Creating a Strong Corporate Culture Begins with Managing Fraud Risk

Assessing the Results of the Latest White-Collar Crime and Fraud Risk Survey

In Creating a Strong Corporate Culture, “Fraud Risk” Is a Bit of a Misnomer

While a strong corporate culture is no paint-by-the-numbers exercise, a number of vital components must be carefully aligned — namely, ethical behavior, tone at the top, mood in the middle and attitude at the base. These elements can be seen as similar to a painter selecting and painstakingly applying just the right mixture of colors and textures to transform the canvas into a work of art. They are of critical concern in today’s boardroom and C-suite. Companies are striving to introduce a measure of introspection to better understand the correlation between culture and ethical failures involving fraud, corruption and misconduct. Key to this movement toward enhanced levels of organizational maturity are growing efforts to measure culture, flag warning signs, make control improvements, address gaps, build awareness of fraud and misconduct risk, and avoid becoming the next headline featuring organizational breakdowns that can derail brand, reputation and long-term viability.

Given the inverse relationship between culture and fraud, where a poor culture leads to high rates of fraud, the results of the latest White-Collar Crime and Fraud Risk Survey from Utica College and Protiviti reveal some troubling trends that should raise concerns for boards of directors and executive leadership.

Culture, fraud and misconduct are inextricably linked. Poor corporate culture can cause the kind of organizational inertia and complacency that give rise to a pattern of unethical behavior and other misdeeds that may continue unchecked for years, in part because many in the organization knew or suspected what was going on but failed to take action. The organization’s culture either discourages doing the right thing, is blind to bullying behavior, and/or rewards those who employ a “win at all costs” attitude. These types of “open secrets” become fertile ground for fraudulent and unethical activity.

In fact, while investigating ethical breaches, government investigators now look more deeply into organizations to ascertain root causes and what preventive and detective measures were in place to identify, investigate and report suspected fraud, bribery or misconduct. Thus, fraud risk governance, assessment, prevention and detection practices have never been more critical; they help shine light on practices and issues that can create the type of dysfunctional corporate culture in which unethical and illegal behavior thrive. We assess these and many other issues in our study.

These areas also represent the approaches and leading practices the Committee of Sponsoring Organizations of the Treadway Commission (COSO) advocates in its Fraud Risk Management Guide (FRM Guide) to help mitigate and prevent improper behavior by employees seeking greater rewards at the expense of ethics and compliance with company policies or state and federal laws.1 To this end, a key question for organizations to consider is, “Are we measuring our corporate culture on a periodic basis?”

The bottom line is that an organization’s posture on fraud risk can signal problems within its corporate culture. Executives who downplay the existence of fraud risk, consistently make business decisions solely on the basis of revenues without properly considering risk, or allow incentive compensation to drive inappropriate behavior are all signs that a company’s approach to fraud risk is no approach at all. Companies that give lip service to fraud risk are signaling to their employees and management that ethical business practices are not a priority — an ill-conceived posture that can have a toxic ripple effect and set the stage for an inevitable cultural meltdown.

In our study, we examine the perceptions and actions underlying fraud risk activities across an array of organizations and geographies that should serve as a wake-up call to corporate leaders who allocate insufficient time and attention to fraud risk due to their lack of understanding about the close linkage between weak or nonexistent fraud risk management programs and a poor corporate culture.

Our survey findings appear to align with “compliance fatigue” and, to a certain extent, complacency that many organizations face when they have a seemingly endless succession of regulatory obligations to meet, sales goals and revenue targets that are top priorities, limited budget and resources, and a general lack of understanding about the potentially devastating impact that a poor culture and major fraud or corruption matter can have on a company’s brand, reputation, debt covenants and market capitalization.

One way to attack such malaise is to better link the implications of failing to focus on culture to the potentially devastating outcomes that follow. CEOs, billionaire venture capitalists, judges and Hollywood powerhouses are among many who have made dramatic departures from their roles following allegations of fraud, corruption and misconduct. Often, the investigations that follow reveal that problems involving such individuals were “open secrets” and that if the company had only sought to evaluate its corporate culture, these matters might have more quickly surfaced in time to stop the victimization and prevent further damage to individuals, companies and their shareholders. Ultimately, linking the development of a strong corporate culture through robust fraud risk management to the prevention of actions that can bring down the organization is sure to command the attention of the boardroom and C-suite.

We hear from many organizations that obtaining resources and support from the C-suite to strengthen culture through a proactive fraud risk management program is an uphill battle. In fact, though there is growing understanding about the impact of corporate culture and the benefits of measuring it, there is still limited awareness of its linkage with fraud and misconduct. Perhaps using the results of culture surveys and tapping into the current climate of moral outrage to support a more proactive stance in managing fraud risk is in order. Until then, we will continue to see results like those in this year’s survey.

protiviti.com · utica.edu

1 Fraud Risk Management Guide, COSO and the Association of Certified Fraud Examiners (ACFE), September 2016: www.coso.org.

Our Key Findings

01 Organizations continue to lag in employing leading practices to build a strong culture — From the frequency of performing fraud risk assessments to a lack of understanding about the drivers of fraud, organizations must seek to move away from the continuous loop of responding to one fire after another to a more proactive, strategic and methodical approach to mitigating organizational fraud and culture breaches.

02 Resources represent a significant challenge in building a strong corporate culture with a clear fraud risk strategy — More than a third of organizations consider their fraud risk strategy to be weakly defined, with many citing the limited availability of internal resources as a significant challenge in addressing fraud proactively.

03 Many organizations lack a fraud risk management program, including policies to mitigate fraud — Given the prevalence of actual and potential fraud issues in organizations and those involving vendor relationships, as well as the long-term effects on corporate culture, this finding is surprising — and likely disappointing to shareholders and other key stakeholders. Increasingly, external auditors are paying attention to fraud risk and internal investigations. In some cases, they will withhold their sign-off pending improvements to the fraud risk management infrastructure or more thorough investigations, or give qualified opinions when they are underwhelmed with a company’s approach to fraud and investigations.

04 Third parties represent a significant gap in fraud risk management — Overall, one in three organizations lacks a high level of confidence as to whether it has effective oversight of third parties. However, third parties account for a disproportionate number of violations an organization commits, including those related to the Foreign Corrupt Practices Act (FCPA) and other anti-corruption statutes, cybercrime, vendor fraud, kickbacks, human trafficking, and data privacy breaches. Most organizations do not allocate sufficient time, energy and resources to understand and seek to mitigate the myriad issues third parties represent.

Culture is complex and different within every organization and remains largely abstract. However, even though a company’s culture may be abstract, one thing is clear: developing the right approach for auditing an organization’s risk culture takes time and careful planning. And for any business, the value of undertaking this process is developing a better understanding of the cultural causes that create risk — in short, human behaviors.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit

Methodology

Utica College and Protiviti partnered to conduct the White-Collar Crime and Fraud Risk Survey in the second and third quarters of 2017. This global survey, conducted online, consisted of a series of questions grouped into six categories:

• Fraud Risk Governance
• Fraud Risk Assessment
• Fraud Prevention Techniques
• Fraud Detection Techniques
• Corruption
• Reporting, Investigation and Corrective Action

Globally, 748 executives and professionals — including board members, C-suite executives, general counsel and chief audit executives (CAEs) — completed our online questionnaire. All respondents are in a position to understand their organization’s fraud risk management capabilities. Survey participants also were asked to provide demographic information about their titles and positions and the nature, size and location of their businesses. We appreciate the time these individuals invested in our study.

Because this year’s survey was global, whereas our prior study (published in 2016) was based on responses gathered only in the United States, we did not include comparisons with findings from our prior survey in this report. However, we would be pleased to provide any specific year-over-year comparisons upon request, to the extent such data is available.

All demographic information was provided voluntarily by our respondents (see page 52).

Notes

This report includes numerous breakdowns of the survey findings by company size, defined as follows (all figures are in U.S. dollars):*

Large = Companies with revenues of $10 billion or more
Midsize = Companies with revenues between $100 million and $9.99 billion
Small = Companies with less than $100 million in revenues

* Upon request, Protiviti can provide additional reporting in these broad categories.

Measuring ethical culture may be a confusing concept since culture isn’t an object one can easily quantify. That said, there are characteristics, behaviors and impressions that can be examined to determine whether a company is on the right path or whether it has institutionalized bad behavior that, left unchecked, can lead to ethical failures down the road.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic

Fraud Risk Governance — Who’s Minding the Store?

