Creating a Strong Corporate Culture Begins With Managing Fraud Risk
Assessing the Results of the Latest White-Collar Crime and Fraud Risk Survey
Creating a Strong Corporate Culture Begins With Managing Fraud Risk · 1 · protiviti.com · utica.edu
In Creating a Strong Corporate Culture, “Fraud Risk Management” Is a Bit of a Misnomer
While a strong corporate culture is no paint-by-the-numbers exercise, a number of vital
components must be carefully aligned — namely, ethical behavior, tone at the top, mood in the
middle and attitude at the base. These elements can be seen as similar to a painter selecting
and painstakingly applying just the right mixture of colors and textures to transform the canvas
into a work of art. They are of critical concern in today’s boardroom and C-suite. Companies are
striving to introduce a measure of introspection to better understand the correlation between
culture and ethical failures involving fraud, corruption and misconduct. Key to this movement
toward enhanced levels of organizational maturity are growing efforts to measure culture,
flag warning signs, make control improvements, address gaps, build awareness of fraud and
misconduct risk, and avoid becoming the next headline featuring organizational breakdowns
that can derail brand, reputation and long-term viability.
Given the inverse relationship between culture and
fraud, where a poor culture leads to high rates of fraud,
the results of the latest White-Collar Crime and Fraud
Risk Survey from Utica College and Protiviti reveal some
troubling trends that should raise concerns for boards of
directors and executive leadership.
Culture, fraud and misconduct are inextricably linked.
Poor corporate culture can cause the kind of organizational
inertia and complacency that give rise to a
pattern of unethical behavior and other misdeeds that
may continue unchecked for years, in part because
many in the organization knew or suspected what was
going on but failed to take action. The organization’s
culture either discourages doing the right thing, is
blind to bullying behavior, and/or rewards those who
employ a “win at all costs” attitude. These types of
“open secrets” become fertile ground for fraudulent
and unethical activity.
In fact, while investigating ethical breaches, government
investigators now look more deeply into organizations to
ascertain root causes and what preventive and detective
measures were in place to identify, investigate and report
suspected fraud, bribery or misconduct. Thus, fraud
risk governance, assessment, prevention and detection
practices have never been more critical; they help shine
light on practices and issues that can create the type of
dysfunctional corporate culture in which unethical and
illegal behavior thrive. We assess these and many other
issues in our study.
2 · Protiviti · Utica College
These areas also represent the approaches and leading
practices the Committee of Sponsoring Organizations
of the Treadway Commission (COSO) advocates in
its Fraud Risk Management Guide (FRM Guide) to help
mitigate and prevent improper behavior by employees
seeking greater rewards at the expense of ethics and
compliance with company policies or state and federal
laws.[1] To this end, a key question for organizations to
consider is, “Are we measuring our corporate culture on
a periodic basis?”
The bottom line is that an organization’s posture on fraud
risk can signal problems within its corporate culture.
Executives who downplay the existence of fraud risk,
consistently make business decisions solely on the basis
of revenues without properly considering risk, or allow
incentive compensation to drive inappropriate behavior
are all signs that a company’s approach to fraud risk is no
approach at all. Companies that give lip service to fraud
risk are signaling to their employees and management
that ethical business practices are not a priority — an
ill-conceived posture that can have a toxic ripple effect
and set the stage for an inevitable cultural meltdown.
In our study, we examine the perceptions and actions
underlying fraud risk activities across an array of
organizations and geographies that should serve
as a wake-up call to corporate leaders who allocate
insufficient time and attention to fraud risk due to their
lack of understanding about the close linkage between
weak or nonexistent fraud risk management programs
and a poor corporate culture.
Our survey findings appear to align with “compliance
fatigue” and, to a certain extent, complacency that
many organizations face when they have a seemingly
endless succession of regulatory obligations to meet,
sales goals and revenue targets that are top priorities,
limited budget and resources, and a general lack of
understanding about the potentially devastating impact
that a poor culture and major fraud or corruption matter
can have on a company’s brand, reputation, debt
covenants and market capitalization.
One way to attack such malaise is to better link the
implications of failing to focus on culture to the
potentially devastating outcomes that follow. CEOs,
billionaire venture capitalists, judges and Hollywood
powerhouses are among many who have made dramatic
departures from their roles following allegations of fraud,
corruption and misconduct. Often, the investigations that
follow reveal that problems involving such individuals
were “open secrets” and that if the company had only
sought to evaluate its corporate culture, these matters
might have more quickly surfaced in time to stop the
victimization and prevent further damage to individuals,
companies and their shareholders. Ultimately, linking
the development of a strong corporate culture through
robust fraud risk management to the prevention of
actions that can bring down the organization is sure to
command the attention of the boardroom and C-suite.
We hear from many organizations that obtaining
resources and support from the C-suite to strengthen
culture through a proactive fraud risk management
program is an uphill battle. In fact, though there is
growing understanding about the impact of corporate
culture and the benefits of measuring it, there is
still limited awareness of its linkage with fraud and
misconduct. Perhaps using the results of culture surveys
and tapping into the current climate of moral outrage to
support a more proactive stance in managing fraud risk
is in order. Until then, we will continue to see results like
those in this year’s survey.
[1] Fraud Risk Management Guide, COSO and the Association of Certified Fraud Examiners (ACFE), September 2016: www.coso.org.
Our Key Findings
01 Organizations continue to lag in employing leading practices to build a strong culture — From the frequency of
performing fraud risk assessments to a lack of understanding about the drivers of fraud, organizations must seek
to move away from the continuous loop of responding to one fire after another to a more proactive, strategic and
methodical approach to mitigating organizational fraud and culture breaches.
02 Resources represent a significant challenge in building a strong corporate culture with a clear fraud risk strategy —
More than a third of organizations consider their fraud risk strategy to be weakly defined, with many citing the limited
availability of internal resources as a significant challenge in addressing fraud proactively.
03 Many organizations lack a fraud risk management program, including policies to mitigate fraud — Given
the prevalence of actual and potential fraud issues in organizations and those involving vendor relationships,
as well as the long-term effects on corporate culture, this finding is surprising — and likely disappointing to
shareholders and other key stakeholders. Increasingly, external auditors are paying attention to fraud risk
and internal investigations. In some cases, they will withhold their sign-off pending improvements to the fraud
risk management infrastructure or more thorough investigations, or give qualified opinions when they are
underwhelmed with a company’s approach to fraud and investigations.
04 Third parties represent a significant gap in fraud risk management — Overall, one in three organizations lacks a
high level of confidence as to whether it has effective oversight of third parties. However, third parties account for
a disproportionate number of violations an organization commits, including those related to the Foreign Corrupt
Practices Act (FCPA) and other anti-corruption statutes, cybercrime, vendor fraud, kickbacks, human trafficking,
and data privacy breaches. Most organizations do not allocate sufficient time, energy and resources to understand
and seek to mitigate the myriad issues third parties represent.
Culture is complex and different within every organization and remains largely abstract. However, even though a
company’s culture may be abstract, one thing is clear: developing the right approach for auditing an organization’s
risk culture takes time and careful planning. And for any business, the value of undertaking this process is developing
a better understanding of the cultural causes that create risk — in short, human behaviors.
— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit
Methodology
Utica College and Protiviti partnered to conduct the
White-Collar Crime and Fraud Risk Survey in the
second and third quarters of 2017. This global survey,
conducted online, consisted of a series of questions
grouped into six categories:
• Fraud Risk Governance
• Fraud Risk Assessment
• Fraud Prevention Techniques
• Fraud Detection Techniques
• Corruption
• Reporting, Investigation and Corrective Action
Globally, 748 executives and professionals — including
board members, C-suite executives, general counsel
and chief audit executives (CAEs) — completed our
online questionnaire. All respondents are in a position
to understand their organization’s fraud risk management
capabilities. Survey participants also were asked
to provide demographic information about their titles
and positions and the nature, size and location of
their businesses.
We appreciate the time these individuals invested in
our study.
Because this year’s survey was global, whereas our
prior study (published in 2016) was based on responses
gathered only in the United States, we did not include
comparisons with findings from our prior survey in
this report. However, we would be pleased to provide
any specific year-over-year comparisons upon request,
to the extent such data is available.
All demographic information was provided voluntarily
by our respondents (see page 52).
