Fraud, conceptually, is not difficult to understand. Someone takes advantage of his or her access to the means to break the rules for financial gain, to accomplish a specific business aim, or to cover up other misdeeds. The specifics may differ, but the motivation and the means are clear.
But being easy to comprehend doesn’t make fraud easy to deter or detect. A security camera may spot an employee physically stealing money from the cash register, but the more sophisticated frauds that occur higher up the executive ladder often require extensive forensic work to discover — and cutting edge controls to deter. Someone with the means to carry out a fraud also may have the ability to cover it up. Indeed, some executive fraud may be impossible to uncover unless the perpetrator makes a serious mistake or has a change of heart and confesses his or her activities. And for internal auditors who get involved in fraud detection, there are personal risks to consider in taking on executives who may be able to end their jobs — or damage their careers.
Despite the risk, internal auditors can’t ignore fraud — even when it involves top company executives. Instead, auditors and their organizations need to use the tools and tactics at their disposal to prevent and detect fraud as aggressively as possible. The U.S. Sarbanes-Oxley Act of 2002 and similar statutes around the world — including the U.K. Public Interest and Disclosure Act and Bribery Act and the U.S. Foreign Corrupt Practices Act — have done some of the heavy lifting when it comes to fraud fighting. By most accounts, new rules regarding board composition and internal reporting structures have been effective, too. Internal auditors must take it from there by using their investigative expertise and objectivity to help keep executive-level fraud from affecting their organizations.
Motives for Misdeeds
Mark Whitacre’s motivation to participate in a billion-dollar-a-year fraud scheme 25 years ago was easy to understand. “With my base salary and stock options combined, my total compensation was in the seven figures,” he says now. “Much of my compensation was in stock options, where there was much incentive to increase company earnings to drive the stock price upward as fast as possible.”
Throughout the 1980s and early 1990s, ADM and four other companies — two Japanese and two South Korean — conspired to raise the price of lysine by artificially reducing production to 70 percent of capacity, then dramatically raising prices. The fraud involved elaborate internal manipulation of the company’s finances and financial reporting that prosecutors estimated had increased ADM’s income by about US$1 billion a year. Although Mark Whitacre received immunity for his part of the scheme by cooperating with federal authorities, he ultimately served more than eight years in federal prison because he separately embezzled almost US$10 million as a financial cushion against his imminent unemployment.
At the time, Whitacre was corporate vice president and president of the bioproducts division at Archer Daniels Midland Co. (ADM), a Decatur, Ill.-based producer of food additives; he and three other executives conspired with other companies globally to fix the price of a handful of chemicals (see “ADM” at right). But his wife convinced him to come forward, so he gained immunity from prosecution by wearing a wire for the U.S. Federal Bureau of Investigation for three years, helping the feds take down Michael Andreas, ADM’s vice chair, and Terrance Wilson, another division president, who had taught Whitacre the price-fixing ropes.
Whitacre is now chief operating officer and chief science officer at Cypress Systems Inc., a biotech company in Florence, Ky. His story hit the silver screen in the 2009 movie “The Informant.” He says ADM even at the time was “30,000 good people and just us four bad ones” and stresses that “it’s a totally different company today.”
Whitacre says he did it to prop up the stock price and, as a result, for the money. Those motivations are recognizable to Michele Hooper, CEO of The Directors’ Council, a private company based in Wilmette, Ill., that works with corporate boards to increase their independence, effectiveness, and diversity, and audit committee chair at Pittsburgh-based PPG Industries Inc. “Three factors seem to come up repeatedly as rationales when frauds are perpetrated,” she says, “personal gain, the need to meet short-term performance targets, and the desire to hide bad news.” She adds: “Fraud happens when these factors meet opportunity, when the fraudster believes that controls are lax or nonexistent.” In fact, financial need and opportunity — along with rationalization — are the three fraud indicators identified in the Fraud Triangle developed by Professor Donald Cressley.
Whitacre’s case also shows how difficult it can be to track down fraud when clever people do their best to hide their illegal activity — it’s only obvious in hindsight. As it’s happening, fraud is a series of clandestine actions by executives who are often otherwise above reproach and who put great effort into covering up their crimes.
Red Flags Aren’t So Obvious
During one 12-month period at the height of the ADM fraud, the price of lysine, an essential amino acid that the body cannot make itself, spiked from 60 cents a pound to US$3.50 a pound. “An internal auditor should have at least looked at that,” Whitacre says now. But as Gary Jordan, chief auditor and director, global compliance and risk, at Masonite International Corp. in Tampa, Fla., points out, price increases “are not something that typically makes the internal audit universe unless there’s some corporate history of regulatory scrutiny” — such as operating in a market that’s controlled by a few large companies. Absent a compliance issue to examine, many internal audit departments would leave pricing policy to the experts.
