fraud and compliance: a robust 360° approach

©2015

FRAUD AND COMPLIANCE: A ROBUST 360° APPROACH

Fraud is widespread across all business lines, and the most cost-effective method to address this

growing concern is prevention. Data-driven detection is a close second, followed by

investigation. Combined, these three techniques are designed to combat fraud and guarantee

regulatory compliance. Does your organization have a robust 360° approach to this $3.7 trillion

problem? This session, led by an industry expert, will deliver best-practice methodologies and

proven techniques highlighted by case studies and thought-provoking discussion.

You will learn how to:

Create, implement, manage, and improve the essential elements of an effective fraud,

compliance, and ethics program.

Comply with anti-fraud laws and regulations, including the Foreign Corrupt Practices Act,

commercial bribery statutes, Sarbanes-Oxley Act, anti-trust regulations, and industry-specific

legislation.

Identify best practices through case studies.

Mitigate the risk for penalties under the Federal Sentencing Guidelines.

R. A. (Andy) Wilson, CFE, CPP

VP Fraud & Compliance

Sedgwick Claims Management Services Inc.

Memphis, TN

For more than 25 years, Andy Wilson has conducted and supervised criminal, civil, and financial

investigations for the government and as a corporate consultant. His major focus includes

financial fraud investigation and employee dishonesty schemes. He is an expert in fidelity

insurance claims and recovery, and has assisted financial institutions, corporations, and

organizations with multimillion-dollar recoveries on a global basis. In an effort to prevent fraud

and provide early warning signs of workplace dishonesty, he designed a 100-Point Fraud

Examination, which has been used by companies to detect fraud and abuse.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the

ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of

this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without

the prior consent of the author.


26th

Annual ACFE Fraud Conference and Exhibition ©2015 1

NOTES Twenty-five years ago, the Federal Sentencing Guidelines

for Organizations (FSGO) went into effect. The FSGO

recognizes that organizations, like individuals, can be

found guilty of criminal conduct, like fraud, tax offenses,

anti-trust, and more. While organizations cannot be

imprisoned, courts can measure their punishment for

felonies by fines, probation (with monitoring), and

collecting restitution, among others. The FSGO was

designed to have two purposes: (1) fraud deterrence and (2)

just punishment. The FSGO allows for a scale of just

punishment relative to the “blameworthiness of the

offender,” and incentives for organizations that prevent and

detect fraud. An FSGO overview is an attachment to this

paper (See Appendix A). The FSGO and other laws like

SAS 82, the Sarbanes-Oxley Act, and SAS 99, among

others, have led organizations to create and constantly

improve their fraud and compliance initiatives.

Overview of Fraud and Compliance

There are two ways someone can illegally take something

from someone else. The first is by force, often referred to

as robbery; the second is by trickery, also known as fraud.

Often, robbery receives notoriety in the media, though it is

fraud that causes the most damage through significant

losses of assets, and sometimes corporate destruction.

Fraud is defined by Webster’s New World Dictionary as “a

generic term that embraces all the multifarious means

which human ingenuity can devise which are resorted to by

one individual, to get an unfair advantage over another by

false representations. No definite and invariable rule can be

laid down as a general proposition in defining fraud, as it

includes surprise, trickery, cunning and unfair ways by

which others are cheated. The only boundaries defining

fraud are those which limit human knavery.”


26th


NOTES Webster’s defines compliance as “giving in to a request,

wish, or demand; acquiescence.” This is true; however,

compliance can also be described as being in accordance

with federal regulations, state statutes, and municipal

ordinances and their requirements.

Best practices include: (1) national and international

organizations are increasingly recognizing the importance

of fraud and compliance programs, and (2) leadership of

these programs are moving from mid-level managers to the

executive level, signaling the elevated importance of the

overall fraud and compliance mission.

Why Do We Focus on Both?

