The Weakest Links

We communicate frequently about the ethics and compliance risks employees and managers face, and what can be done to reduce those risks. Most of our emphasis is on our own actions.

However, some of the greatest risks we face are caused by the actions of those who are not company employees. Suppliers, agents, consultants and contract employees can all expose companies to risk.  In the last few years, for example, the following has been alleged:

  • The recent horsemeat scandal in Europe occurred as a result of decisions made by suppliers.
  • A Mattel supplier changed subcontractors without Mattel’s knowledge. The new subcontractor changed a production process to use paint with lead in it.
  • Agents hired by a joint venture between a Halliburton subsidiary and a local company in Nigeria paid bribes. Halliburton faced penalties of more than $500M USD.
  • Allegations of child labor and poor working conditions have increased scrutiny on dozens of companies sourcing apparel and electronics in Asia.

Examples don’t have to be so dramatic, either.  Shoddy and shady practices of all kinds can come back and haunt us. One thing is clear: no one ever remembers the name of the supplier, agent or subcontractor who got the big-name company into trouble. It is always the big company—us—who is negatively identified with these events.

What can you do about this?

  1. First, of course, is to follow any review or due diligence policies that apply to your relationships with third parties.
  2. Make sure the third parties you deal with are under contract, have been trained and otherwise know our expectations of ethical conduct.
  3. Continue to exercise oversight toward our third parties. Know the third parties you work with. Look for signs of change, and let the appropriate people know if changes in process, quality, ownership or anything else raise questions in your mind.
  4. Be aware of specific requests or actions that could suggest problems. For example, if you are asked for payment outside of normal channels, or if you sense nervousness or antagonism toward our auditing or quality processes, these could be red flags.

Is it really worth it?

As a small business owner, you probably question the cost of preventing potential fraud in your organization. It makes perfect sense today to balance the cost of risk mitigation versus just absorbing that risk. However, when it comes to preventing fraud, the potential risks cannot be ignored. One single incident can cost your organization tens of thousands of dollars or more, can destroy employee morale, and can leave a lingering feeling of distrust among your customers and vendors. Taking the steps to protect your business does not have to be cost prohibitive. A simple Fraud Risk Checkup can take the temperature of your business as it relates to vulnerability to fraud. The Fraud Risk Checkup takes about 30 minutes and can provide a snapshot of what areas of your business are ripe for fraud.

Your March Madness compliance bracket!

The first order of business after Spring Break and St. Patrick’s Day is to email your co-workers about the annual NCAA basketball tournament bracket. Company employees will take five minutes to fill out their bracket, playing for a cash prize or bragging rights, and then spend countless hours during the work day watching basketball streaming on their work computers. This year, as companies are revising their compliance programs to try to ensure a risk-based approach to compliance, the NCAA tournament presents a monumental opportunity. Instead of hiring some costly third party to assist in this effort, the NCAA tournament presents a free way to conduct an internal compliance assessment by creating a compliance risk assessment bracket in the style of the ones used leading up to the Final Four.

Here is an example:

The complexity of your bracket will vary depending upon the size of your operations and type of business. The model above is just a starting point, and you may consider including some non-risk areas for the business just to see how they perform. For instance, if your company is a U.S. business with no foreign operations, include the Foreign Corrupt Practices Act in your bracket to see how far it goes.

You also need some instructions to go with your compliance bracket. These can be modified and adjusted to conform to the company. A good place to start might go something like this (subject to state law governing gambling, company policies, and the like):

  1. Announce that the company has officially sanctioned an NCAA tournament bracket this year. The employee who wins the tournament will receive a $10,000 cash prize. (Having an official, company-sanctioned tournament will make it harder for that guy in accounting to prey on employees with little knowledge of college sports by encouraging them to pick teams based on the school colors.)
  2. But here’s the catch: In order to participate in the NCAA tournament bracket this year and be eligible for the $10,000 prize, you also must complete the compliance risk assessment bracket by choosing which compliance areas in your operation/country/business unit pose the greatest risk, generating the Final Four Compliance Risks.
  3. Completing the compliance bracket entitles you to watch one NCAA tournament game on company time—unless Ole Miss goes undefeated in the first three rounds, then each employee who completes the compliance bracket can watch three games. (Employees will do this anyway, so with this admonition, you can try to limit them to one game instead of watching the entire tournament.)
  4. You must submit both the compliance bracket and the tournament bracket before the first tournament game begins. You must choose a compliance subject matter and NCAA basketball winner for each bracket. The winner of the NCAA bracket will be decided by multiplying the number of correct predictions of winning teams in each round by a weighting formula for each round (here those accounting guys come in handy). But note that with the compliance bracket there are no right or wrong choices—we are all winners for filling out the compliance bracket and bringing these issues into sharper focus.

The email announcing the twin tourneys should preferably be sent by someone in operations—an executive would be terrific. (Warning: If the email is sent by the chief compliance officer or general counsel, employees will think it’s a trick and not respond.)

At the end of the tournament, the CCO will appear to be less of a killjoy for facilitating the tournament—and as a bonus, the underground NCAA tournament (with competing brackets and formulations) will end. Employees will be happier, as will be the chief compliance officer and general counsel, who will know that everyone is more aware of compliance concerns and can help make the company compliance program more effective.