First things first: The board of directors, along with senior management, need to demonstrate their expectations and commitment to “high integrity and ethical values regarding fraud risk.”2 That is a key driver for developing and maintaining a strong corporate culture.

The concept of fraud risk governance is highlighted as Principle 1 in COSO’s FRM Guide. To manage fraud risk effectively, an organization should designate an executive or other leader with direct ownership of and responsibility for the fraud risk management program. Oversight of fraud risk should be active and defined. And a clear, formal fraud risk strategy should be in place. All the above actions are part of good fraud risk governance, but our survey results reveal that many organizations have significant shortcomings in these areas.

For example, in 16 percent of organizations overall, no senior management professional is designated with ownership of and responsibility for fraud risk management — or, that individual is not known.

In a large percentage of instances involving breakdowns in corporate culture or in the conduct at the top or throughout the organization, one or more fraud-related activities are driving those issues. That fact should underscore the need for robust fraud risk management practices, including board oversight and senior management responsibilities.

The survey results also show that one in five organizations has a “no fraud here” mentality. These organizations likely do not perform fraud risk assessments, which is a critical practice. Another factor for this mindset could be that the individuals responsible for conducting these assessments have “day jobs” and therefore lack time to conduct thorough — or any — evaluation of fraud risk and corresponding anti-fraud controls. This behavior creates fertile ground for a poor corporate culture.

Many Organizations Falling Short on Fraud Risk Policy and Strategy

What also stands out in the results is the small but meaningful number of organizations that lack active and defined oversight of fraud risk. The numbers are slightly smaller for large companies but are still notable. Of particular note, the percentages are higher among North American-based organizations.

Also noteworthy is that a substantial percentage of organizations have a fraud risk strategy that is not defined clearly. Without a solid understanding of fraud risks throughout the organization, how can management express confidence that its control environment is effective, and that it is focusing on creating a strong corporate culture?

Another eye-opening finding is that a third of organizations worldwide appear to lack a formal and documented fraud control policy. That is despite COSO’s specific recommendation that organizations have such a policy, as outlined in its FRM Guide.

KEY FACTS

16%: Organizations overall that have no senior management professional designated with ownership of and responsibility for fraud risk management*

* Includes “Don’t know” responses.

2 Ibid.

Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organization?

Company Size (Annual Revenue)

Response | Large companies | Midsize companies | Small companies
Chief Executive Officer | 29% | 17% | 20%
Chief Financial Officer | 13% | 13% | 19%
Chief Risk Officer | 15% | 13% | 11%
Chief Legal Officer or General Counsel | 11% | 9% | 10%
Chief Security Officer | 12% | 10% | 7%
Internal Audit Director | 5% | 13% | 8%
Other | 6% | 7% | 7%
No senior management professional is designated with ownership and responsibility for fraud risk management | 4% | 13% | 13%
Don’t know | 5% | 5% | 5%

Region

Response | Asia-Pacific | Europe | India | Latin America/South America | North America
Chief Executive Officer | 27% | 28% | 32% | 38% | 8%
Chief Financial Officer | 11% | 11% | 18% | 11% | 21%
Chief Risk Officer | 19% | 13% | 11% | 3% | 13%
Chief Legal Officer or General Counsel | 7% | 10% | 4% | 8% | 13%
Chief Security Officer | 5% | 17% | 15% | 15% | 4%
Internal Audit Director | 10% | 5% | 5% | 5% | 11%
Other | 4% | 4% | 5% | 3% | 11%
No senior management professional is designated with ownership and responsibility for fraud risk management | 12% | 10% | 9% | 14% | 12%
Don’t know | 5% | 2% | 1% | 3% | 7%

While 4 percent of large companies indicate that no senior management professional is designated with fraud risk management ownership and responsibility, this figure rises to 13 percent in midsize and small companies, suggesting the latter group of organizations is seemingly more tolerant of “absentee leadership” in this critical area.

Which of the following groups in your organization provides active and defined oversight of the organization’s fraud risk? (Multiple responses permitted)

Company Size (Annual Revenue)

Response | Large companies | Midsize companies | Small companies
Audit committee | 50% | 59% | 48%
Risk management committee | 53% | 51% | 39%
Board of directors | 44% | 39% | 42%
C-level executive(s) | 43% | 37% | 37%
No active and defined oversight | 5% | 6% | 12%
Don’t know | 4% | 4% | 3%
Other | 5% | 7% | 3%

Region

Response | Asia-Pacific | Europe | India | Latin America/South America | North America
Audit committee | 58% | 40% | 60% | 46% | 56%
Risk management committee | 51% | 60% | 58% | 50% | 33%
Board of directors | 42% | 51% | 42% | 56% | 32%
C-level executive(s) | 32% | 41% | 51% | 37% | 37%
No active and defined oversight | 7% | 7% | 4% | 7% | 11%
Don’t know | 3% | 2% | 0% | 1% | 6%
Other | 2% | 3% | 3% | 4% | 7%

A significant number of organizations, particularly small and North American-based companies, lack active and defined oversight of fraud risk.

On a scale of 1 to 5, where “5” indicates very well-defined and “1” indicates undefined, how would you rate your organization’s fraud risk strategy?

Company Size (Annual Revenue)

Group | Very well-defined/defined | Less defined/reactive/undefined/don’t know
Large companies | 72% | 28%
Midsize companies | 60% | 40%
Small companies | 60% | 40%

Region

Group | Very well-defined/defined | Less defined/reactive/undefined/don’t know
Asia-Pacific | 65% | 35%
Europe | 68% | 32%
India | 74% | 26%
Latin America/South America | 72% | 28%
North America | 53% | 47%

When scanning national patterns, North American organizations look relatively less concerned about well-defined risk strategies than do companies in other parts of the world.

Which of the following challenges does your organization face in managing its fraud risk proactively? (Multiple responses permitted)

Challenge | Percentage
There is limited availability of internal resources to address fraud risk. | 36%
We lack a unified fraud risk management strategy. | 28%
We lack proactive fraud risk management. Our focus is on incident response when allegations arise. | 28%
Proactive fraud risk management is not a corporate priority. | 27%
Fraud and misconduct are not considered “high risks” within the organization. | 27%
There is inadequate funding for an anti-fraud program and related initiatives. | 21%
Our organization has a “no fraud here” mentality. | 20%
Laws and regulations or cultural norms in our non-U.S. locations present unique challenges that we have yet to address. | 20%
We do not have a member of senior management who is designated with ownership of and responsibility for fraud risk management. | 16%

KEY FACTS

93%: Organizations globally that have a formal and documented code of conduct
67%: Organizations globally that have a formal and documented fraud control policy

An area of concern appears to be the availability of internal resources to address fraud risk proactively, with more than one in three organizations citing this as a challenge.

COSO Elevates and Evolves Fraud Risk Management Practices

For many organizations, building a strong corporate culture and managing fraud consists of checking boxes and thinking positive thoughts:

• “We hire good people.”
• “We have a code of conduct.”
• “We comply with Sarbanes-Oxley.”
• “Our hotline does not ring (for serious things).”
• “Fraud simply doesn’t happen here.”

Of course, as forensic professionals and educators, we know this is not enough. COSO knows this, too.

Recognizing the need to both elevate and evolve management’s thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (FRM Guide) in collaboration with the Association of Certified Fraud Examiners (ACFE) in September 2016. This guidance provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but also actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide* within the context of the 2013 COSO Internal Control — Integrated Framework.

These principles serve as a universal foundation for fraud risk management programs. They are:

1. Fraud Risk Governance
2. Fraud Risk Assessment
3. Fraud Control Activities
4. Fraud Investigation and Corrective Action
5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included in the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk have been focal points of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement of an organization’s financial statements. In contrast, COSO’s FRM Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program to achieve better support of and greater consistency with the overall 2013 COSO Framework.

COSO’s FRM Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles. It also outlines unique characteristics for each fraud risk management principle within specific points of focus. These points are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, COSO’s FRM Guide provides information that is thorough and thoughtful, and applicable to various audiences.

