Sarbanes-Oxley has done little to curb corporate malfeasance. Therefore, CFOs should implement a range of fraud-prevention measures.
Laton McCartney – CFO Magazine
As a convicted felon, Sam E. Antar, the former CFO for the now-defunct consumer-electronics chain Crazy Eddie, no doubt has regrets. Among them: he is no longer in the game at a time when corporate fraud is experiencing a resurgence. “If I were out of retirement today, I’d be bigger than Bernie Madoff,” he boasts.
In conjunction with CEO Eddie Antar (his cousin), Sam Antar helped mastermind one of the largest corporate frauds in the 1980s, bilking investors and creditors out of hundreds of millions of dollars. Today, he makes a living lecturing about corporate fraud (and shorting the stocks of companies he thinks may have inflated earnings).
Antar says that despite the antifraud provisions of the Sarbanes-Oxley Act of 2002 and the recently enacted Dodd-Frank Wall Street Reform and Consumer Protection Act, it remains as easy today for bad guys, both internal and external, to loot corporate coffers as it was during the Enron and WorldCom days. “Nothing’s changed,” he says. “Wall Street analysts are just as gullible, internal controls remain weak, and the SEC is underfunded and, at best, ineffective. Madoff only got caught because the economy tanked.”
Antar won’t get much of an argument from organizations that monitor corporate fraud. In fact, the consensus today is that financial shenanigans are markedly on the increase. “There’s a lot more employee fraud and embezzlement today than there was 10 years ago, and this past year there was much more than a year ago,” says Steve Pedneault of Forensic Accounting Services. “People blame the economy, but much of the fraud and embezzlement that’s coming to the surface now was in the works for 4 or 5 years before the recession hit.”
Last year, the Committee of Sponsoring Organizations of the Treadway Commission’s report on corporate fraud concluded that fraud continues to increase in depth and breadth despite Sarbanes-Oxley; the methods of committing financial fraud have not materially changed; and traditional measures of corporate governance have limited impact on predicting fraud.
In other words, same old same old, only worse: in its 2010/2011 Global Fraud Report, risk consulting firm Kroll found that business losses due to fraud increased 20% in the last 12 months, from $1.4 million to $1.7 million per billion dollars of sales. The report, based on a survey of more than 800 senior executives from 760 companies around the world, also found that 88% of the respondents reported being victims of corporate fraud over the past 12 months. If fraud were the flu, this would qualify as a pandemic.
The most likely targets by industry are financial services, media, technology, manufacturing, and health care. Small and midsize companies are also more vulnerable. “Many of these organizations typically rely on a small accounting department, especially in today’s economy,” says Pedneault. They simply don’t have the resources to catch fraudsters.
That challenge becomes all the more daunting when one considers the many varieties of fraud that exist. Aside from various forms of embezzlement and outright theft, and the growing risk of information theft (think hackers), two other kinds of corporate malfeasance have come to the fore in recent years: fraud in the business model and fraud in the business process.
The former is defined by a company selling illegal or worthless wares. “If the pharmaceutical industry sells alleged off-label drugs that have not been approved by the FDA, or the financial-services industry is offering worthless subprime mortgages, that can constitute business-model fraud,” says Toby J. F. Bishop, director of the Deloitte Forensic Center for Deloitte Financial Advisory Services.
Fraud of the business-practice variety, Bishop explains, can range from corporations ignoring or turning a blind eye to environmental or safety laws to the ever-popular practice of engaging in “window dressing” at the end of the quarter.
An Action Plan
With fraud on the rise, and with all parties that could possibly be tempted feeling more pressure to cross the line, how should companies respond? First, the bad news: “Most fraud today is uncovered by whistle-blowers, or by accident — a tip, a rogue piece of mail, or by happenstance,” says Tracy L. Coenen, a forensic accountant and fraud investigator who heads up Sequence, a forensic accounting firm.
