Is this the lucky day for the Auditor?
The headless chicken syndrome starts: have you seen how, when a chicken's head is cut off, the body starts running? Well, companies act the same way: everybody runs… meeting emergency requests… everybody is confused about what to do, but everybody gives their point of view… Bottom line: who should be responsible for managing the fraud? Is it Internal Audit's responsibility?
No. Most companies misunderstand who is responsible for fraud. Yes, Internal Audit should be able to detect fraud, depending on its work and scope. But it is a shared responsibility among Internal Audit, Compliance and members of their respective Committees, Legal, Human Resources and the CEO. These are the “basic” members that should manage fraud or get together when it happens, but…
Depending on the company's structure and size, Security could also be added. Some Directors (Executive Management) could be added as well, but this depends on who the possible fraudster is. Obviously, if the CEO or any other Executive is involved, that person should not be included in the fraud investigation meetings. This also applies to any other area in the “basic” group.
Here are tips that apply worldwide to improve the prevention and detection of fraud:
a) It is great that companies have a hotline, but who monitors it? The company has three options: internally, externally or a mix of both. If it is monitored internally, it is important to assign it to Internal Audit (IA) and/or Compliance. Some companies give access to other areas such as Legal or Human Resources. Do not do that. Remember that, due to their nature, Internal Audit and Compliance have the qualifications to do it (independent, objective and with access to Committees if needed). If it is monitored externally, determine together with the provider the escalation system and the criteria for reporting a case as urgent or normal. Whether it is external or a mix, the company’s contact should be Internal Audit and/or Compliance. You do not want indiscretion or gossip in the aisles.
b) OK, you have brave people who report; is the company going to protect them? If people have the courage to report, then the company should be prepared to protect them, perform investigations and improve internal controls so that the experience is not repeated. In other words, do something! Impunity happens and lasts because people don’t see a change, don’t see that the company really cares. If you think that everything is OK because there are no reports in the company you run or work for... sorry to let you know: you are wrong. Your company is one more in the statistics: people do not talk because they are afraid, because they think nothing will happen, because they do not want to lose their job. Result: SILENCE…
c) Avoid ego. How many times have you heard that Human Resources started an internal investigation because they knew of some violation of the Code of Conduct? Areas encroach on each other’s responsibilities. Neither Human Resources, Operations, Legal, Finance nor any other area should start an internal investigation by itself. Even IA or Compliance should report it to their Committees and/or the CEO. Surprisingly, when there is a fraud case everybody wants to participate, investigate and come up with the fraudster. Leave ego aside and clearly define roles and responsibilities.
d) Rely on experts. Regardless of whether the company is going to imprison the fraudster, it should make sure to involve legal and labor lawyers. Many companies think that an investigation should be made in-house… this is true up to a certain point: IA and/or Compliance can investigate using documents, data, camera recordings, files, inventories, etc. But when the moment comes to interrogate the possible fraudster, they need advice from experts. This is where the attorneys come in: they can help you manage the situation. For example: in Mexico, if you interrogate someone in a closed room, the person could sue for unlawful deprivation of liberty. If the criminals get advice, why not you? You don't want to be sued and lose the case because of “a technicality” or ignorance.
e) Develop an anti-fraud program and a fraud checkup. The former should be the framework for what to do, how to do it, who is responsible for what, investigations, etc. The latter is to monitor how vulnerable the company is to this risk.
f) Keep a record of red flags: how many have triggered investigations? How many have been repeated? In which areas have they been repeated? (For example: operations, legal, accounting, etc.) Is it the same job position? Make an inventory of these, which will help you improve your internal controls and detect possible frauds more easily.
g) Correct what has to be improved! Do not copy what other companies do: their response to the fraud is to dismiss the fraudster. Really? “Everything remains the same”: they think hiring another person will solve the situation, but the internal control weakness prevails and then the story is repeated…
Last but not least: train all employees. Emphasize the code of conduct and ethics and encompass all types of fraud; do not refer only to stealing assets, for example. They are your eyes and ears where you can’t be. Make them aware of unacceptable behavior, encourage them to speak up and demonstrate that the company takes it seriously. In the end it is everybody’s business: if the company suffers a fraud, it has a consequence. We have seen so many fraud cases that lead companies to bankruptcy. Nobody wants to lose their job because of that…
By Mónica Ramírez Chimal, México
Partner of her own consultancy Firm, Asserto RSC: www.TheAssertoRSC.com
Author of the books “Don’t let them wash, Nor dry!” and “Make life yours!”, published in Spanish and English. She has written several articles about risks, data protection, virtual currencies and money laundering. Mónica is an international lecturer and instructor and has been Internal Audit and Compliance Director for an international company.