Managing Fraud Risk, Culture, and Skepticism During COVID-19
Monday, April 20, 2020
The COVID-19 pandemic has resulted in unprecedented social and economic paralysis. Most companies have transitioned to an entirely remote workforce, and while existing technologies have facilitated connectivity via cloud computing and video and teleconferencing services, working in this new environment still poses numerous challenges. It is hard to predict the effects this “new normal” will have on operations because even experts can’t say with certainty how long it will take to contain the virus or how long its economic effects will last.
In the past several weeks, much has been written about the wide range of issues that companies are facing as a result of COVID-19. Abundant resources discuss the accounting and reporting implications. The Center for Audit Quality (CAQ) is working to create resources, as well as curate and distill information from regulators, its member firms, and Anti-Fraud Collaboration partners.
This resource is intended to heighten awareness of the risk for fraud and misconduct that might occur inside an organization during, or as a result of, this crisis. Even if most people behave ethically, members of the financial reporting supply chain should review the controls, processes, and procedures that they have in their arsenals: a robust crisis and fraud risk management plan, a healthy dose of skepticism, and a strong culture of integrity.
The Importance of Crisis Planning and Fraud Risk Management
The reality of a crisis is that it often hits when you least expect it. While crises come in many shapes and forms, PwC defines the phenomenon as “a major disruption to multiple functions of the enterprise—and one with the potential to significantly harm your reputation.” It is undeniable that the COVID-19 pandemic is a crisis that has posed extraordinary challenges for companies.
While companies are faced with increased pressure and the urgency to respond to constantly changing facts and communicate effectively with stakeholders, it is even more important now for leaders to reinforce the fundamentals in a visible and working manner. KPMG’s guide to Crisis Prevention and Readiness emphasizes the importance for companies to do the following to successfully respond to a crisis:
- Make it safe for people to do the right thing.
- Monitor culture and incentives enterprise-wide, with healthy skepticism.
- Calibrate board/committee processes and communications for a better line of sight.
- Do not simply have a crisis plan in place—practice it.
Fraud prevention should not be an afterthought in crisis planning and response; it should be the starting point. These are questions for company leadership and the board to consider:
- Is the company reinforcing its code of conduct and policies and procedures?
- Are resources still dedicated to monitoring compliance and the whistleblower hotline?
- Is the company emphasizing a safe environment for employees to speak up?
- Are processes still in place to identify yellow flags and warning signs?
- What gatekeeping functions or internal controls might be compromised that may pose a new risk?
- What measures are being set in place to boost employee morale and prevent culture erosion?
Moreover, crises are often not standalone incidents—one crisis can trigger a series of events that lead to another crisis. PwC’s Global Crisis Survey 2019 reports that one in five companies (20 percent) have experienced a reputational crisis that cascaded into another crisis connected to fraud or ethical misconduct (20 percent) or leadership transition (14 percent). As companies continue to grapple with COVID-19, it will be important to simultaneously keep a keen focus on fraud risk management programs with crisis response plans to deal with this period of disruption and potential ripple effects.
COVID-19 Presents Heightened Fraud Risk
Companies should be giving some thought to what otherwise might not have been top of mind—that their organization is susceptible to fraud, even by employees with good intentions. We find ourselves facing an economic downturn that will impact nearly every industry sector, some more deeply than others. With a significant decrease in expected revenue, businesses will need to turn to cost-cutting measures. For most companies, in all likelihood that will involve a reduction in payroll. What will that mean for the employees still on the job?
Potential sources of pressure, opportunity, and rationalization—the three sides of the fraud triangle—will be present in this economic downturn. While pressure can be a positive force—it can inspire creativity and efficiency—in some situations it can instill fear. Employees will be concerned about the viability of the company and whether it can navigate this unprecedented downturn. One or more employees, from management to staff, might come to believe that falsifying operational or financial information, in the short term, will make the company appear more liquid than it actually is. While investors likely anticipate that companies might not meet quarterly earnings projections, the temptation may still exist to conceal certain losses or embellish financial performance with the expectation that it can be regained in the coming periods. Most frauds start out small and compound over several reporting periods—often referred to as a “slippery slope.”
