Corporate Resiliency - Toby J. Bishop - E-Book

Corporate Resiliency E-Book

Toby J. Bishop

Description

Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption is written for members of boards of directors and audit committees, senior executives, those who advise or report to them, and those responsible for managing fraud and corruption risks. It describes in plain English terms a proactive fraud and corruption risk management process that can enhance corporate resiliency. The authors provide practical insights and highlight traps to avoid. Quotes from their interviews of business executives provide international perspectives regarding changes in fraud and corruption risks and techniques companies are adopting to deal with them.


Page count: 311

Year of publication: 2009




Table of Contents
Title Page
Copyright Page
Foreword
Preface
Acknowledgements
Introduction
Talk is cheap, fraud is not
Economy down; fraud up?
What you don’t know can hurt you
Risk comes at you faster every day
Manage different categories of risk differently
“Mind the gap”
Technology is a tool—use it (wisely)
Who’s on first?
PART I - FRAUD AND CORRUPTION TODAY
CHAPTER 1 - Can We Eliminate Fraud and Corruption?
Not a pretty picture
Focusing on the larger picture
Potential for catastrophe
Why now?
Resiliency as a corporate goal
CHAPTER 2 - The Growing Risk of Fraud and Corruption
Why should my company be especially concerned about fraud and corruption now?
Local problems, global pain
Awareness is crucial
Common sense and observable reality
Tailoring efforts to avert damage
CHAPTER 3 - The Costs of Fraud and Corruption
Higher stakes
Casting a shadow on the future
Cost and availability of capital
Bad news travels even faster than before
Don’t expect a slap on the wrist
PART 2 - ON BECOMING RESILIENT: STRATEGIES FOR AVOIDING AND MINIMIZING THE ...
CHAPTER 4 - Building a Resilient Corporation
What determines survivability?
Reducing vulnerability
Traits of a resilient corporation
Three key characteristics of resiliency
Why resiliency is achievable
Learn from the experience of others
What are the benefits of fraud and corruption risk management?
Five principles of fraud risk management
The first line of defense
How can companies use the new guidance?
Building resiliency by enhancing fraud and corruption risk management
Corporate resiliency self-assessment tool
CHAPTER 5 - Fraud and Corruption Risk Assessment
Behind the facade
What is a fraud and corruption risk assessment?
How important is a good fraud and corruption risk assessment?
Implementing fraud and corruption risk assessments
Risk assessment reports: the good, the bad, and the invisible
Four quadrants; four risk management strategies
Questions to ask about your fraud and corruption risk assessment
CHAPTER 6 - Company-wide Anti-Fraud Controls: The Role of the Control ...
Creating an anti-fraud control environment
What exactly is a control environment and why is it important?
Tone at the top
The control environment as a bulwark
The control environment and governance
Put it in writing
Setting the tone
Internal audit’s role
Measuring tone at the top
Written code of ethics/conduct
Why is a code important?
Excerpts from Deloitte Code of Ethics and Professional Conduct
How does management create a successful code of ethics/conduct?
Ethics training for all employees—including management
Hotlines, helplines and whistle-blower programs
The role of human resources—employee selection and discipline
Other general strategies of which fraud risk management is a component
Enterprise risk management
Fundamentals of ERM
Achieving risk intelligence
Fundamentals of GRC
Complicated, but worth the effort
Integrated versus nonintegrated GRC
Survey results show desire for integrated GRC
Key attributes of companies with robust GRC strategies
PACI, anti-corruption, and the control environment
CHAPTER 7 - Preventive Controls: Particular Fraud and Corruption Avoidance ...
Getting down to brass tacks
Confronting fraud and corruption risks
Background checks and enhanced due diligence
Automation can be essential
Preventive controls and three broad categories of risk
Monitoring and evaluating preventive controls
Continuous controls monitoring
Correcting deficiencies
The roles of ERM and GRC
CHAPTER 8 - Detective Controls and Transaction Monitoring
The importance of monitoring and detection
Monitoring and detection tactics
Whistle-blower hotlines
Risk-based internal audits as a fraud detection tactic
Manual monitoring
Technology-based detection tactics
Examples of fraud detection using data interrogation techniques
Continuous fraud monitoring
Is CFM for everyone?
The importance of lookbacks as a control check
Questions to ask about monitoring and detection
CHAPTER 9 - Preparing for Fraud and Corruption Investigations and Remediation
Be prepared
An ounce of planning . . .
What to do when regulators come knocking . . .
Evaluating the allegation
Assembling the right investigation team
When to call for help
Establishing investigation protocols up front
Collecting and preserving crucial data
Newer challenges, newer technologies
Communication—enough but not too much
The benefits of a case management system
Remediation—getting more value from investigations
CHAPTER 10 - The Players’ Roles (Including Yours)
New rules, new responsibilities
The value of a cross-functional committee
The role of the compliance officer
Fraud and corruption risk management is everyone’s business
Conclusion: What the Future May Hold
Good fraud and corruption risk assessment is crucial
Embracing new roles and responsibilities
Measuring performance
We won’t predict the future, but . . .
Take your first steps now
Afterword
Appendix: Examples of Fraud Risk Factors
Recommended Reading
References
Disclosure
About the Authors
Index
Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Bishop, Toby J.
Corporate resiliency : managing the growing risk of fraud and corruption / Toby J. Bishop, Frank E. Hydoski. p. cm.
Includes bibliographical references and index.
eISBN : 978-0-470-48085-4
1. Fraud. 2. Corruption. 3. Risk management. I. Hydoski, Frank E.
II. Title.