Because the price-fixing fraud involved ADM and its co-conspirators cutting back production, salespeople saw their client bases dramatically reduced. But cutting their pay could have tipped off internal audit, so Whitacre and the other executives manipulated their total package to emphasize bonuses over straight commission. While compensation reviews often are part of fraud audits, Jordan notes, they don’t always look at the salespeople’s incomes, especially if they don’t jump suddenly. Whitacre and his cronies carefully covered their tracks, going so far as to hold secret meetings in hotels all over the world to avoid a paper trail that could have led to their being discovered.
Two decades on, Whitacre is surprised that the cockiness he and his cronies displayed didn’t turn up in a tone at the top audit; in public conversations, they joked that customers were their enemies and competitors were their friends. But as Jordan points out, “tone at the top audits are rare,” and such an exchange might not be the type of issue that would come up in one, anyway. Michael Woodford, former CEO at Tokyo-based Olympus Corp., and now a risk reduction consultant with his own London-based firm, Michael Woodford Associates Ltd., calls tone at the top “a meaningless semantic catch-phrase.” Instead, he and others recommend encouraging the co-workers who overhear such things to report them directly to a whistleblower hotline.
Taking on the Powerful
A low-level employee at Olympus Corp., the optical equipment manufacturer, blew the whistle on irregular payments by the company for acquisitions and the subsequent loss-hiding schemes designed to cover up those misdeeds. Then-CEO Michael Woodford learned of the allegations and exposed them to the world. For his efforts, he was suddenly ousted in October 2011, after only two weeks as CEO. Although Olympus at first denied everything, it soon became one of Japan’s biggest corruption scandals. An independent panel found that the company had concealed US$1.5 billion in investment losses and other financial misdeeds dating to the late 1980s and may have made payments to criminal organizations. The scandal led to the arrest of 11 former and current high-ranking executives, the resignation of much of Olympus’ board, and a dramatic corporate downsizing.
Blowing the whistle has a downside that can frustrate internal audit’s efforts to detect top-level executive fraud. An employee may face retaliation from his or her organization and difficulty finding a new job if the individual is labeled a whistleblower.
It also takes a toll on personal and professional relationships, as Woodford found out after blowing the whistle on fraud at Olympus (see “Olympus” at right). “One thing that surprised me is within 15 minutes of my being fired for coming forward with allegations against Olympus, with the exception of one principled individual, my Western colleagues turned their backs on me,” he says now. “That taught me that most people don’t do bad things, but most people also don’t want to get involved. That’s what internal auditors need to understand.”
Detecting fraud is harder when you bring expectations about human nature to the table, too, Jordan notes. “Unfortunately, many of us do think very rationally about linkages and motivation,” he says. “I’m talking about people making more than US$250,000 a year stealing US$6,000 through expense account fraud. You can’t let it shock you the extent to which someone might be willing to risk a career to steal very insignificant amounts.” Even at the upper levels, ascribing familiar sentiments to someone else’s crime can muddy an investigation, as it’s easy to dismiss allegations against a successful executive.
Also complicating detection of executive fraud is the possibility that an internal auditor is taking on a senior executive who is many rungs higher on the corporate ladder. “The key risk is taking on executives and losing,” says Douglas Anderson, assistant professor of accounting at Saginaw Valley State University, in University Center, Mich. He’s a former CAE at Dow Chemical Co., where he was in charge of fraud investigative services. “Organizations may not want internal audit to be successful in highlighting fraud by top executives. It can be a very lonely situation.” The key, he says, is having a great relationship with the audit committee — a sentiment Jordan echoes. “It’s prudent to develop a personal relationship with the chair and the other members,” Jordan advises, “to the point where you can go to them in private and tell them what you’re investigating — and they can then give you some support in advance of your move.”
On the Trail of Fraud
Despite the risks, internal audit has a vital role to play in detecting fraud. The IIA’s March 2012 Pulse of the Profession report indicated that 71 percent of North American CAEs and their internal audit departments conducted confidential investigations on behalf of the audit committee, while even more performed investigations on behalf of executive management. In some cases, internal auditors were tapped by the organization’s general counsel or CEO to assist with a specific investigation such as investigating allegations of fraud or other misconduct; in others, the internal audit department ran such investigations all the time.
