Effective Fraud Risk Management: The Last Word

Sunday, April 1, 2007 - 00:00

Editor: Mr. Hedley, would you tell our readers something about your professional experience?

Hedley: I am a partner at KPMG, and I have been with the firm for seven years. I am the national forensic service line leader. Prior to joining KPMG I was at another Big Four firm, and before that I was a university professor.

I am a certified public accountant and a certified fraud examiner. I have a bachelor degree in accounting, a master in accounting and a doctorate in public management (accounting and control).

Editor: Please tell us about your practice at KPMG.

Hedley: You can look at the forensic practice in two ways. One way concerns the reactive work we do. This involves investigating a variety of things, including fraudulent financial reporting, the misappropriation of assets and many kinds of misconduct. The other side of the practice is proactive. This is essentially fraud risk management, and we are engaged in helping organizations design, implement and evaluate programs and controls to prevent, detect and respond to fraud and misconduct.

Editor: How do these services connect to 404's attestation requirement on public accounting firms with respect to management's internal control assessment?

Hedley: If you think about management's internal control assertions under 404, you have management-driven efforts to establish a basis for asserting that anti-fraud controls are effective. In addition to those efforts, you have auditors making their own judgment on whether management's assertion is fairly stated, and reaching their own conclusions on the effectiveness of the controls.

In our forensic practice we participate in both aspects of this particular undertaking. We will work with the board of directors and the senior executive group of non-audit clients to develop an organizational structure for management's conduct toward the fraud and misconduct risk, including human resources policies and procedures. It is in developing and validating controls that management appears to be looking for guidance and support from us.

One of the issues that arises from regulatory frameworks is that they require the company to take efforts to prevent, detect and respond to fraud and misconduct, but they do not tell the company how to go about it. That is where we come in.

Editor: What are the most common types of fraud that an organization is exposed to?

Hedley: Principally, we look for fraud in financial reporting or for asset misappropriation. The risk and potential harm resulting from fraudulent financial reporting are typically much greater than what results from an asset misappropriation. An organization that experiences fraudulent reporting of its revenues is going to suffer terrible losses in the financial markets, far greater than anything that might be lost through an asset misappropriation.

Let me add, however, that most organizations deal with asset misappropriation as the most common type of fraud. Most of the time this entails people simply stealing money from the organization and seldom rises to the level where the very existence of the organization is at stake. There are instances of very significant theft, however.

Editor: What types of controls should a company have in place to detect and hopefully prevent fraud?

Hedley: Fraudulent financial reporting originates in very complicated circumstances. You understand, people do not typically commit fraudulent financial reporting simply because the opportunity presents itself. Very often there is pressure within the organization - often very subtle pressure - to put the right spin on things. It is necessary to have controls in place that address the kind of mindset that is willing to distort the truth to enhance the company's prospects. In such a case I start with the message being sent down from senior management. Is that message one of lip-service, or is it sincere? Is it perceived as sincere? In addition, I try to establish the right kind of upstream reporting mechanisms, and I want to ensure that the employees know they have an affirmative obligation to report on anything they believe to be inappropriate or untoward.

With asset misappropriation, I am looking for something else. Is there, for example, some evidence that points to, say, a gambling or drug abuse problem that is driving someone to steal? Is there evidence indicative of opportunistic theft? Sometimes people steal because they have an opportunity to do so, and they cannot resist the temptation. If so, the gaps in the system must be shut down.

Editor: Why is it critical for an organization to have the proper tone coming from top management?

Hedley: In my experience, many of the most egregious frauds have occurred in organizations where the code of conduct, the compliance program and all of the controls appear to have been right on target. If you look at what the senior executives were saying, however, a different story emerges. A comment such as, "I don't care what it takes, we must make the numbers" tells you everything. Those at the top cannot set expectations that are impossible to meet without running very substantial risks.

Editor: How do you get the message across that senior management is really sincere about doing the right thing?

Hedley: That is a critical component of a risk assessment. Among the tools I use to get at whether the message is getting through are confidential interviews with the rank-and-file and confidential surveys. Often, these inquiries disclose a disconnect between what senior management thinks and what is perceived at ground level.

Editor: Is there any way a company can protect itself against unscrupulous employees?

