John Hall, CPA, has spoken to thousands of employees at hundreds of organizations around the world — from Las Vegas casinos to national governments in Eastern Europe — about ethics, integrity, and fraud prevention.
Few people would disagree about the importance of those topics. But to get people truly engaged with an anti-fraud mission, he said, requires something more.
"The big question," he said with a smile, "is, 'So what? What exactly should every business leader actually do with this information?'"
Hall is an auditor, consultant, and speaker who will be among the presenters Oct. 27–29 at the AICPA & CIMA Corporate Finance and Controllers Conference in Las Vegas. His presentation focuses on tangible steps to build what he calls a "defensive wall" against fraud and ethics breaches.
Here are Hall's six building blocks for an anti-fraud wall that is built on the strength of all members of an organization.
Visible, vocal leadership support: Leadership support is mandatory for any effort to fight fraud and uphold company ethics. "Yes, at the top, plus every manager at every level on the way down," he said.
If the topic, for example, is wire transfer risks, then the message must "filter down" through each level of treasury and procurement management. As a result, each employee will know that their direct supervisor expects them to know and to act on the company's anti-fraud policies and related transaction controls.
Policies in writing: "I spent my career dealing with people who say, 'I didn't know,'" Hall said.
The solution, he said, is written policy documents that call on employees to help fight fraud and corruption. These higher-level documents should describe the risks and recruit employees into the anti-fraud mission.
"We have this risk. We need your help. If you see something, say something," Hall said.
Instead of laying out specific "do" and "don't" actions, he added, these policies should focus on four key ideas:
- You are responsible for knowing what can go wrong in your function.
- It is your job to safeguard against fraud and ethical breaches in your area of responsibility.
- It is also your job to surface and report wrongdoing and fraud.
- Fraud should be caught, reported, and stopped as soon as possible.
Brainstorming to bring people in: Auditors and executives can't be expected to predict every possible vector for fraud risk. Instead, Hall suggests convening managers throughout the organization in small groups to talk about potential risks.
"You sit around with people you can trust and be open with, and you spitball ideas," Hall said.
These sessions include two major steps:
- Participants list "what can go wrong" in terms of fraud or ethical breaches, such as contractors overcharging or employees misusing purchase cards.
- Next, they talk about ways to catch those misdeeds. Employees should consider "What would fraud look like?" and build lists of red flags. This allows employees to know exactly what to look for in their everyday work.
Brainstorming has a dual role. It can highlight potential risk vulnerabilities for leadership to act on. It also engages participants in the anti-fraud fight.
"In that time, we educate, and we have that same message: 'We need your help,'" Hall said.
Anti-fraud controls: Internal controls are, of course, fundamental to most organizations and have been the subject of decades of work at the regulatory and congressional level. For example, companies often require multiple signatures for transactions above a certain value. This basic but important requirement limits access to disbursements and places responsibility for approval at the appropriate management level.
Hall suggests that financial professionals familiarize themselves with the history of controls generally and with their own companies' controls. But he doesn't dwell on the specifics when speaking with a general audience.
Instead, he asks how people behave under the controls.
Anti-fraud behavior: "We want to make sure that employee and manager behaviors fully support the anti-fraud intention of control procedures," Hall said.
Too often, he finds managers ignoring the true purpose of controls — for instance, by signing off on purchases without truly examining the documentation.
"It can be the lack of skills. It can be the lack of time, the lack of energy, of boss support," he said. Any of those factors can produce a "rift" where managers aren't upholding the purpose of a control. And in 90% of the fraud cases he's seen, Hall said, he has found flawed or inadequate human execution of controls to be the root cause.
The best way to detect a rift, he said, is to spend time on the frontlines. That could include testing samples of transactions and asking managers about how they handled unusual transactions — what he calls "strange, odd, or curious" triggers that catch an employee's attention.
Training for the "anti-fraud moment": Anti-fraud training is the final piece of Hall's defensive wall. Training sessions, he said, should be light on theory. Instead, he focuses on the moments where employees are called upon to enact anti-fraud controls.
"What do I need to know in the moment that I either pick up a pen or reach for a mouse and place my name and reputation on a transaction?" Hall said. "I call that the anti-fraud moment. 'I'm the gatekeeper right now. What do I need to know before I open up the gate?' Everything else is secondary."
In preparation for that moment, managers should be learning how to employ critical analysis to question whether, for example, a purchase or invoice looks suspect.
Hall offers numerous questions to be asked, including:
- Are you familiar with the vendor?
- Have the goods or services been provided?
- How do you know that the prices were reasonable, and by what standard?
For purchasing and timecards, managers can be trained to look for suspicious patterns and encouraged to follow up on red flags.
Hall also likes to begin trainings by having participants calculate the potential cost of fraud to their organization, making the risk tangible.
Above all, he urged finance professionals to remember that the anti-fraud fight is unfamiliar territory for many colleagues.
"We are asking our supervisors and managers to do something that some, even most, simply don't know how to do," he said. "What a great leadership opportunity to demonstrate our knowledge and add measurable bottom-line value."
— Andrew Kenney is a freelance writer based in Colorado. To comment on this article or to suggest an idea for another article, contact Neil Amato, a JofA senior editor, at Neil.Amato@aicpa-cima.com.