Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Transcription

1 Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

2 Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM) capabilities of FORTUNE 1000 companies and large not-for-profit organizations. The goal of the study was to better understand how FRM is operationalized, given the heightened awareness of fraud in today s corporate environment. This was accomplished by assessing how the nation s largest public companies and nonprofit organizations have addressed FRM and the maturity of related efforts to evaluate, mitigate and monitor fraud risk. After analyzing the results, three key points became clear: 1. Organizations are at different maturity points in their capabilities to evaluate, mitigate and monitor fraud risk. 2. Organizations are struggling to understand what FRM means in the context of their daily operations. 3. Education and awareness are critical issues that need greater attention in order to successfully manage fraud risk. Key Findings Discussion The following is a more in-depth look at the key points outlined above and what they mean for organizations: 1. Organizations are at different maturity points in their capabilities to evaluate, mitigate and monitor fraud risk. Many still are striving to define their fraud prevention, deterrence and detection strategies. Fraud risk assessments often are limited in the consideration of certain types of fraud risk. Anti-fraud controls need to be better monitored at the process level. FRM STRATEGY CONTINUUM Less defined 9% Reactive 1% Undefined no strategy 2% Defined 39% Very well defined 49% Most executives believe their organizations have a strategy in place for addressing fraud risk. However, only 49 percent said that their strategies are very well defined, in that they identify fraud risks proactively, and have corresponding anti-fraud programs and controls that are agreed upon, monitored and measured by a board and senior management on an ongoing basis. Looking at the FORTUNE 1000 companies alone, results surprisingly were not much better even after the impact of the Sarbanes-Oxley Act of 2002 with just 52 percent of those surveyed indicating they have very well defined FRM strategies. The majority of the remaining respondents said their efforts are defined: Anti-fraud programs and controls are agreed upon, monitored and measured by a board and senior management, but no formal strategy has been implemented. What is included typically within FRM? The vast majority of executives said financial processes are a key component. Approximately three-quarters cited operational processes and compliance with laws and regulations. Many organizations formally refresh their fraud risk assessment processes at least annually; however, of concern are the one-quarter of companies that do so only periodically, potentially leaving themselves open to using outdated and ineffective anti-fraud strategies. Those most vulnerable to suffering undetected fraud losses are the 16 percent who conduct a fraud risk assessment at neither the entity nor process level. 1

3 Is your organization s fraud risk assessment process informal and occurring periodically, formal and refreshed at least annually, or neither? Informal, occurs periodically 24% Don t know 1% Neither 6% Formal, refreshed at least annually 69% Does your organization have a defined fraud risk assessment process at the entity level, process level, both, or neither? Don t know 4% Process 13% Neither 16% Entity 22% Both 45% There also is much room for improvement when it comes to monitoring anti-fraud controls at the process level. Nearly 20 percent of executives said anti-fraud controls are not actively monitored or identified at the process level, or reported they did not know what was being done in this area. Those who do employ monitoring strategies primarily incorporate them within Sarbanes-Oxley or internal audit testing activities, use computer-assisted audit techniques or manually review documents such as spreadsheets and reports. And 40 percent of the FORTUNE 1000 companies surveyed do not utilize computer-assisted audit techniques actively and routinely to identify potential fraud indicators. Oversight of fraud risk is another area in which different capabilities are exemplified. While nearly two-thirds (61 percent) of organizations have a single individual designated with daily ownership and responsibility for fraud risk at the senior management level, 39 percent said no single person is assigned the role at that level. Those without designated ownership may find that they waste valuable resource time and program dollars due to an overlap in anti-fraud efforts. They also may have heightened exposure to fraud risk because of potential gaps resulting from uncoordinated FRM activities. 2

