Principles of Fraud Examination… · In organizations that had fraud hotlines, 51 percent of...

© 2015 Association of Certified Fraud Examiners, Inc.

Fraud-Related Compliance

R. A. (Andy) Wilson, CFE, CPP

VP Fraud & Compliance

Sedgwick Claims Management Services, Inc.

Introduction: Why Compliance Is Essential



Compliance Defined

A program or a set of policies in an organization designed to ensure compliance with laws and regulations on a variety of issues


Evolution of Compliance Field

Relatively new field

• Mid-20th century: Civil Rights Act, OSHA, and other laws targeting businesses

• Early 1990s: Federal Sentencing Guidelines for Organizations

• Early 2000s: Corporate scandals and resulting regulations


Evolution of Compliance Field

Growing focus on formal compliance efforts

• Compliance efforts being moved out of the legal department and into dedicated ethics and compliance functions

• The rise of the corporate Ethics and Compliance Officer

• Professional associations, training, and guidance specifically for ethics and compliance professionals


The Cost of Fraud—2014 Report to the Nations

The typical organization loses 5 percent of annual revenue to fraud.

Anti-fraud controls appear to help reduce the cost and duration of fraud schemes.

Small organizations are particularly vulnerable to occupational fraud.


The Cost of Fraud—2014 Report to the Nations

In organizations that had fraud hotlines, 51 percent of frauds were detected by tips, while in organizations without hotlines, only 33 percent of cases were detected by tips.

Internal controls alone are insufficient to fully prevent occupational fraud.


2014 Report to the Nations


2014 Report to the Nations


Federal Sentencing Guidelines for Organizations

A formula for federal courts to determine fines/punishments for organizations that violate the law

The purpose: to promote consistent penalties for violators


Federal Sentencing Guidelines for Organizations

For sentencing, the guidelines suggest the court should consider the defendant’s compliance program.

Effective compliance program is defined as one that is reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.


Why Are the Guidelines Important?

Even where liability cannot be avoided, the presence of a compliance program may mitigate or avoid penalties.

Organization’s culpability is a measure of its actions taken that either mitigated or aggravated the situation.

Minimum sentencing can be reduced by as much as 95 percent or increased by up to 400 percent.


Why Are the Guidelines Important?

In 2009, Pfizer made a $2.3 billion settlement. DOJ found that Pfizer acted with indifference to the laws in place.

Largest fraud-related fine from DOJ: GlaxoSmithKline paid $3 billion settlement for fraudulent promotion of prescription drugs and hiding safety data.


Why Are the Guidelines Important?

Eli Lilly, for defrauding the government: $1.4 billion qui tam settlement in 2009

Siemens, for FCPA violations: $800 million settlement in 2008

KBR/Halliburton, for FCPA violations: $580 million settlement in 2009

LG, for antitrust violations: $400 million settlement in 2011

SAIC, for defrauding NYC government: $500 million settlement in 2012


Are the Guidelines Mandatory?

In 2005, the U.S. Supreme Court ruled that the guidelines are advisory, rather than mandatory.

While not binding, courts continue to use the guidelines when determining sentences.


Elements of an Effective Compliance Program

1. Establishing standards and procedures

2. Assigning responsibility

3. Due diligence in hiring

4. Communicating the policy

5. Achieving compliance

6. Disciplinary action

7. Appropriate responses


Elements of a Compliance Program

Establish standards and procedures.

• Design them to be reasonably capable of preventing fraud.

• Have an ethics policy.


Elements of a Compliance Program

Assign responsibility to governing authority.

• Governing authority includes directors, officers, major business managers, and individuals with substantial ownership interests.

• Consider placing compliance program under control of audit committee.

• Audit committee overseen by high-level personnel.


Elements of a Compliance Program

Conduct due diligence in hiring/contracting.

• Make reasonable efforts to keep people who the organization knew or should have known committed illegal acts out of positions with substantial authority.

• Substantial authority personnel includes supervisors (e.g., plant and sales managers) who are authorized to exercise significant discretion.

• Screen applicants, run background checks, and monitor current employee performance.


Elements of a Compliance Program

Communicate the compliance policy.

• To anyone who can bind the organization

• Directors and officers

• Managers and supervisors

• Low-level employees and independent contractors

Include ethics policy, as well as what kinds of acts and omissions are prohibited by law.

Train new employees.

Provide ongoing training for current employees.


Elements of a Compliance Program

Take steps to achieve compliance.

• Audit and periodically evaluate program effectiveness.

• Implement a reporting system (e.g., fraud hotline).

Disciplinary action

• Enforce compliance to assure employees that violations will be punished.

• Determine range of punishment for various offenses.

• Probation, suspension, or demotion

• Termination

• Referral for criminal prosecution or civil action


Elements of a Compliance Program

Appropriate responses

1. Correct the offense.

• Make restitution to victims.

• Self-report criminal conduct.

• Cooperate with authorities.

2. Prevent similar offenses.

• Modify compliance program.

