and external to the organization.

The first step in developing an ethical culture is a code of ethics signed by all personnel. In addition, the company’s position on ethics should be posted in visible places, such as lunchrooms, and communicated across the organization. Employee awareness programs, such as periodic ethics training, are effective tools and, of course, leaders lead by example. Employees will take their cues from their managers, managers from executives, and executives from their interaction with board members, audit committee members, and auditors. It is important that individuals in leadership positions not only communicate the value of ethical actions, but also practice what they preach. Furthermore, individuals at the top must be willing to listen to those operating at lower levels within the organization, because even when an organization has an ethical tone among its senior managers, that culture may not be reflected in the values of middle and lower management—sometimes referred to as “mood in the middle” and “buzz at the bottom.”

Second, the organization should be committed to hiring honest executives, managers, and staff. While most organizations attempt to contact prior employers and resume references, many organizations provide only minimal information about former employees and are reluctant to provide any negative feedback for fear of legal retribution. References provided by prospective employees are typically friends and professional acquaintances, so prospective employers should seek out prior supervisors. Although costly, organizations should consider background checks on prospective employees. Due to cost constraints, organizations may want to restrict the positions for which background checks are completed. To avoid charges of discrimination, prospective employers need to complete such checks in a consistent manner and in compliance with corporate policy.

Once individuals are hired, they need to be properly supervised. The most common excuse by managers for inadequate supervision is time constraints. Although “too much to do, in too little time” is a common complaint in today’s business environment, proper supervision is essential to maintaining good internal controls.

Training is another area that needs adequate attention. Many companies spend a considerable amount of time and resources developing their employees’ technical abilities, but little time or resources are generally spent developing supervisory skills.

Maintain an Environment Dedicated to Fraud Prevention and Deterrence

Once an organization has created the infrastructure to minimize fraud opportunities, the system has to be maintained. Supporting the antifraud environment requires continuing fraud awareness education. The fraud triangle indicates that one of the factors necessary for fraud to occur is rationalization. Failing to maintain a work environment that discourages fraud may enable an employee to justify unethical or illegal actions. Such rationalizations may include an employer’s failure to recognize a job well done, an employee’s overall job dissatisfaction, an employee’s perception that they are inadequately compensated for their work, an employee’s perception that the company owes them, and the misperception that no one is being hurt by their actions.

Another part of a good antifraud maintenance program is to provide assistance for employees with problems. In smaller companies, the human resources department may serve this function. In larger companies, there may be specific personnel devoted to assisting employees in exploring their options to solve a problem. This gives the employees the comfort to know that they are not alone and that their problem is “shareable.”

Part of maintaining a strong antifraud environment includes appropriate disciplinary procedures, such as prosecuting fraudsters where evidence suggests that such action is warranted. Effective discipline requires a well-defined set of sanctions for inappropriate behavior and strict adherence to those sanctions to avoid claims of discriminatory conduct.

One of the most effective antifraud deterrents is a hotline to receive anonymous tips from employees, customers, suppliers, vendors, contractors, and others. According to the 2016 ACFE Report to the Nations, tips and accidental discovery (candidates for tip reporting) account for almost 40% of fraud detection. Thus, anonymous tip hotlines are a tool that should be in place at all organizations of any size.

In cases where tips are made by employees, especially lower-level employees who report wrongdoing by their supervisors, whistle-blower protections should be in place. Unfortunately, even those whistle-blower protections that are established by law may not protect an employee from subtle, informal retribution, such as exclusion from meetings or marginalization—not giving him or her important information necessary to do his or her job.

Creating an antifraud environment also means minimizing opportunities for fraud. To accomplish this goal, companies need to establish and maintain a good internal control environment; monitor employee relationships for collusive potential; alert vendors and contractors to company policies; create tip hotlines; create expectations that fraudsters will get caught and will be punished; and proactively audit for fraud.8 Best practices to deter fraud include job rotation, surprise audits and reviews, open-door policies by upper-level management, and periodic testing of internal controls. Actively creating an antifraud environment means considering the following questions before fraud occurs:

What?
  • What could go wrong?
  • What assets are most susceptible?
Who?
  • Who has the opportunity to commit fraud?
  • Who has partial opportunity and who might they collude with to commit fraud?
How?
  • How could fraud be committed—asset misappropriation and financial statement fraud?
  • How effective is the internal control environment—policies and procedures?
  • How susceptible is the company to management override?
When (timing)?
  • When is fraud most likely to occur?
Where?
  • Where would the fraud occur?
  • Where would red flags (symptoms) manifest themselves?
Why?
  • Why might fraud occur? That is, pressures (nonshareable problems) created internally, such as performance bonus plans
  • Why might certain employees be driven to commit fraud? That is, pressures (nonshareable problems) observed in certain employees (e.g., gambling problems, debt, drug or alcohol abuse, or marital issues)

The who, what, where, when, how, and why are questions fraud examiners and forensic professionals often investigate once fraud is discovered. Those same attributes need to be considered, proactively, as companies develop their antifraud environment.

Five-Step Approach to Compliance, Fraud Prevention, Deterrence, and Detection

  1. Know the exposures (brainstorming, risk assessment, audit planning).
  2. Translate exposure into likely symptoms.
  3. Always be on the lookout for symptoms.
  4. Build controls, audit procedures, and data-mining programs to look for symptoms (red flags).
  5. Pursue symptoms to their logical conclusion and ground examination conclusions in the evidence (evidence-based decision-making).

Module 2: Compliance

In a March 2018 article, the Morgantown, WV Dominion Post noted that the producers of the film, “The Wolf of Wall Street,” agreed to a $60 million civil litigation settlement with the U.S. Government. According to the article, the production company benefited from a “massive Malaysian corruption scandal.” The case was part of a larger effort to recover losses from a Malaysian investment fund scheme designed to enrich the fund’s leadership and possibly the Malaysian Prime Minister. Ironically, the movie “The Wolf of Wall Street” was about a crooked stock trader.10

This textbook covers forensic accounting and fraud examination. Topics such as business valuation, forensic economics (e.g., employment issues and damages), and civil litigation are within the domain of forensic accounting. Compliance is an important consideration in helping to prevent fraud and mitigating losses when it does occur.

Civil litigation allows one party to sue another in most situations where something bad has happened, the defendant shares at least some liability, and the victim or injured party can prove damages. A good compliance program can minimize the risk of bad things happening and help to minimize the impact on all parties involved. In short, avoiding litigation is generally the preferred option, if possible.

A robust compliance program helps an organization to proactively identify risks and improve ethical behavior. Many think of risk and compliance in terms of fraud. However, risks come in many forms, including the following:

  • Economic: recessions, depressions, market volatility, currency exchange rates, and interest rates
  • Regulatory: occupational safety, environmental, and financial reporting
  • Cyber threats
  • Operational: challenges to quality, an efficient and effective workforce
  • Emerging technology: big data analytics, artificial intelligence, and robotic process automation (RPA)
  • Reputational and brand risks
  • Sustainability across all organizational dimensions

Organizations tend to face increasing competition from old rivals and unexpected new market entrants, products, and services. Acquiring and maintaining customers is an ongoing challenge common across all organizations. Political changes and geo-political upheavals are common and require early identification and management.

At the same time, society expects ethical organizational behavior, and the U.S. federal government and regulators have increased civil and criminal penalties. Some of the laws and regulations are as follows:

  • U.S. Foreign Corrupt Practices Act of 1977 (FCPA)
  • 1997 Organization for Economic Co-operation and Development Anti-Bribery Convention
  • U.S. Sarbanes–Oxley Act of 2002
  • U.S. Federal Sentencing Guidelines of 2005
  • Dodd–Frank Wall Street Reform and Consumer Protection Act 2010

The expectation of good governance and compliance efforts requires the attention of the organization’s board of directors, or equivalent oversight body, to ensure overall ethical behavior in the organization, regardless of the type of organization (public, private, government, or not-for-profit) and regardless of relative size or industry.

At the same time, fiduciary responsibility to stakeholders, including shareholders, employees, customers, vendors, governmental entities, community organizations, and media, has increased. All organizations are subject to risk. When bad things happen, the organization incurs costs, such as erosion of confidence in the organization; negative impact on reputation, brand, and image (locally, nationally, and internationally); legal costs of civil and criminal prosecution; and incarceration of key individuals. In some cases, those costs have been material enough to result in the downfall of entire organizations.

The compliance program isn’t meant to address each of these categories but is developed to help ensure that the organization is in compliance with laws, regulations, and its own processes, codes of conduct, ethical standards, and controls. Every organization needs to have a compliance strategy in place to proactively identify risks, develop a means to mitigate significant and material risk in a timely manner, and establish a protocol for thoughtful, effective, and efficient action. Compliance needs to start at the entity level but also reach into the organization’s departments and process levels where compliance violations and issues can often pose a threat to organizational integrity. Processes and departments to consider might include the following:

  • Accounts payable
  • Accounts receivable
  • Anti-money laundering and know your customer programs (e.g., client acceptance)
  • Cash disbursement
  • Cash management
  • Insurance risks and claims
  • Contract management
  • General accounting and financial reporting
  • Fixed asset acquisition and management
  • Human resources
  • Inventory
  • Information technology
  • Loan operations
  • Debt management
  • (Each) Operations area
  • Payroll
  • Procurement
  • Project management
  • Revenue generation
  • Security
  • Treasury

Multijurisdictional organizations whose operations span local, state, and national domains need to consider compliance in each locale. Compliance programs, processes, and technologies need to be in place to identify, prioritize, examine, and manage compliance violations and risks before they become significant events and material crises.

Robust policies and processes are critical elements of compliance efficiency and effectiveness. In fact, having a strong corporate compliance program helps organizations maintain compliance with external regulations, as well as internal policies and processes. Training employees on policies also goes a long way toward ensuring an ethical environment.

The organizational compliance protocol should start by categorizing potential, identified, and reported threats and risks. Next, compliance efforts need to gather relevant preliminary evidence to confirm the validity of allegations. Once confirmed, compliance leadership needs to evaluate the severity of the allegations. How significant is the threat in terms of dollars and cents, but also in terms of reputation and brand?

Those compliance violations deemed significant need to be escalated to appropriate levels of leadership so that the investigation can proceed. Lesser compliance concerns can be resolved where the compliance transgression arose. Some issues identified through the compliance program are likely to be beyond the scope of compliance or the domain of compliance leadership. In such cases, the issue needs to be referred to other responsible leadership in the organization (e.g., legal).

At this point, with the allegation preliminarily confirmed with evidence and within the purview of compliance, the organization needs to conduct additional fact-finding and examination of the issue. Most compliance issues face some level of time sensitivity. Further, examinations, to the extent possible, need to be conducted with confidentiality in mind and to protect organizational legal privileges. As with all examinations, evidence-based decision-making and objectivity are most important.

Upon completion of the examination, steps need to be identified to resolve or close the investigation. Resolution may include notification of regulators, law enforcement, insurers, and external auditors. Administrative considerations are also important, including the following:

  • Processes and procedures to collect and preserve evidence, information, and data
  • Listing types of information that should be kept confidential
  • Defining how the investigation will be documented
  • Managing and retaining documents and information

Generally, compliance issues need to be examined at one level higher than the level of the allegation. For example, alleged violations by executive leadership would be examined by the Board of Directors. Professionals who participate in examining allegations of compliance violations might include the following people:

  • Fraud examiners
  • Internal auditors
  • External auditors
  • Forensic accountants
  • Legal and compliance personnel
  • Human resources personnel
  • Security or loss prevention personnel
  • Information technology personnel
  • Computer forensics specialists
  • Management representative(s)

Best practices for compliance include being proactive, as well as

  • Communicating expectations
  • Training employees in areas important for organizational compliance
  • Making available a variety of reporting mechanisms, including anonymous tip hotlines

Given a robust compliance program, if and when a bad issue occurs, the organization’s compliance efforts should result in more efficient identification and resolution.

Module 3: Fraud Deterrence

Will Gerken and his coauthors completed a study that looked at the finance industry and what happens when you introduce a bad employee—someone who’s committed some kind of misconduct—to a new team. The authors found that bad behavior can spread. More specifically, Gerken examined the financial advisory industry and found that when employees are exposed to a colleague who is engaging in bad business practices, the employees become about 40% more likely to engage in similar bad practices. According to Gerken, employees who are behaving well before they’re exposed to the bad acts appear to update their beliefs about the possible consequences of bad behavior.

Consider a colleague who’s engaging in these practices: that colleague may get an extra bonus because they’re aggressively selling to their clients, or they might get a slap on the wrist. In this context, seemingly good employees update their own beliefs and become more likely to engage in bad behavior. In the same situation, Gerken and his coauthors were unable to document a reduction of misbehavior on the part of a bad employee when put in an ethical environment. Gerken suggests that the biggest practical takeaway for hiring managers is that there are spillover effects of hiring a new employee with a prior history of less than desirable acts.11

Internal controls and fraud prevention efforts are not always cost-effective. In essence, the perceived benefits of prevention do not, or may not, exceed the costs of setting up robust prevention efforts. In some cases, while the cost of prevention is known, the benefits of prevention are much harder to quantify. Practically speaking, organizations will be able to effectively and efficiently prevent some frauds, while others are not considered sufficiently likely to occur or of significant magnitude to warrant specific prevention efforts. Given such issues, fraud prevention efforts need to be wrapped in fraud deterrence—efforts to help stakeholders make the right decision even when they are not required to do so or prevented from making a poor decision. Anecdotally, fraud deterrence is centered on two ideas:

  • The fear of getting caught
  • The fear of getting punished

While research has yet to sort out the relative deterrent power of getting caught versus fear of punishment, practitioners in the field strongly feel that these concepts drive fraud deterrence. Interestingly, the awareness that fraud prevention controls are in place serves as one aspect of fraud deterrence (getting caught and punished). Deterrence efforts also include detection controls (e.g., supervisory reviews, surprise audits). Such efforts create the perception that would-be fraudsters are likely to be caught. Fraud detection is addressed in a separate chapter and will be afforded little additional coverage here.

The Perception of Detection

As noted in the meta-model in Figure 14-1, a would-be fraudster faced with the fraud triangle elements of perceived pressure, opportunity, and rationalization examines the necessary elements of fraud—the fraud act, the required concealment, and especially the conversion (the benefit to the fraudster). It’s likely that the perceived benefit drives much of the fraudster’s decision. However, between the potential fraudster and the actual commission of the fraud are organizational antifraud efforts to deter, detect, and prevent frauds. Presumably, some frauds do not occur because the would-be fraudster perceives the antifraud efforts to be effective and his or her chances of success—in terms of committing and concealing the scheme and realizing the benefit—are at risk because of organizational antifraud efforts.

FIGURE 14-1 Meta-model of fraud and white-collar crime

Fraud deterrence goals and objectives are in line with those of the overall fraud risk management. The deterrence program should outline and explain the organization’s perspectives on fraud and, in broad strokes, outline the organization’s fraud risk program. Communications should also identify those fraud risks of high likelihood and impact. Given high-risk frauds, deterrence efforts also communicate to potential fraudsters that fraud prevention measures are in place.

One key aspect of effective deterrence is that the organization’s antifraud efforts need to be communicated. Without personnel awareness, deterrence will not be effective. As such, the organization can use a variety of mechanisms to make staff aware of the following:

  • Whistleblower hotlines
  • Compliance risk management processes and procedures in place
  • Fraud risk management processes and procedures in place
  • Types of fraud and misconduct to look for
  • Awareness of symptoms (red flags) that might indicate others are misbehaving

In addition to effective communication, leadership behavior that is consistent with an ethical environment is important. More recently, compliance and antifraud professionals have emphasized that it’s more than just “tone at the top”; it’s the conduct of those at the top that is more effective in encouraging personnel at all levels to act appropriately—“actions speak louder than words.” In essence, the tone and actions of personnel at every level of the organization are critical to produce a culture of ethical behavior; they set the standard for tolerance, or intolerance, of bad behavior and create an environment where making the right decision is embedded in the culture of the organization. Managers in the middle of an organization take their cues from the leaders at the top and play a critical role in communicating and reinforcing the desired behavior. Middle management’s acceptance of or resistance to living the corporate culture initiatives has been called “the mood in the middle.” An organization’s culture can easily be observed in the buzz of everyday hallway chats, day-to-day meetings, and emails, and has come to be known as “the buzz at the bottom.” As Lou Gerstner, former IBM chairman, once said, “Culture isn’t just one aspect of the game, it is the game.”12

According to a COSO study, “Fraudulent Financial Reporting: 1998–2007,” one of the critical findings was that the SEC named the CEO and/or CFO for some level of involvement in 89% of the financial statement fraud cases, up from 83% of cases in 1987–1997. Within two years of the completion of the SEC’s investigation, about 20% of CEOs and/or CFOs had been indicted, and more than 60% of those indicted were convicted. While the authors found relatively few differences in board of director characteristics between firms engaging in fraud and similar firms not engaging in fraud, 26% of the fraud firms changed auditors between the last clean financial statements and the last fraudulent financial statements, whereas only 12% of no-fraud firms switched auditors during that same time. About 60% of the fraud firms that changed auditors did so during the fraud period, while the remaining 40% changed in the fiscal period just before the fraud began.13

The board of directors, the audit committee, executives, and management are responsible for the corporate governance environment in an organization. The primary role of corporate governance is to protect investors, create long-term shareholder value, ensure investor confidence, and support strong and efficient capital markets.14 Most of the board’s work regarding governance is discharged through committees. To effectively carry out its primary functions, a committee must ensure its independence. A good corporate governance environment will set the “tone at the top” by creating a culture of honesty and integrity, with the leadership of the organization practicing what they preach. As the saying goes, “a fish rots from the head down,” and if corporate leadership doesn’t act in a responsible manner, it is doubtful that their subordinates will act differently.

Corporate leadership should also strive to create a positive work environment with efforts to increase employee morale, hire and promote employees who follow the company’s ethical guidelines, provide adequate compensation and professional development, and establish and monitor antifraud programs and controls. Effective corporate governance mechanisms include the following:

  • An organizational code of conduct supported by an embedded culture of honesty and ethical behavior
  • An independent and empowered board of directors
  • An independent and empowered audit committee
  • Organizational policies and reward systems that are consistent with espoused ethical values
  • Confidential disclosure methods
  • Effective legal and regulatory compliance and risk assessment

Responsibility for dealing with fraud risk resides with personnel at all levels of the organization, including leadership, line employees, staff, and internal and external auditors. Key players that are integral to fraud deterrence efforts include the following people:

  • Board of directors
  • Board of directors—audit committee
  • Senior/executive organizational leadership
  • Accounting personnel
  • Human resources
  • Business unit and operational personnel (line employees and staff)
  • Legal and compliance
  • Internal audit
  • External consultants (if needed to fill gaps)

Board of Directors

The board of directors plays a critical role in compliance and deterrence. The board sets the tone at the top, the standard for organizational intolerance of bad behavior. Effective boards also monitor the actions of senior management, organizational performance, and key strategic issues. Some best practices for boards are as follows:

  • A code of conduct specific to the board
  • A code of conduct specific to senior management
  • Emphasis on board independence
  • Ownership and control of their agendas
  • Information flow that ensures timely access to relevant data, analysis, and reports
  • Access to multiple layers of management, line employees, and staff (as appropriate for important board-level issues)
  • Monitoring to ensure effective whistleblower hotlines and reporting mechanisms
  • Independent board nomination processes
  • Independent board compensation processes
  • Effective senior management team, ensuring that evaluations, performance measurement, compensation, and succession planning are in place and effective

Audit Committee

The audit committee is a board of directors’ committee. The audit committee assists the board of directors in fulfilling its corporate governance and oversight responsibilities, relative to an entity’s financial reporting, internal control system, risk management system, and internal and external audit functions. Audit committees also monitor litigation and regulatory compliance risks through interactions with organization lawyers and compliance leadership and through reports authored by the legal and compliance offices.

A critical role of the audit committee is to monitor the effectiveness of the internal control system, internal audit (if such a separate department exists), and external audit. Internal control includes the policies and practices used to control the operations, accounting, and regulatory compliance of the entity. In general, separation of duties—for those responsible for initiating, authorizing, recording, and safeguarding the organization’s assets—is a key internal control in any area of organization operations.

The audit committee is also integral to organizational risk management. It is responsible for identifying and addressing risks that threaten the organization and its ability to achieve its strategic and tactical objectives. The audit committee fulfills its risk management responsibility by monitoring the organization’s effort to identify, prioritize, and respond to organizational risks.

To address the risk of fraud, the audit committee acts proactively. At least one member of the audit committee should have a financial background (e.g., accounting). The members of this committee typically meet more frequently than the board of directors and need to have an understanding of the risks associated with management override and collusion. The audit committee communicates to the board the status of any fraud allegations, communicates with the external auditor, and reviews the auditor’s plan with respect to fraud risks. It also provides oversight of management’s efforts to prevent, deter, and detect fraud and seeks the advice of legal counsel, as needed.

Organizational Leadership

The organization’s culture plays an important role in preventing, detecting, and deterring fraud. Like the board of directors, the organization’s executive leadership sets the tone at the top by acting ethically and following policies and procedures. The conduct of the leaders within an organization creates an environment that sets an example for others. The organization’s leadership is also responsible for the design and implementation of the fraud risk management program. The words and actions of organizational leadership need to communicate the following:

  • Compliance is expected.
  • Fraud is not tolerated.
  • Fraudulent/unethical behavior is dealt with swiftly and decisively.
  • Whistleblowers will not suffer retribution.

In addition, organizational leadership needs to implement effective internal controls, including documenting fraud risk management policies and procedures. Once in place, organizational leaders need to evaluate the effectiveness of controls by compiling information from various areas of the organization. Armed with this information, leadership needs to regularly report its efforts to the board of directors, including the following information:

  • What actions have been taken to manage compliance and fraud risks
  • The effectiveness of the fraud risk management program
  • Any remedial steps that are needed for an effective fraud risk program
  • Any actual frauds
  • Any actual violations of laws or regulations

If external auditors discover fraud involving senior leadership and/or officers, the auditor should report such incidents to the audit committee/board of directors.

To be effective, fraud risk management needs to be assigned to a leader who is a senior member of management. The fraud risk management leader should do the following:

  • Regularly evaluate the effectiveness of the antifraud program and its management
  • Adjust the tools, techniques, controls, and other aspects of fraud risk management as required
  • Report, through the appropriate channels, details of any modification necessary or any technique that becomes ineffective
  • Document and communicate adjustments to fraud risk management

Internal Auditors

The Institute of Internal Auditors (IIA) states that internal auditing is an (a) independent, (b) objective assurance, and (c) consulting activity designed to (a) add value and (b) improve an organization’s operations. Internal audit fulfills this assignment through a systematic, disciplined approach to the evaluation and improvement of

  • Risk management
  • Controls
  • Governance processes

Related to fraud risk management, internal audit provides objective assurance that fraud controls are sufficiently designed and are functioning effectively. Further, internal audit can be integral in assessing the risk of management override and collusion. Optimally, members of this department have regular interactions with the organization’s fraud risk management personnel. Similar to external auditors, internal auditors are expected to exercise professional skepticism:

  • A recognition that fraud, illegal acts, and unethical behavior may be present
  • An attitude that includes a questioning mind and a critical assessment of audit evidence to carefully examine red flags
  • A commitment to persuasive evidence (whether or not fraud or some other bad act is present)

Internal audit may be involved early in suspected fraud concerns and may lead fraud examinations. Even if fraud examinations are completed by others, internal audit may assist the remediation process by conducting root cause analysis, identifying control improvements, monitoring the reporting/whistleblower hotline, and providing ethics, compliance, and antifraud training. An inherent assumption is that internal auditors working on compliance and antifraud issues have subject matter expertise—sufficient antifraud knowledge, skills, and competencies, including the following:

  • Knowledge of fraud schemes
  • Examination skills, tools, and techniques
  • A general understanding of the legal environment surrounding allegations, the rights of individuals, and familiarity with other relevant legal considerations

Accounting Personnel

Accounting personnel are in a unique position to deter and prevent fraud. Accounting educational requirements typically include basic accounting, auditing, and systems courses that devote considerable time to internal controls. As such, in terms of closing down the fraud triangle role of “opportunity,” accountants, properly trained and motivated, are integral to effective compliance and antifraud efforts. They also ensure that the financial statements properly reflect, to the best of their ability, the economic performance and financial condition of the organization. The accounting department also contributes to tax compliance efforts, such as filing payroll and income tax forms with taxing authorities. Income tax filings usually include reconciliation between taxable income and financial income—very useful in most forensic accounting engagements. In general, the role of accounting personnel includes:

  • Having an understanding of opportunity, fraud schemes, concealment, and conversion (the elements of fraud)
  • Familiarity with red flags suggestive of noncompliance and fraud
  • Ability to generate, review, and draw conclusions from analytical work, including big data and financial analyses across time and in comparison to competitors and the industry
  • Understanding their critical role within the internal control framework, especially separation of duties
  • Recognizing that many accounting processes and procedures are designed to reduce fraud and noncompliance risks
  • Knowledge that failure to complete reconciliations of accounting records to those of independent third parties and other operating units in a timely manner may create an opportunity for fraud to occur and/or go undetected
  • Understanding whistleblower roles, responsibilities, and protections
  • Understanding requirements to act ethically and report suspicions or incidences of noncompliance and fraud
  • Contributing to thorough and complete examinations

Human Resources

One of the keys to fraud deterrence is to prevent, to the extent possible, applicants who have a demonstrated track record of improper conduct, unethical behavior, or prior frauds from becoming employees. This requires proper personnel policies, through background checks and a complete set of reference checks. Upon entrance into the organization, compliance and antifraud training should be standard requirements for all employees at all levels. Such training should be tailored to the types of duties the employee will have and the associated risks. Periodic performance evaluations and compensation systems should be designed to reinforce ethical behavior in compliance with organizational policies, procedures, and best practices. Finally, all terminated employees should be required to complete an exit interview with a human resources representative who is independent of the department in which the employee worked.

Anonymous Communications

The organization should have opportunities for employees, vendors, customers, and other stakeholders to report compliance issues. Reporting mechanisms should include an “open-door” policy where employees are encouraged to report to direct supervisors, where appropriate. In some situations, however, employees may need to report issues further up the chain of command, if their immediate supervisor is part of the problem. Employers should also provide reporting opportunities that are anonymous (e.g., whistleblower hotline). Best practices for reporting compliance issues, including suspected fraud, demonstrate the following characteristics:

  • Perceived by employees and others as safe, with an option for anonymous allegation reporting.
  • Available to employees, vendors, customers, and other stakeholders.
  • Availability must be communicated and widely known.
  • Open to any type of inappropriate behavior.
  • Recipients of allegations must be trained to attempt to obtain a complete story and identify relevant evidence that addresses important examination elements of who, what, when, where, how, and possibly why.
  • Recipients of allegations must take the allegations seriously and vet them thoroughly.
  • Examination of allegations needs to protect the privacy and rights of the accused.
  • Policies and conduct must ensure that no retaliation is taken against whistleblowers.

Line Employees and Staff

All organizational personnel contribute to effective compliance and antifraud programs. In general, line employees and staff play the following roles:

  • Having a basic understanding of fraud
  • Being aware of the red flags suggestive of noncompliance and fraud
  • Understanding their specific role and responsibility within the internal control framework
  • Recognizing that some job requirements are designed to reduce fraud and noncompliance risks
  • Knowledge that failure to complete their assignments in a timely manner may create an opportunity for fraud to occur and/or go undetected
  • Reading and understanding policies and procedures associated with their position
  • Understanding whistleblower roles, responsibilities, and protections
  • Agreeing to report suspicions or incidences of fraud
  • Cooperating in examinations

Properly motivated and tasked line employees and staff help create a strong control environment.

Legal and Compliance

The role of legal and compliance is to ensure that the organization conducts business in a way that meets external requirements, such as legal and regulatory guidelines, and is in line with the organization’s internal ethical expectations and culture. Legal and compliance guidelines partially depend on the context in which a company operates, such as local, state, national, and global jurisdictions, as well as its industry. Written company policies and procedures outline compliance standards and expectations. Properly executed, compliance and legal also act to enhance the organization’s reputation while minimizing the risk of civil and criminal lawsuits. Compliance and legal personnel may also help educate organization personnel regarding important compliance, legal, regulatory, policy and procedure requirements, best practices to avoid compliance issues, and organizational expectations.

Fraud Risk Management and Compliance Program

An effective fraud risk management and compliance program is at the heart of fraud deterrence. According to the Fraud Risk Management Guide,15 first published as Managing the Risk of Fraud: A Practical Guide,16 such a program has ten key points of focus.

First, the organization and its leadership must demonstrate a commitment to compliance and an antifraud environment. This commitment starts with visible actions and words communicated by the board of directors and organizational leadership, including a code of conduct. Relevant documents are shared with employees, vendors, and customers.

Second, the program emphasizes awareness. Organizational leadership visibly conveys compliance and fraud risk management expectations and alerts organizational stakeholders to specific fraud and misconduct schemes. Compliance and fraud risk assessment efforts are visible through assessment, training, and communication efforts.

Third, organizational leaders and stakeholders are asked to acknowledge and affirm their commitment to compliance and effective antifraud efforts by reading, understanding, complying with, and signing documentation. Personnel and stakeholders who refuse to participate face consequences.

Fourth, the organization expects conflict-of-interest disclosure when such situations arise. A conflict of interest involves “a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.” Disclosure does not result in automated action. Rather, several outcomes are possible:

  • Terminate the activity or leave the organization
  • Recognize the conflict of interest, monitor it but take no other immediate action
  • Impose certain constraints on activities associated with the conflict of interest
  • Document and disclose conflicts of interest with legal counsel

Fifth, the organization systematically completes its compliance and fraud risk assessment on a recurring basis. The efforts to manage risks, including the involvement of appropriate personnel throughout the organization, consider relevant fraud schemes and scenarios and map those to mitigating controls. The communication of the existence of the compliance and fraud risk assessment process may act as a deterrent. Research has suggested that brainstorming, properly deployed, can facilitate the identification of noncompliance and fraud risks. Upon completion, the assessment should be shared with the Board of Directors and Audit Committee. Other relevant attributes of effective noncompliance and fraud risk assessments are as follows:

  • Considering concealment risks, in addition to possible schemes and violations
  • Identifying relevant incentives and pressures that might be conducive to noncompliance and fraud
  • Considering conversion—the magnitude of the benefit to the fraudster derived from their acts—and the corresponding damage to the organization
  • Identifying the population of fraud risk, scaled to manageable and actionable levels
  • Ensuring that personnel involved in compliance and antifraud efforts have the requisite knowledge of compliance, fraud schemes, and risk symptoms (red flags)

Sixth, the organization has reporting procedures (e.g., hotline) and whistleblower protection, zero tolerance for compliance violations, and the expectation that suspected compliance violations and suspected fraud will be reported immediately. Those reporting channels are clearly defined and communicated to employees, vendors, and customers. The protections afforded to individuals reporting suspected issues are also communicated to those in a position to act on it.

Seventh, the organization has a documented protocol for handling reported allegations and a review process. Personnel involved with the review or investigation of allegations understand the rules of evidence, the chain of custody, reporting mechanisms to those charged with governance, and the relevant regulatory requirements and legal issues.

Eighth, the compliance and fraud risk management program includes remediation. Remediation includes the following:

  • Efforts to collect restitution for losses
  • Support for any legal actions: arbitration, mediation, criminal court, civil court
  • A postmortem to identify control weaknesses that allowed the compliance violation or fraud
  • Modification of operational processes, procedures, and internal controls to minimize the chances of a similar noncompliance or fraud recurring

Ninth, compliance and fraud risk management evaluation and improvement activities are designed to ensure high-quality programs. At the same time, stakeholders need to understand that compliance and fraud risk management does not mean that the organization has 100% noncompliance and fraud prevention, but rather, that there is still some risk of noncompliance and fraud.

Tenth, the program includes an iterative feedback loop to ensure continuous monitoring and improvement.

Fraud Action/Reaction AFTER Discovery

Once an allegation of noncompliance or a compliance violation is received or identified through detection efforts, the response needs to be systematic, prompt, examined by competent personnel, and confidential. Other considerations for the examination include the need to

  • Preserve evidence
  • Protect access to computerized information
  • Have trained specialist(s)
  • Consult with human resources
  • Consult with legal counsel

As discussed in prior chapters, properly examining allegations of noncompliance may require any or all of the following:

  • Exploiting technology, such as results of continuous auditing, big data analytics, email and text searching/analysis
  • Identifying hidden relationships among people, organizations, and events
  • Identifying suspicious transactions
  • Assessing the effectiveness of internal controls in the area of the allegation

The organization should have a tracking or case management system to monitor ongoing allegations.

The goals of the reporting process are to improve loss recovery and minimize litigation and reputational damage. Reporting is based on monitoring of MEASURABLE criteria that might include the following metrics:

  • Number of known noncompliance and fraud schemes committed against the organization
  • Number and status of noncompliance and fraud allegations received by the organization that required investigation
  • Number of noncompliance and fraud investigations resolved
  • Number of employees who have/have not signed the corporate ethics statement
  • Number of employees who have/have not completed ethics training sponsored by the organization
  • Number of whistleblower allegations received via the organization’s hotline
  • Number of allegations that have been raised by other means
  • Number of messages supporting ethical behavior delivered to employees by executives
  • Number of vendors who have/have not signed the organization’s ethical behavior requirements
  • Benchmarks with global compliance and fraud surveys, including the type of noncompliance and fraud experienced and average losses associated with such acts
  • Number of customers who have signed the organization’s ethical behavior requirements
  • Number of fraud audits performed by internal auditors
  • Results of employee or other stakeholder surveys concerning the integrity or culture of the organization
  • Resources committed by the organization to compliance and antifraud activities
  • Issue resolution time (average number of days to resolve an issue)
  • Repeat incidents (number of current period incidents that are similar in nature to incidents in earlier periods)
  • Value of losses recovered and estimate of future losses prevented

React to Early Warning Signs

The last aspect of a good fraud deterrence program requires that the organization react appropriately to symptoms of fraud, red flags, badges of fraud, and other early warning signals. Dr. Steve Albrecht references six types of anomalies that should be investigated at the earliest point of recognition: accounting anomalies, weak internal controls, analytical anomalies, lifestyle symptoms, behavior symptoms, and tips from potential informants. The following early warning signs are not compelling fraudulent indicators but are consistent with fraudulent behavior. Further, the listings are not meant to be exhaustive.

ACCOUNTING ANOMALIES

  • Missing supporting documents
  • Number and amount of reconciling items increasing
  • Reconciling items without documentary support
  • Reconciling items remain for more than one accounting cycle (generally appear on more than one reconciliation)
  • Excessive register voids and “no sale” transactions
  • Excessive accounts receivable write-offs
  • Excessive customer discounts or credits
  • Same/similar vendor and employee address
  • Altered documents
  • Duplicate payments
  • Missing second endorsement on checks
  • Checks out of sequence
  • Vendor invoices out of sequence
  • Sales invoices out of sequence
  • Handwriting concerns
  • Photocopied documents where originals are anticipated
  • Errors with unexplained, unusual, unreasonable sources
  • Journal entries without proper documentation
  • Journal entries without proper approval
  • Journal entries posted at unusual days of the week
  • Journal entries posted at unusual times of the day
  • Vendor complaints concerning payments
  • Customer complaints concerning invoices, discounts, credits, postings to accounts receivable in a timely manner
  • Unusual, frequent, or unaccounted for cash shortages
  • Vendor invoices that lack details: quantities; prices; descriptions of goods and services purchased; addresses; phone numbers
  • Vendors or customers that lack websites
  • Vendors whose address is fictitious, a residence, or a storage facility
  • Vendors whose payment usually states “hold for pick-up”
  • Vendors with sequential invoice numbers suggesting only one or a limited number of clients
  • Vendor invoices with differing payment addresses or instructions
  • Employees that are being paid through payroll who no longer work for the organization
  • Expense reimbursements without supporting documentation

INTERNAL CONTROL CONCERNS

  • Reconciliations are not reviewed and formally approved
  • Reconciliations not completed within thirty days of end of the month
  • Lack of timely reconciliations of general ledger accounts to subledgers
  • Lack of timely reconciliations to nonaccounting sources of data
  • Lack of timely reconciliations to independent sources of data
  • No periodic search for employee and vendor address matches
  • No periodic search for duplicate payments (same invoice number, same invoice amount)
  • No periodic search of missing second endorsement on checks
  • No periodic search for journal entries without proper documentation
  • No periodic search for journal entries without proper approval
  • No periodic search for journal entries posted at unusual days of the week
  • No periodic search for journal entries posted at unusual times of the day
  • No periodic search for duplicate payments
  • No periodic inventory of organization procurement/credit cards
  • Lack of segregation of duties: fewer than four persons associated with the process (required: person authorized to initiate a transaction; person authorized to approve a transaction; person authorized to record a transaction; person authorized to safeguard the asset postacquisition)
  • Lack of segregation of duties: four or more persons associated with the process but allocation of duties is inconsistent with segregation of duties (person authorized to initiate a transaction; person authorized to approve a transaction; person authorized to record a transaction; person authorized to safeguard the asset postacquisition)
  • No periodic inventory of organizational property, plant, and equipment items
  • Lack of searches for overriding internal controls and collusion:
    • Missing reviews
    • Lack of surprise audits
    • Lack of journal entry review
    • Lack of review and approval of estimates
    • Lack of review and approval of unusual transactions
  • International transactions:
    • Lack of consideration of FCPA issues
    • Lack of audit specific to FCPA concerns
    • Lack of operational and financial oversight in international locales
  • Related-party transactions
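Several of the periodic searches named in the list above can be run directly against ledger extracts. The following added example (not from the chapter) runs three of them over constructed records; the field names, the address abbreviation table, and the 07:00–19:00 weekday window used to define "unusual" posting times are assumptions.

```python
"""Three periodic searches from the internal-control list, over constructed data."""
import re
from collections import defaultdict
from datetime import datetime, time
from decimal import Decimal

# Constructed sample records (illustrative only, not from the chapter).
EMPLOYEES = [
    {"id": "E1", "address": "412 Oak St., Apt 3, Springfield"},
    {"id": "E2", "address": "9 Harbor Road, Springfield"},
]
VENDORS = [
    {"id": "V1", "address": "77 Industrial Pkwy, Springfield"},
    {"id": "V2", "address": "412 OAK STREET APT 3 SPRINGFIELD"},
]
PAYMENTS = [
    {"id": "P1", "invoice": "INV-1001", "amount": "1250.00"},
    {"id": "P2", "invoice": "INV-1002", "amount": "980.00"},
    {"id": "P3", "invoice": "inv-1001 ", "amount": "1250.00"},  # re-keyed copy of P1
    {"id": "P4", "invoice": "INV-1001", "amount": "4900.00"},   # same number, other amount
]
JOURNAL = [
    {"id": "J1", "posted": "2024-03-05T10:15:00", "approver": "E2", "support": "doc-1"},
    {"id": "J2", "posted": "2024-03-09T14:00:00", "approver": "E2", "support": "doc-2"},
    {"id": "J3", "posted": "2024-03-06T23:40:00", "approver": None, "support": None},
]

# Assumed abbreviation table; extend it for the address styles in real master files.
ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue",
                 "apt": "apartment", "pkwy": "parkway", "ste": "suite"}


def normalize_address(address):
    """Lowercase, drop punctuation, expand abbreviations so variants compare equal."""
    tokens = re.findall(r"[a-z0-9]+", address.lower())
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def employee_vendor_address_matches(employees, vendors):
    """Return (employee id, vendor id) pairs that share a normalized address."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalize_address(emp["address"])].append(emp["id"])
    matches = []
    for ven in vendors:
        for emp_id in by_address.get(normalize_address(ven["address"]), []):
            matches.append((emp_id, ven["id"]))
    return matches


def duplicate_payments(payments):
    """Group payments by the list's criterion: same invoice number, same amount."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["invoice"].strip().upper(), Decimal(p["amount"]))
        groups[key].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def journal_entry_flags(entries, open_at=time(7, 0), close_at=time(19, 0)):
    """Flag entries lacking documentation or approval, or posted at unusual days/times."""
    flagged = {}
    for e in entries:
        posted = datetime.fromisoformat(e["posted"])
        reasons = []
        if not e.get("support"):
            reasons.append("no documentation")
        if not e.get("approver"):
            reasons.append("no approval")
        if posted.weekday() >= 5:  # Saturday or Sunday
            reasons.append("unusual day")
        if not (open_at <= posted.time() < close_at):
            reasons.append("unusual time")
        if reasons:
            flagged[e["id"]] = reasons
    return flagged


if __name__ == "__main__":
    print(employee_vendor_address_matches(EMPLOYEES, VENDORS))
    print(duplicate_payments(PAYMENTS))
    print(journal_entry_flags(JOURNAL))
```

Each hit is a red flag to examine against supporting documentation, not a finding of fraud; an exact match on normalized text will miss deliberately varied addresses.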

ANALYTICAL ANOMALIES

  • Inventory: inventory write-offs exceed industry metrics
  • Inventory: inventory write-offs increasing across time
  • Inventory: unexplained/unusual inventory write-offs
  • Employee turnover greater than x%
  • Unexplained/unusual specification issues
  • Unexplained/unusual quality issues
  • Unexplained/unusual production scrap
  • Excess purchasing
  • Unexplained/unusual debit memos
  • Unexplained/unusual credit memos
  • Unexplained/unusual changes in account balances
  • Cash shortages
  • Unexplained/unusual vendor late charges
  • Unexplained/unusual travel expenses
  • Unexplained/unusual procurement card usage
  • Unexplained/unusual account relationships: increasing revenues; lack of A/R increases
  • Unexplained/unusual account relationships: A/R increases in excess of revenue increases
  • Unexplained/unusual account relationships: increasing revenues; lack of inventory increases
  • Unexplained/unusual account relationships: increasing revenues; lack of operating cash flow increases
  • Unexplained/unusual account relationships: increasing net income; lack of operating cash flow increases
  • Unexplained/unusual account relationships: increasing inventory; lack of A/P increases
  • Unexplained/unusual account relationships: increasing inventory; lack of warehouse cost increases
  • Unexplained/unusual account relationships: increasing sales volume; lack of decreasing cost per unit
  • Unexplained/unusual account relationships: increasing sales volume; aging receivables
  • Unexplained/unusual account relationships: increasing sales volume; decreasing scrap
  • Unexplained/unusual account relationships: arising from unit and sales dollar volume per store, per employee, per cubic foot of sales space, per sales transaction, per customer
  • Unexplained/unusual account relationships: financial performance out of line with industry metrics
  • Unexplained/unusual account relationships: financial performance out of line with key competitor metrics
  • Unexplained/unusual account relationships: tax return doesn’t reconcile to financial statements
  • Unexplained/unusual account relationships: patterns
  • Unexplained/unusual account relationships: pattern changes
  • Unexplained/unusual account relationships: round numbers
  • Unexplained/unusual account relationships: unusual cash transactions
  • Unexplained/unusual account relationships: unusually large transactions
  • Unexplained/unusual account relationships: unusual transaction timing
  • Account line items that significantly exceed budget
  • Account line items that significantly exceed industry or key competitor norms, especially for services
  • Account line items that significantly increase from one year to the next that are out of step with company growth in revenues
  • Unusual vendor payments in terms of quantity, frequency, and types of service inconsistent with sound business decisions
  • Unusual vendor payments where the organization lacks records of the service provided
  • Unusual vendor payments where the organization appears to be overcharged
  • Unexplained increases in the quantity of goods purchased
  • Unexplained inventory shortages and shortage trends
  • Vendors with payments regularly falling just below enhanced approval requirements
  • Payments to select vendors much faster than normal A/P turnaround
  • Excessive vendor double payments
  • Excessive vendor disbursement errors
  • Unusual purchasing activity by employees
  • Excessive A/P debit memos by employees
  • Excessive manual check disbursements
  • Unusual disbursements written to employees
  • Excessive vendor disbursements written to “cash”
  • Identification of employees with similar and identical names
  • Employees whose payroll hours exceed norms
  • Employees whose payroll wages exceed norms
  • Employees whose payroll salaries exceed norms
  • Payroll expense in excess of budget

LIFESTYLE SYMPTOMS

  • Extravagant
    • Clothing
    • Automobiles
    • Vacations
    • Number of homes
    • Size and cost of home(s)
    • Weekend trips
    • Gambling habits
  • New or high-priced house
  • Expensive jewelry
  • High-end recreational toys, such as boats, vacation homes, motor homes

BEHAVIOR SYMPTOMS

  • Recent changes in employee behavior
  • Suspected infidelity
  • Symptoms of high levels of stress:
    • Alcohol abuse
    • Drug abuse
    • Unusual/newly observed insomnia, irritability, inability to relax, nervousness, inability to look others in the eyes, embarrassment, defensiveness, argumentativeness, belligerence, intimidating others, excessive sweating
  • Confession
  • Excuses for performance issues

RECEIPT OF TIPS FROM POTENTIAL INFORMANTS

  • (including Employees, Customers, Suppliers, Family and Friends)

    Red-flag mitigation questions. Assuming that employees, supervisors, managers, leaders, antifraud professionals, auditors, and others will likely observe red flags, what is the next step? In general, red flags must be examined with evidence until the professional determines that the issue has a reasonable explanation, is an error that needs to be fixed, or is consistent with noncompliance or a fraudulent act and needs to be further examined to develop evidence around who, what, where, when, and how. Key red flag questions to consider include the following:

    • Does the anomaly have supporting documentation?
    • Does the documentation appear to be authentic (i.e., not falsified, altered, or fictitious)?
    • Do the transaction and its reflection in the financial statements make sense?
    • Does the transaction make sense in light of the company’s operations, goals, and objectives?
    • Does the totality of this and similar transactions make sense, analytically, when evaluated in comparison to the economy, the industry, key competitors, and other related accounting numbers within the organization?
    • Does the transaction have proper approval at proper authority levels?
    • Does the approval appear authentic?
    • Are there other aspects about the red flag that make it appear suspicious?

Module 4: Fraud Prevention

According to AdColony, fraud prevention pays. The organization conducted a survey of 250 advertisers and agencies and identified seven perks of fraud prevention in the advertising industry. According to AdColony’s website, “while honest partners are working diligently to combat and prevent ad fraud, others are simply dragging their feet, which does the entire ecosystem a disservice. After all, when ad fraud prevention is improved, so is overall ad effectiveness.” More specifically, the website identified seven benefits of ad fraud prevention17:

  • More efficient ad spending
  • Better campaign insights
  • Improved return on ad spending
  • Increased engagement
  • More efficient use of marketing staff
  • Improved ability to optimize messaging
  • Lower risk in experimentation

Fraud prevention involves deploying tools and techniques designed to ensure that a particular fraud cannot occur. Fraud in its totality cannot be prevented across an organization. The cost of fraud prevention would likely exceed the corresponding benefits. In line with this observation, fraud prevention efforts are usually focused to avoid key fraud risks, especially those with a high likelihood and/or a large impact. Even if the fraud prevention efforts are defeated, antifraud activities should mitigate possible impacts on the organization.

Where fraud deterrence is about establishing an antifraud environment where fraud is less likely, primarily because controls are not always cost-effective, fraud prevention tends to be focused on specific antifraud controls. To determine and prioritize which frauds to attempt to prevent, the organization needs to evaluate both materiality thresholds and fraud frequency concerns—the probability that a particular material fraud may occur. Once designed and in place, the prevention controls need to be examined and tested for effectiveness by examining an appropriate population of transactions.

Fraud prevention controls also tend to be focused on individuals and preventing individuals from perpetrating key fraud. As noted by the AICPA in 2005, collusion and management override remain risks to the organization, even in the face of strong prevention controls. The fundamental internal controls are designed and implemented based on the separation of duties among four “employees”:

  1. The person authorized to initiate a transaction
  2. The person authorized to approve a transaction
  3. The person authorized to record a transaction
  4. The person authorized to safeguard the asset postacquisition
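The four-role separation above can be tested against a transaction log. The following added example (not from the chapter) checks an authorization matrix and a log of who performed each duty; the names, the record layout, and the short duty labels are constructed for illustration.

```python
"""Separation-of-duties review over constructed data (illustrative only)."""
from collections import defaultdict

# The four duties from the list above, under assumed short labels.
DUTIES = ("initiate", "approve", "record", "safeguard")

# Constructed authorization matrix: who may perform each duty.
AUTHORIZED = {
    "initiate": {"avery", "blake"},
    "approve": {"casey"},
    "record": {"devon", "blake"},  # blake holds two duties: a design weakness
    "safeguard": {"emery"},
}

# Constructed log: who actually performed each duty on each transaction.
TRANSACTIONS = [
    {"id": "T1", "initiate": "avery", "approve": "casey",
     "record": "devon", "safeguard": "emery"},
    {"id": "T2", "initiate": "blake", "approve": "casey",
     "record": "blake", "safeguard": "emery"},
    {"id": "T3", "initiate": "avery", "approve": "frankie",
     "record": "devon", "safeguard": "emery"},
]


def overlapping_authorizations(authorized):
    """People authorized for more than one duty (incomplete separation by design)."""
    duties_by_person = defaultdict(list)
    for duty in DUTIES:
        for person in sorted(authorized.get(duty, ())):
            duties_by_person[person].append(duty)
    return {p: d for p, d in duties_by_person.items() if len(d) > 1}


def review_transaction(txn, authorized):
    """Return findings for one transaction; an empty list means four distinct,
    authorized persons performed the four duties."""
    findings = []
    performed = defaultdict(list)
    for duty in DUTIES:
        person = txn.get(duty)
        if person is None:
            findings.append(f"{duty}: no person recorded")
            continue
        performed[person].append(duty)
        if person not in authorized.get(duty, set()):
            # Someone acted outside the matrix: possible override of the control.
            findings.append(f"{duty}: {person} is not authorized")
    for person, duties in performed.items():
        if len(duties) > 1:
            findings.append(f"{person} performed {' + '.join(duties)}")
    return findings


def review_log(transactions, authorized):
    """Map transaction id to findings, keeping only transactions with findings."""
    results = {}
    for txn in transactions:
        findings = review_transaction(txn, authorized)
        if findings:
            results[txn["id"]] = findings
    return results


if __name__ == "__main__":
    print(overlapping_authorizations(AUTHORIZED))
    print(review_log(TRANSACTIONS, AUTHORIZED))
```

A clean result here says nothing about collusion: four distinct, authorized people acting together pass every check, which is why the process controls discussed next are still needed.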

Given the foundational role of separation of duties, fraud is still possible if (a) such separation is incomplete, (b) some employees collude to defeat separation controls, or (c) leadership acts to override preventive controls. In the absence of fraud prevention controls, or when such controls are inherently weak or incomplete, or concerns exist regarding management override and collusion, process controls help to fill the gaps. Process controls are consistent with the notion of deterrence, including the perception that fraudulent acts will be discovered. As noted in the fraud deterrence module, basic process controls include the following:

  • (Accounting) reconciliations
  • Independent reviews, approvals, and sign-offs
  • Physical inspections/counts
  • Analyses (expectations/relationships)
  • Audits (periodic and surprise)

The following are some key controls related to specific fraud categories, including skimming, cash larceny, noncash asset misappropriation, billing schemes including shell companies, nonaccomplice vendor frauds, check tampering, payroll schemes, expense reimbursement schemes, register transactions, and corruption including bribery associated with kickbacks and bid rigging. These listings are considered key controls that help ensure the separation of duties. Further, the listings are not intended to be an exhaustive listing of all controls required to prevent fraud in a particular organization.

SKIMMING

  • Employees who handle incoming cash should not record the transaction.
  • Employees who handle incoming cash should not make the deposit.
  • Employees who handle incoming cash should not reconcile deposits to transactions captured electronically.
  • Employees who handle incoming cash should not post, without supervisory approval, customer refunds, discounts, and voids.
  • The cash receipt process should be subject to video surveillance.
  • Two employees should initially open mail and receive incoming checks.
  • Persons who handle cash and checks should not be able to back-date transactions.
  • The person who reconciles cash and checks to deposits should examine the mix of cash and checks.
  • The A/R system should automatically send notices for past due accounts.
  • Customers should be encouraged to obtain a receipt.
  • Electronic systems for capturing cash and checks should have user name and password requirements and appropriate automatic log-offs associated with inactivity.
  • Cash and check activity subledgers and IT feeder systems should be reconciled to cash deposits.
  • Customer statements should be prepared and mailed automatically and from a location separate from those handling cash and checks.
  • Customer complaints and service issues should be resolved separately from those handling cash and checks.
  • Unusual customer complaints and service issues should be investigated thoroughly and separately from those handling cash and checks.

CASH LARCENY

  • Examination of unusual, frequent, or unaccounted for cash shortages
  • Proactive search for patterns of cash shortages
  • Surprise cash counts
  • Examination of cash receipt documentation for alterations and falsification
  • Examination of reconciliations of cash deposits to transaction records and systems
  • Examination of cash receipt sequencing
  • Examination of cash receipt documentation for destruction of records to prevent reconciliations
  • The deposit receipt from bank is tied to cash receipts records
  • Timely reconciliations of cash deposits to transaction records and systems
  • Examination of deposits in transit
  • Examination to ensure that the person(s) receiving and logging deposits is not the person preparing (safeguarding) the deposit
  • Examination of journal entries to cash accounts

NONCASH MISAPPROPRIATION OF ASSETS

  • Examination of paper and electronic usage logs
  • Reconciliation of paper and electronic usage logs to equipment activity
  • Examination of paper and electronic usage records for alteration and tampering
  • Examination of paper and electronic usage records for falsification
  • Examination of inventory shortages (including merchandise, equipment, materials, and supplies)
  • Operational and effective tip hotline
  • Control of keys and other physical access tools
  • Monitoring mailroom activity for unusual mail activity
  • Monitoring unusual return activity by employee
  • Monitoring unusual transfers and movement of assets
  • Monitoring purchasing activity for excess purchases and purchases with no business purpose
  • Monitoring receiving activity and documentation for accuracy, completeness, lack of alterations, fabrications, etc.
  • Reconciliations of inventory shipping activity to sales documentation for accuracy, completeness, alterations, fabrications, etc.
  • Counting inventory
  • Reconciling counted inventory to units and dollar value records to identify shrinkage
  • Monitoring inventory write-offs and adjustments
  • Monitoring sales and related A/R write-offs
  • Matching vendor invoices to purchase orders and receiving records
  • Matching sales invoices to customer orders and shipping records
  • Review of journal entries to sales, purchases, and inventory
  • Review of adjustments to the inventory system
  • Compare invoice shipping addresses to employee address files
  • Compare invoice shipping addresses to company-owned or company-controlled locations
  • Compare inventory prices to retail (inventory prices should be less than retail)
  • Monitor scrap write-offs
  • Monitor inventory for obsolescence
  • Monitor inventory for obsolete designations
  • Compare system access records to lists of authorized users

BILLING SCHEMES, INCLUDING CORRUPTION: BRIBERY/KICKBACKS (COLLUSIVE BILLING SCHEMES)

  • Employees who disburse cash should not record the transaction
  • Employees who disburse cash should not make changes to the vendor master file
  • Employees who disburse cash should not have authority to approve purchases of goods and services
  • Employees who disburse cash should not receive and document the receipt of goods and services
  • Employees who disburse cash should not have authority to approve payments
  • Employees who disburse cash should not reconcile disbursements to transactions captured electronically
  • Employees who disburse cash should not post, without supervisory approval, vendor refunds, discounts, and adjustments
  • Compare system access records to lists of authorized users
  • Threshold for which purchases must be bid

BILLING SCHEME: SHELL COMPANY

  • Approval of new vendors added to vendor master file
  • Review of new vendors for name and address, and compare to employee information from the human resources files
  • Review of new vendors for Secretary of State listing
  • Review of new vendors for professional websites
  • Review of new vendors—trace key vendor personnel to social media websites such as LinkedIn
  • Review of the vendor master list to ensure that new vendors are approved, old vendors are removed, etc.
  • Monitor the business purpose for a vendor
  • Monitor vendor pricing for comparison to alternative vendors
  • Individuals who approve new vendors to the vendor master file should not also review and approve invoices for payment
  • Review of approved invoices for alteration, forged approval, false approval documentation

BILLING SCHEME: NONACCOMPLICE VENDORS AND PERSONAL PURCHASES

  • Periodic review of disbursements for invoice double payments
  • Periodic review and analysis of disbursement errors (e.g., pay invoice to wrong vendor, overpay invoices)
  • Flagging and reporting of electronic (automatic) duplicate invoices
  • Review, prior to approval, of invoices and statements for types of items purchased

CHECK TAMPERING

  • Control over (blank) check stock
  • Periodic audit of (blank) check stock controls, processes, and procedures including handling of checks after preparation (until mailing)
  • Identification of vendor disbursements written to employees
  • Identification of vendor disbursements written to “cash”
  • Control over access to automatic check-signing equipment
  • Control over access to user name and password of the organization’s bank
  • Separation of duties to prepare, sign, and deliver checks
  • Mailroom controls to collect and log returned checks
  • Reconciliation of mailroom’s returned checks log to accounting treatment
  • Review of canceled checks during the reconciliation process
  • Dual signature for checks in excess of a threshold amount

PAYROLL SCHEMES

  • Separation of duties:
    • Adding personnel to payroll master file
    • Person who submits hours, wages, and salary
    • Person who issues checks
    • Person who delivers checks
  • Separation of duties: hiring personnel and payroll processing
  • Personnel records separate from payroll records
  • Hiring process requires background and reference checks
  • Periodic reconciliation of personnel to payroll records
  • Periodic reconciliation of personnel pay rate to payroll pay rate
  • Controls over the access to payroll master file
  • Review of payroll records for similar and identical names
  • Controls to report terminated employees
  • Controls to reconcile budgeted employees to employees in payroll master file
  • Controls to identify multiple employees with same direct deposit account
  • Controls to collect and track hourly employee hours (e.g., timecard, electronic collection)
  • Supervisory approval of hourly employee hours (e.g., timecard, electronic collection)
  • Controls to periodically provide employee listing to process owners for review and approval
  • Controls to periodically identify employees with the same home address
  • Controls to periodically identify employees with the same Social Security numbers
  • Controls to periodically identify employees with no home address or Social Security number
  • Controls to periodically identify employees with no payroll deductions
  • Controls to periodically identify employees with deductions greater than pay
  • Supervisory review and approval of vacation time
  • Supervisory review and approval of sick and personal leave time
  • Report for each payroll: changes to rates of pay
  • Controls over sales tabulations used as a basis for commissions
  • Controls over sales prices for commission sales
  • Controls over sales and A/R that exceed credit limit for commission sales
  • Controls over duplicate sales for commission sales
  • Compare commission sales customer names to revenue customer names
  • Controls to periodically analyze commission sales adjustments, credits, and write-offs
  • Reconciliation of sales tabulations used as a basis for commissions to customers and accounts receivable records
  • Reconciliation of time-keeping system hours to payroll hours
  • Reconciliation of current year payroll master file to prior year payroll master file

EXPENSE REIMBURSEMENT SCHEMES

  • Match expense reimbursement request to receipts and supporting documentation
  • Examination of expense reimbursement requests for complete and detailed supporting documentation
  • Direct supervisor review and approval process for expense reimbursements
  • Examination of expense reimbursement supporting documentation for alteration

REGISTER DISBURSEMENTS

  • Refunds automatically posted to customer account (e.g., credit cards, customers A/R)
  • Periodic analysis of customer credits by date, employee, location, customer, time of day, and account number
  • Periodic analysis of customer voids by date, employee, location, customer, time of day, and account number
  • Periodic analysis of adjustments to inventory by date, employee, location, customer, time of day, and account number

CORRUPTION: BRIBERY (COLLUSIVE BID-RIGGING SCHEMES)

  • Controls to review and approve necessity of bid project during presolicitation phase
  • Controls to review and approve necessity and adequacy of specifications for bid project during presolicitation phase
  • Project owner approval of bid specifications
  • Controls to review and approve list of qualified bidders
  • Submitted bids are accepted and opened by two persons
  • Controls to log bid dates and times
  • Controls to ensure that bids are not opened in advance of approved time
  • Postbid analysis of key attributes of the bidding process
  • Postbid analysis of bid price compared to previous contracts, project budget, and alternative bids
  • Postbid analysis of bid change orders
  • Separation of bidding process from change order supervision and approval
  • Periodic analysis of bid outcomes by number of bidders, winning bidders, losing bidders, etc.
  • Periodic analysis of project subcontractors
  • Examination of bids for same/similar prices, quantities, language, etc.
  • Periodic analysis of follow-up with qualified bidders that did not bid on projects
  • Periodic analysis of total vendor project payments just under limits that require bidding
  • Periodic analysis of item prices across time

We have eight types of assignments for instructors to choose from:

  1. Critical Thinking
  2. Review Questions
  3. Multiple Choice Questions
  4. Fraud Casebook
  5. Brief Cases
  6. Major Case Investigation (MCI)
  7. IDEA Exercises
  8. Tableau Exercises

CRITICAL THINKING

  1. CT-1 Death in the Auto Zone. A man is found shot to death in the front seat of his car. All the windows are closed and the doors are locked; there are no bullet holes anywhere in the car and he did not commit suicide. How was he shot?
  2. CT-2 Black as Night. A black man dressed all in black, wearing a black mask, stands at a crossroads in a totally black-painted town. All of the streetlights in town are broken. There is no moon. A black-painted car without headlights drives straight toward him, but turns in time and doesn’t hit him. Why?

REVIEW QUESTIONS

  1. What are the key elements of ethics?
  2. Compare and contrast the ethical approaches of “it’s legal, therefore, it’s ok” and “the ends justify the means.” Are there similarities? Are there differences?
  3. Why is an ethical culture considered necessary for fraud prevention and deterrence?
  4. Several professionals are listed as being part of compliance efforts with regard to participation in the examination of potential compliance violations. Identify at least three other categories of nonemployee personnel or professionals who might be added to the listing in the right context.
  5. Do analytical efforts, big data examinations, and textual analyses impact compliance and fraud deterrence? Provide an explanation for your opinion.
  6. Fraud deterrence is centered on the fear of getting caught and the fear of getting punished. In your opinion, which is stronger and why?
  7. Describe the role of an organization’s personnel in compliance and antifraud efforts.
  8. Describe the six categories of early warning signs of potential fraud.
  9. Identify and describe the key attributes that might mitigate a red flag, suggesting that no bad act or compliance issues exist.

MULTIPLE CHOICE QUESTIONS

  1. Which of the following is an ethical principle?
    A. Legal
    B. Moral versus ethical choices for decision-making
    C. Generalization
    D. Personal behavior
  2. Which of the following is not a characteristic of a profession?
    A. Governed by rules
    B. Unique body of knowledge
    C. External recognition
    D. A body devoted to advancement and responsibility
  3. Which of the following departments can be exempted from compliance efforts?
    A. Legal and compliance because it implements and enforces compliance efforts
    B. Manufacturing and production because it is outside of accounting
    C. Information technology because it implements and enforces compliance efforts
    D. All of the above
    E. None of the above
  4. Select the statement that is least accurate:
    A. Risks come in many forms.
    B. RPA is an emerging technology consistent with artificial intelligence.
    C. The Foreign Corrupt Practices Act requirements are consistent with the actions of an ethical organization.
    D. Cyber threats are the primary risk facing organizations at this point in history.
  5. Which of the following statements about fraud prevention is most accurate?
    A. Fraud prevention eliminates fraud.
    B. Fraud in its totality cannot be prevented across an organization.
    C. Fraud deterrence is equivalent to fraud prevention.
    D. Preventive controls are typically designed to prevent threats associated with collusive and management override.
  6. Which of the following is most consistent with fraud deterrence?
    A. Improved ability to optimize messaging
    B. Employees who handle incoming cash may also record the transactions
    C. Surprise audits
    D. FCPA and international money laundering
    E. All of the above
  7. Which of the following is most consistent with fraud prevention?
    A. Project owner approval over bid specifications
    B. Separation of hiring personnel from payroll processing personnel
    C. Encouraging customers to obtain a receipt
    D. Review and approval of new vendors
    E. All of the above
  8. Which of the following statements is not a process control?
    A. Reconciliations
    B. Employees who disburse cash should not make changes to the vendor master file
    C. Analyses that include expectations and anticipated relationships
    D. Periodic audits
  9. Organizations can use a variety of mechanisms to increase the fear of getting caught. Which of the following is not one of those mechanisms?
    A. Conversion efforts
    B. Fraud risk management processes and procedures in place
    C. Compliance risk management processes and procedures in place
    D. Awareness of symptoms that might indicate others are misbehaving
  10. Which of the following statements with regard to the current ethical climate is accurate?
    A. Whistleblower protections appear to be in place and effective.
    B. Through cultural innovation and commitment to ethical behavior, employees feel less pressure to complete bad acts.
    C. Employees appear to be reporting misconduct more than ever before.
    D. Most employees feel that their organization acts ethically.

FRAUD CASEBOOK

ZZZZ Best

Read the following articles or other related articles regarding the ZZZZ Best case and then answer the questions below:

Sources:

Elmer-DeWitt, Philip, “ZZZZ Best May Be ZZZZ,” TIME in partnership with CNN, July 20, 1987.

Light, Larry, Oluwabunmi Shabi, and Kevin Kelly, “From Con to Convert,” Business Week, April 10, 1995.

Calabro, Lori, “Ten Questions for Barry Minkow,” CFO Magazine, January 1, 2005.

Ciulla, Joanne B., “Nothing But ZZZZ Best,” New York Times, August 8, 2008.

Short Answer Questions

1. What was Barry Minkow’s original business?

2. What business allowed Barry Minkow to grow the company?

3. After the fraud was cleared, how much income did ZZZZ Best earn?

4. When Barry Minkow was young, what crimes, if any, did he allegedly commit?

5. Who, if anyone (person or organization), was responsible for detecting this scheme?

6. Does U.S. District Judge Dickran Tevrizian believe that Barry Minkow is reformed?

Discussion Questions

1. In general, how was Barry Minkow able to execute and perpetuate his fraud for so long?

2. In your opinion, were the ZZZZ Best auditors at fault for not catching this fraud earlier? Why or why not?

3. Given that the ZZZZ Best fraud occurred in 1987, why is society still plagued by financial statement frauds?

4. Do you believe that Barry Minkow is reformed, or do you believe that once a fraudster always a fraudster? Explain your answer.

BRIEF CASES

1. Compliance and fraud deterrence

Use a chart or graphical tools and techniques to present a robust compliance and fraud deterrence environment. Include on the chart or graphic:

  1. The key players on the compliance and fraud risk assessment team.
  2. The key attributes of a robust compliance and fraud deterrence environment for each player.
  3. For the ten steps in a fraud risk management and compliance program, identify which are most closely aligned with which key players.

Student material with step-by-step screenshots for completing the assignment is available from your instructor.

2. Fraud prevention and deterrence in action

Assume the following facts:

  1. The company invoices customers for sales with an expected thirty-day collection period.
  2. The invoice is used to post sales to the accounting system.
  3. Checks are received in the mailroom and logged into a deposits journal.
  4. The deposit is prepared and taken to the bank.
  5. The deposit slip is used as an original document to record cash in the accounting system.
  6. A copy of the deposits journal from the mailroom is used to credit customers for their payments.
  7. Assume three general ledger accounts: cash, accounts receivable, and revenue.

Instructions: Part 1

Draw a graphic to depict these activities and their impact on the general ledger accounts. Include the necessary personnel and at least ten fraud prevention and deterrence tools and techniques to PREVENT a skimming scheme, assuming no collusion or management override. Post the personnel and those tools and techniques on the graphic.

Instructions: Part 2

What if the organization owner hired only one mailroom/office employee, one accounting clerk, and one accounting supervisor (assume no controller, no internal audit, and an annual review and tax compliance, not an annual audit)? How would you alter your approach to create a robust skimming prevention environment?

MAJOR CASE INVESTIGATION

The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.

  • Interview Excerpts: Hudson Creighton
  • Interview Excerpts: Joan Rogers
  • Document Set 8: Bank Credit Memo

These items will be provided by the course instructor. This is the last of the evidence.

Assignment:

Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination. In addition, the examiner also starts to think in terms of who, what (did the person(s) do), when (during what period?), where (physical place, location in books and records), and how (how was the act perpetrated, how was it hidden, and did the perpetrator benefit?). Your primary assignment is to examine the information and activity in the invoice and emails in terms of what (scheme), how the act was perpetrated, and what benefits there are, if any. As with any data, consider patterns, breaks in patterns, and anomalies. Your focus is what you can conclude from the evidence, understanding that cases are solved, not with an all-telling piece of evidence, the “smoking gun,” but rather by assembling small pieces of evidence into a coherent picture.

IDEA EXERCISES: ASSIGNMENT 14

Case background: See Chapter 1.

Question: Do the payroll disbursement hours comply with Benford’s Law?

Student task: Students should (a) present the Benford’s Law results and (b) discuss the finding and recommend investigative next steps.

Student material with step-by-step screenshots for completing the assignment is available from your instructor.

TABLEAU EXERCISES: ASSIGNMENT 14

Case background: See Chapter 1.

Question: Do the payroll disbursement hours comply with Benford’s Law?

Student task: Students should (a) present a graphic of the Benford’s Law results and (b) discuss the finding and recommend investigative next steps.

Student material with step-by-step screenshots for completing the assignment is available from your instructor.

Endnotes