Notes
This report includes numerous breakdowns of the
survey findings by company size, defined as follows
(all figures are in U.S. dollars):*
Large = Companies with revenues of $10 billion or more
Midsize = Companies with revenues between $100 million and $9.99 billion
Small = Companies with less than $100 million in revenues
* Upon request, Protiviti can provide additional reporting in these broad categories.
Measuring ethical culture may be a confusing concept since culture isn’t an object one can easily quantify.
That said, there are characteristics, behaviors and impressions that can be examined to determine whether a
company is on the right path or whether it has institutionalized bad behavior that, left unchecked, can lead to
ethical failures down the road.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Fraud Risk Governance — Who’s Minding the Store?
First things first: The board of directors, along with
senior management, need to demonstrate their expectations
and commitment to “high integrity and ethical
values regarding fraud risk.”[2] That is a key driver for
developing and maintaining a strong corporate culture.
The concept of fraud risk governance is highlighted
as Principle 1 in COSO’s FRM Guide. To manage fraud
risk effectively, an organization should designate an
executive or other leader with direct ownership of and
responsibility for the fraud risk management program.
Oversight of fraud risk should be active and defined. And
a clear, formal fraud risk strategy should be in place. All
the above actions are part of good fraud risk governance,
but our survey results reveal that many organizations
have significant shortcomings in these areas.
For example, in 16 percent of organizations overall, no
senior management professional is designated with
ownership of and responsibility for fraud risk management
— or, that individual is not known.
In a large percentage of instances involving breakdowns
in corporate culture or in the conduct at the
top or throughout the organization, one or more
fraud-related activities are driving those issues. That
fact should underscore the need for robust fraud risk
management practices, including board oversight and
senior management responsibilities.
The survey results also show that one in five
organizations has a “no fraud here” mentality.
These organizations likely do not perform fraud risk
assessments, which is a critical practice. Another factor
for this mindset could be that the individuals responsible
for conducting these assessments have “day jobs” and
therefore lack time to conduct thorough — or any —
evaluation of fraud risk and corresponding anti-fraud
controls. This behavior creates fertile ground for a poor
corporate culture.
Many Organizations Falling Short on Fraud Risk Policy and Strategy
What also stands out in the results is the small but
meaningful number of organizations that lack active
and defined oversight of fraud risk. The numbers are
slightly smaller for large companies but are still notable.
Of particular note, the percentages are higher among
North American-based organizations.
Also noteworthy is that a substantial percentage of
organizations have a fraud risk strategy that is not
defined clearly. Without a solid understanding of fraud
risks throughout the organization, how can management
express confidence that its control environment
is effective, and that it is focusing on creating a strong
corporate culture?
Another eye-opening finding is that a third of organizations
worldwide appear to lack a formal and documented
fraud control policy. That is despite COSO’s specific
recommendation that organizations have such a policy,
as outlined in its FRM Guide.
KEY FACTS
16%: Organizations overall that have no senior management professional designated with ownership of and responsibility for fraud risk management*
* Includes “Don’t know” responses.
[2] Ibid.
Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organization?
Company Size (Annual Revenue)
| 2016 | Large companies | Midsize companies | Small companies |
| --- | --- | --- | --- |
| Chief Executive Officer | 29% | 17% | 20% |
| Chief Financial Officer | 13% | 13% | 19% |
| Chief Risk Officer | 15% | 13% | 11% |
| Chief Legal Officer or General Counsel | 11% | 9% | 10% |
| Chief Security Officer | 12% | 10% | 7% |
| Internal Audit Director | 5% | 13% | 8% |
| Other | 6% | 7% | 7% |
| No senior management professional is designated with ownership and responsibility for fraud risk management | 4% | 13% | 13% |
| Don’t know | 5% | 5% | 5% |
Region
| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
| --- | --- | --- | --- | --- | --- |
| Chief Executive Officer | 27% | 28% | 32% | 38% | 8% |
| Chief Financial Officer | 11% | 11% | 18% | 11% | 21% |
| Chief Risk Officer | 19% | 13% | 11% | 3% | 13% |
| Chief Legal Officer or General Counsel | 7% | 10% | 4% | 8% | 13% |
| Chief Security Officer | 5% | 17% | 15% | 15% | 4% |
| Internal Audit Director | 10% | 5% | 5% | 5% | 11% |
| Other | 4% | 4% | 5% | 3% | 11% |
| No senior management professional is designated with ownership and responsibility for fraud risk management | 12% | 10% | 9% | 14% | 12% |
| Don’t know | 5% | 2% | 1% | 3% | 7% |
While 4 percent of large companies indicate that no senior management professional is designated
with fraud risk management ownership and responsibility, this figure rises to 13 percent in midsize
and small companies, suggesting the latter group of organizations is seemingly more tolerant of
“absentee leadership” in this critical area.
Which of the following groups in your organization provides active and defined oversight of the organization’s fraud risk? (Multiple responses permitted)
Company Size (Annual Revenue)
| 2016 | Large companies | Midsize companies | Small companies |
| --- | --- | --- | --- |
| Audit committee | 50% | 59% | 48% |
| Risk management committee | 53% | 51% | 39% |
| Board of directors | 44% | 39% | 42% |
| C-level executive(s) | 43% | 37% | 37% |
| No active and defined oversight | 5% | 6% | 12% |
| Don’t know | 4% | 4% | 3% |
| Other | 5% | 7% | 3% |
Region
| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
| --- | --- | --- | --- | --- | --- |
| Audit committee | 58% | 40% | 60% | 46% | 56% |
| Risk management committee | 51% | 60% | 58% | 50% | 33% |
| Board of directors | 42% | 51% | 42% | 56% | 32% |
| C-level executive(s) | 32% | 41% | 51% | 37% | 37% |
| No active and defined oversight | 7% | 7% | 4% | 7% | 11% |
| Don’t know | 3% | 2% | 0% | 1% | 6% |
| Other | 2% | 3% | 3% | 4% | 7% |
A significant number of organizations, particularly small and North American-based companies,
lack active and defined oversight of fraud risk.
On a scale of 1 to 5, where “5” indicates very well-defined and “1” indicates undefined, how would you rate your organization’s fraud risk strategy?
[Bar chart, scale 0% to 100%. Legend: Very well-defined/defined | Less defined/reactive/undefined/don’t know. Bar-to-label pairing is not preserved.]
Company Size (Annual Revenue): Large companies, Midsize companies, Small companies. Bar values: 60% / 40%, 60% / 40%, 72% / 28%.
Region: India, North America, Latin America/South America, Europe, Asia-Pacific. Bar values: 53% / 47%, 72% / 28%, 74% / 26%, 68% / 32%, 65% / 35%.
When scanning national patterns, North American organizations look relatively less concerned
about well-defined risk strategies than do companies in other parts of the world.
Which of the following challenges does your organization face in managing its fraud risk proactively? (Multiple responses permitted)
There is limited availability of internal resources to address fraud risk. 36%
We lack a unified fraud risk management strategy. 28%
We lack proactive fraud risk management. Our focus is on incident response when allegations arise. 28%
Proactive fraud risk management is not a corporate priority. 27%
Fraud and misconduct are not considered “high risks” within the organization. 27%
There is inadequate funding for an anti-fraud program and related initiatives. 21%
Our organization has a “no fraud here” mentality. 20%
Laws and regulations or cultural norms in our non-U.S. locations present unique challenges that we have yet to address. 20%
We do not have a member of senior management who is designated with ownership of and responsibility for fraud risk management. 16%
KEY FACTS
93%: Organizations globally that have a formal and documented code of conduct
67%: Organizations globally that have a formal and documented fraud control policy
An area of concern appears to be the availability of internal resources to address fraud risk
proactively, with more than one in three organizations citing this as a challenge.
COSO Elevates and Evolves Fraud Risk Management Practices
For many organizations, building a strong corporate culture and managing fraud consists of checking boxes and thinking
positive thoughts:
• “We hire good people.”
• “We have a code of conduct.”
• “We comply with Sarbanes-Oxley.”
• “Our hotline does not ring (for serious things).”
• “Fraud simply doesn’t happen here.”
Of course, as forensic professionals and educators, we know this is not enough. COSO knows this, too.
