Print this article | Return to Article | Return to CFO.com
Why the risk of wrongdoing has migrated from senior executives to middle management — and what to do about it.
David M. Katz, CFO.com | US
January 30, 2008
With recession looming larger with each passing day, fraud is ever more likely to rear its ugly head. Unlike the last recessionary period beginning in late 2001, today's fraudsters are more likely to come from middle management than the C-suite. What happened to change things in the intervening years? Section 404 of the Sarbanes-Oxley Act of 2002.
Since then, chief executives, CFOs, and other managers have learned that their jobs are on the line if they violate the famed internal controls-provision of Sarbox, says Yigal Rechtman, head of the forensic accounting department for Buchbinder, Tunick, and Company, an audit firm. As a result, corporations have become saturated with "a false sense of security because c-level executives and the board are trained to talk Sarbanes-Oxley."
What's more, the compensation of top management of many companies has risen so strongly since the last recession that they have simply too much to lose to commit the kind of fraud that the top execs of Enron, WorldCom, and so many other companies committed around the turn of the century, the fraud sleuth reasons. Not so for middle management, where compensation has remained stagnant and recession and decreasing home prices represent serious threat. "Middle management is the first place where management overrides will happen," he says.
Thus, the focus of frauds will shift from earnings per share and stock options — the typical obsessions of top managements — to productivity and commissions, more the province of the mid-level worker, Rechtman says, noting that inventory and payroll misdeeds may soon be on the rise. How senior executives take a bite out of crime? The forensic investigator offers the following 10 suggestions:
•Avoid reliance on budgets. Since budgets are a prime place that wrongdoers can hide excessive spending, they're a good place to sniff out fraud, right? Wrong. Budgets tend to inflate, making it hard for management to spot telltale signs by comparing budget from year: one year's padded expense account becomes next year's norm. Budgets are also composites of aggregated numbers, showing little of how those numbers were calculated. "Don’t use the budget as a control," says Rechtman. "It's good for performance measures, but not for detecting fraud."
• Install an anonymous tip line. Whistleblowers are unlikely to leave a message, so their lifeline should be one provided by a third-party service in which real people answer the phone — not a company voicemail. Also: To prosecute a fraud, there must be a reasonable cause, and a tape recording is a weak one, says Rechtman.
• Conduct seminars about workplace fraud. Educational efforts should stress the message to employees that their annual bonuses and raises are tied directly to the health of the company, which in turn is tied to preventing fraud. Many frauds are discovered by accident, and employees should know what to do if they stumble upon it.
• Get credit reports on employees. Employers should "definitely" get reports on workers' borrowings before they're hired and consider making periodic provision of them a condition of continued employment, says Rechtman. Credit reports provide employers with some idea of the ratio of an employee's spending habits to his or her income. A particular "red flag" of fraud risk is a large amount of pressure on an employee to maintain a rich lifestyle. In such cases, an employer might decide to minimize an employee's responsibility for collecting checks and similar risky areas.
• Talk with auditors about fraud risks at the start of the fiscal year. Employers should ask their independent auditors for their assessment of the areas of potential fraud in the company. "Auditors are not required to find fraud, but are required to look for it," Rechtman notes. "Ask your auditor where . . . a fraud could happen, and then go look for it yourself."
• Perform an annual review of vendors and service providers. Reviewers should focus on new sellers and outside advisers, with an eye trained on unfamiliar product names and acronyms and post-office-box addresses: all reasons to dig further into fraud risk. Tax identification numbers (especially ones with all the same digits) of vendors should be checked — especially ones that don't have them. Be especially suspicious of vendor addresses that can be matched to employees, because the employee could be setting up a fictitious vendor in an attempt to commit fraud.
• Apply "Benford's Law." Also known as the "first-digit law," Benford's Law states that in lists of numbers, the leading digit is 1 almost one third of the time. What's more larger numbers — 2,3,4, etc. — appear as the leading digit less often as they grow larger. Counterintuitively — you'd tend to think that all single digits would have an equal shot to appear in the first slot — the law holds that the number 9 has the least chance (4.6 percent) to appear in the first slot. Keeping this dictum in mind can be a great help in spotting anomalies in check numbers and payroll statements.
• Break the fraud chain. Although it makes sense to give the most fraud-sensitive work to the most reliable employees, this practice also creates the highest concentration of fraud risk, notes the investigator. To avoid a situation in which a finance executive, for instance, authorizes checks, executes payments, and holds on to supporting documents, have at least two, or even three people responsible for those functions, according to Rechtman. A particularly ripe area for such fraud: wiring cash, which is a situation in which an employee deals directly with a bank with no intervening controls.
• Surprise 'em. At the beginning of a new year or at year's end, company managers should plan when unexpected audits or tests should be done and who should perform them. Internal auditors or quality-assurance employees might be best at this, notes Rechtman, and casinos often use audit firms to perform the function. Sometimes, it's a good idea to discuss the surprise audits beforehand.
•Do it now. It's important to take at least one specific anti-fraud measure as soon as possible in order to battle a false sense of security, given the widespread risk of fraud. "Just reading this list is already a step in the right direction," Rechtman says of the above.