taking the best route to managing fraud and …...taking the best route to managing fraud and...

Taking the Best Route to Managing Fraud and Corruption RisksThe Economic Crime and Justice Studies Department at Utica College and Protiviti Scrutinize the State of White-Collar Crime and the Frameworks Used to Manage Fraud and Corruption Risks

iTaking the Best Route to Managing Fraud and Corruption Risks

Introduction ......................................................................................................

Methodology .....................................................................................................

Fraud Risk Governance .......................................................................................

Fraud Risk Assessment ......................................................................................

Fraud Prevention Techniques ..............................................................................

Fraud Detection Techniques ...............................................................................

Corruption .........................................................................................................

Reporting, Investigation and Corrective Action ....................................................

In Closing ..........................................................................................................

Survey Demographics ........................................................................................

About Protiviti ...................................................................................................

About Utica College ...........................................................................................

TABLE OF CONTENTS

1

3

8

17

28

33

38

4

15

20

32

36

1Taking the Best Route to Managing Fraud and Corruption Risks

INTRODUCTION

“WHITE-COLLAR CRIME AND FRAUD ARE SIGNIFICANT RISKS TO SHAREHOLDERS AND A LIABILITY TO ORGANIZATIONS. YET, MANY ORGANIZATIONS ARE NOT INVESTING THE TIME AND RESOURCES TO GET IN FRONT OF THE RISK.”

– Scott Moritz, Managing Director, Protiviti

In September 2015, the U.S. Department of Justice (DOJ) put corporations on notice: When it comes to corporate fraud, the DOJ’s top priority is not financial recovery, but rather bringing the individuals responsible to justice. In a memorandum to federal prosecutors,1 Deputy Attorney General Sally Quillian Yates called for a more aggressive stance on holding individuals accountable for their crimes − and holding corporate officers and directors accountable for the environment in which those crimes occurred. To ensure adherence to this call to action, the so-called “Yates Memo” instructed prosecutors not to give corporate defendants cooperation credit unless they first identify the individuals responsible for the illegal conduct and not just scapegoats. As Yates stated in her public remarks about the memo: “We’re not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.”

Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and the fraud risk management frameworks used to combat them.

Notable Findings

While there were a number of notable findings that emerged from our research, one thing seems quite clear: The majority of organizations are not well positioned to conduct investigations. Many organizations conducting investigations are under-resourced and are spending more time “putting out fires” than focusing on fraud detection and applying a consistent investigative approach. The majority of companies that are in this situation will very likely find it extremely difficult to identify the responsible parties and receive meaningful cooperation credit for having done so.

1 “Individual Accountability for Corporate Wrongdoing,” DOJ memorandum, September 9, 2015: www.justice.gov/dag/file/769036/download.

http://www.justice.gov/dag/file/769036/download

http://www.justice.gov/dag/file/769036/download

2 Taking the Best Route to Managing Fraud and Corruption Risks

Other notable findings that emerged from our research include the following, which we explore in more detail throughout our report:

• Most companies are still reactive, rather than proactive, in managing fraud risk and respond-ing to fraud and corruption once issues have been identified because they lack resources and strategy. Overall, less than one in five respondents described their organization’s fraud risk strategy as “well defined,” and a little over a third reported having a fraud detection program. Respondents cited a lack of internal resources as the biggest challenge to proactive fraud risk management.

• Few companies are availing themselves of the tools and best practices for mitigating fraud risk. For example, less than one in three large companies have implemented state-of-the-art forensic data analysis, and the numbers are even lower among midsize and small organizations. These results correspond with findings from Protiviti’s 2015 Internal Audit Capabilities and Needs Survey, which listed data analysis and fraud monitoring as two of the top five internal audit priorities.2

• Third-party fraud and corruption risk is barely on the radar of most organizations. Less than one in 10 respondents reported a high level of confidence in their organization’s vendor fraud and corruption risk oversight. When this is considered alongside a recent finding in the Organisation for Economic Co-operation and Development (OECD) Foreign Bribery Report, which found that 75 percent of bribes were paid by third parties, the gap between how much attention is being paid to third parties in comparison to the potential risks they represent is alarming. This finding is consis-tent with key findings of the 2015 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti, which noted a pervasive lack of maturity in vendor risk gover-nance.3 Our findings also suggest that companies may be inviting trouble by not thoroughly vetting acquisition prospects for indicators of corruption and fraud. Indeed, many of the white-collar crime and corruption matters Protiviti is called upon to investigate are the result of fraud and corruption schemes that were not detected during due diligence and continued for years after the deal had closed.

• Organizations without strong fraud detection and reporting programs face a higher risk of damaging “whistleblower” disclosures. The lack of a strong fraud detection and prevention culture – “tone at the top” – can create a vacuum in which some individuals may feel compelled, either morally or for the financial remuneration of a whistleblower “bounty,” to report fraud directly to regulators instead of trusting that their concerns will be fully and fairly investigated internally.

• The trend toward “consultative” internal audits must be weighed against the deterrent effect of surprise audits. While surprise internal audits may run counter to the organization’s culture, they can certainly have a deterrent effect when used in a targeted manner focused on perceived problem areas or intransigent business units or geographies.

2 From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions, Protiviti, 2015: www.protiviti.com/IAsurvey.

3 2015 Vendor Risk Management Benchmark Study, Protiviti and The Shared Assessments Program, 2015: www.protiviti.com/vendor-risk.

http://www.protiviti.com/IAsurvey

http://www.protiviti.com/vendor-risk


METHODOLOGY

Utica College and Protiviti partnered to conduct the White-Collar Crime and Fraud Risk Survey in the second and third quarters of 2015. This global survey, conducted online, consisted of a series of questions grouped into six categories:

• Fraud Risk Governance

• Fraud Risk Assessment

• Fraud Prevention Techniques

• Fraud Detection Techniques

• Corruption

• Reporting, Investigation and Corrective Action

Nearly 300 (n=272) executives and professionals − including board members, C-suite executives, general counsel and chief audit executives − completed our online questionnaire. All respondents are in a position to understand their organization’s fraud risk management capabilities. Survey participants also were asked to provide demographic information about their titles and positions and the nature, size and location of their businesses. We are very appreciative and grateful for the time these individuals invested in our study.

