Nobody wants to believe that their company is losing significant revenue to fraud. And, understandably, organizations don’t want to spend scarce resources managing risks they don’t consider legitimate. With regulators and prosecutors increasingly holding executives accountable for fraud prevention, however, there’s a strong incentive to replace the old refrain of “no fraud here” with the more proactive “not on my watch.”
That’s the conclusion of a new study from Protiviti and the Economic Crime and Justice Studies Department at Utica College, released yesterday. The study, titled “Taking the Best Route to Managing Fraud and Corruption Risk,” is based on a 2015 survey of board members, C-suite executives, general counsel and chief audit executives.
Our survey corresponded with a September memorandum from the U.S. Department of Justice – The Yates Memo – instructing prosecutors not to give corporate defendants cooperation credit unless they identified the individuals responsible for illegal conduct. The memo is named for its author, Deputy Attorney General Sally Quillian Yates, who subsequently elaborated: “We are not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.”
Against that backdrop, it was distressing to see, in the survey results, how few companies are living up to the fraud risk assessment provisions of COSO 2013, Principle 8, and how many remain in reactive response mode, “putting out fires.” Only 17 percent of respondents described their organization’s fraud risk strategy as “well defined,” and only 57 and 35 percent of large and mid-size companies, respectively, had a fraud detection program in place. In addition, third-party fraud and corruption risk is barely on the radar of most organizations. Less than one in 10 respondents reported a high level of confidence in their organization’s vendor fraud and corruption risk oversight. A lack of internal resources was cited as the biggest challenge to proactive fraud risk assessment.
Other notable findings that emerged from our research:
- Few companies are availing themselves of the tools and best practices for mitigating fraud risk, e.g., less than one in five utilize ongoing forensic data analysis to identify potential red flags and fraud indicators.
- Just over one-third of the respondents reported their organizations do not conduct due diligence on business intermediaries (third parties) prior to onboarding.
- Organizations without strong fraud detection and reporting programs face a higher risk of whistleblower disclosures.
And a cautionary note: As much as the internal audit profession is to be applauded for reaching beyond its accounting roots to strengthen interdepartmental relationships through “soft” skills, such as interpersonal communication, it is critical to maintain a clear line between improving communication and compromising assurance. Our report refers to the trend toward “consultative” audits, stressing that while surprise audits may sometimes be seen as running counter to an organization’s culture, they are an effective fraud deterrent when used in a targeted manner and focused on perceived problem areas or intransigent business units or geographies. That’s not to say such audits can’t be handled with dignity and respect, merely that we need to ensure that in adding the soft skills, we don’t lose our edge.