Recognizing the need to both elevate and evolve management’s thinking on the topics of fraud prevention, detection
and deterrence, COSO released its Fraud Risk Management Guide (FRM Guide) in collaboration with the Association
of Certified Fraud Examiners (ACFE) in September 2016. This guidance provides a valuable blueprint of leading
practices and user-friendly templates to help organizations not only correlate, but also actively apply, the five fraud risk
management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide* within the context of the
2013 COSO Internal Control — Integrated Framework.
These principles serve as a universal foundation for fraud risk management programs. They are:
1. Fraud Risk Governance
2. Fraud Risk Assessment
3. Fraud Control Activities
4. Fraud Investigation and Corrective Action
5. Fraud Risk Management Monitoring Activities
Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of
the potential for fraud was explicitly included in the 2013 COSO Framework. Since that time, the identification and
assessment of fraud risk have been focal points of inquiry for internal and external auditors. However, the scope of
management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement
of an organization’s financial statements. In contrast, COSO’s FRM Guide encourages an elevated and evolved
assessment of fraud risk in the context of the organization’s overarching fraud risk management program to achieve
better support of and greater consistency with the overall 2013 COSO Framework.
COSO’s FRM Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear
snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components
and principles. It also outlines unique characteristics for each fraud risk management principle within specific points
of focus. These points are structured similarly to those contained in the 2013 COSO Framework and are useful in
considering the design and operating effectiveness of management’s fraud risk management capabilities. Whether an
organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain
fraud risk management activities, COSO’s FRM Guide provides information that is thorough and thoughtful, and
applicable to various audiences.
Below are some suggestions for utilizing the information and templates included within COSO’s FRM Guide, which can
benefit organizations in pursuit of a “best-in-class” fraud risk management program, as well as those companies that
are simply looking to enhance certain elements of their anti-fraud control activities:
• Map and analyze the fraud risk management process for improvement opportunities.
• Evaluate whether there is proper oversight and assignment of resources for fraud control activities.
• Create or update the organization’s fraud control policy.
• Conduct a survey to understand perceptions about the organization’s culture and fraud risk management capabilities.
• Expand documentation and visualization of the organization’s fraud risk and controls matrix.
• Assess the organization’s list of potential fraud exposures.
• Review the organization’s fraud response plan.
• Implement a data analytics framework.
• Enhance awareness of fraud risk through communication with various organizational constituencies.
COSO’s FRM Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence.
However, it is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment.
Furthermore, there is no “one-size-fits-all” approach to either process; each must be tailored to suit an organization’s
specific operations, objectives, industry, people, geographies and technologies.
Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will
be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and
detect fraud can — and should — evolve with the organization’s internal control framework, and COSO’s FRM Guide
provides a clear road map that can help drive organizations toward excellence in fraud risk management.
* Managing the Business Risk of Fraud: A Practical Guide was jointly published in 2008 by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (The IIA) and ACFE.
Assessing Fraud Risk: A Foundational Component of Corporate Culture and Fraud Risk Management
Patterns of fraud, corruption and misconduct that take
root in organizations are frequently open secrets
among personnel. The fact that organizational assets
are being misused or diverted is often widely known
but perhaps not openly discussed. This phenomenon
gives rise to several questions including, “Why are
these actions not reported?” and “Is it because of fear of
retaliation?” “Failure to report” is a clear symptom of a
poor corporate culture, as is ignoring or silently endorsing
bad behavior because of who is involved or benefiting
from it. For this reason, fraud risk assessments should
be performed to help identify unreported, overlooked or
even “culturally accepted” vulnerabilities and include
consideration of an organization’s corporate culture —
in effect, taking the company’s temperature from an
ethical viewpoint. Seeking to measure corporate
culture can expose an organization’s open secrets
before they devolve into more significant ethical lapses
with serious legal and regulatory consequences.
Fraud risk assessments should be conducted at least
annually, if not more frequently, depending upon shifts
in strategic objectives, organizational changes or the
occurrence of fraud. Overall, most organizations report
that they do this, which is positive. However, significant
numbers of organizations, of all sizes and across regions,
appear to do so less frequently or inconsistently.
A small but notable number of organizations report that
they don’t know who the business owner responsible
for the fraud risk assessment is, or they don’t have a
defined business owner for that process. There should
be a designated owner, of course. But regardless of who
ultimately is responsible for a fraud risk assessment,
the process must involve a broad range of functions
in the organization — internal audit, accounting and
finance, procurement, information technology (IT), risk
management, facilities, research and development
(R&D), and more. This approach enables the fraud risk
assessment to capture the nuances of each organizational
function where fraud has the potential to occur,
along with the potential fraud drivers. That includes
understanding opportunities, incentives, pressures,
attitudes and rationalization to commit fraud within
different groups in the organization.
Also, it is critical for organizations to examine fraud risk
not in pockets or silos, but across the enterprise. Principle
2 of COSO’s FRM Guide specifies that the fraud risk
assessment process should include all appropriate levels
of management along with the resources necessary to
assess fraud risk throughout the enterprise.
Simply put, fraud risk can neither be managed nor
mitigated if it is not understood. Fraud risk assessments
undertaken correctly enhance an organization’s awareness
of the various fraud risks it is facing and allow
it to prioritize efforts to mitigate the most serious areas
of vulnerability.
The fraud risk assessment process, to remain effective
and relevant, also must evolve as personnel, operations,
methodologies and other processes change. Our survey
found that, across organization type and region, “previous
fraud risk assessment results” ranks high among the
frequently used information applied to the assessment
methodology. While the inclusion of this information
is an important data point, no aspect of the fraud risk
assessment should be a cut-and-paste exercise. Indeed,
in a recent publication by the U.S. Department of Justice
(DOJ) (Evaluation of Corporate Compliance Programs), an
11th hallmark of an effective compliance program was
introduced: Analysis and Remediation of Underlying
Misconduct. While this is directed at organizations that
are in the throes of a government investigation, all
organizations should seek to apply lessons learned from
any internal investigations that have been performed
since the last fraud risk assessment. Organizations
should always strive to ensure that their fraud risk
assessment processes are dynamic, are evolving along
with the company’s changing risks and strategic
objectives, and don’t become a rote exercise lacking
meaningful benefit year-over-year.
More Care Needed When Discussing Sensitive Information
Another result in our survey is the low number of organizations
globally that conduct fraud risk assessments
under attorney-client privilege. In North America, for
instance, three in four organizations do not conduct fraud
risk assessments under this privilege. Anecdotally, most
organizations do not even consider the need to do so.
Who within your organization is primarily responsible for conducting your fraud risk assessment?
Company Size (Annual Revenue)
| 2016 | Large companies | Midsize companies | Small companies |
| --- | --- | --- | --- |
| Internal audit | 32% | 46% | 44% |
| Corporate compliance | 20% | 18% | 15% |
| SOX compliance team | 16% | 14% | 9% |
| General counsel/legal | 12% | 9% | 13% |
| Other | 12% | 6% | 10% |
| None of these | 2% | 3% | 7% |
| Don’t know | 6% | 4% | 2% |
Region
| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
| --- | --- | --- | --- | --- | --- |
| Internal audit | 43% | 39% | 52% | 40% | 41% |
| Corporate compliance | 17% | 23% | 17% | 18% | 14% |
| SOX compliance team | 14% | 12% | 12% | 11% | 12% |
| General counsel/legal | 8% | 18% | 6% | 26% | 7% |
| Other | 10% | 4% | 10% | 1% | 14% |
| None of these | 5% | 3% | 3% | 2% | 6% |
| Don’t know | 3% | 1% | 0% | 2% | 6% |
While some organizations make rational business
cases for why they choose not to perform fraud risk
assessments under the attorney-client privilege,
problems sometimes arise in those organizations that
do not even consider doing so. When conducting fraud
risk assessments, root cause analyses of prior internal
investigations (which were probably undertaken
pursuant to the attorney-client privilege), internal
control weaknesses or gaps identified through previous
audits, and other confidential compliance matters may
be discussed. If sensitive information is gathered without
the opportunity for legal counsel to provide advice to the
organization, it could result in a significant problem down
the road if, during litigation, that sensitive information
becomes discoverable.
As our survey results indicate, the fraud risk assessment
process often involves the use of other techniques such as
the review of policies, procedures and training materials,
gathering of public information and industry news,
brainstorming sessions, interviews or group workshops,
process walkthroughs, surveys, and data analytics.