All demographic information was provided voluntarily by our respondents.

Notes:

This report includes numerous breakdowns of the survey findings by company size, defined as follows:*

Company size:

Large = Companies with revenues of $10 billion or greater

Midsize = Companies with revenues between $100 million and $9.99 billion

Small = Companies with revenues less than $100 million

*Upon request, Protiviti can provide additional reporting in these broad categories.


FRAUD RISK GOVERNANCE

Key Observations

• While 92 percent of organizations reported having a formal and documented code of conduct, few consider their fraud risk strategy to be well-defined.

• With regard to the challenges organizations face in managing fraud risk proactively, a plurality (47 percent) of respondents cited the lack of internal resources. “Lack of proactive fraud risk management” (37 percent) and “lack of a unified fraud risk management strategy” (31 percent) were the next two highest responses.

• The fourth-highest reason (29 percent) for not having a well-defined risk strategy is the belief that fraud and misconduct do not represent significant risks. Our experts found this to be inconsistent with the widespread incidence of financial crime across the spectrum of industries represented by the survey participants. This misconception often plays out when companies are performing fraud risk assessments and at roundtable discussions in which many executives state the belief that their overall fraud risks are low − even those operating in particularly high-risk industries and geographies. Without the perception that fraud represents at least some degree of risk, companies whose executives have this mindset are not likely to allocate adequate resources or take steps to strengthen their anti-fraud programs.

KEY FACT

Organizations with a formal and documented code of conduct

97%92%

94% 80%

Large

Small

All

Midsize


Which of the following best describes your organization’s fraud risk strategy?

5 = Very well defined 38% 13% 14%

4 = Defined 23% 28% 30%

3 = Less defined 31% 40% 33%

2 = Reactive only 5% 11% 14%

1 = Undefined 3% 8% 9%

Large companies

Midsize companies

Small companies

Which of the following challenges does your organization face in managing its fraud risk proactively? (Multiple responses permitted.)

There is limited availabilityof internal resources to

address fraud risk.

We lack a unified fraud risk management strategy.

Fraud and misconduct are not considered high risks

within the organization.

Proactive fraud risk management is not a

corporate priority.

We do not have a member of senior management who is designated with ownership and responsibility for fraud

risk management.

There is inadequate funding for anti-fraud

programs and initiatives.

Our organization has a “no fraud here” mentality.

Laws and regulations or cultural norms in our

non-U.S. locations present unique challenges that we

have yet to address.

We lack proactive fraud risk management – our focus is on incident response when

allegations arise.

0% 10% 20% 30% 40% 50%

47%

37%

31%

29%

26%

22%

15%

13%

11%


Commentary

Good governance is essential as regulators and shareholders demand more active management of fraud risk. With the typical organization losing an estimated 5 percent of its annual revenue to fraud,4 it is critical that organizations look past the traditional preventive measures (e.g., code of conduct) and take a proactive approach toward removing the opportunity. The first step is setting the right “tone at the top” – acknowledging that fraud risk is real; examining the specific fraud risks that the company is facing or may face, including those that are nuanced to the company and its industry; and creating and implementing a formal and unified fraud risk strategy.

Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organization?

Chief financial officer

Don’t know

0% 5% 10% 15% 20%

18%

Chief legal officeror general counsel

Internal audit director

Chief risk officer

Chief executive officer

Chief security officer

13%

13%

13%

10%

2%

Other 12%

5%

No senior management professional is designated

with ownership14%

4 Report to the Nations on Occupational Fraud and Abuse – 2014 Global Fraud Study, Association of Certified Fraud Examiners, Inc., 2014: www.acfe.com/rttn/docs/2014-report-to-nations.pdf.

www.acfe.com/rttn/docs/2014-report-to-nations.pdf


Which of the following groups in your organization provides active and defined oversight of the organization’s fraud risk? (Multiple responses permitted.)

Audit committee

C-level executive(s)

Board of directors

Risk managementcommittee

No active anddefined oversight

Other

Don’t know

0% 10% 20% 30% 40% 60%50%

57%

37%

31%

29%

13%

8%

5%

Does your organization have a formal and documented fraud control policy?

Yes 56% 42% 33%

No 41% 53% 60%

Don’t know 3% 5% 7%

Large companies

Midsize companies

Small companies


FRAUD RISK ASSESSMENT

Key Observations

• An effective fraud risk assessment process should be conducted in alignment with the organization’s objectives and thoroughly consider potential vulnerabilities arising from fraud and misconduct. Overall, less than half of respondents reported that they conduct an annual fraud risk assessment, and a troubling one in four said “never” or “don’t know.”

• A fraud risk assessment methodology should include one or more of the following techniques in order to identify potential fraud risk: document review and analysis, interviews with designated managers and process or control owners, electronic data analysis, surveys, and facilitated brainstorming sessions and workshops. While a majority of respondents said they review prior audits, complaints and assessments, less than half (48 percent) conduct interviews. And only a little more than a third (36 percent) use data analytics.

• Some companies consider a fraud risk assessment to be part of their SOX compliance process. This narrow focus fails to address the systemic nature of fraud risk and instead focuses on internal control over financial reporting, which is a mere fraction of an organization’s overall fraud risk.

How often does your organization conduct a formal fraud risk assessment?

Quarterly 0% 4% 3%

Annually 57% 51% 34%

As needed 13% 21% 24%

Never 17% 15% 21%

Don’t know 13% 9% 18%

Large companies

Midsize companies

Small companies


Who within your organization is primarily responsible for conducting your fraud risk assessment?

