In the current climate of aggressive regulatory enforcement against fraud, bribery, and a host of other corporate transgressions, compliance officers need to make sure that they aggressively detect and deter misconduct at their organizations.

To that end, compliance officers can learn a great deal from auditors with experience in the Federal Bureau of Investigation and other law-enforcement agencies.

The FBI has recently built up its forensic accounting team to pursue fraud at companies. “When I left the FBI back in 2005, there were only between 250 and 400 FBI agents who were CPAs—now it's my understanding that there are 2,500 CPAs in the FBI, out of approximately 14,000 agents,” says Alton Sizemore, director of investigations at Forensic/Strategic Solutions, who retired from the bureau after 25 years. The FBI also recently added a program for forensic accountants, he says.

Given the increased focus on forensics in law enforcement, forensic accounting should play a bigger role in companies' compliance programs, Sizemore says. “Following the financial statements, following the money, will give a very clear window into the company's level of compliance, the amount of money they're spending on compliance, and how effective the compliance program is,” he says.

First, compliance officers should learn to be “professionally skeptical,” Sizemore says: not distrusting people automatically, but not trusting them implicitly, either. “If compliance officers see a compliance issue, instead of just going to the person and saying, ‘You allegedly have violated that policy. What happened?’ and then taking their word for it, look behind it,” he says. “Look at the documents, find out from other individuals in the same area if that makes sense, and if it is in compliance with the company's rules, policies, and regulations, or with the industry's standards.”

Following up on minor issues is crucial, Sizemore says. “I've seen many, many cases where a small non-compliance issue was really just the tip of the iceberg,” he says. “The small compliance issues need to be dealt with quickly and appropriately and they need to be followed up on, because they could just be an indication of something more serious.”

BEHAVIORAL ELEMENTS

The following excerpt is from "Putting the Freud in Fraud," a new white paper provided exclusively to Compliance Week by Crowe Horwath:

Individuals who exhibit or have a combination of the following social characteristics might be more likely than others to stray from the straight and narrow:

1. Lack of a moral compass. Former UBS investment banker Igor Poteroba received a 22-month jail term in March 2011 after pleading guilty to insider trading charges. The banker told the judge before sentencing, “I made some very bad mistakes and made some very bad decisions. I lost my moral compass.” All organizations must rely to some extent on individuals' moral compasses to guide behavior in the workplace. F. Clark Power in the book Moral Education explains that the term “moral compass” is often used as a synonym for conscience. Without a conscience, an individual might not have the ability to determine right from wrong.

Antar explains, “Criminals typically compensate in their outward personality for any lack of morals.” He says this duplicity can make detecting someone's lack of a moral compass difficult unless there is a pattern of questionable personal behavior. A pattern of questionable personal lifestyle choices – in areas such as spending or salacious conduct, for example – can indicate an individual's willingness to lie or otherwise demonstrate a lack of scruples. As much as corporations would like to maintain a separation between the personal and professional lives of their employees, the two are linked when it comes to unethical actions on the business front.

2. Troubling friends, family, and relationships. As Warren Buffett has observed, “There's seldom just one cockroach in the kitchen.” Trouble tends to attract trouble. For assistance with committing crime, fraudsters often look for people who share the same social background or ambitions or are gullible and easily manipulated. Scott Green in his 2005 book Sarbanes-Oxley and the Board of Directors: Techniques and Best Practices for Corporate Governance noted, “Those who are willing to commit fraud recruit from the corporate employee pool weak or needy personalities and go to lengths to reward and protect them.”

3. Deception. In our experience, fraud is not about obstruction; it is about deception. Deception and cover-up are the hallmarks of white-collar crime. White-collar criminals know that people live on the hope of a better financial future, and their goal is to feed people's hope with spin and lies. The white-collar criminal hopes that no one will verify what he says. Even if people do attempt to verify the criminal's information, their skepticism about his answers might be offset by their high level of comfort with him – so they accept deceptive answers as factual.

