36 FRAUDMAGAZINE www.fraud-magazine.com

Companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations. Here are some practical ways to determine who owns fraud and accelerate anti-fraud programs within any company.

Who Owns Fraud?Uniting Everyone to Effectively Manage the Anti-Fraud Program

DAN TORPEY, CPA ;MIKE SHERROD, CFE, CPAJanuary/February 2011

January/February 2011 FRAUDMAGAZINE 37

ron Works America (IWA) is a manufacturer of steel beams used in the construction of large commercial buildings. IWAs internal audit director, George Franklin, is responsible for monitoring the companys fraud hotline for allegations of misconduct made by employees. One day, Franklin received a hotline message from a sales manager in the Columbus, Ohio, offi ce, who claimed he had proof that an employee in the Cleveland offi ce had created a fake vendor scheme,

received kickbacks from one of his suppliers, and was embez-zling a signifi cant amount of money through a complex revenue recognition scheme.

Franklin and his team quickly planned the initial stages of an investigation based on the allegations. However, Franklin soon received a call from IWAs human resources manager who said she received a message from the sales manager in the Co-lumbus offi ce who reported a violation of the code of conduct to her. As a result of this message, her department launched an in-ternal investigation with assistance from IWAs general counsels offi ce two days before Franklin received the hotline message.

Franklin and his internal audit team members believed that others in the company were encroaching on their responsi-bilities because IWAs charter directed their department to man-age all internal fraud examinations. Franklin became even more frustrated when he learned that IWAs chief compliance offi cer was discussing, with the members of the audit committee, plans to conduct a companywide fraud awareness training campaign as the beginning of a comprehensive fraud risk assessment process. The chief compliance offi cer wanted to accomplish this training campaign in the upcoming year. However, he hadnt discussed it with Franklin to get his perspective on how to structure the process because he thought the chairman of the audit commit-tee had asked Franklin to include a fraud risk assessment in his internal audit plan for the year.

This fi ctitious example might seem extreme, but its not uncommon as companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organiza-tions. In fact, nearly half of respondents to the 2010 Ernst & Young Global Fraud Survey said that their organizations didnt have well-defi ned roles for different groups (internal audit, compliance, risk and legal) when responding to reports of possible fraud.

MULTIPLE PEOPLE, MULTIPLE CONCERNSMany companies struggle to determine wholl be responsible for managing fraud examinations and fraud risks. In a perfect world, a company would designate one person to handle its anti-fraud program responsibility such as the chief fi nancial offi cer, chief compliance offi cer or general counsel. However, often a company might not designate one person as the owner of its anti-fraud efforts. As a result, confusion can reign, causing a lack of trust in the proactive anti-fraud program for management and employ-ees, a dangerous defi ciency in sharing of knowledge, and inef-fi cient responses to fraud.

MODEL FOR AN ANTI-FRAUD GROUPThe good news is that many companies now realize that fraud challenges need to be addressed. The bad news is that those same companies might not be able to overcome inconsistencies, du-plicative efforts, and a lack of communication because those re-sponsible for anti-fraud efforts often operate independent of each other and not in a coordinated way.

We recommend that the ownership of anti-fraud efforts should be shared by a select group of individuals who each have, as part of their responsibilities, a role in addressing fraud proac-tively and reactively. The shared responsibilities of the overall anti-fraud program would ensure that the roles of the team mem-bers would be more effective to the overall group. Each individ-ual would then have a specifi c goal and greater accountability to the group. This approach also would give comfort to the board or executive management within the company that the anti-fraud program was effective and effi cient in its approach to fraud risk management.

The group should select a chairperson who will shep-herd the group to the goals they want to establish and ultimately achieve. The chairpersons overall role is to ensure that the ele-ments established for the anti-fraud program are being met and the responsible individuals are working together to ensure that the elements are being implemented and monitored. The chair-person would also work with the group to determine any needed modifi cations to the overall anti-fraud program.

38 FRAUDMAGAZINE www.fraud-magazine.com

Tim Pearson, executive director of the Institute for Fraud Prevention (www.theifp.org/), believes that a chief compliance or integrity offi cer is best suited to chair the team and meet regu-larly with the committee representatives to report anti-fraud co-ordination efforts.

Fraud is more likely to go undetected when the responsi-bilities for education, monitoring and risk management are dif-fused across reporting lines so no one individual or group can truly get a handle on the fraud risks facing an organization, Pearson said. We want everyone in an organization to support anti-fraud initiatives, but someone must craft and share a vision on how fraud can best be prevented.

Weve found that this might vary from company to com-pany depending on the corporate structure and the overall cor-porate governance model in place (i.e, internal audit charter, corporate compliance program, code of conduct) or the expe-rience or expertise of the team members. This anti-fraud team

should clearly defi ne its overall ownership and responsibility of the implementation and continued oversight of the program.