The first side of the fraud triangle is pressure. Work-from-home mandates can present a unique set of pressures if employees need to balance their job responsibilities with other demands such as homeschooling and caregiving. Reductions in the workforce may prove to be an additional source of pressure if employees are expected to pick up the workload of their colleagues who have been laid off or furloughed.
Employees might also face personal financial pressures. Research has shown that one-quarter of people who commit fraud have experienced financial difficulties. Over 22 million people have filed for unemployment over a four-week period due to the COVID-19 crisis. If a family was dependent on two incomes to meet monthly expenses and one spouse is no longer working, the household member who is still employed might feel pressure to find ways to compensate for the loss. Even otherwise honest employees, under stressful circumstances, might commit fraud. When assessing the risks of managing through a crisis, corporate leaders should consider the pressure that employees are under.
The second side of the fraud triangle is opportunity. For example, companies that have introduced cutbacks in departments, such as internal audit or SOX compliance, may come to realize that they are vulnerable. They might not realize the number and types of changes that need to be made to the design and operation of its internal controls to address changes in risks for areas such as credit and liquidity. Companies should reassess their period-end reporting processes, among other key controls. Employees might find ways to take advantage of these weaknesses. Another area to pay close attention to is management override of controls. Employees may be able to manipulate certain manual processes that could be overlooked in a remote work environment.
The third side of the fraud triangle is rationalization. This allows people to convince themselves that they are not doing anything wrong or that their actions are justified. In some cases, the employee can justify his or her actions because they are altruistic: “I’m doing it for the company.” This would be the case in situations in which the employee falsifies or “tweaks” the numbers to make the company appear to be in a better position than the actual financial performance would otherwise indicate. Personal pressures, including those discussed above, might lead an employee to misappropriate assets by telling himself or herself that “no one will notice,” “I’ll pay it back,” or “it’s not a big deal.” Others might rationalize stealing from their employer because they decide that the company owes it to them.
Could Fraud Happen Here?
It may be difficult for company leaders and managers to contemplate their employees being tempted to commit fraud or engage in misconduct during challenging times, especially when the company and its employees are striving to overcome a crisis together. Yet, with the confluence of these factors—pressure, opportunity, and rationalization—a company needs to be hypervigilant in assessing its fraud risk throughout the prolonged period of uncertainty caused by COVID-19.
Encouraging Skepticism as a Fraud Deterrent
Each member of the financial reporting supply chain plays a role in deterring and detecting fraud and misconduct. Skepticism is a vital tool in the arsenal. External auditors are required by auditing standards to be professionally skeptical—to have a questioning mind, to be alert to conditions that may indicate a possible misstatement due to fraud or error, and to perform a critical assessment of audit evidence. The need to audit remotely because of work-from-home mandates imposed on auditors and their clients does not change that. Auditors assess the risk of fraud throughout the course of the audit engagement as they review evidence. They gather and review not just evidence that confirms what they expected to find, but information that calls into question—or disconfirms—the anticipated results.
The Anti-Fraud Collaboration has stressed the need for not only the auditors themselves but also audit committee members, internal auditors, and financial team members to hone their skepticism skills.
Management’s job is to design, implement, and assess a company’s internal control over financial reporting (ICFR), acknowledging that even if the company promotes a culture of high integrity, the need still exists to recognize that the organization is susceptible to fraud. Even though management is operating in uncharted waters, with multiple demands on time, its members must be proactive in reviewing internal controls during this period—including controls that needed to be changed to accommodate a remote working environment.
Audit committees should also exercise skepticism. There are many unknowns in the current business environment, including how COVID-19 will affect the demand for a company’s products or services. Several financial reporting areas also should be the focus of conversations between the audit committee and management. Committee members should ask follow-up questions and continue to probe until they are satisfied that they understand new or heightened areas of risks and the decisions that management is making to address those risks.
