Proactive Fraud Prevention

Part One of a Two-Part Article

Way back in the 80s, companies in the U.S. Defense industry determined that it was in their best interests to band together and develop the Defense Industry Initiatives as a method of policing themselves during a time when their industry was fraught with fraud and corruption. As an aftermath, ethics and compliance programs have been developed and implemented by the majority of U.S. companies. To further entice companies to establish an effective and proactive program designed to detect and, to the extent possible, prevent violations of law The Federal Sentencing Guidelines for Organizations, passed in late 1991, rewards these companies with relief when sentenced for violations of law.

While these programs have been primarily designed to demonstrate that a company is serious about acting ethically and within the law, we have seen a record number of financial restatements in the past year. One can surmise that this is due to a lapse in the effectiveness of those companies' ethics and compliance efforts.

Now, along comes the Sarbanes-Oxley Act, which contains a specific provision requiring chief financial and chief executive officers of SEC registrants to make certifications concerning their company's quarterly and annual reports that, if found to be made knowingly or willfully false, may subject the signing officer to criminal penalties. On October 22, 2002, the SEC issued rule proposals that, if adopted, would also require certifying officers to design, establish, maintain evaluate and report the effectiveness of the company's 'internal controls and procedures for financial reporting.' The SEC proposes that 'internal controls and procedures for financial reporting' mean controls that pertain to the preparation of financial statements for external purposes that are prepared and presented to conform with generally accepted accounting principles (GAAP) as described in the Codification of Statements on Auditing Standards section 319. This section describes internal controls as 'a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurances regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.' This certainly sheds new light on the importance of a company's ethics and compliance efforts.  Corporate executives now have a never-before seen level of professional and personal interest in insuring that ethics and compliance programs, as well as the entire internal control structure, operates effectively at all times.

The Spotlight Is on You

If that is not enough to convince you that the spotlight is shining brightly on ethics and compliance programs, Sarbanes-Oxley also has a provision that provides Federal protection for employees of SEC registrants, who report wrongdoing to the government and/or law enforcement. In the past, these whistleblowers have been a by-product of the provisions of the False Claims Act that allows a private individual to bring a lawsuit against a company on behalf of the Government. Typically, these whistleblowers (also known as qui tam relators) were protected from retaliation by their employers under state statutes. Sarbanes-Oxley has created a situation in which anyone who reports wrongdoing to the government and/or law enforcement is protected from employer retaliation under Federal Statute. The scary proposition about the whistleblower provision under the Sarbanes-Oxley Act is that an SEC registrant can now find himself or herself with an employee who is a whistleblower, and who they probably cannot terminate. Unlike the relators, who will either prevail in their lawsuit or not, the Sarbanes-Oxley whistleblower will likely not have filed a lawsuit and probably will not stand to gain monetarily. A company may now find itself facing the prospect of having a whistleblower as an employee for life.

More Reasons

So what are the other reasons why ethics and compliance programs are important to companies today? Aside from the fact that their development and implementation is the right thing to do, these programs may also help to spare a company from an 'Enron' type situation. Additional and important by-products of an effective ethics and compliance program are that company officials required to sign certifications may rest easier knowing that there is a mechanism in place to identify problems while also acting to prevent (or at least minimize) the likelihood of an employee becoming a Sarbanes-Oxley whistleblower. To determine whether a company's ethics and compliance program is effective, it should be periodically assessed. This is not necessarily a new concept, but is one area where the stakes are high enough to warrant revisiting. Let's look at some questions and considerations for companies when assessing the effectiveness of their ethics and compliance efforts:

Program Design, Board of Directors and Senior Management

• Is there a written compliance and ethics program that states in plain English what the company's position is vis-'-vis compliance and ethics along with clearly stated employee expectations?  Does the program also cover company agents?
• Does the company's Board of Directors and senior management embrace the tenets of the ethics and compliance program through their actions and words? Do they 'walk the talk?'
• Was the program developed to include the parameters suggested by the Federal Sentencing Commission in its Federal Sentencing Guidelines for Organizations? Was other industry-specific (ie, health care) guidance incorporated?
• Was the original program subjected to legal review?
• Has responsibility to monitor the compliance program and investigate violations of law and company policies and procedures been assigned to specific individuals within high-level personnel of the organization? Does that individual have direct access to the CEO and Board of Directors?
• Has a mechanism been set up to ensure that all allegations are followed up? Is there a protocol for oversight of investigations that is dependent upon the severity of the allegation?
• Does the company provide counseling programs to address and reduce personal issues such as substance abuse, stress and family problems, all of which could lead to an employee's decision to engage in improper activity?
• Have the ethics and compliance standards been consistently enforced (without regard to level or position within the organization) through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense? For example, does the company's human resources department maintain statistics and mechanisms regarding all disciplinary actions for use by line managers when metering out discipline to insure consistency?
• As a deterrent factor, has the company publicized the types of offenses addressed and the respective disciplinary action taken (on a no-name basis would be acceptable)?
• After an offense has been detected, has the company taken all reasonable steps to respond appropriately (including self-reporting and referral to law enforcement as appropriate) including making necessary modifications to the program designed to detect and minimize the likelihood of violations of law and company policies and procedures?
• Has the company considered mandatory fraud training for upper management to heighten their awareness regarding their fiduciary responsibility to prevent, deter and detect fraud?
• Has the company considered specialized and industry specific fraud training for specific departments? (For example, procurement personnel would get awareness training regarding procurement fraud schemes.)
• Does the company have a proactive fraud prevention program in place that is designed to minimize the likelihood of fraud occurring?
• Are fraud and illegal acts risk assessments performed within appropriate business units and operating departments to identify those areas where the company may be subjected to improper acts? Are tests performed and analytical reports produced, based on the risk assessments, to identify anomalies that may indicate potential fraud?

