Global anti-fraud and compliance enforcement is on the rise, and regulators want proof that fraud risk management programs are effective. Here we look at some of the hard questions organizations need to ask and some examples of how companies have updated their systems to tackle fraud in the post-COVID environment.
As the new year dawned, Susan felt good about what she and her team had accomplished in 2021 with their fraud risk management program. As the head of internal audit and investigations at a mid-sized manufacturing company, she was confident her program aligned to the five principles described in the ACFE/COSO Fraud Risk Management Guide (FRMG). (See ACFE.com/fraudrisktools.) But now, a few months into the new year, Susan is struggling to find a solid, data-driven answer for her chief compliance officer and chief financial officer, who are asking how the program is actually working, in practice.
Supply-chain issues, new hybrid working models (with many employees working remotely) and other changes to the business environment brought on by the COVID-19 pandemic have altered her company’s fraud risk landscape. How can Susan ensure her program is relevant, and, even more important, how can she and her team measurably demonstrate anti-fraud and compliance effectiveness via key performance indicators? Susan and her company are fictional, but these are dilemmas currently on the minds of many anti-fraud
Leading guidance provides framework
As CFEs, we come from many different disciplines: accounting, internal audit, law, compliance, law enforcement, finance, government and business, to name a few. Each of these disciplines has its own guidance on mitigating fraud risks.
Perhaps best known to CFEs and anti-fraud practitioners is the aforementioned FRMG. COSO’s Fraud Risk Task Force is currently updating the FRMG, with an expected release later this year. COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, generally sets forth the expectations for an effective internal controls environment. (See “Innovation Update,” by Vincent M. Walden, Fraud Magazine, November/December 2021, tinyurl.com/2p9aft3c.)
In the legal and compliance arena, practitioners often look to the U.S. Department of Justice’s (DOJ) “Evaluation of Corporate Compliance Programs (Updated June 2020),” which carries some weight as it’s what prosecutors use, in part, to decide on an offending organization’s culpability and potential penalties. (See tinyurl.com/yyw9lcc2.) Kara Brockmeyer, a partner with Debevoise & Plimpton LLP and former chief of the SEC Enforcement Division’s FCPA Unit, advises clients on how to improve their anti-fraud and anti-corruption programs and points to 10 key questions from the above DOJ guidance. I’ve collaborated with Brockmeyer in the past to organize some of the DOJ guidance’s key questions that focus on how organizations can measurably demonstrate the effectiveness of a compliance/anti-fraud program. She’s summarized them on page 13. As you read them, ask yourself: “How well can my organization answer these questions?”
Going back to our fictional example, Susan evaluated her own organization in the context of the DOJ questions on page 13 and found many couldn’t be fully answered. This was especially a concern with respect to how her company conducted risk assessments and managed third parties. For example, her company conducted extensive due diligence on third parties during the vendor setup process. However, risk indicators, such as contract terms or thresholds for spending, were never migrated into the financial accounting system that actually paid and tracked those vendors.
Don’t overlook in-house resources
Fortunately, there’s hope for Susan — and others in her position looking to measurably demonstrate an effective compliance and anti-fraud program. If you have a marketing department, finance department, information technology team or some other business function where the analysis of data requires them to utilize business intelligence, data warehouse or data visualization tools to help them make decisions, you may be able to leverage what’s already in place — without buying expensive software licenses or data warehouses. Whether those resources require major or minor modifications is typically based on the nature and complexity of the business. But in my experience working with a variety of clients in several industries, there are always some “quick-hit” wins and/or cloud-based solutions that you can rapidly deploy to improve transparency and address key fraud risks.
Here are examples of how some organizations are improving and updating their compliance and fraud risk management programs.
Amy Kulikowski is vice president, internal audit for Cooper Standard, a global supplier of sealing and fluid handling systems in transportation and industrial markets. Her team uses scripting (i.e., a programming language that automates certain tasks) and other self-operating tools with their financial accounting/enterprise resource planning (ERP) system to refresh monthly and quarterly data on all global procure-to-pay and T&E spending.
Hosted on a secure, third-party, cloud-based analytics platform, their fraud risk management and compliance-monitoring system assesses and monitors hundreds of thousands of payments each month, and ranks thousands of vendors and employees from highest to lowest risk based on over two dozen risk criteria.
Patricia Bradford is chief human resource officer at Elara Caring, a national skilled-home-healthcare, hospice care and personal-care-services organization. She uses scripting and automation tools to gain better insights into her organization’s employee payroll base by integrating over 1,200 distinct payroll files of over 25,000 full- and part-time employees. Working with her IT department and an outside consulting firm, Bradford leveraged the business intelligence tools already used in her organization to build dynamic risk-scoring and anomaly-detection dashboards that flag payments to terminated employees, statistically anomalous payments, potential overtime abuses, repeated hiring and termination patterns and off-cycle disbursements, among many other data-driven tests.
On a larger scale, who would’ve thought that the world’s biggest beer brewer also has one of the most mature anti-fraud and compliance-monitoring platforms? There isn’t enough room in this column to describe how Anheuser-Busch InBev uses in-house resources across its IT, data science, finance and legal departments to improve transparency in its businesses through its BrewRIGHT platform, but I encourage you to read more in The Wall Street Journal and Harvard Business Review. (See “AB InBev Taps Machine Learning to Root Out Corruption,” by Dylan Tokar, The Wall Street Journal, Jan. 17, 2020, tinyurl.com/d4abch3k; and “Designing a Compliance Program at AB InBev,” by Eugene Soltes, Harvard Business Review, March 28, 2018, tinyurl.com/2eta33x4.) For a visual primer, Dheeraj Thimmaiah, global director, ethics & compliance at Anheuser-Busch InBev, provides a summary of how the BrewRIGHT platform works globally. This is integration and data transparency at its best.
Make an impact this year
Regardless of your organization’s size or complexity, it’s important to bring transparency to your business, especially around company spending and/or sales. This is true not just for regulators — who are increasingly clamping down on organizations out of compliance — but for sustainability and business performance.
As you think about your goals for this year and next, consider how you can partner with other areas in your organization to measurably demonstrate that your fraud risk management program actually works, in practice.
This article was originally published in Fraud Magazine in April 2022.