Creating a Strong Corporate Culture Begins With Managing Fraud Risk

Assessing the Results of the Latest White-Collar Crime and Fraud Risk Survey


Creating a Strong Corporate Culture Begins With Managing Fraud Risk · 1 · protiviti.com · utica.edu

In Creating a Strong Corporate Culture, “Fraud Risk Management” Is a Bit of a Misnomer

While a strong corporate culture is no paint-by-the-numbers exercise, a number of vital components must be carefully aligned — namely, ethical behavior, tone at the top, mood in the middle and attitude at the base. These elements can be seen as similar to a painter selecting and painstakingly applying just the right mixture of colors and textures to transform the canvas into a work of art. They are of critical concern in today’s boardroom and C-suite. Companies are striving to introduce a measure of introspection to better understand the correlation between culture and ethical failures involving fraud, corruption and misconduct. Key to this movement toward enhanced levels of organizational maturity are growing efforts to measure culture, flag warning signs, make control improvements, address gaps, build awareness of fraud and misconduct risk, and avoid becoming the next headline featuring organizational breakdowns that can derail brand, reputation and long-term viability.

Given the inverse relationship between culture and fraud, where a poor culture leads to high rates of fraud, the results of the latest White-Collar Crime and Fraud Risk Survey from Utica College and Protiviti reveal some troubling trends that should raise concerns for boards of directors and executive leadership.

Culture, fraud and misconduct are inextricably linked. Poor corporate culture can cause the kind of organizational inertia and complacency that give rise to a pattern of unethical behavior and other misdeeds that may continue unchecked for years, in part because many in the organization knew or suspected what was going on but failed to take action. The organization’s culture either discourages doing the right thing, is blind to bullying behavior, and/or rewards those who employ a “win at all costs” attitude. These types of “open secrets” become fertile ground for fraudulent and unethical activity.

In fact, while investigating ethical breaches, government investigators now look more deeply into organizations to ascertain root causes and what preventive and detective measures were in place to identify, investigate and report suspected fraud, bribery or misconduct. Thus, fraud risk governance, assessment, prevention and detection practices have never been more critical; they help shine light on practices and issues that can create the type of dysfunctional corporate culture in which unethical and illegal behavior thrive. We assess these and many other issues in our study.


2 · Protiviti · Utica College

These areas also represent the approaches and leading practices the Committee of Sponsoring Organizations of the Treadway Commission (COSO) advocates in its Fraud Risk Management Guide (FRM Guide) to help mitigate and prevent improper behavior by employees seeking greater rewards at the expense of ethics and compliance with company policies or state and federal laws.1 To this end, a key question for organizations to consider is, “Are we measuring our corporate culture on a periodic basis?”

The bottom line is that an organization’s posture on fraud risk can signal problems within its corporate culture. Executives who downplay the existence of fraud risk, consistently make business decisions solely on the basis of revenues without properly considering risk, or allow incentive compensation to drive inappropriate behavior are all signs that a company’s approach to fraud risk is no approach at all. Companies that give lip service to fraud risk are signaling to their employees and management that ethical business practices are not a priority — an ill-conceived posture that can have a toxic ripple effect and set the stage for an inevitable cultural meltdown.

In our study, we examine the perceptions and actions underlying fraud risk activities across an array of organizations and geographies that should serve as a wake-up call to corporate leaders who allocate insufficient time and attention to fraud risk due to their lack of understanding about the close linkage between weak or nonexistent fraud risk management programs and a poor corporate culture.

Our survey findings appear to align with “compliance fatigue” and, to a certain extent, complacency that many organizations face when they have a seemingly endless succession of regulatory obligations to meet, sales goals and revenue targets that are top priorities, limited budget and resources, and a general lack of understanding about the potentially devastating impact that a poor culture and major fraud or corruption matter can have on a company’s brand, reputation, debt covenants and market capitalization.

One way to attack such malaise is to better link the implications of failing to focus on culture to the potentially devastating outcomes that follow. CEOs, billionaire venture capitalists, judges and Hollywood powerhouses are among many who have made dramatic departures from their roles following allegations of fraud, corruption and misconduct. Often, the investigations that follow reveal that problems involving such individuals were “open secrets” and that if the company had only sought to evaluate its corporate culture, these matters might have more quickly surfaced in time to stop the victimization and prevent further damage to individuals, companies and their shareholders. Ultimately, linking the development of a strong corporate culture through robust fraud risk management to the prevention of actions that can bring down the organization is sure to command the attention of the boardroom and C-suite.

We hear from many organizations that obtaining resources and support from the C-suite to strengthen culture through a proactive fraud risk management program is an uphill battle. In fact, though there is growing understanding about the impact of corporate culture and the benefits of measuring it, there is still limited awareness of its linkage with fraud and misconduct. Perhaps using the results of culture surveys and tapping into the current climate of moral outrage to support a more proactive stance in managing fraud risk is in order. Until then, we will continue to see results like those in this year’s survey.

1 Fraud Risk Management Guide, COSO and the Association of Certified Fraud Examiners (ACFE), September 2016: www.coso.org.


Our Key Findings

01 Organizations continue to lag in employing leading practices to build a strong culture — From the frequency of performing fraud risk assessments to a lack of understanding about the drivers of fraud, organizations must seek to move away from the continuous loop of responding to one fire after another to a more proactive, strategic and methodical approach to mitigating organizational fraud and culture breaches.

02 Resources represent a significant challenge in building a strong corporate culture with a clear fraud risk strategy — More than a third of organizations consider their fraud risk strategy to be weakly defined, with many citing the limited availability of internal resources as a significant challenge in addressing fraud proactively.

03 Many organizations lack a fraud risk management program, including policies to mitigate fraud — Given the prevalence of actual and potential fraud issues in organizations and those involving vendor relationships, as well as the long-term effects on corporate culture, this finding is surprising — and likely disappointing to shareholders and other key stakeholders. Increasingly, external auditors are paying attention to fraud risk and internal investigations. In some cases, they will withhold their sign-off pending improvements to the fraud risk management infrastructure or more thorough investigations, or give qualified opinions when they are underwhelmed with a company’s approach to fraud and investigations.

04 Third parties represent a significant gap in fraud risk management — Overall, one in three organizations lacks a high level of confidence as to whether it has effective oversight of third parties. However, third parties account for a disproportionate number of violations an organization commits, including those related to the Foreign Corrupt Practices Act (FCPA) and other anti-corruption statutes, cybercrime, vendor fraud, kickbacks, human trafficking, and data privacy breaches. Most organizations do not allocate sufficient time, energy and resources to understand and seek to mitigate the myriad issues third parties represent.

Culture is complex and different within every organization and remains largely abstract. However, even though a company’s culture may be abstract, one thing is clear: developing the right approach for auditing an organization’s risk culture takes time and careful planning. And for any business, the value of undertaking this process is developing a better understanding of the cultural causes that create risk — in short, human behaviors.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit


Methodology

Utica College and Protiviti partnered to conduct the White-Collar Crime and Fraud Risk Survey in the second and third quarters of 2017. This global survey, conducted online, consisted of a series of questions grouped into six categories:

• Fraud Risk Governance

• Fraud Risk Assessment

• Fraud Prevention Techniques

• Fraud Detection Techniques

• Corruption

• Reporting, Investigation and Corrective Action

Globally, 748 executives and professionals — including board members, C-suite executives, general counsel and chief audit executives (CAEs) — completed our online questionnaire. All respondents are in a position to understand their organization’s fraud risk management capabilities. Survey participants also were asked to provide demographic information about their titles and positions and the nature, size and location of their businesses.

We appreciate the time these individuals invested in our study.

Because this year’s survey was global, whereas our prior study (published in 2016) was based on responses gathered only in the United States, we did not include comparisons with findings from our prior survey in this report. However, we would be pleased to provide any specific year-over-year comparisons upon request, to the extent such data is available.

All demographic information was provided voluntarily by our respondents (see page 52).

Notes

This report includes numerous breakdowns of the survey findings by company size, defined as follows (all figures are in U.S. dollars):*

Large = Companies with revenues of $10 billion or more

Midsize = Companies with revenues between $100 million and $9.99 billion

Small = Companies with less than $100 million in revenues

* Upon request, Protiviti can provide additional reporting in these broad categories.

Measuring ethical culture may be a confusing concept since culture isn’t an object one can easily quantify. That said, there are characteristics, behaviors and impressions that can be examined to determine whether a company is on the right path or whether it has institutionalized bad behavior that, left unchecked, can lead to ethical failures down the road.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic


Fraud Risk Governance — Who’s Minding the Store?

First things first: The board of directors, along with senior management, need to demonstrate their expectations and commitment to “high integrity and ethical values regarding fraud risk.”2 That is a key driver for developing and maintaining a strong corporate culture.

The concept of fraud risk governance is highlighted as Principle 1 in COSO’s FRM Guide. To manage fraud risk effectively, an organization should designate an executive or other leader with direct ownership of and responsibility for the fraud risk management program. Oversight of fraud risk should be active and defined. And a clear, formal fraud risk strategy should be in place. All the above actions are part of good fraud risk governance, but our survey results reveal that many organizations have significant shortcomings in these areas.

For example, in 16 percent of organizations overall, no senior management professional is designated with ownership of and responsibility for fraud risk management — or, that individual is not known.

In a large percentage of instances involving breakdowns in corporate culture or in the conduct at the top or throughout the organization, one or more fraud-related activities are driving those issues. That fact should underscore the need for robust fraud risk management practices, including board oversight and senior management responsibilities.

The survey results also show that one in five organizations has a “no fraud here” mentality. These organizations likely do not perform fraud risk assessments, which is a critical practice. Another factor for this mindset could be that the individuals responsible for conducting these assessments have “day jobs” and therefore lack time to conduct thorough — or any — evaluation of fraud risk and corresponding anti-fraud controls. This behavior creates fertile ground for a poor corporate culture.

Many Organizations Falling Short on Fraud Risk Policy and Strategy

What also stands out in the results is the small but meaningful number of organizations that lack active and defined oversight of fraud risk. The numbers are slightly smaller for large companies but are still notable. Of particular note, the percentages are higher among North American-based organizations.

Also noteworthy is that a substantial percentage of organizations have a fraud risk strategy that is not defined clearly. Without a solid understanding of fraud risks throughout the organization, how can management express confidence that its control environment is effective, and that it is focusing on creating a strong corporate culture?

Another eye-opening finding is that a third of organizations worldwide appear to lack a formal and documented fraud control policy. That is despite COSO’s specific recommendation that organizations have such a policy, as outlined in its FRM Guide.

KEY FACTS

16%: Organizations overall that have no senior management professional designated with ownership of and responsibility for fraud risk management*

* Includes “Don’t know” responses.

2 Ibid.


Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organization?

Company Size (Annual Revenue)

                                                          Large      Midsize    Small
                                                          companies  companies  companies
Chief Executive Officer                                   29%        17%        20%
Chief Financial Officer                                   13%        13%        19%
Chief Risk Officer                                        15%        13%        11%
Chief Legal Officer or General Counsel                    11%         9%        10%
Chief Security Officer                                    12%        10%         7%
Internal Audit Director                                    5%        13%         8%
Other                                                      6%         7%         7%
No senior management professional is designated with
ownership and responsibility for fraud risk management     4%        13%        13%
Don’t know                                                 5%         5%         5%

Region

                                                          Asia-     Europe  India  Latin America/  North
                                                          Pacific                  South America   America
Chief Executive Officer                                   27%       28%     32%    38%              8%
Chief Financial Officer                                   11%       11%     18%    11%             21%
Chief Risk Officer                                        19%       13%     11%     3%             13%
Chief Legal Officer or General Counsel                     7%       10%      4%     8%             13%
Chief Security Officer                                     5%       17%     15%    15%              4%
Internal Audit Director                                   10%        5%      5%     5%             11%
Other                                                      4%        4%      5%     3%             11%
No senior management professional is designated with
ownership and responsibility for fraud risk management    12%       10%      9%    14%             12%
Don’t know                                                 5%        2%      1%     3%              7%

While 4 percent of large companies indicate that no senior management professional is designated with fraud risk management ownership and responsibility, this figure rises to 13 percent in midsize and small companies, suggesting the latter group of organizations is seemingly more tolerant of “absentee leadership” in this critical area.


Which of the following groups in your organization provides active and defined oversight of the organization’s fraud risk? (Multiple responses permitted)

Company Size (Annual Revenue)

                                   Large      Midsize    Small
                                   companies  companies  companies
Audit committee                    50%        59%        48%
Risk management committee          53%        51%        39%
Board of directors                 44%        39%        42%
C-level executive(s)               43%        37%        37%
No active and defined oversight     5%         6%        12%
Don’t know                          4%         4%         3%
Other                               5%         7%         3%

Region

                                   Asia-     Europe  India  Latin America/  North
                                   Pacific                  South America   America
Audit committee                    58%       40%     60%    46%             56%
Risk management committee          51%       60%     58%    50%             33%
Board of directors                 42%       51%     42%    56%             32%
C-level executive(s)               32%       41%     51%    37%             37%
No active and defined oversight     7%        7%      4%     7%             11%
Don’t know                          3%        2%      0%     1%              6%
Other                               2%        3%      3%     4%              7%

A significant number of organizations, particularly small and North American-based companies, lack active and defined oversight of fraud risk.


On a scale of 1 to 5, where “5” indicates very well-defined and “1” indicates undefined, how would you rate your organization’s fraud risk strategy?

[Chart: Company Size (Annual Revenue). Share rating their fraud risk strategy very well-defined/defined versus less defined/reactive/undefined/don’t know: Large companies 72% / 28%; Midsize companies 60% / 40%; Small companies 60% / 40%.]

[Chart: Region. Same two categories; the extracted bar values are 53% / 47%, 72% / 28%, 74% / 26%, 68% / 32% and 65% / 35%, with bars labeled India, North America, Latin America/South America, Europe and Asia-Pacific (the label-to-bar pairing is not recoverable from the extracted page).]

When scanning national patterns, North American organizations look relatively less concerned about well-defined risk strategies than do companies in other parts of the world.


Which of the following challenges does your organization face in managing its fraud risk proactively? (Multiple responses permitted)

There is limited availability of internal resources to address fraud risk.                                                              36%

We lack a unified fraud risk management strategy.                                                                                       28%

We lack proactive fraud risk management. Our focus is on incident response when allegations arise.                                      28%

Proactive fraud risk management is not a corporate priority.                                                                            27%

Fraud and misconduct are not considered “high risks” within the organization.                                                           27%

There is inadequate funding for an anti-fraud program and related initiatives.                                                          21%

Our organization has a “no fraud here” mentality.                                                                                       20%

Laws and regulations or cultural norms in our non-U.S. locations present unique challenges that we have yet to address.                 20%

We do not have a member of senior management who is designated with ownership of and responsibility for fraud risk management.          16%

KEY FACTS

93%: Organizations globally that have a formal and documented code of conduct

67%: Organizations globally that have a formal and documented fraud control policy

An area of concern appears to be the availability of internal resources to address fraud risk proactively, with more than one in three organizations citing this as a challenge.


COSO Elevates and Evolves Fraud Risk Management Practices

For many organizations, building a strong corporate culture and managing fraud consists of checking boxes and thinking positive thoughts:

• “We hire good people.”

• “We have a code of conduct.”

• “We comply with Sarbanes-Oxley.”

• “Our hotline does not ring (for serious things).”

• “Fraud simply doesn’t happen here.”

Of course, as forensic professionals and educators, we know this is not enough. COSO knows this, too.

Recognizing the need to both elevate and evolve management’s thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (FRM Guide) in collaboration with the Association of Certified Fraud Examiners (ACFE) in September 2016. This guidance provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but also actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide* within the context of the 2013 COSO Internal Control — Integrated Framework.

These principles serve as a universal foundation for fraud risk management programs. They are:

1. Fraud Risk Governance

2. Fraud Risk Assessment

3. Fraud Control Activities

4. Fraud Investigation and Corrective Action

5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included in the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk have been focal points of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement of an organization’s financial statements. In contrast, COSO’s FRM Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program to achieve better support of and greater consistency with the overall 2013 COSO Framework.



COSO’s FRM Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles. It also outlines unique characteristics for each fraud risk management principle within specific points of focus. These points are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, COSO’s FRM Guide provides information that is thorough and thoughtful, and applicable to various audiences.

Below are some suggestions for utilizing the information and templates included within COSO’s FRM Guide, which can benefit organizations in pursuit of a “best-in-class” fraud risk management program, as well as those companies that are simply looking to enhance certain elements of their anti-fraud control activities:

• Map and analyze the fraud risk management process for improvement opportunities.

• Evaluate whether there is proper oversight and assignment of resources for fraud control activities.

• Create or update the organization’s fraud control policy.

• Conduct a survey to understand perceptions about the organization’s culture and fraud risk management capabilities.

• Expand documentation and visualization of the organization’s fraud risk and controls matrix.

• Assess the organization’s list of potential fraud exposures.

• Review the organization’s fraud response plan.

• Implement a data analytics framework.

• Enhance awareness of fraud risk through communication with various organizational constituencies.

COSO’s FRM Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. However, it is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one-size-fits-all” approach to either process; each must be tailored to suit an organization’s specific operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and COSO’s FRM Guide provides a clear road map that can help drive organizations toward excellence in fraud risk management.

* Managing the Business Risk of Fraud: A Practical Guide was jointly published in 2008 by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (The IIA) and ACFE.


Assessing Fraud Risk: A Foundational Component of Corporate Culture and Fraud Risk Management

Patterns of fraud, corruption and misconduct that take root in organizations are frequently open secrets among personnel. The fact that organizational assets are being misused or diverted is often widely known but perhaps not openly discussed. This phenomenon gives rise to several questions including, “Why are these actions not reported?” and “Is it because of fear of retaliation?” “Failure to report” is a clear symptom of a poor corporate culture, as is ignoring or silently endorsing bad behavior because of who is involved or benefiting from it. For this reason, fraud risk assessments should be performed to help identify unreported, overlooked or even “culturally accepted” vulnerabilities and include consideration of an organization’s corporate culture — in effect, taking the company’s temperature from an ethical viewpoint. Seeking to measure corporate culture can expose an organization’s open secrets before they devolve into more significant ethical lapses with serious legal and regulatory consequences.

Fraud risk assessments should be conducted at least annually, if not more frequently, depending upon shifts in strategic objectives, organizational changes or the occurrence of fraud. Overall, most organizations report that they do this, which is positive. However, significant numbers of organizations, of all sizes and across regions, appear to do so less frequently or inconsistently.

A small but notable number of organizations report that they don’t know who the business owner responsible for the fraud risk assessment is, or they don’t have a defined business owner for that process. There should be a designated owner, of course. But regardless of who ultimately is responsible for a fraud risk assessment, the process must involve a broad range of functions in the organization — internal audit, accounting and finance, procurement, information technology (IT), risk management, facilities, research and development (R&D), and more. This approach enables the fraud risk assessment to capture the nuances of each organizational function where fraud has the potential to occur, along with the potential fraud drivers. That includes understanding opportunities, incentives, pressures, attitudes and rationalization to commit fraud within different groups in the organization.

Also, it is critical for organizations to examine fraud risk not in pockets or silos, but across the enterprise. Principle 2 of COSO’s FRM Guide specifies that the fraud risk assessment process should include all appropriate levels of management along with the resources necessary to assess fraud risk throughout the enterprise.

Simply put, fraud risk can neither be managed nor mitigated if it is not understood. Fraud risk assessments undertaken correctly enhance an organization’s awareness of the various fraud risks it is facing and allow it to prioritize efforts to mitigate the most serious areas of vulnerability.

The fraud risk assessment process, to remain effective and relevant, also must evolve as personnel, operations, methodologies and other processes change. Our survey found that, across organization type and region, “previous fraud risk assessment results” ranks high among the frequently used information applied to the assessment methodology. While the inclusion of this information is an important data point, no aspect of the fraud risk assessment should be a cut-and-paste exercise. Indeed, in a recent publication by the U.S. Department of Justice (DOJ) (Evaluation of Corporate Compliance Programs), an 11th hallmark of an effective compliance program was introduced: Analysis and Remediation of Underlying Misconduct. While this is directed at organizations that are in the throes of a government investigation, all organizations should seek to apply lessons learned from any internal investigations that have been performed since the last fraud risk assessment. Organizations should always strive to ensure that their fraud risk assessment processes are dynamic, are evolving along with the company’s changing risks and strategic objectives, and don’t become a rote exercise lacking meaningful benefit year-over-year.

More Care Needed When Discussing Sensitive Information

Another result in our survey is the low number of organizations globally that conduct fraud risk assessments under attorney-client privilege. In North America, for instance, three in four organizations do not conduct fraud risk assessments under this privilege. Anecdotally, most organizations do not even consider the need to do so.

Who within your organization is primarily responsible for conducting your fraud risk assessment?

By company size (annual revenue), 2016:

                          Large companies   Midsize companies   Small companies
Internal audit                 32%               46%                44%
Corporate compliance           20%               18%                15%
SOX compliance team            16%               14%                 9%
General counsel/legal          12%                9%                13%
Other                          12%                6%                10%
None of these                   2%                3%                 7%
Don’t know                      6%                4%                 2%

By region, 2016:

                          Asia-Pacific   Europe   India   Latin America/   North America
                                                          South America
Internal audit                 43%        39%     52%         40%              41%
Corporate compliance           17%        23%     17%         18%              14%
SOX compliance team            14%        12%     12%         11%              12%
General counsel/legal           8%        18%      6%         26%               7%
Other                          10%         4%     10%          1%              14%
None of these                   5%         3%      3%          2%               6%
Don’t know                      3%         1%      0%          2%               6%

While some organizations make rational business cases for why they choose not to perform fraud risk assessments under the attorney-client privilege, problems sometimes arise in those organizations that do not even consider doing so. When conducting fraud risk assessments, root cause analyses of prior internal investigations (which were probably undertaken pursuant to the attorney-client privilege), internal control weaknesses or gaps identified through previous audits, and other confidential compliance matters may be discussed. If sensitive information is gathered without the opportunity for legal counsel to provide advice to the organization, it could result in a significant problem down the road if, during litigation, that sensitive information becomes discoverable.

As our survey results indicate, the fraud risk assessment process often involves the use of other techniques such as the review of policies, procedures and training materials, gathering of public information and industry news, brainstorming sessions, interviews or group workshops, process walkthroughs, surveys, and data analytics. During these activities, candid feedback about business practices, personnel matters and corporate culture may be shared. In some cases, indicators of fraud may even be identified through the use of electronic data interrogation routines. Organizations likely do not want this material exposed during litigation. It is therefore imperative to consider confidentiality, as well as the potential for conducting the fraud risk assessment under the direction of counsel for attorney-client privilege purposes, during planning activities. (See the sidebar “Fraud Risk Assessment and Attorney-Client Privilege” on page 18 for further discussion.)

Circling back to the updated 2013 COSO Internal Control Framework, Principle 8 includes consideration of three key types of fraud during management’s risk assessment activities. Interestingly, when asked which fraud type concerns them the most, respondents provided a wide range of responses. What stands out is that while fraudulent nonfinancial reporting is the type of fraud that happens most often in organizations, only a small number cited it as the area of greatest concern. Another point of emphasis is that fraud risk in many organizations is centered on compliance with SOX and the concept of materiality. This is a dangerously narrow way of viewing fraud risk and often leaves a significant number of potential fraud scenarios out of the process, some of which can have a negative effect on the organization, since the statutes being violated do not use materiality in weighing whether criminal violations have occurred. Examples of two such categories of fraud are the bribery of foreign officials and sanctions violations such as those enforced by the U.S. Office of Foreign Assets Control (OFAC).

Factors having an impact on fraud risk are highlighted in the 2013 COSO Framework’s Points of Focus for Principle 8. While fraud risk factors are shared by all organizations that experience fraud, the fraud risk assessment methodology should be a unique process. A holistic view of fraud includes consideration of potential scenarios and perpetrators at all levels of the enterprise, as well as vulnerabilities in all processes and geographic locations — not only those deemed “in scope” for SOX purposes. Executed correctly, the fraud risk assessment should not be a “cookie-cutter” template for a different company in a different industry offering different products or services, since it has been specifically tailored to the company at hand.

A holistic view of fraud includes consideration of potential scenarios and perpetrators at all levels of the enterprise, as well as vulnerabilities in all processes and geographic locations.

How often does your organization conduct a formal fraud risk assessment?

[Chart: responses by company size (large, midsize, small companies) and by region (Asia-Pacific, Europe, India, Latin America/South America, North America), across the categories Quarterly, Annually, As needed, Never and Don’t know. The individual percentages cannot be reliably paired with their categories in the extracted text and are omitted here.]

It is surprising to find a significant percentage of large companies and North American-based organizations that report not knowing how often the fraud risk assessment is conducted.

How is your organization’s fraud risk assessment process structured within your organization?

By company size (annual revenue), 2016:

                                                          Large companies   Midsize companies   Small companies
Incorporated into our enterprise risk management (ERM) process   47%               40%                38%
Incorporated into our internal audit planning process            21%               22%                26%
Incorporated into our SOX compliance process                      8%               18%                13%
Stand-alone                                                      18%               12%                12%
None of these                                                     2%                2%                 9%
Don’t know                                                        4%                6%                 2%

By region, 2016:

                                                          Asia-Pacific   Europe   India   Latin America/   North America
                                                                                          South America
Incorporated into our ERM process                              42%        52%     45%         48%              32%
Incorporated into our internal audit planning process          23%        15%     32%         27%              25%
Incorporated into our SOX compliance process                    8%        13%      2%         10%              20%
Stand-alone                                                    17%        15%     17%         11%               9%
None of these                                                   6%         4%      4%          3%               8%
Don’t know                                                      4%         1%      0%          1%               6%

Does your company conduct its fraud risk assessment under attorney-client privilege? (Shown: “Yes” responses)

[Chart] By company size (annual revenue): 51%, 45% and 41%, with the labels Large, Small and Midsize companies extracted alongside (the value-to-label pairing is not reliably recoverable). By region: North America 25%; the remaining values 77%, 63%, 51% and 36% belong to Europe, India, Asia-Pacific and Latin America/South America, but their pairing is not recoverable from the extracted figure.

Fraud Risk Assessment and Attorney-Client Privilege

As with any internal investigation, a fraud risk assessment may include sensitive matters that potentially involve litigation or damage to a company’s reputation. There are often compelling reasons for an organization’s assessment team to report to legal counsel. Some things to consider include:

• In the United States, conversations between an attorney and a client seeking legal advice are considered “privileged and confidential” and “attorney-client privileged.” Once privilege is established, the information shared between a client and attorney is largely protected from disclosure to other parties.

• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without fear of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic accountants or investigators, participate in the fraud risk assessment or an investigation, their work should be performed at the direction of lawyers so that their findings are considered attorney work product and are privileged as well.

• It should be made clear that the fraud risk assessment is being conducted to assist legal counsel in providing legal advice. That includes marking materials as “Privileged and Confidential” and informing interviewees of the legal purpose of the fraud risk assessment or investigation.

• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the review with anyone who is not involved in the project, so as not to inadvertently waive the privilege by sharing information outside of the attorney-client relationship.

• The attorney-client privilege varies widely by country. For any investigations, fraud risk assessments or other projects that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions, the rules of those jurisdictions would apply.

Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions were of a business, and not a legal, nature.

Legal privilege varies widely from one country to the next, and these decisions are best made in consultation with attorneys who have a deep understanding of the various jurisdictions in which the company is operating and whether and to what extent the fraud risk assessment can be undertaken pursuant to the attorney-client privilege.

It’s important for companies to understand the interrelationship between internal investigations that were performed at the direction of counsel and the company’s fraud risk. Reviewing those investigations could constitute an inadvertent waiver of privilege. Plus, during the course of a fraud risk assessment, people sometimes share information about past or ongoing fraud or misconduct that could give rise to legal liability. Performing fraud risk assessments pursuant to the attorney-client privilege can add a layer of protection to sensitive information that was gathered during the course of the project.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic

Does your fraud risk assessment team include members from different departments? (Shown: “Yes” responses)

[Chart] By company size (annual revenue): 74%, 68% and 62%, with the labels Large, Small and Midsize companies extracted alongside (the value-to-label pairing is not reliably recoverable). By region: North America 54%; the remaining values 82%, 79%, 71% and 60% belong to Europe, India, Asia-Pacific and Latin America/South America, but their pairing is not recoverable from the extracted figure.

IF YES: Which departments participate in the fraud risk assessment team? (Multiple responses permitted)

By company size (annual revenue), 2016:

                          Large companies   Midsize companies   Small companies
Internal audit                 73%               72%                70%
Accounting/finance             65%               62%                63%
Legal                          61%               57%                63%
Risk management                68%               50%                56%
Compliance                     54%               50%                44%
Operations                     48%               41%                51%
Corporate security             45%               46%                42%
Human resources                44%               39%                46%
External consultants           20%               17%                25%

By region, 2016:

                          Asia-Pacific   Europe   India   Latin America/   North America
                                                          South America
Internal audit                 64%        63%     78%         64%              84%
Accounting/finance             68%        47%     53%         63%              80%
Legal                          48%        53%     59%         65%              72%
Risk management                58%        65%     67%         51%              50%
Compliance                     44%        45%     51%         32%              61%
Operations                     42%        43%     41%         45%              58%
Corporate security             40%        49%     45%         43%              43%
Human resources                44%        34%     41%         41%              51%
External consultants           24%        20%     35%         28%              15%

Organizations in Latin America/South America and Europe are far more likely to include members from different departments on the fraud risk assessment team than are companies in other regions, particularly North America.

Which of the following does your company utilize as part of its fraud risk assessment methodology? (Multiple responses permitted)

By company size (annual revenue), 2016:

                                                              Large companies   Midsize companies   Small companies
Previous fraud risk assessment results                             49%               55%                51%
Prior reported concerns and complaints                             49%               51%                49%
Data analytics                                                     53%               47%                44%
Prior audits or other reviews conducted at the company             47%               44%                48%
Interviews                                                         47%               52%                42%
Brainstorming sessions                                             43%               42%                36%
Surveys                                                            48%               35%                36%
Public information about criminal, civil and regulatory
  cases and complaints                                             33%               31%                30%
Industry news                                                      31%               32%                25%
Workshops                                                          35%               28%                26%
Industry-accepted fraud taxonomies, such as the ACFE’s
  Occupational Fraud and Abuse Classification System               35%               28%                24%

By region, 2016:

                                                              Asia-Pacific   Europe   India   Latin America/   North America
                                                                                              South America
Previous fraud risk assessment results                             57%        46%     70%         47%              52%
Prior reported concerns and complaints                             56%        44%     61%         37%              53%
Data analytics                                                     39%        55%     62%         62%              36%
Prior audits or other reviews conducted at the company             54%        32%     58%         40%              53%
Interviews                                                         38%        44%     39%         42%              54%
Brainstorming sessions                                             35%        47%     50%         35%              36%
Surveys                                                            25%        45%     45%         43%              35%
Public information about criminal, civil and regulatory
  cases and complaints                                             30%        36%     32%         42%              26%
Industry news                                                      24%        31%     39%         29%              26%
Workshops                                                          42%        36%     32%         42%              14%
Industry-accepted fraud taxonomies, such as the ACFE’s
  Occupational Fraud and Abuse Classification System               25%        28%     32%         27%              25%

Which one of the following types of fraud is of greatest concern to your organization?

By company size (annual revenue), 2016:

                                                  Large companies   Midsize companies   Small companies
Safeguarding of assets                                 24%               16%                20%
Management override of controls                        19%               19%                19%
Fraudulent financial reporting                         16%               15%                16%
Corruption                                             10%               10%                14%
Illegal acts                                           10%                7%                 7%
Fraudulent nonfinancial reporting                       2%                7%                 5%
No one type is more concerning than the other          14%               20%                15%
Other/none of these                                     5%                6%                 4%

By region, 2016:

                                                  Asia-Pacific   Europe   India   Latin America/   North America
                                                                                  South America
Safeguarding of assets                                 24%        18%     25%         12%              21%
Management override of controls                        20%        21%     20%         26%              13%
Fraudulent financial reporting                         12%        24%     17%         17%              12%
Corruption                                             15%        10%      9%         21%               9%
Illegal acts                                            6%         8%      3%         11%               8%
Fraudulent nonfinancial reporting                       1%         5%      2%          8%               6%
No one type is more concerning than the other          18%         8%     12%          3%              26%
Other/none of these                                     4%         6%     12%          2%               5%

As expected, the safeguarding of assets seems to be a high priority, while corruption appears to be a lower priority (though more significant for organizations in Latin America/South America).

Does your organization have a fraud risk management (mitigation) program? (Shown: “Yes” responses)

[Chart] By company size (annual revenue): 76%, 63% and 56%, with the labels Large, Small and Midsize companies extracted alongside (the value-to-label pairing is not reliably recoverable). By region: North America 39%; the remaining values 87%, 81%, 74% and 61% belong to Europe, India, Asia-Pacific and Latin America/South America, but their pairing is not recoverable from the extracted figure.

IF YES: Who in your organization is responsible for the fraud risk management (mitigation) program?

By company size (annual revenue), 2016:

                          Large companies   Midsize companies   Small companies
Chief Compliance Officer       30%               42%                39%
Chief Financial Officer        28%               25%                25%
Chief Audit Executive          24%               25%                26%
Other                          12%                6%                 8%
Don’t know                      6%                2%                 2%

By region, 2016:

                          Asia-Pacific   Europe   India   Latin America/   North America
                                                          South America
Chief Compliance Officer       48%        41%     31%         31%              33%
Chief Financial Officer        23%        27%     29%         24%              27%
Chief Audit Executive          15%        24%     25%         41%              21%
Other                          14%         6%     13%          1%              12%
Don’t know                      0%         2%      2%          3%               7%

It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy organizational culture can derail operations, damage the brand, drive away customers and put a sizable dent in the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but is given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific and necessary.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit

Cultivating a Healthy Corporate Culture Through Fraud Prevention

One surprise from the results of our survey is evidence of the low use of certain primary controls, including ethics and fraud awareness training, which could help organizations recognize warning signs and prevent fraud if they were utilized or provided more frequently. In the United States, for example, the DOJ and the Securities and Exchange Commission (SEC) consider training and continuous advice to be a hallmark of an effective compliance program, yet a large majority of organizations do not appear to conduct such training.

Shockingly, even basic measures appear to be falling short. For instance, a good argument can be made that every organization should have a code of conduct and code of ethics, yet more than one in five companies surveyed do not. Indeed, a code of conduct and compliance policies and procedures are called out by both the DOJ and the SEC as hallmarks of an effective compliance program.

Third- and Fourth-Party Relationships Require More Scrutiny

Several other findings from our survey should raise red flags for boards and executive leadership seeking to build a strong corporate culture. For example, less than a majority of organizations have third-party due diligence and competitive bidding in place as controls to prevent fraud; only slightly more than a majority have IT controls, authority and approval limits, and segregation of duties (SoD) in place. While some may not view these measures specifically as fraud controls, they can be very effective for fraud prevention. That is especially true for publicly held companies that must comply with requirements such as SOX in the United States.

The results for third-party due diligence controls are especially eye-opening, particularly when considering the extent to which third parties may have access to personally identifiable information and/or may have permission to act on behalf of the company. Third parties can represent a weak link in the organization’s fraud control structure (as well as security and privacy, anti-bribery, regulatory compliance, and other areas of internal control).

Conducting risk-based investigative due diligence of the organization’s third parties, especially those in particularly high-risk jurisdictions, as well as fourth parties (i.e., the vendor’s vendors or subcontractor’s subcontractors) should be considered essential.

Authorities May Question Lack of Commitment to Combating Fraud

As noted above, a potential weak link in an organization’s culture is the frequency of ethics and fraud awareness training. Our survey results suggest that two in five organizations conduct this type of training only annually — or even less frequently.

If the organization lacks a strong commitment to regular ethics and fraud awareness training, what does that say about management’s commitment to building a healthy corporate culture? That is the type of question authorities could ask during a formal fraud investigation and in evaluating whether there was an effective compliance program in place at the time violations were occurring. When a prosecutor or law enforcement agency concludes that there was not an effective compliance program in place, or there were other aggravating circumstances at the time, the company itself can be charged with criminal violations, which can have sweeping and often devastating consequences for the company and its shareholders.

The U.S. DOJ and the SEC have provided clear guidance for what they expect of companies when it comes to effective compliance and ethics programs. One recommendation is delivering risk-based training, as compliance policies are not meaningful unless they are communicated effectively throughout the organization. COSO also stresses the importance of regular training in its FRM Guide.

KEY FACTS: 57% of organizations (overall) conduct ethics and fraud risk awareness training.

It is very important for organizations to create processes that support people doing the right thing all the time and foster a culture where people in the organization know the tone at the top, ensuring that the tone flows all the way down to middle management and beyond. This is because, in most cases, employees pay more attention to what their direct supervisors are saying or doing, and less to what the CEO has announced.

— Susan Haseley, Protiviti Executive Vice President, Diversity and Inclusion Initiative Leader

Which of the following primary controls does your organization utilize to prevent fraud? (Multiple responses permitted)

By company size (annual revenue), 2016:

                                          Large companies   Midsize companies   Small companies
Code of conduct/Code of ethics                 78%               81%                72%
Authority or approval limits                   59%               63%                67%
Employee background checks                     56%               63%                66%
IT controls                                    55%               58%                63%
Segregation of duties                          54%               58%                58%
Ethics or fraud risk awareness training        64%               58%                53%
Third-party due diligence                      41%               32%                33%
Competitive bidding                            36%               32%                32%

By region, 2016:

                                          Asia-Pacific   Europe   India   Latin America/   North America
                                                                          South America
Code of conduct/Code of ethics                 73%        62%     78%         71%              87%
Authority or approval limits                   68%        50%     64%         45%              78%
Employee background checks                     60%        47%     69%         56%              75%
IT controls                                    57%        47%     58%         58%              70%
Segregation of duties                          55%        37%     50%         35%              81%
Ethics or fraud risk awareness training        58%        55%     56%         56%              59%
Third-party due diligence                      30%        32%     53%         19%              38%
Competitive bidding                            29%        24%     38%         24%              41%

Europe reflects a lower percentage of firms that have codes of conduct or codes of ethics. North American firms are notably ahead of other regions in demanding segregation of duties. Compared to companies in other regions, both European and Latin American/South American firms reflect a much lower percentage of demanding segregation of duties.

How often does your organization offer ethics and fraud awareness training?

By company size (annual revenue), 2016:

                          Large companies   Midsize companies   Small companies
New hire orientation only      12%               12%                16%
On demand                      27%               19%                20%
Semi-annually                  18%               19%                17%
Annually                       33%               36%                27%
Less than annually              6%                6%                 7%
Never                           1%                5%                11%
Don’t know                      3%                3%                 2%

By region, 2016:

                          Asia-Pacific   Europe   India   Latin America/   North America
                                                          South America
New hire orientation only      12%        13%     20%         21%              11%
On demand                      20%        34%     33%         27%               8%
Semi-annually                  18%        25%     28%         22%              10%
Annually                       21%        20%     14%         25%              49%
Less than annually             13%         5%      3%          2%               7%
Never                          16%         2%      2%          1%              10%
Don’t know                      0%         1%      0%          2%               5%

With regard to the frequency of ethics and fraud awareness training, the question raised here is “How often is often enough?” Less than a majority of firms in North America conduct these trainings every six months or have them available on demand. These percentages are significantly higher among companies in Europe, India and Latin America/South America. On the other hand, 16 percent of organizations in the Asia-Pacific region never conduct these trainings.

Data Analytics, Fraud Detection and the Path Forward

One of the most notable findings in our survey is that one-third of organizations lack a fraud detection program. This raises the question of what exactly these organizations are doing to detect the type of fraudulent acts that can undermine the organization’s culture or indicate red flags for deep-seated issues.

The absence of a fraud detection program likely indicates a reactive environment for detecting fraud. Internal audit and management respond to fraud issues that arise but are unable to be proactive in spotting issues early or identifying potential root causes.

The absence of such a program also suggests organizations have limited resources and technologies to apply to fraud detection; thus, they lack alignment with Principle 3 of COSO’s FRM Guide. This principle focuses on preventive and detective control activities designed to mitigate the occurrence — and longevity — of fraud risk events. Timely discovery of fraud risk events is a critical component of a well-designed fraud risk management program, and the lack of a program calls into question the ability of such organizations to fully achieve risk mitigation under the 2013 COSO Framework.

Few Firms Using Data Analysis for Fraud Detection

One in five organizations reports that it does not use any form of data analysis to detect fraud proactively. The numbers are better for large organizations, but those operating in regions such as North America and Asia-Pacific fare worse. These results are not surprising, however. Business records in many organizations still exist in a manual state. Companies may want to incorporate forensic data analysis to identify potential red flags and fraud indicators, but they can’t if their information resides in boxes rather than in a digital state.

These results generally mirror the findings of Protiviti’s 2018 Internal Audit Capabilities and Needs Survey, which show that about one-third of organizations do not use data analysis or analytics in their internal audit functions.[3]

Most organizations are still in the early stages of using data analytics. Furthermore, many are likely performing only the most basic form of analytics. This was borne out in the findings of Protiviti’s internal audit survey. Few internal audit groups are employing current high-end technologies or artificial intelligence (AI), or even computer-assisted audit tools (CAATs), which could boost effectiveness and efficiency significantly.

Factors limiting the use of data analysis include dated legacy systems in the organization, as well as the absence of a data warehouse. Also, most organizations have few employees who are trained to use new technologies and AI to perform forensics and analytics.
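The “fraud detection programs” the survey asks about (routines written over transaction systems whose exception reports are monitored by an independent group such as internal audit) do not have to be elaborate to be useful. The following Python script is an added example, not code from this report or from Protiviti, showing how three of the primary controls named on this page (segregation of duties, authority or approval limits, and duplicate detection) become detective queries over an accounts-payable ledger. The ledger, user names, vendor ids and approval limits are all constructed for illustration; the split-payment band (10 percent under the approver’s limit) and the seven-day window are assumptions that a real program would tune.

```python
"""Exception-report style fraud analytics over a constructed AP ledger.

Added example; not part of the Protiviti/Utica College report. All records,
users, vendors and limits below are constructed. Each function turns one of
the primary controls named in the report into a query that can be scheduled
and routed to an independent reviewer (e.g., internal audit).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed approval limits per user (assumption: one flat limit per approver).
APPROVAL_LIMITS = {"alice": 10_000, "bob": 50_000, "carol": 5_000}

# Constructed vendor master: vendor id -> user who created the vendor record.
VENDOR_CREATED_BY = {"V100": "alice", "V200": "dave", "V300": "dave"}


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice: str
    amount: float
    approver: str
    paid_on: date


# Constructed sample ledger; comments mark the red flag each row carries.
LEDGER = [
    Payment("P1", "V100", "INV-1", 9_800.0, "alice", date(2018, 3, 1)),   # alice created V100 (SoD)
    Payment("P2", "V200", "INV-7", 4_900.0, "carol", date(2018, 3, 2)),   # two payments just under
    Payment("P3", "V200", "INV-8", 4_950.0, "carol", date(2018, 3, 3)),   #   carol's 5,000 limit (split)
    Payment("P4", "V300", "INV-2", 60_000.0, "bob", date(2018, 3, 4)),    # exceeds bob's 50,000 limit
    Payment("P5", "V200", "INV-9", 1_200.0, "bob", date(2018, 3, 5)),
    Payment("P6", "V200", "INV-9", 1_200.0, "alice", date(2018, 3, 20)),  # duplicate of P5
]


def sod_violations(ledger, created_by=VENDOR_CREATED_BY):
    """Approver also created the vendor master record: no segregation of duties."""
    return [p.pay_id for p in ledger if created_by.get(p.vendor) == p.approver]


def over_limit(ledger, limits=APPROVAL_LIMITS):
    """Payment approved by someone whose authority limit is below the amount.
    An approver with no configured limit is treated as having a limit of 0."""
    return [p.pay_id for p in ledger if p.amount > limits.get(p.approver, 0)]


def split_payments(ledger, limits=APPROVAL_LIMITS, band=0.10, window_days=7):
    """Two or more payments to the same vendor by the same approver, each within
    `band` of (and not above) the approver's limit, within `window_days` of each
    other: the classic pattern for splitting an invoice to dodge a higher approval."""
    near_limit = [
        p for p in ledger
        if p.approver in limits
        and limits[p.approver] * (1 - band) <= p.amount <= limits[p.approver]
    ]
    near_limit.sort(key=lambda p: p.paid_on)
    groups = defaultdict(list)
    for p in near_limit:
        groups[(p.vendor, p.approver)].append(p)
    flagged = set()
    for items in groups.values():
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.paid_on - a.paid_on <= timedelta(days=window_days):
                    flagged.update({a.pay_id, b.pay_id})
    return sorted(flagged)


def duplicate_payments(ledger):
    """Same vendor, invoice number and amount paid more than once."""
    seen = defaultdict(list)
    for p in ledger:
        seen[(p.vendor, p.invoice, round(p.amount, 2))].append(p.pay_id)
    return sorted(pid for ids in seen.values() if len(ids) > 1 for pid in ids)


def exception_report(ledger):
    """Exception report: check name -> flagged payment ids, for an independent reviewer."""
    return {
        "segregation_of_duties": sod_violations(ledger),
        "over_approval_limit": over_limit(ledger),
        "split_payments": split_payments(ledger),
        "duplicate_payments": duplicate_payments(ledger),
    }


if __name__ == "__main__":
    for check, ids in exception_report(LEDGER).items():
        print(f"{check}: {ids or 'none'}")
```

Each check is deliberately a plain join or group-by, which is what the survey’s “on demand” and “periodic” respondents could run against an extract today; the value of a “routine” program comes from scheduling the same queries and sending the exceptions to someone other than the approvers they name.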

3 Analytics in Auditing Is a Game Changer, Protiviti, 2018: protiviti.com/IAsurvey.


Does your organization have a fraud detection program? (Shown: “Yes” responses)

[Chart] By company size (annual revenue): 74%, 58% and 55%, with the labels Large, Small and Midsize companies extracted alongside (the value-to-label pairing is not reliably recoverable). By region: North America 40%; the remaining values 87%, 72%, 71% and 57% belong to Europe, India, Asia-Pacific and Latin America/South America, but their pairing is not recoverable from the extracted figure.

When it comes to fraud detection, North American companies appear to be significantly behind organizations in other regions.

IF YES: Who in your organization is responsible for the fraud detection program?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Chief Compliance Officer | 24% | 38% | 38% |
| Chief Audit Executive | 34% | 36% | 34% |
| Chief Financial Officer | 38% | 23% | 27% |
| Don’t know | 4% | 3% | 1% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Chief Compliance Officer | 42% | 39% | 32% | 34% | 26% |
| Chief Audit Executive | 31% | 35% | 29% | 40% | 34% |
| Chief Financial Officer | 27% | 26% | 39% | 25% | 31% |
| Don’t know | 0% | 0% | 0% | 1% | 9% |

One cannot manage that which cannot be measured. If firms focused on enhancing access to their own legacy data systems so that disparate data sources were converted into consistent, timely and reliable information, the return on this investment would be enormous. Advanced analytics, such as machine learning, deep learning and AI, performed on this newly reliable data, will enable firms to measure historical fraud, predict potential future fraud occurrences and manage fraud risk appropriately. That, in turn, will significantly strengthen corporate culture.

— Shaheen Dil, Protiviti Managing Director, Global Leader, Data Management and Advanced Analytics


Does your organization actively utilize forensic data analysis to identify potential red flags and fraud indicators (i.e., fraud detection techniques)?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 41% | 34% | 23% |
| Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 30% | 31% | 32% |
| Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 15% | 15% |
| No, we do not utilize data analysis to detect fraud proactively. | 8% | 17% | 26% |
| Don’t know. | 8% | 3% | 4% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 27% | 38% | 45% | 30% | 21% |
| Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 36% | 36% | 28% | 54% | 20% |
| Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 12% | 14% | 9% | 20% |
| No, we do not utilize data analysis to detect fraud proactively. | 22% | 12% | 11% | 6% | 31% |
| Don’t know. | 2% | 2% | 2% | 1% | 8% |

North American-based organizations appear to lag considerably behind companies in other regions in utilizing forensic data analysis.


Which of the following procedures has your organization established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Telephonic hotline | 61% | 54% | 50% |
| Electronic mailbox | 61% | 48% | 45% |
| Website | 56% | 54% | 39% |
| “Chain-of-command” reporting | 47% | 42% | 47% |
| Designated management | 36% | 33% | 43% |
| Designated board member | 33% | 18% | 27% |
| No formal reporting mechanism exists | 6% | 6% | 9% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Telephonic hotline | 42% | 32% | 41% | 48% | 76% |
| Electronic mailbox | 48% | 55% | 60% | 56% | 40% |
| Website | 31% | 47% | 49% | 49% | 52% |
| “Chain-of-command” reporting | 44% | 42% | 41% | 36% | 54% |
| Designated management | 45% | 40% | 51% | 42% | 32% |
| Designated board member | 19% | 37% | 38% | 39% | 14% |
| No formal reporting mechanism exists | 11% | 6% | 5% | 6% | 8% |

Interestingly, the use of telephonic hotlines for employees to communicate concerns about accounting or auditing issues is far more prevalent in North America than in other regions.


How often does your organization conduct surprise audits within the organization?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Quarterly | 33% | 20% | 23% |
| Annually | 15% | 19% | 16% |
| As needed | 35% | 40% | 37% |
| Never | 9% | 16% | 20% |
| Don’t know | 8% | 5% | 4% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Quarterly | 15% | 32% | 41% | 44% | 11% |
| Annually | 14% | 27% | 14% | 28% | 8% |
| As needed | 49% | 33% | 35% | 26% | 42% |
| Never | 18% | 6% | 7% | 1% | 30% |
| Don’t know | 4% | 2% | 3% | 1% | 9% |

KEY FACTS

48%: Large companies that conduct surprise audits at least annually

Most companies like to believe that they have a highly ethical culture. Many find out the hard way that their culture isn’t as rock solid as they believed it was. Better to burst your own bubble by proactively examining culture, fraud and compliance risk than to have the DOJ or the SEC burst it for you.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic


Being Vigilant — Addressing Corruption and Performing Due Diligence

Third parties, or vendors, present a heightened level of risk to organizations. However, overall, just under one in five companies reports that they have a high level of confidence about third-party oversight.

As detailed in the 2017 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti, vendor risk management activities and programs are improving in organizations overall.4 But the results from that study, as well as this survey, underscore the point that organizations have a significant way to go to achieve optimal vendor risk management and oversight.

Most organizations in our survey align with the U.S. DOJ and the SEC’s hallmarks of effective compliance programs by conducting due diligence on business intermediaries,5 such as agents, distributors, consultants and subcontractors, prior to onboarding them in the organization. However, it is vital that investigative due diligence6 efforts be nuanced and risk-based. Organizations cannot approach this activity through cursory, unstructured online research.

Just One Bad Vendor Relationship Can Lead to Irreversible Damage

Most companies report that they are conducting this category of investigative due diligence. But are they performing the right level of due diligence? Are they applying a risk-based approach with regard to the third parties with which they do business? These organizations should realize they likely have questionable relationships that present substantial risks. The bottom line is that even one bad vendor relationship can create irreversible damage to the organization. Organizations, therefore, need to do a better job conducting investigative due diligence on business intermediaries — including improving how they conduct this due diligence.

To illustrate, there are some remarkable differences among regions and organization size regarding whether a company conducts a corruption risk assessment as part of its due diligence related to an acquisition. Interestingly, a strong majority of organizations in Europe perform a corruption risk assessment, whereas only a minority of companies in North America do so. As expected, more large organizations tend to conduct these risk assessments.

What is the best way to approach due diligence? Adopt a risk-based approach by designating key categories that present the most risk. As part of the due diligence process, cover those categories first in the questionnaire, and perform other research focused specifically on those categories. Essentially, this approach results in prioritizing the most significant risks first, rather than adopting a blanket approach to due diligence.

4 Study available at www.protiviti.com/vendor-risk.

5 The term “intermediary” in a third-party context typically refers to an entity that can act on behalf of another company, and those actions can give rise to liability.

6 “Investigative due diligence” refers to the performance of background investigations of legal entities and their owners and key executives to determine whether there is anything in their backgrounds that would make them unsuitable business partners.


Fostering an Anti-Bribery Culture Within Your Organization

The breadth and depth of authoritative guidance designed to mitigate global bribery and corruption continue to build. Organizations often utilize a compilation of information to establish and evolve their anti-bribery or anti-corruption compliance program. These include, among others, the Organization for Economic Co-Operation and Development’s (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, the International Chamber of Commerce’s ICC Rules on Combating Corruption, the U.S. DOJ’s and SEC’s hallmarks of effective compliance programs, and the United Kingdom’s Ministry of Justice’s The Bribery Act of 2010 Guidance about procedures which relevant commercial organizations can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).

In addition, the World Bank Group has published both Integrity Compliance Guidelines and Guidelines on Preventing and Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Projects and Grants, while the Wolfsberg Group has issued Wolfsberg Anti-Bribery and Corruption (ABC) Compliance Programme Guidance intended for use by the “broader financial services industry.”

Now, with the International Organization for Standardization’s (ISO) release of ISO 37001: 2016 — Anti-Bribery Management Systems, companies can seek certification of their anti-bribery program if they meet ISO’s requirements for “establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.” This anti-bribery standard is applicable to all organizations — regardless of industry and corporate structure — and is intended to help foster an anti-bribery culture within an organization.

Indeed, each of the guidance documents referenced above cites the importance of ethical competencies and commitment to a strong corporate culture as integral to mitigating this common type of fraud found in today’s global marketplace.


[Chart] On a scale of 1 to 5, where “5” indicates a high level of confidence and “1” indicates little or no confidence, rate your level of confidence that your organization has effective oversight of third parties.

Each bar is split into a higher level of confidence (4-5) and a lower level of confidence (1-3, don’t know).

Company Size (Annual Revenue): large companies, small companies, midsize companies; bar values as extracted: 55%/45%, 51%/49%, 68%/32% (label-to-value pairing not preserved).

Region: India, North America, Latin America/South America, Europe, Asia-Pacific; bar values as extracted: 60%/40%, 74%/26%, 81%/19%, 66%/34%, 48%/52% (label-to-value pairing not preserved).

Large companies in North America appear to have a much higher level of confidence in effective oversight of third parties compared to midsize and small companies. However, in assessing the results by region, North American firms have far lower confidence levels than firms in Europe, India and Latin America/South America.


[Chart] Does your organization conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 87%, 69%, 71% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 70%, 83%, 66%, 90%, 71% (label-to-value pairing not preserved).


[Chart] Does your organization include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 89%, 81%, 80% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 79%, 91%, 76%, 92%, 83% (label-to-value pairing not preserved).


[Chart] Does your organization have the ability to distinguish between foreign government agencies, state-owned companies, public international organizations and private enterprises among its customer base? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 83%, 71%, 76% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 69%, 87%, 78%, 89%, 71% (label-to-value pairing not preserved).


[Chart] Does your organization categorize third parties according to risk? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 73%, 59%, 55% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 46%, 79%, 68%, 78%, 54% (label-to-value pairing not preserved).


IF YES: Which of the following activities does your organization perform? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Assign risk based upon a variety of factors | 58% | 65% | 62% |
| Perform escalating levels of investigative due diligence based upon assigned risk level | 64% | 53% | 55% |
| Focus on a single high-risk category for third party (such as sales agents) | 49% | 40% | 38% |
| Perform investigative research in-house | 34% | 34% | 43% |
| Perform the same level of due diligence or screening for all categories of third party | 36% | 31% | 40% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Assign risk based upon a variety of factors | 66% | 65% | 61% | 61% | 57% |
| Perform escalating levels of investigative due diligence based upon assigned risk level | 57% | 53% | 61% | 57% | 56% |
| Focus on a single high-risk category for third party (such as sales agents) | 45% | 45% | 53% | 50% | 26% |
| Perform investigative research in-house | 34% | 43% | 37% | 40% | 36% |
| Perform the same level of due diligence or screening for all categories of third party | 39% | 36% | 43% | 46% | 26% |

It is somewhat surprising that, compared to large companies, a higher percentage of midsize and small companies assign risk based upon a variety of factors instead of one. Close to a majority of large companies focus on a single high-risk category for third parties, suggesting these organizations may be adopting a view of third-party risk that is too myopic.


KEY FACTS

Organizations that perform the following activities as part of investigative due diligence: check a variety of watchlists (e.g., OFAC, politically exposed persons (PEPs), debarments); perform internet research; check corporation registrations; search public records; search negative news (English-speaking sources); search negative news (non-English-speaking sources); no investigative due diligence is performed in the organization.

Values as extracted from the chart: 29%, 8%, 23%, 47%, 43%, 44%, 40% (label-to-value pairing not preserved).


Who performs the work associated with investigative due diligence? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| All investigative work performed in-house | 50% | 40% | 42% |
| Watchlists, negative media, internet research performed in-house | 47% | 34% | 36% |
| More comprehensive investigative work performed by investigative firm | 39% | 30% | 33% |
| All investigative work outsourced | 34% | 28% | 28% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| All investigative work performed in-house | 47% | 45% | 46% | 45% | 40% |
| Watchlists, negative media, internet research performed in-house | 38% | 45% | 51% | 45% | 27% |
| More comprehensive investigative work performed by investigative firm | 27% | 43% | 51% | 48% | 18% |
| All investigative work outsourced | 21% | 45% | 41% | 49% | 12% |


[Chart] When acquiring a company, does your organization conduct a corruption risk assessment during the acquisition due diligence process? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 74%, 56%, 58% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 41%, 90%, 71%, 76%, 53% (label-to-value pairing not preserved).


[Chart] Do your hiring practices include an examination as to whether candidates are family members or associates of government officials? (Shown: “Yes” responses)

Company Size (Annual Revenue): large companies, small companies, midsize companies; values as extracted: 73%, 60%, 59% (label-to-value pairing not preserved).

Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values as extracted: 49%, 82%, 66%, 71%, 65% (label-to-value pairing not preserved).


Which of the following additional steps does your organization take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organizations? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Pre-approval requirements before paying for gifts, meals or entertainment | 68% | 51% | 49% |
| Enhanced contract provisions | 63% | 52% | 47% |
| Advanced anti-corruption training for select personnel | 59% | 50% | 44% |
| Prohibitions against hiring of family members of employees of this category of customers | 35% | 33% | 38% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Pre-approval requirements before paying for gifts, meals or entertainment | 59% | 50% | 65% | 54% | 49% |
| Enhanced contract provisions | 47% | 57% | 65% | 54% | 46% |
| Advanced anti-corruption training for select personnel | 48% | 57% | 51% | 64% | 38% |
| Prohibitions against hiring of family members of employees of this category of customers | 37% | 33% | 33% | 53% | 33% |

With regard to corruption risk assessments, hiring practices that include examinations of cases where candidates are family members or associates of government officials, and mitigating elevated risks associated with state agencies and organizations, North American-based organizations lag notably behind companies in other regions.


Reporting, Investigation and Corrective Action

Principle 4 of COSO’s FRM Guide states: “The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.” Further, one of the hallmarks of effective compliance programs as promulgated by the U.S. DOJ and the SEC is confidential reporting and internal investigation.

Organizations that do not properly consider and document the various channels by which the need for an internal investigation comes to light and/or do not follow written procedures for the performance of internal investigations are at risk of failing to undertake investigative activities that are proportionate to the allegations at hand. Not only does that lead to the risk of not conducting a productive internal investigation, but it also can give rise to concerns that the company is not applying a consistent standard of care in its investigative processes. That, in turn, can call into question whether that inconsistency is simply a by-product of a poorly designed process or a calculated effort to hold some people accountable but not others.

Overall, more than one in five organizations conducted between six and 20 investigations in the previous year. While you would expect those same organizations to have well-defined, consistently applied investigative procedures in place, the reality is that many organizations allow the facts at hand — or even common psychological biases — to dictate the investigative steps that follow, and those steps are left to the discretion of the investigators themselves.

While there are many very talented and experienced investigators working in-house at organizations across the globe, the lack of documented policies and procedures that govern investigative processes can expose the company to a broad range of issues, including, but not limited to, views that the organization’s culture and institutional justice are flawed and prone to favoritism, or that internal investigations are performed in such a way as to raise questions about their independence and the inconsistent application of disciplinary actions. That is why confidential reporting and internal investigation is a hallmark of effective compliance programs. Without a well-defined and documented process, it would be very difficult for an outside party such as a regulator or law enforcement agency to conclude that an ethics and compliance program meets the definition of effective.

Recently, guidance issued by the U.S. DOJ has placed a great deal of emphasis on the performance of root cause analysis. In addition, another hallmark of effective compliance programs is continuous improvement: periodic testing and review. What is being said in various ways is that once a problem comes to light and is investigated, the investigation and subsequent remediation need to carefully consider not just the “what” of what happened but also the “why,” the “how” and the “by whom.” Answering these questions will provide the company with insights into cultural breakdowns: how things happened; what deficiencies in the control environment were exposed by the fraud; and how the pattern of fraud, corruption or misconduct was allowed to continue undetected. These shortcomings then can be translated into substantive changes to the controls, both detective and preventive, that will lessen the likelihood of a recurrence. A fraud risk management program must be in a constant state of evolution with new threats being addressed and lessons learned being applied.

Five Most Common Root Causes or Control Breakdowns That Allow Fraud Incidents to Occur (Source: Top five responses from all survey participants)

1. Internal collusion

2. Collusion with third parties

3. Inadequate internal controls

4. Deliberate override of internal controls

5. Undisclosed conflicts of interest


What level of involvement does your organization’s audit committee have in the investigation of alleged fraud or misconduct?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 61% | 57% | 58% |
| On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 21% | 25% | 25% |
| The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 8% | 11% | 8% |
| Don’t know. | 10% | 7% | 9% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 57% | 60% | 67% | 75% | 46% |
| On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 25% | 25% | 27% | 15% | 27% |
| The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 14% | 6% | 5% | 6% | 12% |
| Don’t know. | 4% | 9% | 1% | 4% | 15% |


KEY FACTS

The most common corrective actions taken by companies after an investigation involving employees: termination, disciplinary action, training, new internal controls, reassignment. Values as extracted from the chart: 32%, 18%, 15%, 10%, 7% (label-to-value pairing not preserved).

29%: Organizations that have received and investigated five or fewer allegations of fraud or misconduct over the past three years

22%: Organizations that have received and investigated six to 20 allegations of fraud or misconduct over the past three years


In Closing

The importance of corporate culture is garnering an unprecedented amount of media and organizational attention, and yet, there has not been an equal amount of introspection or root cause analysis as to what has led to some of the more noteworthy fraud and misconduct cases occurring in the last year. Understanding the interplay between fraud, corruption and corporate culture — and the controls necessary to mitigate ethical failures — can accelerate efforts to affect positive organizational change and process improvements.

In today’s business environment, executives need to ask themselves this question: Do we want to be viewed as leaders of ethical business practices, or are we willing to risk being the latest headline involving a toxic culture that ultimately results in embarrassing — and costly — fraud and misconduct?

Private sector companies in today’s world face extraordinary challenges. The results of this year’s survey shed light on a particularly perplexing challenge; namely, creating and maintaining a strong corporate environment that prevents and deters fraud. Key findings from respondents around the globe demonstrate that many companies, large and small, have much work to do in crafting a strong organizational culture to keep fraud from occurring. Many organizations indicate their fraud risk strategies are weakly defined and that resources dedicated to fraud risk can be scarce. Only one in three organizations are confident they have strong fraud control policies in place — a troubling finding. These and other results underscore the dire need for corporations to embrace a more proactive position in managing fraud risk across the board to build a stronger corporate culture.

— Donald J. Rebovich, Ph.D., Coordinator, Fraud and Financial Crimes Investigation Programs, Utica College


Survey Demographics

Position

Chief Audit Executive 13%

Chief Executive Officer 12%

Audit Manager 10%

Audit Staff 10%

Chief Information Officer 9%

Chief Financial Officer 7%

Audit Director 4%

Chief Risk Officer 4%

Chief Operating Officer 4%

Chief Compliance Officer 3%

Board Member/Audit Committee Member 3%

Chief Security Officer 3%

Business Unit Control Leader 2%

Corporate Controller 2%

Corporate Security Director 2%

General Counsel 1%

Other 11%


Industry

Financial Services 15%

Manufacturing 14%

Technology 14%

Government 6%

Consumer Products 5%

Services 4%

CPA/Public Accounting/Consulting Firm 4%

Retail 3%

Insurance (excluding Healthcare – Payer) 3%

Education 3%

Healthcare – Provider 3%

Oil and Gas 2%

Distribution 2%

Real Estate 2%

Telecommunications 2%

Utilities 2%

Life Sciences/Biotechnology/Pharmaceuticals 2%

Not-for-profit 2%

Mining 1%

Hospitality 1%

Power and Utilities 1%

Healthcare – Payer 1%

Media 1%

Other 7%


Financial Services Industry — Size of Organization (by Assets Under Management in U.S. Dollars)

More than $250 billion 14%

$50 billion - $250 billion 15%

$25 billion - $50 billion 8%

$10 billion - $25 billion 10%

$5 billion - $10 billion 20%

$1 billion - $5 billion 16%

Less than $1 billion 17%

Size of Organization (Outside of Financial Services) — by Gross Annual Revenue in U.S. Dollars

$20 billion or greater 9%

$10 billion - $19.99 billion 10%

$5 billion - $9.99 billion 10%

$1 billion - $4.99 billion 23%

$500 million - $999.99 million 19%

$100 million - $499.99 million 18%

Less than $100 million 11%


Type of Organization

Private 48%

Public 31%

Private, but planning an IPO within the next 12 months 5%

Not-for-profit 4%

Government (non-U.S.) 3%

Educational institution 3%

Government (U.S.) 3%

Public international organization 1%

Other 2%

Organization Headquarters

North America 43%

Europe 20%

Asia-Pacific 13%

Latin America/South America 12%

India 10%

Middle East 1%

Africa 1%

ABOUT UTICA COLLEGE

Utica College, founded in 1946, is a comprehensive private institution offering bachelor’s, master’s and doctoral degree programs. The college, located in upstate central New York, approximately 90 miles west of Albany and 50 miles east of Syracuse, currently enrolls over 4,400 students in 44 undergraduate majors, 30 minors, 21 graduate programs and a number of pre-professional and special programs.

ABOUT UTICA COLLEGE’S ECONOMIC CRIME AND JUSTICE STUDIES DEPARTMENT

Utica College’s Economic Crime and Justice Studies (ECJS) Department offers a suite of programs at the undergraduate and graduate levels, as well as two research centers and the Economic Crime and Cybersecurity Institute (ECCI).

Our faculty is truly interdisciplinary, and faculty members have worked at private financial services companies, state law enforcement agencies, local courts and government agencies, and have founded their own companies. At the undergraduate level, we educate our students to be investigators — whether the evidence they are reviewing is fingerprints, numbers on a spreadsheet or digital code. We have an innovative curriculum consisting of three programs: criminal justice, economic crime investigation and cybersecurity. Students are grounded in a liberal arts core along with criminology and relevant law classes. Specialty classes, rigorous writing expectations and a capstone internship are defining features of our programs. At the graduate level, we train students in the latest best practices to manage the security of economic and digital information.

Our ECCI is a unique organization of professionals and academics that provides thought leadership on economic crime and cybersecurity issues faced by business and government. We have two research centers that examine the latest trends in identity theft, economic fraud and cybercrime. The Center for Identity Management and Information Protection (CIMIP) is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation and legislation, working toward a more secure homeland. The Northeast Cybersecurity and Forensics Center (NCFC) is a partnership of academic, government and private sector resources that collaborate to provide cutting-edge research, development and service in the fields of digital forensics and cybersecurity.

CONTACTS

Donald Rebovich, [email protected]

Bernard L. Hyman, Jr., [email protected]

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ABOUT PROTIVITI FORENSIC

Protiviti’s Forensic consultants help organizations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.

Understanding organizational vulnerabilities and establishing an appropriate framework to identify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.

Our Forensic professionals assist organizations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level — from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.

Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.

UNITED STATES

Kelly [email protected]

James [email protected]

Peter [email protected]

Robert [email protected]

Pamela [email protected]

Diane [email protected]

AUSTRALIA

Adam Christou +61.03.9948.1200 [email protected]

BELGIUM

Jaap Gerkes +31.6.1131.0156 [email protected]

BRAZIL

Raul Silva +55.11.2198.4200 [email protected]

CANADA

Ram Balakrishnan +1.647.288.8525 [email protected]

CHINA (HONG KONG AND MAINLAND CHINA)

Albert Lee +852.2238.0499 [email protected]

FRANCE

Bernard Drui +33.1.42.96.22.77 [email protected]

GERMANY

Michael Klinger +49.69.963.768.155 [email protected]

INDIA

Sanjeev Agarwal +91.99.0332.4304 [email protected]

ITALY

Alberto Carnevale +39.02.6550.6301 [email protected]

JAPAN

Yasumi Taniguchi +81.3.5219.6600 [email protected]

MEXICO

Roberto Abad +52.55.5342.9100 [email protected]

MIDDLE EAST

Sanjeev Agarwal +965.2295.7770 [email protected]

THE NETHERLANDS

Jaap Gerkes +31.6.1131.0156 [email protected]

SINGAPORE

Sidney Lim +65.6220.6066 [email protected]

UNITED KINGDOM

Lindsay Dart +44.207.389.0448 [email protected]

PROTIVITI CONTACTS

Brian Christensen, Executive Vice President, Global Internal [email protected]

Scott Moritz, Managing Director and Global Lead, Protiviti [email protected]

© 2018 Utica College. All rights reserved. © 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0618-101107

utica.edu protiviti.com