HV6691.B476 2009
658.4’73—dc22
2008052097
Foreword
This book is for those of you who participate in corporate governance and management, and are grappling with your organization’s need to manage fraud and corruption risk in your operations and strategic planning. It is for those of you who do not have the time, and whose companies do not have the resources, to spend on investigating and defending major fraud or corruption incidents in your organization.
If you hold, or have held, any senior role in corporate management or governance, you may already understand that you are doing so at a time when scrutiny of your role and the expectation that your organization will operate transparently and ethically have never been higher. The world’s economy and markets, steadily shrinking, have never provided so little in the way of resources or revenue to do so. And these circumstances have only increased political and public intolerance of corporate misfeasance and mismanagement, especially in the areas of fraud and corruption.
Add to this a revolution in global enforcement and regulation, which now follows commerce across borders with lightning speed. Ten years ago, it would have taken months for local or national prosecutors to obtain the attention, much less the assistance, of colleagues on another continent. But in the beginning of this century the war on terrorism required instant international communication among law enforcement agencies, and corporate investigations and prosecutions rapidly adopted these practices. By 2006, when the investigation of the United Nations Oil-for-Food Programme had been completed, prosecutors and regulators from dozens of countries were regularly meeting to sort out dozens of corruption cases.
The time needed to investigate a single cross-border matter has now shrunk from years to weeks. Simultaneous raids of corporate offices in multiple countries are no longer unusual events. Multiple fines and sanctions, levied on a single company, regularly exceed hundreds of millions of dollars and can wipe out a year’s worth of profits with the swipe of a pen.
You may have already witnessed first hand the cost of the investigation and defense of a fraud or corruption incident in your organization. The costs often rival the fines your organization hoped to avoid. Some employees, officers, or board members may have been held personally responsible. And you and your colleagues may have already realized that something far less costly could have been done to avoid this, if the organization had been sensitive to the risks that your company faced.
In this book, Toby Bishop and Frank Hydoski distill for senior managers and board members their experience in the most effective ways in which businesses can build and develop strong fraud and corruption risk management strategies. The authors, who have conducted investigations and evaluations of hundreds of organizations, are recognized as leading authorities in fraud risk management and innovators in forensic accounting and risk management practices. Toby co-authored the Institute of Internal Auditors/AICPA/ACFE 2008 paper, Managing the Business Risk of Fraud. Frank has led two of the largest international investigations of fraud and corruption, the investigations of the Holocaust-era accounts held by Swiss banks and of the United Nations Oil-for-Food Programme. He was instrumental in formulating recommendations on UN operations following the latter.
In keeping with their reputations, the authors of Corporate Resiliency provide a new approach born from their extensive insight and common sense. The traditional, reactive view of corporate fraud and corruption risk management is often that of the media, prosecutors, regulators, and legislators who arrived at the scene of the crimes, or sometime afterward. To be useful, these stories need to be rewound to find the circumstances that led up to them, and then fast-forwarded to test the processes a company put in place after the fact to see if the processes actually reduce the risk of these incidents occurring. Bishop and Hydoski employ a deliberate review of this cycle to demonstrate the value of developing corporate resiliency through the ability of a corporation to prevent, detect, investigate, and remediate these risks, and to test and adjust risk management systems to account for the constantly changing signature of these risks. What the authors demonstrate is that this is not guesswork, but a strategy that can be successfully applied by you and your company and that can reap real bottom-line benefits for the organization.
Corporate Resiliency offers managers and directors a holistic approach to the management of fraud and corruption risk that speaks to the same measures of productivity and profitability used in more conventional business processes. It walks the reader through the relationships among the board of directors, the audit committee, senior management and staff in the process of fraud risk management, with a clear eye toward the intent and direction of fast-changing legislation and regulatory guidance.
It makes clear the value of the continuous development of a comprehensive, self-evaluating fraud and corruption risk management program that operates with and through existing business processes and that is championed by the board and management. It outlines the essential role of the internal audit function in the regular assessment of compliance programs, the risk of management override of corporate controls, and the monitoring of fraud and corruption risk programs.
It points out, tellingly, that courts and government regulators faced with instances of corruption and fraud will not simply focus on whether a company has a process to manage that risk, but on the effectiveness of the process and on how well tended it is by the corporation’s board, management, and risk professionals.
Continuous, self-evaluative risk management processes are not new, but Corporate Resiliency is one of the few works that explains the essentials of this risk management structure, and in doing so makes it obvious that today’s directors and managers ignore the management of fraud and corruption risks at their own peril.
