Mitigate or exacerbate fraud risk? Culture’s critical role
Carey Miller, CPA/CFF, is a co-author of this quarter’s FVS Eye on Fraud report, focused on the role of organizational culture in reducing fraud risk.
Miller, a partner at the firm J.S. Held, joined the Journal of Accountancy podcast to discuss details in the report and share stories from her experience as a forensic accountant.
The discussion delves into particulars of the quarterly report, including how strong culture can serve to minimize fraud risk, why middle managers are important in such culture, and indicators that a company’s culture is more likely to allow fraud.
The first-quarter FVS Eye on Fraud report, focused on financial tracing, was detailed in a March podcast episode.
Resources
- FVS Section home page
- CFF credential information page
- Eye on Fraud report for the second quarter of 2025
What you’ll learn from this episode:
- The multiple business aspects affected by a company’s culture.
- Why a weak or unethical corporate culture might permit employees to commit fraud.
- Five drivers of high-performance culture.
- The important role of middle managers in building or affirming organizational culture.
- Three points of the fraud triangle.
- How leaders can balance employee autonomy with a system of checks and balances that mitigates fraud risk.
- Indicators of a fraud-prone culture.
Play the episode below or read the edited transcript:
— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome to the Journal of Accountancy podcast. This is Neil Amato with the JofA. Today, we’re discussing the quarterly Eye on Fraud report from the AICPA’s Forensic and Valuation Services Section, that’s the FVS Section. Carey Miller is a CPA, a managing director at the firm J.S. Held, and a co-author of this quarter’s report, which focuses on the role of organizational culture in reducing fraud risk. Carey, we’re glad to have you on the podcast today. Thanks for being here.
Carey Miller: Thank you for having me. I’m happy to be here.
Amato: Great. I mentioned we’re talking fraud and specifically organizational culture in reducing fraud risk. In summary, to lead off, how does an organization’s culture correlate to fraud risk?
Miller: I’m glad that we’re having this conversation because organizational culture is such an important part of mitigating or exacerbating fraud risk. When we talk about culture, I think what first comes to mind for many people is characteristics of a company or organization that make it unique, that drive how employees and consumers interact with that organization.
But as a forensic accountant, I’m particularly interested in the relationship between culture and fraud risk. In order to understand that relationship, I think it’s helpful to recognize that organizational culture really affects all aspects of the business. It affects how leadership sets organizational goals and priorities. It affects how employees perform their jobs, interact with other employees, and how customers, consumers, and suppliers interface with the organization.
Not only does culture affect all aspects of a business, it’s also embedded throughout all levels of an organization, through things like methods of communication, through training and education, policies and procedures, systems to monitor compliance, and mechanisms to recognize and reward certain behaviors. Given that culture is such a core part of any business, I think it makes sense that a strong ethical culture can go a long way toward helping to mitigate fraud risk.
On the flip side, when a company’s culture is weak or unethical, employees might feel like it’s OK or even expected to act unethically. They might stay quiet about unethical or fraudulent behavior if they think no one cares or will do anything about it. While it’s impossible to eliminate fraud risk entirely, I think organizational culture plays a significant role in influencing it, either for better or for worse.
Amato: That’s great. Organizations maintaining a strong culture, we can say that. That’s easier said than done. But still, employees in organizations with strong cultures may be less tempted to commit fraud. How can those companies act on those words? How can they build that culture, and what are some of the drivers of strong organizational culture?
Miller: I think it’s a great question, and you’re absolutely right. Easier said than done. It’s not formulaic or one-size-fits-all, but I can share some thoughts based on both my research and my experience as a forensic accountant, and I think a really good place to start is with something that we discussed in the article, which is the Gallup research that identified five drivers for a high-performance culture, which can also be drivers for a strong ethical culture that’s committed to reducing fraud risk.
The first driver of high-performance culture is leadership and communication. I think this is a really good place to start because effective communication from leaders about the organization’s purpose and brand strengthens employees’ understanding. When it comes to leadership, tone at the top is critical to laying a foundation for mitigating fraud risks.
