Who Owns Fraud?

Uniting Everyone to Effectively Manage the Anti-Fraud Program

DAN TORPEY, CPA; MIKE SHERROD, CFE, CPA


January/February 2011

Companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations. Here are some practical ways to determine who owns fraud and accelerate anti-fraud programs within any company.

FRAUDMAGAZINE

www.fraud-magazine.com

Iron Works America (IWA) is a manufacturer of steel beams used in the construction of large commercial buildings. IWA's internal audit director, George Franklin, is responsible for monitoring the company's fraud hotline for allegations of misconduct made by employees. One day, Franklin received a hotline message from a sales manager in the Columbus, Ohio, office, who claimed he had proof that an employee in the Cleveland office had created a fake vendor scheme, received kickbacks from one of his suppliers, and was embezzling a significant amount of money through a complex revenue recognition scheme.

Franklin and his team quickly planned the initial stages of an investigation based on the allegations. However, Franklin soon received a call from IWA's human resources manager who said she received a message from the sales manager in the Columbus office who reported a violation of the code of conduct to her. As a result of this message, her department launched an internal investigation with assistance from IWA's general counsel's office two days before Franklin received the hotline message.

Franklin and his internal audit team members believed that others in the company were encroaching on their responsibilities because IWA's charter directed their department to manage all internal fraud examinations. Franklin became even more frustrated when he learned that IWA's chief compliance officer was discussing, with the members of the audit committee, plans to conduct a companywide fraud awareness training campaign as the beginning of a comprehensive fraud risk assessment process. The chief compliance officer wanted to accomplish this training campaign in the upcoming year. However, he hadn't discussed it with Franklin to get his perspective on how to structure the process because he thought the chairman of the audit committee had asked Franklin to include a fraud risk assessment in his internal audit plan for the year.

This fictitious example might seem extreme, but it's not uncommon as companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations. In fact, nearly half of respondents to the 2010 Ernst & Young Global Fraud Survey said that their organizations didn't have well-defined roles for different groups (internal audit, compliance, risk and legal) when responding to reports of possible fraud.

MULTIPLE PEOPLE, MULTIPLE CONCERNS


Many companies struggle to determine who'll be responsible for managing fraud examinations and fraud risks. In a perfect world, a company would designate one person to handle its anti-fraud program responsibility, such as the chief financial officer, chief compliance officer or general counsel. However, often a company might not designate one person as the owner of its anti-fraud efforts. As a result, confusion can reign, causing a lack of trust in the proactive anti-fraud program for management and employees, a dangerous deficiency in sharing of knowledge, and inefficient responses to fraud.

MODEL FOR AN ANTI-FRAUD GROUP

The good news is that many companies now realize that fraud challenges need to be addressed. The bad news is that those same companies might not be able to overcome inconsistencies, duplicative efforts, and a lack of communication because those responsible for anti-fraud efforts often operate independent of each other and not in a coordinated way.

We recommend that the ownership of anti-fraud efforts should be shared by a select group of individuals who each have, as part of their responsibilities, a role in addressing fraud proactively and reactively. The shared responsibilities of the overall anti-fraud program would ensure that the roles of the team members would be more effective to the overall group. Each individual would then have a specific goal and greater accountability to the group. This approach also would give comfort to the board or executive management within the company that the anti-fraud program was effective and efficient in its approach to fraud risk management.

The group should select a chairperson who will shepherd the group to the goals they want to establish and ultimately achieve. The chairperson's overall role is to ensure that the elements established for the anti-fraud program are being met and the responsible individuals are working together to ensure that the elements are being implemented and monitored. The chairperson would also work with the group to determine any needed modifications to the overall anti-fraud program.

Tim Pearson, executive director of the Institute for Fraud Prevention (www.theifp.org/), believes that a chief compliance or integrity officer is best suited to chair the team and meet regularly with the committee representatives to report anti-fraud coordination efforts.

"Fraud is more likely to go undetected when the responsibilities for education, monitoring and risk management are diffused across reporting lines so no one individual or group can truly get a handle on the fraud risks facing an organization," Pearson said. "We want everyone in an organization to support anti-fraud initiatives, but someone must craft and share a vision on how fraud can best be prevented."

We've found that this might vary from company to company depending on the corporate structure and the overall corporate governance model in place (i.e., internal audit charter, corporate compliance program, code of conduct) or the experience or expertise of the team members. This anti-fraud team should clearly define its overall ownership and responsibility of the implementation and continued oversight of the program.

