On Feb. 23, 2010, Compliance Week and Crowe Horwath presented an exclusive editorial roundtable, which focused on fraud risks and challenges—especially third-party risks—facing companies today. The event was moderated by CW Editor Matt Kelly and co-hosted with Crowe Partner-in-Charge of Fraud & Ethics Jonathan Marks. The following article is an in-depth look at that discussion.

THE PANELISTS

The following executives participated in the Feb. 23, 2010, roundtable on combating third-party fraud risk.

Mark Burns, Global Compliance Group Manager, United Parcel Service
Elizabeth Chandler, General Counsel & Corporate Secretary, Asbury Automotive Group
Jay Cohen, SVP & Chief Compliance Officer, Assurant
Alejandro Diaz, Chief Ethics and Compliance Officer, Coca-Cola Enterprises
Robert Frisbee, Ethics and Compliance Director, Southern Co.
Stephen Hellrung, General Counsel & Secretary, Graphic Packaging Holding
Julia Houston, General Counsel, CCO, and Corporate Secretary, Mirant Corp.
Jonathan Marks, Partner-in-Charge of Fraud & Ethics, Crowe Horwath
Kathleen Mayton, General Counsel, Rollins Inc.
Christopher Miller, Associate General Counsel, Southern Company
Brad Nesmith, Director of Corporate Compliance, Home Depot
Paul Shlanta, General Counsel, Chief Ethics & Compliance Officer, AGL Resources
Tim Tripp, Chief Audit Executive, Newell Rubbermaid
Cliff Zoller, Chief Audit Executive, Ryder System

Statistics differ over whether or not fraud rises in a difficult economy. For ethics and compliance officers, however, the true answer is also somewhat beside the point: the challenges of fighting fraud are rising, regardless.

At a Feb. 23 editorial roundtable hosted by Compliance Week and accounting firm Crowe Horwath, attendees gave a laundry list of worries: accuracy in financial reporting; employees who tend to “push the envelope” on performance, either to get more compensation or simply to keep their jobs; misuse of corporate purchasing cards for personal items; operations in geographically dispersed locations, especially where cultural norms about fraud differ or activity happens beyond the eye of central management.

Then come more worries about briefing senior executives and the board on fraud activity, and about training employees and devising systems to thwart the possible frauds that might happen.

Roundtable participants did agree that economic unrest does give employees an easier path to commit fraud if they’re so inclined. But Jonathan Marks, head of the fraud and ethics practice at Crowe Horwath, argued that the motives that propel fraudsters in the first place don’t change much depending on broad economic trends: people still need to feed personal addictions, appear competent, and broadly “keep up with the Joneses,” he said.

Marks also said that large frauds often spring from smaller frauds, as an employee keeps trying to cover up misdeeds. For example, he said, a person might commit financial reporting fraud (potentially disastrous for a business) to cover up an asset theft (unwanted, certainly, but often immaterial to overall company health).

Top of mind at the roundtable, however, were the fraud risks posed by third parties—resellers, partners, suppliers, and the like—and especially third parties in other parts of the world. Several attendees said they depend on right-to-audit clauses in contracts with third parties, and do exercise that right when necessary. All said they wish for a central clearinghouse of information about vendors, so corporations can share research and better determine which outside parties they should avoid.

Another popular tactic to manage third parties was distribution of company Codes of Conduct. Both Southern Co. and Mirant Corp., for example, require third parties to go through a registration process and agree to their codes. And Home Depot, with its vast network of contractors and homebuilders circulating through its stores every day, goes even further with a separate hotline solely for vendors and suppliers to report possible ethical misconduct.

Calls into that hotline regularly result in action taken against either an associate or a supplier, proving its effectiveness, said Brad Nesmith, Home Depot’s director of compliance. “It’s very impactful to have that option.”

While all participants said they depend on whistleblowers to help uncover fraud, they did also cite drawbacks to relying on a hotline. First, simply waiting for an employee to use the hotline and then investigating the tip can take months, “so that’s a big risk unto itself,” said Mark Burns, group manager of compliance and ethics at United Parcel Service.

Nor does every culture like to use hotlines. In China and Britain, for example, they prefer to communicate via e-mail, Burns said. “Generally, if someone spends the time to send an e-mail, and they give you enough description, there is probably a lot of merit in it,” he said.

