Recent corporate scandals, each perpretrated by very senior management and involving billions of dollars, have highlighted the effect that fraud can have on corporate financial strength. Fraud prevention quickly jumped to the top of the corporate agenda.
In order to establish fraud prevention controls that will function as planned, you must understand the business operation. What expectations must those employees and agents meet for those controls to operate as intended? Do the business's employees and agents understand those controls and how those controls relate to their day-to-day activities?
Let's step back and consider the historical context for the effort and what such controls should be able to do. The accounting and other corporate scandals of the past few years represented ethics failures of the companies involved. Enron, for example, had adopted a well-written, comprehensive ethics policy, yet its senior management included at least some individuals who determined to enrich themselves at the expense of the company, its employees and other stakeholders. The actions that undermined Enron and those that weakened WorldCom and other companies were not simply the acts of one individual in each case. They required, if not the active involvement of multiple employees, at least the passivity of employees who may have observed the aberrant behavior but did not act to stop or to report it.1
Fraud prevention controls, then, should include more than after-the-fact auditing processes and controls that constitute a "look back" at already completed acts. After all, an audit only examines a sample of transactions to test whether the reported results accurately reflect the details. A means of preventing erroneous or fraudulent behavior far better serves the company's interests than a program that relies totally on after-the-fact correction of such problems. To fail to include pro-active, preventive aspects in a program of fraud prevention controls would constitute a serious, costly oversight. What might such steps entail and how would they relate to fraud prevention?
Training - The Unappreciated Aspect Of Fraud Prevention
When considering fraud prevention, most people probably think about audits, internal controls and similar processes. We should not overlook the role that training can and should play in a business's fraud prevention efforts.
Corporate behavior that complies with legal and other standards also constitutes quality behavior. "No matter how hard we try to design our products and processes so that the quality of our products and services are less dependent upon our people, our reputation will always be a direct reflection of them. The real key to quality is the behavior or our people. To bring the level of quality that is required to survive in the 21st century we need to change the way our people - all people, from the boardroom to the boiler room - think, act and behave."2 Fraud is an intentional breakdown in quality performance. The prevention of fraud must rely on employees and others, who might observe or otherwise learn about fraudulent activity to report such activity to appropriate authorities within the organization.
The SEC promulgated regulations to implement 404 of the Sarbanes-Oxley Act and many companies have gone to great and expensive lengths to integrate the requirements of those regulations into their corporate structures. To fully realize the benefits of such efforts, however, they must also train their employees and other agents to fully appreciate and understand those efforts. Such training might include (1) the need for accuracy in books and records, (2) the role of internal controls in assuring that a company's financial statements are accurate and that its reporting to shareholders, regulators and the public is transparent, (3) financial integrity and the role of all employees in its achievement and (4) the implications, for the organization and the individual, of failure to properly and accurately respond to government inquiries.
In essence, a vigorous training protocol seeks to enlist all employees and agents of a company as a network of "financial sensors" throughout the organization. Individuals who contemplate committing fraud against a company likely would reconsider their chances of success if they know that other employees or agents of the company, who are not involved in the possible fraud and might become aware of it, have received training that would enable them to detect that fraud and report it.
The Deficit Reduction Act of 2005, passed in February 2006, highlights the relationship between employee awareness to fraud prevention. Congress declared that organizations that receive Medicaid reimbursement must provide their employees, agents and contractors detailed information about Medicaid fraud and its prevention, among other topics. See 6032 of Public Law No. 109-171.
Can such training work? Can it lead to the prevention or discovery of fraud?
Not long ago, a company provided training to many of its employees using Integrity Interactive's financial integrity course. Deployed over the Internet to specific employees and agents selected by the client, that course includes interactive, story-based lessons on (i) financial reporting, (ii) sales and revenue issues, (iii) cost and expense issues, (iv) books and records, (v) financial controls and (vi) reporting procedures. After completing that course, one employee alerted the company to a situation that did not comport with applicable requirements described in the course. After investigation, the company learned of fraudulent activity within one of its overseas regions. That report and the investigation enabled the company to satisfactorily resolve that problem much more quickly and effectively than it likely would have through auditing or other means.