Below are some suggestions for utilizing the information and templates included within COSO’s FRM Guide, which can benefit organizations in pursuit of a “best-in-class” fraud risk management program, as well as those companies that are simply looking to enhance certain elements of their anti-fraud control activities:

• Map and analyze the fraud risk management process for improvement opportunities.
• Evaluate whether there is proper oversight and assignment of resources for fraud control activities.
• Create or update the organization’s fraud control policy.
• Conduct a survey to understand perceptions about the organization’s culture and fraud risk management capabilities.
• Expand documentation and visualization of the organization’s fraud risk and controls matrix.
• Assess the organization’s list of potential fraud exposures.
• Review the organization’s fraud response plan.
• Implement a data analytics framework.
• Enhance awareness of fraud risk through communication with various organizational constituencies.

COSO’s FRM Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. However, it is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one-size-fits-all” approach to either process; each must be tailored to suit an organization’s specific operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and COSO’s FRM Guide provides a clear road map that can help drive organizations toward excellence in fraud risk management.

* Managing the Business Risk of Fraud: A Practical Guide was jointly published in 2008 by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (The IIA) and ACFE.

Assessing Fraud Risk: A Foundational Component of Corporate Culture and Fraud Risk Management

Patterns of fraud, corruption and misconduct that take root in organizations are frequently open secrets among personnel. The fact that organizational assets are being misused or diverted is often widely known but perhaps not openly discussed. This phenomenon gives rise to several questions including, “Why are these actions not reported?” and “Is it because of fear of retaliation?” “Failure to report” is a clear symptom of a poor corporate culture, as is ignoring or silently endorsing bad behavior because of who is involved or benefiting from it. For this reason, fraud risk assessments should be performed to help identify unreported, overlooked or even “culturally accepted” vulnerabilities and include consideration of an organization’s corporate culture — in effect, taking the company’s temperature from an ethical viewpoint. Seeking to measure corporate culture can expose an organization’s open secrets before they devolve into more significant ethical lapses with serious legal and regulatory consequences.

Fraud risk assessments should be conducted at least annually, if not more frequently, depending upon shifts in strategic objectives, organizational changes or the occurrence of fraud. Overall, most organizations report that they do this, which is positive. However, significant numbers of organizations, of all sizes and across regions, appear to do so less frequently or inconsistently.

A small but notable number of organizations report that they don’t know who the business owner responsible for the fraud risk assessment is, or they don’t have a defined business owner for that process. There should be a designated owner, of course. But regardless of who ultimately is responsible for a fraud risk assessment, the process must involve a broad range of functions in the organization — internal audit, accounting and finance, procurement, information technology (IT), risk management, facilities, research and development (R&D), and more. This approach enables the fraud risk assessment to capture the nuances of each organizational function where fraud has the potential to occur, along with the potential fraud drivers. That includes understanding opportunities, incentives, pressures, attitudes and rationalization to commit fraud within different groups in the organization.

Also, it is critical for organizations to examine fraud risk not in pockets or silos, but across the enterprise. Principle 2 of COSO’s FRM Guide specifies that the fraud risk assessment process should include all appropriate levels of management along with the resources necessary to assess fraud risk throughout the enterprise.

Simply put, fraud risk can neither be managed nor mitigated if it is not understood. Fraud risk assessments undertaken correctly enhance an organization’s awareness of the various fraud risks it is facing and allow it to prioritize efforts to mitigate the most serious areas of vulnerability.

The fraud risk assessment process, to remain effective and relevant, also must evolve as personnel, operations, methodologies and other processes change. Our survey found that, across organization type and region, “previous fraud risk assessment results” ranks high among the frequently used information applied to the assessment methodology. While the inclusion of this information is an important data point, no aspect of the fraud risk assessment should be a cut-and-paste exercise. Indeed, in a recent publication by the U.S. Department of Justice (DOJ) (Evaluation of Corporate Compliance Programs), an 11th hallmark of an effective compliance program was introduced: Analysis and Remediation of Underlying Misconduct. While this is directed at organizations that are in the throes of a government investigation, all organizations should seek to apply lessons learned from any internal investigations that have been performed since the last fraud risk assessment. Organizations should always strive to ensure that their fraud risk assessment processes are dynamic, are evolving along with the company’s changing risks and strategic objectives, and don’t become a rote exercise lacking meaningful benefit year-over-year.

Who within your organization is primarily responsible for conducting your fraud risk assessment?

Company Size (Annual Revenue)

Response | Large companies | Midsize companies | Small companies
Internal audit | 32% | 46% | 44%
Corporate compliance | 20% | 18% | 15%
SOX compliance team | 16% | 14% | 9%
General counsel/legal | 12% | 9% | 13%
Other | 12% | 6% | 10%
None of these | 2% | 3% | 7%
Don’t know | 6% | 4% | 2%

Region

Response | Asia-Pacific | Europe | India | Latin America/South America | North America
Internal audit | 43% | 39% | 52% | 40% | 41%
Corporate compliance | 17% | 23% | 17% | 18% | 14%
SOX compliance team | 14% | 12% | 12% | 11% | 12%
General counsel/legal | 8% | 18% | 6% | 26% | 7%
Other | 10% | 4% | 10% | 1% | 14%
None of these | 5% | 3% | 3% | 2% | 6%
Don’t know | 3% | 1% | 0% | 2% | 6%

More Care Needed When Discussing Sensitive Information

Another result in our survey is the low number of organizations globally that conduct fraud risk assessments under attorney-client privilege. In North America, for instance, three in four organizations do not conduct fraud risk assessments under this privilege. Anecdotally, most organizations do not even consider the need to do so.

While some organizations make rational business cases for why they choose not to perform fraud risk assessments under the attorney-client privilege, problems sometimes arise in those organizations that do not even consider doing so. When conducting fraud risk assessments, root cause analyses of prior internal investigations (which were probably undertaken pursuant to the attorney-client privilege), internal control weaknesses or gaps identified through previous audits, and other confidential compliance matters may be discussed. If sensitive information is gathered without the opportunity for legal counsel to provide advice to the organization, it could result in a significant problem down the road if, during litigation, that sensitive information becomes discoverable.

As our survey results indicate, the fraud risk assessment process often involves the use of other techniques such as the review of policies, procedures and training materials, gathering of public information and industry news, brainstorming sessions, interviews or group workshops, process walkthroughs, surveys, and data analytics. During these activities, candid feedback about business practices, personnel matters and corporate culture may be shared. In some cases, indicators of fraud may even be identified through the use of electronic data interrogation routines. Organizations likely do not want this material exposed during litigation. It is therefore imperative to consider confidentiality, as well as the potential for conducting the fraud risk assessment under the direction of counsel for attorney-client privilege purposes, during planning activities. (See sidebar on page 18 for further discussion about attorney-client privilege.)

Circling back to the updated 2013 COSO Internal Control Framework, Principle 8 includes consideration of three key types of fraud during management’s risk assessment activities. Interestingly, when asked which fraud type concerns them the most, respondents provided a wide range of responses. What stands out is that while fraudulent nonfinancial reporting is the type of fraud that happens most often in organizations, only a small number cited it as the area of greatest concern. Another point of emphasis is that fraud risk in many organizations is centered on compliance with SOX and the concept of materiality. This is a dangerously narrow way of viewing fraud risk and often leaves a significant number of potential fraud scenarios out of the process, some of which can have a negative effect on the organization, since the statutes being violated do not use materiality in weighing whether criminal violations have occurred. Examples of two such categories of fraud are the bribery of foreign officials and sanctions violations such as those enforced by the U.S. Office of Foreign Assets Control (OFAC).

Factors having an impact on fraud risk are highlighted in the 2013 COSO Framework’s Points of Focus for Principle 8. While fraud risk factors are shared by all organizations that experience fraud, the fraud risk assessment methodology should be a unique process. A holistic view of fraud includes consideration of potential scenarios and perpetrators at all levels of the enterprise, as well as vulnerabilities in all processes and geographic locations — not only those deemed “in scope” for SOX purposes. Executed correctly, the fraud risk assessment should not be a “cookie-cutter” template for a different company in a different industry offering different products or services, since it has been specifically tailored to the company at hand.

How often does your organization conduct a formal fraud risk assessment?

Company Size (Annual Revenue)

| | Quarterly | Annually | As needed | Never | Don’t know |
|---|---|---|---|---|---|
| Large companies | 35% | 31% | 17% | 5% | 12% |
| Midsize companies | 21% | 50% | 19% | 5% | 5% |
| Small companies | 25% | 36% | 22% | 10% | 7% |

Region

| | Quarterly | Annually | As needed | Never | Don’t know |
|---|---|---|---|---|---|
| Asia-Pacific | 25% | 35% | 22% | 11% | 7% |
| Europe | 34% | 34% | 24% | 5% | 3% |
| India | 48% | 22% | 25% | 3% | 2% |
| Latin America/South America | 39% | 31% | 26% | 3% | 1% |
| North America | 11% | 52% | 13% | 11% | 13% |

It is surprising to find a significant percentage of large companies and North American-based organizations that report not knowing how often the fraud risk assessment is conducted.