Internal audit

SOX compliance team

General counsel/legal

Other

None of these

Don’t know

Corporate compliance

0% 10% 20% 30% 40% 50%

45%

10%

7%

5%

18%

12%

3%

“ROUTINE STAFF-RELATED DISCIPLINARY MATTERS AND ROUTINE CASES ARE DEALT WITH BY COMPLIANCE AND HUMAN RESOURCES TEAMS. MAJOR FRAUD INVESTIGATIONS ARE REFERRED TO INTERNAL AUDIT, WHO HAVE BANKING, FRAUD AND INTERNAL CONTROL SUBJECT-MATTER EXPERTS TO REVIEW SUCH CASES.”

– Chief Audit Executive, Midsize Financial Services Institution


Does your fraud risk assessment team include members from different departments?

Yes

47%

No

42%

Don’t know

11%

Which departments participate on the fraud risk assessment team? (Multiple responses permitted.)

Base: “Yes” responses to above

Accounting/finance

Internal audit

Legal

Operations

Human resources

Compliance

Risk management

Corporate security

External consultants

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

82%

75%

68%

58%

54%

54%

45%

29%

14%


Which of the following does your company utilize as part of its fraud risk assessment methodology? (Multiple responses permitted.)

Prior audits or other reviews conducted at

the company

Prior reported concerns and complaints

Previous fraud risk assessment results

Interviews

Brainstorming sessions

Data analytics

Industry news

0% 10% 20% 30% 40% 70%60%50%

31%

29%

28%

19%

15%

5%

12%

61%

57%

50%

48%

40%

36%

Public information aboutcriminal, civil and

regulatory casesand complaints

Surveys

Industry-accepted fraudtaxonomies, such as the

Association of Certified FraudExaminers’ Occupational Fraud and

Abuse Classification System

Workshops

Other

Don’t know


How is your organization’s fraud risk assessment process structured?

Incorporated into our internal audit planning process

26% 31% 38%

Incorporated into our enterprise risk management (ERM) process

32% 22% 15%

Incorporated into our SOX compliance process

12% 21% 8%

Stand-alone 12% 9% 10%

None of these 12% 12% 18%


Large companies

Midsize companies

Small companies

Commentary

An effective fraud risk assessment is tailored to an organization’s industry and unique operations. It should be performed on an annual basis and refreshed when a change in the internal or external environment occurs, including such things as actual fraud or corruption incidents that have occurred and subsequent efforts to apply the lessons learned.

Key components are risk objectives, identification, assessment of inherent and residual fraud risk (measured by likelihood and significance), evaluation of anti-fraud controls and management’s risk response. It is important to obtain this information from a variety of internal and external sources, including data analysis and personal interviews.

“AN ORGANIZATION-WIDE FRAUD RISK ASSESSMENT HAS NOT BEEN PERFORMED IN ABOUT 10 YEARS. THE LAST TIME ONE WAS PERFORMED WAS WHEN IT WAS REQUIRED BY AN ELECTED OFFICIAL FOR ALL STATE AGENCIES.”

– Chief Audit Executive, Midsize Government Organization


Fraud Risk Assessment and Attorney-Client Privilege

As with any internal investigation, a fraud risk assessment may include sensitive matters that poten-tially involve litigation or damage to a company’s reputation. There are often compelling reasons for an organization’s assessment team to report to legal counsel. Some things to consider include:

• In the United States, conversations between an attorney and a client seeking legal advice are considered “privileged and confidential” and “attorney-client privileged.” Once privilege is established, the information shared between a client and attorney is largely protected from disclosure to other parties.

• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without fear of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic accountants or investigators, participate in the fraud risk assessment or an investigation, their work should be performed at the direction of lawyers so that their findings are considered attorney work product and are privileged as well.

• It should be made clear that the risk assessment is being conducted to assist legal counsel in providing legal advice. This includes marking materials as “Privileged and Confidential” and informing interviewees of the legal purpose of the fraud risk assessment or investigation.

• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the review with anyone who is not involved in the project, so as not to inad-vertently waive the privilege by sharing information outside of the attorney-client relationship.

• The attorney-client privilege varies widely outside of the United States. For any investigations, fraud risk assessments or other projects that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions, the rules of those jurisdictions would apply.

Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions were of a business, and not a legal, nature.

Does your company conduct its fraud risk assessment under attorney-client privilege?

Yes No Don’t know

15% 59% 26%


While COSO 2013 Principle 8 requires consideration of four types of fraud, which one of the following is of greatest concern to your organization?

Management override of controls

Safeguarding of assets Fraudulent reporting

No one type is more concerning than the other

None of these Other

Corruption

20% 22% 12% 6%

31% 4% 5%

Does your organization have a fraud risk management (mitigation) program?

Yes 47% 31% 29%

No 40% 57% 55%

Don’t know 13% 12% 16%

Large companies

Midsize companies

Small companies

If YES: Who in your organization is responsible for the fraud risk management (mitigation) program?

Chief compliance officer

21% 29% 18%

Chief audit executive

7% 27% 18%


21% 12% 36%

Other 43% 29% 27%


Large companies

Midsize companies

Small companies


FRAUD PREVENTION TECHNIQUES

Key Observations

• Most respondents gave their organizations high marks for fraud prevention. Many utilize “old school” basics, including a formal code of ethics, spending approval limits and segregation of duties (SoD).

• Most conduct ethics and fraud awareness training, although overall, less than half do so at least annually, which is the desired frequency.

Which of the following primary controls does your organization utilize to prevent fraud? (Multiple responses permitted.)

Code of conduct/code of ethics

100% 91% 76%

Authority or approval limits

93% 89% 82%

Segregation of duties

93% 89% 71%

Information technology controls

87% 88% 68%

Employee background checks

77% 83% 68%

Ethics or fraud risk awareness training

83% 59% 37%

Competitive bidding 67% 56% 39%

Third-party due diligence

63% 41% 24%


Other 7% 3% 5%

Large companies

Midsize companies

Small companies


How often does your organization offer ethics and fraud awareness training?

New-hire orientation only

On demand

Semiannually

Annually

Less than annually

Never

Don’t know

0% 10% 20% 30% 40% 50% 60%

3% 13% 21%

7% 11%

43%18%

18%

15% 18%

7%

17%

60%

7%

7%

3%

Large companies Midsize companies Small companies

3%

6%

11%

8%4%

Commentary

Fraud prevention is the baseline of fraud risk management and has traditionally consisted of simple controls designed to set an ethical and moral tone and limit the opportunity for fraud. Such measures are a good start, but they need to be part of a comprehensive and ongoing fraud risk management strategy that includes third-party due diligence, fraud auditing, brainstorming sessions and data analytics.

“OUR COMPANY ACTUALLY REQUIRES THAT FRAUD OR ETHICS RELATED TRAINING BE TAKEN ABOUT EVERY QUARTER ON AVERAGE, AND ATTENDANCE IS TRACKED. TOPICS ARE REINFORCED AT LEAST ANNUALLY.”

– Chief Audit Executive, Large Professional Services (Consulting, Technology and Outsourcing) Company


FRAUD DETECTION TECHNIQUES

Key Observations

• Tellingly, more than half of all organizations lack a fraud detection program (though the numbers are better for large companies). It is one thing to have a program that is not fully developed, but this suggests a majority of companies aren’t doing anything proactive to look for fraud.

• While most respondents indicated that their companies have a telephone hotline, website or electronic mailbox for employees to report fraud, only 13 percent regularly conduct surprise audits at least annually. And relatively few organizations have evolved to a point where they are using ongoing data analysis – the equivalent of a red-light camera – to catch fraud in progress.

Does your organization have a fraud detection program?

Yes 57% 35% 21%

No 27% 55% 68%

Don’t know 16% 10% 11%

Large companies

Midsize companies

Small companies

Who in your organization is responsible for the fraud detection program?

Base: Organizations with a fraud detection program

Chief audit executive

24% 45% 25%

Chief compliance officer

18% 21% 25%


18% 17% 13%

Other 40% 13% 37%


Large companies

Midsize companies

Small companies


Does your organization actively utilize forensic data analysis to identify potential red flags and fraud indicators?

Yes, routinely. Fraud detectionprograms have been written

and overlay systems. Exceptionreports are monitored by anindependent group, such as

internal audit.

Yes, periodically.Management or internal

audit runs fraud detectionprograms at specific times,

such as at the startof an audit.

Yes, on demand only.Data is extracted manually

from various systemsthat are queried.

No, we do not utilizedata analysis to

proactively detect fraud.

Don’t know.

0% 10% 20% 30% 40% 50%

30%13%5%

17% 21% 30%

24%16% 30%

42% 50%10%

4% 8%


How often does your organization conduct surprise audits within the organization?

Quarterly Annually

Never Don’t know

As needed

7% 6% 39%

38% 10%


Which of the following procedures has your organization established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted.)

Telephone hotline 93% 81% 47%

“Chain-of-command” reporting

57% 53% 45%

Website 73% 47% 26%

Electronic mailbox 60% 34% 21%

Designated management

30% 32% 29%

Designated board member

17% 13% 13%

No formal reporting mechanism exists

0% 5% 16%

Other 3% 5% 5%


Large companies

Midsize companies

Small companies

Commentary

Fraud detection techniques look for fraud in progress. Consistent with our other findings, our survey results suggest that most companies are putting forth minimal effort – relying on passive tools like hotlines, websites and email reporting mechanisms, which provide a means for individuals to report fraud – and not actively searching for fraud with surprise audits and ongoing or periodic forensic data analysis.

This reactive stance is consistent with the results of Protiviti’s 2015 Finance Priorities Survey,5 which ranked enterprise risk reporting significantly below profitability reporting and other operational and revenue-generating priorities.

“SEVERAL YEARS AGO, INTERNAL AUDIT ATTEMPTED TO RELATE THE RESULTS OF A FRAUD PREVENTION AND DETECTION SCOREBOARD. IT WAS NOT WELL RECEIVED BY EXECUTIVE MANAGEMENT, AS THERE IS NO ‘REGULATION’ THAT REQUIRES OUR INSTITUTION TO HAVE THE PRESCRIBED CONTROLS IN PLACE.”

– Audit Director, Midsize Healthcare Provider

5 The Rising Tide of Finance Challenges, Protiviti and the Financial Executives Research Foundation, 2015: www.protiviti.com/en-US/Documents/Surveys/2015-Finance-Priorities-Survey-FERF-Protiviti.pdf.

www.protiviti.com/en-US/Documents/Surveys/2015-Finance-Priorities-Survey-FERF-Protiviti.pdf


CORRUPTION

Key Observations

• Third parties are widely considered to represent a disproportionate degree of corruption risk to companies operating outside of the United States. The OECD recently published the Foreign Bribery Report, a study of 427 corruption enforcement actions in countries that are a party to the OECD Anti-Bribery Convention enacted in 1999.6 It found that in 75 percent of those cases, bribes were paid by third parties and not the officers or company directors themselves. However, our survey found that most companies have a long way to go when it comes to assessing and monitoring third-party corruption risk, with few respondents giving their organizations a high confidence rating.

• More than a third of respondents (35 percent) indicated that they were not aware of any due diligence being performed by their companies on intermediaries prior to onboarding. And among those conducting due diligence investigations, most perform only the most cursory Internet and government watchlist searches.

• An equal number of respondents (35 percent) were unaware of any efforts by their company to identify foreign government agencies, state-owned companies, public international organizations and private enterprises among their customers. However, these efforts are a critical success factor for an effective anti-corruption compliance program under the U.S. Foreign Corrupt Practices Act (FCPA). Without the ability to readily distinguish between the different categories of customers, companies risk operating “in the blind” as to which of their customers’ employees meet the definition of a “foreign official.” These companies therefore risk unwittingly violating the FCPA.

• An effective anti-corruption program should also extend to hiring practices, particularly when it comes to hiring employees or interns with ties to clients, foreign governments or state-owned companies. Overall, only a third of respondents could say that their organizations attempt to determine whether job candidates are family members or associates of government officials who are in a position to influence contract awards. Recent prosecutions of U.S. companies for targeting the children of executives of Middle Eastern Sovereign Wealth Funds and ongoing investigations of the hiring practices of numerous investment banks operating in China make it critically important to determine whether candidates for employment or internships have disclosed such ties and that the company has taken appropriate steps to ensure that candidates are qualified. There should not be even the appearance of a quid pro quo.

6 OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials, 2014, OECD Publishing, Paris: http://dx.doi.org/10.1787/9789264226616-en.

http://dx.doi.org/10.1787/9789264226616-en


On a scale of 1 to 5, rate your level of confidence that the organization has effective oversight of the external third parties retained in the United States and/or outside the United States.

3.5 3.1

2.9

Midsize companiesLarge companies

Small companies

Does your organization conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding?

Yes No Don’t know

65% 17% 18%

Does your organization include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy?

Yes No Don’t know

77% 15% 8%


Does your organization have the ability to distinguish between foreign government agencies, state-owned companies, public international organizations and private enterprises among its customer base?

Yes No Don’t know

65% 12% 23%

Which of the following additional steps does your organization take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organizations? (Multiple responses permitted.)

Pre-approval requirements before paying for gifts, meals or entertainment

63% 44% 34%

Enhanced contract provisions

57% 41% 29%

Advanced anti-corruption training for select personnel

57% 27% 13%

Prohibitions against hiring of family members of employees of this category of customer

40% 26% 32%

Large companies

Midsize companies

Small companies

Does your organization categorize third parties according to risk?

Large companies

Yes No Don’t know

57% 30% 13%


Midsize companies

Yes No Don’t know

22% 56% 22%

Small companies

Yes No Don’t know

24% 63% 13%

Does your organization perform any of the following? (Multiple responses permitted.)

Base: Organizations that categorize third parties according to risk.

Assign risk based upon a variety of factors

82% 67% 38%

Perform escalating levels of investiga-tive due diligence based upon assigned risk level

71% 45% 50%

Perform investigative research in-house

29% 27% 50%

Focus on a single high-risk category for third parties (such as sales agents)

35% 27% 13%

Perform the same level of due diligence or screening for all categories of third parties

18% 24% 13%

Large companies

Midsize companies

Small companies


If your organization performs investigative due diligence, which activities are included in this process? (Multiple responses permitted.)

Check a variety of watchlists (e.g., OFAC, PEPs, debarments)

60% 38% 31%

Perform Internet research

40% 40% 39%

Check corporation registrations

47% 30% 39%

Search public records

47% 32% 25%

Search negative news in English

33% 21% 14%

Perform site visits with photographs

33% 15% 14%

Perform human intelligence research

23% 13% 11%

Search negative news in applicable foreign languages

10% 8% 8%

Don’t know 37% 23% 19%

None – No investigative due diligence performed in my organization

0% 18% 22%

Large companies

Midsize companies

Small companies

When acquiring a company, does your organization conduct a corruption risk assessment during the acquisition due diligence process?

Yes 47% 23% 25%

No 10% 26% 11%

Don’t know 43% 51% 64%

Large companies

Midsize companies

Small companies


If your organization performs investigative due diligence, who performs the work associated with this process? (Multiple responses permitted.)

All investigative work performed in-house

40% 34% 31%

Watchlists, negative media and Internet research performed in-house

37% 21% 25%

More comprehensive investigative work performed by investigative firm

20% 9% 8%

All investigative work outsourced

3% 5% 3%

Other 0% 5% 6%

None – No investigative due diligence performed in my organization

0% 20% 22%

Don’t know 37% 23% 25%

Large companies

Midsize companies

Small companies

“THERE IS NO COMPANY-WIDE FRAUD RISK MANAGEMENT PROGRAM. THERE ARE POCKETS OF PEOPLE THROUGHOUT THE ORGANIZATION WHO DEAL WITH COMPLAINTS/INVESTIGATIONS (WHICH COULD BE FRAUD), AND ANTI-MONEY LAUNDERING AND FRAUD INVESTIGATION TEAMS. IN ADDITION, INTERNAL AUDIT INCLUDES A FRAUD RISK ASSESSMENT LIMITED TO THE SCOPE OF EACH AUDIT, BUT THERE IS NO CENTRALIZED SYSTEM OR REPORTING REGARDING THE VARIOUS DECENTRALIZED FRAUD RISK MANAGEMENT ACTIVITIES.”

– Audit Director, Large Financial Services Institution


Do your hiring practices include an examination as to whether candidates are family members or associates of government officials?

Yes 50% 31% 33%

No 17% 42% 36%

Don’t know 33% 27% 31%

Large companies

Midsize companies

Small companies

Commentary

Momentum is building for stronger third-party anti-corruption programs, as regulators make it clear that companies will no longer be able to “outsource” risk by handing it off to a contractor. Regulators are becoming increasingly sophisticated in their understanding of how certain organizations are identifying their high-risk business intermediaries. They are holding them to heightened standards of care and are asking those not approaching their third parties in this way, “Why not?”

Based on our survey findings, this is a real weakness for most companies. The DOJ and U.S. Securities and Exchange Commission (SEC) have made their expectations clear: Corruption risk assessment must evolve, and anti-corruption programs must be derived from a meaningful risk assessment process in order to be truly effective.

Even those organizations that profess to be conducting vendor due diligence need to start asking tough questions:

• How many existing relationships have we severed as a result of our anti-corruption program?

• How many prospective vendors have we rejected?

If there is not a single relationship severed or new relationship rejected, it invites regulators to question the validity of these programs, regardless of how much the programs cost to administer.

“WITH THE COSO 2013 UPDATE, OUR COMPANY GAVE SOME ADDITIONAL THOUGHT TO FRAUD RISK. IT’S NOT THAT WE WEREN’T THINKING ABOUT IT BEFORE; IT WAS JUST ALWAYS EMBEDDED IN OUR SOX CONTROLS. THE UPDATE GAVE US A CHANCE TO TAKE A FRESH LOOK AT THINGS AND PLUCK THOSE FRAUD CONTROLS TO ENSURE WE WERE THINKING THROUGH ALL THE APPLICABLE SCENARIOS.”

– Audit Manager, Midsize Manufacturing Company


7 FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, Criminal Division of the DOJ and Enforcement Division of the SEC, 2012: www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.

Hallmarks of an Effective FCPA Compliance Program

The DOJ and SEC have provided clear guidance for what they expect of companies when it comes to complying with the FCPA. Their 10 “Hallmarks of an Effective Compliance Program”7 is essential reading for anyone responsible for overseeing a corporate anti-corruption program.

10 Hallmarks

• Commitment from Senior Management and a Clearly Articulated Policy Against Corruption – Compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.

• Code of Conduct and Compliance Policies and Procedures – A company’s code of conduct is often the foundation upon which an effective compliance program is built. The most effective codes are clear, concise and accessible to all employees and to those conducting business on the company’s behalf.

• Oversight, Autonomy and Resources – In appraising a compliance program, the DOJ and SEC look for one or more senior executives specifically assigned to oversight and provided with resources and board access.

• Risk Assessment – Assessment and prioritization of risk are fundamental to developing a strong compliance program. The DOJ and SEC have said they are likely to be more forgiving of a company with a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources have been devoted to a higher-risk area.

• Training and Continuing Advice – Compliance policies cannot work unless they are effectively communicated throughout a company.

• Incentives and Disciplinary Measures – A compliance program should apply from the boardroom to the supply room – no one should be beyond its reach.

• Third-Party Due Diligence and Payments – Third parties, including agents, consultants and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business transactions. Risk-based due diligence will be considered by the DOJ and SEC in assessing the effectiveness of a company’s compliance program.

• Confidential Reporting and Internal Investigations – In addition to confidential reporting mechanisms, there should be an efficient, reliable and properly funded process for investigating allegations and documenting the company’s response, including any disciplinary or reme-diation measures.

• Continuous Improvement: Periodic Testing and Review – Effective compliance programs evolve. Consequently, the DOJ and SEC evaluate whether companies regularly review and improve their compliance programs to keep them from becoming stale.

• Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration – A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks.

www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf


REPORTING, INVESTIGATION AND CORRECTIVE ACTION

Key Observations

• Overall, insufficient management review and inadequate controls have accounted for more than half of all fraud and misconduct investigated over the past three years. Deliberate override of controls was the second-highest individually cited cause, after insufficient management review.

• A substantial percentage of respondents said there have been no allegations of fraud or misconduct investigated over the past three years. This raises questions about how effective those organizations are at identifying fraud and whether this statistic is a true picture of the absence of fraud or, rather, the inability to deter, detect, investigate and report fraud and the absence of proactive efforts to identify fraud indicators.

Based on your personal knowledge, how many allegations of fraud or misconduct have been received and investigated by your company in the past three years?

More than 20 investigations

27% 11% 6%

Six to 20 investigations

17% 19% 8%

Five or fewer investigations

7% 33% 25%

None that I am aware of

3% 13% 39%

I’m not comfortable disclosing this information

17% 11% 3%

Unknown – I don’t have visibility into how many investigations are conducted/completed

29% 13% 19%

Large companies

Midsize companies

Small companies


For known fraud events or incidents of misconduct within your company, what was the primary root cause or control breakdown that allowed the incident to occur?

Base: Organizations in which there have been allegations of fraud or misconduct that have been investigated in the past three years.

Insufficient management review or approval

15% 18% 47%

Deliberate override of internal controls

35% 20% 0%

Inadequate internal controls

5% 21% 27%

Inadequate SoD 10% 11% 20%

Collusion with third parties

25% 10% 0%

Internal collusion 0% 6% 0%

Lack of qualified personnel performing tasks/responsible for controls

5% 5% 0%

Undisclosed conflict(s) of interest

0% 4% 0%

Other 5% 5% 6%

Large companies

Midsize companies

Small companies

“OUR FRAUD RISK STRATEGY IS EVOLVING. WE HAVE A FRAUD RISK POLICY AND A WHISTLEBLOWER PROTECTION POLICY. WE HAVE SOME PREVENTIVE FRAUD MONITORING IN PLACE IN SOME RISK AREAS, BUT THE APPROACH IS NOT A STRUCTURED BASIS FOR A FORMAL FRAUD RISK ASSESSMENT. THIS IS NOW MANDATED BY THE BOARD, AND WE PLAN TO COMMENCE THIS SHORTLY. MANAGEMENT BUY-IN IS LIMITED; IT IS MORE A COMPLIANCE TICK BOX APPROACH!”

– Chief Audit Executive, Midsize Financial Services Institution


What level of involvement does your organization’s audit committee have in the investigation of alleged fraud or misconduct?

0% 10% 20% 30% 40% 50% 60%

On at least a quarterly basis,the audit committee is

informed of all allegationsbeing investigated.

33%14% 57%

The audit committee chairis informed of all allegations

involving accounting, auditingand internal control matters

immediately upon receipt bythe individual designated to

receive complaints.

36%

36%20%

The audit committee is onlyinformed about investigationsinvolving accounting, auditing

and internal control matters.

17%

17%7%


Don’t know. 14% 33%16%

Commentary

Not every missing laptop requires the attention of the audit committee, but there should be a mechanism for the investigation and reporting of suspected fraud and misconduct. There also needs to be some kind of prioritization of when and why to escalate suspected misconduct to a higher level of scrutiny to include categories of fraud and misconduct that would warrant reporting to the audit committee.

More important, from a long-term value standpoint, is the ability to drill down to the root cause and take corrective action. Many respondents cited inadequate internal controls as a leading cause of fraud, along with insufficient management review. These responses aren’t surprising consider-ing that most companies don’t seem to see fraud and misconduct as significant risks. Performing investigations in such a way as to gather evidence, expose shortcomings in the control environment and then apply the lessons learned are of critical importance to an organization’s ability to demon-strate forward progress on its anti-fraud and anti-corruption programs. These efforts also can help to lower the company’s exposure to these categories of risk over time.


A “no fraud here” mentality may also contribute to the high percentage of instances where the root cause was determined to involve the deliberate override of internal controls. Such overrides don’t always involve malfeasance; they are sometimes a matter of misplaced expediency. But they are also indicative of a lax governance structure and a culture in which fraud can flourish because the rules are not enforced and insiders inclined to commit acts of fraud or bribery see very little risk of getting caught. Even a person who circumvents controls out of expediency and is not personally liable for fraud could certainly garner the attention of law enforcement under the Yates Memo and its mandate that companies identify responsible parties in order to receive cooperation credit.

KEY FACT

Most common corrective actions taken by companies at the conclusion of an investigation:

27%

23%Termination

Disciplinary action

“INTERNAL AUDIT FACES CHALLENGES IN ASSISTING THE ORGANIZATION TOWARD MORE MATURITY IN FRAUD RISK GOVERNANCE BECAUSE OF THE “DOESN’T/WON’T HAPPEN HERE” MINDSET. BECAUSE OF THIS, ANY PROJECTS DIRECTLY FOCUSED ON FRAUD RISK, SUCH AS CHAMPIONING AN INSTITUTION-WIDE FRAUD RISK ASSESSMENT, WOULD MOST LIKELY BE VIEWED AS NOT ADDING VALUE RELATIVE TO OTHER PROJECTS AND PRIORITIES FOR INTERNAL AUDIT.”

– Chief Audit Executive, Midsize Government Organization


IN CLOSING

Companies tend to be under-resourced when it comes to financial crime investigation, fraud detec-tion and reporting. Leadership is focused on growing revenue and delivering shareholder value. Nobody wants to believe that the company is losing significant revenue to fraud. Nor are companies inclined to freely expend unbudgeted monies to pursue investigations to their logical conclusions and then remediate the deficiencies in the control environment that the investigation may have exposed. And certainly, organizations don’t want to spend precious resources managing risks they don’t consider legitimate.

Yet regulators and prosecutors are holding corporate executives and directors individually account-able not only for acts of fraud or bribery they may have committed, but also increasingly for acts they didn’t take clear action to prevent. Such pressures are raising the bar for fraud risk management and anti-corruption compliance.

An organization’s ability to effectively manage and mitigate fraud and corruption risk begins with the abandonment of the “no fraud here” mindset and an acknowledgement that fraud and corruption don’t just happen to others. In fact, the law of averages suggests that fraud and corruption risk exists in every organization to varying degrees. The conclusion that there’s “no fraud here” is more likely a repudiation of the program’s efficacy and organizational tone than it is a reflection of reality. A truly effective program engages all levels and departments in preven-tion and detection. It is also aligned with a strong executive tone at the top, where the refrain “there is no fraud here” is replaced with “not on my watch.”


SURVEY DEMOGRAPHICS

We surveyed nearly 300 top senior executives, board members, audit directors and risk manag-ers from a cross-section of industries. The following charts show the breakdown regarding the survey respondents and their companies.

Position (Title/Role)

Chief Audit Executive 24%

Audit Director 19%

Audit Manager 16%

Chief Financial Officer 7%

Corporate Controller 6%

Chief Risk Officer 4%

Chief Compliance Officer 3%

Board Member/Audit Committee Member 3%

Business Unit Control Leader 2%

Corporate Security Director 1%

General Counsel 1%

Chief Executive Officer 1%

Chief Information Officer 1%

Chief Operating Officer 1%

Chief Security Officer 1%

Other 10%


Industry

Financial Services 18%

Manufacturing 12%

Education 6%

Energy 6%

Government 6%

Technology 6%

Healthcare – Provider 5%

CPA/Public Accounting/Consulting Firm 4%

Insurance (excluding Healthcare – Payer) 4%

Real Estate 4%

Services 4%

Retail 4%

Distribution 3%

Not-for-Profit 3%

Utilities 3%

Life Sciences/Biotechnology 3%

Media 3%

Healthcare – Payer 2%

Hospitality 2%

Telecommunications 1%

Other 1%

Size of Organization (by gross annual revenue in U.S. dollars)

$20 billion or greater 8%

$10 billion to $19.99 billion 8%



$500 million to $999.99 million 15%

$100 million to $499.99 million 19%

Less than $100 million 16%


Type of Organization

Public 49%

Private 24%

Not-for-profit 10%

Government (U.S.) 6%

Educational institution 5%

Government (non-U.S.) 2%

Public international organization 1%

Private, but planning an IPO within the next 12 months 1%

Other 2%

Organization Headquarters

North America 82%

Europe 6%

Asia-Pacific 4%

Middle East 3%

Latin America 2%

Africa 2%

India 1%


ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our inde-pendently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Named one of the 2015 Fortune 100 Best Companies to Work For®, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Investigations and Fraud Risk Management Practice

Protiviti’s Investigations and Fraud Risk Management consultants help organizations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.

