Fraud Risk Management: Best Practices For Building An Integrated Strategy

Thursday, April 17, 2014 - 12:11

The Editor interviews Richard H. Girgenti, National Forensic Practice Leader, and Timothy P. Hedley, Fraud Risk Management Network Leader, both of KPMG Forensic, about the KPMG white paper “Fraud Risk Management,” which draws in part from the KPMG Integrity Survey.

Editor: You mention in your white paper that there appears to be a convergence of regulations across international jurisdictions. Would you elaborate on this? How might this context ultimately help boards and senior management move beyond check-the-box compliance?

Girgenti: In an effort to address a variety of forms of financial crimes and misconduct, what we’ve seen over the last 10 to 15 years is that the laws and regulations of countries particularly outside of the United States have increased dramatically and that the appetite for enforcement and the cooperation amongst global enforcement authorities has similarly increased. As a result, our clients are more often than not doing business in an ever-expanding number of jurisdictions where they face a myriad of laws, regulations and enforcement.

Hedley: Although these laws and regulations are addressed to similar problems, they do not set the same expectations for our clients, and none is very prescriptive. As a result, a checklist, one-size-fits-all approach generally will not work well. Companies will need to adopt a comprehensive, integrated approach that takes into account all applicable control criteria. For example, under the Foreign Corrupt Practices Act, there is consideration for facilitating payments, whereas under the UK Bribery Act, there is no exemption for facilitating payments. So, if you have a compliance program designed to comply with the Foreign Corrupt Practices Act, you could run afoul of the UK Bribery Act.

Editor: How meaningful to employees is the tone at the top among C-suite and senior management? How would you characterize their attitude toward compliance, based on the results of the KPMG Integrity Survey?

Girgenti: It is clearly imperative for top executives to set the ethical tone for their organizations. In addition, it’s critical that the board, in fulfilling its responsibilities, has oversight and ensures that the right tone is being set by the chief executive and other C-level officers. It’s crucial that senior management be knowledgeable about ethical issues and approachable if employees or middle management has questions or concerns. However, I should emphasize that the tone at the top is not the only thing that’s critical. You need to have the right tone at the middle and, in particular, at the bottom – among your frontline, grassroots employees who work for and look to their supervisors and middle management for guidance and support. Essentially, companies need to focus on creating a culture of integrity that is part of the strategy and business operations of the organization at all levels.

Hedley: If the organization has an effective ethics and compliance program, the vast majority of employees believe the CEO and other senior executives set the right tone at the top. Conversely, if there’s not an ethics and compliance program in place, about half as many employees believe that the CEO and others in senior management set the right tone. Furthermore, in organizations where there is an ethics and compliance program, employees are more than twice as likely to apply the right values to their decisions and behaviors and to share a commitment to integrity.

Editor: What are the basic stages of a fraud risk management strategy?

Girgenti: When we look at an organization’s fraud risk management strategy (or help it develop one), we consider four stages. The first is assessing the risk and the needs of the organization, and we begin with identifying the nature of integrity risks that they face. This might mean one thing for a domestic corporation and another for a multinational corporation; it might be different for a financial services company versus a consumer or retail corporation. Then we assess the sufficiency of existing controls. Do the controls that are in place match the risks that organization has?

The second stage is the designing of policies, programs and controls to address three different elements – prevention, detection, and response – with respect to the identified risks. This is done in a manner consistent with whatever regulatory criteria or regulatory framework the company operates within.

The third stage is deploying a process for implementing the new controls.

Finally, the fourth stage is making sure that you are continuously evaluating and monitoring the design and operating effectiveness of the controls, policies and procedures. It does little good to have the “right” policies and procedures if they are either implemented incorrectly or flawed in their execution such that they are not effective when they’re put in place.

Editor: The survey indicated that 59 percent of respondents reported that if employees and managers were to violate standards of conduct, it would be because they believed they would be rewarded for the results; the same percentage reported it would be because they lack familiarity with the relevant standards. How might this be addressed?

Hedley: The fact that the percentages are the same is coincidental. Having said this, they may be considered related. I think part of the solution is that organizations should design and implement communication and training programs that help enhance employee awareness of risks and increase their ability to identify, assess and report such risks. In addition, they should set an appropriate tone across the organization that sends the message that inappropriate behavior will not be tolerated.

Editor: Please describe the components of a robust code of conduct. How should codes of conduct be crafted such that they are taken to heart by employees?