Mark G. Califano
Head of Litigation
GE Capital Finance
Preface
A recent article in the Wall Street Journal carried the headline, “U.S., Other Nations Step Up Bribery Battle.” Only a few weeks earlier, an article titled “Guilty Plea to Bribery Sets Legal Landmark” ran in the Financial Times. About a year before those articles were published, CFO.com ran an article with the title, “Count ’Em: 63 CFOs Convicted in Past Five Years.”
These are only three data points among thousands demonstrating the global trend toward stricter enforcement of anti-fraud and anti-corruption laws. Investigations are increasing, prosecutors are getting tougher, fines are becoming heavier, settlements more expensive, and violators are going to jail with far greater frequency than in the past.
Tolerance of bribery as an accepted business practice is diminishing rapidly as more countries acknowledge the tremendous downside risks of corruption and the fraud that almost always accompanies it.
The Sarbanes-Oxley Act (“Sarbanes-Oxley”), the Patriot Act, and the U.S. Foreign Corrupt Practices Act have armed U.S. prosecutors with a formidable arsenal of legal weapons. New support from the global community has boosted U.S. efforts, greatly extending the power and reach of numerous governmental agencies tasked with combating fraud and corruption.
At the same time, there are no indications that attempts to perpetrate acts of fraud and corruption are abating. If anything, the creativity and willfulness of people involved in fraud and corruption seems inexhaustible. “What every senior executive needs to know about anti-fraud strategy is that you’re never going to be able to plug all the holes in your organization,” says Elizabeth Truelove McDermott, director of internal audit at DeVry Inc. “There’s always going to be somebody that finds a hole that no one knew was there.”
Like time and tide, fraud and corruption are apparently perpetual phenomena. That doesn’t mean that we excuse them or accept them. It means that we need to develop better systems and strategies for dealing with them. It means that we need to acknowledge that the piecemeal, shotgun approaches often relied on in the past to reduce fraud and corruption are unlikely to be effective in today’s environment.
The revelation in December 2008 of an alleged $50 billion fraud at Bernard Madoff Investment Securities seems strong evidence of that, especially since the alleged fraud was reportedly simply a classic Ponzi scheme and yet it apparently deceived some substantial investors.
Some readers, no doubt, will argue that programs and techniques for combating fraud and corruption have advanced markedly since the passage of Sarbanes-Oxley in 2002. To some extent, they are correct.
For example, corporate governance is no longer a phrase bandied about largely by academics. New technologies make it possible to automate some anti-fraud controls on a truly global scale. Cross-functional, enterprise-wide approaches to managing fraud risks have become more common across the corporate landscape. It is increasingly rare to find a large company that does not have a written code of ethics and conduct.
Despite these real gains—or perhaps because of them—we believe that many organizations may have developed a false sense of security. They may have been lulled into believing that by “checking the boxes,” they have somehow eliminated or greatly reduced the chances that fraud or corruption will happen to them.
For example, Sarbanes-Oxley requires publicly held companies to have a confidential reporting mechanism, such as a whistleblower hotline. It is a key control, especially for dealing with the management override of controls that is a common feature in many of the largest corporate frauds. Yet at some companies, the hotline is underused compared with industry averages. Does that mean there is no fraud or corruption at those companies?
Well, it can mean that. Or it can mean that employees are not aware of the hotline, or that for a variety of cultural reasons, they are afraid to use it. Or maybe the hotline is not getting any calls because it is available only from 9 A.M. to 5 P.M. and employees do not want to be overheard calling from their cubicle. Or perhaps the hotline is only operated in English, creating obstacles for employees who speak other languages.
“When you peel back the layers of the onion, you find all kinds of reasons why people are not using the whistle-blower hotline,” notes our colleague Donna Epps. “Just because you have a hotline set up does not mean it is working effectively.”
The illusion of security may be amplified by a general lack of transparency and the absence of strong, universal standards that might enable organizations to accurately measure the effectiveness of their anti-fraud efforts. As Donna puts it, “There really has not been a detailed framework for comparing anti-fraud programs, and as a result, there has been a real diversity of practice—not all of it good.”
The wide range of practices, the absence of explicit standards, the dizzying array of fraud and corruption schemes, in addition to the speed with which new schemes arise make it tempting for some organizations to view compliance as an acceptable end-point. After all, they might reason, if it is impossible to eradicate fraud and corruption entirely, why take the trouble to go beyond the required minimums?
In some instances, no doubt, achieving a state of regulatory compliance might be considered to be an adequate defense against many types of fraud and corruption risks. But for the vast majority of organizations, merely complying with the existing regulations will not be enough to mitigate the risks posed by fraud and corruption.
If you are really serious about effectively managing the risks of fraud and corruption, we recommend that you take a business approach and focus more on performance and effectiveness rather than just compliance. You will also need a better strategy.