During these activities, candid feedback about business
practices, personnel matters and corporate culture may
be shared. In some cases, indicators of fraud may even be
identified through the use of electronic data interrogation
routines. Organizations likely do not want this material
exposed during litigation. It is therefore imperative
to consider confidentiality, as well as the potential for
conducting the fraud risk assessment under the direction
of counsel for attorney-client privilege purposes, during
planning activities. (See sidebar on page 18 for further
discussion about attorney-client privilege.)
Circling back to the updated 2013 COSO Internal Control
Framework, Principle 8 includes consideration of
three key types of fraud during management’s risk
assessment activities. Interestingly, when asked which
fraud type concerns them the most, respondents
provided a wide range of responses. What stands out
is that while fraudulent nonfinancial reporting is the
type of fraud that happens most often in organizations,
only a small number cited it as the area of greatest
concern. Another point of emphasis is that fraud risk
in many organizations is centered on compliance with
SOX and the concept of materiality. This is a dangerously
narrow way of viewing fraud risk and often leaves a
significant number of potential fraud scenarios out of
the process, some of which can have a negative effect on
the organization, since the statutes being violated do not
use materiality in weighing whether criminal violations
have occurred. Examples of two such categories of
fraud are the bribery of foreign officials and sanctions
violations such as those enforced by the U.S. Office of
Foreign Assets Control (OFAC).
Factors having an impact on fraud risk are highlighted in
the 2013 COSO Framework’s Points of Focus for Principle 8.
While fraud risk factors are shared by all organizations
that experience fraud, the fraud risk assessment
methodology should be a unique process. A holistic view
of fraud includes consideration of potential scenarios
and perpetrators at all levels of the enterprise, as well as
vulnerabilities in all processes and geographic locations
— not only those deemed “in scope” for SOX purposes.
Executed correctly, the fraud risk assessment should not
be a “cookie-cutter” template for a different company
in a different industry offering different products or
services, since it has been specifically tailored to the
company at hand.
How often does your organization conduct a formal fraud risk assessment?
[Figure: stacked bar charts of responses (Quarterly, Annually, As needed, Never, Don’t know), one panel by Company Size (Annual Revenue) for large, midsize and small companies, and one panel by Region for India, North America, Latin America/South America, Europe and Asia-Pacific.]
It is surprising to find a significant percentage of large companies and North American-based
organizations that report not knowing how often the fraud risk assessment is conducted.
How is your organization’s fraud risk assessment process structured within your organization?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Incorporated into our enterprise risk management (ERM) process | 47% | 40% | 38%
Incorporated into our internal audit planning process | 21% | 22% | 26%
Incorporated into our SOX compliance process | 8% | 18% | 13%
Stand-alone | 18% | 12% | 12%
None of these | 2% | 2% | 9%
Don’t know | 4% | 6% | 2%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Incorporated into our ERM process | 42% | 52% | 45% | 48% | 32%
Incorporated into our internal audit planning process | 23% | 15% | 32% | 27% | 25%
Incorporated into our SOX compliance process | 8% | 13% | 2% | 10% | 20%
Stand-alone | 17% | 15% | 17% | 11% | 9%
None of these | 6% | 4% | 4% | 3% | 8%
Don’t know | 4% | 1% | 0% | 1% | 6%
Does your company conduct its fraud risk assessment under attorney-client privilege? (Shown: “Yes” responses)
[Figure: “Yes” percentages by Company Size (Annual Revenue) for large, midsize and small companies, and by Region for North America, Europe, India, Asia-Pacific and Latin America/South America.]
18 · Protiviti · Utica College
Fraud Risk Assessment and Attorney-Client Privilege
As with any internal investigation, a fraud risk assessment may include sensitive matters that potentially involve litigation
or damage to a company’s reputation. There are often compelling reasons for an organization’s assessment team to
report to legal counsel. Some things to consider include:
• In the United States, conversations between an attorney and a client seeking legal advice are considered “privileged
and confidential” and “attorney-client privileged.” Once privilege is established, the information shared between a
client and attorney is largely protected from disclosure to other parties.
• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without fear
of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic accountants
or investigators, participate in the fraud risk assessment or an investigation, their work should be performed at the
direction of lawyers so that their findings are considered attorney work product and are privileged as well.
• It should be made clear that the fraud risk assessment is being conducted to assist legal counsel in providing legal
advice. That includes marking materials as “Privileged and Confidential” and informing interviewees of the legal
purpose of the fraud risk assessment or investigation.
• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the
review with anyone who is not involved in the project, so as not to inadvertently waive the privilege by sharing
information outside of the attorney-client relationship.
• The attorney-client privilege varies widely by country. For any investigations, fraud risk assessments or other projects
that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions, the rules of
those jurisdictions would apply.
Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal
lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions
were of a business, and not a legal, nature.
Legal privilege varies widely from one country to the next, and these decisions are best made in consultation with
attorneys who have a deep understanding of the various jurisdictions in which the company is operating and whether
and to what extent the fraud risk assessment can be undertaken pursuant to the attorney-client privilege.
It’s important for companies to understand the interrelationship between internal investigations that were
performed at the direction of counsel and the company’s fraud risk. Reviewing those investigations could
constitute an inadvertent waiver of privilege. Plus, during the course of a fraud risk assessment, people
sometimes share information about past or ongoing fraud or misconduct that could give rise to legal liability.
Performing fraud risk assessments pursuant to the attorney-client privilege can add a layer of protection to
sensitive information that was gathered during the course of the project.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Does your fraud risk assessment team include members from different departments? (Shown: “Yes” responses)
[Figure: “Yes” percentages by Company Size (Annual Revenue) for large, midsize and small companies, and by Region for North America, Europe, India, Asia-Pacific and Latin America/South America.]
IF YES: Which departments participate in the fraud risk assessment team? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Internal audit | 73% | 72% | 70%
Accounting/finance | 65% | 62% | 63%
Legal | 61% | 57% | 63%
Risk management | 68% | 50% | 56%
Compliance | 54% | 50% | 44%
Operations | 48% | 41% | 51%
Corporate security | 45% | 46% | 42%
Human resources | 44% | 39% | 46%
External consultants | 20% | 17% | 25%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Internal audit | 64% | 63% | 78% | 64% | 84%
Accounting/finance | 68% | 47% | 53% | 63% | 80%
Legal | 48% | 53% | 59% | 65% | 72%
Risk management | 58% | 65% | 67% | 51% | 50%
Compliance | 44% | 45% | 51% | 32% | 61%
Operations | 42% | 43% | 41% | 45% | 58%
Corporate security | 40% | 49% | 45% | 43% | 43%
Human resources | 44% | 34% | 41% | 41% | 51%
External consultants | 24% | 20% | 35% | 28% | 15%
Organizations in Latin America/South America and Europe are far more likely to include members
from different departments on the fraud risk assessment team than are companies in other
regions, particularly North America.
Which of the following does your company utilize as part of its fraud risk assessment methodology? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Previous fraud risk assessment results | 49% | 55% | 51%
Prior reported concerns and complaints | 49% | 51% | 49%
Data analytics | 53% | 47% | 44%
Prior audits or other reviews conducted at the company | 47% | 44% | 48%
Interviews | 47% | 52% | 42%
Brainstorming sessions | 43% | 42% | 36%
Surveys | 48% | 35% | 36%
Public information about criminal, civil and regulatory cases and complaints | 33% | 31% | 30%
Industry news | 31% | 32% | 25%
Workshops | 35% | 28% | 26%
Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System | 35% | 28% | 24%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Previous fraud risk assessment results | 57% | 46% | 70% | 47% | 52%
Prior reported concerns and complaints | 56% | 44% | 61% | 37% | 53%
Data analytics | 39% | 55% | 62% | 62% | 36%
Prior audits or other reviews conducted at the company | 54% | 32% | 58% | 40% | 53%
Interviews | 38% | 44% | 39% | 42% | 54%
Brainstorming sessions | 35% | 47% | 50% | 35% | 36%
Surveys | 25% | 45% | 45% | 43% | 35%
Public information about criminal, civil and regulatory cases and complaints | 30% | 36% | 32% | 42% | 26%
Industry news | 24% | 31% | 39% | 29% | 26%
Workshops | 42% | 36% | 32% | 42% | 14%
Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System | 25% | 28% | 32% | 27% | 25%
Which one of the following types of fraud is of greatest concern to your organization?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Safeguarding of assets | 24% | 16% | 20%
Management override of controls | 19% | 19% | 19%
Fraudulent financial reporting | 16% | 15% | 16%
Corruption | 10% | 10% | 14%
Illegal acts | 10% | 7% | 7%
Fraudulent nonfinancial reporting | 2% | 7% | 5%
No one type is more concerning than the other | 14% | 20% | 15%
Other/none of these | 5% | 6% | 4%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Safeguarding of assets | 24% | 18% | 25% | 12% | 21%
Management override of controls | 20% | 21% | 20% | 26% | 13%
Fraudulent financial reporting | 12% | 24% | 17% | 17% | 12%
Corruption | 15% | 10% | 9% | 21% | 9%
Illegal acts | 6% | 8% | 3% | 11% | 8%
Fraudulent nonfinancial reporting | 1% | 5% | 2% | 8% | 6%
No one type is more concerning than the other | 18% | 8% | 12% | 3% | 26%
Other/none of these | 4% | 6% | 12% | 2% | 5%
As expected, the safeguarding of assets seems to be a high priority, while corruption appears to be
a lower priority (though more significant for organizations in Latin America/South America).