Leaders both need to model ethical behavior and communicate its importance to the organization at large. In doing so, effective governance and consistent, open communication that occurred throughout the organization can work to effectively mitigate fraud risk.
The second driver of high-performance culture is values and rituals. Clear, actionable values help employees navigate crises and can align their decision-making with the organization’s mission. When employees’ personal values align with the values of the organization, it comes a little bit easier, and those employees are more likely to behave ethically and adhere to expected standards.
The third driver of high-performance culture is work teams and structures. It’s really important to invest in employee development and well-being in order to drive a high-performance culture. I mentioned the importance of tone at the top. Often that comes across as only referring to senior leadership, but we shouldn’t forget how important middle managers are in building and affirming organizational cultures because they’re the people who interact daily with employees. What they say and how they act has a strong influence on the organizational culture as a whole.
The fourth driver of high-performance culture is human capital. A supportive and engaging work environment boosts employee satisfaction and productivity. Employees who feel a lack of engagement or feel disconnected from their organization’s culture and values may more easily rationalize unethical behavior. I use the word “rationalize”; rationalization is one of those three elements of the famous fraud triangle, which has been around for a long time at this point. Providing support and optimizing engagement in employees is a good way to mitigate the rationalization aspect of fraud risk.
The fifth and final driver of high-performance culture is performance. Regular feedback and recognition are crucial for maintaining high performance and motivating employees. Internally, organizations may inadvertently increase fraud risk by placing excessive pressure or unrealistic performance or sales goals on employees. This can be especially true when bonuses, promotions, compensation, those types of things are tied to aggressive metrics. Pressure is another one of the three elements of the fraud triangle. Providing realistic performance goals, recognizing employees for achieving those goals, and making sure that employees know that achieving goals through unethical or fraudulent means won’t be rewarded are good ways to promote a positive organizational culture.
Just to wrap up the five drivers of high-performance culture, I think what is clear from those is that culture affects how employees perceive the organization and their role in it, which in turn influences their behavior and drives the performance of the organization as a whole.
Amato: We will provide a link in the show notes to this quarter’s report, and in that the listeners, the readers can get a lot more information on it. You mentioned the fraud triangle. Can we talk about that just briefly? I’m not sure we hit on all three points, and I think I remember them, but I’ll let you fill me in on what those three are.
Miller: Sure. We talked about two of them, at least, and maybe the third one was embedded in there as well, but the fraud triangle is [composed] of the opportunity, pressure, and rationalization. This is a concept that has been around since, I want to say the 1950s, that is helpful in understanding if those three elements are present, then you may have an increased risk of fraud.
Amato: That’s great. Thank you. We’ll get back into some of those maybe other indicators of a culture that enables or allows fraud.
One way I’d say employees feel culture is if they don’t feel micromanaged. But obviously, organizations, managers, they have to maintain some checks and balances when it comes to fraud risk. How can those leaders and those organizations balance giving workers autonomy while still maintaining proper oversight?
Miller: Yeah, I think it’s a very important and challenging thought. You’re right that autonomy and oversight should be balanced to create an environment that promotes engagement and opportunities for employees while providing clear guidelines and expectations. Again, as a forensic accountant, I tend to look at this question from the perspective specifically of fraud risks and fraud prevention.
I think a really good place to start is to consider that in order to be able to grant autonomy, it’s important that employees are first trained to understand the organization’s commitment to ethical behavior and the rules and values that exist and that they’re made aware of the relevant internal controls in place to monitor that behavior. Regular ethics and anti-fraud training is crucial.
It should be customized to the organization and the group of employees receiving the training. If employees are trained to understand the standard of conduct that is expected of them, they can be given autonomy to perform their job responsibly if the element of trust exists. That may look different in different parts of the organization. It may not make sense to grant an entry-level employee the same level of autonomy as a manager.
You may decide it’s OK to allow autonomy at lower levels for more routine decisions, while reserving autonomy at higher levels for the more strategic or high-impact decisions. I think employees are trained to understand those expectations, rules, and boundaries. It’s important that employees have the opportunity to report unethical behavior and that they trust that those reports will be taken seriously.
