creating a strong corporate culture begins with managing ... · a strong corporate culture through...

Internal Audit, Risk, Business & Technology Consulting

Creating a Strong Corporate Culture Begins With Managing Fraud Risk

Assessing the Results of the Latest White-Collar Crime and Fraud Risk Survey

Creating a Strong Corporate Culture Begins With Managing Fraud Risk · 1protiviti.com

In Creating a Strong Corporate Culture, “Fraud Risk Management” Is a Bit of a Misnomer

While a strong corporate culture is no paint-by-the-numbers exercise, a number of vital

components must be carefully aligned — namely, ethical behaviour, tone at the top, mood in the

middle and attitude at the base. These elements can be seen as similar to a painter selecting and

painstakingly applying just the right mixture of colours and textures to transform the canvas

into a work of art. They are of critical concern in today’s boardroom and C-suite. Companies are

striving to introduce a measure of introspection to better understand the correlation between

culture and ethical failures involving fraud, corruption and misconduct. Key to this movement

toward enhanced levels of organisational maturity are growing efforts to measure culture,

flag warning signs, make control improvements, address gaps, build awareness of fraud and

misconduct risk, and avoid becoming the next headline featuring organisational breakdowns

that can derail brand, reputation and long-term viability.

Given the inverse relationship between culture and

fraud, where a poor culture leads to high rates of fraud,

the results of the latest White-Collar Crime and Fraud

Risk Survey from Utica College and Protiviti reveal

some troubling trends that should raise concerns for

boards of directors and executive leadership.

Culture, fraud and misconduct are inextricably

linked. Poor corporate culture can cause the kind of

organisational inertia and complacency that give

rise to a pattern of unethical behaviour and other

misdeeds that may continue unchecked for years,

in part because many in the organisation knew or

suspected what was going on but failed to take action.

The organisation’s culture either discourages doing

the right thing, is blind to bullying behaviour, and/

or rewards those who employ a “win at all costs”

attitude. These types of “open secrets” become fertile

ground for fraudulent and unethical activity.

In fact, while investigating ethical breaches,

government investigators now look more deeply

into organisations to ascertain root causes and what

preventive and detective measures were in place

to identify, investigate and report suspected fraud,

bribery or misconduct. Thus, fraud risk governance,

assessment, prevention and detection practices

have never been more critical; they help shine light

on practices and issues that can create the type of

dysfunctional corporate culture in which unethical

and illegal behaviour thrive. We assess these and many

other issues in our study.

http://www.protiviti.com

2 · Protiviti

These areas also represent the approaches and leading

practices the Committee of Sponsoring Organizations

of the Treadway Commission (COSO) advocates

in its Fraud Risk Management Guide (FRM Guide) to

help mitigate and prevent improper behaviour by

employees seeking greater rewards at the expense

of ethics and compliance with company policies or

state and federal laws.1 To this end, a key question for

organisations to consider is, “Are we measuring our

corporate culture on a periodic basis?”

The bottom line is that an organisation’s posture on

fraud risk can signal problems within its corporate

culture. Executives who downplay the existence of fraud

risk, consistently make business decisions solely on the

basis of revenues without properly considering risk, or

allow incentive compensation to drive inappropriate

behaviour are all signs that a company’s approach to

fraud risk is no approach at all. Companies that give lip

service to fraud risk are signaling to their employees

and management that ethical business practices are

not a priority — an ill-conceived posture that can have

a toxic ripple effect and set the stage for an inevitable

cultural meltdown.

In our study, we examine the perceptions and actions

underlying fraud risk activities across an array of

organisations and geographies that should serve

as a wake-up call to corporate leaders who allocate

insufficient time and attention to fraud risk due to

their lack of understanding about the close linkage

between weak or nonexistent fraud risk management

programs and a poor corporate culture.

Our survey findings appear to align with “compliance

fatigue” and, to a certain extent, complacency that

many organisations face when they have a seemingly

endless succession of regulatory obligations to meet,

sales goals and revenue targets that are top priorities,

limited budget and resources, and a general lack of

understanding about the potentially devastating impact

that a poor culture and major fraud or corruption matter

can have on a company’s brand, reputation, debt

covenants and market capitalisation.

One way to attack such malaise is to better link

the implications of failing to focus on culture to

the potentially devastating outcomes that follow.

CEOs, billionaire venture capitalists, judges and

Hollywood powerhouses are among many who have

made dramatic departures from their roles following

allegations of fraud, corruption and misconduct. Often,

the investigations that follow reveal that problems

involving such individuals were “open secrets” and that

if the company had only sought to evaluate its corporate

culture, these matters might have more quickly

surfaced in time to stop the victimisation and prevent

further damage to individuals, companies and their

shareholders. Ultimately, linking the development of

a strong corporate culture through robust fraud risk

management to the prevention of actions that can

bring down the organisation is sure to command the

attention of the boardroom and C-suite.

We hear from many organisations that obtaining

resources and support from the C-suite to strengthen

culture through a proactive fraud risk management

program is an uphill battle. In fact, though there is

growing understanding about the impact of corporate

culture and the benefits of measuring it, there is

still limited awareness of its linkage with fraud

and misconduct. Perhaps using the results of culture

surveys and tapping into the current climate of moral

outrage to support a more proactive stance in managing

fraud risk is in order. Until then, we will continue to see

results like those in this year’s survey.

1 Fraud Risk Management Guide, COSO and the Association of Certified Fraud Examiners (ACFE), September 2016: www.coso.org.

Our survey findings appear to align with

“compliance fatigue” and, to a certain extent,

complacency that many organisations face.

http://www.coso.org


Our Key Findings

01Organisations continue to lag in employing leading practices to build a strong culture — From the frequency

of performing fraud risk assessments to a lack of understanding about the drivers of fraud, organisations

must seek to move away from the continuous loop of responding to one fire after another to a more proactive,

strategic and methodical approach to mitigating organisational fraud and culture breaches.

02Resources represent a significant challenge in building a strong corporate culture with a clear fraud risk

strategy — More than a third of organisations consider their fraud risk strategy to be weakly defined, with many

citing the limited availability of internal resources as a significant challenge in addressing fraud proactively.

03Many organisations lack a fraud risk management program, including policies to mitigate fraud — Given

the prevalence of actual and potential fraud issues in organisations and those involving vendor relationships,

as well as the long-term effects on corporate culture, this finding is surprising — and likely disappointing

to shareholders and other key stakeholders. Increasingly, external auditors are paying attention to fraud

risk and internal investigations. In some cases, they will withhold their sign-off pending improvements to the

fraud risk management infrastructure or more thorough investigations, or give qualified opinions when they

are underwhelmed with a company’s approach to fraud and investigations.

04Third parties represent a significant gap in fraud risk management — Overall, one in three organisations

lacks a high level of confidence as to whether it has effective oversight of third parties. However, third parties

account for a disproportionate number of violations an organisation commits, including those related to the

Foreign Corrupt Practices Act (FCPA) and other anti-corruption statutes, cybercrime, vendor fraud, kickbacks,

human trafficking, and data privacy breaches. Most organisations do not allocate sufficient time, energy and

resources to understand and seek to mitigate the myriad issues third parties represent.

Culture is complex and different within every organisation and remains largely abstract. However, even though a

company’s culture may be abstract, one thing is clear: developing the right approach for auditing an organisation’s

risk culture takes time and careful planning. And for any business, the value of undertaking this process is

developing a better understanding of the cultural causes that create risk — in short, human behaviours.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit


4 · Protiviti

Methodology

Utica College and Protiviti partnered to conduct the

White-Collar Crime and Fraud Risk Survey in the

second and third quarters of 2017. This global survey,

conducted online, consisted of a series of questions

grouped into six categories:

• Fraud Risk Governance

• Fraud Risk Assessment

• Fraud Prevention Techniques

• Fraud Detection Techniques

• Corruption

• Reporting, Investigation and Corrective Action

Globally, 748 executives and professionals — including

board members, C-suite executives, general counsel

and chief audit executives (CAEs) — completed our

online questionnaire. All respondents are in a position

to understand their organisation’s fraud risk manage-

ment capabilities. Survey participants also were asked

to provide demographic information about their titles

and positions and the nature, size and location of

their businesses.

We appreciate the time these individuals invested

in our study.

Because this year’s survey was global, whereas our

prior study (published in 2016) was based on responses

gathered only in the United States, we did not include

comparisons with findings from our prior survey in this

report. However, we would be pleased to provide any

specific year-over-year comparisons upon request, to

the extent such data is available.

