Developing an Integrated Anti-Fraud, Compliance, and Ethics Program
Introduction
Eric Feldman, CFE, CIG
Affiliated Monitors, Inc.
2018 Association of Certified Fraud Examiners, Inc.
CPE Information
Course Overview
Day One:
- Introduction
- Creating a culture of ethics and compliance
- Assessing the organization
- Developing anti-fraud, compliance, and ethics policies
- Establishing an effective anti-fraud, compliance, and ethics function
Day Two:
- Performing due diligence
- Conducting anti-fraud, compliance, and ethics training
- Implementing a whistleblower helpline
- Responding to ethical breaches and noncompliance
- Monitoring, assessing, and remediating the program
Discussion Questions
1. Why is it important to understand the differences between ethics and compliance?
2. Does your organization have a formal compliance and ethics program? If so, how would you rate its effectiveness on a scale of 1 to 5 (5 being the highest)? Why?
3. Does your organization integrate anti-fraud initiatives into its compliance and ethics program? Or does your organization see these as separate functions?
What Are Compliance and Ethics?
Compliance:
- Rules, regulations
- What can be done
Ethics:
- Morals: right versus wrong
- What should be done
What Are Compliance and Ethics?
(Diagram: Compliance breaches; Ethical breaches)
What Is a Compliance and Ethics Program?
A collection of policies, procedures, initiatives, and resources used to manage the risk of misconduct by:
- Identifying and communicating the boundaries of acceptable and unacceptable behavior
- Creating mechanisms to alert management when potential breaches might occur or have already occurred
- Ensuring breaches are responded to quickly, effectively, and appropriately
What Is a Compliance and Ethics Program?
Federal Sentencing Guidelines: "To have an effective compliance and ethics program... an organization shall exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct."
Elements of an Effective Program
1. Establishing standards and procedures
2. Assigning responsibility
3. Due diligence in hiring
4. Communicating the policy
5. Achieving compliance
6. Disciplinary action
7. Appropriate responses
Components: COSO Internal Control Integrated Framework compared with the Sentencing Guidelines

Component: Control Environment
COSO Internal Control Integrated Framework:
- Ethical tone at the top
- Organizational structure, including key areas of authority and reporting lines
- Policies both formal and informal to reward ethical conduct and punish unethical actions
- Mechanism and support for employee reporting
- HR policies to ensure hiring and promotion of those who demonstrate integrity
- Consistent and appropriate discipline
Sentencing Guidelines:
- Code of conduct
- Promote a culture that encourages ethical conduct and compliance
- Knowledgeable governing authority with reasonable oversight
- High-level personnel assigned overall responsibility for the program
- Incentives to promote proper conduct and discourage improper conduct
- Reporting mechanisms for employees and agents
- Prohibit retaliation against those who make good faith reports of suspected violations
- Due diligence to avoid delegation of authority to those with criminal tendencies
- Consistent and appropriate discipline

Component: Risk Assessment
COSO Internal Control Integrated Framework:
- Identification and analysis of risks related to operations, financial reporting, and compliance
- A strategy to manage risks
- Tailoring compliance and ethics programs to specifics of organization
Sentencing Guidelines:
- Develop compliance standards and procedures using risk assessment
- Periodic assessments of compliance and ethics risk
- Incentives to maintain internal controls
- Identification of industry-specific compliance risks
Components: COSO Internal Control Integrated Framework compared with the Sentencing Guidelines (continued)

Component: Control Activities
COSO Internal Control Integrated Framework:
- Policies and procedures to help ensure that management's directives are followed
- Activities to ensure fraud risks are addressed
Sentencing Guidelines:
- Standards and procedures capable of reducing the prospect of criminal conduct
- Determination of modifications needed to prevent future problems

Component: Information and Communication
COSO Internal Control Integrated Framework:
- Methods used to identify, capture, classify, and report pertinent information in an appropriate format and time frame
- Communication of roles and responsibilities pertaining to internal control
Sentencing Guidelines:
- Effective communication of standards and procedures to all employees and other agents
- Required participation in compliance and ethics training programs
- Compliance and ethics training and communications that are ongoing, updated, and appropriate to each group of employees

