The now-infamous fraud scandals that began in the energy sector and spread to other industries sparked a new era of corporate responsibility. It’s true that much of the impetus was driven by the markets, regulators, and other stakeholders—all of whom felt blind-sided in the scandals.
But there was another factor that is equally important in driving companies to rethink their approaches to corporate responsibility. And that’s the fact that well-governed companies, those distinguished by their reputations for integrity, stand to gain a competitive advantage in the market when others falter.
However, developing an approach to fraud risk management that will stand up to the challenges of a rough-and-tumble business environment is no easy task. This is especially true in global industries, such as energy, where the risks can be as diverse as the business itself.
Oil and gas exploration, for example, often takes companies to corners of the world where bribery and corruption represent business as usual. In addition, getting products and services to market can bring in other types of risk, such as improper price fixing, market allocation, or bid rigging. Then there’s accounting for it all at the end of the day, including when to recognize revenue, how to estimate reserves, and what to disclose to investors. All can be dangerous trip wires for energy companies.
To help energy companies address this risk, this article will outline some of the key practices to which leading companies are turning for help in managing fraud risk more effectively.
Creating a framework for managing fraud risk
Fraud is a broad concept that generally refers to an intentional act committed with the intent to secure an improper gain.1 Misconduct is also a broad concept, one that generally refers to violations of laws, regulations, internal policies, or market expectations of ethical business conduct. Either can create risk that can undermine public trust and damage a company’s reputation for integrity.
Experience shows us that managing fraud and misconduct risk–and protecting energy companies from their potential damage—requires an effective, business-driven approach. In our opinion, this approach should focus on three key objectives:
- Prevention–reducing the risk of fraud and misconduct from occurring in the first place
- Detection–discovering fraud and misconduct when it occurs
- Response–taking appropriate corrective action and remedy the damage caused by fraud or misconduct
 |
Let’s take a look at each of these three objectives and see how they can work together to provide energy companies with a cohesive approach to managing fraud risk.
Prevention: How can we keep fraud from happening?
The best way to manage fraud and misconduct is to prevent them from occurring in the first place. Doing so requires addressing their root causes. These can often be traced to unrealistic business targets coupled with overly aggressive incentives to achieve them. Not surprisingly, some company managers and employees react accordingly and do what they think it takes – whether that’s cheating to win business, cutting costs by cutting corners, or just plain stealing to get ahead.
Protecting against these outcomes doesn’t just happen. This takes focused oversight from the board, the audit committee, and senior management since all three groups are responsible for setting the “tone at the top” in terms of ethical behavior. These groups also share responsibility for ensuring that ethical business practices are supported at the highest levels of organization.
A good place for this leadership and governance to begin is with directors, since it is their fiduciary duty to ensure that organizations have programs and controls in place to address the risk of wrongdoing. It is also the board’s duty to ensure these controls are effective.2 In many cases, the board may delegate principal oversight for fraud and misconduct to a committee, typically the audit committee.
Senior management’s role in this oversight is to help ensure that fraud and misconduct controls remain effective and in line with governmental standards. Senior management also has responsibility for determining the organization’s fraud and misconduct risk management approach.
To help accomplish this, many companies assign direct responsibility for antifraud efforts to a senior leader. This is often a chief compliance officer who works with internal audit staff and designated subject matter experts. The chief compliance officer is responsible for coordinating the organization’s approach to fraud and misconduct prevention, detection, and response. In addition, the organization’s antifraud strategy should also assign responsibilities to other business leaders—such as department heads—who oversee daily operations where risks may arise.
Other considerations leading companies include as part of the protection aspect are:
- Utilizing the internal audit function to help evaluate the design and operating effectiveness of controls
- Assessing fraud and misconduct risk to identify, inventory, rate, and remediate risks
- Establishing a code of conduct to define and communicate the organization’s standards and management’s expectations for integrity
- Emphasizing employee and third-party due diligence to send a clear signal that management expects all work to be done in a manner consistent with the organization’s values and standards
- Offering ongoing communication and training to ensure that all employees are aware of their obligations concerning fraud and misconduct controls.
Detection: The right controls help uncover fraud when it occurs
Many companies and employees acknowledge that fraud risk is already present. One method companies can use to monitor and detect this risk is to provide employees with multiple channels for reporting concerns about fraud or misconduct. This is key so that employees have options for reporting their concerns without fearing retaliation.
