By Tom McLeod, Managing Consultant, McLeod Governance
It was to be my pièce de résistance. Not six months into a new role, I had diligently, thoroughly and proudly investigated an expense reimbursement fraud and all that was left to do was to present my findings to the audit committee and to bask in the glow of the congratulations of my esteemed and learned colleagues for a job well done.
The narrative of the fraud was as basic as they come – a previously high-performing manager diverted by the temptations of forbidden flesh turns to corporate misadventure to fund the associated cost that maintaining two lives imposes.
What started as an over-claiming of a travel allowance soon escalated into the fabrication of work and expenses and the embellishment of stories to ensure that they had a (claimable) work-related angle. By the time it came to my attention, the manager had wasted his career (and no doubt the trust of those that he held dear) for the sake of about $40,000.
As I sat before the audit committee that day, I laid out the facts and the conclusion in a most self-evident manner. And then the question came.
“Tom,” the single syllable reverberated around the room with a perverse grim determination to end a (my) career that had barely then started, “how much did you spend investigating this fraud?”
It was then – and remains to this day – a question that I dread. It is not that I am not prepared to share the information with the audit committee but rather that far fewer audit committees than should be the case don’t readily understand that there is no specific correlation between the impost of the misadventure and the cost of the related investigation.
“Mr Chairman,” I replied, “the cost of the investigation was in the order of about $80,000.”
Even before the final articulation of the number left the safety of my mouth I could hear – and to be honest, feel – the gasps of the combined directorial and senior management audience.
I was super-imposing on them what I assumed that they were thinking: “How could you spend twice as much on investigating this matter as was the original cost to the company? What was this auditor thinking?”
Just at that moment when I was going to defend myself but yet my voice probably would go mysteriously absent at that crucial time, I heard the chairman say: “Everyone – can I just clear something up. In my mind there is no correlation between the cost of the investigation and the underlying impost of the initial fraud. We will wear what is appropriate to investigate.”
I very nearly broke all the decorum protocols of an audit committee by leaping over the table to hug and then prostrate myself at the feet of this all-knowledgeable (and career-saving) chairman.
“But,” he added, forcing me to again consider an immediate career change, “in future, Tom if you have $100 to spend on fraud-related matters I want you to spend $90 on prevention; $8 on detection and $2 on investigation.”
He continued: “We want to have a fraud-resilient organisation; not a fraud-investigation organisation.”
The audit committee had issued my team a challenge and we set about delivering. Firstly, however, we had to determine whether we were already a fraud-resilient organisation. I suspected not but had no evidence to support my conclusion. It was an opinion, not a fact – something that I regularly told my teams to avoid in the area of fraud assessment.
So we devised a test of sorts. We engaged professional actors and dramatised and filmed the expense reimbursement fraud for future viewing on the intranet by our organisation’s workforce.
The segment was not, however, a ‘how to commit expense reimbursement fraud’ lesson but rather an interactive experience to assess whether the watcher understood what fraud was.
“What started as an over -claiming of a travel allowance soon escalated into the fabrication of work and expenses”
We embedded into the story seven instances of expense reimbursement fraud – some as obvious as the handing over of a corporate credit card to pay for drinks at an establishment of ill repute through to the less obvious of the development of a fake tax invoice.
Our hypothesis was that we could consider ourselves a fraud-resilient organisation if the many thousands of respondents identified on average five out of the seven instances of misadventure. At or above this level we knew that we had an organisation that had in place the structures and people that would prevent, detect – and in time, investigate – fraud.
Below this level, it meant that we had an organisation that could not even see fraud in front of it even when they were told that they were doing a fraud detection survey where they were required to identify instances of fraud. In short, if we got below five out of seven we had the antithesis of a fraud-resilient organisation.
After a nervous couple of weeks as respondents completed the interactive survey, the results came back in. Out of a possible seven instances of misadventure the collective had identified, on average, a miserly two.
We were so, so far from being a fraud-resilient organisation that – momentarily – I felt the urge to send an all-employees email suggesting that anyone who was planning to commit a fraud against their employer would be well served to do so in the current environment as there was no reasonable chance that their manager would detect the wrongdoing by anything other than sheer luck.
It was a lesson – and a story – that I have never forgotten and one that I continue to share with all my audit teams and investigators and especially when I have the privilege to speak with students and colleagues who are passionate about this area of business.
