The outbreak of COVID-19 (coronavirus) has resulted in an unprecedented increase in fraud and corruption. A fraud contributing factor, unique to this crisis, is the reduced oversight and control due to the decentralized way of remote working both internally and across the supply chain (e.g. third parties). This continues to expand the opportunities for fraud, particularly when coupled with the increasing complexity of global organizations in terms of technologies, financial transactions and processes, global supply chains and third party relationships. At the same time, the regulatory landscape is increasingly complex while regulators are enforcing larger fines and penalties are being issued like never before.
Audit committees have to address the various fraud and corruption risks head-on, ensuring that appropriate safeguards are in place and that whistle-blowing channels are both fit for purpose and working as intended.
The impact of COVID-19 on fraud trends
COVID‐19 has had unthinkable impact on our society and the world economy faces an economic downturn. Organized crime has been quick to respond, mounting large scale orchestrated campaigns to defraud customers, preying on fear and anxiety. Within organizations worldwide, we have seen an increasing rise in fraud and corruption as COVID-19 distracts business from internal control and creates a working conditions in which all three classic fraud indicators – opportunity, motive, and rationalization – coincide.
Our experience of the previous crisis suggests that in such times, management could resort to creative accounting techniques to draw a better picture of the business performance and/or its balance sheet. This is particularly relevant where the management is incentivized by reference to the underlying performance or is target pressured. This increased pressure could motivate the management to misuse company assets or make false applications to government relief packages available.
Another fraud contributing factor is the remote working of organizations’ workforces, which has put internal controls under greater pressure. Financial controls are not adapting well to the mass remote working environment. Segregation of financial functions are vulnerable to override, the ability to verify if goods or services have been received is impeded and hasty system work-arounds to get things done are becoming more common.
All these factors and heightened pressures potentially compromise the overall integrity of a business’ control framework. The audit committee should therefore be proactive and urge management to review their existing fraud risk and control environment and to implement increased transactional reviews, exception reporting and/or other controls in order to adjust to new realities arising from COVID-19.
Audit committee oversight essentials
While the ultimate responsibility rests with the board as a whole, audit committees are typically tasked with the principal oversight of fraud, misappropriation and whistleblowing systems, with the direct responsibility for anti-fraud efforts generally residing with management, including internal audit.
As an important first step to its fraud risk oversight, the audit committee should make sure management has fraud risk management right. The audit committee must be properly informed and actively engaged in overseeing the process while avoiding taking on the role or responsibilities of management. To this end, it should seek input from legal counsel, internal and/or external audit.
The audit committee should seek to ensure that management has considered all risks that are likely to have a significant financial, reputational, or regulatory impact on the organization. For any such risks, a rigorous assessment of the relevant internal controls – including their ability to detect or prevent fraud – should be made. Effective monitoring of these internal controls and periodic re-assessments of their effectiveness are key elements to stay abreast, together with management’s active engagement in the process.
Weak internal controls was the root cause of 61% of the fraud cases we studied.
The audit committee should consider whether effective fraud awareness programmes are in place, updated as appropriate and effectively communicated to all employees. Also, the need for periodic fraud awareness training for all employees should be stressed. Importantly, the audit committee must be equipped to assess, monitor, and influence the tone at the top to aim at enforcing a zero-tolerance approach to fraud. The audit committee should be sensitive to the various business pressures on management – to meet earnings estimates and budget targets, meeting incentive compensation targets, hiding bad news, etc. – and how small adjustments can snowball into bigger problems.
The audit committee’s objective should be to ensure that arrangements are in place for the receipt and proportionate independent investigation of alleged or suspected fraudulent actions and for appropriate follow-up action. Whistle-blowing procedures are a major line of defence against fraud, and audit committees have a role in ensuring such procedures are effective.
Over 58% of fraud cases are detected by tip-offs (e.g. whistle-blowing reports) or internal audit.