Fraud Prevention And The Sentencing Guidelines
The United States Sentencing Commission (the "Sentencing Commission") first promulgated the Sentencing Guidelines for Organizational Defendants (the "Guidelines") in 1991 to achieve Congress' goal of greater certainty and uniformity of sentences for organizations convicted of federal crimes, as expressed in the Sentencing Reform Act of 1984.3 The Guidelines have contributed to the growth, maturation and development of corporate compliance and ethics programs.4
How do the Guidelines relate to fraud prevention? Some elements of an "effective compliance and ethics program," as the Sentencing Commission defined that term, contribute to fraud prevention efforts or provide a mechanism by which to enhance those efforts. Those elements and their relationships to fraud prevention follow:
The organization shall establish standards and procedures to prevent and detect criminal conduct.
Standards and procedures, such as a code of conduct or business practices that sets out the general standards of behavior that an organization expects its employees and agents to follow, should prohibit fraudulent activity (among other things). Many business organizations also prepare more specific guidance for their representatives that provides instructions or standards for the particular industry context in which those companies operate.
Without such codes, many types of unwanted behavior could escape the organization's fraud prevention efforts. Moreover, the absence of such a code might make much more difficult punishment for such illicit behavior unless the organization is willing to involve public crime prevention and punishment authorities (if the behavior violates the law) and those authorities elect to pursue the matter when brought to them.
The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
The most effective anti-fraud approach is to avoid hiring individuals who have demonstrated a propensity for fraud or myopia toward its appearance within the organization. In effect, "an ounce of prevention is worth a pound of cure." Accordingly, an organization's hiring standards should reflect its commitment to an ethical workforce and an ethics-based, compliance-focused environment and conduce toward the employment of a workforce that likely would not commit fraud. This is particularly important in terms of the higher levels of personnel within an organization.
The Sentencing Commission believed that it needed to highlight this simple and self-evident standard in the Guidelines. Clearly, an individual who had previously engaged in illegal activity or otherwise exhibited behavior that conflicted with legal requirements or demonstrated unethical standards, if employed as one of an organization's "substantial authority personnel,"5 would more likely commit fraud or at least serve as an example to all employees that the organization does not value highly ethical behavior.
The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures and other aspects of the compliance and ethics program to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.6
Compliance with legal requirements created by public agencies and institutions and with ethical and other behavioral standards adopted by the company depends on the day-to-day actions of a company's employees and agents.7 Accordingly, the success of any firm's efforts to comply with those standards rises and falls on its ability to educate its employees and agents about those standards and how those standards relate to and affect those individuals' responsibilities. For that reason, the company itself should devote adequate resources to its training efforts. That reason also explains the Sentencing Commission's decision in 2004 to clarify that training as a mandatory means of satisfying the Guidelines' requirement of effective communication of an organization's compliance- related standards and procedures, not just an example of how to do so.8
How does training relate directly to fraud prevention? The content of the training must include material that stresses how fraudulent activity harms the company's customers and clients, the company itself and employees. Employees and agents should learn how to identify fraud so they can serve as the company's front-line troops in the fraud prevention-and-identification efforts.
The organization shall take reasonable steps - to ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; to evaluate periodically the effectiveness of the organization's compliance and ethics program; and to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
Merely adopting policies and procedures regarding compliance, fraud or any other topic will not have a very significant impact on organizational behavior. Enforcement mechanisms, including monitoring and auditing, must be parts of the compliance and ethics program.
The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
Because an organization's behavior can only reflect the behavior of its employees and agents through whom it acts, the Sentencing Commission included among the elements of an effective compliance and ethics program appropriate incentives for acceptable and desired behavior and punishments for noncompliant acts. The consistent application of those incentives and disciplinary measures will affect how well they and the compliance and ethics program are perceived by employees.
After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar conduct, including making any necessary modifications to the organization's compliance and ethics program.
Fraudulent activity violates criminal laws. An organization must react appropriately to criminal conduct that it discovers in its operations, as did the Integrity client cited above. The organization's response should minimize the possibility of recurrence.
An organization that discovers fraud should want to correct that problem. Applying lessons learned in the discovery of fraud makes the organization more capable of preventing repetition.
