您的舞弊风险管理计划在实践中是否有效？

As the new year dawned, Susan felt good about what she and her team had accomplished in 2021 with their fraud risk management program. As the head of internal audit and investigations at a mid-sized manufacturing company, she was confident her program aligned to the five principles described in the ACFE/COSO Fraud Risk Management Guide (FRMG). But now, a few months into the new year, Susan is struggling to find a solid, data-driven answer for her chief compliance officer and chief financial officer, who are asking how the program is actually working, in practice.

随着新年的到来，苏珊对自己和她的团队在2021进行了舞弊风险管理计划，感到很高兴。作为一家中型制造公司的内部审计和调查主管，她相信自己的计划符合ACFE/COSO舞弊风险管理指南（FRMG）中描述的五项原则。但现在，新年已经过去了几个月，Susan正在努力为她的首席合规官和首席财务官找到一个可靠的、数据驱动的答案，他们正在询问该计划在实践中是如何运作的。

Supply-chain issues, new hybrid working models (with many employees working remotely) and other changes to the business environment brought on by the COVID-19 pandemic have altered her company’s fraud risk landscape. How can Susan ensure her program is relevant; and, even more important, how can she and her team measurably demonstrate anti-fraud and compliance effectiveness via key performance indicators? Susan and her company are fictional, but these are dilemmas currently on the minds of many anti-fraud and compliance professionals and their organizations.

新冠疫情带来的商业环境、供应链问题、新的混合工作模式（以及许多员工远程工作）以及其他的变化改变了公司的舞弊风险。Susan如何确保她的项目是相关的；更重要的是，她和她的团队如何通过关键绩效指标来衡量反舞弊和合规有效性？Susan和她的公司都是虚构的，但这些都是许多反舞弊和合规专业人士及其组织目前所面临的困境。

Leading guidance provides framework

领先的指南提供了框架

As CFEs, we come from many different disciplines: accounting, internal audit, law, compliance, law enforcement, finance, government and business, to name a few. Each of these disciplines has its own guidance on mitigating fraud risks.

作为舞弊调查师，我们来自许多不同的学科：会计、内部审计、法律、合规、执法、金融、政府和商业等等。这些学科中的每一个都有自己关于降低舞弊风险的指南。

Perhaps best known to CFEs and anti-fraud practitioners is the aforementioned FRMG. COSO’s Fraud Risk Task Force is currently updating the FRMG, with an expected release later this year. COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, generally sets forth the expectations for an effective internal controls environment. (See “Innovation Update,” by Vincent M. Walden, Fraud Magazine, November/December 2021.)

舞弊调查师和反舞弊从业人员最熟悉的可能是上述FRMG。COSO的舞弊风险工作组目前正在更新FRMG，预计将于今年晚些时候发布。COSO是特雷德韦委员会赞助组织委员会的简称，通常规定了对有效内部控制环境的期望。（参见Vincent M. Walden，《舞弊杂志》，2021年11月12月“创新更新”）

In the legal and compliance arena, practitioners often look to the U.S. Department of Justice’s (DOJ) “Evaluation of Corporate Compliance Programs (Updated June 2020),” which carries some weight as it’s what prosecutors use, in part, to decide on an offending organization’s culpability and potential penalties.

在法律和合规领域，从业者通常会参考美国司法部（DOJ）“企业合规计划评估（2020年6月更新）”，该评估具有一定的影响力，因为检察官在一定程度上利用它来决定违规组织的罪责和潜在惩罚。

Kara Brockmeyer, a partner with Debevoise & Plimpton LLP and former chief of the SEC Enforcement Division’s FCPA Unit, advises clients on how to improve their anti-fraud and anti-corruption programs and points to 10 key questions from the above DOJ guidance. I’ve collaborated with Brockmeyer in the past to organize some of the DOJ guidance’s key questions that focus on how organizations can measurably demonstrate the effectiveness of a compliance/anti-fraud program. She’s summarized them in the following chart. As you read them, ask yourself: “How well can my organization answer these questions?”

Kara Brockmeyer是Debevoise & Plimpton LLP的合伙人，也是美国证券交易委员会执法部门反海外腐败法部门的前负责人，她就如何改进客户的反舞弊和反腐败计划向客户提供建议，并指出上述司法部指南中的10个关键问题。过去，我曾与Brockmeyer合作整理美国司法部指南中的一些关键问题，这些问题侧重于各组织如何可以衡量地证明合规/反舞弊计划的有效性。她在下面的图表中总结了它们。当你阅读这些问题时，问问自己：“我的组织能很好地回答这些问题吗？”

Going back to our fictional example, Susan evaluated her own organization in the context of the DOJ questions in the chart and found many couldn’t be fully answered. This was especially a concern with respect to how her company conducted risk assessments and managed third parties. For example, her company conducted extensive due diligence on third parties during the vendor setup process. However, risk indicators, such as contract terms or thresholds for spending were never migrated into the financial accounting system that actually paid and tracked those vendors.

回到我们虚构的例子，Susan在图表中的司法部问题的背景下评估了她自己的组织，发现许多问题无法完全回答。对于她的公司如何进行风险评估和管理第三方，这尤其令人担忧。例如，她的公司在供应商设立过程中对第三方进行了广泛的尽职调查。然而，合同条款或支出门槛等风险指标从未被转移到实际支付和跟踪这些供应商的财务会计系统中。

Don’t overlook in-house resources

不要忽视内部资源

Fortunately, there’s hope for Susan — and others in her position looking to measurably demonstrate an effective compliance and anti-fraud program. If you have a marketing department, finance department, information technology team or some other business function where the analysis of data requires them to utilize business intelligence, data warehouse or data visualization tools to help them make decisions, you may be able to leverage what’s already in place — without buying expensive software licenses or data warehouses. Whether those resources require major or minor modifications is typically based on the nature and complexity of the business. But in my experience working with a variety of clients in several industries, there are always some “quick-hit” wins and/or cloud-based solutions that you can rapidly deploy to improve transparency and address key fraud risks.