The graphic Who Owns Fraud? below demonstrates this collective ownership model for an anti-fraud team and the rec-ommended processes for proactive and reactive approaches to fraud risk management.

The team members must possess diverse skill sets to ad-dress the complexities of fraud cases and proactive fraud risk ini-tiatives. Therefore, the team should include representation from executive management, the audit committee, the investigations group, the compliance department, the controllers group, the internal audit department, information technology, security, the general counsels offi ce and the human resources department.

The team must clearly articulate each members role and responsibilities to avoid duplication of effort and ensure that the process will achieve the desired outcomes.

WHO OWNS FRAUD?

Who Owns Fraud? Having a Seat at the Table

January/February 2011 FRAUDMAGAZINE 39

DEVELOPING AN EFFECTIVE ANTI-FRAUD PROGRAMOnce the right team is in place, it should develop an effective anti-fraud program. The objective of this program, as shown in the Who owns fraud? graphic, is to provide the framework for an organization to prevent, detect, report and investigate inter-nal and external fraud.

As weve worked with companies in various industries to develop programs, weve used a wide array of approaches to unify companies fraud teams. To illustrate this point, well continue with our case study from the beginning of the article. Due to George Franklins frustrations, IWA put into place a fraud task force made up of compliance, general counsel, internal audit, hu-man resources and the controllers group to create, implement and monitor its anti-fraud program.

Based on numerous meetings to design the process and as-sess the skill sets of the task force members, the group determined that internal audit and compliance would be responsible for the companywide fraud risk assessment. The controllers group would be responsible for controls monitoring to address the fraud risks identifi ed from the fraud risk assessment. General counsel, human resources and internal audit would be responsible for en-suring that any fraud investigations were handled properly. All task force members would be responsible for creating effective elements to develop the tone and culture within IWA. As you can see, these elements of the program build upon each other and the entire anti-fraud program framework is more effective because of the collaboration of the members of the task force.

That framework, of course, cant provide absolute assur-ance that fraud wont occur within a company or that all fraud will be identifi ed proactively. However, a strong anti-fraud program will provide management and employees with opportu-nities, guidance and support to:

Understand the expectations of the company and practicethem every day

Recognize unacceptable behavior and encourage that actionbe taken

Prioritize fraud risks and determine those risks that warrantattention

Install controls to mitigate identifi ed risks or suspected fraudrisks

Formulate actions to take once fraud is detected

Ensure that these actions are followed if an investigationbegins

Share leading practices across business functions andsegments

In other words, a strong and well-conceived anti-fraud program helps place a greater emphasis on the companys over-sight and provides a framework for responding when issues arise.

Weve identifi ed seven elements of an effective anti-fraud program, which fall into three overall categories: setting the

proper tone, proactive steps and reactive steps. The elements to set the proper tone include: the code of conduct or code of ethics, fraud prevention policies, and communication and train-ing. The proactive elements include: a fraud risk assessment and monitoring controls. The reactive steps include: a fraud response plan and ownership over the entire anti-fraud program. (See the graphic, Seven Elements of an Effective Anti-Fraud Program on page 40.)

SETTING THE TONE WITH A CODE OF CONDUCT, POLICIES AND TRAININGWhen setting the proper tone, management must go beyond stat-ing that we hire good people, or we operate our company with integrity. It must demonstrate how these principles are tactically embedded into the companys daily operations to create a culture of constant integrity.

WHO OWNS FRAUD?

40 FRAUDMAGAZINE www.fraud-magazine.com40 FRAUDMAGAZINE www.fraud-magazine.com

WHO OWNS FRAUD?

Seven Elements of an Effective Anti-Fraud Program

Promote honest and ethical conduct

Provide full, fair, accurate, timely and understandable disclosure in reports and documents

Comply with applicable governmental laws, rules and regulations

Report internal violations of the code promptly

Be accountable for adherence to the code and the sanctions to be imposed

Be speci c to the individual organization and its operations

Guide employees through complex issues

Provide a channel for employees or third parties to report fraud

Establish procedures to govern the escalation of fraud allegations, guiding important resource decisions

Provide support and protection for whistleblowers

Educate employees regarding the organizations code of ethics

Understand the protocols for reporting suspicious activity

Communicate the disciplinary actions that may be taken in the event of fraud

Raise awareness of fraud schemes and scenarios that are speci c to the company

Identify common types of fraud schemes that could occur within any organization

Specify fraud schemes that are industry- and sector-speci c as well as geographic

Create a road map for future areas to analyze with analytics and determine if controls are suf cient to mitigate

Provide annual and real-time updates to fraud risk assessment work plan to ad-dress change in business environment, acquisitions, current issues, etc.

