Despite efforts by businesses in all industries to tighten security, occupational crime and fraud remain a significant and growing exposure. Today, prevention and timely detection of such crimes are critical.
Internal audit often assists with detecting, reporting, and remedying fraud, or helping with recovery. Given their skills and access to information, auditors can help their organization understand and manage occupational crime and fraud risks. Accordingly, some knowledge of how these risks are evolving and the best practices for dealing with them — as called for in Section 1210.A2: Proficiency of the International Standards for the Professional Practice of Internal Auditing — will equip auditors to become more effective participants in their organization’s efforts to fight crime.
A Culture of Integrity and Vigilance
The U.S. Securities and Exchange Commission’s (SEC’s) Whistleblower Program has alerted U.S.-listed companies to their responsibility to strengthen their internal anti-crime initiatives. A good starting place is fostering vigilance among all employees and promoting a culture of honesty and transparency. Moreover, employees need assurance that they can report internally without fear of retaliation and that the organization will respond promptly and appropriately.
Instilling a culture based on integrity involves:
- Having senior leadership establish the overall tone by citing integrity as a core value in company meetings, employee discussions, town halls, memos, emails, videos, and presentations.
- Having supervisors and team leaders remind employees they are partners in the firm’s success and integrity is a core value.
- Requiring all employees to participate in ethics training.
- Encouraging employees to be guardians of the firm’s integrity. As a result, employees may report wrongdoing to appropriate people internally before contacting outside agencies such as the SEC.
- Establishing a tip line. Anonymous telephone tip lines account for nearly 40 percent of all fraud discoveries, according to the Association of Certified Fraud Examiners (ACFE).
- Looking internally to assess, control, and correct wrongdoing. Robust discussions about the whistleblower program underscore the organization’s emphasis on transparency and can encourage internal remedies.
- Recognizing that the company’s leadership may have to reinforce its focus on integrity following mergers or acquisitions to indoctrinate new employees or during significant workforce reductions.
- Establishing and communicating a zero tolerance policy that applies to all fraudulent activity, including the organization’s intent to prosecute all perpetrators.
The Crime Insurance Market
Insurance is a significant potential financial remedy for occupational crime and fraud. Although in many cases internal auditors may not be aware of their organization’s insurance coverage, they typically become involved in the event of a loss.
The best time to meet with those responsible for such insurance coverage — usually finance, treasury, and risk management — is before an event occurs. Auditors should learn about their organization’s crime or fidelity insurance policy or coverage under its cyberrisk or property insurance. This gives them the opportunity to strategize with the risk manager about what they can expect from internal audit.
In turn, the risk manager can brief internal audit on coverage and the potential for outside, independent forensic accounting support that may be included in coverage as “investigations or professional fee coverage.” This outside help can further investigate a crime and pursue recovery. The partnership between such external resources and internal audit staff can be both cost-effective and optimal for gathering required internal documentation of the loss.
When Fraud Is Suspected
Investigators and risk advisers typically prepare for the worst. If an occupational crime or fraud incident is suspected, absent urgent issues or threats to life or property, organizations should take these steps, which can be completed simultaneously:
- Conduct a preliminary investigation before notifying their insurer. This typically is performed by internal audit alongside the organization’s security function and general counsel.
- Ensure the risk management function analyzes the company’s crime or fidelity insurance policy.
- Give appropriate notice to their crime and property insurance carriers.
- Note the time on their insurance policy to file “proof of loss.”
- Note the time to file suit against the insurance carrier for nonpayment of a loss.
- Follow up the preliminary investigation by conducting a thorough internal investigation, including efforts to identify all perpetrators and any conspirators and their method, as well as to determine the full extent of the loss.
- Work with human resources, communications, operations, and other internal functions, as well as employment attorneys and outside counsel, to take steps to deal with potential employee issues.
- Consider civil litigation against the perpetrators.
- Consider criminal prosecution.
Typically, the risk manager is directly responsible for arranging and coordinating insurance coverage and helping to marshal internal and external resources to address exposures to crime. Still, a fraudulent event leading to a loss may not be communicated promptly to the risk manager. Because any delays can compromise an organization’s ability to collect its insurance recovery, it’s critical that internal audit share its initial findings with the general counsel and appropriate executives in finance, and include the risk manager as soon as a crime or fraud event is suspected.
Along with internal audit and risk management, members of an organization’s “crime team” may include in-house and outside counsel, security, an investigative specialist and forensic accountant, a broker claims advocate, and representatives from different business units. The principal roles leading an internal investigation include:
- The risk manager, who oversees the process and communicates directly with the organization’s insurance broker and carriers.
- The in-house counsel, who manages the internal audit, investigation, litigation, and law enforcement activities, and controls costs.
- The investigator and forensic accountant, who conduct the investigation under the external counsel (i.e., privilege) umbrella, working with in-house resources such as internal audit.
All members of the crime team, especially internal audit and risk management, should recognize that the organization’s fidelity and crime insurer has its own claims team — including the insurer’s in-house adjuster, external counsel, and a forensic accountant — that represents the insurer’s interests.