The importance of whistle-blowing systems has recently been underlined by the European Council of Ministers, who, on 7 October 2019, formally adopted a new Directive on the protection of persons reporting on breaches of Union Law. The new Directive will require all legal entities in EU Member States to adhere to certain minimum standards for protection, and obliges the creation of safe channels for reporting – both within an organization, private and public, and towards public authorities (for more information, click here). While this Directive is not yet codified into Belgian law (as of June 2020), organizations are starting to adopt it as a matter of good governance.
By focusing on fraud risk management and whistle-blowing channels – and considering it within the context of the organization’s overall approach to enterprise risk management – the audit committee can help strengthen internal controls, financial reporting, and corporate governance.
Symptoms of potential fraud
- Overly dominant senior executives with unfettered powers and highly leveraged reward schemes.
- Frequent changes in finance, other key personnel, or auditors.
- Individuals with lifestyles or habits potentially at variance with the remuneration they receive.
- Implausible explanations as to surpluses, or projections that are “too good to be true”.
- Organizations “bucking the trend” or significantly outperforming the competition.
- Aggressive accounting policies and frequent changes thereto.
- Overly complex and/or opaque corporate structures.
Barriers to effective whistle blowing
- Operational – Is the whistle blowing process fully embedded within the organization? Do all staff members know what to do; what to look for? Do the hotlines and reporting lines actually work?
- Emotional and cultural – Whistle-blowers are commonly viewed as snitches, sneaks, grasses, and gossips. This perception can make it difficult to blow the whistle even though individuals recognize that it is good for the company, employees, shareholders, and other stakeholders.
- Fear – Potential whistle-blowers often fear reporting incidents to management. Areas such as legal protection, fear of trouble and potential dismissal all play a part when an individual is considering whistle-blowing.
Key questions for audit committees to consider
Fraud risk oversight
- Is management taking sufficient responsibility for the fight against fraud and misappropriation? Is the tone from the top unequivocal in insisting on an anti-fraud culture throughout the organization?
- Has management considered the effectiveness of the anti-fraud organization in response to the new way of working, following the COVID-19 pandemic?
- Do record-keeping policies and procedures minimize the risk of fraud?
- Are appropriate diagnostic assessments of fraud risks performed and updated periodically?
- Are all significant fraud risks properly included in the enterprise risk management approach, linked to relevant internal controls and monitored?
- Do codes of conduct contain adequate, user-friendly and up-to-date behavioral guidelines in respect of fraud and other misconduct? Are they adopted across the organization and do they apply evenly to business partners and subcontractors?
- What is the level of assurance gained related to the effectiveness of anti-fraud controls by management, internal and/or external audit and is it appropriate in the circumstances?
- Are anti-fraud controls designed to detect or prevent financial reporting fraud from the early stage (i.e. before small adjustments snowball into bigger issues)?
- Are fraud-tracking, monitoring systems, and response plans in place? Are they fit for purpose?
- Do staff members at all levels have appropriate skills to identify the signs of fraud and do they receive fraud awareness training relevant to their role?
- Are whistle-blowing policies and procedures documented and communicated across the organization?
- Does the whistle-blowing policy ensure that it is both safe and acceptable for employees to raise concerns about wrongdoing?
- Were the whistle-blowing procedures arrived at through a consultative process? Do management and employees “buy into” the process? Are success stories publicized?
- Are concerns raised by employees (and others) responded to within a reasonable time frame?
- Are procedures in place to ensure that all reasonable steps are taken to prevent the victimization of whistle-blowers and to keep the identity of whistle- blowers confidential?
- Has a dedicated person been identified to whom confidential concerns can be disclosed? Does this person have the authority and statute to act if concerns are not raised with, or properly dealt with, by line management and other responsible individuals?
- Does management understand how to act if a concern is raised? Do they understand that employees (and others) have the right to blow the whistle?
- Has consideration been given to the use of an independent advice center as part of the whistleblowing procedures?
- In cases where no instances are being reported though the whistle-blowing channel, did management reassess the effectiveness of the procedures?
About the BLC
The Board Leadership Center offers non-executive and executive board members and those working closely with them (including CROs and Heads of Internal Audit) a place within a community of board-level peers and access to topical seminars and ‘lunch and learn’ Board Academy sessions, invaluable resources and thought leadership, and lively and engaging networking opportunities.