Does your organization have a fraud risk management (mitigation) program? (Shown: “Yes” responses)
[Figure: “Yes” percentages by Company Size (Annual Revenue) for large, midsize and small companies, and by Region for North America, Europe, India, Asia-Pacific and Latin America/South America.]
IF YES: Who in your organization is responsible for the fraud risk management (mitigation) program?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Chief Compliance Officer | 30% | 42% | 39%
Chief Financial Officer | 28% | 25% | 25%
Chief Audit Executive | 24% | 25% | 26%
Other | 12% | 6% | 8%
Don’t know | 6% | 2% | 2%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Chief Compliance Officer | 48% | 41% | 31% | 31% | 33%
Chief Financial Officer | 23% | 27% | 29% | 24% | 27%
Chief Audit Executive | 15% | 24% | 25% | 41% | 21%
Other | 14% | 6% | 13% | 1% | 12%
Don’t know | 0% | 2% | 2% | 3% | 7%
It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy
organizational culture can derail operations, damage the brand, drive away customers and put a sizable dent in
the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but is
given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t
appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company,
and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific
and necessary.
— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit
Cultivating a Healthy Corporate Culture Through Fraud Prevention
One surprise from the results of our survey is evidence
of the low use of certain primary controls, including
ethics and fraud awareness training, which could help
organizations recognize warning signs and prevent
fraud if they were utilized or provided more frequently.
In the United States, for example, the DOJ and the
Securities and Exchange Commission (SEC) consider
training and continuous advice to be a hallmark of an
effective compliance program, yet a large majority of
organizations do not appear to conduct such training.
Shockingly, even basic measures appear to be falling
short. For instance, a good argument can be made that
every organization should have a code of conduct and
code of ethics, yet more than one in five companies
surveyed do not. Indeed, a code of conduct and compliance
policies and procedures are called out by both
the DOJ and the SEC as hallmarks of an effective
compliance program.
Third- and Fourth-Party Relationships Require More Scrutiny
Several other findings from our survey should raise red
flags for boards and executive leadership seeking to
build a strong corporate culture. For example, less than a
majority of organizations have third-party due diligence
and competitive bidding in place as controls to prevent
fraud; only slightly more than a majority have IT controls,
authority and approval limits, and segregation of
duties (SoD) in place. While some may not view these
measures specifically as fraud controls, they can be
very effective for fraud prevention. That is especially
true for publicly held companies that must comply with
requirements such as SOX in the United States.
The results for third-party due diligence controls are
especially eye-opening, particularly when considering
the extent to which third parties may have access to
personally identifiable information and/or may have
permission to act on behalf of the company. Third
parties can represent a weak link in the organization’s
fraud control structure (as well as security and privacy,
anti-bribery, regulatory compliance, and other areas of
internal control).
Conducting risk-based investigative due diligence of the
organization’s third parties, especially those in particularly
high-risk jurisdictions, as well as fourth parties (i.e.,
the vendor’s vendors or subcontractor’s subcontractors)
should be considered essential.
Authorities May Question Lack of Commitment to Combating Fraud
As noted above, a potential weak link in an organization’s
culture is the frequency of ethics and fraud
awareness training. Our survey results suggest that two
in five organizations conduct this type of training only
annually — or even less frequently.
If the organization lacks a strong commitment to regular
ethics and fraud awareness training, what does that say
about management’s commitment to building a healthy
corporate culture? That is the type of question authorities
could ask during a formal fraud investigation and in
evaluating whether there was an effective compliance
program in place at the time violations were occurring.
When a prosecutor or law enforcement agency concludes
that there was not an effective compliance program in
place, or there were other aggravating circumstances
at the time, the company itself can be charged with
criminal violations, which can have sweeping and often
devastating consequences for the company and
its shareholders.
The U.S. DOJ and the SEC have provided clear guidance
for what they expect of companies when it comes
to effective compliance and ethics programs. One
recommendation is delivering risk-based training,
as compliance policies are not meaningful unless
they are communicated effectively throughout the
organization. COSO also stresses the importance of
regular training in its FRM Guide.
KEY FACTS: 57% of organizations (overall) conduct ethics and fraud risk awareness training.
It is very important for organizations to create processes that support people doing the right thing all the time
and foster a culture where people in the organization know the tone at the top, ensuring that the tone flows all
the way down to middle management and beyond. This is because, in most cases, employees pay more attention
to what their direct supervisors are saying or doing, and less to what the CEO has announced.
— Susan Haseley, Protiviti Executive Vice President, Diversity and Inclusion Initiative Leader
Which of the following primary controls does your organization utilize to prevent fraud? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Code of conduct/Code of ethics | 78% | 81% | 72%
Authority or approval limits | 59% | 63% | 67%
Employee background checks | 56% | 63% | 66%
IT controls | 55% | 58% | 63%
Segregation of duties | 54% | 58% | 58%
Ethics or fraud risk awareness training | 64% | 58% | 53%
Third-party due diligence | 41% | 32% | 33%
Competitive bidding | 36% | 32% | 32%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Code of conduct/Code of ethics | 73% | 62% | 78% | 71% | 87%
Authority or approval limits | 68% | 50% | 64% | 45% | 78%
Employee background checks | 60% | 47% | 69% | 56% | 75%
IT controls | 57% | 47% | 58% | 58% | 70%
Segregation of duties | 55% | 37% | 50% | 35% | 81%
Ethics or fraud risk awareness training | 58% | 55% | 56% | 56% | 59%
Third-party due diligence | 30% | 32% | 53% | 19% | 38%
Competitive bidding | 29% | 24% | 38% | 24% | 41%
Europe reflects a lower percentage of firms that have codes of conduct or codes of ethics. North
American firms are notably ahead of other regions in demanding segregation of duties. Compared
to companies in other regions, both European and Latin American/South American firms reflect a
much lower percentage of demanding segregation of duties.
How often does your organization offer ethics and fraud awareness training?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
New hire orientation only | 12% | 12% | 16%
On demand | 27% | 19% | 20%
Semi-annually | 18% | 19% | 17%
Annually | 33% | 36% | 27%
Less than annually | 6% | 6% | 7%
Never | 1% | 5% | 11%
Don’t know | 3% | 3% | 2%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
New hire orientation only | 12% | 13% | 20% | 21% | 11%
On demand | 20% | 34% | 33% | 27% | 8%
Semi-annually | 18% | 25% | 28% | 22% | 10%
Annually | 21% | 20% | 14% | 25% | 49%
Less than annually | 13% | 5% | 3% | 2% | 7%
Never | 16% | 2% | 2% | 1% | 10%
Don’t know | 0% | 1% | 0% | 2% | 5%
With regard to the frequency of ethics and fraud awareness training, the question raised here is
“How often is often enough?” Less than a majority of firms in North America conduct these
trainings every six months or have them available on demand. These percentages are significantly
higher among companies in Europe, India and Latin America/South America. On the other hand,
16 percent of organizations in the Asia-Pacific region never conduct these trainings.
Data Analytics, Fraud Detection and the Path Forward
One of the most notable findings in our survey is that
one-third of organizations lack a fraud detection
program. This begs the question as to what exactly
these organizations are doing to detect the type of
fraudulent acts that can undermine the organization’s
culture or indicate red flags for deep-seated issues.
The absence of a fraud detection program likely indicates
a reactive environment for detecting fraud. Internal
audit and management respond to fraud issues that arise
but are unable to be proactive in spotting issues early or
identifying potential root causes.