Rank fraud schemes identi ed within the risk assessment

Develop action plans to assess, improve, and/or monitor the controls associated with the risks identi ed

Report the results of the action plans to executive management and/or the audit committee

Challenge prior year controls and analytics protocols to update with current state issues and effective use of technology

Establish investigation protocols

Coordinate remediation action steps across business units

Maintain consistent disciplinary procedures

Help set the tone within the organization with respect to fraud

Develop investigation protocols for internal and external resources

January/February 2011 FRAUDMAGAZINE 41

A code of conduct or code of ethics establishes the guiding principles of a company. Among other things, it should promote honest and ethical conduct, compliance with applicable laws and regulations, and prompt reporting of violations of the code.

Clearly establishing fraud policies and procedures helps employees understand acceptable conduct and how to report sus-pected violations. Fraud awareness training another signifi cant and often overlooked aspect of an anti-fraud program is a key element in setting the proper tone within an organization.

Companies that have anti-fraud training often spend too much time focusing on occupational fraud, such as stealing as-sets from the company (i.e., inventory and petty cash), because participants can easily visualize and understand these crimes. However, they often overlook other important areas such as cor-ruption, fi nancial statement fraud, vendor due diligence, miscon-duct and fraud when dealing with third parties, and theft of intel-lectual property and sensitive data.

One size doesnt fi t all. Companies are creating fraud awareness training programs for all employees on a general level and then providing more specifi c, comprehensive training deal-ing with relevant risks for different groups or business areas. An-other overlooked aspect of an effective fraud awareness training program is ensuring that the training reaches these different business areas within the company. Its important that employees understand why the training is relevant and that they compre-hend the information presented. Post-training assessments can assist with determining this comprehension by making sure the employees captured the information and the objectives of the training were met.

All employees should receive annual fraud awareness training as part of the new-hire orientation process and as a com-ponent of the integration process for newly acquired companies, joint ventures or subsidiaries. Sophisticated training includes modules taught by the companys internal audit, technology, compliance and security professionals. The emphasis should be on detecting schemes such as fake vendor schemes, bribery and corruption issues, and accounting fraud and revenue recognition awareness. This is another way to encourage synergies from the results of the fraud risk assessment by creating training programs to address the specifi c risks identifi ed.

Employees, vendors, customers and other stakeholders who dont learn a companys anti-fraud policies and procedures, compliance and ethics programs, reporting protocols, and fraud risks wont know the organizations acceptable behavior. They can expose the company to major problems because they dont know how to effectively report suspected fraudulent activities.

Many companies are taking anti-fraud training pro-grams a step further by educating their top executives and then evaluating them on their character development. Vincent Hig-gins, president of the Institute for Effective Leadership (www.effective-leadership.com), a company that provides training to C-suite executives, says organizations are increasingly hiring his fi rm to help evaluate executives leadership abilities and train

them in understanding integrity issues. While companies or re-cruiters cant predict who might engage in fraud, they can limit their exposure by enhancing the training of their highest execu-tives on such important issues.

We fi nd that the best anti-fraud strategy is creating an integrity culture, Higgins says. Processes follow culture, not the other way around. And culture is determined primarily by the leaders attitudes and choices. Therefore, the integrity com-ponent must be an essential part of the equation in executive search; it must be developed constantly at the individual and executive team levels, and it must be rewarded as a requisite for advancement and compensation. Otherwise an organization is treating symptoms rather than causes.

PROACTIVELY ASSESSING FRAUD RISK AND MONITORING CONTROLS Execution of a robust fraud risk assessment is the fi rst proactive step management can undertake. The assessments purpose is to identify and prioritize areas that pose a higher risk of fraud. Keep in mind that individuals commit fraud, not IT systems or business processes. Therefore, when executing a fraud risk assess-ment, management must understand the reasons people commit fraud pressure, opportunity and rationalization as well as di-rect or indirect vulnerabilities.

The next proactive step is to identify and monitor internal controls to mitigate the risks. Action plans should be developed to document and evaluate the controls that mitigate any fraud risks found during the assessment. These plans should specify wholl be responsible for monitoring and testing the controls, and wholl review the results of their work.

BEING PREPARED TO REACT TO FRAUD AND DEFINING ROLES AND RESPONSIBILITIESOf course, fraud will still occur even though management sets the proper tone, trains their people on spotting problems, exe-cutes a robust fraud risk assessment, and designs internal controls to prevent and detect fraud. Therefore, the anti-fraud team has to establish reactive elements for the anti-fraud program.

The cornerstone of any reactive element in an anti-fraud program is a timely response to the suspected fraud with the right team. The team should establish, review, approve, and maintain policies and procedures regarding the companys responses to fraudulent activities. The fraud response plan should encompass investigations, remediation and uniform disciplinary processes.