Enron Corp. whistleblower — and now a Houston-based lecturer on, and advocate for, ethical leadership — Sherron Watkins is passionate about internal audit’s anti-fraud responsibilities. Enron outsourced its internal audit department in the early 1990s to Arthur Andersen, its external auditor, she says, “so low-level staff at Arthur Andersen conducted internal audit work.” The accounting firm went bankrupt and dissolved as a result of the Enron meltdown (see “Enron” below). Indeed, Watkins is so adamant about the role of internal audit that she says this to interviewers: “Would the Enron frauds have been detected earlier or prevented completely had Enron maintained an internal audit department?” To the extent that the answer is yes, there are steps that internal audit departments can take to stay on top of potential executive fraud.
When Sherron Watkins blew the whistle on Enron Corp. in 2001, the energy company based in Houston was deeply involved in fraud, insider trading, conspiracy, bank fraud, making false statements to banks and external auditors, and securities and wire fraud. When the dust settled, 18 people pleaded guilty and three more were found guilty in court.
Count on the audit committee. Internal auditors who suspect illegal activity must have direct access to a nonexecutive board member or, ideally, the audit committee chair, Woodford emphasizes. “If that person acknowledges you, that changes the whole game,” he says. “You’ll have protection and a trail that you acted appropriately, if action against you arises at a future time.” For the auditor’s protection, it’s important to move reporting away from corporate executives in positions of control and influence. “It’s a brave internal auditor who takes on people who have sway over his or her career,” he points out. “An internal auditor who feels there’s wrongdoing in the C-suite is in a very compromised position without the ability to report to a director.”
For their part, board directors are responsible for being engaged, understanding the business, and having a questioning mind-set, Hooper says. “Appropriate skepticism may not prevent fraud,” she observes, “but the fear that someone is watching may deter some potential frauds.”
Reach out to the rest of the organization. “Review your communications — newsletters and workshops, for example — to ensure that, as you uncover situations that may be applicable to other parts of the company, you can discuss them and ways to strengthen controls in a confidential manner,” Hooper advises.
Focus on prevention. “Prevention is always better than a cure,” Woodford emphasizes. Even so, internal audit should constantly be sampling and checking transactions that might suggest executive wrongdoing. “Trust is for personal relationships,” he says. “Trust isn’t for corporations.”
Remember the frailties of human nature. “Leaders farther from the home office often feel they can bend the rules more,” Anderson points out. “Internal audit needs to give extra attention to those areas where executives operate without much oversight and there is a reasonable risk of fraud.”
Focus on compliance. “Not one time in almost seven years did anybody come to me and mention that we had a compliance program,” Whitacre says. “I never heard of it, and I was the No. 4 executive in the company.” A compliance program is a necessity and must extend from the CEO down to all employees, he emphasizes.
Use every tool available. Jordan says data mining and data analytics can greatly enhance internal audit’s potential to detect and prevent fraud, especially the speed with which auditors can uncover issues. “You almost have to have a single platform to do the most sophisticated work,” he cautions, though. “It’s often too difficult to conduct meaningful data mining without designing something custom for each organization when you have a multitude of systems across your subsidiaries.”
Draw the line. All the effort internal auditors expend on internal investigations can work against them if they’re not careful, as IIA President and CEO Richard Chambers notes in a recent blog post on InternalAuditor.org. The problem: Investigations that result in disciplinary action against a top-level executive can make it a challenge for internal audit to continue to be viewed as an independent, dependable adviser in its day-to-day role. That doesn’t mean internal audit should shy away from sensitive investigational work, Chambers writes. Its input is critical and, in some small enterprises, it may be the company’s best defense against executive fraud, especially if there isn’t adequate staff to operate separate consultative and investigative functions in the same department. It means, rather, that internal audit should shore up its relationships with its internal clients and keep the team assigned to investigations as separate as possible from the team assigned to internal audits.
Keep the lines of authority clear. As Anderson says, “Internal audit first needs to determine whether the work is allowed for in its charter and is consistent with the directions of the audit committee. After that, there needs to be agreement within the company as to the role of internal audit versus legal.” He emphasizes that management is responsible for setting up processes and controls for prevention, while internal audit assesses what management has done. For detection, some organizations use internal audit as the most independent group in the organization to work on fraud by executives. “If internal audit has done its work to establish good relationships throughout the organization,” he says, “and has a reputation of being absolutely independent and straight, regardless of the people involved, then employees will cooperate.”
Beyond Business as Usual
The pursuit of money may or may not be the root of all evil, but money is a constant, and examples abound of how it fuels much of the top-level executive fraud internal audit may be investigating. That’s not going to change, nor is the motivation to inflate performance metrics or prop up a failing business unit with falsified financial information. An internal audit department’s best hope is to marshal its resources, shore up support from the key decision-makers, and explore opportunities for gaining insight into what on the surface looks like business as usual. That’s where fraud is hiding — behind the façade of “business as usual” — and that’s where auditors must continue to look.