How is your organization’s fraud risk assessment process structured within your organization?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Incorporated into our enterprise risk management (ERM) process | 47% | 40% | 38% |
| Incorporated into our internal audit planning process | 21% | 22% | 26% |
| Incorporated into our SOX compliance process | 8% | 18% | 13% |
| Stand-alone | 18% | 12% | 12% |
| None of these | 2% | 2% | 9% |
| Don’t know | 4% | 6% | 2% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Incorporated into our ERM process | 42% | 52% | 45% | 48% | 32% |
| Incorporated into our internal audit planning process | 23% | 15% | 32% | 27% | 25% |
| Incorporated into our SOX compliance process | 8% | 13% | 2% | 10% | 20% |
| Stand-alone | 17% | 15% | 17% | 11% | 9% |
| None of these | 6% | 4% | 4% | 3% | 8% |
| Don’t know | 4% | 1% | 0% | 1% | 6% |

Does your company conduct its fraud risk assessment under attorney-client privilege? (Shown: “Yes” responses)

Company Size (Annual Revenue)

| | Yes |
|---|---|
| Large companies | 51% |
| Midsize companies | 45% |
| Small companies | 41% |

Region

| | Yes |
|---|---|
| Asia-Pacific | 36% |
| Europe | 63% |
| India | 51% |
| Latin America/South America | 77% |
| North America | 25% |

Fraud Risk Assessment and Attorney-Client Privilege

As with any internal investigation, a fraud risk assessment may include sensitive matters that potentially involve litigation or damage to a company’s reputation. There are often compelling reasons for an organization’s assessment team to report to legal counsel. Some things to consider include:

• In the United States, conversations between an attorney and a client seeking legal advice are considered “privileged and confidential” and “attorney-client privileged.” Once privilege is established, the information shared between a client and attorney is largely protected from disclosure to other parties.

• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without fear of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic accountants or investigators, participate in the fraud risk assessment or an investigation, their work should be performed at the direction of lawyers so that their findings are considered attorney work product and are privileged as well.

• It should be made clear that the fraud risk assessment is being conducted to assist legal counsel in providing legal advice. That includes marking materials as “Privileged and Confidential” and informing interviewees of the legal purpose of the fraud risk assessment or investigation.

• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the review with anyone who is not involved in the project, so as not to inadvertently waive the privilege by sharing information outside of the attorney-client relationship.

• The attorney-client privilege varies widely by country. For any investigations, fraud risk assessments or other projects that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions, the rules of those jurisdictions would apply.

Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions were of a business, and not a legal, nature.

Legal privilege varies widely from one country to the next, and these decisions are best made in consultation with attorneys who have a deep understanding of the various jurisdictions in which the company is operating and whether and to what extent the fraud risk assessment can be undertaken pursuant to the attorney-client privilege.

It’s important for companies to understand the interrelationship between internal investigations that were performed at the direction of counsel and the company’s fraud risk. Reviewing those investigations could constitute an inadvertent waiver of privilege. Plus, during the course of a fraud risk assessment, people sometimes share information about past or ongoing fraud or misconduct that could give rise to legal liability. Performing fraud risk assessments pursuant to the attorney-client privilege can add a layer of protection to sensitive information that was gathered during the course of the project.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic

Does your fraud risk assessment team include members from different departments? (Shown: “Yes” responses)

Company Size (Annual Revenue)

| | Yes |
|---|---|
| Large companies | 74% |
| Midsize companies | 68% |
| Small companies | 62% |

Region

| | Yes |
|---|---|
| Asia-Pacific | 60% |
| Europe | 79% |
| India | 71% |
| Latin America/South America | 82% |
| North America | 54% |

IF YES: Which departments participate in the fraud risk assessment team? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Internal audit | 73% | 72% | 70% |
| Accounting/finance | 65% | 62% | 63% |
| Legal | 61% | 57% | 63% |
| Risk management | 68% | 50% | 56% |
| Compliance | 54% | 50% | 44% |
| Operations | 48% | 41% | 51% |
| Corporate security | 45% | 46% | 42% |
| Human resources | 44% | 39% | 46% |
| External consultants | 20% | 17% | 25% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Internal audit | 64% | 63% | 78% | 64% | 84% |
| Accounting/finance | 68% | 47% | 53% | 63% | 80% |
| Legal | 48% | 53% | 59% | 65% | 72% |
| Risk management | 58% | 65% | 67% | 51% | 50% |
| Compliance | 44% | 45% | 51% | 32% | 61% |
| Operations | 42% | 43% | 41% | 45% | 58% |
| Corporate security | 40% | 49% | 45% | 43% | 43% |
| Human resources | 44% | 34% | 41% | 41% | 51% |
| External consultants | 24% | 20% | 35% | 28% | 15% |

Organizations in Latin America/South America and Europe are far more likely to include members from different departments on the fraud risk assessment team than are companies in other regions, particularly North America.

Which of the following does your company utilize as part of its fraud risk assessment methodology? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Previous fraud risk assessment results | 49% | 55% | 51% |
| Prior reported concerns and complaints | 49% | 51% | 49% |
| Data analytics | 53% | 47% | 44% |
| Prior audits or other reviews conducted at the company | 47% | 44% | 48% |
| Interviews | 47% | 52% | 42% |
| Brainstorming sessions | 43% | 42% | 36% |
| Surveys | 48% | 35% | 36% |
| Public information about criminal, civil and regulatory cases and complaints | 33% | 31% | 30% |
| Industry news | 31% | 32% | 25% |
| Workshops | 35% | 28% | 26% |
| Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System | 35% | 28% | 24% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Previous fraud risk assessment results | 57% | 46% | 70% | 47% | 52% |
| Prior reported concerns and complaints | 56% | 44% | 61% | 37% | 53% |
| Data analytics | 39% | 55% | 62% | 62% | 36% |
| Prior audits or other reviews conducted at the company | 54% | 32% | 58% | 40% | 53% |
| Interviews | 38% | 44% | 39% | 42% | 54% |
| Brainstorming sessions | 35% | 47% | 50% | 35% | 36% |
| Surveys | 25% | 45% | 45% | 43% | 35% |
| Public information about criminal, civil and regulatory cases and complaints | 30% | 36% | 32% | 42% | 26% |
| Industry news | 24% | 31% | 39% | 29% | 26% |
| Workshops | 42% | 36% | 32% | 42% | 14% |
| Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System | 25% | 28% | 32% | 27% | 25% |

Which one of the following types of fraud is of greatest concern to your organization?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Safeguarding of assets | 24% | 16% | 20% |
| Management override of controls | 19% | 19% | 19% |
| Fraudulent financial reporting | 16% | 15% | 16% |
| Corruption | 10% | 10% | 14% |
| Illegal acts | 10% | 7% | 7% |
| Fraudulent nonfinancial reporting | 2% | 7% | 5% |
| No one type is more concerning than the other | 14% | 20% | 15% |
| Other/none of these | 5% | 6% | 4% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Safeguarding of assets | 24% | 18% | 25% | 12% | 21% |
| Management override of controls | 20% | 21% | 20% | 26% | 13% |
| Fraudulent financial reporting | 12% | 24% | 17% | 17% | 12% |
| Corruption | 15% | 10% | 9% | 21% | 9% |
| Illegal acts | 6% | 8% | 3% | 11% | 8% |
| Fraudulent nonfinancial reporting | 1% | 5% | 2% | 8% | 6% |
| No one type is more concerning than the other | 18% | 8% | 12% | 3% | 26% |
| Other/none of these | 4% | 6% | 12% | 2% | 5% |

As expected, the safeguarding of assets seems to be a high priority, while corruption appears to be a lower priority (though more significant for organizations in Latin America/South America).