Business Ethics: Actions lagging behind proclamations

While more organizations are voicing a commitment to ethical standards, their proclamations do not appear to be matched by their actions, an alarming disconnect that is emerging as financial professionals are facing more pressure to act unethically. The continuing down economy may have something to do with the divide. Challenging competitive and economic conditions have meant that executives are often focusing on more immediate concerns such as cost-cutting. A survey conducted by the AICPA and Chartered Institute of Management Accountants revealed that about 10% to 15% more organizations are providing statements of ethical values and a code of ethics as well as related training, hotlines and incentives such as performance-based rewards. However, corporate leadership seems to be less engaged. There was a reported decline in the number of corporate leaders who held formal responsibility for ethics. Respondents to the survey said they felt more pressure to act unethically during an economic downturn. Of the respondents who reported ethical misconduct, only half were satisfied with how their ethical concerns were handled. Among those who did not report misconduct, the main reason was the perception that reporting the misconduct would not make a difference. Clearly, there needs to be an attitudinal adjustment with those held responsible for reporting unethical behavior.

Contract and Procurement Fraud

The 12 Red Flags of Contract and Procurement Fraud

  1. Repeated awards to the same company.
  2. Competitive bidder complaints and protests.
  3. Complaints about quality and quantity.
  4. Multiple contracts awarded below the competitive threshold.
  5. Abnormal bid patterns.
  6. Agent fees.
  7. Questionable bidders.
  8. Awards to non-lowest bidder.
  9. Contract scope changes.
  10. Numerous post-award contract change orders.
  11. Urgent need or sole source.
  12. Questionable minority or disabled ownership.

Behavioral Red Flags of Fraud Perpetrators

Below are the top behavioral red flags of fraud perpetrators, ranked from highest to lowest:

  1. Living beyond means
  2. Having financial difficulties
  3. Having an unusually close relationship with a vendor or customer
  4. Having control issues and an unwillingness to share duties
  5. Having divorce or family issues
  6. Having a wheeler-dealer attitude
  7. Being irritable, suspicious or having a defensive attitude
  8. Having addiction problems
  9. Having a history of employment problems
  10. Constant complaints of inadequate pay
  11. Refusing to take vacations
  12. Having a history of legal problems
  13. Experiencing excessive pressure for success


That will never happen to us!

As we are already well into 2013, I look back and reflect upon the experiences that I had in 2012. I think what continues to surprise me the most is the cavalier attitude that so many organizations have when the subject of fraud is broached. You would think that, with as much media attention as fraud and embezzlement get, businesses, organizations, and those charged with fiduciary duties would “get it,” but in many cases, far too many cases, they do not. I still hear, over and over, “that would never happen to us.” It almost sounds like a cliche to me anymore and I almost come to expect it. I almost want to respond by saying, “What would it take for you to see it differently, somebody stealing hundreds of thousands of dollars from your organization?” In any case, I continue to forge on, preaching the gospel that “fraud happens.” Maybe I should get bumper stickers and t-shirts with that slogan. Now that is a novel idea!

Fraud Hotlines

An effective hotline is clearly an important means of detecting fraud. More importantly, it is an effective means of shortening the duration of a fraud. According to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, more than 40% of frauds are detected via tip, nearly three times more than by any other detection method, and two-thirds of those tips were made through fraud hotlines. In addition, a well-publicized and widely supported hotline can also have a preventative effect: by giving all employees a clear and secure way to report any suspected wrongdoing, an effective reporting mechanism can increase the fraudster’s perception that he or she will be caught and might deter him or her from commencing the scheme.

Organizational Control Environment

An organization’s control environment sets the moral tone of the organization and includes the integrity, ethical values and competence of the entity’s employees, as well as management’s philosophy and operating style. If the tone set by management is poor, if the owners, executives and managers exhibit less-than-ethical conduct, employees at lower levels in the organization will see that such activities are tolerated and will be more likely to engage in unethical, or even fraudulent, conduct. As part of establishing an effective control environment, it is highly recommended that a written code of conduct be in place, one that covers all employees but emphasizes that, while the official policy should reflect desired conduct, corporate culture will determine what occurs. Consequently, in addition to instituting formal policies covering employee conduct, management must do the following:

  • Lead by example
  • Verbally communicate the entity’s values and standards to all employees
  • Establish and enforce penalties for improper conduct
  • Ensure that jobs are staffed by employees with requisite knowledge and skills
  • Establish appropriate reporting lines
  • Set human resources policies that ensure the organization hires, promotes and supports competent and trustworthy individuals

Employee Anti-Fraud Training

Because employees are on the frontline to observe suspicious acts by their fellow staff members, employee anti-fraud education is the cornerstone of an effective fraud prevention program. Without training about how fraud hurts the organization and its staff, what constitutes fraud, how to identify the red flags of fraud, how to report any suspected wrongdoing, and the consequences of fraudulent actions, many employees might miss, or even willingly turn a blind eye to, the warning signs of theft and misconduct. To be most effective, such training should be based on the realities of the organization, rather than on generic anti-fraud messages that provide no real applicable value, and should be ongoing with refresher training held at least annually. Additionally, while employees at all levels should be required to participate in the anti-fraud training program, managers and executives should be provided with supplemental training that addresses the added fraud prevention and detection responsibility provided by their positions of authority.