And regardless of the utility of hotlines, they can never replace in-person communication—even though the personal touch is also more expensive. “Only then do [compliance departments] get an understanding of exactly what it is you’re trying to say, the kinds of risks there really are, how those risks play out, and a face of somebody they feel like they can trust to send that e-mail to,” said Jay Cohen, chief compliance officer at Assurant. “It’s a very difficult sell, but I think it’s indispensable.”

Fraud Ownership

Another grand theme from the roundtable was that no single corporate department should “own” anti-fraud enforcement. At Mirant, for example, patrolling for fraud is a coordinated effort between internal audit and the chief risk officer, said Julia Houston, the energy company’s chief compliance officer.

Others said their senior management and board roll fraud risks into a greater enterprise risk management program. “We talk about [fraud] as an element of risk management, because it’s an element of total risk to the enterprise,” said Stephen Hellrung, general counsel and corporate secretary at Graphic Packaging Holding Co.

[Photo: Jay Cohen of Assurant Corp. makes a point as Julia Houston of Mirant Corp. listens.]

[Photo: Jonathan Marks, head of the fraud and ethics practice at Crowe Horwath, argued for “the fraud pentagon.”]

[Photo: The discussion about fraud was wide-ranging and lasted two hours.]

When a fraud is uncovered at Graphic Packaging, for example, “we shine a spotlight all over that,” Hellrung said. It gets the attention of the general counsel, chief executives, internal auditor, and the audit committee, “because we want to know how it happened, how it was discovered, how to remediate it, and what to do with the individual who committed it.”

Boards do still struggle to keep that perspective about fraud. Too often, roundtable participants said, boards or audit committees will slip into a zero-tolerance attitude about fraud and panic at any incident of it at all. It falls to chief compliance officers to talk those directors off the ledge.

“They immediately think there’s been a control breakdown,” said Paul Shlanta, general counsel and chief ethics and compliance officer of AGL Resources. “Trying to explain that those controls work—and in fact were the way that we identified the fraud—is a major process to get them comfortable.”

That duty, however, leads to the related question of how much information about fraud should be shared with the board. Houston said she errs on the side of giving abundant information so directors aren’t surprised; others were inclined to give the bare and necessary details, to avoid inundating directors with too much, too often.

Participants had various tools and techniques to help them decide what should be reported to the board. One attendee said his rule was to report any fraud perpetrated by methods the company hadn’t seen before, since they could suggest a control failure that warrants board attention.

And Elizabeth Chandler, general counsel and corporate secretary at the Asbury Automotive Group, said she devised a “notification matrix.” In one column are the biggest risks that get reported immediately; in another are less important risks that get reported at the next board meeting, and remaining smaller risks are rolled up into metrics and reported on an aggregate basis, she explained.

New Elements of Fraud

Marks argued at the roundtable that compliance and internal audit executives should have an expanded view of what drives fraud. The three traditional elements of “the fraud triangle”—opportunity, pressure, and rationalization—all do exist, he said. But he also cited two other elements: competence (having the skill and authority to manipulate events) and arrogance (believing that you can get away with the scam).

In reality, Marks said, the elements of fraud are shaped more like a pentagon than a triangle, and they are deeply driven by the fraudster’s psychology. “To have an effective anti-fraud program, you have to ‘put Freud in fraud,’ or be at risk of getting deceived into a false sense of trust, which leads to little or no substantiation, and sometimes fraud,” he said. “The warning signs are usually there for those who look beyond the numbers.”

Houston said she particularly worries about employees looking to protect their jobs, since the pressure to downsize in today’s economy can create a “culture of fear.” Employees’ instinct to cover up mistakes to protect their jobs is a big concern, she said.

Others worried about the challenge of complacency in their organization; that is, if a fraud or another incident hasn’t happened in a while, the company risks developing a lax attitude based on the comfort of controls already in place.

Several roundtable participants said they consider deterrence a valuable tool and will sometimes take far-reaching steps to implement it. One attendee said his company has arrested employees in front of peers, even when the fraud in question is small—simply so coworkers will see that the company takes fraud seriously.

Another attendee said that any time a whistleblower raises concerns about fraud but the company can’t find enough evidence to take action, the company will still have a discussion about it with the target of the alleged misdeed. “So even if we weren’t sure if something was going on or not, we’re pretty sure it’s not going to go past that, because they know we’re looking,” the executive said.