The absence of such a program also suggests organizations
have limited resources and technologies to apply to
fraud detection; thus, they lack alignment with Principle
3 of COSO’s FRM Guide. This principle focuses on
preventive and detective control activities designed to
mitigate the occurrence — and longevity — of fraud risk
events. Timely discovery of fraud risk events is a critical
component of a well-designed fraud risk management
program and the lack of a program calls into question
the ability of such organizations to fully achieve risk
mitigation under the 2013 COSO Framework.
Few Firms Using Data Analysis for Fraud Detection
One in five organizations reports that they do not use
any form of data analysis to detect fraud proactively. The
numbers are better for large organizations, but those
operating in regions such as North America and
Asia-Pacific fare worse. These results are not surprising,
however. Business records in many organizations
still exist in a manual state. Companies may want to
incorporate forensic data analysis to identify potential
red flags and fraud indicators, but they can’t if their
information resides in boxes rather than a digital state.
These results generally mirror the findings of Protiviti’s
2018 Internal Audit Capabilities and Needs Survey,
which show that about one-third of organizations
do not use data analysis or analytics in their internal
audit functions.[3]
Most organizations are still in the early stages of using
data analytics. Furthermore, many are likely performing
only the most basic form of analytics. This was borne
out in the findings of Protiviti’s internal audit survey.
Few internal audit groups are employing current high-end
technologies or artificial intelligence (AI), or even
computer-assisted audit tools (CAATs), which could boost
effectiveness and efficiency significantly.
Factors limiting the use of data analysis include dated
legacy systems in the organization, as well as the absence
of a data warehouse. Also, most organizations have few
employees who are trained to use new technologies and
AI to perform forensics and analytics.
[3] Analytics in Auditing Is a Game Changer, Protiviti, 2018: protiviti.com/IAsurvey.
Does your organization have a fraud detection program? (Shown: “Yes” responses)
[Figure: “Yes” percentages by Company Size (Annual Revenue) for large, midsize and small companies, and by Region for North America, Europe, India, Asia-Pacific and Latin America/South America.]
When it comes to fraud detection, North American companies appear to be significantly behind
organizations in other regions.
IF YES: Who in your organization is responsible for the fraud detection program?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Chief Compliance Officer | 24% | 38% | 38%
Chief Audit Executive | 34% | 36% | 34%
Chief Financial Officer | 38% | 23% | 27%
Don’t know | 4% | 3% | 1%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Chief Compliance Officer | 42% | 39% | 32% | 34% | 26%
Chief Audit Executive | 31% | 35% | 29% | 40% | 34%
Chief Financial Officer | 27% | 26% | 39% | 25% | 31%
Don’t know | 0% | 0% | 0% | 1% | 9%
One cannot manage that which cannot be measured. If firms focused on enhancing access to their own legacy data
systems so that disparate data sources were converted into consistent, timely and reliable information, the return on
this investment would be enormous. Advanced analytics, such as machine learning, deep learning and AI, performed
on this newly reliable data, will enable firms to measure historical fraud, predict potential future fraud occurrences
and manage fraud risk appropriately. That, in turn, will significantly strengthen corporate culture.
— Shaheen Dil, Protiviti Managing Director, Global Leader, Data Management and Advanced Analytics
Does your organization actively utilize forensic data analysis to identify potential red flags and fraud indicators (i.e., fraud detection techniques)?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 41% | 34% | 23%
Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 30% | 31% | 32%
Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 15% | 15%
No, we do not utilize data analysis to detect fraud proactively. | 8% | 17% | 26%
Don’t know. | 8% | 3% | 4%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. | 27% | 38% | 45% | 30% | 21%
Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. | 36% | 36% | 28% | 54% | 20%
Yes, on demand only. Data is extracted manually from various systems that are queried. | 13% | 12% | 14% | 9% | 20%
No, we do not utilize data analysis to detect fraud proactively. | 22% | 12% | 11% | 6% | 31%
Don’t know. | 2% | 2% | 2% | 1% | 8%
North American-based organizations appear to lag considerably behind companies in other
regions in utilizing forensic data analysis.
Which of the following procedures has your organization established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Telephonic hotline | 61% | 54% | 50%
Electronic mailbox | 61% | 48% | 45%
Website | 56% | 54% | 39%
“Chain-of-command” reporting | 47% | 42% | 47%
Designated management | 36% | 33% | 43%
Designated board member | 33% | 18% | 27%
No formal reporting mechanism exists | 6% | 6% | 9%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Telephonic hotline | 42% | 32% | 41% | 48% | 76%
Electronic mailbox | 48% | 55% | 60% | 56% | 40%
Website | 31% | 47% | 49% | 49% | 52%
“Chain-of-command” reporting | 44% | 42% | 41% | 36% | 54%
Designated management | 45% | 40% | 51% | 42% | 32%
Designated board member | 19% | 37% | 38% | 39% | 14%
No formal reporting mechanism exists | 11% | 6% | 5% | 6% | 8%
Interestingly, the use of telephonic hotlines for employees to communicate concerns about
accounting or auditing issues is far more prevalent in North America than in other regions.
How often does your organization conduct surprise audits within the organization?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Quarterly | 33% | 20% | 23%
Annually | 15% | 19% | 16%
As needed | 35% | 40% | 37%
Never | 9% | 16% | 20%
Don’t know | 8% | 5% | 4%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Quarterly | 15% | 32% | 41% | 44% | 11%
Annually | 14% | 27% | 14% | 28% | 8%
As needed | 49% | 33% | 35% | 26% | 42%
Never | 18% | 6% | 7% | 1% | 30%
Don’t know | 4% | 2% | 3% | 1% | 9%
KEY FACTS: 48% of large companies conduct surprise audits at least annually.
Most companies like to believe that they have a highly
ethical culture. Many find out the hard way that their
culture isn’t as rock solid as they believed it was. Better
to burst your own bubble by proactively examining
culture, fraud and compliance risk than to have the
DOJ or the SEC burst it for you.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Being Vigilant — Addressing Corruption and Performing Due Diligence
Third parties, or vendors, present a heightened level of
risk to organizations. However, overall, just under one
in five companies reports that they have a high level of
confidence about third-party oversight.
As detailed in the 2017 Vendor Risk Management Benchmark
Study from the Shared Assessments Program
and Protiviti, vendor risk management activities and
programs are improving in organizations overall.[4] But
the results from that study, as well as this survey, underscore
the point that organizations have a significant
way to go to achieve optimal vendor risk management
and oversight.
Most organizations in our survey align with the U.S.
DOJ and the SEC’s hallmarks of effective compliance
programs by conducting due diligence on business
intermediaries,[5] such as agents, distributors, consultants
and subcontractors, prior to onboarding them in the
organization. However, it is vital that investigative
due diligence[6] efforts be nuanced and risk-based.
Organizations cannot approach this activity through
cursory, unstructured online research.
Just One Bad Vendor Relationship Can Lead to Irreversible Damage
Most companies report that they are conducting this
category of investigative due diligence. But are they
performing the right level of due diligence? Are they
applying a risk-based approach with regard to the third
parties with which they do business? These organizations
should realize they likely have questionable relationships
that present substantial risks. The bottom line
is that even one bad vendor relationship can create
irreversible damage to the organization. Organizations,
therefore, need to do a better job conducting investigative
due diligence on business intermediaries — including
improving how they conduct this due diligence.
To illustrate, there are some remarkable differences
among regions and organization size regarding whether
a company conducts a corruption risk assessment
as part of its due diligence related to an acquisition.
Interestingly, a strong majority of organizations in
Europe perform a corruption risk assessment, whereas
only a minority of companies in North America do so.
As expected, more large organizations tend to conduct
these risk assessments.
What is the best way to approach due diligence? Adopt
a risk-based approach by designating key categories
that present the most risk. As part of the due diligence
process, cover those categories first in the questionnaire,
and perform other research focused specifically on
those categories. Essentially, this approach results in
prioritizing the most significant risks first, rather than
adopting a blanket approach to due diligence.
[4] Study available at www.protiviti.com/vendor-risk.
[5] The term “intermediary” in a third-party context typically refers to an entity that can act on behalf of another company, and those actions can give rise to liability.
[6] “Investigative due diligence” refers to the performance of background investigations of legal entities and their owners and key executives to determine whether there is anything in their backgrounds that would make them unsuitable business partners.