Does your organization have a fraud risk management (mitigation) program? (Shown: “Yes” responses)

Company Size (Annual Revenue)

| | Yes |
|---|---|
| Large companies | 76% |
| Midsize companies | 63% |
| Small companies | 56% |

Region

| | Yes |
|---|---|
| Asia-Pacific | 61% |
| Europe | 81% |
| India | 74% |
| Latin America/South America | 87% |
| North America | 39% |

IF YES: Who in your organization is responsible for the fraud risk management (mitigation) program?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Chief Compliance Officer | 30% | 42% | 39% |
| Chief Financial Officer | 28% | 25% | 25% |
| Chief Audit Executive | 24% | 25% | 26% |
| Other | 12% | 6% | 8% |
| Don’t know | 6% | 2% | 2% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Chief Compliance Officer | 48% | 41% | 31% | 31% | 33% |
| Chief Financial Officer | 23% | 27% | 29% | 24% | 27% |
| Chief Audit Executive | 15% | 24% | 25% | 41% | 21% |
| Other | 14% | 6% | 13% | 1% | 12% |
| Don’t know | 0% | 2% | 2% | 3% | 7% |

It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy can derail operations, damage the brand, drive away customers and put a sizable dent in the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but is given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific and necessary.

— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit

Cultivating a Healthy Corporate Culture Through Fraud Prevention

One surprise from the results of our survey is evidence of the low use of certain primary controls, including ethics and fraud awareness training, which could help organizations recognize warning signs and prevent fraud if they were utilized or provided more frequently. In the United States, for example, the DOJ and the Securities and Exchange Commission (SEC) consider training and continuous advice to be a hallmark of an effective compliance program, yet a large majority of organizations do not appear to conduct such training.

Shockingly, even basic measures appear to be falling short. For instance, a good argument can be made that every organization should have a code of conduct and code of ethics, yet more than one in five companies surveyed do not. Indeed, a code of conduct and compliance policies and procedures are called out by both the DOJ and the SEC as hallmarks of an effective compliance program.

Third- and Fourth-Party Relationships Require More Scrutiny

Several other findings from our survey should raise red flags for boards and executive leadership seeking to build a strong corporate culture. For example, less than a majority of organizations have third-party due diligence and competitive bidding in place as controls to prevent fraud; only slightly more than a majority have IT controls, authority and approval limits, and segregation of duties (SoD) in place. While some may not view these measures specifically as fraud controls, they can be very effective for fraud prevention. That is especially true for publicly held companies that must comply with requirements such as SOX in the United States.

The results for third-party due diligence controls are especially eye-opening, particularly when considering the extent to which third parties may have access to personally identifiable information and/or may have permission to act on behalf of the company. Third parties can represent a weak link in the organization’s fraud control structure (as well as security and privacy, anti-bribery, regulatory compliance, and other areas of internal control).

Conducting risk-based investigative due diligence of the organization’s third parties, especially those in particularly high-risk jurisdictions, as well as fourth parties (i.e., the vendor’s vendors or subcontractor’s subcontractors) should be considered essential.

Authorities May Question Lack of Commitment to Combating Fraud

As noted above, a potential weak link in an organization’s culture is the frequency of ethics and fraud awareness training. Our survey results suggest that two in five organizations conduct this type of training only annually — or even less frequently.

If the organization lacks a strong commitment to regular ethics and fraud awareness training, what does that say about management’s commitment to building a healthy corporate culture? That is the type of question authorities could ask during a formal fraud investigation and in evaluating whether there was an effective compliance program in place at the time violations were occurring. When a prosecutor or law enforcement agency concludes that there was not an effective compliance program in place, or there were other aggravating circumstances at the time, the company itself can be charged with criminal violations, which can have sweeping and often devastating consequences for the company and its shareholders.

The U.S. DOJ and the SEC have provided clear guidance for what they expect of companies when it comes to effective compliance and ethics programs. One recommendation is delivering risk-based training, as compliance policies are not meaningful unless they are communicated effectively throughout the organization. COSO also stresses the importance of regular training in its FRM Guide.

KEY FACTS

57%: Organizations (overall) that conduct ethics and fraud risk awareness training

It is very important for organizations to create processes that support people doing the right thing all the time and foster a culture where people in the organization know the tone at the top, ensuring that the tone flows all the way down to middle management and beyond. This is because, in most cases, employees pay more attention to what their direct supervisors are saying or doing, and less to what the CEO has announced.

— Susan Haseley, Protiviti Executive Vice President, Diversity and Inclusion Initiative Leader

Which of the following primary controls does your organization utilize to prevent fraud? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Code of conduct/Code of ethics | 78% | 81% | 72% |
| Authority or approval limits | 59% | 63% | 67% |
| Employee background checks | 56% | 63% | 66% |
| IT controls | 55% | 58% | 63% |
| Segregation of duties | 54% | 58% | 58% |
| Ethics or fraud risk awareness training | 64% | 58% | 53% |
| Third-party due diligence | 41% | 32% | 33% |
| Competitive bidding | 36% | 32% | 32% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Code of conduct/Code of ethics | 73% | 62% | 78% | 71% | 87% |
| Authority or approval limits | 68% | 50% | 64% | 45% | 78% |
| Employee background checks | 60% | 47% | 69% | 56% | 75% |
| IT controls | 57% | 47% | 58% | 58% | 70% |
| Segregation of duties | 55% | 37% | 50% | 35% | 81% |
| Ethics or fraud risk awareness training | 58% | 55% | 56% | 56% | 59% |
| Third-party due diligence | 30% | 32% | 53% | 19% | 38% |
| Competitive bidding | 29% | 24% | 38% | 24% | 41% |

Europe reflects a lower percentage of firms that have codes of conduct or codes of ethics. North American firms are notably ahead of other regions in demanding segregation of duties. Compared to companies in other regions, both European and Latin American/South American firms reflect a much lower percentage of demanding segregation of duties.

How often does your organization offer ethics and fraud awareness training?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| New hire orientation only | 12% | 12% | 16% |
| On demand | 27% | 19% | 20% |
| Semi-annually | 18% | 19% | 17% |
| Annually | 33% | 36% | 27% |
| Less than annually | 6% | 6% | 7% |
| Never | 1% | 5% | 11% |
| Don’t know | 3% | 3% | 2% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| New hire orientation only | 12% | 13% | 20% | 21% | 11% |
| On demand | 20% | 34% | 33% | 27% | 8% |
| Semi-annually | 18% | 25% | 28% | 22% | 10% |
| Annually | 21% | 20% | 14% | 25% | 49% |
| Less than annually | 13% | 5% | 3% | 2% | 7% |
| Never | 16% | 2% | 2% | 1% | 10% |
| Don’t know | 0% | 1% | 0% | 2% | 5% |

With regard to the frequency of ethics and fraud awareness training, the question raised here is “How often is often enough?” Less than a majority of firms in North America conduct these trainings every six months or have them available on demand. These percentages are significantly higher among companies in Europe, India and Latin America/South America. On the other hand, 16 percent of organizations in the Asia-Pacific region never conduct these trainings.

Data Analytics, Fraud Detection and the Path Forward

One of the most notable findings in our survey is that one-third of organizations lack a fraud detection program. This begs the question as to what exactly these organizations are doing to detect the type of fraudulent acts that can undermine the organization’s culture or indicate red flags for deep-seated issues.

The absence of a fraud detection program likely indicates a reactive environment for detecting fraud. Internal audit and management respond to fraud issues that arise but are unable to be proactive in spotting issues early or identifying potential root causes.

The absence of such a program also suggests organizations have limited resources and technologies to apply to fraud detection; thus, they lack alignment with Principle 3 of COSO’s FRM Guide. This principle focuses on preventive and detective control activities designed to mitigate the occurrence — and longevity — of fraud risk events. Timely discovery of fraud risk events is a critical component of a well-designed fraud risk management program and the lack of a program calls into question the ability of such organizations to fully achieve risk mitigation under the 2013 COSO Framework.

Few Firms Using Data Analysis for Fraud Detection

One in five organizations reports that they do not use any form of data analysis to detect fraud proactively. The numbers are better for large organizations, but those operating in regions such as North America and Asia-Pacific fare worse. These results are not surprising, however. Business records in many organizations still exist in a manual state. Companies may want to incorporate forensic data analysis to identify potential red flags and fraud indicators, but they can’t if their information resides in boxes rather than a digital state.

These results generally mirror the findings of Protiviti’s 2018 Internal Audit Capabilities and Needs Survey, which show that about one-third of organizations do not use data analysis or analytics in their internal audit functions.[3]

Most organizations are still in the early stages of using data analytics. Furthermore, many are likely performing only the most basic form of analytics. This was borne out in the findings of Protiviti’s internal audit survey. Few internal audit groups are employing current high-end technologies or artificial intelligence (AI), or even computer-assisted audit tools (CAATs), which could boost effectiveness and efficiency significantly.

