Editor: Rich, what kinds of corporate fraud and misconduct are most prevalent in your experience at KPMG, considering we're coming off one of the worst economic slumps in memory?
Girgenti: Corporate fraud and misconduct have evolved over the last decade. Going back to 2000 and 2001, we were plagued with a rash of financial reporting crimes, followed by major reforms embodied in the Sarbanes-Oxley Act and the amended Sentencing Guidelines. In light of these reforms, the story for the first decade of the 21st century might have been one of weathering a crisis.
However, in 2008-2009, the financial crisis hit. Even with all of the reforms before and during the current economic slump, we continued to experience major forms of corporate misconduct and fraud. However, the more recent episodes are somewhat different than what we had seen in the earlier part of the last decade.
With the economic crisis came the unraveling of a number of fairly infamous Ponzi schemes, including Stanford and Madoff. In 2009, the number of Ponzi schemes revealed was nearly four times the number uncovered in 2008.
We also saw a spike in mortgage fraud reports in the first quarter of this year. Much of this relates to misconduct that occurred in the origination of many of the mortgages that led to the financial crisis. At the same time, we are seeing a marked increase in reports of misconduct related to foreclosures that were triggered by the earlier misconduct around mortgage origination. The Treasury Department's Financial Crimes Enforcement Network reported that the number of suspicious mortgage activities reports grew 31 percent.
There are many other events that have also put fraud and misconduct front and center. The federal government and nations across the globe have taken a much harder look at the issues of anti-bribery and corruption. In the last five to six years, we've seen unprecedented numbers of investigations, settlements and fines triggered by enforcement of the Foreign Corrupt Practices Act (FCPA). And, other countries have jumped in. With the adoption of the UK Bribery Act, which took effect on July 1, for example, the United Kingdom has implemented legislation that is even more sweeping than the FCPA in that it covers commercial bribery of private individuals as well as the bribery of public officials.
The spotlight is also on fraud and misconduct relating to healthcare. Much of the record spending on healthcare is related to reimbursement for Medicare and Medicaid. With recent healthcare reform legislation, the U.S. government is now focusing more intensely on controlling healthcare costs.
Fraud and other misconduct make up a big piece of that cost. It has been estimated that the federal government loses between $45 billion and $75 billion each year as a result of healthcare fraud. In 2009, the federal government recovered $2.5 billion from healthcare fraud cases. With increased funding for enforcement in 2010, investigations into healthcare fraud resulted in record recoveries of approximately $4 billion, of which more than half related to False Claims Act matters.
Recently, the federal government has made it clear that investment fraud is another major area of focus for enforcement. The administration has created the Financial Fraud Enforcement Task Force, and the SEC and Department of Justice have focused on trading on the basis of inside information, particularly by hedge funds. In fiscal year 2010, the SEC's Division of Enforcement brought 53 insider trading cases, up from 37 cases the prior year. The recent prosecution of Raj Rajaratnam was evidence of the government's focus and intent. What was also remarkable about this case were the techniques that the government employed, including surveillance and wiretaps, techniques that were once limited to organized crime and terrorist cases.
In this second decade of the 21st century, crime, misconduct and corporate fraud remain front and center issues for most organizations. The types of fraud and misconduct that we're seeing continue to evolve. In this second decade, cybercrime will be one of the areas that will receive increasing attention. Companies are very concerned about protecting the security of their data and making sure that they are living up to their privacy obligations.
Editor: What can companies do to help prevent and detect misconduct within their organizations?
Girgenti: Organizations must think in terms of taking a comprehensive and proactive approach. Trying to respond on an individual-case basis or waiting for a problem to occur first is a prescription for trouble. Companies need to have in place compliance programs that go beyond a check-the-box approach. They must create a culture of integrity within the organization while at the same time putting in place processes and controls to respond to fraud and misconduct, as well as to prevent and detect such activities.
Moreover, many organizations have not adequately assessed the risk of fraud or misconduct affecting their organizations. As a result, they have not designed and implemented the controls and processes they need to prevent and detect fraud and misconduct. Unfortunately, too often they lack the understanding about how to investigate misconduct and how to remediate its effects. Those involved in the investigation also need to be disciplined to follow established protocols set up as part of their investigative framework.
Editor: When you find there has been fraud or misconduct, how can companies best respond to it?