All demographic information was provided voluntarily

by our respondents (see page 52).

Notes

This report includes numerous breakdowns of

the survey findings by company size, defined as

follows (all figures are in U.S. dollars):*

Large = Companies with revenues of $10 billion or more

Midsize = Companies with revenues between $100

million and $9.99 billion

Small = Companies with less than $100 million

in revenues

* Upon request, Protiviti can provide additional reporting in these broad categories.

Measuring ethical culture may be a confusing concept since culture isn’t an object one can easily quantify.

That said, there are characteristics, behaviours and impressions that can be examined to determine whether

a company is on the right path or whether it has institutionalised bad behaviour that, left unchecked, can

lead to ethical failures down the road.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic


Fraud Risk Governance — Who’s Minding the Store?

First things first: The board of directors, along with

senior management, need to demonstrate their expec-

tations and commitment to “high integrity and ethical

values regarding fraud risk.”2 That is a key driver for

developing and maintaining a strong corporate culture.

The concept of fraud risk governance is highlighted

as Principle 1 in COSO’s FRM Guide. To manage fraud

risk effectively, an organisation should designate

an executive or other leader with direct ownership

of and responsibility for the fraud risk management

program. Oversight of fraud risk should be active

and defined. And a clear, formal fraud risk strategy

should be in place. All the above actions are part of

good fraud risk governance, but our survey results

reveal that many organisations have significant

shortcomings in these areas.

For example, in 16 percent of organisations overall,

no senior management professional is designated

with ownership of and responsibility for fraud risk

management — or, that individual is not known.

In a large percentage of instances involving break-

downs in corporate culture or in the conduct at the

top or throughout the organisation, one or more

fraud-related activities are driving those issues. That

fact should underscore the need for robust fraud risk

management practices, including board oversight and

senior management responsibilities.

The survey results also show that one in five

organisations has a “no fraud here” mentality.

These organisations likely do not perform fraud risk

assessments, which is a critical practice. Another

factor for this mindset could be that the individuals

responsible for conducting these assessments

have “day jobs” and therefore lack time to conduct

thorough — or any — evaluation of fraud risk and

corresponding anti-fraud controls. This behaviour

creates fertile ground for a poor corporate culture.

Many Organisations Falling Short on Fraud Risk Policy and Strategy

What also stands out in the results is the small but

meaningful number of organisations that lack active

and defined oversight of fraud risk. The numbers

are slightly smaller for large companies but are still

notable. Of particular note, the percentages are higher

among North American-based organisations.

Also noteworthy is that a substantial percentage of

organisations have a fraud risk strategy that is not

defined clearly. Without a solid understanding of fraud

risks throughout the organisation, how can manage-

ment express confidence that its control environment

is effective, and that it is focusing on creating a strong

corporate culture?

Another eye-opening finding is that a third of

organisations worldwide appear to lack a formal

and documented fraud control policy. That is despite

COSO’s specific recommendation that organisations

have such a policy, as outlined in its FRM Guide.

Organisations overall that have no senior management professional designated with ownership of and

responsibility for fraud risk management*

KEY FACTS

16%

* Includes “Don’t know” responses.

2 Ibid.


6 · Protiviti

Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organisation?

Company Size (Annual Revenue)

2016 Large companies

Midsize companies

Small companies

Chief Executive Officer 29% 17% 20%

Chief Financial Officer 13% 13% 19%

Chief Risk Officer 15% 13% 11%

Chief Legal Officer or General Counsel 11% 9% 10%

Chief Security Officer 12% 10% 7%

Internal Audit Director 5% 13% 8%

Other 6% 7% 7%

No senior management professional is designated with ownership and responsibility for fraud risk management

4% 13% 13%

Don’t know 5% 5% 5%

Region

2016 Asia-Pacific Europe India Latin America/

South AmericaNorth

America

Chief Executive Officer 27% 28% 32% 38% 8%

Chief Financial Officer 11% 11% 18% 11% 21%

Chief Risk Officer 19% 13% 11% 3% 13%

Chief Legal Officer or General Counsel 7% 10% 4% 8% 13%

Chief Security Officer 5% 17% 15% 15% 4%

Internal Audit Director 10% 5% 5% 5% 11%

Other 4% 4% 5% 3% 11%

No senior management professional is designated with ownership and responsibility for fraud risk management

12% 10% 9% 14% 12%

Don’t know 5% 2% 1% 3% 7%

While 4 percent of large companies indicate that no senior management professional is

designated with fraud risk management ownership and responsibility, this figure rises to

13 percent in midsize and small companies, suggesting the latter group of organisations is

seemingly more tolerant of “absentee leadership” in this critical area.


Which of the following groups in your organisation provides active and defined oversight of the organisation’s fraud risk? (Multiple responses permitted)



Midsize companies

Small companies

Audit committee 50% 59% 48%

Risk management committee 53% 51% 39%

Board of directors 44% 39% 42%

C-level executive(s) 43% 37% 37%

No active and defined oversight 5% 6% 12%


Other 5% 7% 3%

Region


South AmericaNorth

America

Audit committee 58% 40% 60% 46% 56%

Risk management committee 51% 60% 58% 50% 33%

Board of directors 42% 51% 42% 56% 32%

C-level executive(s) 32% 41% 51% 37% 37%

No active and defined oversight 7% 7% 4% 7% 11%

Don’t know 3% 2% 0% 1% 6%

Other 2% 3% 3% 4% 7%

A significant number of organisations, particularly small and North American-based

companies, lack active and defined oversight of fraud risk.


8 · Protiviti

On a scale of 1 to 5, where “5” indicates very well-defined and “1” indicates undefined, how would you rate your organisation’s fraud risk strategy?


Region

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

Large companies

60% 40%Small companies

Midsize companies 60% 40%

72% 28%

Very well-defined/defined Less defined/reactive/undefined/don’t know

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

53% 47%

72% 28%

74% 26%

68% 32%

65% 35%

Very well-defined/defined Less defined/reactive/undefined/don’t know

India

North America

Latin America/South America

Europe

Asia-Pacific

When scanning national patterns, North American organisations look relatively less concerned

about well-defined risk strategies than do companies in other parts of the world.


Which of the following challenges does your organisation face in managing its fraud risk proactively? (Multiple responses permitted)

There is limited availability of internal resources to address fraud risk. 36%

We lack a unified fraud risk management strategy. 28%

We lack proactive fraud risk management. Our focus is on incident response when allegations arise. 28%

Proactive fraud risk management is not a corporate priority. 27%

Fraud and misconduct are not considered “high risks” within the organisation. 27%

There is inadequate funding for an anti-fraud program and related initiatives. 21%

Our organisation has a “no fraud here” mentality. 20%

Laws and regulations or cultural norms in our non-U.S. locations present unique challenges that we have yet to address.

20%

We do not have a member of senior management who is designated with ownership of and responsibility for fraud risk management.

16%

KEY FACTS

Organisations globally that have a formal and documented code of conduct

Organisations globally that have a formal and documented fraud control policy

93% 67%

An area of concern appears to be the availability of internal resources to address fraud risk

proactively, with more than one in three organisations citing this as a challenge.


10 · Protiviti

COSO Elevates and Evolves Fraud Risk Management Practices

For many organisations, building a strong corporate culture and managing fraud consists of checking boxes and

thinking positive thoughts:

• “We hire good people.”

• “We have a code of conduct.”

• “We comply with Sarbanes-Oxley.”

• “Our hotline does not ring (for serious things).”

• “Fraud simply doesn’t happen here.”

Of course, as forensic professionals and educators, we know this is not enough. COSO knows this, too.

Recognising the need to both elevate and evolve management’s thinking on the topics of fraud prevention, detection

and deterrence, COSO released its Fraud Risk Management Guide (FRM Guide) in collaboration with the Association

of Certified Fraud Examiners (ACFE) in September 2016. This guidance provides a valuable blueprint of leading

practices and user-friendly templates to help organisations not only correlate, but also actively apply, the five fraud

risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide* within the context

of the 2013 COSO Internal Control — Integrated Framework.

These principles serve as a universal foundation for fraud risk management programs. They are:

1. Fraud Risk Governance

2. Fraud Risk Assessment

3. Fraud Control Activities

4. Fraud Investigation and Corrective Action

5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognised because the consideration

of the potential for fraud was explicitly included in the 2013 COSO Framework. Since that time, the identification

and assessment of fraud risk have been focal points of inquiry for internal and external auditors. However, the

scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material

misstatement of an organisation’s financial statements. In contrast, COSO’s FRM Guide encourages an elevated

and evolved assessment of fraud risk in the context of the organisation’s overarching fraud risk management

program to achieve better support of and greater consistency with the overall 2013 COSO Framework.