Girgenti: First, codes of conduct should define acceptable behavior in an organization. They should be built around the organization’s core values, and they must be accompanied by effective communication and training. Most importantly, the code should stress the affirmative obligation to report wrongdoing. What you don’t want is a document that just sits on a shelf. It should be a living document reflecting the values of the organization. We find that in those organizations that have that kind of living document as well as the proper tone at the top, the codes of conduct are taken more seriously.

Editor: What are some best practices for communication and training to raise awareness around what constitutes misconduct and how it should be handled if detected?

Hedley: Communication and training should integrate organizational core values, publicize reporting mechanisms and use realistic examples – for example, identifying what kinds of conversations would be appropriate (and what would be inappropriate) when speaking to a competitor. In addition, training and communication should be available in local languages. Organizations should use varied methods such as email, town hall meetings, newsletters and speeches by senior management. However, probably the most important thing that organizations should do is to monitor the effectiveness of their training efforts.

Editor: How can an organization optimize the chances that fraud will be detected as early as possible?

Girgenti: Your frontline of defense in fraud detection is your employees. The first thing you have to do is hire the right people. Organizations that employ due diligence and screening in the interviewing process in order to get the right people are already ahead of the game. Second, you have to understand that because your employees are your first line of defense, you must make sure that they can recognize unacceptable behavior and that they know they have an affirmative obligation to report wrongdoing. The third measure I would cite as a way to optimize the chances that fraud will be detected is to instill in your workforce the sense that they are stakeholders for the organization. Those organizations that have a sense of purpose beyond the mere operations of the organization, beyond what affects the bottom line – for example, to be a green company or a good corporate citizen – are often better able to instill a stakeholder mentality where employees are proud of the organization. Such employees are more likely to view anyone who violates the values of an organization more seriously than those who lack that sense of purpose or ownership in the organization.

Editor: We so often hear about corporate social responsibility in the context of shareholder opinion, so it’s compelling to learn that corporate social responsibility can play such an important role in employee morale – and consequently, fraud detection.

Girgenti: There is in my mind – and I think for most people who are in this business – a direct correlation between integrity and performance. Those organizations with high integrity will more often have high performance.

Editor: What kinds of technology are available to assist in the detection of fraud?

Hedley: Some technologies can run in real time, while others are designed to be used retrospectively. These technologies can calculate a number of statistical parameters, such as measures of central tendency, performance metrics and probability distributions for business activities. These applications can do time series analysis, clustering, and pattern matching to find anomalies and unexpected associations.

The more sophisticated predictive tools employ statistical techniques and algorithms not only to detect anomalies in behavior, but also to make predictions. These predictive models are constantly in a process of refinement and learning to eliminate false positives, to adapt to maturing fraud schemes, and to predict future trends.

Of course, you need to have the right people operating these technologies. I really think the present and the future of detecting fraud, integrity breakdowns and other kinds of organizational misconduct are highly dependent upon individuals who can use sophisticated data analytic routines.

Editor: In the event that fraud is detected and confirmed, how can organizations ensure that their response is appropriate and that it may serve to help head off fraud in the future?

Girgenti: I think three things are imperatives here: first, organizations must be able to respond quickly and appropriately; second, organizations should have a clear, understandable and fair process for rewarding proper behavior and disciplining those who violate the law or the policies of the company; and third, there should be a feedback loop into the organization so that there are lessons learned. Particularly in this environment, in which fraud is increasingly committed through the Internet, the importance of speed and thoroughness has never been greater.

Organizations need to set up investigative protocols in advance; they can’t be figuring out what they have to do as an investigation unfolds. They need to know who has responsibility for what. Those protocols should include how an initial assessment of the allegations will take place and how and to whom the right and sufficient investigative resources should be assigned. The protocols should cover the preparation of work plans, the collection of documents and records, preservation of the digital evidence, the conducting of interviews by skilled interviewers, the proper maintenance of records, and documentation and reporting of the findings.

To help head off fraud in the future, organizations must have a process to remedy the harm caused and decide on appropriate and consistent disciplinary actions, and they must communicate to their employees that there will be consequences for bad behavior and rewards for good behavior. Finally, organizations must implement monitoring and control enhancements to correct any deficiencies and gaps that the investigation may have uncovered.

Please email the interviewees at rgirgenti@kpmg.com or thedley@kpmg.com with questions about this interview.