Dec 23, 2020
ComplianceMitigation.com
Previous modules offered insights we believe leaders should
consider when designing an effective compliance program and
risk-management strategy for their organizations. The more leaders
customize their compliance and best-practice programs, the better
they safeguard against intrusive investigations that could threaten
the business and its team members.
Regardless of what efforts team members make to protect a
company, possibilities always exist for a breakdown, or for a rogue
team member that could expose the organization to liability. For
that reason, all companies should create a plan that would
coordinate a team response in the event of an inquiry from
regulators or law enforcement.
Lack of Planning Brings Vulnerabilities:
In the absence of a structured response plan, team members may
not know what to do if they learn that authority figures have taken
an interest in the company or in a team member. Sometimes, leaders
act rashly. People have gone to prison for their response to a
government investigation, rather than for the underlying reasons
behind the inquiry.
Consider the case of the famous celebrity, Martha Stewart. Many
people are familiar with her brand, which sells household products.
In 2001, however, a personal scandal over a stock sale completely
disrupted her life. Her response to a government inquiry led to
criminal charges.
According to the U.S. Securities and Exchange Commission, in
late December 2001, her stockbroker at Merrill Lynch, Peter
Bacanovic, called her. Peter revealed that Sam Waksal, the CEO of
ImClone Systems, had placed an order to sell all of his shares in
his company as a result of an adverse decision by the Food and Drug
Administration. In response, Martha sold approximately 4,000 shares
that she owned, avoiding losses of more than $45,000.
When government investigators began making inquiries, Martha did
not have a good plan. The responses she gave to the government
investigators resulted in criminal charges. The fees and costs
associated with the disruption likely exceeded several million
dollars. Beyond the legal costs, Martha’s response to
the investigation led to a shareholder derivative suit against
Martha Stewart and other directors at her company, and to a prison
term of five months. With a felony conviction, Martha endured
lifelong complications, including bans on travel to some
countries.
Clearly, Martha Stewart did not have a principled plan that
would guide her response to a government inquiry. Sadly, many
people find themselves in the same predicament. Those who operate
businesses without designing a response plan for government
inquiries may leave themselves vulnerable to knee-jerk reactions
that can exacerbate troubles.
A lack of a plan can lead to confusion during the first few
hours, days and weeks of an inquiry. The unfolding drama can
distract team members, as everyone may worry about personal
liability. If people don’t know what to do, they may make futile
attempts at self-preservation, such as destroying incriminating
evidence, or lying to government investigators. Either response
would expose the individual, and potentially others, to criminal
charges.
Risk Management:
A good response plan will ensure that all team members have
guidelines to follow. Whether government regulators inquire about
business operations or potential fraud, everyone should know what
steps to take. To protect both the business and the team members,
corporate leaders should articulate the appropriate protocol any
time an investigator makes an inquiry.
- Does everyone in your organization know how to respond in the
event that an investigator asks a question?
Leaders can easily get an answer to that question by creating a
plan. Then, they should create a training exercise for all team
members. The more transparency leaders bring to an
investigation-response plan, the more they will strengthen
arguments that the organization has made a genuine effort to act in
compliance with all regulations and laws.
Point for business leaders to consider:
- Regulators and judges are increasingly asking not just whether
a company has an anti-fraud, anti-money laundering, or corporate
ethics policy in place. They are also asking how well such programs
work and whether their quality and results make sense. They are
asking, in other words, how good are they? This trend raises the
stakes for those charged with governance.
An example of an effective “anti-fraud policy” may prove helpful
to business leaders who want to create an organization-specific
plan. Our team at Compliance Mitigation offers the following as a
template:
1. INTRODUCTION
- Our company (the “Company”) has a commitment to high legal,
ethical and moral standards. We expect all members of staff to
share this commitment. The Board of Directors tries to ensure that
a risk (and fraud) awareness culture exists in this organization.
