by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice
In acknowledgement of Corporate Compliance and Ethics Week, I’d like to share some thoughts about the state of internal investigative units today.
The ability of corporate security and internal investigative units within public and financial services companies to align with the new COSO internal control framework and in particular, Principle 8, has recently attracted significant focus. As a result, ethics and compliance officers, executive management and internal audit now have to pay much closer attention not only to their organizations’ ability to deter, detect and report internal and external fraud, but also to the investigative units themselves.
Similarly, the recent updating and release of the revised COSO framework last year, with its emphasis on fraud risk assessment, has caused a surge in activity in this area. Internal investigative units, an integral part of the fraud risk management framework, are once more being put under a microscope. Even companies without dedicated investigative or corporate security departments must have clearly defined roles and responsibilities to investigate allegations of fraud or misconduct successfully.
Given the importance of getting fraud investigations right and the increased attention being paid to internal investigative capabilities, organizations need to examine their in-house investigative capabilities objectively. A common problem for many lies in their use of one or more front-end detection systems. These are designed to generate alerts for subsequent review and, if necessary, escalation to higher levels of investigation.
Unfortunately, the vast majority of the alerts produced by these systems are false positives, and chasing these red herrings can quickly exhaust company resources. Fortunately, the problem can be resolved easily by adjusting the system rules and/or algorithms to better suit the end-user organization, providing a welcome lifeline to an overworked investigative team.
Case management systems, which track front-end alerts and provide an audit trail associated with false positives, are also critically important to any investigative unit since they document the progress of investigative cases from initial intake to disposition. For maximum efficiencies, case management systems need to be integrated fully with front-end systems.
Some organizations have multiple organizational constituencies that perform different categories of investigative activity. Legal, HR, anti-money laundering (in the case of financial services companies) Corporate security, financial investigative units, internal audit, labor relations and IT security each may have its own case management tools and front-end tools. There may be very good internal reasons to keep their cases separate, but doing so often results in significant duplication of effort. The creation of a formal mechanism, such as a compliance investigations working group or subcommittee, can break down some of those siloes and ensure better coordination across the units.
Also important – yet sometimes overlooked – are written procedures for the clearing of system alerts, the escalation of alerts to investigative cases, and the investigation and documentation of cases. A lack of these procedures inevitably leads to inconsistency in a company’s investigative processes, which in turn can lead to liability, particularly if an outside party is reviewing the investigative unit as part of a regulatory exam or through legal discovery in connection with an investigation that led to litigation.
In light of the inherent challenges associated with investigative processes and the potential for liability associated with ineffective investigative units, I recommend performing an assessment of your internal investigative unit to measure its effectiveness. Corporate Compliance and Ethics Week is the perfect catalyst to kick off your initiative. The improvements that will likely follow such an assessment will lead to a measurable reduction in fraud losses. Proactive measures today will save you significant heartache tomorrow.
Have you made improvements to your corporate investigative unit recently? Please share your success story here.