Continued on page 11


COSO’s FRM Guide is both user-friendly and pragmatic in its design. Each chapter is organised to provide a clear

snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components

and principles. It also outlines unique characteristics for each fraud risk management principle within specific points

of focus. These points are structured similarly to those contained in the 2013 COSO Framework and are useful in

considering the design and operating effectiveness of management’s fraud risk management capabilities. Whether

an organisation is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of

certain fraud risk management activities, COSO’s FRM Guide provides information that is thorough and thoughtful,

and applicable to various audiences.

Below are some suggestions for utilising the information and templates included within COSO’s FRM Guide, which

can benefit organisations in pursuit of a “best-in-class” fraud risk management program, as well as those companies

that are simply looking to enhance certain elements of their anti-fraud control activities:

• Map and analyze the fraud risk management process for improvement opportunities.

• Evaluate whether there is proper oversight and assignment of resources for fraud control activities.

• Create or update the organisation’s fraud control policy.

• Conduct a survey to understand perceptions about the organisation’s culture and fraud risk

management capabilities.

• Expand documentation and visualisation of the organisation’s fraud risk and controls matrix.

• Assess the organisation’s list of potential fraud exposures.

• Review the organisation’s fraud response plan.

• Implement a data analytics framework.

• Enhance awareness of fraud risk through communication with various organisational constituencies.

COSO’s FRM Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence.

However, it is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment.

Furthermore, there is no “one-size-fits-all” approach to either process; each must be tailored to suit an organisation’s

specific operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognise that fraud is a highly dynamic event. There is no guarantee that an organisation will

be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and

detect fraud can — and should — evolve with the organisation’s internal control framework, and COSO’s FRM Guide

provides a clear road map that can help drive organisations toward excellence in fraud risk management.

* Managing the Business Risk of Fraud: A Practical Guide was jointly published in 2008 by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (The IIA) and ACFE.


12 · Protiviti

Assessing Fraud Risk: A Foundational Component of Corporate Culture and Fraud Risk Management

Patterns of fraud, corruption and misconduct that take

root in organisations are frequently open secrets

among personnel. The fact that organisational assets

are being misused or diverted is often widely known

but perhaps not openly discussed. This phenomenon

gives rise to several questions including, “Why

are these actions not reported?” and “Is it because

of fear of retaliation?” “Failure to report” is a clear

symptom of a poor corporate culture, as is ignoring

or silently endorsing bad behaviour because of who

is involved or benefiting from it. For this reason,

fraud risk assessments should be performed to help

identify unreported, overlooked or even “culturally

accepted” vulnerabilities and include consideration

of an organisation’s corporate culture — in effect,

taking the company’s temperature from an ethical

viewpoint. Seeking to measure corporate culture

can expose an organisation’s open secrets before

they devolve into more significant ethical lapses

with serious legal and regulatory consequences.

Fraud risk assessments should be conducted at least

annually, if not more frequently, depending upon

shifts in strategic objectives, organisational changes

or the occurrence of fraud. Overall, most organisations

report that they do this, which is positive. However,

significant numbers of organisations, of all sizes

and across regions, appear to do so less frequently

or inconsistently.

A small but notable number of organisations report that

they don’t know who the business owner responsible

for the fraud risk assessment is, or they don’t have a

defined business owner for that process. There should

be a designated owner, of course. But regardless of who

ultimately is responsible for a fraud risk assessment,

the process must involve a broad range of functions

in the organisation — internal audit, accounting and

finance, procurement, information technology (IT), risk

management, facilities, research and development

(R&D), and more. This approach enables the fraud risk

assessment to capture the nuances of each organisa-

tional function where fraud has the potential to occur,

along with the potential fraud drivers. That includes

understanding opportunities, incentives, pressures,

attitudes and rationalisation to commit fraud within

different groups in the organisation.

Also, it is critical for organisations to examine fraud

risk not in pockets or silos, but across the enterprise.

Principle 2 of COSO’s FRM Guide specifies that the

fraud risk assessment process should include all

appropriate levels of management along with the

resources necessary to assess fraud risk throughout

the enterprise.

Simply put, fraud risk can neither be managed nor

mitigated if it is not understood. Fraud risk assessments

undertaken correctly enhance an organisation’s aware-

ness of the various fraud risks it is facing and allow

it to prioritise efforts to mitigate the most serious areas

of vulnerability.

The fraud risk assessment process, to remain effective

and relevant, also must evolve as personnel, opera-

tions, methodologies and other processes change. Our

survey found that, across organisation type and region,

“previous fraud risk assessment results” ranks high

among the frequently used information applied to the

assessment methodology. While the inclusion of this

information is an important data point, no aspect of

the fraud risk assessment should be a cut-and-paste

exercise. Indeed, in a recent publication by the U.S.

Department of Justice (DOJ) (Evaluation of Corporate

Compliance Programs), an 11th hallmark of an effective

compliance program was introduced: Analysis and

Remediation of Underlying Misconduct. While this

“Failure to report” is a clear symptom of a poor

corporate culture, as is ignoring or silently

endorsing bad behaviour because of who is

involved or benefiting from it.


is directed at organisations that are in the throes of

a government investigation, all organisations should

seek to apply lessons learned from any internal

investigations that have been performed since the last

fraud risk assessment. Organisations should always

strive to ensure that their fraud risk assessment

processes are dynamic, are evolving along with the

company’s changing risks and strategic objectives,

and don’t become a rote exercise lacking meaningful

benefit year-over-year.

More Care Needed When Discussing Sensitive Information

Another result in our survey is the low number of

organisations globally that conduct fraud risk

assessments under attorney-client privilege. In

North America, for instance, three in four organisa-

tions do not conduct fraud risk assessments under

this privilege. Anecdotally, most organisations do

not even consider the need to do so.

Who within your organisation is primarily responsible for conducting your fraud risk assessment?



Midsize companies

Small companies

Internal audit 32% 46% 44%

Corporate compliance 20% 18% 15%

SOX compliance team 16% 14% 9%

General counsel/legal 12% 9% 13%

Other 12% 6% 10%

None of these 2% 3% 7%


Region


South AmericaNorth

America

Internal audit 43% 39% 52% 40% 41%

Corporate compliance 17% 23% 17% 18% 14%

SOX compliance team 14% 12% 12% 11% 12%

General counsel/legal 8% 18% 6% 26% 7%

Other 10% 4% 10% 1% 14%

None of these 5% 3% 3% 2% 6%

Don’t know 3% 1% 0% 2% 6%


14 · Protiviti

While some organisations make rational business

cases for why they choose not to perform fraud risk

assessments under the attorney-client privilege,

problems sometimes arise in those organisations

that do not even consider doing so. When conducting

fraud risk assessments, root cause analyses of

prior internal investigations (which were probably

undertaken pursuant to the attorney-client privilege),

internal control weaknesses or gaps identified through

previous audits, and other confidential compliance

matters may be discussed. If sensitive information is

gathered without the opportunity for legal counsel to

provide advice to the organisation, it could result in a

significant problem down the road if, during litigation,

that sensitive information becomes discoverable.

As our survey results indicate, the fraud risk

assessment process often involves the use of

other techniques such as the review of policies,

procedures and training materials, gathering of

public information and industry news, brainstorming

sessions, interviews or group workshops, process

walkthroughs, surveys, and data analytics. During

these activities, candid feedback about business

practices, personnel matters and corporate culture

may be shared. In some cases, indicators of fraud

may even be identified through the use of electronic

data interrogation routines. Organisations likely do

not want this material exposed during litigation. It

is therefore imperative to consider confidentiality,

as well as the potential for conducting the fraud

risk assessment under the direction of counsel for

attorney-client privilege purposes, during planning

activities. (See sidebar on page 18 for further

discussion about attorney-client privilege.)

Circling back to the updated 2013 COSO Internal Control

Framework, Principle 8 includes consideration of

three key types of fraud during management’s risk

assessment activities. Interestingly, when asked which

fraud type concerns them the most, respondents

provided a wide range of responses. What stands out is

that while fraudulent nonfinancial reporting is the type

of fraud that happens most often in organisations, only

a small number cited it as the area of greatest concern.