Fraud is an ever-present threat and hence must be a concern to all
members of staff. Our Company views fraud as an extremely serious
matter and is committed to the promotion of an Anti-Fraud Culture
throughout the
- We created this document to provide direction and help to those
who find themselves having to deal with suspected cases of theft,
fraud or corruption. This document gives a framework for a
response, advice and information on various aspects and
implications of an investigation. It is not intended to provide
direction on prevention of
- This Policy applies to any irregularity, or suspected
irregularity, involving employees as well as consultants, vendors,
contractors, customers and/or any other parties having a business
relationship with the Company. Any investigative activity required
will be conducted without regard to any person’s relationship to
this organization, position or length of service. All managers and
supervisors have a duty to familiarize themselves with the types of
improprieties that might be expected to occur within their areas of
responsibility and to be alert for any indications of
2. DEFINITIONS – WHAT IS FRAUD?
- We define Fraud as “dishonestly obtaining an advantage,
avoiding an obligation or causing a loss to another party.” The
term “fraud” commonly includes activities such as theft,
corruption, conspiracy, embezzlement, deception, bribery and
extortion. It may involve:
- manipulation, falsification or alteration of records or
documents;
- suppression or omission of the effects of transactions from
records or documents;
- recording of transactions without substance;
- misappropriation (theft) or willful destruction or loss of
assets including cash; and
- deliberate misapplication of accounting or other regulations
or
- The criminal act is the attempt to deceive, and attempted fraud
is therefore treated as seriously as accomplished
- Computer fraud arises where information technology equipment
has been used to manipulate programs or data dishonestly (for
example, by altering, substituting or destroying records, or
creating spurious records), or where the use of an IT system was a
material factor in the perpetration of fraud. Theft or fraudulent
use of computer time and resources is included in this
definition.
- Some illustrations of incidents which would be classified as
fraud are contained in Appendix A to this
3. PURPOSE OF THE FRAUD RESPONSE PLAN
- The purpose of the Fraud Response Plan (the “Plan”) is to
ensure that effective and timely action is taken in the event of a
fraud. The Plan aims to help minimize losses, reduce liability and
increase the chances of a successful
- The Plan defines authority levels, responsibilities for action,
and reporting lines in the event of a suspected fraud or
irregularity. It acts as a checklist of actions and a guide to
follow in the event of fraud being suspected. The Plan is designed
to enable the Company to:
- prevent further loss;
- establish and secure evidence necessary for criminal, civil
and/or disciplinary action;
- determine when to contact the police and establish lines of
communication;
- assign responsibility for investigating the incident;
- minimize and recover losses;
- review the reasons for the incident, the measures taken to
prevent a recurrence, and determine any action needed to strengthen
future responses to
4. COMPANY RESPONSIBILITIES
- The Company will undertake fraud investigations where there is
suspected fraud and take the appropriate legal and/or disciplinary
action in all cases where that would be justified. Where there is
fraud (proven or suspected), the Company should make any necessary
changes to systems and procedures to prevent similar frauds from
occurring in the future. The Company should establish systems for
recording and subsequently monitoring all discovered cases of fraud
(proven or suspected).
- Responsibility for exercising disciplinary actions rests with
the Director of Human Resources [or the Director of
Compliance, for a company large enough to have independent
compliance personnel], although this should be done in
consultation with other Executives where
5. MANAGING THE RISK OF FRAUD - RESPONSIBILITIES
- The Executives (CEO and CFO) of the Company are responsible for
establishing and maintaining a sound system of internal controls
that support the achievement of Company policies, aims and
objectives. The system of internal controls is designed to respond
to and manage the whole range of risks that the Company faces.
Managing fraud risk will be seen in the context of the management
of this wider range of
- Overall responsibility for managing the risk of fraud has been
delegated to front line managers and an internal auditor (whose
duties are defined below). Their responsibilities include:
- developing a fraud risk profile and undertaking a regular
review of the fraud risks associated with each of the key
organizational objectives in order to keep the profile
current;
- designing an effective control environment to prevent fraud
from happening;
- establishing appropriate mechanisms for:
- reporting fraud risk issues,
- reporting significant incidents of fraud to the CFO and Human
Resources [or the Compliance Department].
- making sure that all staff are aware of the Company’s attitude
to fraud and know what their responsibilities are in relation to
combating fraud;
- developing skill and experience competency frameworks;
- ensuring that appropriate anti-fraud training and development
opportunities are available to appropriate staff in order to meet
the defined competency;
- ensuring that vigorous and prompt investigations are carried
out if fraud occurs or is suspected;
- taking appropriate disciplinary action against supervisors
where supervisory failures have contributed to the commission of
fraud;
- taking appropriate action to safeguard the recovery of
assets;
- ensuring that appropriate action is taken to minimize the risk
of similar frauds occurring in the future.