Hedley: It is essential to hire the right people. In my experience, many organizations do not do enough with respect to background checks. Simply calling a prospective employee's references is not sufficient. There are, however, ways to ask about a person's background that give you a sense of their ethical capacity. A full media search can be undertaken, as well as a criminal background check, and it is surprising how often the prospective employer doesn't bother to do this. Sometimes the oversight is innocent enough. Someone may be hired for a low level position without anyone having done a credit check. The person does well and is promoted to a higher position in accounts receivable, where, say, problems begin to surface. It is essential to recognize - and recognize going in - that the more responsibility is given to a person, the greater the risk.

Editor: What clues should employees look for when they believe a co-worker may be engaged in fraudulent activities?

Hedley: With respect to asset misappropriation, there are many things to look for. A person who works odd hours, who does not take vacations or who is overly protective of his workspace, for example. None of these things means that a person is committing fraud, but they can be a red flag.

Another warning sign is the employee with a grievance, real or otherwise. Often such a person believes he has been treated badly and may use that perception to rationalize stealing from the company.

A lifestyle that is suddenly inconsistent with an employee's salary is also an indicator that something untoward may be underway. The desire to flaunt new-found wealth seems to be a common human weakness.

Editor: What are some of the common mistakes that organizations make with respect to fraud investigations?

Hedley: The first mistake that companies make is not getting the right professional to perform the investigation. Many do not have in-house investigative capabilities, and if so, it is essential to retain the right experts from outside the organization. Rushing to get the investigation underway without the right people in charge - for starters, general counsel and the legal department, in addition to the appropriate human resources staff - can land the organization in hot water. A poorly conducted investigation may be far more damaging than if the organization did nothing at all. Finally, a failure to seek legal advice on the investigation may result in its not being protected by the attorney-client privilege.

Editor: KPMG recently released a white paper on effective fraud risk management. Would you take us through some of the high points?

Hedley: In the white paper we attempt to provide the company with some clear directives of what needs to be done in designing, implementing and evaluating the appropriate controls for preventing, detecting and responding to fraud and misconduct.

By clear directives, for example, I mean that a code of conduct should include an affirmative obligation for employees to report code violations.

There should also be a code of conduct certification process that includes a requirement that each employee annually certify that he or she has read the code, has undergone training on it and agrees to adhere to it.

We discussed due diligence on employee hiring. It is important to understand that due diligence extends to persons outside the organization. Fraud is committed both internally and externally, and background checks on vendors should be built into the process.

To have an effective program an organization needs both downstream and upstream communication, and that means that the CEO must convey a message of how essential compliance behavior is to all of the employees and then respond appropriately when that message generates a response from below. Hotlines and whistleblowing policies are all part of the upstream communication process. In order for them to be effective, they must be perceived to be effective. Training is not the entire answer, but it helps to constantly reinforce the program.

Editor: Would you say something about forensic data analysis?

Hedley: Proactive forensic data analysis is a hot topic right now. Companies possess all kinds of data. In the past if you were asked to conduct an investigation of, say, the company's accounts receivable, you could randomly select a representative group of vendors for audit and a certain budget level. Today we have the technology to help us find the patterns and the examples of unexpected behavior. For example, there are routines available that will help you look for mail drop box sites. A vendor with a mail drop location box for a mailing address is often a red flag. There are also routines that help to identify ghost employees, people on the company's payroll who do not exist.

Another interesting example is Benford's Law. This is a mathematical phenomenon that indicates that in naturally occurring data sets numbers occur with predictable frequency in the digits of a number. Without getting too involved in trying to explain this, I will say that Benford's Law can point the finger of suspicion at fraud. It permits you to analyze all kinds of transactions and graph them out in a way that will show you the expectation and the spikes. It is the latter that should be examined.

I suspect that fraud is going to be with us for some time to come. Technology has given us a number of extremely effective tools with which to address fraud. Success depends, ultimately, on the people utilizing those tools, however. In the end, a culture of compliance is built on having the right people in place. If the right technology is in place as well, I think the organization is going to be in a very good position to develop an effective fraud risk management process.

Please email the interviewee at thedley@kpmg.com with questions about this interview.