According to the “2010 Report to the Nations” by the Association of Certified Fraud Examiners, the most common asset fraud involves purchasing and vendor billing schemes. These frauds make up more than a quarter of all reported occurrences. By the time these schemes are uncovered they have, on average, been operating for two years and resulted in losses exceeding $125,000….regardless of the size or type of organization!
What are the first corrective actions that most organizations do after discovering fraud? They strengthen their internal controls. Why? Because internal controls are the processes management relies on to provide them assurance that their business objectives are being achieved. In the case of fraud, they are the processes that management implements to ensure that fraudulent activities are either prevented, or detected in a timely manner.
In order for fraud to occur, the perpetrator has to perceive a need, and have a justification, for the fraud. More critically, the perpetrator needs to have the opportunity to commit the fraud. Accounts payable fraud is usually a crime committed by an employee or an employee working with a vendor. After all, he or she knows how the company functions. Opportunity comes when no one is watching. An employee has the time and knowledge to figure out where that lack of attention exists.
If you want to address the risk of fraud, where should you start?
You will want to start by identifying the processes in which individuals handle multiple aspects of a job themselves, then break them apart.
An Example of Asset Fraud
For instance, let’s say your warehouse manager negotiates agreements with your vendors. Once that’s done he sets up the vendor accounts in the computer so you can receive their invoices and pay them. Eventually he orders inventory items from them, receives the goods when they arrive, and approves the invoices for payment. Your accounting department prints the check, matches the invoice to it, and you sign the check.
When you sign the check, you could either question who the vendor is, or what the order was for….or you could trust the invoice since it has been properly received and approved. The key word is trust. In this situation you are relying solely on the word and actions of the manager. You are trusting that the vendor he set-up actually exists and provides products to the company. You are also trusting that the goods were, in fact, received by the company and that the pricing was appropriate. No controls have been implemented that would verify the accuracy of any of the actions above. If the manager knows this, he could set up a fictitious company in the computer, falsify invoices and receiving reports and approve the bogus invoices for payment. If the vendor and the materials ordered appeared reasonable to the check signer, the transactions are unlikely to be questioned.
When you identify situations like this, you want to provide yourself with some sort of oversight. Depending on the resources available to you and your assessment of the likelihood and magnitude of the potential risk, there are different methods of internal controls you can exercise. You can insert other individuals in the process (segregation of duties), or have someone independently evaluate the warehouse manager’s activities (a management review). Segregation of duties puts a second individual in the position of routinely reviewing the actions of the other, and therefore provides an ongoing and timely control. It takes more people, but it is the strongest anti-fraud control. Management review, on the other hand, is always done after the fact, so it may not catch a problem in as timely a fashion. However, when you have a limited number of people available, it may be the best monitoring control you have.
In our example above, if the manager makes arrangements with the vendor and orders materials, you would ideally like to have another individual set up the vendor information in your computers, and verify that the vendor really exists and that the billing addresses, phone number and tax identification numbers are accurate. You’d also like someone, other than the individual who made the order, to receive the materials when they arrive. That way, when you receive the vendor’s invoice, you can verify with certainty that you have actually received what you are paying for. Finally, it would be good to have another individual, unrelated to the other activities, approve the invoices for payment.
If you cannot separate all the processes above, separate as many as you can. When segregation of duties is not possible or cost effective, establish a means of reviewing the transactions. If the warehouse manager is allowed to set up vendors, do a periodic review of all new vendors and their billing addresses to make sure you know who these vendors are and what you are buying from them.
If you have to let the manager receive materials, design analytical tests on inventory or job costs to ensure that the materials were received into inventory or used on projects, and that the quantities and prices make sense. You might notice that you’re buying more than you need, paying more than you should, or paying for products that weren’t delivered. If the manager is the vendor, or is working with the vendor, all of those things might occur. Don’t assume, verify.
The point is, when individuals know that others are observing their actions, they know their opportunities will be limited and, in many cases, they will be completely deterred. But, never assume that you can prevent fraud. If truly motivated, the fraudster will find an opportunity to exploit. Instead, you should devise ways to detect those actions in a timely fashion, and be able to react quickly. That requires oversight, review and verification.
A Quick Check-Up: Things You Can Do
Where are you likely to see fraud in accounts payable?
· Vendors with similar but different names (UPS Company, instead of UPS, Inc.), and shell companies that provide a front for the employee’s actual activities.
· Company addresses that are PO Boxes or that match employee addresses.
· Falsified purchase requisitions, and receiving documents.
· Overpricing on items shipped, and overbilling for unshipped items.
· Received items being diverted after receipt.
· Items shipped to alternative locations.
· Charges for unexplained and unauthorized (personal) items.
· Forged, altered or diverted checks.
What are some red flags?
· Can purchases be made without requisitions, or before requisitions are approved?
· Are purchasing, accounting, and shipping/receiving independent of each other?
· Does the company have an approved vendor list for the main products you purchase?
· Are receiving reports furnished to both accounting and purchasing, and kept on file in receiving?
· Is a log maintained of all receipts?
· Are procedures adequate for verifying receipt and rebilling of drop shipped items?
· Are records of goods returned to vendors matched to vendor credit memos?
· Are receipts under blanket POs monitored? Are quantities greater than authorized returned to the vendor?
· Are procedures adequate for the proper accounting for partial and backordered deliveries?
· Are three way matches completed prior to payment?
· Are invoices verified as to price, extension, footing, freight, allowances and credit terms?
· Are purchases recorded in computer systems prior to payment?
· Are accounts reconciled timely?
What can you do?
· Document and adhere to procedures for POs, invoicing and payments.
· Review additions to the AP vendor master file and periodically review AP Vendor list for strange vendors and addresses.
· Review payment codings for abnormal descriptions.
· Analyze vendor purchases for abnormal levels on both a monthly and yearly basis.
· Compare and analyze purchases and inventory levels.
· Implement system controls for identifying duplicate invoice and PO numbers.
· Establish segregation of duties among authorization, purchasing, receiving, accounting and shipping.
· Review shipping and receiving documents for completeness and accuracy.
· Review and compare payments, receiving documents and purchase orders.
· Scrutinize journal entries (JEs) to inventory accounts.
· Conduct spot audits.
· Maintain purchase trails on assets.
· Review bank statements for out of place vendors and endorsements.
· Review credit card statements for irregularities.
· Verify validity of invoices that have remittance to PO Boxes.
· Install proper controls for the receipt and handling of return-to-sender checks.
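Several of the reviews listed above (PO Box and employee-address matches, look-alike vendor names, duplicate invoice numbers, and missing segregation of duties) can be run as a script against exported records. The following is an added example, not part of the original article; the record layout, field names, user names and sample data are all constructed assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample records; the layout and every value are assumptions.
VENDORS = [
    {"id": "V001", "name": "UPS, Inc.", "address": "100 Example Way, Springfield IL", "created_by": "ap_clerk"},
    {"id": "V002", "name": "UPS Company", "address": "PO Box 4471, Springfield IL", "created_by": "wh_manager"},
    {"id": "V003", "name": "Acme Pallet Supply", "address": "12 Oak St., Springfield IL", "created_by": "wh_manager"},
    {"id": "V004", "name": "Midwest Fasteners LLC", "address": "900 Industrial Dr, Peoria IL", "created_by": "ap_clerk"},
]
EMPLOYEES = [
    {"user": "wh_manager", "address": "12 Oak Street, Springfield, IL"},
    {"user": "ap_clerk", "address": "7 Elm Road, Peoria, IL"},
]
INVOICES = [
    {"vendor": "V003", "number": "INV-1001", "amount": 4800.00,
     "ordered_by": "wh_manager", "received_by": "wh_manager", "approved_by": "wh_manager"},
    {"vendor": "V004", "number": "INV-77", "amount": 1250.00,
     "ordered_by": "buyer1", "received_by": "dock1", "approved_by": "controller"},
    {"vendor": "V004", "number": "inv 77", "amount": 1250.00,
     "ordered_by": "buyer1", "received_by": "dock1", "approved_by": "controller"},
    {"vendor": "V002", "number": "A-3", "amount": 990.00,
     "ordered_by": "wh_manager", "received_by": "dock1", "approved_by": "controller"},
]

LEGAL_SUFFIXES = {"inc", "incorporated", "company", "co", "corp", "corporation", "llc", "ltd"}
STREET_WORDS = {"street": "st", "avenue": "ave", "drive": "dr", "road": "rd", "suite": "ste"}


def norm_name(name):
    """Lowercase, drop punctuation and legal suffixes so 'UPS, Inc.' == 'UPS Company'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def norm_address(addr):
    """Lowercase, drop punctuation, abbreviate street words so spelling variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(STREET_WORDS.get(w, w) for w in words)


def is_po_box(addr):
    return re.search(r"\bp\.?\s*o\.?\s*box\b", addr, re.I) is not None


def review_vendors(vendors, employees, threshold=0.85):
    """Vendor master review: PO Boxes, employee addresses, look-alike names."""
    flags = []
    emp_addr = {norm_address(e["address"]) for e in employees}
    for v in vendors:
        if is_po_box(v["address"]):
            flags.append((v["id"], "PO_BOX_ADDRESS"))
        if norm_address(v["address"]) in emp_addr:
            flags.append((v["id"], "MATCHES_EMPLOYEE_ADDRESS"))
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, norm_name(a["name"]), norm_name(b["name"])).ratio()
        if ratio >= threshold:
            flags.append((b["id"], "NAME_SIMILAR_TO_" + a["id"]))
    return flags


def review_invoices(invoices, vendors):
    """Invoice review: duplicates after normalisation, and one person doing several steps."""
    flags = []
    created_by = {v["id"]: v["created_by"] for v in vendors}
    seen = {}
    for inv in invoices:
        # Same vendor, same amount, same number once case and punctuation are ignored.
        key = (inv["vendor"], re.sub(r"[^a-z0-9]", "", inv["number"].lower()), inv["amount"])
        if key in seen:
            flags.append((inv["number"], "DUPLICATE_OF_" + seen[key]))
        else:
            seen[key] = inv["number"]
        # Segregation of duties: list the steps each person performed for this invoice.
        steps = {"vendor_setup": created_by[inv["vendor"]], "order": inv["ordered_by"],
                 "receive": inv["received_by"], "approve": inv["approved_by"]}
        by_user = defaultdict(list)
        for step, user in steps.items():
            by_user[user].append(step)
        for user, done in by_user.items():
            if len(done) > 1:
                flags.append((inv["number"], f"NO_SEGREGATION:{user}:{'+'.join(done)}"))
    return flags


if __name__ == "__main__":
    for item, flag in review_vendors(VENDORS, EMPLOYEES) + review_invoices(INVOICES, VENDORS):
        print(f"{item:10} {flag}")
```

A flag is a prompt for the management review described earlier, not a finding: legitimate vendors use PO Boxes, and small organizations will see segregation flags they have to cover with after-the-fact review.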
Wherever there is money to be made, there is the risk of fraud. Individuals have been committing these acts for as long as records have been kept. So, although you cannot prevent the occurrence of fraud, you can reduce its risk and impact by implementing fraud controls.
Remember, every fraud program starts with management oversight. If you aren’t paying attention, the fraudster knows, and will take advantage of the opportunity. If you are, the fraudster knows that, too, and will be more cautious, and maybe even deterred completely. Hope is not a strategy. If you want to protect yourself, you have to take action.
Wednesday, August 25, 2010
Monday, June 14, 2010
Deconstructing Sarbanes Oxley
After eight years, we have come full circle. As so often happens in the market, we are back where we began.
By the time you read this, the Wall Street Reform Act will be on the verge of providing small public companies with a permanent exemption from Section 404(b) of the Sarbanes-Oxley Act of 2002. That subsection of the law simply required management’s internal control environment to be audited. By providing this exemption, Congress will have sent the market back to the pre-Sarbanes Oxley era. Once again, officers of public companies will be providing their investors the assurance that their companies have an effective internal control environment, without proof or verification.
What this recent change will create is, effectively, what the Foreign Corrupt Practices Act enacted, in 1977. That law required public companies to:
“Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that: 1) transactions are executed in accordance with management’s general or specific authorization; 2) transactions are recorded as necessary, 3) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and 4) to maintain accountability for assets”
However, that law also stated that:
“No criminal liability shall be imposed for failing to comply with the requirements” (of the Act) so long as “No person shall knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account”.
In effect, the law stated that public companies had to have, by law, a “system of internal controls” but had no criminal liability for “failing to comply”. Even then, if you look back, the market complained bitterly that the cost of these controls was too high and was damaging the competitiveness of American businesses. The Act was amended in 1988, in response to the numerous criticisms, and softened some of its ‘harsh’ requirements.
Of course, a little less than 20 years later, Enron, Worldcom and Adelphia became household buzzwords as billions of dollars of investor wealth disappeared due to the financial failures (and fraudulent reporting) of those entities. Congress concluded that these (and other) firms might not, in actuality, have been complying with the Foreign Corrupt Practices Act, as we had been assured. So, in 2002, the Sarbanes-Oxley Act was passed into law. This law did impose criminal liability if a company failed to comply, and built in a mechanism to ensure that companies actually did comply….the requirement that the internal controls be audited (subsection 404(b)).
Under Sarbanes-Oxley the principal executive officer and the principal financial officer are required to publicly certify that they have:
· “Designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known”
· “Have evaluated the effectiveness of the (issuer’s) internal controls as of a date within 90 days prior to the report”;
· And, “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”
This time, the law attached serious personal liability for a failure to comply, including: personal fines (millions), jail time (years), disbarment from serving as a public company officer or director, and claw-back of profits and bonuses. It also enacted a clause (404(b)) that mandated:
· “Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
The amendments proposed in the Wall Street Reform Act change one thing, and one thing only: they remove the requirement for the audit attestation. All the other requirements, and penalties, are still in force! A few audit dollars have been saved, and we have been returned to the past: where the word of business management must be trusted on faith. Caveat Emptor!
But we live in a capitalist economy where profits are the goal. History tells us that profits, or the appearance of profits, trump regulation….because, as we all know, regulation creates inefficiencies, costs more than it saves, and restricts entrepreneurial growth. So, there should be no surprise in the passage of this most recent exemption.
But, before we bury Sarbanes-Oxley as the epitome of bad and oppressive regulation, I’d like to give that heavily maligned piece of legislation its due. The market complained vehemently that the cost of auditing what management was already doing (supposedly) was simply not cost-effective or value driven. That is where all the focus went. Cost. However, the Act also provided some of these other pearls that are too often forgotten.
· It established a requirement that each member of the audit committee be a member of the board of directors, but otherwise independent. It also required that at least one member of that audit committee be a financial expert (or disclose that no one was!). It appears odd today that we had to legislate something like that.
· It required audit committees to establish procedures for the handling of complaints, and the ability to maintain anonymity (whistleblower hotlines).
· It required that the officers of a company actually take responsibility to read and sign the financial statements, and certify that they are materially correct. Apparently, reading the public financial statements was optional prior to this.
· Made it illegal to “fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant”, and required companies to establish a Code of Ethics for senior financial officers (or disclose that they didn’t have a Code of Ethics). Apparently, prior to Sarbanes-Oxley lying to your auditors wasn’t illegal!
· Created personal liability (civil and criminal) for corporation officers who misrepresented, intentionally or not, the financial condition of their companies to the investing public. No longer was the corporation solely responsible for the misbehavior of its officers. These liabilities included personal fines (millions), jail time (years), disbarment from serving as a public company officer or director, and claw-back of profits and bonuses.
· Made it illegal for insiders to trade during ‘blackout periods’.
· Created the Public Company Accounting Oversight Board (PCAOB) so that the accounting profession was no longer self-regulated, thereby fostering greater auditor independence and improved audit quality. We should remember, although management got an audit exemption, the auditors’ work is still audited by the PCAOB.
· Created rules governing auditor independence to avoid conflicts of interest, or the appearance of such, by prohibiting certain activities, and requiring greater disclosures and pre-approvals of non-audit services provided.
· …and more…(there were, after all, sixty-nine separate sections under the Act).
We have all heard the argument: “Sarbanes-Oxley didn’t solve the problems it tried to address. It was another example of failed regulation.”
Maybe.
Most of what it set out to do was logical, and important, and is now just part of the way we do business. Sadly, we had to create laws to make these things happen. Management didn’t do any of these things just because they were good business practices. Lie to the auditors? Read the financial statements you issue? Have someone who understands accounting on the audit committee? Those require laws?
Apparently they did.
I believe that anyone blaming a law for the failures of people is simply looking for a scapegoat. Laws define acceptable (or non-acceptable) behavior by citizens and corporations based on what the current society deems proper. Enforcement is the punishment of those who don’t follow those instructions. The law never fails (though there may be good and bad laws based on your views). People and enforcement fail.
Think about that the next time you hear someone denigrate Sarbanes-Oxley. It wasn’t a law about internal control audits. It was a law about better corporate governance and disclosure. Only the audit section has gone back to the past.
Friday, June 4, 2010
Going in Circles
The Foreign Corrupt Practices Act required public executives to certify that they had effective internal controls….and management issued those certifications from 1977 forward. No one…not the SEC or the auditors….verified whether those certifications were truthful or based on anything….we just trusted that business leaders wouldn’t certify something that wasn’t really true….of course having real controls costs some money, so there was little incentive.
Then came the meltdowns in felonious financial reporting at Enron, Worldcom and Adelphia….and Congress decided to put some verification to the certifications (404(b)) by having auditors test those certifications…..(something the SEC, despite their lack of oversight, had been pushing for for 25 years)…..
…and the cost to ACTUALLY implement controls was HUGE (an average of $4 million for the accelerated filers)….consequently, we got the pushback that has existed ever since
..now it looks like we will let small public companies behave as companies did under the old FCP Act rules….certify to having controls without having to prove it….because it costs too much….and, obviously, (one must conclude) business profits are more important than investor confidence.
So I guess we’ve come full circle. Given the billions in market value that investors lost due to the shenanigans of Enron and their ilk…..I can only think that Caveat Emptor….let the buyer beware….is now the catchphrase if you want to invest in small public companies….I just get confused…why do we care less about the investors in small companies….and wouldn’t robust investment in small companies help them? Of course, you have to believe that having good controls over the reliability of the financial information you provide to the public is important. If you don’t, then all of this is moot. Just seems to me we spent the last 8 years whining about cost so we can get back to the environment that fostered the problems in the first place……ahhh Capitalism
Friday, May 14, 2010
I collect fraud case studies.
Why? Because it is my job to understand how fraud occurs, how it is discovered, and how much damage it causes. I have a responsibility to help my clients prevent these situations, or at least mitigate the damages. I analyze and observe the circumstances surrounding fraudulent activity. I pay close attention to how management acts, both before and after the fraud is discovered. I incorporate that knowledge in my practice.
One of my most frustrating observations is this: fraud is almost certain to occur, and create significant loss, whenever Management assumes that somebody else will take the responsibility for fraud prevention. Repeatedly, I have seen Management convince themselves that their risks of business fraud will mitigate without their direct involvement. They look to government, regulators, auditors, internal auditors, and even basic employee integrity to provide the protection that they haven’t put in place themselves.
It simply does not work! The only effective solution rests solely with the leadership and its consistent commitment to addressing the risks of loss. No one else can be as effective as Management.
Fraud risks are not inconsequential. The ACFE’s 2008 Report to the Nation estimates that there are 5.7 million fraud incidents a year, resulting in losses approaching $1 trillion! That is almost 7% of all annual business revenues. The median fraud loss approximates $175,000…regardless of the size of the company. Fraud by your long time employees and managers increases those losses significantly. If you run a small business, or a nonprofit, those losses can be devastating. The organizational damage will take months, if not years to repair.
The elements of fraud, Need, Opportunity and Rationalization, are always present. We live in a capitalist society where the differences between need and greed are often hard to distinguish. We incentivize those who take risks. We encourage the competitive desires of our workers to strive for something better. We venerate the successful and the wealthy. In doing so, we reinforce need and rationalization, two of those three basic fraud elements.
Yet, we continue to be surprised when those super stimulated elements coalesce into the taking of an opportunity…. the commission of fraud. The statistics published by the Association of Certified Fraud Examiners (ACFE) indicate that the perpetrator is frequently a trusted, experienced employee or colleague who knows how ‘the system’ works. By the time we discover what has been done, it’s usually been going on for a year or two. And when the shock is over, the recriminations begin:
“The auditors should have caught it.”
“Don’t we have any internal controls?”
“Why wasn’t the audit committee paying closer attention?”
“What do I pay my internal auditors for?”
“Why didn’t the SEC investigate?”
Sadly, the recriminations only voice the frustrations of the victims. They come too late to do anything constructive. The damage is done. However, we don’t hear these cries from those who took responsibility for their own protection. They either haven’t been victimized, or have been able to react fairly quickly to minimize their losses. Planning and vigilance will do that.
Studies have shown that management can decrease fraud opportunities, reduce rationalization, create ongoing monitoring tools that identify fraud indicators, and reduce fraud losses. The tools are available to anyone who wants to invest a little time and effort. If you don’t choose to be one of the victims, you simply can’t leave the responsibility to others.
I’ve managed and consulted in businesses of all kinds for more than thirty-five years. In all those years, I have never found an effective shortcut for good management. The Sarbanes-Oxley Act attempted to put some regulation into “The Tone at the Top”. COSO, the organization that created the most accepted guidance on control frameworks, addressed a myriad of management best practices. MBA schools teach all the right techniques. Consultants make millions trying to improve corporate cultures. They create roadmaps for action.
But only management can effectively execute those actions.
You can never dictate good behavior and good business practices. If management doesn’t believe in the importance of what is being done, it will not follow through, and the initiative will fail. Employees know what management cares about. They see it in the daily words and actions of their leaders. No policies, procedures or good ideas will ever succeed without persistent reinforcement. If your employees know you care, and are going to check up and follow through….because you care….they will gladly follow. Convincing them requires conviction, attention, and consistent behavior. Initially, that isn’t easy. However, once your employees begin to accept your commitment, they will quickly perpetuate your programs and goals throughout the organization.
There are many actions that have been proven to reduce the impact of fraud. Surprise audits, job rotations, mandatory vacations, whistleblower hotlines, employee support programs, anti-fraud policies, defined codes of conduct and fraud training for executives and employees are just some of the most effective ones. There are a myriad of tools that are readily available on the internet, and from other sources. Those tools can assist you in designing and implementing useful control activities that can reduce or eliminate much of your risk.
Management should establish a “no tolerance” attitude toward fraud. Provide your employees with the ability to report what they observe without recrimination (whistleblower policies). Studies show that employees need to know that reports of misbehavior by others will be addressed. They also want to know that they can report problems without directly confronting their supervisors. Make it easy for them to support you.
Treat your employees fairly and with respect. Set up impersonal monitoring controls that will help you detect the indicators of fraud. Communicate your concerns and goals to your employees. Most of all, show up every day reinforcing where you stand….in words, and actions. No auditor, government regulator, or law enforcement official is ever going to be able to build or monitor the control environment that can mitigate your risks. Hoping that they can is an abdication of basic leadership responsibility. Hope is not a strategy!
Figuring out what to do isn’t hard. Implementing a comprehensive program…and keeping it running effectively…is! In the end, it is management’s commitment to create and maintain an effective anti-fraud environment that will keep your risks to a minimum.
So? Who are you going to trust? Will you rest easy hoping that someone else is watching over your business for you?
Can you afford to?
Wednesday, April 21, 2010
A Failure of Trust
I use this blog as an outlet for addressing fraud, fraud prevention, the value of controls in mitigating all types of business risk, and the critical nature of ethical management behavior in all aspects of business life.
Today, however, a series of articles, courtesy of nakedcapitalism.com, have moved my focus a bit. I don't think they are directly connected, any more than the fact that I'm addressing the local Chapter of the Association of Fraud Examiners this evening is connected...........
But, for me, it all fit together too perfectly.
The articles below, in the order they appear, are worthy of your time and thought.
Americans and Government (Joe Costello)
http://www.archein21.com/2010/04/americans-and-government.html
The T Word (Robert Cringely)
http://www.assetinternational.com/ASMW/PostDetail.aspx?id=876&blogid=226
and
GOP Seeks SEC Records on Goldman (Mike Allen)
http://www.assetinternational.com/ASMW/PostDetail.aspx?id=876&blogid=226
Joe Costello's item summarizes a recent Pew survey that looks at Americans' distrust of Government...and how it has grown over time....regardless of the political parties in power........as he says "The issue of disenfranchisement is essential to understanding America today."
After reading his, I stumbled onto Robert Cringely's brilliant article on the nature of Trust....empiricism and transparency. "Trust is present or it is absent. Grab a nerd and he’ll tell you that even the absence of trust is a measure of trust and that particular measure is zero. When trust is non-zero (which is better, believe me) it is based on one of two methodologies -- empiricism or transparency (the other T-word)."
His parallels between technology and current behaviors in the banking industry are frighteningly astute. For someone who addresses business ethics and fraud, I find his insights (depressingly) dead on.
The coup de grace of course was concluding my little sojourn into thoughts about political and leadership distrust with an article about Senators politicizing the regulators that are questioning Goldman's actions. Regardless of how you think you feel about the merits of the SEC's accusations (we all might want to question what we think at this point since so few facts of the case are yet known) the fact that a legal action is either seen as political, or has been turned into something political, only reinforces the first two articles.
So I'll talk about this to the fraud examiners tonight. I'll mention this to my peers and clients. I'll state again that regulating behavior is a failed hand....particularly without heavy investment in those who are supposed to regulate (something we have been consistently reluctant to do), though serious punishment can slow the perpetrators down. I'll hope that the 'facts' are uncovered without interference, in Goldman's case and others, and that we will judge the actions on their merits, not political agendas.
Tomorrow I will arise with the resigned cynicism of those who responded to the Pew survey...and go about trying to make my own small difference in the world....one deserving client at a time.
and wondering if we, as a people and a government, can ever learn that trust betrayed, is trust lost.
In closing I defer to a much smarter man than I, Peter Drucker:
"Management is doing things right; leadership is doing the right things."
Friday, April 16, 2010
Goldman Sachs
I've been questioning why no fraud indictments have come out of the market meltdown that started two years ago. I mean, every bubble is fueled by greed, and greed has a tendency to fuel fraud. How could there not be fraud?
We seemed to think that Enron and Worldcom executives overstepped their ethical responsibilities enough to create indictments earlier in the decade. We even found the practice of option backdating heinous enough to require indictments of the perpetrators. So, I've been cynically curious as to why our leaders in the financial markets were being spared the same scrutiny.
Well, maybe the wait is over. As Yves Smith so nicely states:
"SEC Sues Goldman for Fraud
Oooh, things are starting to get interesting.
A number of journalists and commentators (yours truly included) have taken issue with the fact that some dealers (most notably Goldman and DeutscheBank) had programs of heavily subprime synthetic collateralized debt obligations which they used to take short positions. Needless to say, the firms have been presumed to have designed these CDOs so that their short would pay off, meaning that they designed the CDOs to fail. The reason this is problematic is that most investors would assume that a dealer selling a product it had underwritten was acting as a middleman, intermediating between the views of short and long investors. Having the firm act to design the deal to serve its own interests doesn’t pass the smell test (one benchmark: Bear Stearns refused to sell synthetic CDOs on behalf of John Paulson, who similarly wanted to use them to establish a short position. How often does a trading oriented firm turn down a potentially profitable trade because they don’t like the ethics?)"
http://www.nakedcapitalism.com/2010/04/sec-sues-goldman-for-fraud.html
...so maybe, just maybe, we may see some people held accountable. Goldman, Lehman Brothers. Do we really think there were only two? It could be refreshing, for a short period, though as a fraud investigator, I can only figure that it will be another footnote in capitalist history along a very long road.
But we need to single out some of the worst offenders each time a bubble creates these abuses. Without establishing some semblance of risk for the perpetrators, there really is no reason at all not to take advantage of the system.
Wednesday, April 14, 2010
For more than thirty years I’ve been investigating fraud: figuring out how it happened, tabulating the costs, repairing the failed internal control systems and consoling the victims. Although the case studies vary, there is one constant: it is always a surprise! Even worse, Management’s response is invariably the same: “We never saw it happening. We never thought he/she could do something like that.”
The economic losses are often significant. The emotional and organizational impacts are always worse.
That’s the way it is with fraud. It is an act of betrayal by your own employee, and, unlike other losses, you can never fully shrug it off as “just part of the cost of doing business.” It is far too personal.
Yet in most of these cases, the company’s leaders had never implemented serious fraud prevention measures. They had addressed their other business risks, routinely scrutinizing business operations from a cost/benefit perspective and making control decisions accordingly. They bought property, liability and D&O insurance, even though they did not anticipate losses. But when it came to fraud protection, their standard evaluation methods were somehow forgotten, and they blithely plunged ahead without noticeable concern.
Why Does it Matter?
It matters because fraud risk is a constant in the marketplace. It matters because fraud’s impact on American business is staggering. It matters because I’ve seen the impact of these cases on my clients. It matters because Management can make an impact.
The statistics are sobering, if not downright scary. The Association of Certified Fraud Examiners (ACFE) estimates that U.S. organizations lose 7% of their annual revenues each year to fraud. That is approximately $994 billion, based on the ACFE’s estimates. In nonprofits, fraud accounts for $40 billion in losses each year—roughly 13% of all philanthropic giving! The median fraud loss is $175,000. That equates to over 5.7 million fraud incidents a year (228,000 in nonprofits alone)!
Who is at Risk?
Everyone. The median losses are approximately the same in all businesses: large corporations, small companies, governments and nonprofits. Of course, the impact of that $170,000 loss is much greater to the small company or nonprofit. In fact, if you are a small business with less than 100 employees, the news gets worse, as the median loss due to fraud is closer to $200,000 (look for check tampering and fraudulent billing schemes).
Who has Been Wreaking This Havoc?
The greatest losses are perpetrated by managers or officers who have been with the firm for more than five years. They are usually working alone and have no prior history of illegal activities. Accounting departments commit 29% of all fraud, executives another 18%. When the executives are involved, expect the median loss to exceed $850,000! If that isn’t bad enough, the average fraud usually covers an 18 to 30 month period before discovery, so the perpetrator may already be working his craft at your expense.
Why tell you this? Because your external auditors won’t find it for you. The police won’t find it for you. In fact, you’re as likely to discover fraud by accident as you are to discover it through internal audit. You can’t make it go away. If you haven’t taken action, tips are your best, and maybe only, hope.
Ways to Mitigate Risk
The sad truth is that no one has figured out how to eradicate fraud. As defined in Cressey’s “Fraud Triangle,” there are three elements that have to exist for fraud to be committed: Need, Opportunity, and Rationalization. So, how do you address these elements? As a manager, you have little control over a potential fraudster’s perceived need. You have some control over the rationalization process, but not a lot (it is harder to justify stealing from someone you like and respect than from someone you don’t). However, you do have a significant ability to control opportunity.
So if you want to reduce the risk of fraud loss, there are a couple of routes open to you. You can passively invest in dishonesty types of insurance policies and/or bond your employees. Or, you can actively spend a little bit of time improving your internal controls and internal auditing capabilities. Both solutions can reduce your financial risk. However, only the improvement in internal controls will reduce the likelihood of the fraud occurring at all, or at least allow you to detect it earlier.
Common Anti-Fraud Controls
In the fraud cases studied by the ACFE, lack of adequate internal controls was most commonly cited as the factor that allowed fraud to occur. In 78% of those cases, the victim organizations modified their anti-fraud controls after discovering that they had been defrauded.
There are fifteen common fraud-related controls that have proven effective at reducing the cost of fraud losses. Implementing job rotations and mandatory vacations, for example, reduced the median cost of fraud loss from $164,000 to only $64,000, which is a 61.0% decrease. You can review all of these in the ACFE's 2008 Report to the Nation.
Put some of these in place and it will make a difference. However, don’t confuse anti-fraud controls with SOX-related internal controls! Sarbanes-Oxley was passed in response to several large financial statement fraud schemes and is targeted toward preventing and detecting financial statement manipulation. Although those frauds are by far the most expensive, they are not the most prevalent. In fact, seven other categories of fraud (corruption, billing, skimming, non-cash, check tampering, expense reimbursements and cash on hand) are more frequent. If your goal is the reduction of all types of fraud, then the controls above will benefit you the most.
The Choice is Yours
You can buy insurance policies that will reduce the financial risk of a potential fraud. You pay a premium, take out a deductible and hope you are lucky. Or, you can invest some time (the labor premium) to strengthen your internal controls, and reduce both the likelihood of occurrence as well as the financial risk. Maybe if you do a little of both, you’ll rest easier and be better protected.
Prevention, deterrence and detection are the basis of risk management…and the basis of good business strategy. Don’t let fraud be the one risk you ignored.