In recent years, fraud and compliance professionals

have found great harmony in working together. After

all, fraud practitioners spend their time focused on:

Prevention through awareness and training

Detection using analytical based testing

Investigation focused on internal and external

perpetrators and their schemes

Meanwhile, compliance professionals focused on the:

Implementation of programs to adhere to regulatory

and/or statutory compliance aimed at anti-fraud,

licensing, privacy, and a host of other issues

Assurance that controls are capable of detecting

patterns of illegal, unethical, or improper conduct

by employees, agents, contractors, or others

working for the organization

Certification that the enterprise has effective

mechanisms to identify responsible persons who

have the propensity to violate federal, state, or local

laws or regulations or engage in unethical conduct


26th


NOTES Gosh, they sound a lot alike. While both areas certainly

deal with much, much more, they have very similar

goals, ideas, and strategies.

Best practices include: (1) a large transition of national

and international organizations—including public,

private, and nonprofit—are moving to blend the efforts

of fraud and compliance initiatives.

Good Corporate Culture Is Essential

Corporate culture is not a program designed by

management. Nope! Culture is the way “things are”

inside an organization. In most organizations, culture is

pervasive—that is, employees emulate the actions of

their supervisors, and new employees take on the traits

and actions of others. Leaders might articulate what

they want the culture to be, but it is the actions that they

take and the journey they walk that will help to define

an organization’s culture.

Yes, the “tone at the top” sets the framework for the

entire organization. Leaders who understand the

difference between desired culture and actual culture

are moving down a path toward success. However, the

factors that influence the enterprise might not be the

same for all. For example, cultural factors that affect

organizational leaders might differ in impact from the

middle manager to the line employee, which brings us

to discuss the: (1) tone at the top, (2) mood in the

middle, and (3) buzz at the bottom.

The tone must go further that just following the same

rules as others. Leadership actions must show positive

behaviors that reduce fraud risks and model respect for

the law (i.e., regulations, statutes, policies, and

procedures, etc.). To be effective, this behavior must be


26th


NOTES visible in action, word, and deed. Middle managers

drive the mood at all organizations—good, bad, or ugly.

The middle manager also has the greatest pressure,

placed upon them because they often are squeezed

between the top leadership edicts and the realities of the

worker. Many will recall that pressure is one of the

elements in the fraud triangle (see Donald R. Cressey,

Other People’s Money, Montclair: Patterson Smith,

1973).

Pressure can cause friction between the middle

managers and workers and, if combined with other

elements of the fraud triangle (opportunity and

motivation), might create a negative effect on the

culture and create an environment ripe for fraud.

Employees generate the buzz! Most employees spend

much of their day out of the sight of their manager. So,

does culture dictate that they lie, cheat, or steal?

Hopefully not! Culture plays a very significant role in

shaping the day-to-day perceptions of employees and

the relationship that they have with the organization’s

fraud and compliance efforts, internal controls, and

other initiatives. When tone, mood, and buzz are

working in a harmonistic fashion, positive outcomes

occur.

Best practices include: (1) create a positive work

environment though the proper tone, mood, and buzz,

(2) hire honest people, (3) provide fraud-awareness

training, and (4) provide employee-assistance

programs.

Blending the Professions to Achieve Excellence

After nearly three decades in the making, the natural

marriage of the fraud and compliance professions is


26th


NOTES coming of age in the form of executive leadership

positions within organizations. These professionals are

(1) highly educated, through advanced degrees, (2) well

trained, and (3) experienced broadly in organizational

and industry concerns and share this knowledge

through publishing articles and speaking professionally.

Many hold professional certifications like the:

Certified Fraud Examiner (CFE) by the Association

of Certified Fraud Examiners

Certified Compliance & Ethics Professional

(CCEP) by the Society of Compliance & Ethics

Professionals

Today, professional associations and organizations are

overlapping continuing educational programs, and

higher learning is getting into the act by offering fraud

and compliance degrees.

Best practices include: (1) professionals with advanced

degrees, (2) continuing education and professional

seminars, (3) sharing the body of knowledge by writing

articles and speaking at professional associations and

organizations, and (4) obtaining certifications.