In a sense, companies (at least those that are publicly traded) were supposed to self-insure against fraud by implementing, at great expense, the controls framework included in Sarbanes-Oxley. But a framework still requires an enforcer, and at many companies there is none. “There’s often no single entity for oversight,” says Deloitte’s Bishop. “Many companies have no compliance or risk management at all.”
Even when they do, there’s the issue of how effective it can be. It’s not a job that wins friends and influences fellow workers. “The compliance officer is the most hated person in the company,” notes Thomas Quilty, CEO of BD Consulting and Investigations. “Companies often retaliate against them,” adds Antar.
“Compliance staff frequently end up pushing paper [just] so it looks like the company has tried to do the right thing in case there’s an investigation,” says Coenen. “They’re not effective.”
As for what to do, while no one has yet come up with a silver bullet, experts point to seven useful steps that all companies can take:
1. Start at the top. “It’s critical for both the board of directors and executive management to set the tone for the corporation and its operating units,” says James Davidson, managing director at Avant Advisory Group and a certified fraud examiner. In fact, this may be the most important component of the control environment necessary for deterring fraud and fostering transparency. Plenty of lip service has been paid to the importance of tone at the top, of course, and it is often cited as the key to the success of…well, almost everything. But when it comes to curtailing fraud, it really does matter, because without it, an “entire culture of workplace fraud” can take root, according to the Association of Certified Fraud Examiners (ACFE).
2. Educate employees. The ACFE also maintains that employee education is the foundation for preventing and detecting occupational fraud (defined as “the use of one’s occupation for personal enrichment through the deliberate misuse or application of the employing organization’s resources or assets”), because employees are a company’s top fraud-detection resource. They must be trained in what constitutes fraud, how it hurts everyone in the company, and how to effectively report any questionable activity.
3. Change the culture ASAP. After it was hit by a $550 million fine by the Securities and Exchange Commission last July for its role in the collateralized-debt-obligation debacle, Goldman Sachs, which has a reputation of functioning as a “black-box” organization, recently announced plans to change its culture. The investment-banking firm claims it will become more transparent and ensure its business processes put customer interests first. That’s easier said than done, however. “It’s difficult to bring about a far-reaching cultural change in well-established companies,” says Quilty of BD Consulting and Investigations. “That’s not true, however, for first-generation or even second-generation companies, where the employees have a stake in the company and are more motivated to protect it from fraud.” More-established companies face a larger hurdle. “Current employees didn’t build the company,” Quilty says, “so they’re less interested in protecting it against fraudsters.”
4. Surprise! We’re having an audit. Another effective, yet underutilized, tool in the fight against fraud — at least according to the ACFE — is surprise audits. Fewer than 30% of victim organizations in the ACFE’s recent studies conduct surprise audits. Those that do, however, tend to have lower fraud losses and detect fraud more quickly. While surprise audits can be useful in detecting fraud, their most important benefit is in preventing fraud by creating a perception that it will be detected. Generally speaking, occupational-fraud perpetrators commit fraud only if they believe they will not get caught.
5. Check (and double-check) employee backgrounds. Due diligence is essential in evaluating the credentials and competence of new hires and becoming aware of any issues regarding personal integrity. That means, at a minimum, that companies should confirm an applicant’s work history and education as detailed on his or her résumé and follow up thoroughly with all references provided. Any embellished or false information or undisclosed history may be a red flag. The same scrutiny should be applied to new and existing suppliers, customers, and business partners, Deloitte’s Bishop says. (A number of outside security and risk-management firms, such as Kroll, will perform extensive background checks on a company’s behalf.) Finally, the ACFE recommends that after someone joins your staff, an evaluation of the new employee’s compliance with company ethics and antifraud programs should be incorporated into his or her regular performance reviews.
