Is this the lucky day for the Auditor? Everybody is looking for someone in the Internal Audit department. But it is not for thanking or acknowledging their work; it is because someone has robbed the company!
The headless chicken syndrome starts: have you seen when a chicken head is cut off and how the body continues moving? Well, companies act the same way: everybody runs… meeting emergency requests… everybody is confused on what to do, but everybody gives their point of view… Bottom line: who should be responsible for managing the fraud? Is it only Internal Audit responsibility?
No. The majority of the companies misunderstand the responsibility of fraud. Yes, Internal Audit should be able to detect fraud depending upon its work and scope. But it is a shared responsibility between: Internal Audit, Compliance and members of their respective Committees, Legal, Human Resources and the CEO. These are the “basic” members that should manage fraud or get together when it happens but…
Depending upon the company structure and size it could be added Security. It also could be added some Directors of other areas but this depends on which area the fraudster works. Obviously if it is known or suspect that the CEO or any other executive is involved in the fraud, they should not be invited in the investigation meetings. This also applies to any other area of the “basic” group.
Here are some tips to improve prevention and detection of fraud:
a) It is great that companies have a hot-line but, who monitors? The company has three options: either internally, externally or a mix of it. If it is internally it is important to assign it either to Internal Audit (IA) and/or Compliance. Some companies give access to other areas such as Legal or Human Resources. Do not do that. Remember that due its nature, Internal Audit and Compliance have the qualifications to do it (independent, objective and direct access to Committees if needed). If it is externally monitor, determine together with the provider: the escalation system and criteria to report it as urgent or normal. Both externally or a mix, the company’s contact should be Internal Audit and/or Compliance. You do not want indiscretion or gossip in the aisles.
b) Ok, you have brave people who reports, so…is the company going to protect them? If people have the courage to report then the company should be prepared to protect them, performed investigations and improve internal controls so that experience does not repeat. In other words, do something! Impunity happens and lasts because people don’t see a change, don´t see the company really cares. If you are thinking that everything is ok because in your company you run or work for, there are no reports...sorry to tell you this: you are wrong. Your company is one more of the statistics: people do not talk because they are afraid, because they think nothing will happen, because they do not want to lose their job. Result: SILENCE…
c) Avoid ego. How many times have you heard Human Resources started an internal investigation by its own, because they know of some violation to the Code of Conduct? Areas encroached between each other’s responsibilities. Neither Human Resources, Operations, Legal, Finance nor any other area should start an internal investigation by themselves. Even IA or Compliance should report it to their respective Committees and/or CEO. Surprisingly when there is a fraud case everybody wants to participate, investigate and come up with who the fraudster is. Leave ego aside and define clearly roles and responsibilities.
d) Rely in the experts. Regardless the company is going to imprison the fraudster it should be aware to involve legal and labor lawyers. Many of the companies thinks that an investigation should be made in-house…this is true at a certain point: IA and/or Compliance can investigate using documents, data, camera recordings, files, inventories, etc. But when the moment comes to interrogate the fraudster they need to have advice from experts. Here come the attorneys who can help you on how to manage the situation. For example: in Mexico if you interrogate someone in a closed room the person could sue for unlawful deprivation of liberty. If the criminals gets advice, why not you? You don't want to be sued and loose the case because of “a technicality” or ignorance.
e) Develop an anti-fraud program and a fraud checkup. The first one should be the framework on what to do, how to do it, which person is responsible of what, investigation process, etc. Whereas the checkup is to monitor how vulnerable the company is towards the fraud risk.
f) Keep a record on red flags: how many have been a trigger for investigations? How many have been repeated? Which have been the repeated areas? (For example: operations, legal, accounting, etc.) Is it the same job position? Make an inventory of this information, which will help you to improve your internal controls and detect possible frauds more easily.
g) Correct what has to be improved! Do not copy what other companies do: their response to the fraud is to dismiss the fraudster. Really? "Everything remains the same” thinking hiring another person will solve the situation but the internal control weakness prevails and then the story is repeated…
Lastly but not least: train all employees. Emphasize the code of conduct and ethics and that the training encompasses different types of fraud; do not refer to only one, for example stealing assets.
Keep in mind employees could be your eyes and ears where you can’t be. Make them aware of unacceptable behavior, encourage them to speak up and demonstrate that the company takes it seriously. At the end it is everybody’s business: if the company is victim of a fraud, it has a consequence. We have seen so many fraud cases that lead companies to bankruptcy, that nobody wants to lose its job because of that…