Call the Internal
Auditor, immediately!
Is this the lucky day for the Auditor?
The
headless chicken syndrome starts: have you seen when a chicken head is cut off
and how the body starts running? Well, companies act the same way: everybody runs…
meeting emergency requests… everybody is confused on what to do, but everybody gives
their point of view… Bottom line: who should be responsible for managing the
fraud? Is Internal Audit responsibility?
No. The
majority of the companies misunderstand the responsibility of fraud. Yes, Internal
Audit should be able to detect fraud depending upon its work and scope. But it
is a shared responsibility between: Internal Audit, Compliance and members of
their respective Committees, Legal, Human Resources and the CEO. This is the “basic”
members that should manage fraud or get together when it happens but…
Depending
upon the company structure and size it could also be added Security. It also could
be added some Directors (Executive Management) but this depends on who the
possible fraudster is. Obviously if the CEO or any other Executive is involved,
it should not be included in the fraud investigation meetings. This also
applies to any other area in the “basic” group.
Here are
tips worldwide to improve prevention and detection of fraud:
a) It is great that companies have a
hot-line but, who monitors? The company has three options: either internally,
externally or a mix of it. If it is internally it is important to assign it
either to Internal Audit (IA) and/or Compliance. Some companies give access to
other areas such as Legal or Human Resources. Do not do that. Remember that due
its nature, Internal Audit and Compliance have the qualifications to do it
(independent, objective and access to Committees if needed). If it is
externally monitor, determine together with the provider: the escalation system
and criteria to report it as urgent or normal. Both externally or a mix, the
company’s contact should be Internal Audit and/or Compliance. You do not want
indiscretion or gossip on the aisles.
b) Ok, you have brave people who
reports, is the company going to protect them? If people have the courage to
report then the company should be prepared to protect them, performed
investigations and improve internal controls so that experience does not
repeat. In other words, make something! Impunity happens and lasts because
people don’t see a change, don´t see the company really cares. If you are
thinking that everything is ok because in your company you run or work for,
there are no reports...sorry to let you know: you are wrong. Your company is
one more of the statistics: people do not talk because they are afraid, because
they think nothing will happen, because they do not want to lose their job. Result:
SILENCE…
c) Avoid ego. How many times have you
heard Human Resources started an internal investigation because they know of
some violation to the Code of Conduct? Areas encroached between each other’s responsibilities.
Neither Human Resources, Operations, Legal, Finance, etc. nor any other area
should start an internal investigation by themselves. Even IA or Compliance
should report it to their Committees and/or CEO. Surprisingly when there is a
fraud case everybody wants to participate, investigate and come up with the
fraudster. Leave ego aside and define clearly roles and responsibilities.
d) Rely on experts. Regardless the
company is going to imprison the fraudster it should be aware to involve legal
and labor lawyers. Many of the companies thinks that an investigation should be
made in-house…this is true at a certain point: IA and/or Compliance can
investigate using documents, data, camera recordings, files, inventories, etc.
But when the moment comes to interrogate the possible fraudster they need to
have advice from experts. Here come the attorneys who can help you on how to
manage the situation. For example: in Mexico if you interrogate someone in a
closed room the person could sue for unlawful deprivation of liberty. If the
criminals get advice, why not you? You don't want to be sued and loose the case
because of “a technicality” or ignorance.
e) Develop an anti-fraud program and a
fraud checkup. This should be the framework on what to do, how to do it, who is
responsible of what, investigations, etc. And the latest to monitor how
vulnerable the company is towards this risk.
f) Keep a record on red flags: how many
have been a trigger for investigations? How many have been repeated? Which have
been the repeated areas? (For example: operations, legal, accounting, etc.) Is
it the same job position? Make an inventory of these, which will help you to
improve your internal controls and detect possible frauds more easily.
g) Correct what has to be improved! Do
not copy what other companies do: their response to the fraud is to dismiss the
fraudster. Really? "Everything
remains the same” thinking hiring another person will solve the situation
but the internal control weakness prevails and then the story is repeated…
Lastly but
not least: train all employees. Emphasize the code of conduct and ethics and
encompass all types of fraud; do not refer only to stealing assets, for
example. They are your eyes and ears where you can’t be. Make them aware of
unacceptable behavior, encourage them to speak up and demonstrate that the
company takes it seriously. At the end it is everybody’s business: if the
company suffers a fraud, it has a consequence. We have seen so many fraud cases
that lead companies to bankruptcy. Nobody wants to lose its job because of
that…
By Mónica
Ramírez Chimal, México
Partner of
her own consultancy Firm, Asserto RSC: www.TheAssertoRSC.com
Author of
the books, “Don´t let them wash, Nor dry!” and “Make life yours!”
published in Spanish and English. She has written several articles about risks,
data protection, virtual currencies, money laundering. Monica is international
lecturer and instructor and has been Internal Audit and Compliance Director for
an international company.
No comments:
Post a Comment