4 Internal audit (56 percent) is most commonly responsible for conducting fraud risk assessments, followed by the Sarbanes-Oxley compliance team (25 percent). Given the typical duties of internal audit and Sarbanes-Oxley teams, results indicate many organizations may be overlooking key risks by limiting their assessments to certain types of financial fraud that may result only in a material misstatement of the financial statements. Sixty percent of executives said their audit committees have responsibility for the oversight of fraud risk. However, what that actually means, and the impact it has within the context of the organization, is unclear. Our client experience indicates this responsibility often is not stated explicitly in the audit committee charter, and interaction with management on fraud risk issues is not readily transparent. Which one entity within your organization is primarily responsible for conducting your fraud risk assessment? Internal audit 56% 56% Sarbanes-Oxley compliance team 25% 28% Corporate compliance 8% 8% General counsel/ Legal 5% 4% None of these Don t know 5% 3% 1% 1% All F1000 0% 10% 20% 30% 40% 50% 60% All organizations surveyed have adopted a code of ethics or code of conduct, and two-thirds require all management and employees to certify compliance with these rules. However, the majority of organizations do not require their board of directors to affirm compliance with their code, which raises concern as to the commitment of those responsible for ensuring that management sets an appropriate tone at the top. Nearly all executives said their codes are readily accessible within their organizations, but only six in 10 are providing the same degree of transparency in their business principles to external parties. Many have not made the effort to translate their code of ethics or code of conduct into foreign languages, raising further concern about whether information is communicated adequately to employees, especially in organizations in which multiple languages are spoken in U.S. and overseas locations. 3

5 A Look at Organizations With a Very Well Defined Fraud Risk Strategy: 10 Things They Do Differently Among the executives who participated in this survey, nearly half (n=49) indicated that their organizations have a very well defined fraud risk strategy. In comparing the survey results from this group virtually all of whom are from FORTUNE 1000 companies against those of the other respondents (n=51), there are a number of notable differences in how these very well defined strategy organizations address FRM: 1. When examining the question of ownership and responsibility for FRM, the findings indicate that there is a lower tendency among the very well defined strategy group to have just one individual from the ranks of senior management, rather than multiple individuals, designated with ownership and responsibility for FRM. This suggests that assigning a greater number of executives and business owners to coordinate FRM responsibilities may lead to more effective fraud risk practices and processes. 2. There is a greater tendency to have active and defined oversight of FRM by the organization s board of directors, suggesting FRM efforts and strategies benefit from such guidance. Additionally, there is a clear trend among the very well defined strategy group to inform the audit committee of all allegations, as well as investigations, involving accounting, auditing and internal control matters. 3. A notably higher percentage of the very well defined strategy group has a defined risk management process at both the entity and process levels, as suggested through authoritative guidance and leading practice. 4. A slightly higher percentage indicated they have a standalone fraud risk management process. As would be expected, this explicit and focused view on fraud risk likely brings greater definition to FRM strategy. Similarly, the very well defined strategy group clearly trends toward having a formal FRM process that is refreshed annually. 5. The very well defined strategy group trends toward including operational processes for consideration within fraud risk assessment. 6. A higher percentage of the very well defined strategy group indicated internal audit as the most common entity within an organization responsible for conducting fraud risk assessment. 7. A higher percentage of the very well defined strategy group not only offers a form of ethics and fraud awareness training, but also requires all employees to attend it. In addition, there is a greater likelihood among these organizations to include, as part of ethics and fraud awareness training, general fraud awareness, as well as fraud prevention techniques. 8. The very well defined strategy group more frequently uses both manual techniques (e.g., review of spreadsheets, reports, etc.) and computer-assisted audit techniques (e.g., data analysis, etc.) to monitor anti-fraud controls at the process level. 9. To support the reporting of concerns regarding potential fraud and misconduct, a higher percentage of the very well defined strategy group has created multiple reporting mechanisms for the reporting of concerns and complaints involving fraud, employing hotlines run by an external service provider, electronic mailboxes and P.O. boxes. Further, this group has a greater tendency to actively utilize these reporting mechanisms. 10. The survey results suggest that effective communication in support of the organization s code of conduct translates into more effective FRM. There is a higher tendency among the very well defined strategy group to have the organization s code of ethics or code of conduct readily accessible externally (for example, on the public website), as well as to have these materials translated into foreign languages. In addition, there is a slightly higher tendency to require that all management and employees certify or affirm compliance with the code of conduct. 4

