COVERING THE BASES: RISK ASSESSMENT & LEGAL ISSUES

INTEGRATING PREVENTION AND DETECTION WITH COMPLIANCE RISK ASSESSMENT

Compliance risk assessment is the cornerstone of effective fraud prevention and detection and has recently taken on greater importance for public and private organizations because of increased enforcement activity by federal and state regulators. This presentation will cover why organizations need a compliance program, the critical components, the practical benefits for having such a program, and best practices gained from having effective compliance and ethics programs. The presentation emphasizes an integrated approach between fraud deterrence, detection, and prevention on the one hand and a compliance and ethics program on the other.

WALTER PAGANO, CFE, CPA, CFF Partner EisnerAmper LLP New York, New York

Walter Pagano is a Partner in the Litigation Services Group and Tax Controversy Practice. He has more than 35 years of diversified and relevant litigation consulting and forensic accounting experience. He has testified in federal and state courts, as well as at arbitration hearings, and has served as a federal, state, and bankruptcy court appointed forensic accountant and special fiscal agent. Walter’s experience, knowledge, and expertise enable practicing attorneys and corporate counsel to rely on his objective and independent critical thinking and judgment as a source to ascertain the financial facts in a wide variety of civil and criminal cases that have included white-collar crime, internal investigations, adequacy of internal controls, commercial litigation, civil and criminal tax controversy, internal and external fraud schemes, fraud, shareholder and matrimonial disputes, guardianship litigation, accounting malpractice and third-party asset misappropriation. Walter has served as an expert witness in diverse cases such as IRS practice and procedure, breach of accounting and tax representations and warranties, damage calculations, criminal tax prosecutions, and guardianship accounting.

Prior to joining the firm, Walter served as Partner-in-Charge of Litigation Consulting and Forensic Accounting at another public accounting firm. His background also includes serving 10 years as a revenue agent with the United States Treasury Department, Internal Revenue Service (IRS). In this position, Walter conducted forensic and tax audits of businesses and individuals, and also trained revenue agents and criminal investigation special agents in the applicable provisions of income tax law. In addition, he was an appeals officer, co-authored the IRS’s Commodity Tax Shelter Training Manual, examined abusive tax shelters, and assisted federal prosecutors as a forensic accountant in prosecuting various tax crimes.

Walter is a frequent guest speaker on topics such as forensic accounting, IRS investigations and white-collar crime. He received his B.S. from Saint Joseph’s University and master’s degree from New York University. He is a member of the American Institute of Certified Public Accountants (AICPA), New Jersey Society of Certified Public Accountants (NJSCPA), New York State Society of Certified Public Accountants (NYSSCPA), American Bar Association (ABA), and Association of Certified Fraud Examiners (ACFE).

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc.

INTEGRATING FRAUD PREVENTION AND DETECTION WITH COMPLIANCE RISK ASSESSMENT

Introduction

Public and privately held organizations, including not-for-profits, face numerous daily challenges to their core principles and values; mission statement; federal, state, and local regulations; compliance and ethical environment; and professional standards. The challenges come from within as well as from outside the organization. For example, directors, officers, employees, vendors, customers, and competitors, acting either independently or in combination with one another, pose compliance and ethical risks to the organization that must be vigilantly and regularly identified, analyzed, assessed, and managed.

Acting with integrity is among an organization’s most cherished core values. Without integrity as a core component of its principles and values, an organization can face civil or criminal sanctions for violating not only its core values, but also its ethical and professional standards; federal, state, and local laws and regulations; and its very own policies and procedures. As is well known and generally accepted, an organization’s unblemished reputation and record for compliance and ethics are critical attributes that it must foster and nurture among its employees, regardless of their position, and among its vendors, contractors, and customers. This is done to demonstrate to federal and state regulators, law enforcement, the marketplace, and the general public the organization’s commitment to maintaining compliance and ethics programs. The integration of effective fraud deterrence, detection, and prevention programs with compliance and ethics programs serves to demonstrate this commitment.

22nd Annual ACFE Fraud Conference and Exhibition ©2011

The objective of this presentation is to make the case for the value proposition that organizations must have these programs and should integrate them.

Background and Historical Perspective About Fraud, Compliance and Ethics

The vast majority of organizations that are concerned about deterring, detecting, and preventing fraud have programs in place to combat occupational fraud as well as internal and external fraud schemes. But all too often, their programs fail in large measure due to the misbehavior of senior executives and middle managers, as well as employees who override and/or circumvent the organization’s control environment. During the previous decade, examples abound to demonstrate this phenomenon.

