
Proactive Fraud Prevention

By Bert F. Lacativo
May 01, 2003

Way back in the 80s, companies in the U.S. defense industry determined that it was in their best interests to band together and develop the Defense Industry Initiatives as a method to police themselves during a time when their industry was fraught with fraud and corruption. In the aftermath, ethics and compliance programs have been developed and implemented by the majority of U.S. companies. To further entice companies to establish an effective and proactive program designed to detect and, to the extent possible, prevent violations of law, the Federal Sentencing Guidelines for Organizations, passed in November 1991, reward these companies with relief when sentenced for violations of law.

While these programs have been primarily designed to demonstrate that a company is serious about acting ethically and within the law, we have seen a record number of financial restatements in the past year. One can surmise that this is due to a lapse in the effectiveness of those companies' ethics and compliance efforts.

Now, along comes the Sarbanes-Oxley Act, which contains a specific provision requiring chief financial and chief executive officers of SEC registrants to make certifications concerning their company's quarterly and annual reports that, if found to be made knowingly or willfully false, may subject the signing officer to criminal penalties. On October 22, 2002, the SEC issued rule proposals that, if adopted, would also require certifying officers to design, establish, maintain, evaluate and report the effectiveness of the company's “internal controls and procedures for financial reporting.” The SEC proposes that “internal controls and procedures for financial reporting” mean controls that pertain to the preparation of financial statements for external purposes that are prepared and presented to conform with generally accepted accounting principles (GAAP) as described in the Codification of Statements on Auditing Standards section 319. This section describes internal controls as “a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurances regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.” This certainly sheds new light on the importance of a company's ethics and compliance efforts. Corporate executives now have a never-before-seen level of professional and personal interest in ensuring that ethics and compliance programs, as well as the entire internal control structure, operate effectively at all times.

The Spotlight Is On You

If that is not enough to convince you that the spotlight is shining brightly on ethics and compliance programs, Sarbanes-Oxley also has a provision that provides Federal protection for employees of SEC registrants who report wrongdoing to the government and/or law enforcement. In the past, these whistleblowers have been a by-product of the provisions of the False Claims Act, which allows a private individual to bring a lawsuit against a company on behalf of the Government. Typically, these whistleblowers (also known as qui tam relators) were protected from retaliation by their employers under state statutes. Sarbanes-Oxley has created a situation in which anyone who reports wrongdoing to the government and/or law enforcement is protected from employer retaliation under Federal Statute. The scary proposition about the whistleblower provision under the Sarbanes-Oxley Act is that an SEC registrant can now find itself with an employee who is a whistleblower, and whom it probably cannot terminate. Unlike the relator, who will either prevail in their lawsuit or not, the Sarbanes-Oxley whistleblower will likely not have filed a lawsuit and probably will not stand to gain monetarily. A company may now find itself facing the prospect of having a whistleblower as an employee for life.

More Reasons

So what are the other reasons why ethics and compliance programs are important to companies today? Aside from the fact that their development and implementation is the right thing to do, these programs may also help to spare a company from an “Enron” type situation. Additional and important by-products of an effective ethics and compliance program are that company officials required to sign certifications may rest easier knowing that there is a mechanism in place to identify problems while also acting to prevent (or at least minimize) the likelihood of an employee becoming a Sarbanes-Oxley whistleblower. To determine whether a company's ethics and compliance program is effective, it should be periodically assessed. This is not necessarily a new concept, but is one area where the stakes are high enough to warrant re-visiting. Let's look at some questions and considerations for companies when assessing the effectiveness of their ethics and compliance efforts:

Program Design, Board of Directors and Senior Management

Is there a written compliance and ethics program that states in plain English what the company's position is vis-a-vis compliance and ethics along with clearly stated employee expectations? Does the program also cover company agents?

Do the company's Board of Directors and senior management embrace the tenets of the ethics and compliance program through their actions and words? Do they “walk the talk”?

Was the program developed to include the parameters suggested by the Federal Sentencing Commission in its Federal Sentencing Guidelines for Organizations? Was other industry-specific (i.e., health care) guidance incorporated?

Was the original program subjected to legal review?

Has responsibility to monitor the compliance program and investigate violations of law and company policies and procedures been assigned to specific individuals within high-level personnel of the organization? Does that individual have direct access to the CEO and Board of Directors?

Has a mechanism been set up to ensure that all allegations are followed up? Is there a protocol for oversight of investigations that is dependent upon the severity of the allegation?

Does the company provide counseling programs to address and reduce personal issues such as substance abuse, stress and family problems, all of which could lead to an employee's decision to engage in improper activity?

Have the ethics and compliance standards been consistently enforced (without regard to level or position within the organization) through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense? For example, does the company's human resources department maintain statistics and mechanisms regarding all disciplinary actions for use by line managers when meting out discipline to ensure consistency?

As a deterrent factor, has the company publicized the types of offenses addressed and the respective disciplinary action taken (a no-name basis would be acceptable)?

After an offense has been detected, has the company taken all reasonable steps to respond appropriately (including self-reporting and referral to law enforcement as appropriate), including making necessary modifications to the program designed to detect and minimize the likelihood of violations of law and company policies and procedures?

Has the company considered mandatory fraud training for upper management to heighten their awareness regarding their fiduciary responsibility to prevent, deter and detect fraud?

