Up for Grabs

It's so secret that corporate fraud has increasingly captured the attention of both regulatory officials and media outlets. Not to mention corporate boards.

It seems that the price tag that such fraud carries these days is hard to ignore. Averaging almost $3 million1 per incident globally, corporate fraud has grown 40 percent from only two years ago. On a cumulative basis, fraud losses today amount to billions annually.

Clearly, there is no immunity from fraud — not by industry, location, or size of company. It is a pervasive and consistent risk. However, it may be surprising to learn that successful fast-growing companies are often more ripe for fraud than less successful ones, simply because the risk of fraud often grows as companies expand into new markets, acquire new operations, or enter joint ventures. In short, many of the things successful companies routinely do to remain competitive at the same time make them vulnerable.

Meanwhile, regulatory oversight is also increasing, and with it the penalties exacted for breaking regulations such as the Foreign Corrupt Practices Act, the Exchange Act, and tax laws. Such violations put corporate reputations at risk, while negatively impacting staff morale as well as customer and vendor relationships.

Losses related to corporate fraud have continued to be widely reported by the press. For its part, PwC surveyed 5,400 companies in 40 countries and 17 industries and learned that the costs of incidents of fraud are almost twice as large when they occur in emerging market countries. Accordingly, now more than ever is the time to address fraud efficiently and effectively, on both a proactive and a reactive basis. Here are a few notes to help a company join the fight against fraud:

• Look for signs of environmental weakness A company should assess its programs for the prevention of fraud and develop or enhance them to suit its risk profile. For example, is the audit committee actively overseeing fraud prevention programs and incident investigation? Do the ethics codes and whistle-blower programs meet SEC standards? Does the company's internal audit department perform adequate antifraud activities? Is there a plan of action for allegations of fraud, including investigation and remediation? If these and similar questions get “no” answers, this is an indication of a business environment that is not attuned to fraud prevention.
• Develop a company-specific program Each company has a different risk profile based on its industry, products, size, organizational structure, geography, distribution methods, significance of intellectual property, number of accounting systems, growth rate, and acquisition strategy, among other factors.2 A company needs a program to suit its needs, not one from a competitor, regulators, others in the industry, or other companies in general. The program should consider the specific risks inherent in its business by undertaking to:
  • Identify and assess inherent fraud and misconduct risks;
  • Evaluate entry-level programs and preventive transaction level controls;
  • Develop monitoring and auditing procedures based on key fraud risk indicators;
  • Develop incident response and remediation procedures; and
  • Embed fraud and misconduct specialists into internal audit, finance, and operations.
• Fraud has many facets There is no single method by which fraud is best detected. In fact, companies with multiple defenses predictably detect more fraud. Among the best methods are an active, well-trained, globe-trotting internal audit department (internal audit detected 26 percent of all frauds reported in PwC's global survey) and a corporate culture that encourages the reporting of improprieties (which detects about 40 percent of incidents). Other controls such as suspicious transaction reporting, corporate security departments, personnel segregation, and rotation are important, but these detection statistics show that controls alone are not enough — corporate culture is a critical element of prevention.
• Stay the course Don't forget: Like any business process, a company's control programs should be continuously reassessed and updated as needed. This is especially true if an incident of fraud occurs. Companies should:
  • Identify changes in key fraud risk factors;
  • Identify key fraud indicators by deconstructing the fraud risk components and participants to identity potential red flags;
  • Design monitoring and auditing procedures to detect key fraud risk factors and indicators, rather than fraud and misconduct. Techniques include internal and third- party inquiries and interviews, financial analytics, journal- entry testing, and other targeted substantive procedures;
  • Apply technology wisely — it's a tool, not the Holy Grail;
  • Develop follow-up guidelines and processes for personnel to apply when fraud risk factors and indicators are first identified or change significantly; and
  • Not confuse investigation of specific allegations with a fraud auditing program — which tests for the possibility of fraud on a regular basis, absent any suspicions.
• Transparency is the best deterrent Fear of detection, not punishment, is the best preventative measure. Thus, quietly demoting or terminating an employee without appropriate public action such as criminal prosecution when warranted and internal communications about actions taken will send the wrong message to a company's employees. The message from management should be clear: Fraud is and will be discovered on a timely and consistent basis, the punishment will “fit the crime,” and the actions taken will be public.
• Sales practices can be a major risk Many companies do not appreciate that the FCPA and similar laws around the world regulate a very significant aspect of their business — sales practices. Many aspects of business life are based on relationships and, as a consequence, companies often give gifts, trips, seminars, training, facilities tours, samples, or other items of value during the sales process. While these are often legitimate, the line between acceptable and criminal is a fine one, and this is especially true when dealing with government officials. In some industries, the use of agents is common, and they may step over this line on your behalf, exposing your company to substantial regulatory risks. Companies doing business overseas need to pay attention not only to the FCPA, but also to local laws and regulations, which are often more stringent. How quickly can your company learn of and review payments in foreign operations or payments made by agents?
• The procurement process is an effective tool against fraud Fraud follows the money, so disbursement and procurement systems are always targets. Having a holistic approach to procurement can help to prevent fraud as it involves multiple groups within the company, thereby avoiding the concentration of relationships and authority that can lead to collusion. It also reduces the risk of RFPs prepared on specifications that favor one, and only one, supplier.
• Look where you least expect it As the saying goes, “Don't judge a book by its cover.” The same holds true when identifying fraud risk. To the surprise of many, the people committing fraud are not younger, poorly educated employees looking to make extra money. On the contrary, fraudsters are typically older (30+ years) and male, have above-average educations, are less likely to have a criminal record, and are in a position of trust. In fact, 26 percent of fraudsters are within the senior management of a company.3 Some frauds are rationalized as being for the benefit of the company, but a deeper look often discloses closely associated personal motives — such as promotion, bonuses, stock options, or the acclaim of peers.

The consequences to a company and its officers are too significant not to have a proper fraud detection and prevention program in place, along with a thorough plan to deal with instances of fraud. The risks to companies are not just limited to the amount of the fraud. By preventing fraud from happening in the first place, companies will protect not only the physical assets of the company, but also its intangible assets, such as brand value; minimize the risk of government sanctions; reduce audit costs; and avoid revenue leakage and reduce expenses.
Notes:

1. According to PricewaterhouseCoopers' 2007 Global Economic Crime Survey: People, Culture and Controls (www.pwc.com/crimesurvey).

2. These factors are key to a company's fraud risk profile according to PwC's 2007 Global Economic Crime Survey: People, Culture and Controls.

3. According to the 2007 Global Economic Crime Survey by PricewaterhouseCoopers.

Now watch Steven Skalak share some insights and best practices on how to build a fraud- repellent culture.