• In 2000, Lernout & Hauspie, a Belgian company, engaged in fictitious transactions in Korea and improper accounting methodologies in other countries.
• In 2000, Xerox, a U.S. company, falsified financial results.
• In 2002, AOL, a U.S. company, inflated sales.
• In 2002, Bristol-Myers Squibb, a U.S. company, inflated revenues.
• In 2002, U.S. companies CMS Energy, Duke Energy, Dynegy, and El Paso engaged in round-trip trades.
• In 2002, Merrill Lynch, a U.S. company, engaged in a conflict of interest.
• In 2002, Peregrine Systems, a U.S. company, overstated sales.
• In 2002, Tyco International, a Bermuda company, engaged in improper accounting.
• In 2002, WorldCom, a U.S. company, overstated cash flows.
• In 2003, Parmalat, an Italian company, falsified accounting records.

• In 2004, Chiquita Brands, a U.S. company, made illegal payments.
• In 2004, AIG, a U.S. company, structured financial transactions.
• In 2008, Bernard L. Madoff Investment Securities, a U.S. company, engaged in a massive Ponzi scheme.
• In 2009, Satyam Computer, an Indian company, falsified accounts.
• In 2010, Lehman Brothers, a U.S. company, failed to disclose Repo 105 transactions to investors.

The above cited examples illustrate different accounting and business scandals caused by the misbehavior of just one or a few individuals. Oftentimes, driven by their own zeal for self-enrichment, and perhaps unjust enrichment, these individuals devised simple as well as complex methods to (1) misappropriate assets; (2) accelerate or overstate revenue; (3) defer or understate expenses; and (4) misrepresent the value of assets or liabilities.

In the several months preceding this conference, the scandals that plagued the previous decade have not diminished. In fact, they have continued with regular frequency. For example, in March 2011, the following misbehavior by individuals was reported in the press:

• A former Wachovia Bank manager in Virginia pleaded guilty to stealing $14.1 million from bank clients over seven years by persuading them to invest in a bogus wealth-management account.
• A former top Fry’s Electronics executive charged with shaking down vendors in an elaborate multi-million dollar kickback scheme reportedly pleaded guilty.
• An Indiana pharmacist faces a possible 10-year prison sentence if convicted of health care fraud and money laundering in a scheme that netted him more than $3.57 million, federal prosecutors say.
• The owner of an Illinois-based technology company pleaded guilty in a plot to bribe school officials in Louisiana in exchange for the award of computer contracts.
• The Securities and Exchange Commission filed a complaint against Steven T. Kobayashi alleging that between 2006 and 2009, Mr. Kobayashi, a financial advisor and at the time a broker in the Walnut Creek, California office of UBS Financial Services, Inc., defrauded his customers out of millions of dollars.
• The Securities and Exchange Commission filed a complaint against Lawrence R. Goldfarb and Baystar Capital Management, LLC alleging that since at least 2006, Mr. Goldfarb, a San Francisco Bay Area hedge fund manager, and Baystar Capital Management misused and secretly diverted $12 million in proceeds that belonged to a fund to other entities owned and controlled by Mr. Goldfarb.
• The Securities and Exchange Commission filed a complaint against Ian J. McCarthy alleging that Mr. McCarthy, president, chief executive officer, and board member of Beazer Homes USA, Inc. (“Beazer”), failed to reimburse Beazer for cash bonuses, incentive and equity-based compensation, and profits from his sale of Beazer stock received during the 12-month period following the issuance of Beazer’s quarterly and annual financial statements for its fiscal year 2006. Beazer was required to restate those financial statements due to a fraudulent earnings management scheme perpetrated to artificially inflate Beazer’s income and earnings during its fiscal year 2006.

The Value Proposition: Why Integrate? Why Care?

Looking back over the past 30 years of significant business scandals and misbehavior by executives, employees, customers, and vendors brings to mind the following well-known offenders and violators:

• Barry Minkow – ZZZZ Best (1986)
• Michael Saylor – MicroStrategy (2000)
• Sanjay Kumar – Computer Associates (2000)
• Kenneth Lay, Andrew Fastow, and Jeffrey Skilling – Enron (2001)
• John Rigas – Adelphia (2002)
• Samuel Waksal – ImClone Systems (2002)
• Dennis Kozlowski – Tyco International (2002)
• Bernard Ebbers – WorldCom (2002)
• Calisto Tanzi – Parmalat (2003)
• Richard Scrushy – HealthSouth (2003)
• Bernard Madoff – Bernard L. Madoff Investment Securities (2008)

Although greed played an important role in the above scandals, arguably the common denominator present among the above individuals and organizations is the organizations’ failure to have a fraud program integrated with a robust compliance and ethics program. How can an organization expect to deter misdeeds and misbehavior if it does not have a compliance and ethical environment in which to set standards?