Telephone hotlines are often made available and can be used at any time, although they are usually intended for use when the normal channels–such as reporting to a manager—are impractical or ineffective. Establishing a hotline provides employees, and even third parties, with a viable way to:
- Communicate concerns about potential fraud and misconduct, including questionable accounting or auditing matters
- Seek advice before making decisions when the appropriate course of action is unclear.
For most energy companies, auditing and monitoring systems also play an important role in the detection approach. These systems help management determine whether the organization’s fraud and misconduct risk assessment controls are working as intended and they should be developed based on risks identified through the organization’s fraud risk assessment process.
Response: Taking the proper corrective action
As recent history has shown, how a company responds to fraud and misconduct can determine the organization’s very survival. To help ensure they take the right action companies should consider implementing a response approach that includes three steps.
- Investigation. If information about actual or potential fraud and misconduct surfaces, management should react quickly to conduct a comprehensive and objective internal investigation. The goal here is to gather all the facts so management can assess what has happened and decide on a sound course of action. Conducting effective internal investigations will help an organization’s management company address potentially troublesome situations and give them the opportunity to avert potentially intrusive government investigations.
- Enforcement and accountability. A consistent and credible disciplinary system can be an effective control in deterring fraud and misconduct. This is also an important requirement for complying with leading regulatory frameworks. By mandating meaningful sanctions, management can send a signal to both internal and external parties that the organization considers managing fraud and misconduct risk a top priority.
- Corrective action. Once fraud or misconduct has occurred, management should consider taking action that will address any harm that was done. And while publicly disclosing news about fraud and misconduct may be embarrassing to an organization, management may wish to consider this type of action to demonstrate good faith, preempt negative publicity, and help put the matter behind it.
It’s an ongoing process
No energy company can expect to have its fraud and misconduct risk approach up and running immediately. But it is imperative that companies begin working on this ongoing process as soon as possible so that all the pieces of an effective risk management approach can be in place—in time to make a difference if the need arises.
An effective approach is one which helps identify and incorporate tools and actions that will help manage risk in a way that’s consistent with regulatory requirements, the entity’s business needs, and marketplace expectations. Developing such an approach can be achieved in key phases:
- Assessment. Assessing the needs of the organization based on the nature of fraud and misconduct that risk controls are intended to mitigate, as well as determining the adequacy of existing controls.
- Design. Developing controls to prevent, detect, and respond to identified risks in a manner consistent with legal and regulatory criteria and other leading practices.
- Implementation. Deploying a process for implementing the new controls and assigning responsibility to individuals who have the required level of authority, objectivity, and resources to support the process.
- Evaluation. Evaluating the design and operating effectiveness of controls through control self-assessment, substantive testing, routine monitoring, and separate evaluations.
 |
null
The bottom line? There’s no room for complacency
For energy companies, getting it right is especially important since fraud and misconduct issues continue to plague the industry. In fact, a recent KPMG survey found that 78% of employees who worked in the industry observed wrongdoing within their organizations in the prior 12 month period. Almost half of those employees – 43% – believed that what they observed could cause “a significant loss of public trust if discovered.”3
The good news is that it doesn’t have to be this way. The same survey found that employees who work in companies with ethics and compliance programs reported less pressure to engage in misconduct to meet business objectives, more comfort in reporting misconduct if it’s observed, and a greater sense that people on their teams felt motivated and empowered to “do the right thing.”
About the authors
 |
Ginger Menown [gmenown@kpmg.com] is a partner in KPMG LLP’s Forensic Services practice in the Houston office and is the Forensic National Energy Leader. She has more than 17 years’ experience providing services in the investigative and integrity advisory services, dispute advisory, mergers and acquisitions, valuation, financial advisory, and auditing.
 |
Scott Avelino [savelino@kpmg.com] is a principal with KPMG’s Forensic practice in Washington, DC, where he serves as national coordinator of the Fraud Risk Management service line in the United States. In this role, he helps drive the global innovation of firmwide services related to the design, implementation, and evaluation of corporate ethnics and compliance programs and related anti-fraud controls.
1Bryan A. Garner, Editor, Black’s Law Dictionary, Eight Edition, West Group, (2004).
2In re Caremark Int’l Derivative Litig., Del. Ch., 698 A.2d 959 (1996).
3KPMG Integrity Survey 2005-06.