Fraud Part III: You discovered fraud in your organisation! Now what?
Following the first article of this series, which described the human factor in fraud, the second article described the different kinds of fraud that can be found in a business context. This third article will explain how to deal with a freshly discovered fraud in an organization and what specific steps should be taken next.
To illustrate possible reactions to the discovered fraud, we’ll describe three different situations:
- The fraudulent activities only involve assets within the organization and neither clients nor suppliers are directly affected. For example, theft of paid inventory, travel expense fraud, overstating the value of warehouse stock and so on.
- The fraud is related to interactions with customers and/or suppliers and/or lenders. For example, overstated invoices to clients, alleged quality defects during goods receiving, balance sheet falsification and so on.
As in Case II but the company is already in restructuring and is critically endangered by the fraud.
Let’s begin with Case I: If you have learned that someone has „only“ been faking travel expenses, this is probably not relevant for the existence of the company. The questions are „how did you learn of the fraudulent activity?“ and „is there actually fraudulent activity or are there only accusations?“ Confirm the accusations with documentation and follow the individual steps of the fraudulent process in order to understand it. Was it one single event, conducted by one person, or was there an error in a process? Are there additional instances? If you have a management role in your organization, make this your priority and show that you are actively pursuing this subject and absolutely will not accept such activity whatsoever. Demand regular reports on what steps have been taken to prevent this kind of fraud, which audit routines have been implemented and what potential tax consequences could result from the fraud. Another important question is „who must be informed?“ Your tax advisor and/or auditor will decide if the corrections that may be necessary are significant and will have larger repercussions. There is no general rule here and depends on the specific situation. Should employment consequences be necessary, consult a legal expert.
Case II is more complex because external parties are involved. Let’s be honest: who wouldn’t want to just bury the whole thing? Either you don’t want problems with the customer and have to listen to complaints at the next contract negotiation, you certainly don’t want the reverse situation with your suppliers and who wants problems with the auditors or the banks? Unfortunately it’s just not that simple. Before you subject yourself later to a punishable offence, communicate proactively with your business partners. Present a plan with verifiable measures to re-establish mutual trust. You should assume that your business partners will generally be overwhelmed, unless your client is a mass producer who has many suppliers himself. In the case of falsifying the balance sheet, you should proceed more subtly. Your auditor will determine with you whether corrections to the balance sheet can be made in the following year or if the fraud is so grave that the audited annual results and published annual report are no longer true representations of the current situation.
At this point it is important to add that in the course of a conventional annual audit, the auditor does not and cannot specifically check for fraudulent activity. This is also noted in the general terms and conditions of the audit report. The Institute of Financial Auditors in Germany publishes professional standards (including auditing standards PS) for the conduct of audits in Germany. Audit Standard PS 200 (General Standards and Goals for Conducting Annual Audits) defines the premise of sufficient reliability such that the annual audit does not guarantee absolute reliability and is not a guarantee that incorrect statements based on incorrect values or breaches will be discovered by the auditor. Audit Standard PS 210 (Exposure of Breaches in the Course of the Annual Audit) defines breaches as incorrect statements in the financial report based on intentional violation of statutory or accounting regulations. No auditor will assume that reporting has been intentionally manipulated in an organization, in spite of his skeptical nature. This is the same concept with the AICPA of the United States of America, and frankly spoken worldwide the same concept.
Case III is total stress!
In a more seldom but more dramatic example, we assume that the recently discovered fraud or fraudulent action is so dramatic that it could have broad consequences for your company. A simple but accurate metaphor for this situation is an airplane in flight. With no speed or forward motion, the plane has no lift and will crash and you have to keep the turbines turning at all costs. Business operations and communication are your turbines and if you don’t keep them running, you may suffer the same fate.
In the course of his professional experience, the author has been in exactly this unfortunate situation several times, in Germany and abroad.
Don’t panic: Evaluate everything objectively and remember to „fly the plane“. In this situation you are already in a restructuring phase and it can be assumed that you already have problems with suppliers and lenders.
If you conclude, either on your own or with external help, that fraudulent activity is so pervasive that the continued existence of the company is endangered then I recommend immediately contacting your auditor or, in a company not subject to audits, your tax consultant. Experience shows that although one fraud has been identified, further fraudulent activities can exist beneath it. It is not unusual for top management, in trying to prevent the crisis that led to restructuring, to resort to manipulation or other related measures.
It is now your job to investigate not only how large the damage really is but also who (internal or external) took what actions that led to the damage, who already knows about it and who should be informed right away. All investigations need to be conducted in parallel and need to be managed by you. Keep the number of people involved as small as possible. There’s no other way to say it – this will be pure stress for you. Either manage it by yourself of get professional, objective external support.
If the fraudulent activity occurred in a previous period for which an annual audit report with certification exists, then it is possible, in extreme cases that the auditor will withdraw his opinion (the reported result of his completed audit) and a new audit with a new focus based on new information must be conducted. Usually you will pay the auditor for this service.
The next question is: Who should be informed first? Should you wait for further results or inform certain parties now? There is no standard answer to these questions. If the existence of your company is endangered, then the risk for your business partners – customers, suppliers, lenders – is higher, also. The question „who must be informed?“ depends on the individual situation.
If your company supplies a large manufacturer, e.g. a car maker, then it is self evident that the delivery chain cannot be disrupted. This means the customer must be informed and your customer’s purchase managers will be forced to hand the situation to their own supply risk managers. These are professionals who know the situation and may be able to give you some good tips, in my experience. The procedures require a delicate touch but the advantages are clear: If you don’t inform your customer and the supply chain is disrupted, your image can be permanently damaged. If you do inform your customer and maintain constant communication, things could turn out all right. Naturally, there is no guarantee.
A company in restructuring will usually not have sufficient liquidity and will most likely be under careful scrutiny by its suppliers, who may only deliver upon prepayment. You will need to find a compromise with your suppliers and with all parties involved. Good communication is necessary here.
If your company is already under intense scrutiny by the „distressed loan“ group, then these lenders should also be informed. You will experience massive differences in the professional reactions by lenders to this situation.
A further risk that should not be underestimated is that information will flow through unwanted channels inside the organization and feed the rumor mill. Key personnel may leave the company in panic under the assumption the company has no future. You can only avoid this if you are entrusted with stabilizing the company by strict management in order to survive this extreme crisis.
As mentioned above, several activities are running in parallel and you are performing active crisis management. You may enlist support from legal experts for specific issues, such as activating a D&O insurance policy – whjch usually does not provide protection in cases of intentional fraud.
If the state attorney’s office is involved then you may no longer be in control of the situation and the risk of disrupting the company’s operations increases, as well as the risk of negative publicity. Naturally this will depend on the individual situation and cannot be considered a general rule.
A multi-dimensional crisis situation such as this one can also turn out well and the author wishes you success.
The fourth article in this series will present a few of the more simple and easily implemented measures to prevent or reduce fraud in an occupational setting.
Stay tuned!
Dr. Michael-A. Leuthner studied mechanical engineering and economics, writing his doctorate with a professor for financial auditing. In addition, he holds the following qualifications:
- Certified Public Accountant (State of Washington)
- Certified Internal Auditor
- Certified Fraud Examiner
- Certified Financial Services Auditor
Focus of Dr. Leuthner’s work is restructuring and fraud discovery and prevention in international firms around the world.
E-mail: leuthner@cpa-leuthner.com