Fraud – A policy is always best for honesty

Fraud is often given short shrift in the development of codes of ethics and business principles. It is seen by management as a negative aspect in company policy statements which usually extol positive corporate principles such as teamwork, trust and respect.

This is a lost opportunity. Those organisations which successfully address the subject of fraud have a lower incidence of the problem.

A company’s code of business principles should not only define acceptable behaviour and encourage ethical conduct but it should also set out monitoring mechanisms.

The fundamental message is that employees are bound to work under a set of rules which everyone in the company should accept.

Those who break these rules, including those who commit fraud, are working against corporate goals and to the detriment of shareholder value.

The message is, however, just the beginning. Its success depends on practical processes and structures.

Several steps are needed to reinforce the fraud message. Boards would be well advised, first of all, to develop a profile of their organisation’s susceptibility to fraud risk. They then need to illustrate what is acceptable and unacceptable conduct and set out how the company will react to fraud, with provision of a number of assurance mechanisms which have teeth. Finally, a rollout should be structured to communicate fraud risks, raise awareness of them and expand on the key messages contained in the business code.

Organisations often leap from the self-evident position – that fraud is bad – to a policy and action plan. A key missing link is developing an understanding of the particular fraud-risk profile. Few senior managers can list the fraud risks which their organisation may suffer. This means opening their minds to fraud risk, and giving managers information on fraud or control breakdowns suffered by the company or other organisations.

The resulting fraud profile then provides a basis for more effective fraud awareness training.

Defining what is unacceptable behaviour is an attempt to reduce the grey area which fraudsters can exploit. A company that supplies services to governments will wish to set out a policy on bribery and corruption of public officials. A principle that clarifies the distinction between a ‘facilitating payment’, which is usually acceptable, and a bribe is extremely helpful.

There are many methods of bringing the issue of what is acceptable to the forefront of people’s minds. Some organisations have used ethical dilemmas to fine-tune and clarify what is expected of employees in a set of realistic situations.

A company-wide fraud policy should set out what will be done and by whom if breaches are suspected. Protection of those who report suspicions from a genuine concern can also be included in the code.

Companies need to convince employees that assurance mechanisms are in place. Integrating evidence of good ethical behaviour into the appraisal process is a key step.

Another topical issue is the use of external anonymous hotlines. Hotlines do have a deterrent effect and can help to cut through internal bureaucracy.

They highlight problems early and are relatively cheap to set up. But they can generate spurious information, can be viewed by employees as ‘grassing’ and require some resources to respond to allegations.

Much of the downside in the use of hotlines can be addressed by careful planning and implementation. It is interesting that in some companies over 40% of those who report on the anonymous hotline are ready to give their name and details. This indicates how ineffective or off-putting internal lines of reporting, by contrast, can be.

The success of any fraud-risk awareness depends on the quality and consistency of the message. The key is to put fraud on the agenda in a direct and challenging way. For example, a lecture to a sales force should focus on the front-end risks such as loading sales to meet targets.

Apart from being specific to the audience, the message must be challenging – and it must give examples of case studies that highlight the kind of fraud risks which may often be hidden or dismissed. Procurement managers are often aware of bid-fixing, where there is collusion between a supplier and a procurement officer, but less aware of bid-rigging, where suppliers collude to fix a price.

If handled properly, fraud-awareness training, integrated with the rollout of the other principles of a code, brings into play a key resource in the fight against fraud – the company’s employees.

They are the eyes and ears of the organisation. Often, after such training, there is a substantial increase in the reporting of suspicions. Most of these are genuine reports which require the appropriate follow-up investigation.

Awareness is one aspect of controlling fraud and another is employees’ confidence in the efficacy of reporting channels. They need to know how their suspicions are being handled. Regular feedback to reporters of suspicions, as far as possible, is essential.

The code of ethics is an essential building block in the war against fraud risk. But, to succeed, it must be linked to four key elements: a properly structured fraud-risk profile of the organisation; a policy on fraud; assurance mechanisms that count; plus a rollout which addresses fraud-risk and related issues in an innovative, challenging and memorable way.

Alex Plavsic is a partner in KPMG Forensic Accounting.