Another point of emphasis is that fraud risk in many

organisations is centered on compliance with SOX and

the concept of materiality. This is a dangerously narrow

way of viewing fraud risk and often leaves a significant

number of potential fraud scenarios out of the process,

some of which can have a negative effect on the

organisation, since the statutes being violated do not

use materiality in weighing whether criminal violations

have occurred. Examples of two such categories of

fraud are the bribery of foreign officials and sanctions

violations such as those enforced by the U.S. Office of

Foreign Assets Control (OFAC).

Factors having an impact on fraud risk are highlighted

in the 2013 COSO Framework’s Points of Focus for

Principle 8. While fraud risk factors are shared by all

organisations that experience fraud, the fraud risk

assessment methodology should be a unique process.

A holistic view of fraud includes consideration of

potential scenarios and perpetrators at all levels of the

enterprise, as well as vulnerabilities in all processes

and geographic locations — not only those deemed

“in scope” for SOX purposes. Executed correctly, the

fraud risk assessment should not be a “cookie-cutter”

template for a different company in a different industry

offering different products or services, since it has been

specifically tailored to the company at hand.

A holistic view of fraud includes consideration of

potential scenarios and perpetrators at all levels

of the enterprise, as well as vulnerabilities in all

processes and geographic locations.


How often does your organisation conduct a formal fraud risk assessment?


Region

Quarterly

Annually

As needed

Never

Don’t know

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

Large companies

25% 22% 10% 7%36%Small companies

5%

Midsize companies 21% 19% 5%50% 5%

12%17%35% 31%

Quarterly

Annually

As needed

Never

Don’t know

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

11% 13% 11% 13%52%

39% 26% 3%31% 1%

2%25%48% 22%

34% 24% 5% 3%34%

25% 22% 11%35% 7%

India

North America


Europe

Asia-Pacific

3%

It is surprising to find a significant percentage of large companies and North American-based

organisations that report not knowing how often the fraud risk assessment is conducted.


16 · Protiviti

How is your organisation’s fraud risk assessment process structured within your organisation?



Midsize companies

Small companies

Incorporated into our enterprise risk management (ERM) process 47% 40% 38%

Incorporated into our internal audit planning process 21% 22% 26%

Incorporated into our SOX compliance process 8% 18% 13%

Stand-alone 18% 12% 12%

None of these 2% 2% 9%


Region


South AmericaNorth

America

Incorporated into our ERM process 42% 52% 45% 48% 32%

Incorporated into our internal audit planning process 23% 15% 32% 27% 25%

Incorporated into our SOX compliance process 8% 13% 2% 10% 20%

Stand-alone 17% 15% 17% 11% 9%

None of these 6% 4% 4% 3% 8%

Don’t know 4% 1% 0% 1% 6%


Does your company conduct its fraud risk assessment under attorney-client privilege? (Shown: “Yes” responses)


51% 45% 41%Large companies Small companiesMidsize companies

Region

North America

25%

77%

63%

51%

36%

Europe

India

Asia-Pacific



18 · Protiviti

Fraud Risk Assessment and Attorney-Client Privilege

As with any internal investigation, a fraud risk assessment may include sensitive matters that potentially involve

litigation or damage to a company’s reputation. There are often compelling reasons for an organisation’s

assessment team to report to legal counsel. Some things to consider include:

• In the United States, conversations between an attorney and a client seeking legal advice are considered

“privileged and confidential” and “attorney-client privileged.” Once privilege is established, the information

shared between a client and attorney is largely protected from disclosure to other parties.

• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without

fear of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic

accountants or investigators, participate in the fraud risk assessment or an investigation, their work should

be performed at the direction of lawyers so that their findings are considered attorney work product and are

privileged as well.

• It should be made clear that the fraud risk assessment is being conducted to assist legal counsel in providing

legal advice. That includes marking materials as “Privileged and Confidential” and informing interviewees of

the legal purpose of the fraud risk assessment or investigation.

• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the

review with anyone who is not involved in the project, so as not to inadvertently waive the privilege by sharing

information outside of the attorney-client relationship.

• The attorney-client privilege varies widely by country. For any investigations, fraud risk assessments or other

projects that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions,

the rules of those jurisdictions would apply.

Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal

lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions

were of a business, and not a legal, nature.

Legal privilege varies widely from one country to the next, and these decisions are best made in consultation

with attorneys who have a deep understanding of the various jurisdictions in which the company is operating and

whether and to what extent the fraud risk assessment can be undertaken pursuant to the attorney-client privilege.

It’s important for companies to understand the interrelationship between internal investigations that were

performed at the direction of counsel and the company’s fraud risk. Reviewing those investigations could

constitute an inadvertent waiver of privilege. Plus, during the course of a fraud risk assessment, people

sometimes share information about past or ongoing fraud or misconduct that could give rise to legal liability.

Performing fraud risk assessments pursuant to the attorney-client privilege can add a layer of protection to

sensitive information that was gathered during the course of the project.



Does your fraud risk assessment team include members from different departments? (Shown: “Yes” responses)



Region

North America

54%

82%

79%

71%

60%

Europe

India

Asia-Pacific



20 · Protiviti

IF YES: Which departments participate in the fraud risk assessment team? (Multiple responses permitted)



Midsize companies

Small companies

Internal audit 73% 72% 70%

Accounting/finance 65% 62% 63%

Legal 61% 57% 63%

Risk management 68% 50% 56%

Compliance 54% 50% 44%

Operations 48% 41% 51%

Corporate security 45% 46% 42%

Human resources 44% 39% 46%

External consultants 20% 17% 25%

Region


South AmericaNorth

America

Internal audit 64% 63% 78% 64% 84%

Accounting/finance 68% 47% 53% 63% 80%

Legal 48% 53% 59% 65% 72%

Risk management 58% 65% 67% 51% 50%

Compliance 44% 45% 51% 32% 61%

Operations 42% 43% 41% 45% 58%

Corporate security 40% 49% 45% 43% 43%

Human resources 44% 34% 41% 41% 51%

External consultants 24% 20% 35% 28% 15%

Organisations in Latin America/South America and Europe are far more likely to include

members from different departments on the fraud risk assessment team than are companies in

other regions, particularly North America.


Which of the following does your company utilise as part of its fraud risk assessment methodology? (Multiple responses permitted)



Midsize companies

Small companies

Previous fraud risk assessment results 49% 55% 51%

Prior reported concerns and complaints 49% 51% 49%

Data analytics 53% 47% 44%

Prior audits or other reviews conducted at the company 47% 44% 48%

Interviews 47% 52% 42%

Brainstorming sessions 43% 42% 36%

Surveys 48% 35% 36%

Public information about criminal, civil and regulatory cases and complaints

33% 31% 30%

Industry news 31% 32% 25%

Workshops 35% 28% 26%

Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System

35% 28% 24%

Region


South AmericaNorth

America

Previous fraud risk assessment results 57% 46% 70% 47% 52%

Prior reported concerns and complaints 56% 44% 61% 37% 53%

Data analytics 39% 55% 62% 62% 36%

Prior audits or other reviews conducted at the company

54% 32% 58% 40% 53%

Interviews 38% 44% 39% 42% 54%

Brainstorming sessions 35% 47% 50% 35% 36%

Surveys 25% 45% 45% 43% 35%

Public information about criminal, civil and regulatory cases and complaints

30% 36% 32% 42% 26%

Industry news 24% 31% 39% 29% 26%

Workshops 42% 36% 32% 42% 14%

Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System

25% 28% 32% 27% 25%


22 · Protiviti

Which one of the following types of fraud is of greatest concern to your organisation?



Midsize companies

Small companies

Safeguarding of assets 24% 16% 20%

Management override of controls 19% 19% 19%

Fraudulent financial reporting 16% 15% 16%

Corruption 10% 10% 14%

Illegal acts 10% 7% 7%

Fraudulent nonfinancial reporting 2% 7% 5%

No one type is more concerning than the other 14% 20% 15%

Other/none of these 5% 6% 4%

Region


South AmericaNorth

America

Safeguarding of assets 24% 18% 25% 12% 21%

Management override of controls 20% 21% 20% 26% 13%

Fraudulent financial reporting 12% 24% 17% 17% 12%

Corruption 15% 10% 9% 21% 9%

Illegal acts 6% 8% 3% 11% 8%

Fraudulent nonfinancial reporting 1% 5% 2% 8% 6%

No one type is more concerning than the other 18% 8% 12% 3% 26%

Other/none of these 4% 6% 12% 2% 5%

As expected, the safeguarding of assets seems to be a high priority, while corruption appears to

be a lower priority (though more significant for organisations in Latin America/South America).