Designing a Robust 360⁰ Approach

360 and robust are musts! But where is one to start? That is

easy! Start, wherever you are. The task might look

daunting, but the option of not having an aggressive,

enterprise-based fraud and compliance program could be

extremely costly, through regulatory fines, penalties, or

worse corporate convictions and even business failure!

Gain Support and Commitment

Support, buy in, and commitment are key components.

It all starts with the board, as it is the governing

authority. We have discussed the importance of the tone


26th


NOTES at the top being critical. There can be no program of

fraud and compliance at all, much less an effective one

without the vision, support, and guidance of the board.

The support by the board should trickle down to the

management, professionals, and employees.

Management plays a critical and influencing role in

making fraud and compliance relevant. When people in

these roles demonstrate personal commitment to the

initiative, it goes a long way in enhancing the enterprise

commitment. When managers and supervisors lead by

example, their actions speak louder than words.

Many industries revolve around key professionals who

hold influential positions within the organization. These

professionals can be of great value in establishing

culture and helping to champion fraud and compliance

initiatives. More important, these professionals can

effectively model best practices to incorporate fraud

and compliance into the job functions of others.

While it is not a crime to make a mistake, it is a crime

to see a mistake and do nothing. Well, it is not

technically a crime, but if this occurs, it could be

detrimental. Effective fraud and compliance programs

require that everyone assume responsibility and take

action. This is of absolute importance because

employees are in the best position to see something

wrong. Support and commitment on the part of

employees will directly correlate to the organization’s

ability to foster an environment of trust.

Best practices include: (1) fraud and compliance

programs that require support at all levels, including

the board, management, professionals, and employees.


26th


NOTES Establish Financial Support

Everything comes with a cost. The board and senior

leadership must be willing to make a financial

commitment to preventing fraud and ensuring

compliance. This includes staffing and space, among

other expenditures. An organization unwilling to

commit the necessary resources is not demonstrating

the importance of fraud and compliance.

Unquestionably and unfortunately, this message will

filter down throughout the enterprise.

Best practices include: (1) financial support of the

fraud and compliance initiative.

Develop a Code of Conduct and Organizational Rules

The cornerstone of a robust fraud and compliance

program is the organization’s Code of Conduct, as this

sets the standards and attitudes for all representatives of

the organization. This includes the board, management,

employees, vendors, independent contractors, and the

like. The Code of Conduct provides the proper process

for corporate decision-making and a commitment to

doing the right thing. Accompanying this article are

examples of Codes of Conduct for:

American Express: “My Company, My Code” (See

Appendix B)

International Paper: “Ethical Behavior and Personal

Integrity are the Core of Our Culture,” (See

Appendix C)

Bank of America: “The Code,” (See Appendix D)

Each is written in a plain and concise manner and

designed to provide an emphasis on fraud; compliance;

ethics; all applicable laws and regulations; and internal

and external policies and procedures, including


26th


NOTES expectations for employee actions and explanations of

management’s responsibility to enforce the code.

Best practices include: (1) having a well thought out

and designed written Code of Conduct reflecting the

organization’s standards and attitudes.

Organizational Authority and Responsibilities

While the FSGO called for organizations to have a

compliance officer, the authority of this position rests

with the backing of the board of directors, while often

reporting to the chief legal officer, who is tasked with

corporate governance.

Individuals entrusted to manage fraud and compliance

programs must be of impeccable character and trust.

This is where the blend of fraud and compliance is

occurring, as there are many, many closely related

objectives, including responsibilities to the public,

corporation, and the industry at large. Some

organizations are combining the fraud and compliance

positions into one, while others have separate positions

with the individuals working closer together to aim at

robust initiatives.

Best practices include: (1) having a fraud and

compliance officer, or (2) having someone from each

discipline work closely together to form organizational

initiatives, and (3) the fraud and compliance role must

have the authority to act.

