Be proactive: A guide to internal fraud investigations
Practical steps to take to recognize, investigate and report fraud
While there is no absolute defense against fraud, companies that reward ethical behavior—not just financial or sales performance—tend to have fewer cases of illicit activity. Similarly, business leaders who understand how to identify early signs of fraud, apply best practices in an internal investigation and take proactive steps to coordinate external reporting can reduce the financial impact of fraud and often have a better chance to improve their outcomes with regulatory or legal agencies. On the other hand, when an organization’s leadership team is not prepared or does not understand its risk factors, the consequences are often expensive.
As noted in our recent global corruption law compliance report, the U.S. Department of Justice (DOJ) significantly ramped up enforcement actions in 2015 and 2016, with a specific focus on individual actors—not just corporations. And although new leadership is in place at both the DOJ and the Securities and Exchange Commission, there is no expectation that government scrutiny will diminish under the new administration. Accordingly, executives should remain vigilant and carefully monitor how prosecution and enforcement priorities evolve among these agencies, especially as they relate to the Foreign Corrupt Practices Act, the Bank Secrecy Act, and other laws and regulations aimed at punishing fraudulent actions.
Identifying threats and vulnerabilities: Assessing fraud risk
The steps to identifying the potential for fraudulent activity begin with a candid, clear-eyed view of the business and its operating landscape. When assessing fraud risk at the employee or department level, it is helpful to identify the areas of greatest opportunity. For instance, since sales representatives often receive the majority of their compensation by meeting or exceeding revenue targets, there is an inherent incentive for these individuals to engage in bribery, kickback or other corruption schemes. Accounting departments are another high-risk zone for most privately held and middle market businesses, given potential control deficiencies that may exist in billing, expense reimbursement, payroll and financial statement processes. And warehouse and procurement employees working for businesses that carry a great deal of inventory—such as manufacturers, distributors and retailers—represent a potential threat for asset misappropriation schemes and non-cash frauds. In the majority of cases, higher risk correlates with loose or nonexistent internal controls typically found in smaller businesses.
Given the range of potential industry and workforce threats, a third-party risk assessment can be a sound investment. When developed in collaboration with business leaders, a third-party risk assessment can apply industry-specific data analytics and forensic investigative techniques to stress test internal fraud defenses and controls. The assessment can also identify company-specific fraud vulnerabilities based on business segment, geographic operations, government interactions and supply chain in addition to other critical factors. When the investigative portion of the assessment is complete (after any course corrections mutually agreed upon midstream), company leaders typically develop a fraud risk matrix, which highlights operational and control strengths and weaknesses, shows how the company performs against industry peers, outlines corrective action recommendations, and offers specific steps to help the company conduct ongoing fraud risk monitoring.
Preparing for the worst: Developing a fraud response plan
RSM’s Global Corruption Law Compliance Survey found that companies with a clear, documented fraud response strategy were over seven times more likely to initiate investigations than firms that had no such road map. Without such a plan, an organization’s reaction to allegations or identification of fraud can be unnecessarily chaotic, disjointed and stressful. A coherent fraud response plan gives business leaders a road map to follow in what is often a fast-moving, reactive situation. It can also save the organization considerable sums, both in professional fees to investigate the fraud and in the time of internal resources that would otherwise have been allocated to other important business initiatives.
While a written first-response strategy is highly advisable, note that it must contain key specifics that can be quickly read—and understood—when a fraud event occurs. For example, the strategy should identify a decision-making chain of command, as well as tangible (and agreed-upon) action steps to be taken by senior executives and corporate directors. The fraud response strategy should also clearly state what information beyond initial discovery will be communicated, to whom it will be communicated and under what circumstances. Having this level of prior planning in place when a fraud event occurs will help ensure that the initial response is thoughtful, coordinated and timely. This can help the company avoid potentially negative financial, legal and reputational issues that can arise when resolving internal fraud.
Addressing the situation: Responding to fraudulent activity
If evidence of internal or external fraud is discovered despite a company’s best efforts to prevent such actions, there are a number of items that management must consider to minimize the impact to business operations. And while a fraud response plan—along with input from senior executives—should address a variety of potential concerns and questions, the following are three steps executives can take to investigate fraudulent activity:
Stop the bleeding. When any suspicion or evidence of fraud is reported, ensure that a response plan is in place. This plan should enable leaders in any specific company location to quickly assess the root cause of the fraud, stop the illicit activity to prevent further damage and determine what legal or regulatory exposure the company may have. The response plan should also cover how fraud-related information is escalated to senior corporate officials and employees (if necessary), and when outside professionals should be contacted and retained. If business leaders do not take quick action when a fraud is identified, it leaves the company open to potential fines, legal issues and reputational damage.