Employees

• Has the company taken steps to ensure that it has not delegated substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, has a propensity to engage in illegal activities (pre-employment background checks)? Are periodic background investigation updates conducted particularly when employees are promoted?
• Have all employees received ethics and compliance training? Is there evidence of that training? Are there periodic updates/reminders regarding the company's stance regarding ethics and compliance (e-mails, posters, pamphlets, CEO communications, etc.)?
• Have employees been required to state in writing that they received training, understand their responsibilities and have reported all wrongdoing that they are aware of to the company? Are employees required to sign a conflict of interest statement yearly?
• Does the program include a convenient mechanism for employees to report wrongdoing?  Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized?  Is use of that mechanism monitored to determine frequency of use and quality of complaints received?  Have employees been polled to determine their awareness of the reporting mechanism?
• Are exit interviews conducted and are specific questions asked regarding the exiting employees' knowledge of improprieties?
• Are employees required to take annual vacations?

Conclusion

Now more than ever effective compliance programs, and their related controls, are the number one tools that companies have at their disposal to ensure that the potential for violations of law are minimized and ethical behavior is instilled within the business organization.

Next month's article will discuss  vendors and customers, the assessment, and ongoing monitoring systems.

Bert F. Lacativo is the Managing Director of FTI, a consulting firm locating in Irving, TX. The views expressed herein are those of Lacativo himself, and not necessarily those of FTI. He can be reached at 888-997-1992.

Part One of a Two-Part Article

Way back in the 80s, companies in the U.S. Defense industry determined that it was in their best interests to band together and develop the Defense Industry Initiatives as a method of policing themselves during a time when their industry was fraught with fraud and corruption. As an aftermath, ethics and compliance programs have been developed and implemented by the majority of U.S. companies. To further entice companies to establish an effective and proactive program designed to detect and, to the extent possible, prevent violations of law The Federal Sentencing Guidelines for Organizations, passed in late 1991, rewards these companies with relief when sentenced for violations of law.

While these programs have been primarily designed to demonstrate that a company is serious about acting ethically and within the law, we have seen a record number of financial restatements in the past year. One can surmise that this is due to a lapse in the effectiveness of those companies' ethics and compliance efforts.

Now, along comes the Sarbanes-Oxley Act, which contains a specific provision requiring chief financial and chief executive officers of SEC registrants to make certifications concerning their company's quarterly and annual reports that, if found to be made knowingly or willfully false, may subject the signing officer to criminal penalties. On October 22, 2002, the SEC issued rule proposals that, if adopted, would also require certifying officers to design, establish, maintain evaluate and report the effectiveness of the company's 'internal controls and procedures for financial reporting.' The SEC proposes that 'internal controls and procedures for financial reporting' mean controls that pertain to the preparation of financial statements for external purposes that are prepared and presented to conform with generally accepted accounting principles (GAAP) as described in the Codification of Statements on Auditing Standards section 319. This section describes internal controls as 'a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurances regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.' This certainly sheds new light on the importance of a company's ethics and compliance efforts.  Corporate executives now have a never-before seen level of professional and personal interest in insuring that ethics and compliance programs, as well as the entire internal control structure, operates effectively at all times.

The Spotlight Is on You

If that is not enough to convince you that the spotlight is shining brightly on ethics and compliance programs, Sarbanes-Oxley also has a provision that provides Federal protection for employees of SEC registrants, who report wrongdoing to the government and/or law enforcement. In the past, these whistleblowers have been a by-product of the provisions of the False Claims Act that allows a private individual to bring a lawsuit against a company on behalf of the Government. Typically, these whistleblowers (also known as qui tam relators) were protected from retaliation by their employers under state statutes. Sarbanes-Oxley has created a situation in which anyone who reports wrongdoing to the government and/or law enforcement is protected from employer retaliation under Federal Statute. The scary proposition about the whistleblower provision under the Sarbanes-Oxley Act is that an SEC registrant can now find himself or herself with an employee who is a whistleblower, and who they probably cannot terminate. Unlike the relators, who will either prevail in their lawsuit or not, the Sarbanes-Oxley whistleblower will likely not have filed a lawsuit and probably will not stand to gain monetarily. A company may now find itself facing the prospect of having a whistleblower as an employee for life.

