Thursday, 9 February 2012

Planning is Key in Corporate Fraud Risk Management

Joseph Dooley is a forensic accountant who spent 21 years with the FBI. Most of that time he investigated white-collar crime—including financial institution fraud and asset misappropriation—and he also started the bureau’s computer crimes squad. The fallout from fraud can have a range of consequences for an organization, from financial losses and reputational damage to government penalties. 

During economically tough times, says Dooley, mounting pressure on both individuals and organizations can lead to acts of fraud. Now managing director at digital risk-management firm Stroz Friedberg, where he heads the forensic accounting practice, Dooley tells how an organization can both prevent and respond to acts of fraud. An edited version of that conversation follows.

CorpCounsel: How is the law department of an organization involved in a fraud case?
Joseph Dooley: The general counsel’s office would typically be involved in every response to a fraud scheme—and what I mean by response is an investigation of some kind. And the general counsel’s office should be involved from the beginning in the prevention of fraud by working with management to develop appropriate policies and procedures; a code of conduct and related standards; the rules with respect to employee and third-party due diligence—are we as an organization going to conduct a background investigation of every vendor and employee that we engage for our organization, and what are the legal ramifications for that?

CC: It’s legal to conduct employee background checks?
JD: Each state has its own laws on how far an organization can go with respect to conducting background checks. The general counsel’s office for any organization should be familiar with the relevant laws that exist within the state that they operate in before they go down that path. But most organizations do some kind of background check on their employees before they’re hired. That’s definitely a critical part of a prevention program.

CC: How do you incorporate forensic accounting into monitoring for fraud?
JD: Years ago, accountants and forensic accountants would sample data. We would look at a certain set of transactions and see if there’s any type of fraud, waste, or errors that occur with respect to transactions. Nowadays, we have the technological ability to look at 100 percent of the data.

For example, we can look at transactions that flow out of a procurement department. We can look at payments to certain vendors, and bring in third-party or other internal information, such as a taxpayer identification number or social security number. You can compare those numbers against your HR data. Do we have vendors that share the same social security number as one of our employees? Do we have vendors that share the same address as one of our employees?

CC: How should an organization respond to fraud if it does occur?
JD: No matter how robust your fraud risk-management program is, every organization is going to get hit with some type of fraud. You should think about a response plan before you need to execute that plan.

Once you need to execute the plan—what are the protocols for your organization? Who’s going to be in charge of the investigation? That will depend on a number of factors. Is it a low-level fraud, conducted by the accounts payable clerk or the accounts receivable clerk? Or is it a financial reporting fraud conducted by the chief financial officer? That would determine who gets assigned to that investigation. If it’s senior management, your audit committee should be aware of and fully engaged in that investigation. 

Then, is it a criminal matter that we would consider self-reporting to the Justice Department and the SEC? Again, those are issues that an organization should discuss with its outside counsel. Is it something we’re going to handle internally? Do we need third-party assistance, or are we going to handle it ourselves?

CC: And once the dust has settled? 
JD: You look at fraud and say: What happened? How did they breach our defenses? You adjust and modify whatever controls you have in place. You add that to your communication and training of your employees, and you maintain a consistent disciplinary process against employees, even if it’s your top salesman. Otherwise, your employees will see that and think: If I’m a big seller, I get a pass. So consistent disciplinary procedures are critical, and it sets the tone within an organization.