I think that this is a really important aspect in mitigating fraud risk. That includes providing reporting channels such as whistleblower and ethics hotlines that employees can use to confidentially report suspected violations or breaches of ethical conduct. Whistleblowing remains one of the most effective ways to uncover fraud and identify other wrongdoing.
Employees have to feel confident that those reports are going to be taken seriously if they’re going to report that they identify that there’s potential misconduct occurring. In any organization, the balance between autonomy and oversight should be considered as part of the assessment of the organization’s fraud risk overall and tailored to both the organization and the specific, relevant risks of fraud that have been identified.
Amato: That’s a great summary. Thank you for that. In our previous JofA FVS Eye on Fraud focus, I talked to David Zweighaft, and one of the cases we mentioned was the Rita Crundwell/Dixon, Illinois, fraud. I’m wondering if there are any high-profile examples specifically of poor culture leading to fraud.
Miller: We do discuss a few examples in the article, and there are certainly several instances of high-profile cultural breakdowns linked to the occurrence of fraud. I think a couple of interesting examples are Theranos, which I’m sure many of the listeners have heard about, but that involved the falsification of test results and the misleading of investors and patients about the technology’s capability. I think some of the reports about the culture that existed at the time just created a culture of fear and people not being willing to speak up about what they were seeing because they were concerned about how those reports would be handled.
I think another interesting example is Wells Fargo, with the issue that was uncovered several years ago with employees opening customer accounts and issuing debit or credit cards in customers’ names without their authorization. I think if you look again at the culture underlying some of those issues at the time, what was identified is that the company put undue pressure on employees to meet sales goals and tied performance incentives to those goals without ensuring that proper safeguards existed to mitigate misconduct.
The company’s control functions and risk-mitigation procedures were conducted within a decentralized organizational structure, which led to a lack of oversight and a failure to identify that this wasn’t an isolated problem. It was really a systemic problem within the organization. Then finally, I think, in that instance, senior leadership failed to adequately respond to the risks involved or the reports of misconduct again.
Amato: In general, what would you say are some indicators of a culture that could be classified as fraud-prone?
Miller: Sure. Those indicators are certainly organization-specific, but there are some themes that I think are helpful to think about and discuss, and I can mention a few of those. I think they really revolve around employee experiences, processes, and controls, and employee attitudes or mindsets.
One of the first things that comes to mind is high employee turnover. Employee dissatisfaction or disengagement can lead to the rationalization of fraudulent conduct. If you see high employee turnover, it can be an indicator that there may be employee dissatisfaction or disengagement within the organization. Then I think, on the other hand, persistent understaffing or failure to retain qualified staff can also enable fraud, due to inadequate supervision or inexperience. I think those are reasons why high employee turnover can be an indicator of a weak or toxic culture within an organization.
Another thing that comes to mind and I think appears as a team is lack of diversity in thought. Groupthink can emerge when teams do not leverage different backgrounds or perspectives, and that can lead to the failure to question decisions or recognize ethical concerns or challenge misconduct. I think that it’s important for organizations to consider that when accumulating and developing teams, that lack of diversity is important and plays a role in the risk and fraud mitigation within an organization.
I think we’d be hard-pressed to talk about culture and fraud without mentioning internal controls. Weak internal controls can create gaps that fraudsters exploit, and in a negative culture, employees can disregard controls altogether. If controls aren’t designed properly or operating effectively, that can be an indicator of a weak culture that’s vulnerable to fraud.
Then the final thing that I’ll mention is, again, the rationalization of unethical behavior. That behavior could become normalized if organizations reward results over integrity or fail to hold individuals accountable for misconduct. How organizations set goals and reward the achievement of those goals can be an indicator of fraud-prone culture.
Amato: Those are really good points, and again, we will link to the full FVS Eye on Fraud report in the show notes for this episode, along with other pertinent FVS resources. Carey, anything you’d like to add in closing? We appreciate having you on today.
Miller: No, I appreciate you taking the time and having this important conversation. Thank you.
Amato: Carey Miller, thanks again.