幸运的是，Susan和其他处于她这个位置的人有希望以可衡量的方式展示有效的合规和反舞弊计划。如果您有一个营销部门、财务部门、信息技术团队或其他一些业务职能部门，在这些部门中，数据分析需要他们利用商业智能、数据仓库或数据可视化工具来帮助他们做出决策，那么您可能能够利用现有的资源，而无需购买昂贵的软件许可证或数据仓库。这些资源是否需要大的或小的修改通常取决于业务的性质和复杂性。但在我与多个行业的各种客户合作的经验中，总会有一些“快速成功”的胜利和/或基于云的解决方案，您可以快速部署这些解决方案，以提高透明度并解决关键的舞弊风险。

Here are examples of how some organizations are improving and updating their compliance and fraud risk management programs.

以下是一些组织如何改进和更新其合规和舞弊风险管理计划的示例。

Amy Kulikowski is vice president, internal audit for Cooper Standard, a global supplier of sealing and fluid handling systems in transportation and industrial markets. Her team uses scripting (i.e., a programming language that automates certain tasks) and other self-operating tools with their financial accounting/enterprise resource planning (ERP) system to refresh monthly and quarterly data on all global procure-to-pay and T&E spending. Hosted on a secure, third-party, cloud-based analytics platform, their fraud risk management and compliance-monitoring system assesses and monitors hundreds of thousands of payments each month, and ranks thousands of vendors and employees from highest to lowest risk based on over two dozen risk criteria.

艾米·库利科夫斯基（Amy Kulikowski）是库珀标准公司（Cooper Standard）的内部审计副总裁。库珀标准公司是运输和工业市场密封和流体处理系统的全球供应商。她的团队在财务会计/企业资源规划（ERP）系统中使用脚本（即，一种自动执行某些任务的编程语言）和其他自助工具来刷新所有全球采购支付和T&E支出的月度和季度数据。他们的舞弊风险管理和合规监控系统托管在一个安全的、基于云的第三方分析平台上，每月评估和监控数十万笔付款，并根据二十多个风险标准将数千家供应商和员工从最高风险到最低风险进行排名。

Patricia Bradford is chief human resource officer at Elara Caring, a national skilled-home-health-care, hospice-care and personal-care-services organization. She uses scripting and automation tools to gain better insights into her organization’s employee payroll base by integrating over 1,200 distinct payroll files of over 25,000 full- and part-time employees. Working with her IT department and an outside consulting firm, Bradford leveraged the business intelligence tools already used in her organization to build dynamic, risk-scoring and anomaly detection dashboards that flag payments to terminated employees, statistically anomalous payments, potential overtime abuses, repeated hiring and termination patterns and off-cycle disbursements, among many other data-driven tests.

Patricia Bradford是Elara Caring的首席人力资源官。Elara Caring是一家全国家庭保健、临终关怀和个人护理服务组织。她使用脚本和自动化工具，通过整合超过2.5万名全职和兼职员工的1200多个不同的薪资文件，更好地了解公司的员工薪资基础。Bradford与她的IT部门和外部咨询公司合作，利用其组织中已经使用的商业智能工具，在许多其他数据驱动的测试中,构建动态、风险评分和异常检测仪表盘，以标记对被解雇员工的付款、统计异常付款、潜在加班滥用、重复雇佣和终止模式以及非周期付款。

On a larger scale, who would’ve thought that the world’s biggest beer brewer also has one of the most mature anti-fraud and compliance-monitoring platforms? There isn’t enough room in this column to describe how Anheuser-Busch InBev uses in-house resources across its IT, data science, finance and legal departments to improve transparency in its businesses through its BrewRIGHT platform, but I encourage you to read more in The Wall Street Journal and Harvard Business Review. (See “AB InBev Taps Machine Learning to Root Out Corruption,” by Dylan Tokar, The Wall Street Journal, Jan. 17, 2020; and “Designing a Compliance Program at AB InBev,” by Eugene Soltes, Harvard Business Review, March 28, 2018.) For a visual primer, Dheeraj Thimmaiah, global director, ethics & compliance at Anheuser-Busch InBev, provides a summary of how the BrewRIGHT platform works globally. This is integration and data transparency at its best.

在更大范围内，谁会想到这家世界上最大的啤酒酿造商也拥有最成熟的反舞弊和合规监控平台之一？本专栏没有足够的篇幅来描述安海斯-布希英博如何利用其IT、数据科学、财务和法律部门的内部资源，通过其BrewRIGHT平台提高其业务的透明度，但我鼓励您阅读更多《华尔街日报》和《哈佛商业评论》。（参见《华尔街日报》Dylan Tokar 2020年1月17日的“AB InBev利用机器学习根除腐败”；以及《哈佛商业评论》Eugene Soltes 2018年3月28日的“AB InBev设计合规计划”。）安海斯-布希英博（Anheuser-Busch InBev）道德与合规全球总监德拉吉·蒂迈亚（Dheeraj Thimmaiah）总结了BrewRIGHT平台在全球的运作方式。这是集成和数据透明的最佳状态。