The team also should establish an investigation protocols framework for management. The protocols should state that all suspected frauds, regardless of sources, will be reviewed and inves-tigated. The team will determine wholl lead the investigations if external assistance is needed, such as outside forensic assistance with fraud experience, and the results of the investigations will be communicated to the audit committee in a timely manner.

WHO OWNS FRAUD?

42 FRAUDMAGAZINE www.fraud-magazine.com42 FRAUDMAGAZINE www.fraud-magazine.com

To illustrate our points on how paramount the success of the fraud response plan is to the overall fraud risk assessment, we continue our example with George Franklin and IWA. In previous years, Franklin had a concern about the effectiveness of the fraud response plan. His team would identify a fraud issue during the course of its internal audits and raise this issue to management, but his team would never receive updates on what happened or where the control breakdown occurred. This truly represented a breakdown in the effectiveness of the anti-fraud program. The internal audit team would be much more effective on future au-dits if they were updated on identi ed and investigated issues. In addition, the fraud awareness training program and the fraud risk assessment process could bene t from this knowledge.

For an effective fraud response plan to work, it has to com-municate those wholl work on speci c tasks from the moment the allegation is identi ed to the point of reporting the results. The anti-fraud program oversight team will be responsible for reviewing the allegations and then determining, based on their assessment, who should get involved, and to whom the results should be reported. The team will do this on a case-by-case basis, but the fraud response protocol will guide the team toward a documented, consistent process.

THE ULTIMATE SUCCESS IS THROUGH SYNERGYThe teams key to success is to produce synergy among the team members by developing excellent communication. The team members should share a common goal and approach to fraud de-tection and response, which results in greater accountability in executing a task.

In our opening scenario, Franklins frustrations escalated when he became aware that other groups were involved in proac-tively and reactively dealing with fraud without his knowledge. This dysfunctional atmosphere creates an environment of inef -ciencies and a lack of knowledge transfer, and impacts the ability to effectively deal with fraud.

Fraud is an extremely complex issue, and an oversight committee such as an anti-fraud program oversight team thats committed to a common goal is often the best method to deal proactively and reactively with these complexities. The teams anti-fraud program can then become the channel for the dissemination of messages from the top of the orga-nization to all employees. This new environment will help reinforce an atmosphere of constant integrity throughout the company that will allow the company to more effectively deal with fraud.

Companies that have built anti-fraud programs, which include setting the proper tone, forming proactive and reac-tive measures, and clearly de ning roles and responsibilities, will stand the best chance of mitigating risks and effectively addressing fraud.

The views expressed here are those of the authors and dont necessarily re ect the views of Ernst & Young LLP.

Dan Torpey, CPA, and Mike Sherrod, CFE, CPA, aremembers of Ernst & Young LLPs Fraud Investigation & Dispute Services practice. Their e-mail addresses are: daniel.torpey@ey.comand mike.sherrod@ey.com.

On June 20, 2007, the Securities and ExchangeCommission (SEC) published interpretive guidance onmanagements report on internal control over nancialreporting, including references to dealing with fraud risk.The guidance indicated that management should considerperforming an analysis of their fraud risks.

In July 2008, the ACFE, the Institute of Internal Auditors,the American Institute of Certi ed Public Accountants,and representatives from the Big Four accounting rmsand other consulting businesses published Managing theBusiness Risk of Fraud: A Practical Guide (ACFE.com/documents/managing-business-risk.pdf). Also seeManaging the Business Risk of Fraud: IndispensablePlanning, by Grace B. Ghezzi, CFE, CPA/PFS, AEP, in theJanuary/February 2009 issue of Fraud Magazine.

In mid-2009, the SEC announced a reorganization and arenewed emphasis on fraud-related enforcement includingspecialist teams of enforcement of cials.

In November 2009, President Barack Obama announceda new Financial Fraud Enforcement Task Force comprisedof representatives from more than 20 federal agencies,which included the Departments of Justice, Treasury, andHousing and Urban Development; and the SEC.

On April 7, 2010, the U.S. Sentencing Commission votedto amend the Federal Sentencing Guidelines relating tocorporate compliance and ethics programs. Theseamendments took effect on Nov. 1, 2010.

On Oct. 6, 2010, the Center for Audit Quality (CAQ)issued a report entitled, Deterring and Detecting FinancialReporting Fraud A Platform for Action, as part of itsanti-fraud initiative. The report contains a thoughtfulexamination of the motivators behind fraudulent nancialreporting and explores themes for mitigating theconditions that can lead to fraud.

Whats Driving the Focus on Anti-Fraud Efforts?Effectively managing fraud in the most cost-effective way is paramount to the success of an anti-fraud program especially in the current economic environment. Streamlining communications and aligning resources is critical to the process. Added pressure is coming from several important regulatory and market drivers: