New COSO Framework and Financial Regulators Bring Internal Investigative Units into Focus as Never Before

by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice

In acknowledgement of Corporate Compliance and Ethics Week, I’d like to share some thoughts about the state of internal investigative units today.

The ability of corporate security and internal investigative units within public and financial services companies to align with the new COSO internal control framework, and in particular with Principle 8, has recently attracted significant focus. As a result, ethics and compliance officers, executive management and internal audit now have to pay much closer attention not only to their organizations’ ability to deter, detect and report internal and external fraud, but also to the investigative units themselves.

Similarly, the recent updating and release of the revised COSO framework last year, with its emphasis on fraud risk assessment, has caused a surge in activity in this area. Internal investigative units, an integral part of the fraud risk management framework, are once more being put under a microscope. Even companies without dedicated investigative or corporate security departments must have clearly defined roles and responsibilities to investigate allegations of fraud or misconduct successfully.

Given the importance of getting fraud investigations right and the increased attention being paid to internal investigative capabilities, organizations need to examine their in-house investigative capabilities objectively. A common problem for many lies in their use of one or more front-end detection systems. These are designed to generate alerts for subsequent review and, if necessary, escalation to higher levels of investigation.

Unfortunately, the vast majority of the alerts produced by these systems are false positives, and chasing these red herrings can quickly exhaust company resources. Fortunately, the problem can be resolved easily by adjusting the system rules and/or algorithms to better suit the end-user organization, providing a welcome lifeline to an overworked investigative team.

Case management systems, which track front-end alerts and provide an audit trail associated with false positives, are also critically important to any investigative unit since they document the progress of investigative cases from initial intake to disposition. For maximum efficiencies, case management systems need to be integrated fully with front-end systems.

Some organizations have multiple organizational constituencies that perform different categories of investigative activity. Legal, HR, anti-money laundering (in the case of financial services companies), corporate security, financial investigative units, internal audit, labor relations and IT security may each have its own case management tools and front-end tools. There may be very good internal reasons to keep their cases separate, but doing so often results in significant duplication of effort. The creation of a formal mechanism, such as a compliance investigations working group or subcommittee, can break down some of those silos and ensure better coordination across the units.

Also important – yet sometimes overlooked – are written procedures for the clearing of system alerts, the escalation of alerts to investigative cases, and the investigation and documentation of cases. A lack of these procedures inevitably leads to inconsistency in a company’s investigative processes, which in turn can lead to liability, particularly if an outside party is reviewing the investigative unit as part of a regulatory exam or through legal discovery in connection with an investigation that led to litigation.

In light of the inherent challenges associated with investigative processes and the potential for liability associated with ineffective investigative units, I recommend performing an assessment of your internal investigative unit to measure its effectiveness. Corporate Compliance and Ethics Week is the perfect catalyst to kick off your initiative. The improvements that will likely follow such an assessment will lead to a measurable reduction in fraud losses. Proactive measures today will save you significant heartache tomorrow.

Have you made improvements to your corporate investigative unit recently? Please share your success story here.

3 thoughts on “New COSO Framework and Financial Regulators Bring Internal Investigative Units into Focus as Never Before”

  1. Let’s remember that COSO is about a material misstatement of financial reporting and disclosures, which has a very high threshold of materiality, especially related to fraud. Let’s not group everything into a fraud program and assessment.

    • My recent post was an effort to point out that the recent uptick in fraud risk assessments resulting from the revised COSO framework and a shift in focus on the part of financial services regulators have brought heightened attention to internal investigative units. While I agree with your point that the COSO framework has been widely used in reporting on the effectiveness of internal control over financial reporting by US public companies, many companies utilize it in their assessment of operations and in measuring how well they are meeting their compliance obligations. The vast majority of public companies and financial institutions have robust corporate compliance programs. One of the hallmarks that the government considers in determining whether a company had what it deems to be an effective compliance program in place at the time when an offense took place is the extent to which the program provides a mechanism for confidential reporting and investigations of suspicious activity.
      – Scott