Internal auditors should have an impartial and unbiased attitude, making skepticism critical to their role. They have intimate knowledge of the company’s culture, operations, and internal controls. The Institute of Internal Auditors (IIA) Professional Standards specifically require internal auditors to, among other activities, evaluate the probability of fraud, be able to identify red flags, and be alert to opportunities for fraud, such as control deficiencies.
Myriad resources are available to help the different financial reporting supply chain members navigate the current circumstances. The list of considerations below is not intended to be all inclusive, but rather to provide a starting point for discussions among management, the board, internal audit, and external audit as each deals with the risks that present themselves as a result of COVID-19.
- Acknowledge that fraud can occur even in organizations with a strong ethical culture and reassess your company’s risk profile in this new environment.
- Identify how mandated working from home may impact the ICFR environment and take steps to make necessary changes or updates in the design and implementation of controls that respond to existing or new risks—and assess their effectiveness.
- Remind teams that skepticism is a key component of culture—that the expectation should be that all levels of management will question and challenge results with the intent of confirming that corporate standards of ethics and accuracy have been met, particularly during these stressful times.
Boards and Audit Committees:
- Ask probing questions about how the company is revising its risk management program to address the challenges that have emerged due to COVID-19, including potential opportunities or incentives for financial reporting fraud.
- Do not forget to focus on the risk of management override of controls.
- Leverage internal and external auditors as key resources.
- Review the engagement plan and make necessary adjustments to priorities to support the heightened risk of fraud.
- Explore The IIA’s COVID-19 Resource Exchange for risk guidance, tools, events, articles, and blogs to help internal auditors manage the important role that they play in dealing with the challenges posed by the pandemic.
- Review the Public Company Accounting Oversight Board’s COVID-19 Spotlight, which states that the risk assessment “is not a discrete phase of the audit, but rather a continual and iterative one.” The current business environment may require review and/or revision of previous risk assessments to consider how COVID-19 will impact financial statement areas, including the company’s disclosures.
- Explore the CAQ’s COVID-19 Resource Collection for the latest information to help auditors, management, and audit committees understand the impact of the COVID-19 pandemic on financial reporting and oversight.
Keep Your Eye on Corporate Culture
In addition to putting your crisis plan into practice, corporate culture plays a major role in determining how well an organization navigates its way through and emerges from the other side of a crisis. A culture of integrity should be foundational to a company’s strategy, and companies should continue to focus on how they will keep their employees engaged with their core values and behaviors.
Of the 2,084 respondents surveyed by PwC in its Global Crisis Survey 2019, 59 percent reported that workforce morale was impacted as a result of their company’s worst crisis. During the COVID-19 crisis, we have seen many examples of company management being responsive to employee needs and concerns. This is important, as a strong culture begins with an ethical tone at the top—management is responsible for setting the tone, but just as important, they need to communicate the company’s purpose and ethical values to all levels of the organization.
KPMG’s guide to Crisis Prevention and Readiness offers several questions that are particularly pertinent to risks to a company’s culture in light of COVID-19:
- Do we understand our cultural risks—particularly those associated with tone at the top, incentives, and pressures—and how are we addressing them?
- What pressures are we creating? Are performance metrics and goals realistic?
- What is our zero-tolerance policy?
- Do we consider the reputational implications of what may seem like “financially immaterial” risks?
- Are we sensitive to early warning signs regarding workplace conduct, safety, product quality, and compliance?
- How much information, and what kind of information, does the board require to provide effective oversight in this environment?
A recent report published by the Anti-Fraud Collaboration, Assessing Corporate Culture: A Proactive Approach to Deter Misconduct, shares insights into the importance of assessing culture, as many companies have begun to recognize that measuring and monitoring culture—even in times of stress—should be considered a fundamental component of managing risk. This can be challenging in these times of disruption and uncertainty, but it provides a critical opportunity to address the needs of employees and the potential risks that may be pervading an organization when it is most vulnerable.