Identify Staffing Needs

The industry, size of the organization, and other factors

have a direct influence on the size and specific needs of

fraud and compliance teams. The team might include:

(1) training personnel, (2) paralegals to monitor laws


26th


NOTES and regulations, (3) analysts, (4) auditors and monitors,

and (5) investigators, among others.

Best practices include: (1) having the proper staff to

support the organization’s mission.

Conduct a Risk Assessment

One of the first things to do is to assess the current

landscape of the organization. This snapshot in time

helps determine the actual and potential risks of the

organization from a fraud and compliance perspective.

This risk assessment can be conducted by internal

personnel or outside experts. The decision on how to

proceed depends upon the organization’s size and

culture.

Best practices include: (1) conducting a fraud and

compliance risk assessment to determine the

organization’s current landscape.

Communicating Across the Enterprise

With the support of the board and senior leadership,

financial resources, a Code of Conduct, authority to act,

a support staff, and an understanding of the active and

potential risks, the fraud and compliance program is

ready to begin its work. This work includes (1) fraud

prevention, (2) ensuring compliance with industry

regulations and laws as well as corporate policies and

procedures, (3) implementation and enforcement, (4)

continued risk assessment reviews and compliance

monitoring, and (5) constant improvement.

Fraud Prevention and Ensuring Compliance

Education, communication, and awareness; each is

significant and essential to a robust fraud and

compliance program. Instilling the awareness of fraud


26th


NOTES and compliance initiatives may be the single most

important factor in preventing fraud and ensuring

compliance across the organization. This is the most

cost effective method too; others such as detection,

investigation, and resolution are significantly more

costly. Unfortunately, a one-time exposure to a concept,

such as fraud or compliance or even ethics falls way

short of what is necessary to be robust. Some

organizations provide this awareness when one is hired,

and it is never discussed again. Instead, industry best

practices include fraud and compliance training on an

annual basis to all employees, along with reaffirmation

of the principals of the Code of Conduct.

Communicating across the enterprise is also very

effective, which positions fraud and compliance at the

forefront of the organization’s philosophy, encouraging

employees to do the right thing. The opposite position

is not discussing fraud, and playing like it does not

exist—which is a recipe for disaster.

Best practices include: (1) robust education, (2)

effective and ongoing communications, and (3)

concentrated awareness programs held on an annual

basis.

Implementation and Enforcement

With a program at hand, how is it to be administered?

Fraud and compliance professionals must make certain

that there is a means by which insiders and outsiders

can share their concerns. The method of reporting

should be clear and simple. Some organizations handle

this function internally through emails or telephone

calls to specific individuals, while others use tip lines to

accomplish the process. Some organizations use a

hybrid of both. Regardless, there must be a means by


26th


NOTES which to report potential problems or raise concerns.

For any of the reporting methods to be effective, it must

be confidential and free from retaliation or retribution.

A complaint in hand must be investigated. The failure

to do so shows apathy and will clearly affect future

reporting. The buzz will be “there is no need to report

fraud, because nothing is ever done.” Rest assured that

anyone who close enough to see and report a potential

fraud or compliance issue will very likely know if an

organization looks into the reported matter or not. The

degree of the issue can affect how the matter is handled

or how it may be escalated.

The uniform, fair, and equitable treatment of all

conduct is important in dealing with infractions. Other

stakeholders, like personnel or operations, might need

to be engaged for appropriate resolution. This will

assist in bringing consistency across the enterprise.

Best practices include: (1) simple reporting processes,

(2) anonymous tip lines, (3) investigations generated

with actionable information, and (4) fair and consistent

resolutions.

Continually Assessing Risk and Monitoring

Compliance

Determining risk is a moving continuum and is always

a work in process. Yes, risk changes with each new

employee, each vendor, and each acquisition. The

opportunity and possibility for fraud might be created

by a promotion or with the next invoice submitted.

Risks should be constantly evaluated and tested, and

reevaluated and retested again. Monitoring efforts

should be constant as well.