- Line Managers are responsible for:
- ensuring that an adequate system of internal controls exists
within their areas of responsibility and that controls operate
effectively;
- preventing and detecting fraud;
- assessing the types of risk involved in the operations for
which they are responsible;
- regularly reviewing and testing the control systems for which
they are responsible;
- ensuring that controls are being complied with and their
systems continue to operate effectively;
- implementing new controls to reduce the risk of similar fraud
occurring where frauds have taken
- The Internal Auditor is responsible for:
- delivering an opinion to the CFO and Audit Committee on the
adequacy of arrangements for managing the risk of fraud and
ensuring that the Company promotes an anti-fraud culture;
- assisting in the deterrence and prevention of fraud by
examining and evaluating the effectiveness of controls commensurate
with the extent of the potential exposure/risk in the various
segments of Company’s operations;
- assisting management in conducting fraud
- Every member of staff bears responsibility for:
- acting with propriety in the use of Company resources and the
handling and use of Company funds whether they are involved with
cash or payments systems, receipts or dealing with suppliers
or
- being conscious of the possibility that unusual events or
transactions could be indicators of fraud;
- reporting details immediately through the appropriate channel,
if they suspect that a fraud has been committed or see any
suspicious acts or activities;
- co-operating fully with whoever is conducting internal checks,
reviews or fraud investigations.
6. FRAUD DETECTION
- Line Managers should be alert to the possibility that unusual
events or transactions could be symptoms of fraud or attempted
fraud. Fraud may also be highlighted as a result of specific
management checks or be brought to management's attention by a
third party. Additionally, irregularities occasionally come to
light in the course of audit
- The factors which gave rise to the suspicion should be
determined and examined to clarify whether a genuine mistake has
been made or an irregularity has occurred. An irregularity may be
defined as any incident or action which is not part of the normal
operation of the system or the expected course of
- Preliminary examination may involve discreet enquiries with
staff or the review of documents. It is important for staff to be
clear that any irregularity of this type, however apparently
innocent, will be
7. ACTION FOLLOWING DETECTION
- When any member of staff suspects that a fraud has occurred,
he/she should notify his/her Line Manager or Internal Auditor
immediately. Speed is of the essence and this initial report can be
verbal and must be followed up within 24 hours by a written report
addressed to the Line Manager/Internal Auditor which should cover:
- The amount/value if
- The position regarding
- The period over which the irregularity occurred, if
- The date of discovery and how the suspected fraud was
- Whether the person responsible has been
- Whether any collusion with others is
- Details of any actions taken to
- Any other information or comments which might be
- Before completing the report above, line management may want to
undertake an initial inquiry to ascertain the facts. This enquiry
should be carried out as speedily as possible after suspicion has
been aroused: prompt action is essential. The
purpose of the initial enquiry is to confirm or negate, as far as
possible, the suspicions that have arisen so that, if necessary,
disciplinary action including further and more detailed
investigation may be initiated. The Internal Auditor is available
to offer advice on any specific course of action which may be
necessary.
- As the gravity of each irregularity might be different, a
reporting member of staff may wish to act in accordance with the
"Policy on Reporting and Investigating Allegations of Suspected
Improper Activities."
8. CONSULTATION AND REPORTING WITHIN THE COMPANY
- On verbal notification of a possible fraud the Line
Manager/Internal Auditor must immediately contact the CFO. He/She
will inform and consult with the CEO (General Director) in cases
where the loss is potentially significant or where the incident may
lead to adverse
- The CFO will maintain a log of all reported suspicions,
including those dismissed as minor or otherwise not investigated.
The log will contain details of actions taken and conclusions
reached and will be presented to the Audit Committee for inspection
annually. Significant matters will be reported to the Board of
Directors as soon as
- Where a member of staff is to be interviewed or disciplined,
the CFO and/or Internal Auditor will consult with, and take advice
from, the Director of Human Resources [or Director of
Compliance]. He will advise those involved in the
investigation in matters of employment law, Company policy and
other procedural matters (such as disciplinary or complaints
procedures) as
9. INVESTIGATION / FURTHER ACTION
- If it appears that a criminal act has not taken place, an
internal investigation will be undertaken to:
- determine the facts;
- consider what, if any, action should be taken against those
involved;
- consider what may be done to recover any loss incurred;
and
- identify any system weakness and look at how internal controls
could be improved to prevent a recurrence.
After proper investigation, the Company will take legal and/or
disciplinary action in all cases where leaders consider further
action appropriate. There will be consistent handling of cases
without regard to position or length of service of the
perpetrator.