6 Nearly all executives surveyed said their code of ethics or code of conduct is evaluated on a periodic basis for relevant content. Most organizations monitor these codes through an affirmation/confirmation process. Most likely, this is because the monitoring of codes by management, the audit committee or board is an explicit consideration by external auditors during their review of the control environment. 2. Organizations are struggling to understand what FRM means in the context of their daily operations. Senior management does not always support anti-fraud initiatives. Accountability for fraud risk is not widespread. Audit committees often receive filtered information about fraud allegations and concerns. Organizations face considerable challenges in proactively managing fraud risk. Executives surveyed noted that their greatest obstacles include fraud and misconduct not being considered a high risk within the organization; a no fraud here mentality; availability and alignment of internal resources (i.e., decentralized, focused on other corporate priorities); adequacy of funding for anti-fraud programs and initiatives; and the laws and regulations or cultural norms in non-u.s. locations. Ensuring that senior management supports proactive management of fraud risk in words and actions clearly needs to be a higher priority for many organizations. Challenges in Managing Fraud Risk Rankings Fraud and misconduct not considered high risk within the organization (tie) No fraud here mentality (tie) Availability and alignment of internal resources Adequacy of funding for anti-fraud program and initiatives Laws and regulations or cultural norms in non-u.s. locations Proactive FRM is not a corporate priority No proactive FRM focus on incident response No unified FRM strategy No member of senior management designated with ownership and responsibility for FRM Many organizations seem unclear about what to include within written anti-fraud or FRM policies, and tend to take a generic or high-level approach to their efforts. Less than half of the organizations surveyed address key issues in their written policies, such as providing an anti-fraud program overview, a definition of fraud, roles and responsibilities regarding FRM, tolerance toward fraud and misconduct, and anti-fraud program components. Less than half of the executives polled claim their organizations define the fraud risk assessment process at both the entity and process levels. This may signal a notable deficiency, given that fraud risk assessment should be both robust and sustainable, and further, should occur using a top-down approach as recommended in authoritative guidance. 5

7 Two-thirds of organizations incorporate fraud risk assessment within another initiative, primarily internal audit planning or Sarbanes-Oxley compliance. In these situations, our client experience indicates that fraud risk can become so far embedded within these other initiatives that it may become difficult to differentiate from all other categories of risk, may not be given explicit consideration or may be overlooked completely. Just 18 percent of executives surveyed said fraud risk assessment is incorporated within enterprise risk management modules much lower results than anticipated. A significant finding was that even in this post-sarbanes-oxley environment, one-third of FORTUNE 1000 companies polled have no documented investigative policies or procedures, one-half have no incident response plan, and six out of 10 do not use escalation or decision trees to help treat concerns or complaints when they are received. Organizations with mechanisms in place for reporting allegations regarding potential fraud and misconduct rely primarily on hotlines, electronic mailboxes and designated members of senior management to support the reporting of allegations regarding potential fraud and misconduct. Percentage of policies and processes that DO NOT EXIST within organizations to support the review or investigation of concerns/complaints regarding potential issues involving fraud and misconduct. (Multiple responses permitted.) Documented investigative protocols and procedures Incident response plan Escalation or decision trees Informal investigative protocols and procedures Case management system 37% 47% 65% 70% 78% The filtering of information to the audit committee involving accounting, auditing and internal control matters raises questions about management s interpretation and execution of their audit committee s Sarbanes- Oxley Section 301 procedures, particularly in terms of what types of concerns and complaints are shared, the method of prioritization, timeliness of notification and the independence of those managing the process. Executives also appear to be uncertain about how human resource activities can support their FRM efforts, and fail to use fraud prevention as a performance or management metric. Only 54 percent of organizations hold management accountable for the actions of employees, explicitly state accountability for fraud prevention in job descriptions or roles and responsibilities, or incorporate ethics or fraud prevention goals within performance management. 3. Education and awareness are critical issues that need greater attention in order to successfully manage fraud risk. Although ethics and fraud awareness training is prevalent, there is significant room for growth. Training sessions often fail to address key topics. Individuals responsible for implementing FRM strategies typically are excluded from training. 6