Factors limiting the use of data analysis include dated legacy systems in the organization, as well as the absence of a data warehouse. Also, most organizations have few employees who are trained to use new technologies and AI to perform forensics and analytics.

[3] Analytics in Auditing Is a Game Changer, Protiviti, 2018: protiviti.com/IAsurvey.

Does your organization have a fraud detection program? (Shown: “Yes” responses)

Company Size (Annual Revenue)

| | Yes |
|---|---|
| Large companies | 74% |
| Midsize companies | 58% |
| Small companies | 55% |

Region

| | Yes |
|---|---|
| Asia-Pacific | 57% |
| Europe | 72% |
| India | 71% |
| Latin America/South America | 87% |
| North America | 40% |

When it comes to fraud detection, North American companies appear to be significantly behind organizations in other regions.

IF YES: Who in your organization is responsible for the fraud detection program?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Chief Compliance Officer | 24% | 38% | 38% |
| Chief Audit Executive | 34% | 36% | 34% |
| Chief Financial Officer | 38% | 23% | 27% |
| Don’t know | 4% | 3% | 1% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Chief Compliance Officer | 42% | 39% | 32% | 34% | 26% |
| Chief Audit Executive | 31% | 35% | 29% | 40% | 34% |
| Chief Financial Officer | 27% | 26% | 39% | 25% | 31% |
| Don’t know | 0% | 0% | 0% | 1% | 9% |

One cannot manage that which cannot be measured. If firms focused on enhancing access to their own legacy data systems so that disparate data sources were converted into consistent, timely and reliable information, the return on this investment would be enormous. Advanced analytics, such as machine learning, deep learning and AI, performed on this newly reliable data, will enable firms to measure historical fraud, predict potential future fraud occurrences and manage fraud risk appropriately. That, in turn, will significantly strengthen corporate culture.

— Shaheen Dil, Protiviti Managing Director, Global Leader, Data Management and Advanced Analytics

Does your organization actively utilize forensic data analysis to identify potential red flags and fraud indicators (i.e., fraud detection techniques)?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 41% | 34% | 23% |
| Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 30% | 31% | 32% |
| Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 15% | 15% |
| No, we do not utilize data analysis to detect fraud proactively. | 8% | 17% | 26% |
| Don’t know. | 8% | 3% | 4% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 27% | 38% | 45% | 30% | 21% |
| Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 36% | 36% | 28% | 54% | 20% |
| Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 12% | 14% | 9% | 20% |
| No, we do not utilize data analysis to detect fraud proactively. | 22% | 12% | 11% | 6% | 31% |
| Don’t know. | 2% | 2% | 2% | 1% | 8% |

North American-based organizations appear to lag considerably behind companies in other regions in utilizing forensic data analysis.

Which of the following procedures has your organization established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Telephonic hotline | 61% | 54% | 50% |
| Electronic mailbox | 61% | 48% | 45% |
| Website | 56% | 54% | 39% |
| “Chain-of-command” reporting | 47% | 42% | 47% |
| Designated management | 36% | 33% | 43% |
| Designated board member | 33% | 18% | 27% |
| No formal reporting mechanism exists | 6% | 6% | 9% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Telephonic hotline | 42% | 32% | 41% | 48% | 76% |
| Electronic mailbox | 48% | 55% | 60% | 56% | 40% |
| Website | 31% | 47% | 49% | 49% | 52% |
| “Chain-of-command” reporting | 44% | 42% | 41% | 36% | 54% |
| Designated management | 45% | 40% | 51% | 42% | 32% |
| Designated board member | 19% | 37% | 38% | 39% | 14% |
| No formal reporting mechanism exists | 11% | 6% | 5% | 6% | 8% |

Interestingly, the use of telephonic hotlines for employees to communicate concerns about accounting or auditing issues is far more prevalent in North America than in other regions.

How often does your organization conduct surprise audits within the organization?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Quarterly | 33% | 20% | 23% |
| Annually | 15% | 19% | 16% |
| As needed | 35% | 40% | 37% |
| Never | 9% | 16% | 20% |
| Don’t know | 8% | 5% | 4% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Quarterly | 15% | 32% | 41% | 44% | 11% |
| Annually | 14% | 27% | 14% | 28% | 8% |
| As needed | 49% | 33% | 35% | 26% | 42% |
| Never | 18% | 6% | 7% | 1% | 30% |
| Don’t know | 4% | 2% | 3% | 1% | 9% |

KEY FACTS

48%: Large companies that conduct surprise audits at least annually

Most companies like to believe that they have a highly ethical culture. Many find out the hard way that their culture isn’t as rock solid as they believed it was. Better to burst your own bubble by proactively examining culture, fraud and compliance risk than to have the DOJ or the SEC burst it for you.

— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic

Being Vigilant — Addressing Corruption and Performing Due Diligence

Third parties, or vendors, present a heightened level of risk to organizations. However, overall, just under one in five companies reports that they have a high level of confidence about third-party oversight.

As detailed in the 2017 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti, vendor risk management activities and programs are improving in organizations overall.[4] But the results from that study, as well as this survey, underscore the point that organizations have a significant way to go to achieve optimal vendor risk management and oversight.

Most organizations in our survey align with the U.S. DOJ and the SEC’s hallmarks of effective compliance programs by conducting due diligence on business intermediaries,[5] such as agents, distributors, consultants and subcontractors, prior to onboarding them in the organization. However, it is vital that investigative due diligence[6] efforts be nuanced and risk-based. Organizations cannot approach this activity through cursory, unstructured online research.

Just One Bad Vendor Relationship Can Lead to Irreversible Damage

Most companies report that they are conducting this category of investigative due diligence. But are they performing the right level of due diligence? Are they applying a risk-based approach with regard to the third parties with which they do business? These organizations should realize they likely have questionable relationships that present substantial risks. The bottom line is that even one bad vendor relationship can create irreversible damage to the organization. Organizations, therefore, need to do a better job conducting investigative due diligence on business intermediaries — including improving how they conduct this due diligence.

To illustrate, there are some remarkable differences among regions and organization size regarding whether a company conducts a corruption risk assessment as part of its due diligence related to an acquisition. Interestingly, a strong majority of organizations in Europe perform a corruption risk assessment, whereas only a minority of companies in North America do so. As expected, more large organizations tend to conduct these risk assessments.

What is the best way to approach due diligence? Adopt a risk-based approach by designating key categories that present the most risk. As part of the due diligence process, cover those categories first in the questionnaire, and perform other research focused specifically on those categories. Essentially, this approach results in prioritizing the most significant risks first, rather than adopting a blanket approach to due diligence.

[4] Study available at www.protiviti.com/vendor-risk.

[5] The term “intermediary” in a third-party context typically refers to an entity that can act on behalf of another company, and those actions can give rise to liability.

[6] “Investigative due diligence” refers to the performance of background investigations of legal entities and their owners and key executives to determine whether there is anything in their backgrounds that would make them unsuitable business partners.

Fostering an Anti-Bribery Culture Within Your Organization

The breadth and depth of authoritative guidance designed to mitigate global bribery and corruption continue to build. Organizations often utilize a compilation of information to establish and evolve their anti-bribery or anti-corruption compliance program. These include, among others, the Organization for Economic Co-Operation and Development’s (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, International Chamber of Commerce’s ICC Rules on Combating Corruption, the U.S. DOJ’s and SEC’s hallmarks of effective compliance programs, and the United Kingdom’s Ministry of Justice’s The Bribery Act of 2010 Guidance about procedures which relevant commercial organizations can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).

In addition, the World Bank Group has published both Integrity Compliance Guidelines and Guidelines on Preventing and Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Projects and Grants, while the Wolfsberg Group has issued Wolfsberg Anti-Bribery and Corruption (ABC) Compliance Programme Guidance intended for use by the “broader financial services industry.”

Now, with the International Organization of Standardization’s (ISO) release of ISO 37001:2016 — Anti-Bribery Management Systems, companies can seek certification of their anti-bribery program if they meet ISO’s requirements for “establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.” This anti-bribery standard is applicable to all organizations — regardless of industry and corporate structure — and is intended to help foster an anti-bribery culture within an organization.

Indeed, each of the guidance documents referenced above cites the importance of ethical competencies and commitment to a strong corporate culture as integral to mitigating this common type of fraud found in today’s global marketplace.

