When Your Compliance Program Fails

The steps to take when an employee compes forward with a fraud tip, whether the allegations are false or not.

Tracy L. Coenen – CFO Magazine

You think your company has a robust compliance program to prevent financial-statement fraud, asset misappropriation, Foreign Corrupt Practices Act violations, and other financial frauds. There are checks and balances in place, with lawyers, internal auditors, executives, and the board of directors keeping an eye on things.

Still, the unthinkable happens. Reports of a major internal fraud surface, and the scheme may involve several members of middle or upper management. The information – received through an employee’s whisper, an internal hotline, or the rumor mill – has enough substance to be deemed credible, yet not enough to know exactly who is involved, how wide-reaching the fraud may be, the amount of money stolen, or the exposure to government action and penalties.

What should the recipient of the tip do? First, realize that compliance programs fail. Despite a company’s best efforts, a risk may exist that its executives didn’t anticipate, or a hole that they didn’t see. There is no time for lamenting what went wrong. What matters is what a company does next, in terms of getting a handle on whether fraud occurred and keeping regulators at bay. With that premise in mind, here are the steps a company should take:

Evaluate the allegation. The first step for any company looking into a report of suspicious activity or discovery of a questionable situation is to determine whether it is credible. Are there specific allegations with sufficient information to be believable? Does the fact pattern make sense in light of what is known about the company, its operations, and its employees? The more specific the allegations, the more credible a whistle-blower report often is.

Consider the chain of command. Ideally, a company should have a person or department that handles initial reports of fraud. Typically, corporate security or internal audit will do an initial inquiry into potential fraud. In companies without such resources, the inquiry may be overseen by a divisional controller, the corporate controller, or even the CFO. Of course, companies should have a formal backup plan in case that person or department is implicated in a fraud scheme, or if other unusual circumstances exist. They should also consider the seriousness of the allegations, which determines the level of leadership that needs to be involved. Keep in mind, the higher the level of employee suspected, the higher the level of management that should oversee the case. If senior management is suspected, the board of directors should initiate and oversee the investigation.

Start an investigation right away. Companies that do so are looked upon favorably by the Securities and Exchange Commission, since they appear prepared and credible. One public company I’ve worked with jumped on an investigation as soon as a whistle-blower went to the SEC with claims of accounting fraud. Upper management convened and examined the specific allegations one-by-one. The company was already aware of the issues raised in the whistle-blower letter and had made appropriate disclosures and changes to the accounting system. If the company had not been as prepared by the time the SEC became officially involved, the findings might have been regarded as an attempt to sway the regulator.

Take all tips seriously. The preceding case demonstrates the need to take whistle-blower allegations seriously, even when management has substantial knowledge that the allegations are false. Management knew that the whistle-blower letter had sufficient detail that it could be considered credible by the SEC, and they were right. They took no chances and quickly engaged a forensic accountant to independently evaluate the allegations and report the findings to the board of directors.

Know when to look outside. If a full-blown fraud investigation is required, an early decision needs to be made on who will investigate. Corporate security or internal audit is often effective in the very early stages of an investigation, as both have access to information that can help them evaluate the level of risk. They also have knowledge of the company, its operations, and its procedures, and that background information can be helpful. However, the more serious the situation, the more likely it is that management should utilize other resources for fraud investigations.

Suspicions or allegations of serious fraud need the involvement of counsel, upper management, and probably the board of directors. These “serious” frauds include those with high dollars at risk, those that involve senior management, and those that expose the company to significant risk of a government investigation or action. Depending on the type of case, the external investigator could be an attorney, a private investigator, a computer analyst, or a forensic accountant. Since a third party does not rely on the company for day-to-day employment, such an outside investigator can ask hard questions and raise critical issues without danger of being fired. It is also less likely that the independent investigator will be improperly influenced by management.

Be forthcoming. After it has been determined that allegations of fraud could have merit, the process of gathering information begins. If specific parties or transactions have been identified, it may be easy to gather the related documentation to determine if something inappropriate happened. But in most cases, it will not be quite so simple. An investigation will be needed to thoroughly examine the potential fraud and possibly identify other areas of concern.

Protect the data. When using outside investigators, make sure to have outside counsel direct the work and receive the results. If outside counsel engages the investigators, the results of the investigation can be protected by the attorney-client privilege. The company may not need this extra layer of defense, but until you know more about the potential fraud, it is better to err on the side of caution and protect the work product. This protection is especially important if the company may become a target of a government investigation. Even if management thinks there is “nothing to hide,” it is still wise to guard the results of an investigation in case the government becomes involved.

Make corrections to processes. Even if the fraud claims turn out to be false, the tip may lead your company to realize that a certain process has been lax. By showing the company is making amends, regulators may look even more favorably on it. The company I referenced above put itself in an excellent position by taking substantial action to correct its accounting functions so that transactions would be recorded correctly on an ongoing basis.

Tracy L. Coenen, CPA, CFF, is a forensic accountant and fraud investigator with Sequence Inc. in Milwaukee and Chicago. She has conducted hundreds of high-stakes investigations involving corporate embezzlement, financial-statement fraud, securities fraud, investment fraud, tax fraud, and criminal defense. Tracy is the author of Expert Fraud Investigation: A Step-by-Step Guide and Essentials of Corporate Fraud, and has been qualified as an expert witness in both state and federal courts.

Leave a Reply