Organizations should care about maintaining robust compliance and ethics programs because failing to maintain them as standard setters, in conjunction with effective fraud deterrence, detection, and prevention programs, further encourages misbehavior and contributes to occupational fraud and abuse and to internal and external fraud schemes. More fundamentally, organizations should care about compliance and ethics because an organization’s core principles, values, and mission statement are basic, internal “standards” by which it is judged, in addition to the external rules, regulations, and statutes that regulators, law enforcement, and others use to judge an organization’s and its employees’ behavior. The above cited examples clearly bear this out.

On a very practical level, organizations should also care about compliance and ethics in this day and age of more regulation and oversight because (1) compliance and ethics, as a general proposition, are expected to be priorities practiced by organizations; (2) they are part of Enterprise Risk Management; (3) public and private organizations are experiencing increased enforcement activity by regulators such as the SEC, OCC, and CFTC and by law enforcement; (4) in-house counsel, now more than ever, is subject to liability for an organization’s failure to comply; and (5) they serve to protect an organization, especially one that contracts with federal, state, and local governments, from the bad apple or rogue employee.

Throughout this presentation, we have been discussing human behavior. Violations of an organization’s compliance and ethics policies and procedures have many causes. Among the most recent causes are: (1) market collapses; (2) credit freezes; (3) institutional failures; (4) internal factors; (5) domestic and foreign corrupt practices; and (6) the misperception that there is no return on the investment made to have a robust compliance and ethics program as a standalone program or integrated with an effective fraud program.

Some of the consequences of not having an integrated approach as a solution to mitigating misbehavior such as criminal violations, negligence, breach of fiduciary duties, self-dealing, stealing, embezzlement, and conflicts of interest are (1) greater attention and scrutiny by regulators and law enforcement; (2) prosecutorial activity; and (3) more regulation, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act.

If an organization fails to control human behavior within its internal and external environments, financial damage will result, along with increased exposure to criminal conduct.

The argument most often made against having a robust compliance and ethics program is cost. So the bottom-line question is: does its cost outweigh its value to an organization? Said another way, is the hypothesis true that a compliance and ethics program has little or no value to an organization? Let’s analyze this value proposition hypothesis.

Does Your Organization Have a Compliance Program?

Before answering whether there is a value proposition to an organization’s compliance program, let’s identify the basic characteristics of a compliance program. A compliance program must be proactive rather than reactive. This essential attribute means that an organization’s compliance program must (1) clearly state policy; (2) train employees, regardless of their position, about the organization’s policies, procedures, and ethical and legal requirements, essentially tailoring training to compliance risks; (3) provide a reporting mechanism, including anonymous whistleblower and hotline procedures; and (4) regularly audit, assess, and manage the program in order to deter, detect, and prevent misbehavior that could result in civil and/or criminal sanctions.

The ultimate goal of a compliance and ethics program integrated with an organization’s fraud detection and prevention program is to promote, nurture, and reinforce its compliant and ethical environment. An organization’s board of directors and senior management must create and implement an ethical environment by setting the right tone at the top with high-level oversight. An organization’s board of directors must provide the organization with adequate resources; identify its major, as well as near-miss, risks, including current and potential ones; monitor program effectiveness; and ensure that its managers are setting the right tone. Compliance programs must be tailored to the specific organization. One size does not fit all organizations.

Who Needs a Compliance and Ethics Program?

It is not an overstatement or hyperbole to suggest Everyone! However, there are certain organizations that are especially vulnerable if they do not have an effectively integrated program. For example:

• Public companies
• Federal, state, and local government contractors
• Organizations that deal with foreign governments
• Organizations that operate in “risky” foreign countries
• International businesses and importers
• Regulated businesses
• “Political” organizations such as lobbyists and campaigns

The Value Proposition

There are practical reasons to argue in favor of the value proposition that an organization must promote an integrated approach to compliance and ethics. Let’s raise the following questions:

• Does the organization need a scandal?
• Does the organization need the government on its back?
• Can the organization afford internal corruption?
• Does the organization need to incur fines and penalties?
• Does the organization need to be a signatory to a deferred prosecution agreement?
• Does the organization need for one of its executives to be in jail?

Clearly, the answers to these questions are an unequivocal and resounding No! By answering no to these questions, the organization (1) demonstrates that it is a good corporate citizen; (2) eliminates professional fees to defend an unwanted civil or criminal complaint; (3) boosts morale; (4) reduces occupational fraud and abuse; (5) removes the cost of failing to have a compliant and ethical environment; and (6) argues convincingly in favor of the value proposition.