Has the company considered specialized and industry specific fraud training for specific departments? (For example, procurement personnel would get awareness training regarding procurement fraud schemes.)

Does the company have a proactive fraud prevention program in place that is designed to minimize the likelihood of fraud occurring?

Are fraud and illegal acts risk assessments performed within appropriate business units and operating departments to identify those areas where the company may be subjected to improper acts? Are tests performed and analytical reports produced, based on the risk assessments, to identify anomalies that may indicate potential fraud?

Employees

Has the company taken steps to ensure that it has not delegated substantial discretionary authority to individuals who the organization knows, or should have known through the exercise of due diligence, have a propensity to engage in illegal activities (pre-employment background checks)? Are periodic background investigation updates conducted, particularly when employees are promoted?

Have all employees received ethics and compliance training? Is there evidence of that training? Are there periodic updates/reminders regarding the company's stance regarding ethics and compliance (e-mails, posters, pamphlets, CEO communications, etc.)?

Have employees been required to state in writing that they received training, understand their responsibilities and have reported all wrongdoing that they are aware of to the company? Are employees required to sign a conflict of interest statement on a yearly basis?

Does the program include a convenient mechanism for employees to report wrongdoing? Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized? Is use of that mechanism monitored to determine frequency of use and quality of complaints received? Have employees been polled to determine their awareness of the reporting mechanism?

Are exit interviews conducted and are specific questions asked regarding the exiting employees' knowledge of improprieties?

Are employees required to take annual vacations?

Is ethical activity linked to performance expectations for all employees?

Vendors/Customers

Does the company perform due diligence procedures on new suppliers and large customers to gain an acceptable comfort level regarding the company's integrity?

Has the company developed guidelines for dealing with vendors and suppliers? Has the company set out specific guidance regarding the acceptance of gifts and gratuities from vendors and suppliers? Have the company's ethical expectations been communicated to those vendors and suppliers?

Does the program include a convenient mechanism for vendors and customers to report wrongdoing? Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized? Is use of that mechanism monitored to determine frequency of use and quality of complaints received? Have vendors and customers been polled to determine their awareness of the reporting mechanism?

Effecting the Assessment

Now that the questions have been asked, how is the assessment done? I believe that an effective assessment should be conducted by an independent, objective and uninterested third party. The following is a list of general procedures likely to be performed when assessing a company's ethics and compliance program:

1. Identify and obtain a complete understanding of the business and compliance risks associated with the business, the ways noncompliance may occur and the conditions that give rise to them. Activities would include:

  • Assessment of the control environment to identify high-risk areas.
  • Identification of applicable statutes and regulations affecting the company and its industry.
  • Assessment of the current understanding and adherence to compliance related policies and procedures.

2. Review the company's existing systems, practices and procedures to determine whether they have been designed to achieve and maintain reasonable assurance of compliance with applicable statutes and regulations affecting the company. This review should focus not only on the written policies and procedures, but also on the actual practices and processes in place. Activities would include:

  • Analysis of the company's organizational structure and mechanism for reporting violations of law and/or the company's policies and procedures.
  • Assessment of the company's communication of the ethics and compliance program within and outside the organization, as appropriate.
  • Assessment of the company's criteria and methods for providing ethics and compliance related training and the methods utilized to assess the effectiveness of the training.

3. Perform a detailed assessment of the company's financial, management and other practices related to each of the compliance risk areas under review. Activities would include:

  • Interviews with key employees regarding ethics and compliance related risks.
  • The design and performance of tests to determine adherence to the company's ethics and compliance program policies and procedures.
  • Documentation of internal controls and procedures that act as mitigators to the compliance risks identified.
  • Assessment of the strength and effectiveness of the compliance related practices.
  • Development of proposed recommendations for compliance program enhancement.

4. Implementation of proposed enhancements to the ethics and compliance program, resulting from the findings in number three, would be addressed jointly by the third party conducting the review, company management and legal counsel. Activities would include:

  • Identification of refinements to the compliance program based upon the findings above.
  • Development of a corrective action plan to implement the refinements.
  • Identification of necessary changes to procedure, policies, training and company systems to implement the corrective action plan items.
  • Implementation of the policy changes identified above.
  • Development and/or updating of training and communication materials to reflect the ethics and compliance program enhancements.
  • Conduct of training.

5. The final aspect of the ethics and compliance program assessment is development of an ongoing monitoring process. Activities would include:

  • The design of periodic tests to ensure adherence to the company's ethics and compliance policies, procedures and processes.
  • Testing and validation, along with an overall assessment of the operation, of the compliance program and the related policies, procedures and processes.

This ongoing assessment process could be accomplished by utilizing a company's internal audit group. Periodic review of the internal auditor's work by an independent, objective third party is an option for a company to consider.

As an additional consequence of recent accounting-related irregularities, it is more likely that a company's independent auditor will be required to examine, assess and perhaps opine on the quality of a company's fraud prevention efforts, including the company's ethics and compliance program.

Now more than ever, effective compliance programs, and their related controls, are the number one tools that companies have at their disposal to ensure that the potential for violations of law is minimized and ethical behavior is instilled within the organization.


Bert F. Lacativo is the Managing Director of FTI, a consulting firm located in Irving, TX. The views expressed herein are those of Lacativo himself, and not necessarily those of FTI. He can be reached at 888-997-1992.
