May 20, 2014 Articles

Fighting Fraud: Detecting, Investigating, and Managing Fraud Risk

By Kerry Francis and Phebe Neely Ciulla

The alarm could be a whistleblower’s allegation left on a tip line. Or, it could be the “aha!” moment of discovering an issue during a routine audit. However it comes to light, the possibility of fraud is one of the scarier scenarios for almost any organization.

To help reduce fraud risk, companies with leading practices make significant investments in designing anti-fraud programs and instructing internal auditors or internal accountants to be alert for red flags that serve as fraud indicators. While there is no exact science to finding fraud or creating a perfect anti-fraud program, the experiences of organizations that have faced the problem can provide in-house and external counsel with useful guidance in advising their management team or clients. This article shares practical tips for identifying and managing fraud risk, improving the efficiency and effectiveness of a fraud investigation, and implementing an anti-fraud program.

Detect Possible Fraud
When it comes to identifying fraud, many set out to find that ever-elusive “smoking gun.” Fraud specialists tend to use three principal lenses when looking for the subtle clues of fraud: incentives/pressures, opportunities, and attitudes/rationalizations. The following are examples of risk factors in each of these three areas:


Incentives/Pressures

• Rapid growth or unusual profitability, especially compared with that of other companies in the same industry

• High degree of competition or market saturation, accompanied by declining margins

• High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates

• Need to obtain additional financing to stay competitive

• Profitability or trend level expectations of investment analysts, investors, or creditors

Opportunities

• Notable related-party transactions with related entities

• A strong financial presence or ability to dominate the industry sector that allows the entity to dictate terms with suppliers or customers

• Use of significant estimates that involve uncertainties that are difficult to observe

• Major operations located across international borders in jurisdictions with differing business environments

• Significant, unusual, or highly complex transactions

Attitudes/Rationalizations

• Casual attitudes toward the entity’s control environment

• Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend

• Nonfinancial management’s excessive participation in determining significant estimates

• Strained relationship between management and auditors

As these risk factors cover a broad range of situations, not all of them may be relevant to specific circumstances. Some may be of greater or lesser significance in entities of different size, ownership characteristics, or circumstances. Even the company’s industry itself will determine which risk factors are more or less relevant. Therefore, before hunting for these clues, a reasonable understanding of the entity’s background, historic business practices, and industry risk factors is necessary.

Plan and Conduct an Investigation
A whistleblower tip, an internal audit finding, or some other source indicating potential fraud may be the impetus for an investigation. Fraud investigations run from the simple to the complex—one size doesn’t fit all. While every investigation should be tailored to the particular situation, some basic elements are characteristic of a well-designed investigative plan:

Decide who should conduct the investigation. There are pros and cons to having the investigation conducted in-house or by external resources. Internal resources might benefit from intimate knowledge of the company, but internal political challenges and reporting structure might impede the process. Using external resources might bring independence and objectivity to the task, but cost may become an issue. If the allegations involve senior management or appear to involve significant and material financial accounting, reporting and disclosure items, external resources would be appropriate to investigate objectively. Ultimately, the choice may come down to which approach best addresses the allegations, reduces risk, and accelerates the investigation.

Consider attorney-client privilege. Invoking attorney-client privilege may seem an obvious step to help maintain confidentiality and keep an investigation out of the public eye. However, deciding to waive attorney-client privilege and opting for full or substantial information disclosure can demonstrate willingness to cooperate with regulators or other third parties. The right choice will depend on the circumstances of the situation.

Collect and secure all evidence. News and rumors travel fast within and beyond an organization, and important evidence might just as quickly begin to disappear. Making sure nothing is destroyed is a crucial first step in any investigation. The company should consider a legal hold to secure electronic and paper documentation. Digital forensics may be used to gather emails, instant communication or “chats,” “hidden” documents, and recently created or deleted files. Other steps might include obtaining forensic images of data on computers and mobile devices, capturing transactional data related to allegations, and interviewing people who could potentially have information. While the interviews are likely to focus on key figures such as executives and staff directly involved in the allegations, invaluable insights may be obtained from others who are considered to have just been following orders.

Analyze the evidence. Once information has been gathered, the next step is to evaluate the facts around the alleged fraud scheme. Does the evidence confirm that the transaction occurred? When did it occur? How deeply did it penetrate the organization? Who was involved? How extensive were the losses? A review of company policies and procedures is important in evaluating remedial measures. In a regulatory investigation, such a review can provide evidence of the company’s control environment to establish a compliance mindset and atmosphere, which might be invaluable if sentencing or fines are to be meted out, as well as in the eyes of the media and public.

Present evidence in an appropriate manner. Evidence obtained from the investigation should introduce facts, not conclusions. Consider whether to make a written report, including the level of detail, who should receive it, and the possibility that it may end up in the hands of people other than the intended recipients. Consider disclosing evidence to regulatory authorities. Finally, identify improvements in process policies, controls, and appropriate remedial measures.

Implement an Effective Anti-Fraud Program
The most effective way to avoid the need for a fraud investigation in the first place is to implement a robust anti-fraud program. Basic components to any effective program include the following:

Governance. Establish oversight, clear accountability and ownership, and a culture of trust that encourages employees to come forward. A culture of trust should include, among other things, an ethical atmosphere, hiring and promoting appropriate employees, and discipline.

Policies. Establish policies, a code of ethics, and a whistleblower program. Determine the best distribution vehicles throughout the organization, such as posting online, face-to-face meetings, and translation to different languages if necessary.

Controls implementation and monitoring. Fraud can only occur when there is a perceived opportunity to commit and conceal the act. Organizations should be proactive in reducing these perceived opportunities by conducting periodic risk assessments. After identifying and measuring vulnerabilities, steps should be taken to enhance mitigation plans, as well as to implement and monitor preventative and detective internal controls. For example, one effective mechanism is to conduct periodic reviews of ethics hotlines and whistleblower programs.

Communication and training. Establish clear and consistent messaging and a tone of accountability at the top. Carry that tone to the middle by nurturing these values in mid-tier management ranks. New employees should be trained upon hire about the entity’s values and code of ethics. This training should explicitly cover expectations of all employees regarding (1) their duty to communicate certain matters; (2) a list of the types of matters, including actual or suspected fraud, to be communicated along with specific examples; and (3) how to communicate those matters. Employees should also receive refresher training periodically.

Fraud response plan. Document the protocols that need to be followed for an investigation, including who is to be notified and when, and who will perform the investigation.

Be Ready For Anything
Even if everyone is alert to possible fraud indicators and an anti-fraud program is well established, organizations might still find themselves dealing with an anonymous tip or an internal audit finding. Having a well-scoped investigation plan in place, a commitment to thorough discovery, and the ability to act quickly and decisively can help an organization weather a fraud incident and maintain its reputation, performance, and viability.

Keywords: woman advocate, litigation, fraud, fraud detection, fraud investigations, anti-fraud program

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).