Fostering an Anti-Bribery Culture Within Your Organization
The breadth and depth of authoritative guidance designed to mitigate global bribery and corruption continue to build.
Organizations often utilize a compilation of information to establish and evolve their anti-bribery or anti-corruption
compliance program. These include, among others, the Organization for Economic Co-Operation and Development’s
(OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, International Chamber of Commerce’s ICC
Rules on Combating Corruption, the U.S. DOJ’s and SEC’s hallmarks of effective compliance programs, and the United
Kingdom’s Ministry of Justice’s The Bribery Act of 2010 Guidance about procedures which relevant commercial organizations
can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).
In addition, the World Bank Group has published both Integrity Compliance Guidelines and Guidelines on Preventing and
Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Projects and Grants, while the Wolfsberg Group
has issued Wolfsberg Anti-Bribery and Corruption (ABC) Compliance Programme Guidance intended for use by the “broader
financial services industry.”
Now, with the International Organization for Standardization’s (ISO) release of ISO 37001:2016 — Anti-Bribery Management
Systems, companies can seek certification of their anti-bribery program if they meet ISO’s requirements for “establishing,
implementing, maintaining, reviewing and improving an anti-bribery management system.” This anti-bribery standard is
applicable to all organizations — regardless of industry and corporate structure — and is intended to help foster an
anti-bribery culture within an organization.
Indeed, each of the guidance documents referenced above cites the importance of ethical competencies and commitment
to a strong corporate culture as integral to mitigating this common type of fraud found in today’s global marketplace.
On a scale of 1 to 5, where “5” indicates a high level of confidence and “1” indicates little or no confidence, rate your level of confidence that your organization has effective oversight of third parties.
[Figure: stacked bar charts. Legend: Higher level of confidence (4-5) / Lower level of confidence (1-3, don’t know).
Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 55% / 45%, 51% / 49%, 68% / 32%.
Region: India, North America, Latin America/South America, Europe, Asia-Pacific; values shown: 60% / 40%, 74% / 26%, 81% / 19%, 66% / 34%, 48% / 52%.
The pairing of values with categories is not preserved in this text.]
Large companies in North America appear to have a much higher level of confidence in effective
oversight of third parties compared to midsize and small companies. However, in assessing the
results by region, North American firms have far lower confidence levels than firms in Europe, India
and Latin America/South America.
Does your organization conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 87%, 69%, 71%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 70%, 83%, 66%, 90%, 71%.
The pairing of values with categories is not preserved in this text.]
Does your organization include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 89%, 81%, 80%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 79%, 91%, 76%, 92%, 83%.
The pairing of values with categories is not preserved in this text.]
Does your organization have the ability to distinguish between foreign government agencies, state-owned companies, public international organizations and private enterprises among its customer base? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 83%, 71%, 76%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 69%, 87%, 78%, 89%, 71%.
The pairing of values with categories is not preserved in this text.]
Does your organization categorize third parties according to risk? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 73%, 59%, 55%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 46%, 79%, 68%, 78%, 54%.
The pairing of values with categories is not preserved in this text.]
IF YES: Which of the following activities does your organization perform? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Assign risk based upon a variety of factors | 58% | 65% | 62%
Perform escalating levels of investigative due diligence based upon assigned risk level | 64% | 53% | 55%
Focus on a single high-risk category for third party (such as sales agents) | 49% | 40% | 38%
Perform investigative research in-house | 34% | 34% | 43%
Perform the same level of due diligence or screening for all categories of third party | 36% | 31% | 40%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Assign risk based upon a variety of factors | 66% | 65% | 61% | 61% | 57%
Perform escalating levels of investigative due diligence based upon assigned risk level | 57% | 53% | 61% | 57% | 56%
Focus on a single high-risk category for third party (such as sales agents) | 45% | 45% | 53% | 50% | 26%
Perform investigative research in-house | 34% | 43% | 37% | 40% | 36%
Perform the same level of due diligence or screening for all categories of third party | 39% | 36% | 43% | 46% | 26%
It is somewhat surprising that, compared to large companies, a higher percentage of midsize and
small companies assign risk based upon a variety of factors instead of one. Close to a majority
of large companies focus on a single high-risk category for third parties, suggesting these
organizations may be adopting a view of third-party risk that is too myopic.
KEY FACTS
Organizations that perform the following activities as part of investigative due diligence:
[Figure. Activities: Check a variety of watchlists (e.g., OFAC, politically exposed persons (PEPs), debarments); Perform internet research; Check corporation registrations; Search public records; Search negative news (English-speaking sources); No investigative due diligence is performed in the organization; Search negative news (non-English-speaking sources).
Values shown: 29%, 8%, 23%, 47%, 43%, 44%, 40%.
The pairing of values with activities is not preserved in this text.]
Who performs the work associated with investigative due diligence? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
All investigative work performed in-house | 50% | 40% | 42%
Watchlists, negative media, internet research performed in-house | 47% | 34% | 36%
More comprehensive investigative work performed by investigative firm | 39% | 30% | 33%
All investigative work outsourced | 34% | 28% | 28%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
All investigative work performed in-house | 47% | 45% | 46% | 45% | 40%
Watchlists, negative media, internet research performed in-house | 38% | 45% | 51% | 45% | 27%
More comprehensive investigative work performed by investigative firm | 27% | 43% | 51% | 48% | 18%
All investigative work outsourced | 21% | 45% | 41% | 49% | 12%
When acquiring a company, does your organization conduct a corruption risk assessment during the acquisition due diligence process? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 74%, 56%, 58%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 41%, 90%, 71%, 76%, 53%.
The pairing of values with categories is not preserved in this text.]
Do your hiring practices include an examination as to whether candidates are family members or associates of government officials? (Shown: “Yes” responses)
[Figure. Company Size (Annual Revenue): Large companies, Small companies, Midsize companies; values shown: 73%, 60%, 59%.
Region: North America, Europe, India, Asia-Pacific, Latin America/South America; values shown: 49%, 82%, 66%, 71%, 65%.
The pairing of values with categories is not preserved in this text.]
Which of the following additional steps does your organization take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organizations? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Pre-approval requirements before paying for gifts, meals or entertainment | 68% | 51% | 49%
Enhanced contract provisions | 63% | 52% | 47%
Advanced anti-corruption training for select personnel | 59% | 50% | 44%
Prohibitions against hiring of family members of employees of this category of customers | 35% | 33% | 38%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Pre-approval requirements before paying for gifts, meals or entertainment | 59% | 50% | 65% | 54% | 49%
Enhanced contract provisions | 47% | 57% | 65% | 54% | 46%
Advanced anti-corruption training for select personnel | 48% | 57% | 51% | 64% | 38%
Prohibitions against hiring of family members of employees of this category of customers | 37% | 33% | 33% | 53% | 33%
With regard to corruption risk assessments, hiring practices that include examinations of cases
where candidates are family members or associates of government officials, and mitigating elevated
risks associated with state agencies and organizations, North American-based organizations lag
notably behind companies in other regions.
Reporting, Investigation and Corrective Action
Principle 4 of COSO’s FRM Guide states: “The organization
establishes a communication process to obtain
information about potential fraud and deploys a coordinated
approach to investigation and corrective action to
address fraud appropriately and in a timely manner.”
Further, one of the hallmarks of effective compliance
programs as promulgated by the U.S. DOJ and the SEC
is confidential reporting and internal investigation.
Organizations that do not properly consider and
document the various channels by which the need for
an internal investigation comes to light and/or do not
follow written procedures for the performance of internal
investigations are at risk of failing to undertake
investigative activities that are proportionate to the
allegations at hand. Not only does that lead to the risk of
not conducting a productive internal investigation, but
it also can give rise to concerns that the company is
not applying a consistent standard of care in its investigative
processes. That, in turn, can call into question
whether that inconsistency is simply a by-product of
a poorly designed process or a calculated effort to hold
some people accountable but not others.
Overall, more than one in five organizations conducted
between six and 20 investigations in the previous year.
While you would expect those same organizations to
have well-defined, consistently applied investigative
procedures in place, the reality is that many organizations
allow the facts at hand — or even common
psychological biases — to dictate the investigative
steps that follow, and those steps are left to the discretion
of the investigators themselves.