26th


NOTES Best practices include: (1) reassessments of fraud and

compliance initiatives should be revaluated and

retested on a regular basis, and (2) effective monitoring

of ongoing initiatives is essential to confirm

compliance.

Constant Improvement

No matter where an organization is in its fraud and

compliance initiatives, it might never be enough. This is

because for all the good that can be accomplished with

conduct codes, awareness, communication, training, tip

lines, investigation, monitoring, and the like, it might

only take one event to crash an organization. Therefore,

it is important to move the goal post each and every day

by showing thorough diligence and professionalism and

by escalating matters of importance while using

organizational best practices.

Navigating Legal Risks

There are dangerous legal waters facing organizations of all

shapes and sizes, and the risks associated with fraud are

global and pervasive. This article is not meant to be

focused specifically all of the possible fraud and

compliance legal issues; however, we should understand

that numerous frauds and the failure of internal controls

within organizations have created laws to ensure fairness,

honesty, and transparency.

However, some laws form the foundation for fraud and

compliance programs. For example, in 1985, the

Committee of Sponsoring Organizations (COSO) was

created. The COSO dedicated efforts to improving the

quality of financial reporting through business ethics,

effective internal controls, and corporate governance. In

1987, the Report of National Commission on Fraudulent

Financial Reporting (also known as the Treadway


26th


NOTES Commission) identifying the causal factors that can lead to

fraudulent financial reporting and the steps to reduce

incidents. In the early 1990s, the FSGO, created the

guidelines to hold organizations accountable by applying

“just punishment” for criminal actions and “deterrence

incentives” to prevent and detect fraud.

Statement on Auditing Standards (SAS) 82 was written in

1996. SAS 82 provided guidance to auditors for detecting

fraud when conducting audits, and replaced previously used

terms of errors and irregularities with the word fraud! In

2002 came the Public Company Accounting Reform and

Investor Protection Act, named the Sarbanes-Oxley (SOX)

Act after the authors of the law. This landmark legislation,

the most significant in 60 years, provided notable changes

to the U.S. securities laws. SOX affects all publicly traded

organizations and many of the initiatives have become best

practices for private and nonprofit organizations as well.

Specific Fraud and Compliance Risks

When operating a fraud and compliance program, there are

specific risks that management must consider and work to

prevent. The United States and the United Kingdom, along

with several other countries, promulgated laws that require

organizations to mitigate fraud risks. These risks often

center on anti-corruption and anti-bribery, anti-money

laundering, anti-trust, conflicts of interest, consumer

protections, and government contracting.

Foreign Corrupt Practices Act

The United States led the way with the Foreign Corrupt

Practices Act (FCPA) to prohibit bribing and corrupting

foreign officials so that business can operate without

improper advantage. The United Kingdom followed

suit with the UK Bribery Act. Both laws are of


26th


NOTES significance to the areas of fraud and compliance.

These global fraud initiatives are designed to:

Prevent and detect bribery situations at an

organization.

Establish the best position for an organization that is

the subject of an investigation.

These initiatives require risk assessments aimed at

preventing bribery and corruption, specific wording in

an organization’s policies and procedures, continual

monitoring, auditing, and reassessments.

Anti-Money Laundering

Money laundering is frequently associated with

organized crime through hiding drug proceeds, human

trafficking, and smuggling weapons. While this is true,

money laundering also supports terrorism. It is a

process used to clean ill-gotten money and reintroduce

the money into an organization for legitimate use

without government detection. Money is laundered in

three stages:

Placement

Layering

Integration

Placement involves placing dirty cash obtained from

illegal activities into the banking system. The cash

deposits are usually below $10,000 to avoid cash

reporting requirements. Layering is a process that

distances the deposits from the initial source. This is

accomplished by writing checks or sending wires to

other organizations (usually a shell). The final stage of

integration reintroduces the money into the financial

system as legitimate money. Anti-money laundering

(AML) efforts are used to combat this growing

problem.


26th


NOTES Significant AML efforts are required of all financial

institutions, as part of the Bank Secrecy Act (BSA).

