The refrain “trust, but verify” first entered common parlance in 1980s political talks, but it also has relevance for ethics, compliance training, and fraud prevention. You want to be able to trust all of your colleagues, business partners, and customers, but trust must be earned. Sometimes perpetrators of unethical conduct and outright fraud are those you least expect and among those most invested in the organization’s success.
There are many cases that illustrate this point. For example, criminal charges were filed against Thomas Wiechmann, the former CFO of Reichel Foods, for allegedly spending more than $600,000 on unauthorized purchases with corporate credit cards between 2013 and 2019. In March 2021, he was “discharged for cause,” with the company accusing him of “abusing his position of trust” and “violating his fiduciary duty” by getting financial benefits from Reichel Foods “to which he was not entitled.”
Kelly Richmond Pope, a professor of accounting at DePaul University and a faculty fellow at Surgent, directed and produced the documentary All the Queen’s Horses. It investigates the crime and affluent lifestyle of Rita Crundwell, a formerly trusted comptroller of Dixon, Ill., who stole $53 million of public funds over 20 years and used it to build a highly successful quarter-horse-breeding business.
“Once you start pulling back the layers of how fraud happens at organizations of any size, you notice there’s typically an overreliance on one person who does something really well, and you just let them go do it, and you don’t ask a lot of questions because they own that function,” Pope said. “You’re just happy that they’re on your team. So that can impact the oversight that you have of that person in that function. That’s really what happened in Dixon, which can happen anywhere, so the need for a routine check-up of your internal controls is a universal message.”
Many companies establish compliance policies and internal controls but don’t communicate them to employees regularly or periodically evaluate if updates are needed. A best practice is to review the organization’s code of conduct, mission and ethics statements, compliance policies, and internal controls annually or at least biennially.
“You put them in place, and then you walk away from them—you don’t go back and update or pressure-test them, for example, doing a hackathon and asking your employees or an external service provider, ‘How could you break this? How could you defraud us if you wanted to?’” Pope said. “Many people think, ‘I have a trusted employee’ but not ‘When’s the last time I’ve looked at our internal controls? What did the auditor say? And did I even ask our auditors the right questions to get them to think about fraud in the audit process?’”
THE STATUS QUO TRAP
People can fall into a kind of blindness to fraud risk because “things have always been done this way.” Many of us have a high degree of comfort with the status quo that prevents us from seeing warning signs of unethical conduct.
“People say, ‘Oh, no, we’ve never had any fraud before. We’ve always done business this way,’ so there’s no urgency to scrutinize the policies, procedures, and controls,” Pope said. “But often there are indications that people might be able to look at to say, ‘Maybe we do need to tighten up our compliance, risk management, and internal controls.’”
If your organization hasn’t updated its internal controls or explored what technology is out there to protect against cybercrime and fraud within the past year or two, then that’s a sign there could be vulnerabilities and such a process is overdue. It’s difficult to plan for every eventuality; be proactive about looking for red flags, and educate your staff about signs that fraud has already happened so everyone knows what to look for.
It’s important to instill ethical principles and values that could make a difference if an ethically ambiguous situation or indications of fraud emerge. Prevention is more effective than reacting.
“People have so much on their plate. Sometimes you don’t find out about fraud until it’s too late, but when you replay what happened, there were so many red flags that could have pointed you to it before it was too late,” Pope said. “Our bias and our blinders prevented us from seeing the signs, and we just didn’t want to think the worst of a person or people—if you hear things like, ‘We’ve always done it this way; we’re like a family; we don’t need internal controls because that person manages it,’ those are all telltale famous last words.”
Most organizations should aim to schedule compliance training once a year. Pope recommends presenting various workplace situations and then asking employees behavioral science questions that have an ethical component.
“Compliance training has to be fun; speakers need to use tactics like visual aids and humor to keep an audience engaged,” Pope said. “You need to give people situations so they can get sticky with their thinking and almost see themselves in the scenario that you presented, and that’s why film and storytelling are so powerful, because they allow you to do that—people can empathize with characters in a well-told story.”
The training should have a participatory element to it. Examples include using TED Talks, podcasts, documentaries, articles, and recent case studies. Those are effective prompts to get employees talking about compliance, ethics, and fraud-prevention situations and issues with each other.
“If we can move away from the check-the-box kind of compliance training, where it’s truly engaging in some regard and even enjoyable in some capacity, then we could see more of a change in behavior with internal fraud,” Pope said. “More attention should be placed on it to have richer conversations and then sneak in reminders about some of those rules.”