Some warning signs include individuals avoiding face-to-face conversations or overly relying on e-mail or other electronic ways to communicate – they might be shy, or they might be trying to hide dishonest behavior by maintaining distance. Alternatively, individuals might use a disarming personality to prevent others from detecting shady activities. Their charm can draw in the listener and lead to trust. A 2010 working paper by the Rock Center for Corporate Governance at Stanford University found that words contain clues to deception. Researchers studied the words of executives at companies that later had to restate earnings, a frequent occurrence after fraud detection. Identifying some key indicators of deception, the researchers found that lying executives tend to:

disavow ownership by using words like "the company" or "the team" when they talk about their company. They avoid saying "I."

emphasize extreme positive emotions, using words such as "fantastic" instead of merely "good" or "solid" to mask a mediocre underlying performance.

answer questions indirectly with short, prepared statements to deal quickly with areas of deceit and then redirect conversation.

4. Arrogance. After an interview with the incarcerated former CEO of Enron, Jeffrey Skilling, Dr. Archelle Georgiou summed up the man in a 2010 Fortune magazine article: “Was he arrogant? Yes. But that's not a surprise. After all, arrogance springs from the same well of confidence that led him to the big chair at Enron.” To perpetrate fraud, an individual needs the confidence to pull it off. When that confidence and pride approach true arrogance, it might indicate an employee has what it takes to commit a crime. Excessive arrogance – an attitude of superiority and entitlement on the part of an employee who believes that corporate policies and procedures simply do not personally apply – should be checked and redirected.

5. Cleverness and creativity. Businesses commonly seek out clever and creative people. These same traits, though, have long been associated with dishonesty and unethical behavior. The link between creativity and moral laxness was the subject of a recent working paper released by Harvard Business School, which found that creativity might be a predictor of dishonest behavior. The authors concluded that creative people are motivated to think outside the box and are well-suited to change – two characteristics that also allow them to reinterpret their behavior and rationalize their moral transgressions. Thus, having on the payroll smart, savvy, and creative individuals with widespread access to corporate information can compound the risk of fraud. While companies need highly creative people, appropriate controls must be in place to keep creativity flowing in a positive direction.

Source: Jonathan Marks, Crowe Horwath.

Some examples of minor issues that could be masking huge compliance violations might be surprising. Never taking vacations could be an indication that a person is perpetrating a fraud and doesn't want to leave the office for fear the scam will be uncovered, Sizemore says. If a non-compliance issue arises where a person personally benefits from something in a small way, that could also be a warning sign. “I heard of a case just recently where a person in an organization was ordering a lot of a particular type of supplies. When the company went in to ask about it, the person immediately broke down and said, ‘OK, I've been buying these through the company and selling them on eBay,’” Sizemore says.

In addition, compliance officers should be more aware of how quickly new frauds evolve, says Dan Stone, an accounting professor at the University of Kentucky. “There is no more classic example of evolution than in fraud,” he says. “Some of these frauds run for a period of weeks, and then the fraud changes up. It's the only way; if you're going to make a living as a fraudster, you have to constantly change the scam, because otherwise you get caught.”

Conducting Interviews

Law-enforcement techniques can be immeasurably useful to corporate anti-fraud investigators as well. “There's a lot of critical information that can be gleaned from doing the face-to-face interviews,” says Jonathan Marks, the fraud, ethics, and anti-corruption practice leader at audit firm Crowe Horwath. “Forensic accounting or auditing is much like detective work and every good detective desires to look his witness and suspects in the eye.”

Those interviews also yield a better understanding of the operations and the culture that exists within an organization, Marks says. For example, companies often will have employees sign off on a code of conduct or a policy; to make that process more robust, compliance officers should ask employees how they came to their answers. “The questions I usually ask are: Is this purely a paper exercise? What else is being done? Who is reviewing sign-offs? Is anybody going back to these people and asking them some tough questions?” he says. “Generally, the answer was, ‘No.’”

Follow-up of suspicious activity might be avoided for several reasons, Marks says. “Sometimes people are afraid of what they might find if they ask,” he says. “Sometimes it's just pure ignorance.”

Marks also argues for “testing the defense”—that is, playing the role of a potential fraudster to see what you could get away with. “Then you'll generally find the weaknesses in those controls, which, in most cases, will guide you down the same path taken by the suspected perpetrators,” he says.

Interviews alone are usually not enough. Analysis of bank statement reconciliations, scrutiny of all vendor contracts and payments, a review of tax returns, or a review of public records can each be a valuable part of the process. “If compliance officers don't have the necessary skill-set, they need to surround themselves with the people that do,” Marks says. “That may mean utilizing things that are right in front of them, like internal audit. A lot of big companies have a pretty robust internal audit shop that is able to help with some of these things.”