Addressing the Business Risk of Fraud of 2012 and Beyond
Sheila Moran Keefe, CFE, CPA
Business Case to Address Fraud Risk
681 enforcement cases in FY 2010
$2.8 billion in penalties and disgorgement
Much of the financial wrongdoing fell under the general oversight of audit committee activities.
- SEC's 2010 Performance and Accountability Report
Business Case to Address Fraud Risk: Duty of Care
Caremark International Inc. suggests that directors must ensure that corporate information and reporting systems exist, including compliance programs.
Directors must not turn a blind eye to fraud.
InfoGroup
Audit committee (AC) chair deficiencies in the investigation:
• Found insufficient documentation and explanations related to some of the CEO's expenses
• Assured the internal audit (IA) director that conversations would be had with the CEO that allegedly never took place
• Did not communicate the concerns of the second IA director to the Board
• After a 10-day "in-depth" investigation, asserted to wrongdoing
DHB Industries
The SEC charged three ex-directors who
served on DHB Industries Inc.'s audit
committee for being "willfully blind to
numerous red flags" of fraud.
KPMG Fraud Survey 2009
Polled 200 senior executives from organizations with at least $250 million in annual revenues
65% of respondents perceived fraud to be a significant risk
Most significant perceived fraud risk: asset misappropriation
Nearly one-third of respondents anticipate an increase in fraud in the coming year
75% expect anti-fraud resources to increase in the next year
Risk Management
28% report their risk management implementation is "systematic, robust, and repeatable" with regular reporting to the board
60% report risk tracking is mostly informal and ad hoc, tracked within individual silos rather than enterprise-wide
- COSO 2010 report
Risk Management
Almost half of survey respondents described their risk management processes as "very immature" or "somewhat immature"
35% are "minimally" or "not at all satisfied"
- 2010 COSO report
Risk Management
Half of organizations reported no board oversight of the risk oversight activities performed by management
Two-thirds reported that while they report the entity's top risk exposures to the board regularly, that form of board risk oversight appears to be casual and unstructured
Just under half noted that there were either no or only minimal processes for identifying and tracking risks
- 2010 COSO report
Fraud Risk Management Strategy
Assemble the right team
Risk identification and prioritization
Risk response and report findings
Monitor key controls
Assemble the Right Team
Responsibility matrix. Functions, in column order: Investigation Unit, Internal Audit, Finance/Accounting, Executive Mgmt, Line Mgmt, Risk Mgmt, Legal, Public Relations, Employee Relations. Marks for each action are listed left to right in that column order; rows with fewer than nine marks omit their blank cells, so the column position of those marks is not shown.
1. Controls to Prevent Fraud: S S S SR SR S S S S
2. Incident Reporting: P S S S S S S S S
3. Investigation of Fraud: P S S S
4. Referrals to Law Enforcement: P S
5. Recovery of Monies Due to Fraud: P
6. Recommendations to Prevent Fraud: SR SR S S S S S S S
7. Internal Control Reviews: P
8. Handle Cases of a Sensitive Nature: P S S S S S
9. Publicity/Press Releases: S S P
10. Civil Litigation: S S P
11. Corrective Action/Recommendations to Prevent Recurrences: SR SR S SR S S
12. Monitor Recoveries: S P
13. Proactive Fraud Auditing: S P
14. Fraud Education/Training: P S S S
15. Risk Analysis of Areas of Vulnerability: S S P
16. Case Analysis: P S
17. Hotline: P S
18. EthicsLine: S S P
P = Primary Responsibility, S = Secondary Responsibility, SR = Shared Responsibility
Risk Identification
Interviews
Focus groups
Surveys
Risk Assessment Survey
Columns: Business Function | Risk | Process | Control | Personnel Assigned? | Past Incident?
Explore Fraud Risk Scenarios
Who in the organization is likely to commit financial statement fraud?
How are they likely to carry it out?
ACFE's 2010 Report to the Nations
Demographics from 2010 RTTN - Department of Perpetrator (chart; axes: percentage, -5% to 30%, and dollars, $0 to $1,000,000; departments: Legal, Sr. Mgmt., BOD, Purchasing, Finance, Accounting, Sales, Operations, Customer Service, R&D, IT, HR, et al.)
Risk Identification
What could go wrong?
How could someone steal from the department?
What decisions require the most judgment?
What activities are most complex?
What activities are regulated?
Cost of Financial Statement Fraud
COSO report, Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies
347 victim organizations examined
Cumulative misstatement of $120 billion
Mean of $400 million per case
Median of only $12.1 million
Financial Statement Fraud
"Waste Management Founder, Five Other Former Top Officers Sued for Massive Fraud. Defendants Inflated Profits by $1.7 Billion to Meet Earnings Targets; Defendants Reap Millions in Ill-Gotten Gains While Defrauded Investors Lose More Than $6 Billion"
- SEC press release
Cost of Financial Statement Fraud
COSO report, Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies
Announcement of fraud led to a 16.7 percent decrease in stock price in the surrounding two days
Humboldt Creamery
Ex-CEO deceived the auditors: allegedly stacked packaged milk powder
Provided false financial information and supporting documents to secure an extension of an existing loan
Top valuation of $100 million; sold at auction for $19.25 million
Common F/S Frauds
Revenue misstatements
Expense misstatements
Management Estimates
Revenue Misstatements
Years from $10B to $100B in revenue:
Enron: 4 years
Exxon Mobil: 17 years
Wal-Mart: 10 years
General Motors: 25+ years
Ford Motors: 25+ years
General Electric: 25+ years
- Financial Shenanigans, Schilit and Perler
Revenue Schemes
Front-loading sales: Coca-Cola, Computer Associates
Fictitious sales: ZZZZ Best
Shipping goods without customer authorization: Florafax International
- AAERs, 1982–2005
Revenue Schemes
Channel stuffing
Bill-and-hold sales
Early delivery
Premature recognition on percentage completion
projects
Mischaracterized consignment arrangements
Recording sales before lapse of right-to-return
Expense Schemes
Aggressive capitalization of expenses: WorldCom hid $3.8B in expenses
Manipulation of cost of goods sold and inventory
Liability/expense omissions
Consider Higher Risk Transactions
Cash Receipts
Consultant Payments and Other Payments for
Services
Purchase Exemptions (sole source, below scope)
Travel Expenditures
Global operations, FCPA
Judicial enforcement, Sentencing Guidelines
FCPA Exposure: Double Trouble
Salesmen made illicit payments through a variety of acceptable-looking invoices, recorded as different expenses, distorting the financial statements: a bribery violation and a books-and-records violation at once.
FCPA Anti-Bribery Penalties
Fines both civil and criminal
Civil penalties: up to $10,000 per violation
Maximum corporate liability: $2 million
Maximum individual penalty: $250,000 fine and 5 years' imprisonment
FCPA Accounting Provisions: Penalties
Entities: civil up to $500,000; criminal up to $25 million
Individuals: civil up to $100,000; criminal up to $5 million and 20 years' imprisonment
FCPA Accounting Provisions
Recordkeeping provision aimed at reducing:
Failure to record IMPROPER transactions
FALSIFICATION of records to conceal improper transactions
Failure to specify QUALITATIVE aspects of a transaction to conceal the true purpose of a payment
Federal Sentencing Guidelines
White collar crime:
• Mortgage fraud, real estate fraud
• Mail fraud, wire fraud, internet fraud
• Tax fraud
• Securities fraud
Minimum sentencing can be:
• Reduced by as much as 95%
• Increased by as much as 400%
Importance of Sentencing Guidelines
In 2009, Pfizer made a $2.3 billion settlement, by far the largest fraud-related fine in the history of the Department of Justice. The fine was so high because the DOJ found that Pfizer acted with indifference to the laws in place. The sentencing guidelines place a high premium on a sincere attempt to comply with the law.
Importance of Sentencing Guidelines
Siemens, a German industrial company that violated the Foreign Corrupt Practices Act: $800 million settlement in 2008
KBR/Halliburton, an oil services company that violated the Foreign Corrupt Practices Act: $580 million settlement in 2009
Electronics company LG: $400 million in an antitrust case
Opportunities to Commit Fraud
Lack of segregation of duties
Overriding of existing controls
Poor culture
39
Segregation of Duties
No one person should perform more than one of the following for the same transaction:
Initiate the transaction
Approve the transaction
Record the transaction
Reconcile balances
Handle assets
Review reports
Segregation of Duties for Two-Person Office
Bookkeeper:
Record accounts receivable and general ledger entries
Receive cash
Disburse petty cash
Write and mail checks
Record ledger entries
Reconcile bank accounts
Approve payroll
Authorize purchase orders, check requests, and invoices for payment
Executive:
Sign checks
Prepare deposit slips
Review bank reconciliations
Reconcile petty cash
Approve and process vendor invoices
Perform bank transfers
Distribute payroll
Segregation of Duties for Three-Person Office
Bookkeeper:
Write checks
Reconcile bank and petty cash accounts
Record accounts receivable and general ledger entries
Office Manager:
Authorize purchase orders, check requests, and invoices for payment
Approve and process vendor invoices
Receive cash
Disburse petty cash
Distribute payroll
Mail checks
Executive:
Sign checks
Prepare deposit slips
Review bank reconciliations
Perform bank transfers
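The two splits above can be checked mechanically rather than by eye. The following is an added example, not from the slides: it assigns each task on the two-person and three-person slides to a transaction stream and to one of the six duty classes from the "no one person should" slide (that task-to-class mapping, the stream names and the list of incompatible duty pairs are assumptions made for illustration), then reports every person who holds an incompatible pair within one stream and whether somebody else reviews that stream, which is the compensating control both slides rely on.

```python
"""Segregation-of-duties conflict check for the small-office task splits.

Added example (not from the slides). The mapping of each task to a
transaction stream and duty class, and the list of incompatible pairs, are
assumptions for illustration; the per-role task lists follow the slides.
"""
from collections import defaultdict

# Duty classes from the "no one person should..." slide. "review" is the
# detective control, so it is recorded but not treated as incompatible here.
INCOMPATIBLE = {
    frozenset(p) for p in [
        ("initiate", "approve"), ("approve", "custody"), ("approve", "record"),
        ("custody", "record"), ("reconcile", "custody"), ("reconcile", "record"),
    ]
}

# task -> [(stream, duty class)]  (assumed classification of the slides' tasks)
TASKS = {
    "record AR and GL entries": [("receipts", "record"), ("disbursements", "record")],
    "receive cash": [("receipts", "custody")],
    "prepare deposit slips": [("receipts", "custody")],
    "disburse petty cash": [("petty cash", "custody")],
    "reconcile petty cash": [("petty cash", "reconcile")],
    "write checks": [("disbursements", "custody")],
    "mail checks": [("disbursements", "custody")],
    "sign checks": [("disbursements", "approve")],
    "authorize POs and invoices": [("disbursements", "approve")],
    "approve and process vendor invoices": [("disbursements", "approve")],
    "perform bank transfers": [("disbursements", "initiate")],
    "reconcile bank accounts": [("receipts", "reconcile"), ("disbursements", "reconcile")],
    "review bank reconciliations": [("receipts", "review"), ("disbursements", "review")],
    "approve payroll": [("payroll", "approve")],
    "distribute payroll": [("payroll", "custody")],
}

# Role -> tasks, as on the two slides.
TWO_PERSON = {
    "Bookkeeper": ["record AR and GL entries", "receive cash", "disburse petty cash",
                   "write checks", "mail checks", "reconcile bank accounts",
                   "approve payroll", "authorize POs and invoices"],
    "Executive": ["sign checks", "prepare deposit slips", "review bank reconciliations",
                  "reconcile petty cash", "approve and process vendor invoices",
                  "perform bank transfers", "distribute payroll"],
}
THREE_PERSON = {
    "Bookkeeper": ["write checks", "reconcile bank accounts", "reconcile petty cash",
                   "record AR and GL entries"],
    "Office Manager": ["authorize POs and invoices", "approve and process vendor invoices",
                       "receive cash", "disburse petty cash", "distribute payroll",
                       "mail checks"],
    "Executive": ["sign checks", "prepare deposit slips", "review bank reconciliations",
                  "perform bank transfers"],
}


def sod_conflicts(assignments):
    """Return {(person, stream): {"pairs": [...], "reviewed_by": [...]}} for every
    person holding an incompatible pair of duty classes in one stream.
    reviewed_by lists other people who review that stream (the compensating
    control); an empty list means the conflict is open."""
    held = defaultdict(set)       # (person, stream) -> duty classes held
    reviewers = defaultdict(set)  # stream -> people who review it
    for person, tasks in assignments.items():
        for task in tasks:
            for stream, duty in TASKS[task]:
                held[(person, stream)].add(duty)
                if duty == "review":
                    reviewers[stream].add(person)
    conflicts = {}
    for (person, stream), duties in held.items():
        pairs = sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= duties)
        if pairs:
            conflicts[(person, stream)] = {
                "pairs": pairs,
                "reviewed_by": sorted(reviewers[stream] - {person}),
            }
    return conflicts


def total_pairs(assignments):
    """Number of incompatible duty pairs held across the whole office."""
    return sum(len(c["pairs"]) for c in sod_conflicts(assignments).values())


if __name__ == "__main__":
    for name, office in (("two-person", TWO_PERSON), ("three-person", THREE_PERSON)):
        print("%s office: %d incompatible pairs" % (name, total_pairs(office)))
        for (person, stream), c in sorted(sod_conflicts(office).items()):
            status = "reviewed by " + ", ".join(c["reviewed_by"]) if c["reviewed_by"] else "OPEN"
            print("  %-14s %-13s %s  [%s]" % (person, stream, c["pairs"], status))
```

Run stand-alone, it reports nine incompatible pairs for the two-person office and six for the three-person office: adding the office manager takes approval away from the bookkeeper, but the bookkeeper still writes checks, records and reconciles disbursements under the executive's review, and the executive both approves (signs) and initiates (transfers) disbursements with no one else reviewing that stream. That last item is the kind of residual conflict the risk assessment should list as an open risk or cover with another review.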
Lean Accounting
Lean: dropping processes that don't add value
JIT inventory allows some organizations to post only two rather than three transactions (no WIP)
E.g., Dell's one-day turnaround
Lean Accounting
Mazda's use of IT-based controls:
• Only five payables clerks
• IT controls force segregation of duties
• Directly links receiving goods with cutting checks
Management Override
Manager requests vendor disbursement without adequate
supporting documentation.
Manager requests purchases without obtaining appropriate
authorization.
Senior finance manager requests a significant journal entry
without basis.
Significant information technology changes are made without
appropriate approval or by bypassing the change-
management process.
Manager hires an employee without obtaining appropriate
senior management authorizations.
Source: www.royco.ca
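The Mazda slide's "directly links receiving goods with cutting checks" and the first override scenario above (a vendor disbursement requested without adequate supporting documentation) are two sides of the same control: a three-way match that releases payment only when the invoice, an approved purchase order and a receiving slip agree. The code below is an added example, not from the slides and not Mazda's system; the record layouts, vendor names, the 2% price tolerance and the sample purchase orders, receiving slips and invoices are all constructed for illustration.

```python
"""Three-way match: release a vendor invoice for payment only when it agrees
with an approved purchase order and with goods actually received.

Added example, not from the slides and not Mazda's system. Record layouts,
vendor names, the price tolerance and all sample records are constructed."""
from collections import defaultdict

PRICE_TOLERANCE = 0.02  # assumed: unit price may exceed the PO price by at most 2%

# Constructed sample data. approved_by=None models a PO raised without authorization.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "Acme Supply", "sku": "WIDGET", "qty": 100, "unit_price": 10.00, "approved_by": "office_mgr"},
    "PO-1002": {"vendor": "Acme Supply", "sku": "GASKET", "qty": 50, "unit_price": 4.00, "approved_by": "office_mgr"},
    "PO-1003": {"vendor": "Bolt & Co", "sku": "BOLT", "qty": 500, "unit_price": 0.50, "approved_by": None},
}
RECEIVING_SLIPS = [
    {"po": "PO-1001", "sku": "WIDGET", "qty_received": 100},
    {"po": "PO-1002", "sku": "GASKET", "qty_received": 30},  # partial delivery
    {"po": "PO-1003", "sku": "BOLT", "qty_received": 500},
]
INVOICES = [
    {"inv": "A-1", "vendor": "Acme Supply", "po": "PO-1001", "sku": "WIDGET", "qty": 100, "unit_price": 10.10},  # inside tolerance
    {"inv": "A-2", "vendor": "Acme Supply", "po": "PO-1002", "sku": "GASKET", "qty": 50, "unit_price": 4.00},   # bills more than received
    {"inv": "A-1", "vendor": "Acme Supply", "po": "PO-1001", "sku": "WIDGET", "qty": 100, "unit_price": 10.10},  # submitted twice
    {"inv": "B-7", "vendor": "Bolt & Co", "po": "PO-1003", "sku": "BOLT", "qty": 500, "unit_price": 0.50},      # PO never approved
    {"inv": "C-9", "vendor": "Consultant LLC", "po": None, "sku": "SERVICES", "qty": 1, "unit_price": 8000.00},  # no PO at all
]


def three_way_match(invoices, purchase_orders, receiving_slips):
    """Return [(invoice number, 'release' | 'hold', reasons)] in input order.

    Quantity is matched against what was received and not yet billed, so a
    second invoice for goods already paid for is held even if its number is new.
    """
    received = defaultdict(int)  # (po, sku) -> quantity on receiving slips
    for slip in receiving_slips:
        received[(slip["po"], slip["sku"])] += slip["qty_received"]
    billed = defaultdict(int)  # (po, sku) -> quantity already released for payment
    seen = set()               # (vendor, invoice number) already processed
    results = []
    for inv in invoices:
        reasons = []
        key = (inv["vendor"], inv["inv"])
        if key in seen:
            reasons.append("duplicate invoice number for this vendor")
        seen.add(key)
        po = purchase_orders.get(inv["po"]) if inv["po"] else None
        if po is None:
            reasons.append("no purchase order")
        else:
            if not po["approved_by"]:
                reasons.append("PO not approved")
            if po["vendor"] != inv["vendor"] or po["sku"] != inv["sku"]:
                reasons.append("vendor or item differs from PO")
            if inv["unit_price"] > po["unit_price"] * (1 + PRICE_TOLERANCE):
                reasons.append("unit price %.2f exceeds PO price %.2f beyond tolerance"
                               % (inv["unit_price"], po["unit_price"]))
            line = (inv["po"], inv["sku"])
            available = received[line] - billed[line]
            if inv["qty"] > available:
                reasons.append("billed qty %d exceeds unbilled received qty %d"
                               % (inv["qty"], available))
        if reasons:
            results.append((inv["inv"], "hold", reasons))
        else:
            billed[(inv["po"], inv["sku"])] += inv["qty"]
            results.append((inv["inv"], "release", []))
    return results


def held_invoices(results):
    """Invoice numbers that need a reviewer, with their reasons."""
    return [(number, reasons) for number, decision, reasons in results if decision == "hold"]


if __name__ == "__main__":
    for number, decision, reasons in three_way_match(INVOICES, PURCHASE_ORDERS, RECEIVING_SLIPS):
        print(number, decision, "; ".join(reasons))
```

Only the first invoice is released. The partial delivery, the unapproved PO and the invoice with no PO at all are held with a reason a reviewer can act on, and the resubmitted invoice is caught twice over: once by its number and once because the received quantity has already been billed, so a resubmission under a fresh number would still be held. The "hold" list is exactly the set of disbursements that a manager would have to override to get paid, which is what the monitoring of key controls later in the deck is meant to surface.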
Business Case for Strong Culture
Source: Ethisphere Institute (http://ethisphere.com/wme2011/)
Culture: Discussion Question
On a scale of 1 to 10 (1 being lowest and 10
being highest), how much emphasis does your
organization place on preventing fraud?
Detecting fraud? Investigating known
instances of fraud?
Fraud Deterrence Scorecard
Source: ACFE 2010 Report to the Nations
How To Report Fraud: Hotlines
Source: www.es.northropgrumman.com
Whistleblower: Anti-Retaliation Policies
Matthew Lee, a 14-year Lehman veteran, first raised concerns on May 16, 2008, when he sent a letter to senior Lehman management about his concerns over the firm's valuations of illiquid investments and the quality of its accounting controls.
After he sent his letter, Lee said he was pulled out of a meeting and fired on the spot. Lehman has said he was let go as part of broader work-force cuts.
During a June 2008 interview with Ernst & Young, Lee raised concerns that the securities firm was temporarily moving $50 billion in assets off its balance sheet.
"Colorable claims exist that Ernst & Young did not meet professional standards, both in investigating Lee's allegations and in connection with its audit and review of Lehman's financial statements," the examiner said.
Source: Wall Street Journal, Mar. 15 and Dec. 21, 2010
Tips for Whistleblowers
Courts frown on wild accusations and on going to the media prematurely, and may deny whistleblower protection as a result
In 2006, an informant brought office gossip about possible fraudulent misstatements by Northwestern University for a loan renewal
In Tides v. The Boeing Co., the court expected the informant to go to supervisors, law enforcement and Congress first
In 2009, an Air Marshal went to the media first when expressing concerns over budget cuts
What Does a Strong Corporate Culture Look Like?
Cult-like cultures:
Fervently held ideology
Indoctrination
Tightness of fit, enforcement of fit
Elitism, pride
- Jim Collins and Jerry Porras, Built to Last
What Does a Strong Corporate Culture Look Like?
Hallmarks of cult-like cultures:
Orientation and ongoing training programs
Internal "universities" and training centers
On-the-job socialization by peers and immediate supervisors
Rigorous up-through-the-ranks policies: hiring young, promoting from within
Exposure to a pervasive mythology of "heroic deeds"
Unique language: Disney "cast members"
Corporate songs: Wal-Mart staff meeting cheers
Tight screening process: Google's numerous interviews
Tolerance for honest mistakes that do not breach the company's ideology
Buy-in mechanisms: stock options, bonus pool
Constant verbal and written emphasis on corporate values
- Jim Collins and Jerry Porras, Built to Last
Corporate Culture: Hewlett-Packard
The H-P Way (Bill and Dave):
Performance bonuses
Employee shares
Ground-level decision making
Tuition support
Family accommodations, e.g., attending Little League games
Patricia Dunn, Carly Fiorina, Mark Hurd
Corporate Culture
Facebook’s Mark Zuckerberg:
• Hacked dormitory ID images
• Hacked Crimson editors email accounts
• ‘Hacking’ at Facebook
• Beacon
Zero Tolerance
Tolerance undermines anti-fraud efforts:
Gives fraud perpetrators confidence they won't be punished
Tolerance of smaller items emboldens perpetrators
Having a public record of the incident, such as a police report, can also be important for:
Future insurance claims
Employment law, references
Fraud Tolerance: Pamrapo
Bank Secrecy Act violations, forfeiting $5 million
Concealed its customers' illegal or suspicious activities by failing to file:
• Currency Transaction Reports
• Suspicious Activity Reports
Willfully failed to maintain adequate anti-money laundering programs
Fraud Tolerance: Pamrapo
Managing Director:
• Disgruntled by a pay cut
• Got permission from his father, the bank's founder, to divert the commissions
No other officer or director of either the bank or the subsidiary was aware of the arrangement
Jury convicted the former Managing Director on 33 counts of mail fraud
Publicize Offenses: Best Buy
A Best Buy store employee was terminated for a violation of the company's Inappropriate Conduct Policy. The employee entered a friend's RewardZone information when ringing up other customers' purchase transactions. As a result, the employee's friend was credited with additional purchases under the RewardZone program and received an incremental dollar amount of RewardZone certificates.
Source: http://www.kathleenedmond.com/2010/03/09/employee-terminated-for-defrauding-rewardzone-program/
Pressures to Commit F/S Fraud
Declining product demand
A slowdown for previously fast-growing companies
Unreasonable performance goals
Need to meet third party expectations
Reasonable Performance Goals
When evaluating how performance measurement
metrics affect employee behavior, consider:
Does the company have unrealistic productivity
measurements and expectations?
Is key employee compensation primarily based on
company performance?
Is there an incentive to use inappropriate means to
minimize earnings for tax reasons?
Is there excessive pressure to increase the company’s
stock price?
Discussion Question
Can you think of any performance goals set for
a division or unit manager in your organization
that might promote an incentive to commit
fraud?
Need to Meet Third-Party Expectations
Collapse in stock price
Accounting shenanigans
$50 million fine to the SEC (Forbes, August 4, 2009)
Sample Fraud Risk Assessment Framework
Columns: Identified Fraud Risks and Schemes | Likelihood | Significance | People and/or Departments | Existing Anti-Fraud Controls | Controls' Effectiveness Assessment | Residual Risks | Fraud Risk Response
Rows (risk categories): Financial Reporting; Misappropriation of Assets; Corruption; Other Risks
Risk Response
Define risk appetite:
Qualitatively (low, medium, high)
Quantitatively (numerically)
Prioritized by types or sources of fraud
Treat risk: accept, share, mitigate, avoid
Report Risk: Heat Map
Heat Map, Division Level: Insurance, Title, Development, Rentals, Brokerage
Monitor Key Controls: Compliance Chart
Controls tracked by month (J F M A M J J A S O N D):
Monthly statements to customers
Reconciling shipping tickets to invoices
Supervisory approval of sales discounts
Supervisory review of credit memos issued
Continuous monitoring of expense reports
Time card audits
Matching invoices to receiving slip and P.O.
Vendor evaluation process
Legend:
Control operating consistently and effectively
Control operating effectively a majority of the time; no significant breaches noted
Control NOT operating consistently; significant breaches noted
Mitigating control
Discussion Question
How are fraud findings connected to
pervasive fraud risks?
Discussion Question
What information is communicated to
employees in your organization regarding
fraud risks and procedures for reporting
suspected fraud? What methods are used to
disseminate this information?
“Association of Certified Fraud Examiners,”
“Certified Fraud Examiner,” “CFE,” “ACFE,” and
the ACFE Logo are trademarks owned by the
Association of Certified Fraud Examiners, Inc.
The contents of this paper may not be
transmitted, re-published, modified, reproduced,
distributed, copied, or sold without the prior
consent of the author.