The graphic "Who Owns Fraud?" below demonstrates this collective ownership model for an anti-fraud team and the recommended processes for proactive and reactive approaches to fraud risk management.

The team members must possess diverse skill sets to address the complexities of fraud cases and proactive fraud risk initiatives. Therefore, the team should include representation from executive management, the audit committee, the investigations group, the compliance department, the controller's group, the internal audit department, information technology, security, the general counsel's office and the human resources department.

The team must clearly articulate each member's role and responsibilities to avoid duplication of effort and ensure that the process will achieve the desired outcomes.

[Graphic: Who Owns Fraud? Having a Seat at the Table]

DEVELOPING AN EFFECTIVE ANTI-FRAUD PROGRAM

Once the right team is in place, it should develop an effective anti-fraud program. The objective of this program, as shown in the "Who owns fraud?" graphic, is to provide the framework for an organization to prevent, detect, report and investigate internal and external fraud.

As we've worked with companies in various industries to develop programs, we've used a wide array of approaches to unify companies' fraud teams. To illustrate this point, we'll continue with our case study from the beginning of the article. Due to George Franklin's frustrations, IWA put into place a fraud task force made up of compliance, general counsel, internal audit, human resources and the controller's group to create, implement and monitor its anti-fraud program.

Based on numerous meetings to design the process and assess the skill sets of the task force members, the group determined that internal audit and compliance would be responsible for the companywide fraud risk assessment. The controller's group would be responsible for controls monitoring to address the fraud risks identified from the fraud risk assessment. General counsel, human resources and internal audit would be responsible for ensuring that any fraud investigations were handled properly. All task force members would be responsible for creating effective elements to develop the tone and culture within IWA. As you can see, these elements of the program build upon each other and the entire anti-fraud program framework is more effective because of the collaboration of the members of the task force.

That framework, of course, can't provide absolute assurance that fraud won't occur within a company or that all fraud will be identified proactively. However, a strong anti-fraud program will provide management and employees with opportunities, guidance and support to:

• Understand the expectations of the company and practice them every day
• Recognize unacceptable behavior and encourage that action be taken
• Prioritize fraud risks and determine those risks that warrant attention
• Install controls to mitigate identified risks or suspected fraud risks
• Formulate actions to take once fraud is detected
• Ensure that these actions are followed if an investigation begins
• Share leading practices across business functions and segments

In other words, a strong and well-conceived anti-fraud program helps place a greater emphasis on the company's oversight and provides a framework for responding when issues arise.

We've identified seven elements of an effective anti-fraud program, which fall into three overall categories: setting the proper tone, proactive steps and reactive steps. The elements to set the proper tone include: the code of conduct or code of ethics, fraud prevention policies, and communication and training. The proactive elements include: a fraud risk assessment and monitoring controls. The reactive steps include: a fraud response plan and ownership over the entire anti-fraud program. (See the graphic, "Seven Elements of an Effective Anti-Fraud Program" on page 40.)

SETTING THE TONE WITH A CODE OF CONDUCT, POLICIES AND TRAINING

When setting the proper tone, management must go beyond stating that "we hire good people," or "we operate our company with integrity." It must demonstrate how these principles are tactically embedded into the company's daily operations to create a culture of constant integrity.

[Graphic: Seven Elements of an Effective Anti-Fraud Program]

• Promote honest and ethical conduct
• Provide full, fair, accurate, timely and understandable disclosure in reports and documents
• Comply with applicable governmental laws, rules and regulations
• Be specific to the individual organization and its operations
• Guide employees through complex issues
• Provide a channel for employees or third parties to report fraud
• Educate employees regarding the organization's code of ethics
• Understand the protocols for reporting suspicious activity
• Establish procedures to govern the escalation of fraud allegations, guiding important resource decisions
• Provide support and protection for whistleblowers
• Communicate the disciplinary actions that may be taken in the event of fraud
• Raise awareness of fraud schemes and scenarios that are specific to the company
• Create a road map for future areas to analyze with analytics and determine if controls are sufficient to mitigate
• Specify fraud schemes that are industry- and sector-specific as well as geographic
• Provide annual and real-time updates to fraud risk assessment work plan to address change in business environment, acquisitions, current issues, etc.
• Rank fraud schemes identified within the risk assessment
• Report the results of the action plans to executive management and/or the audit committee
• Establish investigation protocols
• Coordinate remediation action steps across business units
• Maintain consistent disciplinary procedures
• Be accountable for adherence to the code and the sanctions to be imposed
• Identify common types of fraud schemes that could occur within any organization
• Develop action plans to assess, improve, and/or monitor the controls associated with the risks identified
• Report internal violations of the code promptly
• Challenge prior year controls and analytics protocols to update with current state issues and effective use of technology
• Help set the tone within the organization with respect to fraud
• Develop investigation protocols for internal and external resources

A code of conduct or code of ethics establishes the guiding principles of a company. Among other things, it should promote honest and ethical conduct, compliance with applicable laws and regulations, and prompt reporting of violations of the code.

