Does your fraud risk management program actually work, in practice?

2022-06-09

Author: Vincent M. Walden

Translated into Chinese by ACFE China; please give prior notice before reprinting.


Global anti-fraud and compliance enforcement is on the rise, and regulators want proof that fraud risk management programs are effective. Here we look at some of the hard questions organizations need to ask and some examples of how companies have updated their systems to tackle fraud in the post-COVID environment.

As the new year dawned, Susan felt good about what she and her team had accomplished in 2021 with their fraud risk management program. As the head of internal audit and investigations at a mid-sized manufacturing company, she was confident her program aligned to the five principles described in the ACFE/COSO Fraud Risk Management Guide (FRMG). But now, a few months into the new year, Susan is struggling to find a solid, data-driven answer for her chief compliance officer and chief financial officer, who are asking how the program is actually working, in practice.

Supply-chain issues, new hybrid working models (with many employees working remotely) and other changes to the business environment brought on by the COVID-19 pandemic have altered her company’s fraud risk landscape. How can Susan ensure her program is relevant; and, even more important, how can she and her team measurably demonstrate anti-fraud and compliance effectiveness via key performance indicators? Susan and her company are fictional, but these are dilemmas currently on the minds of many anti-fraud and compliance professionals and their organizations.

Leading guidance provides framework

As CFEs, we come from many different disciplines: accounting, internal audit, law, compliance, law enforcement, finance, government and business, to name a few. Each of these disciplines has its own guidance on mitigating fraud risks.

Perhaps best known to CFEs and anti-fraud practitioners is the aforementioned FRMG. COSO’s Fraud Risk Task Force is currently updating the FRMG, with an expected release later this year. COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, generally sets forth the expectations for an effective internal controls environment. (See “Innovation Update,” by Vincent M. Walden, Fraud Magazine, November/December 2021.)

In the legal and compliance arena, practitioners often look to the U.S. Department of Justice’s (DOJ) “Evaluation of Corporate Compliance Programs (Updated June 2020),” which carries some weight as it’s what prosecutors use, in part, to decide on an offending organization’s culpability and potential penalties.

Kara Brockmeyer, a partner with Debevoise & Plimpton LLP and former chief of the SEC Enforcement Division’s FCPA Unit, advises clients on how to improve their anti-fraud and anti-corruption programs and points to 10 key questions from the above DOJ guidance. I’ve collaborated with Brockmeyer in the past to organize some of the DOJ guidance’s key questions that focus on how organizations can measurably demonstrate the effectiveness of a compliance/anti-fraud program. She’s summarized them in the following chart. As you read them, ask yourself: “How well can my organization answer these questions?”

CATEGORY | DOJ'S QUESTION

Risk assessment
"Is the periodic review limited to a 'snapshot' in time or based upon continuous access to operational data and information across functions?" (Based on page 3 of DOJ guidance.)

Risk management
"What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company's compliance program?" (Based on page 3 of DOJ guidance.)

Incorporating lessons learned
"Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned, either from the company's own prior issues or from those of other companies operating in the same industry and/or geographical region?" (Based on page 4 of DOJ guidance.)

Adequate resources and results tracking
"How has the company collected, tracked, analyzed and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weakness? Does the company periodically test the effectiveness of the hotline; for example, by tracking a report from start to finish?" (Based on page 7 of DOJ guidance.)

Third-party management
"Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks by third-party partners; including the third-party partners' reputations and relationships, if any, with foreign officials." (Based on page 7 of DOJ guidance.)

Third-party management
"Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?" (Based on page 8 of DOJ guidance.)

Third-party management
"Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company's due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date?" (Based on page 8 of DOJ guidance.)

Data resources and access
"Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?" (Based on page 12 of DOJ guidance.)

Continuous improvement, periodic testing
"Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake? How are the results reported and action items tracked?" (Based on page 16 of DOJ guidance.)

Analysis and remediation - transactions
"How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?" (Based on page 17 of DOJ guidance.)

Policies and procedures
"Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?" (Based on page 4 of DOJ guidance.)


Going back to our fictional example, Susan evaluated her own organization in the context of the DOJ questions in the chart and found many couldn’t be fully answered. This was especially a concern with respect to how her company conducted risk assessments and managed third parties. For example, her company conducted extensive due diligence on third parties during the vendor setup process. However, risk indicators, such as contract terms or thresholds for spending were never migrated into the financial accounting system that actually paid and tracked those vendors.

Don’t overlook in-house resources

Fortunately, there’s hope for Susan — and others in her position looking to measurably demonstrate an effective compliance and anti-fraud program. If you have a marketing department, finance department, information technology team or some other business function where the analysis of data requires them to utilize business intelligence, data warehouse or data visualization tools to help them make decisions, you may be able to leverage what’s already in place — without buying expensive software licenses or data warehouses. Whether those resources require major or minor modifications is typically based on the nature and complexity of the business. But in my experience working with a variety of clients in several industries, there are always some “quick-hit” wins and/or cloud-based solutions that you can rapidly deploy to improve transparency and address key fraud risks.

Here are examples of how some organizations are improving and updating their compliance and fraud risk management programs.

Amy Kulikowski is vice president, internal audit for Cooper Standard, a global supplier of sealing and fluid handling systems in transportation and industrial markets. Her team uses scripting (i.e., a programming language that automates certain tasks) and other self-operating tools with their financial accounting/enterprise resource planning (ERP) system to refresh monthly and quarterly data on all global procure-to-pay and T&E spending. Hosted on a secure, third-party, cloud-based analytics platform, their fraud risk management and compliance-monitoring system assesses and monitors hundreds of thousands of payments each month, and ranks thousands of vendors and employees from highest to lowest risk based on over two dozen risk criteria.

Patricia Bradford is chief human resource officer at Elara Caring, a national skilled-home-health-care, hospice-care and personal-care-services organization. She uses scripting and automation tools to gain better insights into her organization’s employee payroll base by integrating over 1,200 distinct payroll files of over 25,000 full- and part-time employees. Working with her IT department and an outside consulting firm, Bradford leveraged the business intelligence tools already used in her organization to build dynamic, risk-scoring and anomaly detection dashboards that flag payments to terminated employees, statistically anomalous payments, potential overtime abuses, repeated hiring and termination patterns and off-cycle disbursements, among many other data-driven tests.
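As an added illustration (not the article's or Elara Caring's own code), the payroll tests this paragraph lists, run over a constructed employee roster and payment file; the biweekly cycle anchor, the z-score threshold and the rehire-count limit are assumed parameters.

```python
from datetime import date
from statistics import mean, pstdev

# Constructed sample data (hypothetical, not a real payroll): employment
# history per employee as (hired, terminated) stints; None = still active.
EMPLOYEES = {
    "E1": [(date(2019, 3, 1), None)],
    "E2": [(date(2020, 1, 6), date(2021, 11, 30))],
    "E3": [(date(2020, 2, 3), date(2020, 6, 30)),
           (date(2020, 9, 7), date(2021, 3, 31)),
           (date(2021, 9, 13), None)],
}
CYCLE_ANCHOR = date(2022, 1, 7)  # assumed biweekly pay schedule anchored on this Friday
PAYMENTS = [  # (employee_id, pay_date, amount), constructed
    ("E1", date(2022, 1, 7), 2400.00),
    ("E1", date(2022, 1, 21), 2400.00),
    ("E1", date(2022, 2, 4), 2450.00),
    ("E2", date(2022, 1, 21), 2600.00),  # disbursed after E2's termination
    ("E3", date(2022, 1, 7), 1800.00),
    ("E3", date(2022, 1, 21), 1800.00),
    ("E3", date(2022, 1, 26), 9500.00),  # off-cycle and far above the norm
]

def is_off_cycle(pay_date):
    """True when a disbursement does not land on a scheduled biweekly pay date."""
    return (pay_date - CYCLE_ANCHOR).days % 14 != 0

def run_tests(employees=EMPLOYEES, payments=PAYMENTS, z_threshold=2.0, max_stints=2):
    """Apply the dashboard-style tests; return (employee_id, iso_date_or_None, reason) flags."""
    flags = []
    amounts = [amt for _, _, amt in payments]
    mu, sigma = mean(amounts), pstdev(amounts)
    for emp_id, pay_date, amount in payments:
        terminated = employees[emp_id][-1][1]  # termination date of the latest stint
        when = pay_date.isoformat()
        if terminated is not None and pay_date > terminated:
            flags.append((emp_id, when, "payment after termination"))
        if is_off_cycle(pay_date):
            flags.append((emp_id, when, "off-cycle disbursement"))
        if sigma and abs(amount - mu) / sigma > z_threshold:
            flags.append((emp_id, when, "statistically anomalous amount"))
    for emp_id, history in employees.items():
        if len(history) > max_stints:  # repeated hire/terminate/rehire cycles
            flags.append((emp_id, None, "repeated hire/termination pattern"))
    return flags

if __name__ == "__main__":
    for flag in run_tests():
        print(flag)
```

On real data the z-score baseline should be computed per pay grade or per employee rather than across the whole file, or a single large outlier inflates the deviation and hides smaller anomalies.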

On a larger scale, who would’ve thought that the world’s biggest beer brewer also has one of the most mature anti-fraud and compliance-monitoring platforms? There isn’t enough room in this column to describe how Anheuser-Busch InBev uses in-house resources across its IT, data science, finance and legal departments to improve transparency in its businesses through its BrewRIGHT platform, but I encourage you to read more in The Wall Street Journal and Harvard Business Review. (See “AB InBev Taps Machine Learning to Root Out Corruption,” by Dylan Tokar, The Wall Street Journal, Jan. 17, 2020; and “Designing a Compliance Program at AB InBev,” by Eugene Soltes, Harvard Business Review, March 28, 2018.) For a visual primer, Dheeraj Thimmaiah, global director, ethics & compliance at Anheuser-Busch InBev, provides a summary of how the BrewRIGHT platform works globally. This is integration and data transparency at its best.

Original article: https://www.fraud-magazine.com/article.aspx?id=4295017119