Component: Monitoring
COSO Internal Control Integrated Framework:
- Ongoing assessment of the internal control system
- Actions to correct and remediate any deficiencies
Sentencing Guidelines:
- Use of monitoring and auditing systems designed to detect criminal conduct
- Periodic evaluation of program effectiveness
- After discovering misconduct, taking reasonable steps to remedy the harm caused (e.g., provide restitution to victims, and self-reporting and cooperation with authorities)
- Responding to identified offenses by assessing the compliance program and making necessary modifications to prevent future problems
How Does Fraud Relate to a Compliance and Ethics Program?
(Diagram: Compliance breaches; Ethical breaches; Fraud)
Why Do People Comply?
To comply, employees must:
- Understand their responsibilities
- Be able to comply
- Be willing to comply
Why Do People Commit Fraud?
(Diagram: Fraud Triangle, with sides Opportunity, Pressure, and Rationalization)
The Fraud Triangle and Ethical Culture
Pressure:
- Unrealistic business objectives
- Ethics divorced from financial metrics
Opportunity:
- Greatest when an employee perceives bad behavior is an accepted way of doing business
- Fear of retaliation prevents reporting
Rationalization:
- Sense of entitlement high in cultures with low morale
- Perception of unfair treatment
- Incentives/rewards favor ethically challenged and promote the wrong behaviors
- Doing the wrong thing for the right reasons
The Fraud Triangle
Why Create an Integrated Anti-Fraud, Compliance, and Ethics Program?
The most effective programs are built-in, not added on.
(Diagram: Anti-fraud, compliance, and ethics at the center, connected to:)
- Recruiting/hiring
- Onboarding/training
- Messaging/communications
- Performance objectives/evaluations
- Management/monitoring
- Investigation/disciplinary actions
Why Create an Integrated Anti-Fraud, Compliance, and Ethics Program?
Why Create an Integrated Anti-Fraud, Compliance, and Ethics Program?
- Prevent and reduce direct, indirect, and reputational costs of misconduct or fraud.
- Comply with laws, regulations, and other initiatives.
- Mitigate penalties for misconduct.
- Avoid being subject to corporate monitoring (e.g., DPAs, CIAs).
Why Create an Integrated Anti-Fraud, Compliance, and Ethics Program?
Realize a competitive advantage:
- Improve and facilitate business processes.
- Enhance the quality of goods or services provided.
- Attract and retain high-quality employees.
- Build goodwill with potential business partners.
- Draw investors.
- Entice customers.
Why Create an Integrated Anti-Fraud, Compliance, and Ethics Program?
- Reiterate the company's mission statement.
- Reinforce a sense of right and wrong.
- Provide protection from liability.
Selling the Program to Management
Management buy-in is the most important factor in a program's success.
Demonstrate the program's value:
- Impact on the bottom line
- Impact on employee morale
- Impact on reputation
Selling the Program to Management
Median Loss Based on Presence of Anti-Fraud Controls (Source: ACFE 2016 Report to the Nations)
Selling the Program to Management
Address the "we don't have a fraud problem" mentality.
Determining the Goals and Objectives of the Program
- Primary goal is to demonstrate management's commitment to doing the right thing.
- Program components serve as resources to make that possible and desirable.
- Management should tailor detailed program objectives to the organization's specific needs and goals.
Determining the Goals and Objectives of the Program
Factors to consider:
- Corporate strategy and mission
- Management's ideal corporate culture
- Number and complexity of the laws and regulations that must be complied with
- Management's risk tolerance for violations
- The necessary investment in program components
- The financial and human resources already available
- The program's effect on company operations
Determining the Goals and Objectives of the Program
Addressing management's expectations and risk tolerance:
- Will vary by organization
- Zero-tolerance approach
- Must include consideration of non-monetary impact of violations
Ensuring Efficient Use of Program Resources
- Bigger is not always better.
- The goal is to avoid overly extensive policies that will sit unread.
- The goal is preventing, identifying, and addressing the risk of misconduct.
Designating Responsibility for Program Effectiveness
Responsible individual should have:
- Ethics and compliance background
- Deep understanding of realities of business operations
Should include responsibility for document retention for all compliance-related initiatives and activities