Clearly establishing fraud policies and procedures helps employees understand acceptable conduct and how to report suspected violations. Fraud awareness training, another significant and often overlooked aspect of an anti-fraud program, is a key element in setting the proper tone within an organization.

Companies that have anti-fraud training often spend too much time focusing on occupational fraud, such as stealing assets from the company (i.e., inventory and petty cash), because participants can easily visualize and understand these crimes. However, they often overlook other important areas such as corruption, financial statement fraud, vendor due diligence, misconduct and fraud when dealing with third parties, and theft of intellectual property and sensitive data.

One size doesn't fit all. Companies are creating fraud awareness training programs for all employees on a general level and then providing more specific, comprehensive training dealing with relevant risks for different groups or business areas. Another overlooked aspect of an effective fraud awareness training program is ensuring that the training reaches these different business areas within the company. It's important that employees understand why the training is relevant and that they comprehend the information presented. Post-training assessments can assist with determining this comprehension by making sure the employees captured the information and the objectives of the training were met.

All employees should receive annual fraud awareness training as part of the new-hire orientation process and as a component of the integration process for newly acquired companies, joint ventures or subsidiaries. Sophisticated training includes modules taught by the company's internal audit, technology, compliance and security professionals. The emphasis should be on detecting schemes such as fake vendor schemes, bribery and corruption issues, and accounting fraud and revenue recognition awareness. This is another way to encourage synergies from the results of the fraud risk assessment by creating training programs to address the specific risks identified.

Employees, vendors, customers and other stakeholders who don't learn a company's anti-fraud policies and procedures, compliance and ethics programs, reporting protocols, and fraud risks won't know the organization's acceptable behavior. They can expose the company to major problems because they don't know how to effectively report suspected fraudulent activities.

Many companies are taking anti-fraud training programs a step further by educating their top executives and then evaluating them on their character development. Vincent Higgins, president of the Institute for Effective Leadership (www.effective-leadership.com), a company that provides training to C-suite executives, says organizations are increasingly hiring his firm to help evaluate executives' leadership abilities and train
them in understanding integrity issues. While companies or recruiters can't predict who might engage in fraud, they can limit their exposure by enhancing the training of their highest executives on such important issues.

"We find that the best anti-fraud strategy is creating an integrity culture," Higgins says. "Processes follow culture, not the other way around. And culture is determined primarily by the leaders' attitudes and choices. Therefore, the integrity component must be an essential part of the equation in executive search; it must be developed constantly at the individual and executive team levels, and it must be rewarded as a requisite for advancement and compensation. Otherwise an organization is treating symptoms rather than causes."

PROACTIVELY ASSESSING FRAUD RISK AND MONITORING CONTROLS

Execution of a robust fraud risk assessment is the first proactive step management can undertake. The assessment's purpose is to identify and prioritize areas that pose a higher risk of fraud. Keep in mind that individuals commit fraud, not IT systems or business processes. Therefore, when executing a fraud risk assessment, management must understand the reasons people commit fraud (pressure, opportunity and rationalization) as well as direct or indirect vulnerabilities.

The next proactive step is to identify and monitor internal controls to mitigate the risks. Action plans should be developed to document and evaluate the controls that mitigate any fraud risks found during the assessment. These plans should specify who'll be responsible for monitoring and testing the controls, and who'll review the results of their work.

BEING PREPARED TO REACT TO FRAUD AND DEFINING ROLES AND RESPONSIBILITIES

Of course, fraud will still occur even though management sets the proper tone, trains their people on spotting problems, executes a robust fraud risk assessment, and designs internal controls to prevent and detect fraud. Therefore, the anti-fraud team has to establish reactive elements for the anti-fraud program.

The cornerstone of any reactive element in an anti-fraud program is a timely response to the suspected fraud with the right team. The team should establish, review, approve, and maintain policies and procedures regarding the company's responses to fraudulent activities. The fraud response plan should encompass investigations, remediation and uniform disciplinary processes.