We started that day of the receipt of the results on what is a never-ending journey of education and re-enforcement. We borrowed the line attributed to, among others, the United States military leader George Marshall that the price of peace is eternal vigilance.
For us the price of a fraud-resilient organisation was eternal education. But what is a fraud-resilient organisation?
The United States Government Accountability Office (GAO) has recently provided a very valuable addition to the literature in this area. The GAO is an independent, non-partisan agency that works for Congress. The GAO investigates how the United States federal government spends taxpayers’ dollars.
The GAO noted in the July 2015 release of its Fraud Risk Management Framework:
■ To help managers combat fraud and preserve integrity in government agencies and programmes, GAO identified leading practices for managing fraud risks and organised them into a conceptual framework called the Fraud Risk Management Framework (the Framework)
■ The Framework encompasses control activities to prevent, detect, and respond to fraud, with an emphasis on prevention, as well as structures and environmental factors that influence or help managers achieve their objective to mitigate fraud risks
■ In addition, the Framework highlights the importance of monitoring and incorporating feedback
It would be time well spent for all organisations to review the Framework and assess where they sit against the standards articulated by the GAO. An organisation that can honestly say that they satisfy the elements of the Framework is one that can be awarded the title of a fraud-resilient organisation. Everyone else is a pretender.
So what is in the Framework and how can organisations apply it? The Framework applies four key principles:
■ Commit to combating fraud by creating an organisational culture and structure conducive to fraud risk management
■ Plan regular fraud risk assessments and assess risks to determine a fraud risk profile
■ Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation
■ Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management
Let’s look at each in more detail using the selected best practice provided by the GAO.
Commit to combating fraud by creating an organisational culture and structure conducive to fraud risk management
In many aspects the easiest to say, yet the hardest to do, the GAO advice is to demonstrate a senior-level commitment to combat fraud and involve all levels of the programme in setting an anti-fraud tone.
This is more than the chief executive sending out an email saying that fraud will not be tolerated. This is demonstrable action measured in the appropriate allocation of funding and the clear linkage between misadventure and consequence. Seniority cannot be a defence used to excuse fraudulent actions.
■ Designate an entity within the programme office to lead fraud risk management activities. Whoever that may function may be – designate it early and publicly. Not only tell the world that you are intolerant of fraud but that you have empowered that function with the appropriate human, technology and funding resources and authority to do its job
Plan regular fraud risk assessments and assess risks to determine a fraud risk profile
A fraud-resilient organisation is one that regularly scans the horizon to see what misadventure lurks, waiting to strike.
To do this scanning the GAO suggests that organisations:
■ Tailor the fraud risk assessment to the programme and involve relevant stakeholders
■ Assess the likelihood and impact of fraud risks and determine risk tolerance
■ Examine the suitability of existing controls, prioritise residual risks and document a fraud risk profile
In plainer English, this means determine what could kill you (fraudulently speaking – assess what could go wrong); when is it going to happen (assess the likelihood); and how much is it going to hurt when it does happen (assess the impact).
Doing this risk assessment in a vacuum is, however, like dancing with your sister. The actions may be there but there is no real benefit.
Just as you need to tell the world that you have empowered a function to oversee fraud risk assessment equally you have to broadcast that you are actively considering all the scenarios that a misplaced mind may be considering.
Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation
The GAO’s Framework then suggests that one focus on developing and communicating preventative control activities; developing a fraud response plan and developing (non-bribery) incentives that will ensure what you had planned to do is actually implemented.
The final element of a fraud-resilient organisation could be best summarised in three words: monitor and feedback.
The GAO advocates that the Framework is capable of outcome measurement, that data is collected and analysed to provide real-time monitoring of fraud trends and the adoption of a feedback loop for continuous improvement.
American drama series may not be made about fraud prevention – but it is the strongest and most important element in your armoury as you establish and maintain your fraud-resistant organisation.
About The Author:
Tom McLeod is considered one of the world’s leading Chief Audit Executives having been the Global Head of Internal Audit for Rio Tinto, one of the world’s largest mining companies and Head of Internal Audit and Fraud at one of Asia’s largest telecommunication companies. He now operates a boutique internal audit, corporate governance and fraud prevention consultancy called McLeod Governance which advises globally with Boards, Audit Committees and Chief Audit Executives.