Under the umbrella of this better strategy, you would identify your key fraud and corruption risks and implement processes to manage each of those key risks. Different risks may be best dealt with using different tactics, but your approach would be coordinated, efficient, and transparent to those charged with governance. It would involve many people and become a part of everyone’s responsibility. It would require new kinds of thinking, along with more effective involvement of senior management.
As we will show in this book, the downside risks of fraud and corruption more than justify the efforts required to develop a workable fraud risk management strategy. We will build a case for managing fraud and corruption risks on a strategic level. We will show you how fraud and corruption have become too expensive and too dangerous to manage the old way.
When management books describe the characteristics of successful companies, they tend to use words and phrases such as innovative, customer-centric, first-to-market, disruptive, world-class, and ultracompetitive. We would like to add a word to that list. The word is resilient.
We believe that in the 21st century global economy, organizations need to be more than smart, sharp, and fast. They also need to be resilient in regard to the risks of fraud and corruption. Companies can achieve resiliency by identifying the risks they face and developing strategies for managing those risks effectively.
We honestly do not think that you can count on being successful for very long without being resilient. That is the basic premise of this book.
The views expressed in this publication are solely those of the authors and not necessarily those of Deloitte Financial Advisory Services LLP. We hope you will nevertheless find useful the observations and insights we offer. As used in this book, “we,” “our” and “us” refer to the authors. We would be happy to receive your feedback and suggestions for enhancements to this book. We can be contacted through the Deloitte Forensic Center at www.deloitte.com/forensiccenter.
—Toby J.F. Bishop and Frank E. Hydoski
Acknowledgments
Although this book reflects our years of collective experience in forensic accounting and forensic technology, we could not have written it without tapping into the knowledge, insight, and wisdom of many colleagues, clients, and friends. To them we are indebted deeply. We thank them sincerely for their time, their energy, their support, and their patience.
We are especially thankful for the support and guidance provided to us by Frank Piantidosi, Chief Executive Officer, Deloitte North American Financial Advisory LLC.
Over the course of researching and writing this book, we benefited greatly from the assistance of many wonderful clients and friends, including those quoted in this book: Martin Biegelman, Nancy Zucker Boswell, Dr. Olivier Brasseur, Mark Califano, Bill Coleman, Barry Goldsmith, Hugh Hooker, Gavin Ingram, Christian Kammer, Paul Lucas, Elizabeth Truelove McDermott, Mike Novosel, Ed Rosenberg, Duleep Thomas, Paul Volcker, and Joseph Wells.
As Isaac Newton famously remarked, “If I have seen further it is by standing on the shoulders of Giants.” With that thought in mind, we thank all of our colleagues at Deloitte who have been key to helping us shape and write this book, particularly Mohammed Ahmed, who provided insightful assistance to us throughout. We would not have been able to write Corporate Resiliency without the participation and cooperation of all our colleagues.
We owe special thanks to our Deloitte Forensic Center colleagues Kimberley Davis, Beth de Turo, Jo Ann Hernandez, Reena Panchal, Shaunna Randolph, Edward vanEckert, and Christopher Wharton. Their unflagging efforts were critical to the successful completion of the project.
We also specially thank Mike Barlow, who helped guide the writing process and who shared his editorial expertise with us throughout the endeavor.
All writers, of course, need many additional pairs of eyes. We were especially fortunate to work with Tim Burgard and Sheck Cho, our editors at John Wiley & Sons, who had faith in the value of our project.
We also thank our spouses, who put up with the anxieties and difficulties projects like this always entail. We hope the result is worth their efforts as well as the efforts of our colleagues noted above.
Introduction
This book is written expressly for executives and others responsible for managing fraud and corruption risks in corporations. It is a concise overview of both the challenges posed by fraud and corruption to modern corporations in a global economy and the techniques for addressing them.
In addition to highlighting categories of fraud and corruption risks, we present a brief series of focused operational strategies that can be deployed to manage these risks and reduce the harmful consequences of fraud and corruption when they occur.
It would be naive to assume that any set of strategies, no matter how rigorous or complex, could totally eliminate fraud and corruption. It would be equally foolhardy, and potentially disastrous, to adopt a fatalistic attitude.
Although we believe that fraud and corruption cannot be fully eradicated, we know that some opportunities for committing them can be shut down. We also believe that many companies can do a better job of identifying fraud risks generally and managing them. In addition to preventing some occurrences of fraud, companies can minimize the damaging effects of fraudulent events and curtail their impact on the corporation.
This book uses the concept of resiliency to provide a practical framework for achieving these objectives. Resiliency is the quality of returning to form following stress. With respect to fraud and corruption, we believe resiliency means a combination of avoiding problems through appropriate planning and risk management, reducing vulnerabilities such as by using early warning systems, and limiting impact by establishing processes that help effect a quick return to business. We suggest that the appropriate goal of companies is the adoption of policies and processes that lead to resiliency in regard to the risks of fraud and corruption.