The implementation of fraud prevention mechanisms, like any part of a corporate compliance and ethics program, must satisfy the authorities who might review them that they do not represent merely a "paper" effort to comply. If, however, a firm takes steps that, while they might appear on paper to provide the benefits that the Sentencing Commission hoped a program would yield, do not change corporate behavior due to inadequate resources or insufficient support by senior management, that firm might be worse off than if it had done nothing.
This becomes apparent from the more recent instructions that the United States Department of Justice issued to guide United States Attorneys around the country in their decisions as to whether and how to prosecute and charge corporations implicated in federal criminal violations.9 DOJ noted that
Prosecutors should therefore attempt to determine whether a corporation's compliance program is merely a "paper program" or whether it was designed and implemented in an effective manner. In addition, prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts. In addition, prosecutors should determine whether the corporation's employees are adequately informed about the compliance program and are convinced of the corporation's commitment to it. This will enable the prosecutor to make an informed decision as to whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation's employees and agents.10
A well designed compliance program with appropriate training as its central element can contribute to effective fraud prevention. Time and effort devoted to designing and implementing such a program should yield positive results and represent a very cost-effective part of fraud prevention.
Fraud appears in the absence of adequate controls to prevent. One of the most important controls consists of efforts to train employees and agents on fraud-related subjects. They need to understand what fraud is, how it affects them and the organization and how they can assist in preventing and controlling its appearance.
With insufficient attention to training, fraud prevention efforts will be hampered, with less chance of preventing the occurrence of fraud. Proper training, however, empowers an organization's employees and agents as an "early warning system" of possible fraudulent activity.
1 Allegations by the plaintiffs in the securities action regarding the WorldCom bankruptcy highlight this: "WorldCom's finance employees made large improper accounting entries after the close of many quarters in order to report that the company had achieved the unrealistic revenue growth targets set by [the CEO and CFO]. This process was directed by [the CFO] and involved the cooperation of many other finance personnel ." "Corrected First Amended Class Action Complaint of Lead Plaintiff Alan G. Hevesi, Comptroller of the State of New York, as Administrative Head of the New York State Retirement Systems and as Trustee of the New York State Common Retirement Fund, on behalf of purchasers and acquirers of all WorldCom, Inc., publicly traded securities," No. 02 Civ. 3288 et al. (United States District Court for the Southern District of New York), 96(a) (emphasis added).
2 Harrington, "Performance Improvement: Change Behaviors to Improve Quality," posted at http://www.qualitydigest.com/july99/html/body_perfrmnce.htm.
3 See Mistretta v. United States , 488 U.S. 361 (1989).
4 In "The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics," 87 Iowa L. Rev. 697, 710 (2002), Hon. Diana E. Murphy, Circuit Judge on the United States Court of Appeals for the Eighth Circuit and former chair of the United States Sentencing Commission, reviewed the statutory background of the Sentencing Guidelines for Organizational Defendants and their first ten years of operation.
5 "'Substantial authority personnel' means individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization." 8A1.2, Application note 3(c).
6 "The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel substantial-authority personnel, the organization's employees and, as appropriate, the organization's agents." 8B2.1(b)(4)(B).
7 After all, a company can act only through its human representatives. If those representatievs don't know about or don't understand the compliance-related expectations of the business, they won't be able to meet those expectations except by happenstance.
8 The group appointed by the Sentencing Commission to review the first ten years of the Guidelines in preparation for the Commission's planned revisions explained that "effective training has two components: (1) educating all employees about compliance requirements, and (2) motivating all employees to comply." Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines (October 7, 2003), p. 70.
9 See "Principles of Federal Prosecution of Business Organizations," dated January 20, 2003, from Larry D. Thompson, Deputy Attorney General, to Heads of Department Components, United States Attorneys, posted at http://www.usdoj.gov/dag/ cftf/corporate_guidelines.htm.
10. Id., at section VII.
Steven A. Lauer is Director of Integrity Research for Integrity Interactive Corporation, a provider of online training for corporate compliance and ethics programs and related services. Prior to joining Integrity, Mr. Lauer was a consultant to corporate law departments and law firms regarding how those departments and the law firms that represent the companies work together. Previously, he spent over thirteen years as an in-house counsel and six years in private practice.