Girgenti: Like any emergency or crisis situation, your response will be better if you're prepared for it. Therefore, organizations should establish protocols ahead of time and define roles and responsibilities within the organization. They should have a process to quickly identify reports of fraud or misconduct that need more investigation. Being able to effectively sort those situations out as soon as fraud or misconduct surface is essential. It is important to vet and train your investigative resources to ensure consistency. A quick, disciplined response is essential to limiting operational and reputational risks, and potentially also mitigating governmental sanctions.
It is also important to know when and whom you need to bring in from outside the company to assist with an internal investigation. Invariably, these outside resources will include law firms, accounting and investigative firms, as well as public relations and crisis management support.
The costs of investigations and of responding to litigation and governmental inquiries are very high. It is essential to know when and what to disclose to the government to ensure that the organization is cooperating to solve the problem, rather than being viewed as impeding government efforts to get to the heart of the matter. Hence, transparency and disclosure are important considerations as part of any investigation. An ineffective investigation that failed to uncover a problem or the full extent of the problem can hurt a company even more than the original allegation. Take a Foreign Corrupt Practices Act investigation, for example. If it was found that there were some issues in one part of the world, it would be remiss on the part of a company not to consider if there are similar problems in other parts of the world and in other divisions of the company.
Editor: What are the challenges that organizations face today that make dealing with the risk of fraud and misconduct more difficult?
Girgenti: Business leaders will tell you that managing the complexity of their businesses is a major challenge. With globalization, a corporate headquarters could be almost anywhere in the world. Customers, suppliers, manufacturing plants or other facilities may be scattered throughout the globe. Companies not only need to manage the risk of fraud and misconduct in the United States, but in emerging markets and third world countries.
Another source of complexity is the proliferation of new regulations and enforcement mechanisms. The Dodd-Frank whistleblower provisions are a good example. Companies need to constantly evaluate the adequacy of their compliance programs. Do they have robust enough systems so that they have some degree of confidence that people within their organizations who see fraud or misconduct will report what they observe through the internal compliance mechanisms? If not, whistleblowers will be encouraged to go directly to the government without giving the organization an opportunity to correct the problem first.
Organizations involved in litigation, an investigation or a government enforcement action will need to have hold and preservation policies in place and be able to retrieve all relevant documents, including electronically stored information. Organizations need to be proactive about finding ways to respond to such requirements.
A well-thought-out compliance plan, therefore, serves as a roadmap not only in preventing and detecting misconduct, but also in ensuring that appropriate actions are taken when the inevitable misconduct occurs.
Editor: What functions within an organization are particularly important in assuring compliance?
Girgenti: Each part of an organization has an important role to play in helping manage fraud and misconduct. They all have to be integrated and work in conjunction with each other to get the most effective response.
Boards of directors have the overall authority and responsibility to be knowledgeable about the content and operation of a compliance and ethics program. They must exercise reasonable oversight as contemplated by the most recent amendments to the Federal Sentencing Guidelines.
Top management has an important responsibility in that high-level personnel must ensure that an organization has an effective compliance program and that the proper tone is set within an organization.
Today, organizations have risk committees and compliance departments. These functions must be able to look across an enterprise to ensure that they're doing all that they can to identify key risks. Internal audit also plays an important role in monitoring the effectiveness of compliance programs and ferreting out fraud and misconduct.
The general counsel and legal department play a vital role in an organization's compliance program. The general counsel and members of legal departments are often found today as key participants on risk and compliance committees. Because of their ongoing close relationship with all levels of management, they are able to provide valuable legal advice to ensure that management is addressing the right issues. The general counsel's office can also conduct legal risk assessments, provide updates on relevant laws and regulations to the appropriate compliance staff, ensure the legal content of compliance training and communications, and coordinate internal investigations. Counsel will also assist in the critical decision of if and when to make voluntary disclosure to the government.
While the general counsel sits as a member of the management team, in many ways, his or her responsibilities are a bit different since the general counsel has a fiduciary responsibility to shareholders and often needs to report to the board in order to discharge those duties. Therefore, the role of general counsel is indispensable in an organization's compliance program.
Editor: You are the author with KPMG Partner Tim Hedley of Managing the Risk of Fraud and Misconduct - Meeting the Challenges of a Global, Regulated, and Digital Environment. It delves in great depth into the issues and provides sage advice. Based on my experience, the book should be required reading for every general counsel and most corporate counsel. Congratulations. The book has just been published by McGraw-Hill, and is being sold on Amazon.com and Barnes & Noble.com. Please visit these sites to purchase the book.