Collect and organize information. The fraud team’s work begins with clarifying (as much as possible) the fraud’s point of origin, along with identifying potential internal and external actors involved in the illicit activity. This includes documenting the initial fraud response strategy, developing a chronology of the facts and allegations, identifying the circumvented controls that allowed for the fraud to exist, detailing any specific items unique and pertinent to the matter, determining if all relevant records have been gathered, and establishing an internal and (if necessary) external interview list for fact-finding purposes. These careful steps will help senior leaders understand core issues and chart next steps, which may include retaining third-party investigators to handle complex fraud situations. When high-quality information is gathered and documented early in a fraud discovery process, it strengthens the credibility of any future decisions the company may need to make regarding legal issues or regulatory self-reporting.
Protect management from baseless allegations. When a fraud incident gains visibility, a frequent knee-jerk response from external parties is that senior management is to blame for the situation. Consequently, it is critically important for any investigative team to concentrate on credible data and evidence, stay focused on the direction set by legal counsel or third-party resources, and make no statements about any potential involvement by leaders or staff until the fact-finding process is complete. That said, if the investigation reveals that senior management knew about the fraudulent activity—or took no credible actions to stop illicit behavior once uncovered and reported—then the investigative team should rely on legal counsel and human resources to chart a strategy for handling that situation.
Recognizing fraud complexity: Considering the use of outside professionals
No two fraud events are the same. Some schemes are relatively straightforward acts that can be clearly verified through documentation, surveillance or witnesses, and can be quashed with swift action by senior management. In such cases, the investigation can be handled by internal compliance, human resources, legal staff or other employees knowledgeable in fraud risks and characteristics, and experienced in conducting internal investigations. However, other cases involving a more complex web of illicit activity may well signal the tipping point for engaging qualified external resources, such as outside counsel and forensic accountants, who can provide a more focused, disciplined investigative approach.
The use of outside professionals can deliver several distinct advantages. For example, service providers well-versed in conducting investigations can offer unique perspectives, drawing on many years of experience responding to similar types of improper corporate activities. Similarly, qualified third-party firms typically have working relationships with other specialists (e.g., experts in data security, research, quantitative analytics, e-discovery, etc.) that may not be readily available to a company’s internal team members. And since outside consultants are not on the company’s payroll, they can provide a high degree of investigative objectivity, because they are free from job-related bias and politics. Further, professional fraud resources knowledgeable in the legal and forensic nature of their work are often best positioned to make recommendations on disclosures to regulators or other governmental agencies.
Communicating the issues: Reporting fraud to regulators and external parties
The decision of whether to self-report a fraud event or a potential violation to a government agency requires thoughtful consideration, because it involves the conveyance of highly sensitive company information. The release of such information can potentially generate negative fallout, such as reputational damage, criminal or civil actions, or monetary penalties. Thus, any such process must be guided by experienced internal and external resources that have deep experience dealing with the legal, regulatory or public relations issues that might arise.
As a general rule, a wise self-reporting policy should include sticking to defensible data or evidence; avoiding vague terms or references; communicating in clear, declarative sentences; and using fact-based visual elements (such as charts, graphs or tables) to help clarify key points. When companies can demonstrate that a fraud case was carefully investigated—and that clear steps were taken to reduce the risk of similar future activity—senior leaders can be reasonably confident in a decision to self-report the event.
Putting all the pieces together
From an internal viewpoint, tone at the top matters. For senior leaders, that means establishing clear, concise boundaries on what is—and what is not—acceptable ethical behavior. In addition to strong internal controls and a no-nonsense stance on holding offenders (at all levels) accountable for their actions, companies can also strengthen their compliance climate through the use of regular anti-fraud training programs and whistleblower hotlines. And companies that have proactively considered how they will handle the initial discovery, investigation and self-reporting of a fraud event or a potential violation to a government agency are in a far better position to navigate the complexities and potential issues that typically accompany illicit activity.