Does your organisation have a fraud risk management (mitigation) program? (Shown: “Yes” responses)



Region

North America

39%

87%

81%

74%

61%

Europe

India

Asia-Pacific



24 · Protiviti

IF YES: Who in your organisation is responsible for the fraud risk management (mitigation) program?



Midsize companies

Small companies

Chief Compliance Officer 30% 42% 39%


Chief Audit Executive 24% 25% 26%

Other 12% 6% 8%


Region


South AmericaNorth

America

Chief Compliance Officer 48% 41% 31% 31% 33%


Chief Audit Executive 15% 24% 25% 41% 21%

Other 14% 6% 13% 1% 12%

Don’t know 0% 2% 2% 3% 7%

It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy

organisational culture can derail operations, damage the brand, drive away customers and put a sizable dent

in the bottom line. Yet for many organisations, culture continues to be a buzzword in boardroom discussions

but is given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that

doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a

company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much

more specific and necessary.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit


Cultivating a Healthy Corporate Culture Through Fraud Prevention

One surprise from the results of our survey is evidence

of the low use of certain primary controls, including

ethics and fraud awareness training, which could help

organisations recognise warning signs and prevent

fraud if they were utilised or provided more frequently.

In the United States, for example, the DOJ and the

Securities and Exchange Commission (SEC) consider

training and continuous advice to be a hallmark of an

effective compliance program, yet a large majority of

organisations do not appear to conduct such training.

Shockingly, even basic measures appear to be falling

short. For instance, a good argument can be made that

every organisation should have a code of conduct and

code of ethics, yet more than one in five companies

surveyed do not. Indeed, a code of conduct and compli-

ance policies and procedures are called out by both

the DOJ and the SEC as hallmarks of an effective

compliance program.

Third- and Fourth-Party Relationships Require More Scrutiny

Several other findings from our survey should raise

red flags for boards and executive leadership seeking

to build a strong corporate culture. For example, less

than a majority of organisations have third-party

due diligence and competitive bidding in place as

controls to prevent fraud; only slightly more than

a majority have IT controls, authority and approval

limits, and segregation of duties (SoD) in place. While

some may not view these measures specifically as

fraud controls, they can be very effective for fraud

prevention. That is especially true for publicly held

companies that must comply with requirements such

as SOX in the United States.

The results for third-party due diligence controls

are especially eye-opening, particularly when

considering the extent to which third parties may

have access to personally identifiable information

and/or may have permission to act on behalf of the

company. Third parties can represent a weak link in

the organisation’s fraud control structure (as well

as security and privacy, anti-bribery, regulatory

compliance, and other areas of internal control).

Conducting risk-based investigative due diligence of

the organisation’s third parties, especially those in

particularly high-risk jurisdictions, as well as fourth

parties (i.e., the vendor’s vendors or subcontractor’s

subcontractors) should be considered essential.

Authorities May Question Lack of Commitment to Combating Fraud

As noted above, a potential weak link in an organi-

sation’s culture is the frequency of ethics and fraud

awareness training. Our survey results suggest that

two in five organisations conduct this type of training

only annually — or even less frequently.

If the organisation lacks a strong commitment to

regular ethics and fraud awareness training, what

does that say about management’s commitment to

building a healthy corporate culture? That is the type

of question authorities could ask during a formal

fraud investigation and in evaluating whether there

was an effective compliance program in place at the

time violations were occurring. When a prosecutor or

law enforcement agency concludes that there was not

an effective compliance program in place, or there

were other aggravating circumstances at the time,


26 · Protiviti

the company itself can be charged with criminal

violations, which can have sweeping and often

devastating consequences for the company and

its shareholders.

The U.S. DOJ and the SEC have provided clear guidance

for what they expect of companies when it comes

to effective compliance and ethics programs. One

recommendation is delivering risk-based training,

as compliance policies are not meaningful unless

they are communicated effectively throughout the

organisation. COSO also stresses the importance of

regular training in its FRM Guide.

Organisations (overall) that conduct ethics and fraud risk awareness training

KEY FACTS

57%

It is very important for organisations to create processes that support people doing the right thing all the time

and foster a culture where people in the organisation know the tone at the top, ensuring that the tone flows

all the way down to middle management and beyond. This is because, in most cases, employees pay more

attention to what their direct supervisors are saying or doing, and less to what the CEO has announced.

— Susan Haseley, Protiviti Executive Vice President, Diversity and Inclusion Initiative Leader


Which of the following primary controls does your organisation utilise to prevent fraud? (Multiple responses permitted)



Midsize companies

Small companies

Code of conduct/Code of ethics 78% 81% 72%

Authority or approval limits 59% 63% 67%

Employee background checks 56% 63% 66%

IT controls 55% 58% 63%

Segregation of duties 54% 58% 58%

Ethics or fraud risk awareness training 64% 58% 53%

Third-party due diligence 41% 32% 33%

Competitive bidding 36% 32% 32%

Region


South AmericaNorth

America

Code of conduct/Code of ethics 73% 62% 78% 71% 87%

Authority or approval limits 68% 50% 64% 45% 78%

Employee background checks 60% 47% 69% 56% 75%

IT controls 57% 47% 58% 58% 70%

Segregation of duties 55% 37% 50% 35% 81%

Ethics or fraud risk awareness training 58% 55% 56% 56% 59%

Third-party due diligence 30% 32% 53% 19% 38%

Competitive bidding 29% 24% 38% 24% 41%

Europe reflects a lower percentage of firms that have codes of conduct or codes of ethics.

North American firms are notably ahead of other regions in demanding segregation of duties.

Compared to companies in other regions, both European and Latin American/South American

firms reflect a much lower percentage of demanding segregation of duties.


28 · Protiviti

How often does your organisation offer ethics and fraud awareness training?



Midsize companies

Small companies

New hire orientation only 12% 12% 16%

On demand 27% 19% 20%

Semi-annually 18% 19% 17%

Annually 33% 36% 27%

Less than annually 6% 6% 7%

Never 1% 5% 11%


Region


South AmericaNorth

America

New hire orientation only 12% 13% 20% 21% 11%

On demand 20% 34% 33% 27% 8%

Semi-annually 18% 25% 28% 22% 10%

Annually 21% 20% 14% 25% 49%

Less than annually 13% 5% 3% 2% 7%

Never 16% 2% 2% 1% 10%

Don’t know 0% 1% 0% 2% 5%

With regard to the frequency of ethics and fraud awareness training, the question raised

here is “How often is often enough?” Less than a majority of firms in North America conduct

these trainings every six months or have them available on demand. These percentages are

significantly higher among companies in Europe, India and Latin America/South America. On the

other hand, 16 percent of organisations in the Asia-Pacific region never conduct these trainings.


Data Analytics, Fraud Detection and the Path Forward

One of the most notable findings in our survey is that

one-third of organisations lack a fraud detection

program. This begs the question as to what exactly

these organisations are doing to detect the type of

fraudulent acts that can undermine the organisation’s

culture or indicate red flags for deep-seated issues.

The absence of a fraud detection program likely

indicates a reactive environment for detecting fraud.

Internal audit and management respond to fraud issues

that arise but are unable to be proactive in spotting

issues early or identifying potential root causes.

The absence of such a program also suggests organisa-

tions have limited resources and technologies to apply

to fraud detection; thus, they lack alignment with

Principle 3 of COSO’s FRM Guide. This principle focuses

on preventive and detective control activities designed

to mitigate the occurrence — and longevity — of fraud

risk events. Timely discovery of fraud risk events is

a critical component of a well-designed fraud risk

management program and the lack of a program

calls into question the ability of such organisations

to fully achieve risk mitigation under the 2013

COSO Framework.

Few Firms Using Data Analysis for Fraud Detection

One in five organisations reports that they do not use

any form of data analysis to detect fraud proactively.

The numbers are better for large organisations, but

those operating in regions such as North America

and Asia-Pacific fare worse. These results are not

surprising, however. Business records in many

organisations still exist in a manual state. Companies

may want to incorporate forensic data analysis to

identify potential red flags and fraud indicators, but

they can’t if their information resides in boxes rather

than a digital state.

These results generally mirror the findings of Protiviti’s

2018 Internal Audit Capabilities and Needs Survey,

which show that about one-third of organisations

do not use data analysis or analytics in their internal

audit functions.3

Most organisations are still in the early stages of

using data analytics. Furthermore, many are likely

performing only the most basic form of analytics.

This was borne out in the findings of Protiviti’s

internal audit survey. Few internal audit groups are

employing current high-end technologies or artificial

intelligence (AI), or even computer-assisted audit

tools (CAATs), which could boost effectiveness and

efficiency significantly.