Talk is cheap, fraud is not

When we think of corporate fraud, we tend to think of the cases that are currently making headlines and those that arose within the past several years. It is likely that the ones you have heard about are the tip of the iceberg. Data analyzed by government agencies such as the U.S. Securities and Exchange Commission (SEC) and professional organizations such as the Association of Certified Fraud Examiners (ACFE) reveals that fraud drains billions of dollars from the economy each year.
In addition to reducing profits, fraud can lead to a host of other negative consequences, including losses of reputation, customer support, access to capital, brand power, market position, competitive advantage, momentum, innovation, and talent. The same, of course, can be said about corruption.
In today’s highly leveraged global economy, major fraud or corruption can set off a chain reaction resulting in serious corporate harm or failure.

Economy down; fraud up?

Since the “Crash of 2008” led to economic conditions softening dramatically around the globe, fraud risks for businesses appear to be on the rise. A slowing economy may increase pressure on corporate executives to meet performance goals set in rosier times, or to demonstrate that the current executive team should be retained by shareholders. Individual managers may feel a much greater risk of job loss than usual, potentially making them eager to avoid having to report a performance shortfall in their operating unit.
At the same time, employees may be under greater personal financial pressure, whether due to potential foreclosure on their home, the loss of a spouse’s income due to layoffs, or other impacts of the economic downturn.
Add in the possible weakening of internal controls that can inadvertently be caused by corporate layoffs and you have a potent recipe for a potential increase in fraud.
Gavin Ingram, corporate counsel Asia for BlueScope Steel, the leading steel company in Australia and New Zealand, recognizes that the risks of business conduct issues may increase during downturns in the economic cycle. He says, “Tough times are when the organization becomes more susceptible to business conduct issues. This is probably the time we’re at the highest risk of these sorts of issues happening. At such a time it is necessary to remind employees of the importance and expectation around business conduct compliance. People within the company must take an even more active role in reinforcing the message around business conduct.”
We concur. While a simple inverse relationship between economic activity and fraud would be an oversimplification, our experience suggests that we may have entered a new cycle of revelations of fraud that could last for several years.
In early 2008, the UK’s Financial Services Authority published its annual Financial Risk Outlook in which it stated that, “Tighter economic conditions could increase the incidence or discovery of some types of financial crime or lead to firms’ resources being diverted away from tackling financial crime.” With the benefit of hindsight, that looks like prescient guidance.