6. Prepare a data-breach response plan. With information loss and data breaches now the most common form of fraud, according to Kroll, it’s essential to establish a comprehensive response plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Disseminate this plan throughout the company to ensure that everyone knows what to do in the event of a breach. In preparation, consider the following: Who will have a role in reviewing the policies and procedures on a predictable timetable? What are the physical security elements? When and how will they be tested? As additional motivation, consider that new regulations now impose severe penalties on firms that don’t have this aspect of security nailed down.
7. Make sure the board of directors plays its role. “Corporate governance is the joint responsibility of both the board of directors and management,” says Davidson of Avant Advisory Group. Now that the SEC has mandated greater board involvement in risk management, apprising the board of fraud risk and responses becomes a top priority for the CFO. It won’t be fun, and, as Davidson notes, if board directors are at the top of their game they will push back and demand even more information. But that kind of dialogue can be invaluable in uncovering vulnerabilities.
What Doesn’t Work
The value of implementing those kinds of organizational changes often fails to register with CFOs who, with some reason, have tended to rely on more-formal forms of enforcement: audits from the inside and investigations from the outside.
The ACFE maintains that audits are ineffective. “External audits were the control mechanism most widely used by the victims in our survey, [yet] they ranked comparatively poorly in detecting fraud and limiting losses,” it noted in last year’s study. But the group did acknowledge that audits can be of value when they are combined with management reviews, job rotation, the creation of a code of conduct, surprise audits, and hotlines. In short, the same sort of holistic approach spelled out above.
As for external help, only 347 fraud cases were prosecuted by the SEC in what might be thought of as the Madoff Era, 1998–2007. In 2009, President Obama appointed Mary Schapiro to head the SEC, and she pledged to “reinvigorate a financial regulatory system that must protect investors and…enforce the rules.” That pledge got a booster shot from the Dodd-Frank Act, which will, in theory, double the SEC budget to $2.25 billion by 2015. Schapiro has already indicated that she wants to invest in a technology upgrade, the hiring of 800 employees, and the leasing of one million square feet of new office space.
Yet no new funds have actually been disbursed, and the SEC has had to back out of the lease for new office space, isn’t hiring as planned, and won’t be getting the new technology it needs for enforcement, examination, risk assessment, and market oversight. It has even cut back sharply on travel by its current investigators.
It’s no wonder Sam Antar muses about getting back in the game.
Sidebar – Just Whistle?
There is one potential bright spot within the Dodd-Frank Wall Street Reform and Consumer Protection Act regarding fraud prevention: the law contains provisions that generously reward whistle-blowers. According to Toby J. F. Bishop, director of the Deloitte Forensic Center for Deloitte Financial Advisory Services, the Securities and Exchange Commission has already set aside more than $400 million for that purpose. The act also provides strong protective measures, expressly prohibiting employers from retaliating against employee tipsters. “The IRS set up a similar whistle-blower reward program three years ago,” Bishop notes, “but it hasn’t paid out anything to date, because it is waiting for all the appeals to be exhausted.”
News of the SEC fund appears to have triggered a strong uptick in whistle-blowing, which, in turn, has had at least one unintended consequence: it has created confusion regarding the internal-controls provisions of Sarbanes-Oxley, which required a mechanism by which employees and third parties could, and should, report claims of fraud to management. If a whistle-blower is now bypassing compliance and sending reports of fraud directly to Washington, what’s the point of having internal ethics and compliance programs?
This is a question being posed by, among others, the National Association of Corporate Directors, which has decried the “chilling effect” of the SEC whistle-blower provisions in Dodd-Frank. “Unless the [provisions] are substantially altered, the collateral damage to corporate internal compliance programs — and ultimately the ethical culture that companies strive to obtain — could be harmed. These provisions offer too many incentives for a wide range of potential whistle-blowers to ignore a company’s existing internal reporting system and instead go directly to the SEC. Indeed, [such] enticement…will substantially damage the very systems that serve as the backbone for ethical corporate culture in companies today.” — L.McC.