Factors limiting the use of data analysis include dated

legacy systems in the organisation, as well as the

absence of a data warehouse. Also, most organisations

have few employees who are trained to use new

technologies and AI to perform forensics and analytics.

3 Analytics in Auditing Is a Game Changer, Protiviti, 2018: protiviti.com/IAsurvey.


http://www.protiviti.com/IAsurvey

30 · Protiviti

Does your organisation have a fraud detection program? (Shown: “Yes” responses)



Region

North America

40%

87%

72%

71%

57%

Europe

India

Asia-Pacific


When it comes to fraud detection, North American companies appear to be significantly behind

organisations in other regions.


IF YES: Who in your organisation is responsible for the fraud detection program?



Midsize companies

Small companies

Chief Compliance Officer 24% 38% 38%

Chief Audit Executive 34% 36% 34%



Region


South AmericaNorth

America

Chief Compliance Officer 42% 39% 32% 34% 26%

Chief Audit Executive 31% 35% 29% 40% 34%


Don’t know 0% 0% 0% 1% 9%

One cannot manage that which cannot be measured. If firms focused on enhancing access to their own legacy

data systems so that disparate data sources were converted into consistent, timely and reliable information,

the return on this investment would be enormous. Advanced analytics, such as machine learning, deep

learning and AI, performed on this newly reliable data, will enable firms to measure historical fraud, predict

potential future fraud occurrences and manage fraud risk appropriately. That, in turn, will significantly

strengthen corporate culture.

— Shaheen Dil, Protiviti Managing Director, Global Leader, Data Management and Advanced Analytics


32 · Protiviti

Does your organisation actively utilise forensic data analysis to identify potential red flags and fraud indicators (i.e., fraud detection techniques)?



Midsize companies

Small companies

Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit.

41% 34% 23%

Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit.

30% 31% 32%

Yes, on demand only. Data is extracted manually from various systems that are queried.

13% 15% 15%

No, we do not utilise data analysis to detect fraud proactively. 8% 17% 26%

Don’t know. 8% 3% 4%

Region


South AmericaNorth

America

Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit.

27% 38% 45% 30% 21%

Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit.

36% 36% 28% 54% 20%

Yes, on demand only. Data is extracted manually from various systems that are queried.

13% 12% 14% 9% 20%

No, we do not utilise data analysis to detect fraud proactively.

22% 12% 11% 6% 31%

Don’t know. 2% 2% 2% 1% 8%

North American-based organisations appear to lag considerably behind companies in other

regions in utilising forensic data analysis.


Which of the following procedures has your organisation established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted)



Midsize companies

Small companies

Telephonic hotline 61% 54% 50%

Electronic mailbox 61% 48% 45%

Website 56% 54% 39%

“Chain-of-command” reporting 47% 42% 47%

Designated management 36% 33% 43%

Designated board member 33% 18% 27%

No formal reporting mechanism exists 6% 6% 9%

Region


South AmericaNorth

America

Telephonic hotline 42% 32% 41% 48% 76%

Electronic mailbox 48% 55% 60% 56% 40%

Website 31% 47% 49% 49% 52%

“Chain-of-command” reporting 44% 42% 41% 36% 54%

Designated management 45% 40% 51% 42% 32%

Designated board member 19% 37% 38% 39% 14%

No formal reporting mechanism exists 11% 6% 5% 6% 8%

Interestingly, the use of telephonic hotlines for employees to communicate concerns about

accounting or auditing issues is far more prevalent in North America than in other regions.


34 · Protiviti

How often does your organisation conduct surprise audits within the organisation?



Midsize companies

Small companies

Quarterly 33% 20% 23%

Annually 15% 19% 16%

As needed 35% 40% 37%

Never 9% 16% 20%


Region


South AmericaNorth

America

Quarterly 15% 32% 41% 44% 11%

Annually 14% 27% 14% 28% 8%

As needed 49% 33% 35% 26% 42%

Never 18% 6% 7% 1% 30%

Don’t know 4% 2% 3% 1% 9%

Large companies that conduct surprise audits at least annually

KEY FACTS

48%Most companies like to believe that they have a

highly ethical culture. Many find out the hard way

that their culture isn’t as rock solid as they believed it

was. Better to burst your own bubble by proactively

examining culture, fraud and compliance risk than

to have the DOJ or the SEC burst it for you.



Being Vigilant — Addressing Corruption and Performing Due Diligence

Third parties, or vendors, present a heightened level

of risk to organisations. However, overall, just under

one in five companies reports that they have a high

level of confidence about third-party oversight.

As detailed in the 2017 Vendor Risk Management Bench-

mark Study from the Shared Assessments Program

and Protiviti, vendor risk management activities and

programs are improving in organisations overall.4

But the results from that study, as well as this survey,

underscore the point that organisations have a

significant way to go to achieve optimal vendor risk

management and oversight.

Most organisations in our survey align with the U.S.

DOJ and the SEC’s hallmarks of effective compliance

programs by conducting due diligence on business

intermediaries,5 such as agents, distributors, consul-

tants and subcontractors, prior to onboarding them in

the organisation. However, it is vital that investigative

due diligence6 efforts be nuanced and risk-based.

Organisations cannot approach this activity through

cursory, unstructured online research.

Just One Bad Vendor Relationship Can Lead to Irreversible Damage

Most companies report that they are conducting

this category of investigative due diligence. But are

they performing the right level of due diligence?

Are they applying a risk-based approach with regard

to the third parties with which they do business?

These organisations should realise they likely have

questionable relationships that present substantial

risks. The bottom line is that even one bad vendor

relationship can create irreversible damage to the

organisation. Organisations, therefore, need to do a

better job conducting investigative due diligence on

business intermediaries — including improving how

they conduct this due diligence.

To illustrate, there are some remarkable differences

among regions and organisation size regarding whether

a company conducts a corruption risk assessment

as part of its due diligence related to an acquisition.

Interestingly, a strong majority of organisations in

Europe perform a corruption risk assessment, whereas

only a minority of companies in North America do so.

As expected, more large organisations tend to conduct

these risk assessments.

What is the best way to approach due diligence?

Adopt a risk-based approach by designating key

categories that present the most risk. As part of the

due diligence process, cover those categories first in

the questionnaire, and perform other research focused

specifically on those categories. Essentially, this

approach results in prioritising the most significant

risks first, rather than adopting a blanket approach to

due diligence.

4 Study available at www.protiviti.com/vendor-risk.

5 The term “intermediary” in a third-party context typically refers to an entity that can act on behalf of another company, and those actions can give rise to liability.

6 “Investigative due diligence” refers to the performance of background investigations of legal entities and their owners and key executives to determine whether there is anything in their backgrounds that would make them unsuitable business partners.


http://www.protiviti.com/vendor-risk

36 · Protiviti

Fostering an Anti-Bribery Culture Within Your Organisation

The breadth and depth of authoritative guidance designed to mitigate global bribery and corruption continue to build.

Organisations often utilise a compilation of information to establish and evolve their anti-bribery or anti-corruption

compliance program. These include, among others, the Organization for Economic Co-Operation and Development’s

(OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, International Chamber of Commerce’s ICC

Rules on Combating Corruption, the U.S. DOJ’s and SEC’s hallmarks of effective compliance programs, and the United

Kingdom’s Ministry of Justice’s The Bribery Act of 2010 Guidance about procedures which relevant commercial organisations

can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).

In addition, the World Bank Group has published both Integrity Compliance Guidelines and Guidelines on Preventing and

Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Projects and Grants, while the Wolfsberg

Group has issued Wolfsberg Anti-Bribery and Corruption (ABC) Compliance Programme Guidance intended for use by the

“broader financial services industry.”

Now, with the International Organization of Standardization’s (ISO) release of ISO 37001: 2016 — Anti-Bribery

Management Systems, companies can seek certification of their anti-bribery program if they meet ISO’s requirements

for “establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.” This

anti-bribery standard is applicable to all organisations — regardless of industry and corporate structure — and is

intended to help foster an anti-bribery culture within an organisation.

Indeed, each of the guidance documents referenced above cites the importance of ethical competencies and commitment

to a strong corporate culture as integral to mitigating this common type of fraud found in today’s global marketplace.


On a scale of 1 to 5, where “5” indicates a high level of confidence and “1” indicates little or no confidence, rate your level of confidence that your organisation has effective oversight of third parties.