What you don’t know can hurt you

Managing the risk of fraud and corruption requires an ongoing commitment to acquiring fresh knowledge and putting it to work. Quite often this fresh knowledge must be obtained from outside your company. Organized criminal groups constantly evolve new fraud schemes to part companies from their money. Customer and vendor frauds develop new twists, taking advantage of new technologies.
Entering new markets creates new business opportunities, but also new risks that may be outside your previous experience. You will need a proactive strategy for staying abreast of new fraud risks as they emerge, and a process for sharing critical knowledge across the company as it becomes available.
Ignorance, whether accidental or willful, will not help your company manage the risks of fraud and corruption.

Risk comes at you faster every day

The speed at which fraud risks evolve is accelerating and will likely continue to do so. All we can offer in terms of solace is advice to get used to it and to embrace techniques, which we will describe in this book, to reduce risk and minimize impact.
Thanks to the rapid emergence of global markets, the rise of high-speed digital information technologies, and the ubiquity of the Internet, fraud can now evolve, mutate, and spread with mind-numbing speed. Companies need to be able to adapt with similar speed. Yesterday’s processes may not be agile enough.

Manage different categories of risk differently

Despite their sheer numbers, fraud schemes can be divided into a handful of risk categories based on the degree of threat they represent to your company. Each category can be managed effectively with different strategies, helping companies focus their anti-fraud and anti-corruption resources to mitigate risk efficiently. Simple frameworks can help manage fraud risks across companies, large or small.
This is the key takeaway: Fraud and corruption risks can be better managed, and the practical frameworks for managing fraud risks effectively already exist.

“Mind the gap”

Even the best and most practical strategies for managing fraud risks will not be effective if they are not deployed properly across the company.
Our work has identified a gap in important areas of fraud risk management at many companies. The upside of this gap is that many of these companies have significant opportunities for greatly improving their fraud risk management processes—and achieving advantages over their competitors.
The gap can be a benefit for nimble companies that recognize their fraud risks and develop strategies to deal with them effectively. By the same token, the gap can be a competitive disadvantage for companies that either ignore their fraud risks or fail to deploy rational fraud risk management programs.

Technology is a tool—use it (wisely)

As suggested above, the danger of fraud has been amplified by the ability of fraudsters to leverage modern technologies such as computers and the Internet.
Conversely, the ability of companies to monitor business processes for potential fraud and to respond quickly when fraud events occur has been greatly enhanced by the availability of technologies such as anti-money laundering (AML) software, advanced analytics, and enterprise financial management systems.
Technologies such as these do more than just level the playing field in the fight against fraud—they help companies enforce higher standards of compliance, transparency, and efficiency.
While it would be unwise to rely solely on technology to manage fraud risks, it is fair to say that technology will play a crucial role in your company’s anti-fraud efforts. As an executive, it’s important to understand both the potential benefits of advanced technology, and its inherent limitations.
It is also reasonable to suggest that the critical role of information technology argues in favor of a closer relationship between the chief information officer and the company officers responsible for managing fraud and corruption risks.

Who’s on first?

Whose job is it to prevent fraud and corruption? Ask that question and you might often hear, “Not me,” or “Internal Audit does that.”
But managing these risks effectively requires involvement and commitment from employees, managers, and executives in every part of the company. They are the eyes and ears of the company and are often in the best position to identify potential issues and take action to prevent or quickly put a halt to fraud and corruption. They need to be educated and supported to do this effectively.
In fact, we will argue that managing fraud and corruption risks also requires a level of commitment from partners and allies outside of your company.
As an executive, it is your responsibility to encourage a corporate culture that deals honestly and effectively with fraud risks. In addition to “walking the talk,” you are also expected to designate the appropriate resources, both capital and human, to ensure that fraud risk management strategies are developed, implemented, and accepted across the company.
Designating the right people for key positions and holding them accountable for managing fraud and corruption risks effectively are crucial parts of your role as a top executive. What gets measured gets done, so effective accountability requires good measurement processes, too.
Our goal in writing this book is to support your efforts to help your company achieve a state of resiliency in the face of fraud and corruption, helping it to survive and succeed in the increasingly risky conditions of the 21st century.