More Reasons

So what are the other reasons why ethics and compliance programs are important to companies today? Aside from the fact that their development and implementation is the right thing to do, these programs may also help to spare a company from an 'Enron' type situation. Additional and important by-products of an effective ethics and compliance program are that company officials required to sign certifications may rest easier knowing that there is a mechanism in place to identify problems while also acting to prevent (or at least minimize) the likelihood of an employee becoming a Sarbanes-Oxley whistleblower. To determine whether a company's ethics and compliance program is effective, it should be periodically assessed. This is not necessarily a new concept, but is one area where the stakes are high enough to warrant revisiting. Let's look at some questions and considerations for companies when assessing the effectiveness of their ethics and compliance efforts:

Program Design, Board of Directors and Senior Management

• Is there a written compliance and ethics program that states in plain English what the company's position is vis-'-vis compliance and ethics along with clearly stated employee expectations?  Does the program also cover company agents?
• Does the company's Board of Directors and senior management embrace the tenets of the ethics and compliance program through their actions and words? Do they 'walk the talk?'
• Was the program developed to include the parameters suggested by the Federal Sentencing Commission in its Federal Sentencing Guidelines for Organizations? Was other industry-specific (ie, health care) guidance incorporated?
• Was the original program subjected to legal review?
• Has responsibility to monitor the compliance program and investigate violations of law and company policies and procedures been assigned to specific individuals within high-level personnel of the organization? Does that individual have direct access to the CEO and Board of Directors?
• Has a mechanism been set up to ensure that all allegations are followed up? Is there a protocol for oversight of investigations that is dependent upon the severity of the allegation?
• Does the company provide counseling programs to address and reduce personal issues such as substance abuse, stress and family problems, all of which could lead to an employee's decision to engage in improper activity?
• Have the ethics and compliance standards been consistently enforced (without regard to level or position within the organization) through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense? For example, does the company's human resources department maintain statistics and mechanisms regarding all disciplinary actions for use by line managers when metering out discipline to insure consistency?
• As a deterrent factor, has the company publicized the types of offenses addressed and the respective disciplinary action taken (on a no-name basis would be acceptable)?
• After an offense has been detected, has the company taken all reasonable steps to respond appropriately (including self-reporting and referral to law enforcement as appropriate) including making necessary modifications to the program designed to detect and minimize the likelihood of violations of law and company policies and procedures?
• Has the company considered mandatory fraud training for upper management to heighten their awareness regarding their fiduciary responsibility to prevent, deter and detect fraud?
• Has the company considered specialized and industry specific fraud training for specific departments? (For example, procurement personnel would get awareness training regarding procurement fraud schemes.)
• Does the company have a proactive fraud prevention program in place that is designed to minimize the likelihood of fraud occurring?
• Are fraud and illegal acts risk assessments performed within appropriate business units and operating departments to identify those areas where the company may be subjected to improper acts? Are tests performed and analytical reports produced, based on the risk assessments, to identify anomalies that may indicate potential fraud?

Employees

• Has the company taken steps to ensure that it has not delegated substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, has a propensity to engage in illegal activities (pre-employment background checks)? Are periodic background investigation updates conducted particularly when employees are promoted?
• Have all employees received ethics and compliance training? Is there evidence of that training? Are there periodic updates/reminders regarding the company's stance regarding ethics and compliance (e-mails, posters, pamphlets, CEO communications, etc.)?
• Have employees been required to state in writing that they received training, understand their responsibilities and have reported all wrongdoing that they are aware of to the company? Are employees required to sign a conflict of interest statement yearly?
• Does the program include a convenient mechanism for employees to report wrongdoing?  Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized?  Is use of that mechanism monitored to determine frequency of use and quality of complaints received?  Have employees been polled to determine their awareness of the reporting mechanism?
• Are exit interviews conducted and are specific questions asked regarding the exiting employees' knowledge of improprieties?
• Are employees required to take annual vacations?

Conclusion

Now more than ever effective compliance programs, and their related controls, are the number one tools that companies have at their disposal to ensure that the potential for violations of law are minimized and ethical behavior is instilled within the business organization.

Next month's article will discuss  vendors and customers, the assessment, and ongoing monitoring systems.

Bert F. Lacativo is the Managing Director of FTI, a consulting firm locating in Irving, TX. The views expressed herein are those of Lacativo himself, and not necessarily those of FTI. He can be reached at 888-997-1992.