The primary argument against the value proposition is that the “return on investment” for the program is not quantifiable, or is not worth the effort because the cost is too high. This argument is meritless on its face because it strongly suggests that the organization is managing its compliance and ethics expenses without regard to enhanced regulatory authority and oversight and the prospect of increased penalties for non-compliance.

It is no secret, for example, that the SEC’s and other regulators’ focus is on compliance and ethics and, ultimately, on whether an organization is misbehaving by making expense management a priority at the expense of compliance. Cutting corners will ultimately lead to compliance and ethics failures. The response to the argument against the value proposition is that the organization must tailor its budget to its compliance risks, rather than derive a budget arbitrarily and then tailor its compliance and ethics program to that budget.

Tailor an Organization’s Budget to Its Compliance Risks

Before an organization can tailor its budget to its compliance risks, it must identify, analyze, and assess its compliance and ethics risks by:

• Identifying all applicable laws and regulations that the organization must comply with
• Identifying all of its ethical requirements and obligations

Simply stated, an organization must assess the compliance risks that it faces in conjunction with its fraud deterrence, detection, and prevention program; rank the risks; and develop an action plan to address risks such as violating its Code of Conduct or laws and regulations. An organization determines its compliance risks by communicating with its people.

The “Talk to Your People” methods that an organization should use to identify, analyze, and assess compliance risks are indispensable because they draw on personnel for input, feedback, comments, and suggestions. They include the following:

• Employee surveys
• Focus groups
• Executive and management interviews
• Gap analysis
• Reviews of prior reports and organization responses

Certified Fraud Examiners can play a major role in identifying, analyzing, and assessing an organization’s compliance and ethics risks by helping to:

• Identify and prioritize all present and potential organization and industry risks.
• Identify an organization’s controls, protocols, processes, procedures, and personnel responsible for preventing, detecting, and reducing fraud and compliance and ethics risk.
• Qualify and quantify the risks.
• Identify risk “look backs.”
• Monitor a compliance and ethics checklist.
• Make a record of the assessment.
• Contribute to an organization’s compliance, ethics, and fraud awareness programs.
• Contribute to an organization’s compliance and ethics handbook.

Once the organization makes its compliance risk assessment and tailors its budget to those risks, it must determine whether the budgeted expenditures address and prevent the risks. This process requires vigilant and periodic monitoring by the organization.

Certified Fraud Examiners can also play a major role in compiling the data to answer the following questions, which should be considered in an organization’s checklist for risk assessment:

• Does the organization have a Code of Conduct, Core Values, and Mission Statement?
• Do the principles or standards include references to the law, ethics, and ethical conduct?
• Do the principles or standards refer to a professional code of conduct or to rules and regulations, e.g., ABA Model Rules, AICPA Rules of Professional Conduct, ACFE Code of Conduct, Circular 230, OCC, FINRA, or SEC?
• Does the organization have internal audit, risk assessment, or loss-prevention personnel?
• How does the organization measure its risk assessment progress against its internal audit, risk assessment, and loss-prevention personnel?
• Is the organization’s ethical environment free of political or financial interference?
• Does the organization periodically assess risk? How?
• Does the organization periodically train and test employees’ knowledge of compliance and ethics risk assessment?
• What organizational framework/structure is in place to address ethics, compliance, and fraud detection and prevention, e.g., Office of Investigations, HR, General Counsel, or Ethics Hotline?
• Does senior management communicate the tone at the top and walk the talk?
• Does the organization have a commitment to integrity, due care, excellence, fairness, and respect for the individual?
• Are the organization’s policies and procedures designed and implemented to prohibit bad conduct?
• Does the organization act on its risk assessment findings?
• Does the organization have in place a communication program to keep its personnel apprised about ethics, compliance, and fraud?

In conducting risk assessments, organizations should focus on the following non-exhaustive internal and external areas that are systemic and unique to their business and industry:

• Code of Conduct
• General employee conduct
• Conflicts of interest
• Outside activities
• Relationships with customers or clients and vendors
• Gifts, entertainment, travel, favors, and gratuities
• Kickbacks, bribes, and secret commissions
• Assets
• Proprietary communications and records
• Public comments
• Privacy and physical security
• Timely communication and response

Summary

An organization must encourage its employees, regardless of position, to be cognizant of and comply with its compliance, ethics, and fraud awareness programs. The purpose for an organization having an integrated approach to compliance risk assessment, which is the cornerstone of effective fraud prevention and detection, is to coordinate, implement, and monitor its compliance with its (1) principles and core values; (2) mission statement; (3) ethical and professional standards; (4) laws, rules, and regulations; and (5) policies and procedures. In the end, an integrated approach is cost effective if properly designed and will assist the organization in making ethical and legal business decisions so as not to face civil or criminal sanctions and tarnish its good name and reputation. This result is a very valuable proposition!