While there are many very talented and experienced
investigators working in-house at organizations across
the globe, the lack of documented policies and procedures
that govern investigative processes can expose
the company to a broad range of issues, including, but
not limited to, views that the organization’s culture and
institutional justice are flawed and prone to favoritism,
or that internal investigations are performed in such
a way as to raise questions about their independence
and the inconsistent application of disciplinary actions.
That is why confidential reporting and internal investigation
is a hallmark of effective compliance programs.
Without a well-defined and documented process, it would
be very difficult for an outside party such as a regulator
or law enforcement agency to conclude that an ethics and
compliance program meets the definition of effective.
Recently, guidance issued by the U.S. DOJ has placed a
great deal of emphasis on the performance of root cause
analysis. In addition, another hallmark of effective
compliance programs is continuous improvement:
periodic testing and review. What is being said in
various ways is that once a problem comes to light and is
investigated, the investigation and subsequent remediation
need to carefully consider not just the “what” of
what happened but also the “why,” the “how” and the
“by whom.” Answering these questions will provide
the company with insights into cultural breakdowns:
how things happened; what deficiencies in the control
environment were exposed by the fraud; and how the
pattern of fraud, corruption or misconduct was allowed
to continue undetected. These shortcomings then can be
translated into substantive changes to the controls, both
detective and preventive, that will lessen the likelihood
of a recurrence. A fraud risk management program must
be in a constant state of evolution with new threats
being addressed and lessons learned being applied.
Five Most Common Root Causes or Control Breakdowns That Allow Fraud Incidents to Occur (Source: Top five responses from all survey participants)
1. Internal collusion
2. Collusion with third parties
3. Inadequate internal controls
4. Deliberate override of internal controls
5. Undisclosed conflicts of interest
What level of involvement does your organization’s audit committee have in the investigation of alleged fraud or misconduct?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 61% | 57% | 58%
On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 21% | 25% | 25%
The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 8% | 11% | 8%
Don’t know. | 10% | 7% | 9%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 57% | 60% | 67% | 75% | 46%
On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 25% | 25% | 27% | 15% | 27%
The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 14% | 6% | 5% | 6% | 12%
Don’t know. | 4% | 9% | 1% | 4% | 15%
KEY FACTS
The most common corrective actions taken by companies after an investigation involving employees:
[Figure. Actions: Disciplinary action, Training, Termination, New internal controls, Reassignment. Values shown: 32%, 18%, 15%, 10%, 7%. The pairing of values with actions is not preserved in this text.]
KEY FACTS
Organizations that have received and investigated five or fewer allegations of fraud or misconduct over the past three years: 29%
Organizations that have received and investigated six to 20 allegations of fraud or misconduct over the past three years: 22%
In Closing
The importance of corporate culture is garnering an
unprecedented amount of media and organizational
attention, and yet, there has not been an equal amount of
introspection or root cause analysis as to what has led to
some of the more noteworthy fraud and misconduct cases
occurring in the last year. Understanding the interplay
between fraud, corruption and corporate culture — and
the controls necessary to mitigate ethical failures — can
accelerate efforts to affect positive organizational change
and process improvements.
In today’s business environment, executives need to ask
themselves this question: Do we want to be viewed as
leaders of ethical business practices, or are we willing to
risk being the latest headline involving a toxic culture
that ultimately results in embarrassing — and costly —
fraud and misconduct?
Private sector companies in today’s world face extraordinary challenges. The results of this year’s survey
shed light on a particularly perplexing challenge; namely, creating and maintaining a strong corporate
environment that prevents and deters fraud. Key findings from respondents around the globe demonstrate
that many companies, large and small, have much work to do in crafting a strong organizational culture to
keep fraud from occurring. Many organizations indicate their fraud risk strategies are weakly defined and
that resources dedicated to fraud risk can be scarce. Only one in three organizations are confident they have
strong fraud control policies in place — a troubling finding. These and other results underscore the dire need
for corporations to embrace a more proactive position in managing fraud risk across the board to build a
stronger corporate culture.
— Donald J. Rebovich, Ph.D., Coordinator, Fraud and Financial Crimes Investigation Programs, Utica College
Survey Demographics
Position
Chief Audit Executive 13%
Chief Executive Officer 12%
Audit Manager 10%
Audit Staff 10%
Chief Information Officer 9%
Chief Financial Officer 7%
Audit Director 4%
Chief Risk Officer 4%
Chief Operating Officer 4%
Chief Compliance Officer 3%
Board Member/Audit Committee Member 3%
Chief Security Officer 3%
Business Unit Control Leader 2%
Corporate Controller 2%
Corporate Security Director 2%
General Counsel 1%
Other 11%
Industry
Financial Services 15%
Manufacturing 14%
Technology 14%
Government 6%
Consumer Products 5%
Services 4%
CPA/Public Accounting/Consulting Firm 4%
Retail 3%
Insurance (excluding Healthcare – Payer) 3%
Education 3%
Healthcare – Provider 3%
Oil and Gas 2%
Distribution 2%
Real Estate 2%
Telecommunications 2%
Utilities 2%
Life Sciences/Biotechnology/Pharmaceuticals 2%
Not-for-profit 2%
Mining 1%
Hospitality 1%
Power and Utilities 1%
Healthcare – Payer 1%
Media 1%
Other 7%
Financial Services Industry — Size of Organization (by Assets Under Management in U.S. Dollars)
More than $250 billion 14%
$50 billion - $250 billion 15%
$25 billion - $50 billion 8%
$10 billion - $25 billion 10%
$5 billion - $10 billion 20%
$1 billion - $5 billion 16%
Less than $1 billion 17%
Size of Organization (Outside of Financial Services) — by Gross Annual Revenue in U.S. Dollars
$20 billion or greater 9%
$10 billion - $19.99 billion 10%
$5 billion - $9.99 billion 10%
$1 billion - $4.99 billion 23%
$500 million - $999.99 million 19%
$100 million - $499.99 million 18%
Less than $100 million 11%
Type of Organization
Private 48%
Public 31%
Private, but planning an IPO within the next 12 months 5%
Not-for-profit 4%
Government (non-U.S.) 3%
Educational institution 3%
Government (U.S.) 3%
Public international organization 1%
Other 2%
Organization Headquarters
North America 43%
Europe 20%
Asia-Pacific 13%
Latin America/South America 12%
India 10%
Middle East 1%
Africa 1%
ABOUT UTICA COLLEGE
Utica College, founded in 1946, is a comprehensive private institution offering bachelor’s, master’s and doctoral degree programs. The college, located in upstate central New York, approximately 90 miles west of Albany and 50 miles east of Syracuse, currently enrolls over 4,400 students in 44 undergraduate majors, 30 minors, 21 graduate programs and a number of pre-professional and special programs.
ABOUT UTICA COLLEGE’S ECONOMIC CRIME AND JUSTICE STUDIES DEPARTMENT
Utica College’s Economic Crime and Justice Studies (ECJS) Department offers a suite of programs at the undergraduate and graduate levels, as well as two research centers and the Economic Crime and Cybersecurity Institute (ECCI).
Our faculty is truly interdisciplinary, and faculty members have worked at private financial services companies, state law enforcement agencies, local courts and government agencies, and have founded their own companies. At the undergraduate level, we educate our students to be investigators — whether the evidence they are reviewing is fingerprints, numbers on a spreadsheet or digital code. We have an innovative curriculum consisting of three programs: criminal justice, economic crime investigation and cybersecurity. Students are grounded in a liberal arts core along with criminology and relevant law classes. Specialty classes, rigorous writing expectations and a capstone internship are defining features of our programs. At the graduate level, we train students in the latest best practices to manage the security of economic and digital information.
Our ECCI is a unique organization of professionals and academics that provides thought leadership on economic crime and cybersecurity issues faced by business and government. We have two research centers that examine the latest trends in identity theft, economic fraud and cybercrime. The Center for Identity Management and Information Protection (CIMIP) is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation and legislation, working toward a more secure homeland. The Northeast Cybersecurity and Forensics Center (NCFC) is a partnership of academic, government and private sector resources that collaborate to provide cutting-edge research, development and service in the fields of digital forensics and cybersecurity.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
ABOUT PROTIVITI FORENSIC
Protiviti’s Forensic consultants help organizations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.
Understanding organizational vulnerabilities and establishing an appropriate framework to identify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.
Our Forensic professionals assist organizations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level — from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.
Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.
© 2018 Utica College. All rights reserved. © 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0618-101107
utica.edu protiviti.com