Tag Archives: COSO

Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then corporate structures were put in place to facilitate decision making as ownership spread over millions of shareholders, and boards of directors took over many responsibilities. With time, however, the chief executive officer (CEO) came to have a large say in the composition of the board and, in many instances, effectively ruled and controlled the company and its strategy. The only option left to shareholders unhappy with the performance of an organization appeared to be to sell their shares. Many anti-fraud professionals think this situation contributed significantly to business failures such as Enron's and to the damage caused by the mortgage meltdown and the financial crisis that followed.

Proposals were made to rebalance the power structure by giving more power and responsibility to the board and to specific committees: the audit committee, to oversee internal control and fair financial reporting, and the remuneration committee, to oversee the basis, type and level of the CEO's pay. New legislation and regulation followed, such as the US Sarbanes-Oxley Act and the Basel II banking accords. Compliance with these consumed a great deal of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Because speedy direction setting and quick reaction to change are essential, decision making must be shared among many people, and that is where governance comes into play. Successful enterprises implement an overarching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to fraud detection. In this context, a holistic definition of enterprise governance is in order: governance is the framework, principles, structure, processes and practices used to set direction and to monitor compliance and performance, aligned with the overall purpose and objectives of an enterprise.

This definition is put into practice by answering, and acting on, the following governance-related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated by the owner/stakeholder to a governance body, which is expected to take responsibility for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the overarching governance function and can be implemented through numerous generally accepted procedures. A few examples follow.

One way to increase the likelihood that the governance function will detect fraud is to conduct periodic external and internal audits, supplemented by special network security audits. Auditors should regularly test system controls and periodically "browse" data files looking for suspicious activity. Care must be taken that employees' privacy rights are not violated, and the auditors' own browsing should itself be logged and limited to what the audit scope requires. Informing employees that auditors will conduct random reviews not only helps resolve the privacy issue but also has a significant deterrent effect on computer-assisted fraud.

Employees who witness fraudulent behavior are often torn between two conflicting feelings: they feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by coworkers or superiors, or whose careers have been damaged. An effective way to resolve this conflict is to give employees a hotline through which they can report fraud anonymously. The downside of hotlines is that many of the calls are not worth investigating: some come from people seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A further problem is that the people who operate the hotline may report to managers who are themselves involved in a management fraud. This threat can be overcome by using a fraud hotline operated by a trade organization or commercial company, which can pass reports of management fraud directly to the board of directors.

Many private and public organizations use outside consultants or in-house teams to test and evaluate their security procedures and computer systems through penetration testing. The consultants are paid to try everything possible, within agreed rules of engagement, to compromise an enterprise's systems. To get into offices so they can look for passwords or get onto computers, they masquerade as janitors, temporary workers or confused delivery personnel. They also employ software-based hacking tools (readily available on the Internet) and social engineering techniques. Using such methods, some outside consultants claim that they can penetrate, to a greater or lesser degree, 90% or more of the companies they "attack".

All financial transactions and activities should be recorded in a log that indicates who accessed what data, when, and from which location. Logs should be protected from alteration by the very people whose activity they record, and reviewed frequently to monitor system activity and trace any problem to its source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they process. These packages evaluate the security measures already in place and test for weaknesses and vulnerabilities; a series of reports then explains any weaknesses found and suggests improvements. Cost parameters can be entered so that a company can balance an acceptable level of vulnerability against cost. There are also intrusion detection programs and utilities that can detect unauthorized entry into systems, along with software that monitors system activity and helps companies recover from fraud and malicious actions.
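As an added example (not code from the original post), the following Python shows what a periodic review of such a log can look like in practice. It parses a constructed audit log in the who/what/when/where form described above, flags off-hours access, access from a location a user does not normally work from, and users touching an unusual number of records in a day, and adds a running hash chain so that a later edit to any log line is detectable. The log format, the business-hours window, the per-user location baseline and the daily threshold are all assumptions made for the example.

```python
"""Review a constructed financial-system audit log for suspicious access.

Added example, not from the original post. The log format, field names,
business-hours window, location baseline and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time
import hashlib

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window
DAILY_RECORD_THRESHOLD = 3                   # assumed per-user limit for the sample

# Constructed sample log: timestamp user record action source_ip (not real data)
AUDIT_LOG = """\
2016-09-12T09:14:03 alice ACCT-1001 READ 10.1.4.22
2016-09-12T09:20:41 alice ACCT-1002 READ 10.1.4.22
2016-09-12T10:05:17 bob ACCT-2201 UPDATE 10.1.7.9
2016-09-12T23:48:55 bob ACCT-2202 UPDATE 10.1.7.9
2016-09-13T02:03:10 carol ACCT-3301 READ 203.0.113.8
2016-09-13T02:03:11 carol ACCT-3302 READ 203.0.113.8
2016-09-13T02:03:12 carol ACCT-3303 READ 203.0.113.8
2016-09-13T02:03:13 carol ACCT-3304 READ 203.0.113.8
2016-09-13T11:30:00 alice ACCT-1003 READ 10.1.4.22
"""

# Assumed baseline of the addresses each user normally works from.
KNOWN_LOCATIONS = {
    "alice": {"10.1.4.22"},
    "bob": {"10.1.7.9"},
    "carol": {"10.1.9.14"},
}


def parse_log(text):
    """Split whitespace-separated log lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record, action, ip = line.split()
        entries.append({"when": datetime.fromisoformat(ts), "who": user,
                        "what": record, "action": action, "where": ip,
                        "raw": line})
    return entries


def review(entries, known_locations=KNOWN_LOCATIONS,
           hours=BUSINESS_HOURS, threshold=DAILY_RECORD_THRESHOLD):
    """Return findings as (rule, user, detail) tuples."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct records touched
    for e in entries:
        t = e["when"].time()
        if not (hours[0] <= t <= hours[1]):
            findings.append(("off_hours", e["who"], e["raw"]))
        if e["where"] not in known_locations.get(e["who"], set()):
            findings.append(("unusual_location", e["who"], e["raw"]))
        per_user_day[(e["who"], e["when"].date())].add(e["what"])
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) > threshold:
            findings.append(("volume", user,
                             f"{day}: {len(records)} distinct records"))
    return findings


def chain_log(lines, seed=b"audit-chain-seed"):
    """Attach a running SHA-256 to each line so a later edit breaks the chain."""
    prev = hashlib.sha256(seed).hexdigest()
    chained = []
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, digest))
        prev = digest
    return chained


def verify_chain(chained, seed=b"audit-chain-seed"):
    """Return the index of the first record whose digest no longer matches, or None."""
    prev = hashlib.sha256(seed).hexdigest()
    for i, (line, digest) in enumerate(chained):
        expected = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if expected != digest:
            return i
        prev = digest
    return None


if __name__ == "__main__":
    entries = parse_log(AUDIT_LOG)
    for rule, user, detail in review(entries):
        print(f"{rule:17} {user:6} {detail}")
    chained = chain_log([e["raw"] for e in entries])
    print("chain intact:", verify_chain(chained) is None)
```

The three rules are deliberately simple; what matters in practice is that the baseline (who normally works from where, and how much) is maintained independently of the people being reviewed, and that the hash chain's seed and the stored digests are kept somewhere the logged users cannot write.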

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that simply do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often a provider performs a given procedure, whether a diagnosis and the procedures performed fit the patient's profile, how long a procedure takes, and how far patients live from the doctor's office.
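The four health insurance symptoms just listed can be expressed as screening rules over claim records. The Python below is an added example, not code from the original post or from any fraud detection product: it scores a constructed set of claims for profile mismatch (sex or age incompatible with the procedure), implausibly short procedure duration, patients who live far from the provider, and providers who bill a procedure far more often than their peers. The procedure profiles, thresholds, provider locations and claim records are all assumptions made for the example.

```python
"""Rule-based screening of health insurance claims for the fraud symptoms
named in the post: procedure frequency, fit with the patient's profile,
procedure duration and patient-to-provider distance.

Added example, not from the original post. Profiles, thresholds, locations
and claims below are constructed assumptions, not real data.
"""
import math
from collections import defaultdict

# Assumed per-procedure profile: (allowed sexes, min age, max age, typical minutes)
PROCEDURE_PROFILE = {
    "HYST": ("F", 18, 120, 90),   # hysterectomy
    "PREN": ("F", 12, 55, 20),    # prenatal visit
    "PROS": ("M", 40, 120, 45),   # prostate biopsy
    "COLO": ("MF", 18, 120, 30),  # colonoscopy
}
MAX_PATIENT_DISTANCE_KM = 150.0  # assumed: farther than this is worth a look
MIN_DURATION_FRACTION = 0.5      # assumed: under half the typical time is implausible
FREQUENCY_MULTIPLIER = 2.0       # assumed: more than 2x the peer average stands out

# Constructed provider office locations (lat, lon).
PROVIDERS = {
    "DR-A": (40.7128, -74.0060),
    "DR-B": (40.7306, -73.9866),
    "DR-C": (40.7484, -73.9857),
}

# Constructed claims: id, provider, patient sex, age, procedure, minutes, home (lat, lon).
CLAIMS = [
    ("C01", "DR-A", "F", 45, "COLO", 30, (40.7300, -73.9900)),
    ("C02", "DR-A", "M", 52, "COLO", 8, (40.7350, -73.9950)),   # too quick
    ("C03", "DR-A", "M", 61, "COLO", 30, (40.7250, -74.0000)),
    ("C04", "DR-A", "F", 38, "COLO", 30, (40.7200, -73.9800)),
    ("C05", "DR-A", "M", 29, "COLO", 28, (40.7400, -73.9900)),
    ("C06", "DR-A", "F", 70, "COLO", 30, (41.8781, -87.6298)),  # lives in Chicago
    ("C07", "DR-B", "M", 58, "COLO", 32, (40.7300, -73.9900)),
    ("C08", "DR-B", "F", 64, "COLO", 30, (40.7310, -73.9800)),
    ("C09", "DR-C", "M", 50, "COLO", 35, (40.7500, -73.9900)),
    ("C10", "DR-B", "M", 44, "HYST", 90, (40.7300, -73.9900)),  # male patient
    ("C11", "DR-C", "F", 72, "PREN", 20, (40.7450, -73.9800)),  # age out of range
    ("C12", "DR-C", "M", 55, "PROS", 45, (40.7480, -73.9850)),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def screen_claim(claim, profiles=PROCEDURE_PROFILE, providers=PROVIDERS):
    """Return the list of symptom names found on a single claim."""
    _, provider, sex, age, proc, minutes, home = claim
    sexes, lo, hi, typical = profiles[proc]
    flags = []
    if sex not in sexes or not (lo <= age <= hi):
        flags.append("profile_mismatch")
    if minutes < MIN_DURATION_FRACTION * typical:
        flags.append("implausible_duration")
    if haversine_km(home, providers[provider]) > MAX_PATIENT_DISTANCE_KM:
        flags.append("distant_patient")
    return flags


def frequency_outliers(claims, multiplier=FREQUENCY_MULTIPLIER):
    """Providers billing a procedure far more often than their peers do."""
    counts = defaultdict(lambda: defaultdict(int))  # proc -> provider -> count
    for _, provider, _, _, proc, _, _ in claims:
        counts[proc][provider] += 1
    outliers = []
    for proc, by_provider in counts.items():
        for provider, n in by_provider.items():
            peers = [m for p, m in by_provider.items() if p != provider]
            if peers and n > multiplier * (sum(peers) / len(peers)):
                outliers.append((provider, proc, n))
    return sorted(outliers)


def screen(claims):
    """Claim-level symptoms keyed by claim id, plus provider-level frequency outliers."""
    per_claim = {c[0]: screen_claim(c) for c in claims}
    per_claim = {cid: f for cid, f in per_claim.items() if f}
    return per_claim, frequency_outliers(claims)


if __name__ == "__main__":
    per_claim, outliers = screen(CLAIMS)
    for cid, flags in per_claim.items():
        print(cid, ", ".join(flags))
    for provider, proc, n in outliers:
        print(f"{provider} billed {proc} {n} times, far above peers")
```

Each flagged claim is a lead for a fraud examiner, not a conclusion: a patient really can travel for care, and a procedure really can be quick. The frequency rule is the one most worth tuning, since it compares a provider only with peers in the same data set and will say nothing about a procedure only one provider bills.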

Neural networks (statistical models, loosely inspired by the brain, that learn patterns from examples) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Such systems can spot the illegal use of a credit card and notify the cardholder within a few hours of its theft, and they can spot emerging trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it will implement in support of that system. Mapping the governance frameworks, principles, structures, processes and practices currently in use is a useful first step. CFEs and forensic accountants are uniquely qualified to assist in this process, given their in-depth knowledge of fraud scenarios of every type and of how to tailor the anti-fraud controls most appropriate for each within a specific company environment.

Fraud, ERM & Wells Fargo

Could a fully functional Enterprise Risk Management (ERM) program have prevented or otherwise somehow mitigated the Wells Fargo fraud?

As a concept, Enterprise Risk Management (ERM) is more than four decades old and has been repeatedly battle-tested in private and public organizations around the world. It is a proven approach to addressing risk in organizations of all sizes because it concentrates management's attention, effectively and efficiently, on the areas of highest risk to the enterprise's critical business processes. I don’t have to tell readers of this blog that today’s fiscal realities call for continual and increased efforts to both reduce costs and still deliver optimal customer service; both objectives have a direct impact on fraud prevention because they increase the pressure on management, especially financial and marketing management, to meet ever higher sales and earnings performance standards. The ongoing debacle at Wells Fargo is a case in point of such pressures out of control at seemingly every level of the organization.

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view "the circle of risk", and the concept has continued to evolve in the years since. In September 2004, COSO issued Enterprise Risk Management—Integrated Framework, a method for systematically considering and managing risk across an enterprise. COSO's premise is that value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. COSO's bottom line is that ERM helps an entity get to where it wants to go while avoiding pitfalls and surprises like the one that has overtaken Wells Fargo. The goal of ERM for fraud prevention is two-fold: remediate risks (especially the risk of fraud, waste and abuse) to acceptable levels, and eliminate unnecessary controls, processes and, ideally, costs. Potential benefits such as improved service delivery, increased control and cost savings are among those documented in the literature. At the heart of ERM is a holistic, integrated, future-focused and process-oriented approach that facilitates the management of risk across an enterprise, as opposed to looking at it only within siloed organizational entities. The ERM process focuses on "the right things" and can identify processes and procedures that do not measure up to the performance, cultural standards and cost-benefit ratios defined by the entity.

Fraud risk programs align well with ERM concepts. Fraud risk programs start with establishing the risk appetite of the enterprise and are governed by policies that articulate the goals and objectives, ethical conduct standards, roles and responsibilities, strategies and tactics of implementation specific to addressing fraud risk. As with other types of ERM programs, fraud programs include deterrence strategies, preventive internal controls, routine measurement of performance and results, as well as program accountability and transparency to stakeholders. Additionally, there is special emphasis on cyber fraud, given the reliance on information technology to carry out the mission of today’s typical organization. Partnerships between organizational and program management are strong, given the linkage between the programs and their associated fraud risks. ERM also strongly supports whistleblower programs, another area of increasing attention and stakeholder priority.

News reports tell us that those Wells Fargo employees who attempted to fill the whistleblower role at many points in the employee-initiated fraud were first disciplined for their efforts and then terminated.

COSO’s ERM framework is premised on four underlying principles. How might each (and all collectively) have benefited Wells Fargo beforehand to avoid the present mess?

–Every entity exists to provide stakeholder value.
Sales goals that are all but impossible to meet, and which force employees to sign up customers for services they neither ordered nor needed, provide no value to the customer, to the employees, to Wells Fargo stockholders or to the public at large.

–All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. This translates to making trade-offs in establishing the level of acceptable risk to assume.
By fostering a culture of corruption among its employees, firing them for not meeting unrealistic sales goals, Wells Fargo arguably failed to accurately assess both its level of fraud risk and its appetite for such risk.

–Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Under the COSO model, Wells Fargo failed to prioritize risks that could jeopardize its corporate mission, effectiveness and efficiency. It also appears to have lacked a mechanism for taking prompt action to stop the basic employee fraud scenario from persisting and spreading to more and more employees. Only after the fact did it halt its program of unrealistic employee sales goals.

–Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
Applying this principle means ongoing monitoring of the performance of the risk model. At the first signs of the fraud, a bank following it would have reassessed the risk, rated it at the highest level and taken immediate steps to shut down the identified fraud scenario(s).

As a fraud examiner and auditor, there are a number of questions I ask my corporate clients to ask themselves that are, in my opinion, critical both to identifying the risks ERM addresses generally and to identifying the business processes vulnerable to fraud specifically.

–What keeps you up at night?
–What do we not want to see on the news or in blogs?
–What are the expectations of stakeholders?
–What do we want to make sure happens and happens well?
–What problems have developed or emerged in other organizations that could be a problem in our company as well?
–What controls are now in place? What do we know about how they are working? What do we know about their cost and benefit?
–What level of control can we reasonably afford and how do we get the most bang for the buck?
–What changes have taken place in the company, or external to it, that may have introduced new risks?

Would ERM have helped Wells Fargo? I don’t know whether the bank presently has an ERM program or not, but clearly the process as defined by COSO would have helped by providing a risk-monitoring and immediate-remediation mechanism to reassess risk in response to the first whistleblower call alerting the bank to the existence of the employee-assisted fraud. And there is no doubt that the forensic accounting and CFE community can play an important role in providing needed leadership and technical assistance to any organization implementing a dynamic, ERM-supported fraud response plan. As the Wells Fargo experience and so many other instances suggest, the time has come to use the full potential of enterprise risk management as a tool to assist in the identification and rapid remediation of frauds before the costs to all stakeholders become unacceptably high.

Tone Deaf

The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest, declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It's best described as the consistency among the statements, assertions and explanations of management and its actions. In summary, tone at the top is seen by some as a part of, and by others as equal to, the internal control environment.

The rub is that tone at the top is not only far more complicated than the above definition would lead a casual reader of the trade press to believe, but also invisible to the standard tests of an outside auditor or fraud examiner. A baseline for assessing it would therefore be a valuable addition not only for fraud examiners and financial auditors but for assurance professionals of all types.

To determine a baseline, one first needs to define the different aspects of the target concept; the baseline then gives reviewers a starting point for improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through a well-functioning internal control system but can also have a positive impact on an organization's financial results: organizations with an effective corporate governance policy perform better than those without one. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in the management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: agency theory, transaction cost economics theory and stakeholder theory. Agency theory views an organization as a nexus of contracts, and the separation of ownership and control is essential to it. The agent (the manager) controls the organization but does not own it; the organization is owned by the principal (the shareholders). Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option available given the information at hand. TCE aims to explain how firms are formed; firms are created to minimize transaction costs. The domain of TCE has proven useful in explaining management control structures. Under TCE, performance evaluation needs to be behavior based, with non-financial, subjective measures, and output controls are low. Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

Stakeholder theory is based on the belief that, besides shareholders, there are others with an interest in the organization. Corporate governance should therefore resolve not only conflicts between management and shareholders but also conflicts between the organization and its other stakeholders. To the MCS school, tone at the top represents a form of cultural control. Cultural controls encourage employees to monitor and influence each other's behavior; they rely on group pressure, so that if a person deviates from the group's values, the group will put that person under pressure to return to the dominant values. Cultural controls are usually translated into corporate governance codes, which are mainly formulated to prevent or minimize fraudulent activity by means of internal control. Five methods of cultural control have been identified: codes of conduct, group rewards, transfers, physical and social controls, and tone at the top.

Tone at the top forms an important part of corporate governance codes. Management behavior should be consistent with the culture it is trying to form; managers serve as role models. An important factor is implementing and operating a whistleblower policy, so that staff at any level who observe fraudulent activity can report it and be protected against retaliation.

Each of the above theories concludes that an organization needs a corporate governance code to minimize transaction costs, manage stakeholder interests and thereby increase shareholder value. However, recent well-publicized corruption cases have led to calls in the popular press for a more formal approach. So, what might such a formal, COSO-based approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example, focus on people skills and display integrity. Their risk awareness, actions and messages need to be consistent with the dominant culture. It is also important for management to commit formally to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to succeed. Employees need to be empowered to make the right decisions, and the reward system and the culture need to reward desired behavior and comply with the norms. When something goes wrong despite these cultural safeguards, an effective policy must be in place to protect whistleblowers.

Finally, risk appetite should be linked to strategy. The supervisory board needs to be independent, active and involved; responsibilities need to be defined; and management needs to receive adequate information.

All three of the above aspects are an integral part of what experts currently define as tone at the top. According to the ACFE, tone at the top can help avert fraud at every level of an organization. It is therefore necessary to include its assessment in the scope of the fraud examiner's fraud risk assessment and to schedule its periodic re-evaluation.