Region

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

Large companies

Small companies

Midsize companies

Higher level of confidence (4-5) Lower level of confidence (1-3, don’t know)

55% 45%

51% 49%

68% 32%

10% 20% 30% 40% 50% 60% 70% 80% 100%90%0%

60%40%

74% 26%

81% 19%

66% 34%

48% 52%

India

North America


Europe

Asia-Pacific

Higher level of confidence (4-5) Lower level of confidence (1-3, don’t know)

Large companies in North America appear to have a much higher level of confidence in

effective oversight of third parties compared to midsize and small companies. However, in

assessing the results by region, North American firms have far lower confidence levels than

firms in Europe, India and Latin America/South America.


38 · Protiviti

Does your organisation conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding? (Shown: “Yes” responses)



Region

North America

70%

83%

66%

90%

71%

Europe

India

Asia-Pacific



Does your organisation include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy? (Shown: “Yes” responses)



Region

North America

79%

91%

76%

92%

83%

Europe

India

Asia-Pacific



40 · Protiviti

Does your organisation have the ability to distinguish between foreign government agencies, state-owned companies, public international organisations and private enterprises among its customer base? (Shown: “Yes” responses)



Region

North America

69%

87%

78%

89%

71%

Europe

India

Asia-Pacific




Does your organisation categorise third parties according to risk? (Shown: “Yes” responses)


Region

North America

46%

79%

68%

78%

54%

Europe

India

Asia-Pacific



42 · Protiviti

IF YES: Which of the following activities does your organisation perform? (Multiple responses permitted)



Midsize companies

Small companies

Assign risk based upon a variety of factors 58% 65% 62%

Perform escalating levels of investigative due diligence based upon assigned risk level

64% 53% 55%

Focus on a single high-risk category for third party (such as sales agents)

49% 40% 38%

Perform investigative research in-house 34% 34% 43%

Perform the same level of due diligence or screening for all categories of third party

36% 31% 40%

Region


South AmericaNorth

America

Assign risk based upon a variety of factors 66% 65% 61% 61% 57%

Perform escalating levels of investigative due diligence based upon assigned risk level

57% 53% 61% 57% 56%

Focus on a single high-risk category for third party (such as sales agents)

45% 45% 53% 50% 26%

Perform investigative research in-house 34% 43% 37% 40% 36%

Perform the same level of due diligence or screening for all categories of third party

39% 36% 43% 46% 26%

It is somewhat surprising that, compared to large companies, a higher percentage of midsize

and small companies assign risk based upon a variety of factors instead of one. Close to a

majority of large companies focus on a single high-risk category for third parties, suggesting

these organisations may be adopting a view of third-party risk that is too myopic.


Check a variety of watchlists (e.g., OFAC,

politically exposed persons (PEPs), debarments)

Perform internet research

Organisations that perform the following activities as part of investigative due diligence:

Check corporation registrations

Search public records

KEY FACTS

Search negative news (English-speaking sources)

No investigative due diligence is performed in

the organisation

Search negative news (non-English-speaking sources)

29% 8%23%

47% 43%44% 40%


44 · Protiviti

Who performs the work associated with investigative due diligence? (Multiple responses permitted)



Midsize companies

Small companies

All investigative work performed in-house 50% 40% 42%

Watchlists, negative media, internet research performed in-house 47% 34% 36%

More comprehensive investigative work performed by investigative firm

39% 30% 33%

All investigative work outsourced 34% 28% 28%

Region


South AmericaNorth

America

All investigative work performed in-house 47% 45% 46% 45% 40%

Watchlists, negative media, internet research performed in-house

38% 45% 51% 45% 27%

More comprehensive investigative work performed by investigative firm

27% 43% 51% 48% 18%

All investigative work outsourced 21% 45% 41% 49% 12%


When acquiring a company, does your organisation conduct a corruption risk assessment during the acquisition due diligence process? (Shown: “Yes” responses)



Region

North America

41%

90%

71%

76%

53%

Europe

India

Asia-Pacific



46 · Protiviti

Do your hiring practices include an examination as to whether candidates are family members or associates of government officials? (Shown: “Yes” responses)



Region

North America

49%

82%

66%

71%

65%

Europe

India

Asia-Pacific



Which of the following additional steps does your organisation take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organisations? (Multiple responses permitted)



Midsize companies

Small companies

Pre-approval requirements before paying for gifts, meals or entertainment

68% 51% 49%

Enhanced contract provisions 63% 52% 47%

Advanced anti-corruption training for select personnel 59% 50% 44%

Prohibitions against hiring of family members of employees of this category of customers

35% 33% 38%

Region


South AmericaNorth

America

Pre-approval requirements before paying for gifts, meals or entertainment

59% 50% 65% 54% 49%

Enhanced contract provisions 47% 57% 65% 54% 46%

Advanced anti-corruption training for select personnel

48% 57% 51% 64% 38%

Prohibitions against hiring of family members of employees of this category of customers

37% 33% 33% 53% 33%

With regard to corruption risk assessments, hiring practices that include examinations of cases

where candidates are family members or associates of government officials, and mitigating

elevated risks associated with state agencies and organisations, North American-based

organisations lag notably behind companies in other regions.


48 · Protiviti

Reporting, Investigation and Corrective Action

Principle 4 of COSO’s FRM Guide states: “The organi-

zation establishes a communication process to obtain

information about potential fraud and deploys a

coordinated approach to investigation and corrective

action to address fraud appropriately and in a timely

manner.” Further, one of the hallmarks of effective

compliance programs as promulgated by the U.S.

DOJ and the SEC is confidential reporting and

internal investigation.

Organisations that do not properly consider and

document the various channels by which the need

for an internal investigation comes to light and/or do

not follow written procedures for the performance of

internal investigations are at risk of failing to under-

take investigative activities that are proportionate

to the allegations at hand. Not only does that lead

to the risk of not conducting a productive internal

investigation, but it also can give rise to concerns that

the company is not applying a consistent standard

of care in its investigative processes. That, in turn,

can call into question whether that inconsistency is

simply a by-product of a poorly designed process or a

calculated effort to hold some people accountable but

not others.

Overall, more than one in five organisations conducted

between six and 20 investigations in the previous

year. While you would expect those same organi-

sations to have well-defined, consistently applied

investigative procedures in place, the reality is that

many organisations allow the facts at hand — or

even common psychological biases — to dictate the

investigative steps that follow, and those steps are

left to the discretion of the investigators themselves.

While there are many very talented and experienced

investigators working in-house at organisations

across the globe, the lack of documented policies

and procedures that govern investigative processes

can expose the company to a broad range of issues,

including, but not limited to, views that the organisa-

tion’s culture and institutional justice are flawed and

prone to favouritism, or that internal investigations

are performed in such a way as to raise questions

about their independence and the inconsistent

application of disciplinary actions.

That is why confidential reporting and internal investi-

gation is a hallmark of effective compliance programs.

Without a well-defined and documented process, it

would be very difficult for an outside party such as a

regulator or law enforcement agency to conclude that

an ethics and compliance program meets the definition

of effective.

Recently, guidance issued by the U.S. DOJ has placed a

great deal of emphasis on the performance of root cause

analysis. In addition, another hallmark of effective

compliance programs is continuous improvement:

periodic testing and review. What is being said in

various ways is that once a problem comes to light and

is investigated, the investigation and subsequent reme-

diation need to carefully consider not just the “what”

of what happened but also the “why,” the “how” and

the “by whom.” Answering these questions will provide

the company with insights into cultural breakdowns:

how things happened; what deficiencies in the control

environment were exposed by the fraud; and how the

pattern of fraud, corruption or misconduct was allowed

to continue undetected. These shortcomings then can

be translated into substantive changes to the controls,

both detective and preventive, that will lessen the

likelihood of a recurrence. A fraud risk management

program must be in a constant state of evolution with

new threats being addressed and lessons learned

being applied.

Five Most Common Root Causes or Control Breakdowns That Allow Fraud Incidents to Occur (Source: Top five responses from all survey participants)

1. Internal collusion

2. Collusion with third parties

3. Inadequate internal controls

4. Deliberate override of internal controls

5. Undisclosed conflicts of interest


What level of involvement does your organisation’s audit committee have in the investigation of alleged fraud or misconduct?



Midsize companies

Small companies

The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints.

61% 57% 58%

On at least a quarterly basis, the audit committee is informed of all allegations being investigated.

21% 25% 25%

The audit committee is only informed of investigations involving accounting, auditing and internal control matters.

8% 11% 8%

Don’t know. 10% 7% 9%

Region


South AmericaNorth

America

The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints.

57% 60% 67% 75% 46%

On at least a quarterly basis, the audit committee is informed of all allegations being investigated.