However, non-financial organizations may also be

subjected to money laundering too. While non-financial

organizations are not required to follow the BSA

entirely, they are required to report transactions larger

than $10,000 for individuals or organizations:

With accounts at foreign banks

When transporting currency into or out of the

United States

Fraud and Compliance: Making it Robust

Fraud and compliance must be sold to others, but it is never

a one-time sell. Fraud and compliance is an ongoing

process and requires the ability to convince others to do the

right thing. Selling the program goes with the territory, and

is required to keep the initiatives relevant and the

commitment energized. Included below are 10 tips that can

be mixed and matched to assist in making fraud and

compliance programs robust.

Tip 1

Bad things can happen—there are dark waters with

horrible consequences in the business world. Protecting

the organization from legal pitfalls is important, and the

fear of such pitfalls can be an effective tool for

advancing fraud and compliance programs. Preventing

trouble from happening and avoiding violations of the

law can be a powerful motivator to organizations. This

is especially true in the United States, where we tend to

use criminal law more and more as a regulatory tool.

Raising fraud awareness and enacting a simple

reporting mechanism is an essential method to learn of

potential criminal or civil liability; which allows action

to be taken before the government enters the equation.


26th


NOTES Tip 2

Protect the brand—reputation is important. Bad news

about an organization can severely punish and even

cripple the brand. This loss of reputation caused by

fraud or lack of compliance is much more important

than the fines and penalties an organization could

receive through litigation.

Tip 3

Protect the board from prosecution or other litigation—

another compelling reason to have an effective fraud

and compliance program. Board members are

influenced by what they have seen in the news and

heard from others. It is very satisfying to all concerned

that board members know that the organization is on

top of fraud and compliance issues.

Tip 4

Fraud and compliance fits our corporate strategy—it is

easy to tie fraud and compliance initiatives into an

organization’s strategy. For example, it easily fits into

the Code of Conduct, good management techniques,

and best practices. Fraud and compliance initiatives are

the meat and potatoes of effective best practices. These

initiatives must extend into all areas of the organization

and culture, and must be a permanent feature.

Tip 5

Protect the company from fraud and theft—one of the

biggest benefits of compliance efforts is the fact that it

uses the same initiatives to protect the organization

from fraud and theft that anti-fraud programs use. This

is the reason that fraud and compliance programs are

finding common ground and merging.


26th


NOTES Tip 6

Trends are powerful—no one wants to be left out of a

good thing or to be left behind. All public

organizations, and most private and nonprofits, are

embracing the need for fraud and compliance programs

as set out in Sarbanes-Oxley. The advantage of industry

competitiveness combined with the regulatory

environment is mandating forward-thinking efforts.

Tip 7

It is the right thing to do—and many believe that doing

the right thing is important.

Tip 8

“Fraud can’t happen at our organization”—in reality,

this is a flawed statement. If an organization has had

few or no problems, management might think there is

no reason to worry. It might say trouble hits other

companies and other industries; however, leaders could

be in for a rude and costly awakening. Fraud is

pervasive and can strike anywhere.

Tip 9

Go on offense (not defense)—having an effective fraud

and compliance program has advantages for the

organization. Leaders should not see the initiatives as a

cost, but instead as an opportunity to add value to the

organization. This offers a more positive and exciting

reason for endorsing the company’s fraud and

compliance program. Having a good program can help

in recruiting and retaining good people, from the board

to employees. The customers have an interest too, as do

suppliers. Additionally, there is a large, tangible,

commercial benefit to having an effective fraud and

compliance program.


26th


NOTES Tip 10

Go all in—to leverage existing efforts toward a robust

fraud and compliance program. Most organizations

have a lot already in place. While it might be fractured,

or exist in organizational silos, pieces of fraud and

compliance initiatives are there, so it is not like starting

from scratch. Instead, evaluate what is already in place

and in practice at the organization, and piggyback on

these efforts to move forward in a comprehensive

method.

fraud and compliance: a robust 360° approach

Documents