8 Does your organization offer ethics and fraud awareness training? Don t know 3% No 25% IF YES: Percentage of topics NOT covered in ethics and fraud awareness training. Code of conduct General fraud awareness 11% 36% Yes 72% Fraud prevention techniques Fraud detection techniques Specialized training 43% 49% 65% It is encouraging that three out of four organizations provide ethics and fraud awareness training. While this comprises a majority of companies, 25 percent acknowledge a notable weakness in their fraud prevention efforts, as they do not provide such training. This is significant, given that education is the cornerstone of a healthy control environment. Thirty percent of those providing training hold relevant sessions less than once a year. Only 46 percent of the FORTUNE 1000 companies polled rely on in-person training; the majority turns to online methods. Survey findings suggest many organizations need to enhance their training programs to ensure appropriate topics are addressed. Approximately half of the organizations do not cover fraud detection techniques, 36 percent do not cover general fraud awareness, 43 percent do not address fraud prevention techniques, and 11 percent do not train on the code of conduct. Nearly three-quarters of companies 72 percent require all employees to attend ethics and fraud awareness training, which is essential in building a healthy control environment. However, among all organizations polled, only 13 percent of audit committees and less than 10 percent of board members the individuals most responsible for the oversight of FRM activities are required to attend ethics and fraud awareness training. Implications for Organizations Fraud risk is dynamic and evolves in conjunction with an organization s people and processes. Combating such risk requires a collective effort from all ranks no single executive or employee stands alone on the front lines as there is no one-size-fits-all approach that will result in the successful management of fraud risk. The artificial or mechanical consideration of fraud and the use of a checklist approach will not provide adequate answers to the identification and resolution of the incentives, pressures, opportunities and rationalizations that create fraudulent behavior. Fraud prevention, deterrence and detection strategies need to evolve in the context of, and in alignment with, an organization s fraud risk. Due to the nature of fraud, corporate executives need to understand and accept that intentional misconduct can happen anywhere, at any time and in any organization. Adopting a no fraud here mentality is, in and of itself, a critical risk one that may lead to imminent failure of an organization s FRM program. By embracing an open, robust and sustainable top-down approach to the evaluation of fraud risk and corresponding programs and controls, management s efforts to evaluate, mitigate and monitor the risk of fraud can be vigorous and, also, can specifically address strategic issues that truly jeopardize an organization s governance, reputation and enterprise value. 7

9 Survey Methodology and Demographics The study was conducted by an independent research firm via a phone survey of 100 executives (with strategic responsibilities for FRM and reporting to the board of directors at their organizations) and equivalents at not-for-profits. The margin of error is 9.8 percent. Respondents Organizations FORTUNE 1000 (84 percent public and 6 percent private) Not-for-profits N-Size Respondents Job Titles Chief executive officer Chief financial officer Executive vice president or senior vice president (or equivalent) Vice president or equivalent Managing director or equivalent Director or equivalent Manager or equivalent All (percent) About Protiviti Protiviti ( is a leading provider of independent risk consulting and internal audit services. We provide consulting and advisory services to help clients identify, assess, measure and manage financial, operational and technology-related risks encountered in their industries, and assist in the implementation of the processes and controls to enable their continued monitoring. We also offer a full spectrum of internal audit services to assist management and directors with their internal audit functions, including full outsourcing, co-sourcing, technology and tool implementation, and quality assessment and readiness reviews. Protiviti, which has more than 60 locations in the Americas, Asia-Pacific and Europe, is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. Our Fraud Risk Management, Financial Investigations, and Litigation Consulting Services Our consulting products include fraud risk management, financial investigations, and litigation consulting services. We help companies and their legal advisors measure, manage and mitigate risks, and are committed to helping protect and enhance enterprise value. As a result, organizations protect their reputations, improve their bottom lines, and achieve their fiduciary and regulatory responsibilities. For more information about the topics covered in this survey or our FRM, financial investigations, and litigation consulting services, please contact: John Cherpock Managing Director john.cherpock@protiviti.com Paul Sachs Managing Director paul.sachs@protiviti.com Pam Verick Stone Director pam.verick.stone@protiviti.com 8

10 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. protiviti.com Protiviti Inc. An Equal Opportunity Employer. PRO0308