25% 25% 27% 15% 27%

The audit committee is only informed of investigations involving accounting, auditing and internal control matters.

14% 6% 5% 6% 12%

Don’t know. 4% 9% 1% 4% 15%


50 · Protiviti

Disciplinary action Training

The most common corrective actions taken by companies after an investigation involving employees:

Termination

KEY FACTS

New internal controls Reassignment

32% 18% 15%

10% 7%

KEY FACTS

Organisations that have received and investigated five or fewer allegations of fraud or misconduct

over the past three years

29%Organisations that have received and investigated

six to 20 allegations of fraud or misconduct over the past three years

22%


In Closing

The importance of corporate culture is garnering an

unprecedented amount of media and organisational

attention, and yet, there has not been an equal amount

of introspection or root cause analysis as to what has led

to some of the more noteworthy fraud and misconduct

cases occurring in the last year. Understanding the

interplay between fraud, corruption and corporate

culture — and the controls necessary to mitigate ethical

failures — can accelerate efforts to affect positive

organisational change and process improvements.

In today’s business environment, executives need to ask

themselves this question: Do we want to be viewed as

leaders of ethical business practices, or are we willing to

risk being the latest headline involving a toxic culture

that ultimately results in embarrassing — and costly —

fraud and misconduct?

Private sector companies in today’s world face extraordinary challenges. The results of this year’s survey

shed light on a particularly perplexing challenge; namely, creating and maintaining a strong corporate

environment that prevents and deters fraud. Key findings from respondents around the globe demonstrate

that many companies, large and small, have much work to do in crafting a strong organisational culture to

keep fraud from occurring. Many organisations indicate their fraud risk strategies are weakly defined and

that resources dedicated to fraud risk can be scarce. Only one in three organisations are confident they have

strong fraud control policies in place — a troubling finding. These and other results underscore the dire need for

corporations to embrace a more proactive position in managing fraud risk across the board to build a stronger

corporate culture.

— Donald J. Rebovich, Ph.D., Coordinator, Fraud and Financial Crimes Investigation Programs, Utica College


52 · Protiviti

Survey Demographics

Position

Chief Audit Executive 13%

Chief Executive Officer 12%

Audit Manager 10%

Audit Staff 10%

Chief Information Officer 9%

Chief Financial Officer 7%

Audit Director 4%

Chief Risk Officer 4%

Chief Operating Officer 4%

Chief Compliance Officer 3%

Board Member/Audit Committee Member 3%

Chief Security Officer 3%

Business Unit Control Leader 2%

Corporate Controller 2%

Corporate Security Director 2%

General Counsel 1%

Other 11%


Industry

Financial Services 15%

Manufacturing 14%

Technology 14%

Government 6%

Consumer Products 5%

Services 4%

CPA/Public Accounting/Consulting Firm 4%

Retail 3%

Insurance (excluding Healthcare – Payer) 3%

Education 3%

Healthcare – Provider 3%

Oil and Gas 2%

Distribution 2%

Real Estate 2%

Telecommunications 2%

Utilities 2%

Life Sciences/Biotechnology/Pharmaceuticals 2%

Not-for-profit 2%

Mining 1%

Hospitality 1%

Power and Utilities 1%

Healthcare – Payer 1%

Media 1%

Other 7%


54 · Protiviti

Financial Services Industry — Size of Organisation (by Assets Under Management in U.S. Dollars)

More than $250 billion 14%

$50 billion - $250 billion 15%





Less than $1 billion 17%

Size of Organisation (Outside of Financial Services) — by Gross Annual Revenue in U.S. Dollars

$20 billion or greater 9%

$10 billion - $19.99 billion 10%



$500 million - $999.99 million 19%

$100 million - $499.99 million 18%

Less than $100 million 11%


Type of Organisation

Private 48%

Public 31%

Private, but planning an IPO within the next 12 months 5%

Not-for-profit 4%

Government (non-U.S.) 3%

Educational institution 3%

Government (U.S.) 3%

Public international organisation 1%

Other 2%

Organisation Headquarters

North America 43%

Europe 20%

Asia-Pacific 13%

Latin America/South America 12%

India 10%

Middle East 1%

Africa 1%


56 · Protiviti

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ABOUT PROTIVITI FORENSIC

Protiviti’s Forensic consultants help organisations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.

Understanding organisational vulnerabilities and establishing an appropriate framework to identify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.

Our Forensic professionals assist organisations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organisations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level — from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.

Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.


UNITED STATES

Kelly [email protected]

James [email protected]

Peter [email protected]

Robert [email protected]

Pamela [email protected]

Diane [email protected]

AUSTRALIA

Adam Christou+61.03.9948.1200 [email protected]

Anthony Hodgkinson+61.418.123.564 [email protected]

BELGIUM

Jaap Gerkes +31.6.1131.0156 [email protected]

BRAZIL

Raul Silva +55.11.2198.4200 [email protected]

CANADA

Ram Balakrishnan +1.647.288.8525 [email protected]

CHINA (HONG KONG AND MAINLAND CHINA)

Albert Lee +852.2238.0499 [email protected]

FRANCE

Bernard Drui +33.1.42.96.22.77 [email protected]

GERMANY

Michael Klinger +49.69.963.768.155 [email protected]

INDIA

Sanjeev Agarwal +91.99.0332.4304 [email protected]

ITALY

Alberto Carnevale +39.02.6550.6301 [email protected]

JAPAN

Yasumi Taniguchi +81.3.5219.6600 [email protected]

MEXICO

Roberto Abad +52.55.5342.9100 [email protected]

MIDDLE EAST

Sanjeev Agarwal +965.2295.7770 [email protected]

THE NETHERLANDS

Jaap Gerkes +31.6.1131.0156 [email protected]

SINGAPORE

Sidney Lim +65.6220.6066 [email protected]

UNITED KINGDOM

Lindsay Dart +44.207.389.0448 [email protected]

CONTACTS

Brian ChristensenExecutive Vice President, Global Internal [email protected]

Scott MoritzManaging Director and Global Lead, Protiviti [email protected]


mailto:kelly.sherman%40protiviti.com?subject=

mailto:james.gallo%40protiviti.com?subject=

mailto:peter.grupe%40protiviti.com?subject=

mailto:robert.hennigan%40protiviti.com?subject=

mailto:pam.verick%40protiviti.com?subject=

mailto:diane.walker%40protiviti.com?subject=

mailto:adam.christou%40protiviti.com.au?subject=

mailto:anthony.hodgkinson%40protiviti.com.au?subject=

mailto:gary.anderson%40protiviti.com.au%0D?subject=

mailto:jaap.gerkes%40protiviti.nl?subject=

mailto:arvind.benani%40protivitiglobal.me?subject=

mailto:raul.silva%40protivitiglobal.com.br?subject=

mailto:ram.balakrishnan%40protiviti.com?subject=

mailto:david.dawson%40protiviti.com?subject=

mailto:albert.lee%40protiviti.com?subject=

mailto:soraya.boada%40protivitiglobal.cl?subject=

mailto:bernard.drui%40protiviti.fr?subject=

mailto:drui%40protiviti.fr?subject=

mailto:michael.klinger%40protiviti.de?subject=

mailto:sanjeev.agarwal%40protivitiglobal.in?subject=

mailto:sanjeev.agarwal1%40protivitiglobal.in?subject=

mailto:alberto.carnevale%40protiviti.it?subject=

mailto:yasumi.taniguchi%40protiviti.jp?subject=

mailto:roberto.abad%40protivitiglobal.com.mx?subject=

mailto:sanjeev.agarwal%40protivitiglobal.me?subject=

mailto:anneke.wieling%40protiviti.nl?subject=

mailto:sidney.lim%40protiviti.com?subject=

mailto:lindsay.dart%40protiviti.co.uk?subject=

mailto:brian.christensen%40protiviti.com?subject=

mailto:scott.moritz%40protiviti.com?subject=

© 2018 Protiviti Inc. PRO-0718-101107I-IZ-ENG Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

*MEMBER FIRM

© 2

017

Proti

viti

Inc.

An

Equa

l Opp

ortu

nity

Em

ploy

er. M

/F/D

isab

ility

/Vet

. PRO

-041

7

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Denver

Fort Lauderdale

Houston

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

COLOMBIA*

Bogota

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE MIDDLE EAST

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

ASIA-PACIFIC CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

INDIA*

Bengaluru

Hyderabad

Kolkata

Mumbai

New Delhi

AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

creating a strong corporate culture begins with managing ... · a strong corporate culture through...

Documents