The team also should establish an investigation protocols framework for management. The protocols should state that all suspected frauds, regardless of sources, will be reviewed and investigated. The team will determine who'll lead the investigations if external assistance is needed, such as outside forensic assistance with fraud experience, and the results of the investigations will be communicated to the audit committee in a timely manner.

To illustrate our points on how paramount the success of the fraud response plan is to the overall fraud risk assessment, we continue our example with George Franklin and IWA. In previous years, Franklin had a concern about the effectiveness of the fraud response plan. His team would identify a fraud issue during the course of its internal audits and raise this issue to management, but his team would never receive updates on what happened or where the control breakdown occurred. This truly represented a breakdown in the effectiveness of the anti-fraud program. The internal audit team would be much more effective on future audits if they were updated on identified and investigated issues. In addition, the fraud awareness training program and the fraud risk assessment process could benefit from this knowledge.

For an effective fraud response plan to work, it has to communicate those who'll work on specific tasks from the moment the allegation is identified to the point of reporting the results. The anti-fraud program oversight team will be responsible for reviewing the allegations and then determining, based on their assessment, who should get involved, and to whom the results should be reported. The team will do this on a case-by-case basis, but the fraud response protocol will guide the team toward a documented, consistent process.

THE ULTIMATE SUCCESS IS THROUGH SYNERGY

The team's key to success is to produce synergy among the team members by developing excellent communication. The team members should share a common goal and approach to fraud detection and response, which results in greater accountability in executing a task.

In our opening scenario, Franklin's frustrations escalated when he became aware that other groups were involved in proactively and reactively dealing with fraud without his knowledge. This dysfunctional atmosphere creates an environment of inefficiencies and a lack of knowledge transfer, and impacts the ability to effectively deal with fraud.

Fraud is an extremely complex issue, and an oversight committee, such as an anti-fraud program oversight team, that's committed to a common goal is often the best method to deal proactively and reactively with these complexities. The team's anti-fraud program can then become the channel for the dissemination of messages from the top of the organization to all employees. This new environment will help reinforce an atmosphere of constant integrity throughout the company that will allow the company to more effectively deal with fraud.

Companies that have built anti-fraud programs, which include setting the proper tone, forming proactive and reactive measures, and clearly defining roles and responsibilities, will stand the best chance of mitigating risks and effectively addressing fraud.

The views expressed here are those of the authors and don't necessarily reflect the views of Ernst & Young LLP.

Dan Torpey, CPA, and Mike Sherrod, CFE, CPA, are members of Ernst & Young LLP's Fraud Investigation & Dispute Services practice. Their e-mail addresses are: daniel.torpey@ey.com and mike.sherrod@ey.com.

What's Driving the Focus on Anti-Fraud Efforts?

Effectively managing fraud in the most cost-effective way is paramount to the success of an anti-fraud program, especially in the current economic environment. Streamlining communications and aligning resources is critical to the process. Added pressure is coming from several important regulatory and market drivers:

• On June 20, 2007, the Securities and Exchange Commission (SEC) published interpretive guidance on management's report on internal control over financial reporting, including references to dealing with fraud risk. The guidance indicated that management should consider performing an analysis of their fraud risks.
• In July 2008, the ACFE, the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and representatives from the Big Four accounting firms and other consulting businesses published "Managing the Business Risk of Fraud: A Practical Guide" (ACFE.com/documents/managing-business-risk.pdf). Also see "Managing the Business Risk of Fraud: Indispensable Planning," by Grace B. Ghezzi, CFE, CPA/PFS, AEP, in the January/February 2009 issue of Fraud Magazine.
• In mid-2009, the SEC announced a reorganization and a renewed emphasis on fraud-related enforcement including specialist teams of enforcement officials.
• In November 2009, President Barack Obama announced a new Financial Fraud Enforcement Task Force comprised of representatives from more than 20 federal agencies, which included the Departments of Justice, Treasury, and Housing and Urban Development; and the SEC.
• On April 7, 2010, the U.S. Sentencing Commission voted to amend the Federal Sentencing Guidelines relating to corporate compliance and ethics programs. These amendments took effect on Nov. 1, 2010.
• On Oct. 6, 2010, the Center for Audit Quality (CAQ) issued a report entitled, "Deterring and Detecting Financial Reporting Fraud: A Platform for Action," as part of its anti-fraud initiative. The report contains a thoughtful examination of the motivators behind fraudulent financial reporting and explores themes for mitigating the conditions that can lead to fraud.