- Where an investigation involves a member of staff and it is
determined that no criminal act has taken place, the CFO will
liaise with the Director of Human Resources [or Director of
Compliance] and appropriate Line Manager to determine
which of the following has occurred and therefore whether, under
the circumstances, disciplinary action is appropriate:
- gross misconduct (i.e. acting dishonestly but without criminal
intent);
- negligence or error of judgment was seen to be exercised;
or
- nothing untoward occurred and therefore there is no case to
- Where, after having sought legal advice, the CFO judges it cost
effective to do so, the Company will normally pursue civil action
in order to recover any losses. The CFO will refer the case to the
Company’s legal advisers for
- Where initial investigations point to the likelihood of a
criminal act having taken place, the Executives (CEO or CFO) will
contact the police (or appropriate Federal agency, as the case may
be) and the Company’s legal advisers at once. The advice of the
police will be followed in taking forward the
- The investigations described above will also consider whether
there has been any failure of supervision. Where this has occurred,
appropriate disciplinary action will be taken against those
responsible for this
10. RECOVERY OF LOSSES
The recovery of losses should be a major objective of any fraud
investigation. To this end, the quantification of losses is
important. Repayment of losses should be sought in all cases. Where
necessary, the Company will seek external advisors and legal advice
on the most effective actions to secure recovery of losses.
11. MANAGERS’ DUTY OF CARE
- Managers conducting initial enquiries must be conscious that
internal disciplinary action and/or criminal prosecution may
result. If such action is later taken, then under proper procedure
the member of staff concerned has a right to representation and may
have the right to remain silent. Utmost care is therefore required
from the outset in conducting enquiries and
- In addition, in order to protect the Company from further loss
and damage from destruction of evidence, it may be necessary to
suspend the member of staff concerned immediately after the
allegation has been made or following the submission of the
Manager’s initial verbal report. Specific advice should be sought
from Human Resources [Compliance] before
12. PROTECTION OF EVIDENCE
If the initial examination confirms the suspicion that a fraud
has been perpetrated, then to prevent the loss of evidence which
may subsequently prove essential for disciplinary action or
prosecution, the person heading up the investigation (“Head of
Investigation”) should:
- take steps to ensure that all original evidence is secured as
soon as possible;
- be able to account for the security of the evidence at all
times after it has initially been secured, including keeping a
record of its movement and signatures of all persons to whom the
evidence has been transferred. For this purpose, all items of
evidence should be individually numbered and descriptively
labeled;
- not alter or amend the evidence in any way;
- keep a note of when investigators came into possession of the
evidence. This will be useful later if proceedings take place;
- remember that all memoranda relating to the investigation must
be disclosed to the defense in the event of formal proceedings
against an employee, so it is important to carefully consider what
information needs to be recorded. Particular care must be taken
with phrases such as “discrepancy” and “irregularity” when what is
really meant is fraud or theft;
- ensure that electronic evidence is appropriately handled by
certified
13. HEAD OF INVESTIGATION
- Executives of the Company will nominate in writing the Head of
Investigation on a case-by-case basis depending on the gravity of
issues and potential losses involved. The Internal Auditor will
oversee and control the subsequent investigation; for this purpose,
the Head of Investigation will report to the Internal Auditor.
- The Terms of Reference should be agreed between those involved
in the investigation. The Head of Investigation should arrange for
an action plan to be put in place with, as far as is possible, a
set timeframe and regular reviews. He should call on the assistance
of various sources of help at all stages (technical assistance,
personnel, external audit, attorneys, etc.) but ultimate
responsibility and accountability in progressing the case should
remain with the Head of Investigation.
- The Head of Investigation should have the necessary authority
(i.e. the appropriate rank and experience) to enable him/her to
properly discharge these duties. Depending on the volume of work to
be performed and the issues involved, this person might be released
from his/her main duties in the Company on a temporary
- The Head of Investigation should also be independent from the
matter in question. It is the responsibility of the Head of
Investigation to keep the Internal Auditor abreast of developments
and report all material developments promptly to facilitate onward
reporting to the Executive Team and Audit
14. LEARNING FROM EXPERIENCE
Following completion of the case, the Internal Auditor should
prepare a summary report on the outcome and lessons learned,
circulating it to all other interested parties, who must take the
appropriate action to improve controls to mitigate the scope for
future recurrence of the fraud. Where a fraud has occurred,
Management must make any necessary changes to systems and
procedures to minimize prospects for similar acts of fraud.