Proof of Loss
An organization’s insurance policy dictates — and its insurer expects — the organization’s full cooperation in gathering all information necessary with respect to its loss. This response is always subsequent to the organization having filed an appropriate proof of loss in support of a claim. The proof of loss is a series of documents describing what happened and who did what to whom. That is followed by a well-documented calculation of the loss, including supporting documentation.
The internal audit staff will be tasked to supply information, documents, and data during this phase. In putting together this documentation, auditors should consider how much evidence is sufficient. The insurer will incur considerable expense to validate and develop the facts. Moreover, any proof provided must be objective and credible.
Working With Law Agencies
If any of the circumstances of the organization’s loss is remotely dangerous, the local police should be contacted. If danger is not suspected, internal auditors should work with the organization’s in-house counsel, security, and risk management functions to discern what the organization needs to do before acting.
Often, leadership or senior executives want the police to investigate right away. While that may be the correct decision, it is not always in the organization’s best interest to involve law enforcement immediately. Nonetheless, the organization may be required to involve law enforcement earlier in the process if its crime insurance policy dictates it. Auditors should check whether the policy requires simple notice or whether the organization must file a report and refer the matter. These two actions are vastly different.
Once the organization decides to involve law enforcement, it sets in motion a series of activities likely to affect its internal investigation. Law enforcement investigators generally are more open to accepting a new matter when a great amount of information is provided. They may be receptive toward the victim’s internal audit team upon understanding its methodology and seeing documentation. In collaboration with the organization’s forensic accounting team and investigators, the law enforcement efforts likely will be accelerated.
Law enforcement involvement also can affect the organization’s ability to gather evidence, identify collaborators, and bring perpetrators to justice. The organization should take care about which employees it suspends or terminates, and when, because valuable information is at risk. A mistake here could prevent the organization from uncovering critical evidence. Furthermore, the organization may not be able to ascertain the full extent of its loss or identify any individuals who may have participated in the fraudulent activity or helped facilitate the crime. This may complicate efforts to fully recover any losses incurred from the crime or to avoid a recurrence of the problem in the future. Often, law enforcement expects the organization has done all it can within its administrative constraints to gather evidence and conduct interviews. Internal audit should document everything and preserve all notes, which may prove to be critical.
Once the case has been referred to law enforcement, even though the organization may be the victim with certain rights, investigators will likely make communication a one-way street. Moreover, if the matter goes to a grand jury, the organization will not be able to learn about information obtained by law enforcement through the grand jury.
Who to Call
Two crucial decisions are determining the appropriate time to call law enforcement and, more importantly, determining which agency to call. Referring the organization’s investigation to the wrong law enforcement agency or prosecutorial office can cause significant frustration, so it’s critical to understand the complexity and reach of the loss to avoid a misstep. Calling the wrong agency not only could delay the resolution of the matter, but it may result in lost evidence, a compromised or stalled investigation, unanticipated and adverse news coverage, business disruption, and employee distress.
Any investigation or search for assets may be outside the jurisdiction of local and state police. In the United States, matters reaching across state lines or outside the country may require federal assistance from the Federal Bureau of Investigation, Internal Revenue Service, Secret Service, Immigration and Customs Enforcement, Marshals Service, or Postal Inspectors. Although internal auditors should understand the issues associated with reporting a crime, identifying the appropriate law enforcement agency or prosecutorial office requires expertise that goes beyond the scope of the general counsel and typically requires the involvement of an outside criminal attorney or investigator.
Regardless of which agency is involved, the organization’s forensic accounting and internal investigation will provide law enforcement with the amount of loss, witnesses, statements, evidence, and a road map. A solid forensic investigation also can provide law enforcement with leads toward assets that may be vital for alternative restitution, such as recovery of investments and purchases the perpetrators made with stolen funds.
As a practical matter, investigative firms and risk advisers generally do not advocate filing lawsuits. However, there may come a time when the organization’s investigators will need bank records and other documents. For example, internal audit may determine early in the investigation that it wants to see the credit card or bank records of a current or former employee. A civil filing is the only option the organization has to obtain financial records without the account holder’s cooperation. In a U.S. criminal investigation, law enforcement would be able to obtain such records using search warrants and grand jury subpoenas.
Typically, civil litigation follows the investigation in the form of a subrogation action by the insurance carrier, which will seek to recover stolen funds or related assets and properties from the perpetrators. If litigation is inevitable, getting the process started sooner may be in the organization’s best interest.
Vital to Anti-fraud Efforts
Although internal auditors may not be experts in crime and fraud detection, they should be aware of these issues and the resources needed to address them. Ultimately, auditors are critical to their organization’s overall crime prevention initiatives and response activities.
Preparation is as important as prevention. The internal audit function should align with the risk management and legal departments to understand and anticipate potential occupational crime risks. Effective crime prevention should include quantifying worst-case scenarios, as organizations typically would do for physical damage and business interruption exposures. Quantification also can help determine appropriate insurance coverage limits.
Finally, internal audit should collaborate within the organization to create an incident-response team for instances when fraud is suspected or substantiated. Auditors should be well read, provide appropriate notice, and help their organization recover any crime loss to the fullest extent.