Basic reasons for implementing fraud and corruption risk management programs and controls

Corporate benefits
• Greater chance of survival
• Protect shareholder value
• Greater profitability through loss reduction
• Reduced risk of criminal prosecution
• Enhanced organizational reputation
• Reduce management distractions
• Employee recruitment and retention
Individual benefits
• Reduced risk of criminal prosecution
• Enhanced personal reputation
• Greater career opportunity
• More attractive workplace
• Reduced risk of job loss
Harmful impacts of fraud and corruption
• Potential criminal prosecution or reputations destroyed for people involved
• Direct financial impact (e.g., fraud losses, cost of investigations, civil lawsuits)
• Indirect costs (e.g., loss of customers, management distraction, loss of business opportunities, diminished brand value)
• Negative public relations (e.g., reputation, brand image)
• Decline in share price
• Decrease in corporate governance ratings
• Impact on recruitment and retention of talented employees

PART I - FRAUD AND CORRUPTION TODAY

CHAPTER 1 - Can We Eliminate Fraud and Corruption?

Key points:
• Fraud itself cannot be eradicated, but fraud and corruption risks can be managed like other business risks.
• Fraud and corruption risk management strategies can help companies avoid some frauds and help them reduce the impact of frauds that occur.
• Resilient corporations focus more on strategies, not tactics, for managing fraud and corruption risks intelligently.
• In today’s more brittle economy, fraud and corruption can more easily set off a chain of events resulting in significant loss for the companies affected.

Not a pretty picture

It is quite likely that fraud has existed in one form or another since the earliest days of organized societies. Despite the fact that it is illegal in most countries, despite the vigorous enforcement of antifraud laws in many countries, despite corporate self-policing, and despite significant attempts in many companies to create more ethical cultures, fraud continues to be an inevitable and unpleasant component of modern life.
Duleep Thomas, former senior vice president and general auditor at Wyndham Worldwide Corporation, describes this harsh reality this way, “Senior management needs to acknowledge that fraud can occur anywhere, at any time, and at any company. It is not okay to say, ‘We operate in an environment of trust.’ Once you accept this reality, then you need to understand where fraud could be perpetrated—both internally and externally—with respect to the business.”
In general, fraud means taking financial advantage of another party through deception. Frauds affecting companies, the subject of this book, take a variety of forms. They can be threats from outside and carried out by members of the public. For example, they can be false claims made to a medical insurer, in which claims are made for injuries or ailments that the claimant does not suffer. They can also be threats from within and carried out by employees. An example of this would be procurement or vendor fraud, in which an employee sets up a false vendor in the company’s accounts payable, then submits bills for goods or services, and collects payments in an account controlled by the employee.
One of the most dangerous forms of fraud for a company occurs when the fraud is committed in the name of the company. Examples are misleading claims about products, offering returns on investment that can never be realized, or false financial statements designed to mislead analysts and investors.
Fraud prevention remains an imperfect art for most companies, with less than perfect results. Fraud in the corporate world, therefore, seems an inevitable fact. This is the result of several factors. First, we need to accept the reality that some people will resort to deception if they see an opening. Second, and building on this psychological fact, we need to recognize the lag in time between when schemes are invented and applied, and when they are detected and placed into the knowledge base that fraud prevention techniques rest on.
Third, there is also the difference between what is generally known about fraud schemes and prevention techniques, on the one hand, and what is known and practiced by a particular company, on the other. To stop the fraud schemes that are generally known requires that companies learn about them, evaluate the risks they pose, and diligently apply lessons learned.
The creativity of those who commit fraud seems inexhaustible. As a result, fraud itself can seem more like a disease than a simple criminal phenomenon. Its tendency to mutate suggests a cancer-like quality. Its ability to mask or change its appearance suggests some sort of predatory virus.
However, as we learn about fraud schemes and their characteristics, we can act to prevent them. A significant part of this book is devoted to strategies for applying knowledge about fraud in order to try to prevent it, and certainly to detect and limit the effects of schemes.