SUMMARY
Deloitte, one of the world’s largest business consultants,
offers the following guidance for businesses that want to begin a
fraud-response plan:
- Create an allegation system:
- In what ways does the company systematically receive
complaints?
- What process exists to assess the validity of complaints?
- How does the company train team members on what they should do
if they suspect fraud?
- How does the company train team members on what they should not
do if they suspect fraud?
- Allegation Triage:
- How does the company determine when to escalate a complaint to
a formal investigation?
- How does the company document the criteria to determine which
complaints get investigated?
- What protocols guide the investigator’s assignment?
- Case Investigation:
- What work plan exists to guide investigations?
- How do investigators handle evidence?
- What level of competency do investigators have?
- How does the company review case status?
- Who has access to case files?
- Communication and Reporting:
- How do investigators communicate with stakeholders?
- How does the company reveal investigations to team
members?
Action List
The following checklist of actions may guide a person who
suspects fraud within the company.
- Do not act on emotion. It’s time to gather all the facts.
- Alert appropriate management within your organization. This, of
course, heavily depends on who’s suspected of committing the fraud.
Fraud discovered at the lower echelons of the company can probably
be handled by the direct manager in association with the compliance
supervisor. Things get a bit more complicated the higher you move
up the corporate ladder. Accountability, though, goes straight to
the President, CEO and Board of Directors. So, make sure compliance
is amply prepared and authorized to do what’s necessary even upon
discovery of high-level fraud within the company.
- Document date, time and details of initial report/discovery.
This is important for both the reporting of the suspected fraud and
ongoing investigation.
- Take notes (and/or pictures and video) of all observations and
actions. Important information can quickly be forgotten or confused
over time. Creating copious notes and/or documenting photographic
evidence helps ensure you have all the information the company
needs to maintain the integrity of the investigation.
- Maintain confidentiality (only inform those people who need to
know about the suspected act). Loose lips sink ships – and
investigations. Prematurely alerting the suspect(s) leads to
destruction of evidence and cover-ups.
- Do not confront the suspect. You could be putting yourself in
danger, in addition to undermining the investigation.
- Write out in full the suspected act or wrongdoing in as much
detail as possible, including:
- The alleged occurrence,
- Who was involved in the occurrence,
- Whether the activity is ongoing,
- Location of occurrence,
- The value of the loss or potential loss, and
- A list of who else may know of the activity.
Collection of evidence is critical for proving the crime.
Corporate investigations can take months and legal ones even
longer.
- Identify all documentary and other evidence connected to the
activity, such as:
- Invoices,
- Contracts and Agreements,
- Purchase orders,
- Checks,
- Computers,
- Laptops,
- Tablets,
- Cell phones,
- Cloud access accounts,
- Credit card statements, and
- Relevant social media accounts.
- Immediately gather the evidence (only if doing so will not
alert the suspects) and place it in a secure area. Bear in mind a
need to maintain a legitimate chain of evidence in case it becomes
necessary to bring in outside authorities.
- Protect the evidence from damage or contamination. This
includes all confiscated electronic devices. You may need the
evidence for civil or criminal proof, or even for a countersuit
against a litigious fired employee, should you need one.
- Identify all potential witnesses. This includes people within
and outside your organization. Certain people may even alternate
from witness to suspect and vice versa during the course of your
investigation.
- If possible, secure and/or remove the suspect’s access to
relevant computers and security systems. This decision is delicate
and may need to be made at the highest levels of authority within
the organization. There’s a fine balance between mitigating damages
and continuing to collect evidence. You may want to consult outside
legal and accounting firms and request an Opinion Letter regarding
your decisions, depending on the situation.
- Ensure regular back-up of all files and secretly place
additional security on all accounts the suspect(s) may have access
to.
- Contact the company’s outside counsel and accountants for
advice and recommendations. This should occur early on in the
process but, typically, at the highest levels of management.
- Contact the company’s insurance carrier. You may or may not be
covered for the type of fraud under investigation. Should you be
covered, the insurer may have its own processes for conducting
investigations and you may unwittingly forfeit certain rights or
claims by not alerting them early enough. The insurer, moreover,
may try to deny the claim and you might be forced to retain
additional counsel to sue your insurer for coverage.
- You may need to retain a forensic accountant. Some frauds can
be quite elaborate and complex, involve multiple jurisdictions
and/or require advanced training in computer programming. A full
investigation may require particular expertise.
- Continue to monitor suspicious personnel and activities to
ascertain the full breadth and extent of the fraud.