To Best Prevent, Remedy Fraud: Create Biz-Tailored Culture of Compliance

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Michael Greene

Nov. 18 — An effective compliance program should have policies and procedures for preventing fraud and responding to potential fraud, according to speakers at a Nov. 14 Practising Law Institute webinar.

Implementing these procedures requires companies to create a culture of compliance that is tailored to their business, said speakers at “Bolstering Your Company's FraudDefenses 2014: Proactive Prevention and Responses.” Accordingly, companies need to look at their weaknesses and risks in determining how to implement these procedures.

‘No One Size Fits All.'

The first step in developing a fraud prevention program is to “understand your company's weakness,” according to Kristina S. Azlin, a partner at Holland & Knight, LLP.

There really is “no one size fits all” fraud prevention program, she said, because different companies have different risks. Accordingly, the most effective programs “will be based on how your company does business.”

After identifying your company's weaknesses, the next step is to “assess your company's fraud risks,” said Azlin. In doing so, companies should solicit input from a variety ofdifferent departments. She added that sometimes an outside consultant may be needed to provide a “fresh perspective.”

Nadia Brannon, an executive director of Ernst & Young LLP's fraud investigations and dispute services, said that part of risk assessment is “responding to likely and significant risks.” Companies cannot mitigate every single risk, she noted. Accordingly, residual risks—ones that are unlikely to recur or are insignificant—do not require a response.

Brannon mentioned that the most common type of fraudulent scheme can vary depending on the industry. Moreover, the “stakes and opportunities” are very different depending on the role of the perpetrator within the organization. She added, for example, that accountants are the common perpetrators of fraud because of their access and controls.

“It seem logical that people with control also have the ability to steal,” said Deborah Forhan Rimmler, Nexant, Inc.'s senior vice president and general counsel.

Implementing a Prevention & Detection Program

To implement an effective antifraud program, the company's leadership must make a commitment to preventing fraud, said Vince Farhat, a partner at Holland & Knight. “Thetone from the top is critical,” he said. “Unless the board and senior executives are 100 percent committed to a culture of compliance, the program, however robust it might be, is going to sit on the shelf and do nothing.”

Farhat added that when a company makes this commitment, there are five critical things it must do: adopt written policies and procedures; create a company-wide ethics code; train directors, managers and employees; communicate a “zero tolerance” policy; and regularly review, revise and update policies and procedures.

The training piece is often the hardest and most expensive part of this commitment, according to Farhat. He noted that having an effective, systematic training program is a vital part of demonstrating to outside investigators that the company has made a commitment to compliance.

Hotlines, HR

Companies should not only train employees on their antifraud policies and procedures, but also make sure they are aware of the process for reporting, said Brannon.

According to an industry report, 42 percent of all fraud is discovered by tips. A hotline with procedures for reporting is “by far the cheapest, easiest, and most effective antifraud control” a company can have in place, said Brannon.

Providing awareness of these procedure requires actively engaging employees, said Rimmler.

Human resource procedures also can be an effective part of fraud prevention, said Farhat. HR is often your “first line of defense” because employees are used to hearing from this department, he added.

Review, Revise & Update

In developing company procedures, Farhat noted that it is easier to implement specific rules that circumscribe the discretion for employees performing specialized functions than for upper management. Creating specific rules for higher-level employees can be difficult because of the need to allow for discretion, he added.

Generally, companies should not forget to review, revise and update their corporate governance policies and procedures, said Azlin. An important part of this process is looking back periodically at the residual risks that the company has left, she added. These risks may have become significant since policies were last implemented.

Brannon observed that companies often change the way they conduct business, which has an effect on their potential risks. She also noted with the advancement of technology, forms of crime can change. “The criminal community is always a step ahead of us,” she said.

Responding to Fraud

Ultimately, however, developing and maintaining a prevention program is only part of managing and minimizing antifraud risks, said Stacey Wang, an associate at Holland & Knight. Companies also need to have policies and procedures for responding to fraud, she explained.

Knowing when to take action in response to potential fraud requires having an effective screening process, said Farhat. He noted that companies “will get false positives,” and determining the credibility of a potential instance can be the hardest part of this process.

In setting up this process, companies should be aware that “internal triggers” often require more screening than “external” ones, he added.

Once a trigger has happened, companies need to define the scope of the investigation, said Wang, which should be based on the trigger of the investigation, the company and the company's resources, she added.

There are no federal rules of internal investigation, “so companies really need to follow reason and common sense” when they learn that something wrong has happened, said Farhat. Companies sometimes jump into an investigation without defining the scope, which can cause them to waste resources and time and create a bad record for the company when it is dealing with the government, he said.

Leading the Investigation

Assessing the type and scope of the fraud will also drive who leads the investigation, said Farhat. Sometimes routine investigations can be handled by HR departments. He added that companies do not always have to bring in outside investigators.

The key part of any investigation is credibility, he said. Investigations that look one-sided can be difficult to defend, he added. “If your don't have credibility, you won't be taken seriously by outside investigators,” Farhat said.

Farhat also provided some general advice in dealing with government investigations. He noted that some litigation techniques that may work in the civil arena do not work for government investigations. Dealing with the government requires being collegial, advising companies under investigation to “leave Rambo at home.”

To contact the reporter on this story: Michael Greene in Washington at mgreene@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com