On a scale of 1 to 5, where “5” indicates a high level of confidence and “1” indicates little or no confidence, rate your level of confidence that your organization has effective oversight of third parties.

Company Size (Annual Revenue)

| | Higher level of confidence (4-5) | Lower level of confidence (1-3, don’t know) |
|---|---|---|
| Large companies | 68% | 32% |
| Midsize companies | 51% | 49% |
| Small companies | 55% | 45% |

Region

| | Higher level of confidence (4-5) | Lower level of confidence (1-3, don’t know) |
|---|---|---|
| Asia-Pacific | 48% | 52% |
| Europe | 66% | 34% |
| India | 81% | 19% |
| Latin America/South America | 74% | 26% |
| North America | 40% | 60% |

Large companies in North America appear to have a much higher level of confidence in effective oversight of third parties compared to midsize and small companies. However, in assessing the results by region, North American firms have far lower confidence levels than firms in Europe, India and Latin America/South America.

Does your organization conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 87%

Midsize companies 69%

Small companies 71%

Region

Europe 66% Asia-Pacific North America 70% 71% India 90% Latin America/ South America 83%

Does your organization include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 89%

Midsize companies 81%

Small companies 80%

Region

Europe 76% Asia-Pacific North America 79% 83% India 92% Latin America/ South America 91%

Does your organization have the ability to distinguish between foreign government agencies, state-owned companies, public international organizations and private enterprises among its customer base? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 83%

Midsize companies 71%

Small companies 76%

Region

Europe 78% Asia-Pacific North America 69% 71% India 89% Latin America/ South America 87%

Does your organization categorize third parties according to risk? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 73%

Midsize companies 59%

Small companies 55%

Region

Europe 68% Asia-Pacific North America 46% 54% India 78% Latin America/ South America 79%

IF YES: Which of the following activities does your organization perform? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Assign risk based upon a variety of factors | 58% | 65% | 62% |
| Perform escalating levels of investigative due diligence based upon assigned risk level | 64% | 53% | 55% |
| Focus on a single high-risk category for third party (such as sales agents) | 49% | 40% | 38% |
| Perform investigative research in-house | 34% | 34% | 43% |
| Perform the same level of due diligence or screening for all categories of third party | 36% | 31% | 40% |

Region

Asia- Latin America/ North 2016 Europe India Pacific South America America

Assign risk based upon a variety of factors 66% 65% 61% 61% 57%

Perform escalating levels of investigative due diligence based upon assigned risk level 57% 53% 61% 57% 56%

Focus on a single high-risk category for third party (such as sales agents) 45% 45% 53% 50% 26%

Perform investigative research in-house 34% 43% 37% 40% 36%

Perform the same level of due diligence or screening for all categories of third party 39% 36% 43% 46% 26%

It is somewhat surprising that, compared to large companies, a higher percentage of midsize and small companies assign risk based upon a variety of factors instead of one. Close to a majority of large companies focus on a single high-risk category for third parties, suggesting these organizations may be adopting a view of third-party risk that is too myopic.

KEY FACTS

Organizations that perform the following activities as part of investigative due diligence:

Check a variety of watchlists (e.g., OFAC, politically exposed persons (PEPs), debarments) 47%

Check corporation registrations 44%

Perform internet research 43%

Search public records 40%

Search negative news (English-speaking sources) 29%

Search negative news (non-English-speaking sources) 23%

No investigative due diligence is performed in the organization 8%

Who performs the work associated with investigative due diligence? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| All investigative work performed in-house | 50% | 40% | 42% |
| Watchlists, negative media, internet research performed in-house | 47% | 34% | 36% |
| More comprehensive investigative work performed by investigative firm | 39% | 30% | 33% |
| All investigative work outsourced | 34% | 28% | 28% |

Region

Asia- Latin America/ North 2016 Europe India Pacific South America America

All investigative work performed in-house 47% 45% 46% 45% 40%

Watchlists, negative media, internet research performed in-house 38% 45% 51% 45% 27%

More comprehensive investigative work performed by investigative firm 27% 43% 51% 48% 18%

All investigative work outsourced 21% 45% 41% 49% 12%

When acquiring a company, does your organization conduct a corruption risk assessment during the acquisition due diligence process? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 74%

Midsize companies 56%

Small companies 58%

Region

Europe 71% Asia-Pacific North America 41% 53% India 76% Latin America/ South America 90%

Do your hiring practices include an examination as to whether candidates are family members or associates of government officials? (Shown: “Yes” responses)

Company Size (Annual Revenue)

Large companies 73%

Midsize companies 60%

Small companies 59%

Region

Europe 66% Asia-Pacific North America 49% 65% India 71% Latin America/ South America 82%

Which of the following additional steps does your organization take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organizations? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Pre-approval requirements before paying for gifts, meals or entertainment | 68% | 51% | 49% |
| Enhanced contract provisions | 63% | 52% | 47% |
| Advanced anti-corruption training for select personnel | 59% | 50% | 44% |
| Prohibitions against hiring of family members of employees of this category of customers | 35% | 33% | 38% |

Region

Asia- Latin America/ North 2016 Europe India Pacific South America America

Pre-approval requirements before paying for gifts, meals or entertainment 59% 50% 65% 54% 49%

Enhanced contract provisions 47% 57% 65% 54% 46%

Advanced anti-corruption training for select personnel 48% 57% 51% 64% 38%

Prohibitions against hiring of family members of employees of this category of customers 37% 33% 33% 53% 33%

With regard to corruption risk assessments, hiring practices that include examinations of cases where candidates are family members or associates of government officials, and mitigating elevated risks associated with state agencies and organizations, North American-based organizations lag notably behind companies in other regions.

Reporting, Investigation and Corrective Action

Principle 4 of COSO’s FRM Guide states: “The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.” Further, one of the hallmarks of effective compliance programs as promulgated by the U.S. DOJ and the SEC is confidential reporting and internal investigation.

Organizations that do not properly consider and document the various channels by which the need for an internal investigation comes to light and/or do not follow written procedures for the performance of internal investigations are at risk of failing to undertake investigative activities that are proportionate to the allegations at hand. Not only does that lead to the risk of not conducting a productive internal investigation, but it also can give rise to concerns that the company is not applying a consistent standard of care in its investigative processes. That, in turn, can call into question whether that inconsistency is simply a by-product of a poorly designed process or a calculated effort to hold some people accountable but not others.

Overall, more than one in five organizations conducted between six and 20 investigations in the previous year. While you would expect those same organizations to have well-defined, consistently applied investigative procedures in place, the reality is that many organizations allow the facts at hand — or even common psychological biases — to dictate the investigative steps that follow, and those steps are left to the discretion of the investigators themselves.

While there are many very talented and experienced investigators working in-house at organizations across the globe, the lack of documented policies and procedures that govern investigative processes can expose the company to a broad range of issues, including, but not limited to, views that the organization’s culture and institutional justice are flawed and prone to favoritism, or that internal investigations are performed in such a way as to raise questions about their independence and the inconsistent application of disciplinary actions. That is why confidential reporting and internal investigation is a hallmark of effective compliance programs. Without a well-defined and documented process, it would be very difficult for an outside party such as a regulator or law enforcement agency to conclude that an ethics and compliance program meets the definition of effective.

Recently, guidance issued by the U.S. DOJ has placed a great deal of emphasis on the performance of root cause analysis. In addition, another hallmark of effective compliance programs is continuous improvement: periodic testing and review. What is being said in various ways is that once a problem comes to light and is investigated, the investigation and subsequent remediation need to carefully consider not just the “what” of what happened but also the “why,” the “how” and the “by whom.” Answering these questions will provide the company with insights into cultural breakdowns: how things happened; what deficiencies in the control environment were exposed by the fraud; and how the pattern of fraud, corruption or misconduct was allowed to continue undetected. These shortcomings then can be translated into substantive changes to the controls, both detective and preventive, that will lessen the likelihood of a recurrence. A fraud risk management program must be in a constant state of evolution with new threats being addressed and lessons learned being applied.

