Enron had a code of conduct. Enron had a hotline. And in the end, Enron had fraud. Today, companies operate with a false sense of security because they either don't have a fraud prevention program or the program they have is a legal, yet ineffective "fig leaf."
"One key to fraud prevention is to create an atmosphere where employees feel confident in reporting wrongdoing without being victimized, even if executives appear to be involved," explains Toby Bishop, president & CEO of the Association of Certified Fraud Examiners (ACFE), the largest anti-fraud association in the world. "If companies don't have effective fraud prevention programs, they are at risk of failure," says Bishop.
Years ago, working as a consultant, Bishop tested the effectiveness of an existing fraud prevention program for a major utility company. Management thought their program was working and wanted confirmation. Bishop's firm surveyed a statistical sample of employees to assess their feelings about management's commitment only to discover that employees in one division did not believe management wanted to "do the right thing," says Bishop.
"If employees perceive their company's fraud controls to be weak or if they think management is only giving lip service to ethical behavior, fraud is inevitable," Bishop warns.
In 2002 fraud prevention was one of the goals addressed in the Sarbanes-Oxley Act (SOX), legislation that affects how public organizations and accounting firms deal with corporate governance, financial reporting and public accounting. The effect of SOX has been far reaching, leading to voluntary changes in private companies and mandatory changes in public companies. But is it preventing fraud? "It may not be as effective as people expected," Bishop answers.
Over the past 18 months Bishop has taught several thousand participants how to use the ACFE's Fraud Prevention Check-Up, a tool that identifies major gaps in organizations' fraud prevention processes. None of the participants thought their organization would pass the test, which means they are at significant risk of fraud.
Bishop says while Sarbanes-Oxley invokes a basic framework for internal controls, including anti-fraud controls, additional specifics are needed to address controls to prevent fraud. "There is a definite gap in the standards used to establish fraud prevention controls, if companies use them at all."