• Identify and remediate internal control weaknesses.

• Conduct periodic risk assessments.

• Consider use of outside professional advisor.


COMPONENTS | COSO INTERNAL CONTROL—INTEGRATED FRAMEWORK | SENTENCING GUIDELINES

Control Environment

• Ethical tone at the top

• Organizational structure, including key areas of authority and reporting lines

• Policies—both formal and informal—to reward ethical conduct and punish unethical actions

• Mechanism and support for employee reporting

• HR policies to ensure hiring and promotion of those who demonstrate integrity

• Consistent and appropriate discipline

• Code of conduct

• Promote a culture that encourages ethical conduct and compliance

• Knowledgeable governing authority with reasonable oversight

• High-level personnel assigned overall responsibility for the program

• Incentives to promote proper conduct and discourage improper conduct

• Reporting mechanisms for employees and agents

• Prohibit retaliation against those who make good faith reports of suspected violations

• Due diligence to avoid delegation of authority to those with criminal tendencies

• Consistent and appropriate discipline

Risk Assessment

• Identification and analysis of risks related to operations, financial reporting, and compliance

• A strategy to manage risks

• Tailoring ethics and compliance programs to specifics of organization

• Develop compliance standards and procedures using risk assessment

• Periodic assessments of compliance and ethics risk

• Incentives to maintain internal controls

• Identification of industry-specific compliance risks


COMPONENTS | COSO INTERNAL CONTROL—INTEGRATED FRAMEWORK | SENTENCING GUIDELINES

Control Activities

• Policies and procedures to help ensure that management’s directives are followed

• Activities to ensure fraud risks are addressed

• Standards and procedures capable of reducing the prospect of criminal conduct

• Determination of modifications needed to prevent future problems

Information and Communication

• Methods used to identify, capture, classify, and report pertinent information in an appropriate format and time frame

• Communication of roles and responsibilities pertaining to internal control

• Effective communication of standards and procedures to all employees and other agents

• Required participation in compliance and ethics training programs

• Compliance and ethics training and communications that are ongoing, updated, and appropriate to each group of employees

Monitoring

• Ongoing assessment of the internal control system

• Actions to correct and remediate any deficiencies

• Use of monitoring and auditing systems designed to detect criminal conduct

• Periodic evaluation of program effectiveness

• After discovering misconduct, taking reasonable steps to remedy the harm caused (e.g., provide restitution to victims, and self-reporting and cooperation with authorities)

• Responding to identified offenses by assessing the compliance program and making necessary modifications to prevent future problems


Periodic Assessment: Freescale Model

Present formal annual program review to Audit and Legal Committee.

Explain new policies established since last program review.

Discuss one-on-one meetings between CCO and senior leaders regarding tone at the top and tone at the middle.


Periodic Assessment: Freescale Model

Report on:

• Background check process for officers

• Content and effectiveness of employee training

• Investigations and disciplinary actions

• How the company may have responded to any reported violations of law

• Periodic risk assessment training and updates on completion of action items to address identified risks


Periodic Assessment: List of Metrics

Total number of contacts rec’d from reporting mechanisms

Total anonymous contacts

Total unsubstantiated contacts

Total employee terminations

Summary of discipline as a result of contact

Geographical distribution

Type of complaint (HR, ethics, legal violation)

How complaint was received


Periodic Assessment: List of Metrics

Trend analysis of contacts

Cycle time to resolve contacts

Year-on-year comparison of all of the above

Employee ethics survey results

Year-on-year survey comparison

Training completions


Importance of the Seven Elements

Adherence to the Guidelines is not required.

Then why are the seven elements important?

• Promotes a culture of ethical behavior

• Communicates organizational expectations and commitment

• Prevents and identifies illegal and unethical behavior

• Limits liability and possibly avoids prosecution in instances of wrongdoing

• Makes good business sense to minimize fraud

• Promotes a positive reputation


Discussion Question #1

Establishing standards

• Do you think that the sample business conduct policy meets the requirements?

• What, if any, standards or procedures would you add to the policy?


Discussion Question #2

Assigning responsibility

• Does the policy assign responsibility concerning the content and operation of the policy, and, if so, to whom?

• Would you add anyone to that list?


Discussion Question #3

Due diligence in hiring and contracting

• Does the policy contain adequate measures to meet the expectations of due diligence in hiring? What about due diligence in contracting?

• What kind of policies are necessary to create due diligence in hiring? Due diligence in contracting?


Discussion Question #4

Communicating the policy

• Who needs to receive the policy?

• How should the company communicate the policy to each of these groups?


Discussion Question #5

Achieving compliance

• What steps not currently in the policy would you take to achieve compliance?


Discussion Question #6

Disciplinary action

• Does the policy provide for a proper range of punishment?

• What should the company do to ensure consistent enforcement?


Discussion Question #7

Appropriate response

• Does the policy provide for adequate procedures to respond to and correct an offense?

• Does the policy contain provisions that would work to prevent future violations from occurring? What would you add?