Understanding organizational vulnerabilities and establishing an appropriate framework to iden-tify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.

Our Investigations and Fraud Risk Management professionals assist organizations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level – from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.

Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.


PROTIVITI INVESTIGATIONS AND FRAUD RISK MANAGEMENT PRACTICE CONTACTS

Brian Christensen Executive Vice President, Global Internal Audit +1.602.273.8020 [email protected]

Scott Moritz Global Lead, Investigations and Fraud Risk Management +1.212.603.8356 [email protected]

UNITED STATESKelly Flagg +1.212.603.5416 [email protected]

James Gallo +1.212.603.8320 [email protected]

James Gibson +1.312.476.6423 [email protected]

Peter Grupe +1.212.399.8613 [email protected]

Robert Hennigan +1.646.428.8231 [email protected]

Pamela Verick +1.703.338.2322 [email protected]

Diane Walker +1.212.603.8388 [email protected]

AUSTRALIAMark Harrison +61.2.6113.3900 [email protected]

BRAZILRaul Silva +55.11.2198.4200 [email protected]

MEXICORoberto Abad +52.55.5342.9100 [email protected]

CANADARam Balakrishnan +1.647.288.8525 [email protected]

MIDDLE EASTManoj Kabra +965.2295.7700 [email protected]

CHINA (HONG KONG AND MAINLAND CHINA)Albert Lee +852.2238.0499 [email protected]

THE NETHERLANDSJaap Gerkes +31.6.1131.0156 [email protected]

FRANCEBernard Drui +33.1.42.96.22.77 [email protected]

SINGAPORESidney Lim +65.6220.6066 [email protected]

GERMANYMichael Klinger +49.69.963.768.155 [email protected]

SOUTH AFRICAFana Manana +27.11.231.0600 [email protected]

INDIASubrata Bagchi +91.98.6631.4842 [email protected]

UNITED KINGDOMLindsay Dart +44.207.389.0448 [email protected]

ITALYAlberto Carnevale +39.02.6550.6301 [email protected]

BELGIUMJaap Gerkes +31.6.1131.0156 [email protected]

JAPANYasumi Taniguchi +81.3.5219.6600 [email protected]

mailto:brian.christensen%40protiviti.com?subject=

mailto:scott.moritz%40protiviti.com?subject=

mailto:kelly.flagg%40protiviti.com?subject=

mailto:james.gallo%40protiviti.com?subject=

mailto:james.gibson%40protiviti.com?subject=

mailto:peter.grupe%40protiviti.com?subject=

mailto:robert.hennigan%40protiviti.com?subject=

mailto:pam.verick%40protiviti.com?subject=

mailto:diane.walker%40protiviti.com?subject=

mailto:raul.silva%40protivitiglobal.com.br?subject=

mailto:roberto.abad%40protivitiglobal.com.mx?subject=

mailto:ram.balakrishnan%40protiviti.com?subject=

mailto:manoj.kabra%40protivitiglobal.com.kw?subject=

mailto:albert.lee%40protiviti.com?subject=

mailto:b.drui%40protiviti.fr?subject=

mailto:sidney.lim%40protiviti.com?subject=

mailto:michael.klinger%40protiviti.de?subject=

mailto:fanam%40sng.za.com?subject=

mailto:subrata.bagchi%40protivitiglobal.in?subject=

mailto:lindsay.dart%40protiviti.co.uk?subject=

mailto:alberto.carnevale%40protiviti.it?subject=

mailto:jaap.gerkes%40protiviti.nl?subject=

mailto:yasumi.taniguchi%40protiviti.jp?subject=


ABOUT UTICA COLLEGE

Utica College, founded in 1946, is a comprehensive private institution offering bachelor’s, master’s and doctoral degree programs. The college, located in upstate central New York, approximately 90 miles west of Albany and 50 miles east of Syracuse, currently enrolls over 4,400 students in 44 undergraduate majors, 30 minors, 21 graduate programs and a number of pre-professional and special programs.

About Utica College’s Economic Crime and Justice Studies Department

Utica College’s Economic Crime and Justice Studies (ECJS) Department offers a suite of programs at the undergraduate and graduate levels, as well as two research centers and the Economic Crime and Cybersecurity Institute (ECCI).

Our faculty is truly interdisciplinary, and faculty members have worked at private financial services companies, state law enforcement agencies, local courts and government agencies, and have founded their own companies. At the undergraduate level, we educate our students to be inves-tigators – whether the evidence they are reviewing is fingerprints, numbers on a spreadsheet or digital code. We have an innovative curriculum consisting of three programs: criminal justice, economic crime investigation and cybersecurity. Students are grounded in a liberal arts core along with criminology and relevant law classes. Specialty classes, rigorous writing expectations and a capstone internship are defining features of our programs. At the graduate level, we train students in the latest best practices to manage the security of economic and digital information.

Our ECCI is a unique organization of professionals and academics that provides thought leadership on economic crime and cybersecurity issues faced by business and government. We have two research centers that examine the latest trends in identity theft, economic fraud and cybercrime. The Center for Identity Management and Information Protection (CIMIP) is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation and legislation, working toward a more secure homeland. The Northeast Cybersecurity and Forensics Center (NCFC) is a partnership of academic, government and private sector resources that collaborate to provide cutting-edge research, development and service in the fields of digital forensics and cybersecurity.

Contacts

Donald Rebovich, Ph.D. +1.315.792.3231 [email protected]

Ray Philo +1.315.223.2483 [email protected]

mailto:drebovi%40utica.edu?subject=

mailto:rphilo%40utica.edu?subject=

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

www.protiviti.com

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veteran. PRO-0116-101083

© 2016 Utica College. All rights reserved.

www.protiviti.com