Protecting Your Organization From Fraud
March 01, 2011
Richard P. Finkel, CPA/CFF, CFE, CIRA
The Association of Certified Fraud Examiners estimates that organizations lose 5% of annual revenue to fraud. Frauds include Ponzi schemes, asset misappropriation, computer hacking and identity theft, just to name a few. Small- and mid-size businesses tend to be the most vulnerable because they generally have fewer controls in place to detect and deter fraud.
Koss Corporation is a small, publicly traded company located in Milwaukee, Wisconsin with annual revenues of approximately $38 million and net assets of approximately $28 million. Sujata Sachdeva, a long-time, trusted employee, worked her way up through the ranks over 19 years with the company to the position of Vice President of Finance. In December 2009 it was discovered that she had misappropriated more than $34 million of company funds over a period of approximately 12 years. She used cashier's checks funded by Koss Corporation to purchase millions of dollars' worth of clothing, jewelry and other personal items. Over $10 million was paid via checks and wire transfers to cover personal American Express charges. Although Koss Corporation had certain internal controls in place, these controls were ineffective in detecting or preventing this fraud.
Fraud activity has been rapidly increasing. Although there is no assurance that all fraud can be prevented or detected, the best way to protect against fraud is to be proactive by developing and implementing an anti-fraud program. The development of an anti-fraud program requires support of management. The following are initial steps that organizations can take to plan and implement an effective anti-fraud program.
Code of Conduct
The starting point of an anti-fraud program is the Code of Conduct. Although this document should cover a wide range of business practices and procedures, it cannot cover every possible situation that may arise. It should set forth the basic principles to guide all employees, officers and directors of the organization as to what constitutes acceptable behavior and how to avoid even the appearance of improper actions. The Code of Conduct should cover areas such as: conflicts of interest, gift policies, political contributions, harassment and social networking. It should also be made clear that sanctions will be imposed for violations of the Code of Conduct. All employees should be required to annually re-certify that they have read and understand the Code of Conduct and that they have not and will not take part in unethical behavior or fraudulent activity.
Prevention and Detection Policies & Procedures
Policies and procedures should be developed that are specific to the organization's needs. They should focus on the importance of reporting possible fraudulent activity by employees and third parties. They should provide a reporting mechanism, such as a hotline, and include whistleblower protections for employees who report fraudulent activity. The policies and procedures should also set forth how the organization will handle actual fraud, including how fraud will be investigated, reported to authorities and communicated to employees, customers and vendors. It is important that management set the tone at the top as a model for the organization.
Communication & Education
Anti-fraud programs cannot succeed without communications and training. Employees should understand what constitutes fraud and the possible effects of fraud on the organization, from both a financial and reputational perspective. They should know how to report suspicious activity anonymously without fear of reprisal. Employees should also know where and when to seek advice when faced with uncertain ethical decisions. Education should be ongoing in order to assist employees in recognizing the signs of fraudulent activity and reinforcing management's commitment to deter and detect fraud. Educational programs should be specifically designed to meet the organization's policies as well as industry standards.
Fraud Risk Assessment
Organizations should have an understanding of general and specific fraud risks that could directly or indirectly impact their operations. A fraud risk assessment will proactively help the organization identify vulnerabilities, measure fraud risk tolerance and pinpoint opportunities to attack and reduce the cost of fraud. The assessment should be tailored to the organization's structure, size and industry. Information should be gathered through interviews and brainstorming with employees from all levels of the organization, as well as from outside industry and regulatory sources. The most effective fraud risk assessments are performed by outside third parties who are specifically trained and experienced in fraud prevention, detection and investigation.
Fraudsters are creative and deceptive. They violate trust. The establishment of an anti-fraud program is an important and ongoing effort. The program should be revisited at least annually and re-tooled as needed to meet the ever-changing and evolving world of fraudulent activity.
Richard P. Finkel, CPA/CFF, CFE, CIRA is a partner with BlumShapiro, New England's largest regional accounting, tax and business consulting firm based in Connecticut, with offices in West Hartford, Shelton and Westport, CT and Rockland, MA. The firm serves as business advisors for today's leading middle market companies, non-profit organizations and government entities, working to strategically tailor and consistently deliver tested solutions for unlocking an organization's full potential. For more information about BlumShapiro, visit blumshapiro.com.