Five Most Common Root Causes or Control Breakdowns That Allow Fraud Incidents to Occur (Source: Top five responses from all survey participants)

1. Internal collusion
2. Collusion with third parties
3. Inadequate internal controls
4. Deliberate override of internal controls
5. Undisclosed conflicts of interest

What level of involvement does your organization’s audit committee have in the investigation of alleged fraud or misconduct?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 61% | 57% | 58% |
| On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 21% | 25% | 25% |
| The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 8% | 11% | 8% |
| Don’t know. | 10% | 7% | 9% |

Region

Asia- Latin America/ North 2016 Europe India Pacific South America America

The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. 57% 60% 67% 75% 46%

On at least a quarterly basis, the audit committee is informed of all allegations being investigated. 25% 25% 27% 15% 27%

The audit committee is only informed of investigations involving accounting, auditing and internal control matters. 14% 6% 5% 6% 12%

Don’t know. 4% 9% 1% 4% 15%

KEY FACTS

The most common corrective actions taken by companies after an investigation involving employees:

Disciplinary action 32%

Termination 18%

Training 15%

New internal controls 10%

Reassignment 7%

KEY FACTS

Organizations that have received and investigated five or fewer allegations of fraud or misconduct over the past three years 29%

Organizations that have received and investigated six to 20 allegations of fraud or misconduct over the past three years 22%

In Closing

The importance of corporate culture is garnering an unprecedented amount of media and organizational attention, and yet, there has not been an equal amount of introspection or root cause analysis as to what has led to some of the more noteworthy fraud and misconduct cases occurring in the last year. Understanding the interplay between fraud, corruption and corporate culture — and the controls necessary to mitigate ethical failures — can accelerate efforts to affect positive organizational change and process improvements.

In today’s business environment, executives need to ask themselves this question: Do we want to be viewed as leaders of ethical business practices, or are we willing to risk being the latest headline involving a toxic culture that ultimately results in embarrassing — and costly — fraud and misconduct?

Private sector companies in today’s world face extraordinary challenges. The results of this year’s survey shed light on a particularly perplexing challenge; namely, creating and maintaining a strong corporate environment that prevents and deters fraud. Key findings from respondents around the globe demonstrate that many companies, large and small, have much work to do in crafting a strong organizational culture to keep fraud from occurring. Many organizations indicate their fraud risk strategies are weakly defined and that resources dedicated to fraud risk can be scarce. Only one in three organizations are confident they have strong fraud control policies in place — a troubling finding. These and other results underscore the dire need for corporations to embrace a more proactive position in managing fraud risk across the board to build a stronger corporate culture.

— Donald J. Rebovich, Ph.D., Coordinator, Fraud and Financial Crimes Investigation Programs, Utica College

Survey Demographics

Position

Chief Audit Executive 13%

Chief Executive Officer 12%

Audit Manager 10%

Audit Staff 10%

Chief Information Officer 9%

Chief Financial Officer 7%

Audit Director 4%

Chief Risk Officer 4%

Chief Operating Officer 4%

Chief Compliance Officer 3%

Board Member/Audit Committee Member 3%

Chief Security Officer 3%

Business Unit Control Leader 2%

Corporate Controller 2%

Corporate Security Director 2%

General Counsel 1%

Other 11%

Industry

Financial Services 15%

Manufacturing 14%

Technology 14%

Government 6%

Consumer Products 5%

Services 4%

CPA/Public Accounting/Consulting Firm 4%

Retail 3%

Insurance (excluding Healthcare – Payer) 3%

Education 3%

Healthcare – Provider 3%

Oil and Gas 2%

Distribution 2%

Real Estate 2%

Telecommunications 2%

Utilities 2%

Life Sciences/Biotechnology/Pharmaceuticals 2%

Not-for-profit 2%

Mining 1%

Hospitality 1%

Power and Utilities 1%

Healthcare – Payer 1%

Media 1%

Other 7%

Financial Services Industry — Size of Organization (by Assets Under Management in U.S. Dollars)

More than $250 billion 14%

$50 billion - $250 billion 15%

$25 billion - $50 billion 8%

$10 billion - $25 billion 10%

$5 billion - $10 billion 20%

$1 billion - $5 billion 16%

Less than $1 billion 17%

Size of Organization (Outside of Financial Services) — by Gross Annual Revenue in U.S. Dollars

$20 billion or greater 9%

$10 billion - $19.99 billion 10%

$5 billion - $9.99 billion 10%

$1 billion - $4.99 billion 23%

$500 million - $999.99 million 19%

$100 million - $499.99 million 18%

Less than $100 million 11%

Type of Organization

Private 48%

Public 31%

Private, but planning an IPO within the next 12 months 5%

Not-for-profit 4%

Government (non-U.S.) 3%

Educational institution 3%

Government (U.S.) 3%

Public international organization 1%

Other 2%

Organization Headquarters

North America 43%

Europe 20%

Asia-Pacific 13%

Latin America/South America 12%

India 10%

Middle East 1%

Africa 1%

ABOUT UTICA COLLEGE

Utica College, founded in 1946, is a comprehensive private institution offering bachelor’s, master’s and doctoral degree programs. The college, located in upstate central New York, approximately 90 miles west of Albany and 50 miles east of Syracuse, currently enrolls over 4,400 students in 44 undergraduate majors, 30 minors, 21 graduate programs and a number of pre-professional and special programs.

ABOUT UTICA COLLEGE’S ECONOMIC CRIME AND JUSTICE STUDIES DEPARTMENT

Utica College’s Economic Crime and Justice Studies (ECJS) Department offers a suite of programs at the undergraduate and graduate levels, as well as two research centers and the Economic Crime and Cybersecurity Institute (ECCI).

Our faculty is truly interdisciplinary, and faculty members have worked at private financial services companies, state law enforcement agencies, local courts and government agencies, and have founded their own companies. At the undergraduate level, we educate our students to be investigators — whether the evidence they are reviewing is fingerprints, numbers on a spreadsheet or digital code. We have an innovative curriculum consisting of three programs: criminal justice, economic crime investigation and cybersecurity. Students are grounded in a liberal arts core along with criminology and relevant law classes. Specialty classes, rigorous writing expectations and a capstone internship are defining features of our programs. At the graduate level, we train students in the latest best practices to manage the security of economic and digital information.

Our ECCI is a unique organization of professionals and academics that provides thought leadership on economic crime and cybersecurity issues faced by business and government. We have two research centers that examine the latest trends in identity theft, economic fraud and cybercrime. The Center for Identity Management and Information Protection (CIMIP) is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation and legislation, working toward a more secure homeland. The Northeast Cybersecurity and Forensics Center (NCFC) is a partnership of academic, government and private sector resources that collaborate to provide cutting-edge research, development and service in the fields of digital forensics and cybersecurity.

CONTACTS

Donald Rebovich, Ph.D.: +1.315.792.3231

Bernard L. Hyman, Jr., J.D.: +1.315.792.3813

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ABOUT PROTIVITI FORENSIC

Protiviti’s Forensic consultants help organizations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.

Understanding organizational vulnerabilities and establishing an appropriate framework to identify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.

Our Forensic professionals assist organizations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level — from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.

Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.

PROTIVITI CONTACTS

Brian Christensen, Executive Vice President, Global Internal Audit: +1.602.273.8020

Scott Moritz, Managing Director and Global Lead, Protiviti Forensic: +1.212.603.8356

UNITED STATES
Kelly Sherman: +1.212.603.5416
James Gallo: +1.212.603.8320
Peter Grupe: +1.212.399.8613
Robert Hennigan: +1.646.428.8231
Pamela Verick: +1.703.299.3539
Diane Walker: +1.212.603.8388

AUSTRALIA
Adam Christou: +61.03.9948.1200

BELGIUM
Jaap Gerkes: +31.6.1131.0156

BRAZIL
Raul Silva: +55.11.2198.4200

CANADA
Ram Balakrishnan: +1.647.288.8525

CHINA (HONG KONG AND MAINLAND CHINA)
Albert Lee: +852.2238.0499

FRANCE
Bernard Drui: +33.1.42.96.22.77

GERMANY
Michael Klinger: +49.69.963.768.155

INDIA
Sanjeev Agarwal: +91.99.0332.4304

ITALY
Alberto Carnevale: +39.02.6550.6301

JAPAN
Yasumi Taniguchi: +81.3.5219.6600

MEXICO
Roberto Abad: +52.55.5342.9100

MIDDLE EAST
Sanjeev Agarwal: +965.2295.7770

THE NETHERLANDS
Jaap Gerkes: +31.6.1131.0156

SINGAPORE
Sidney Lim: +65.6220.6066

UNITED KINGDOM
Lindsay Dart: +44.207.389.0448


© 2018 Utica College. All rights reserved. © 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0618-101107