[ISN] The risks of fraud go well beyond SocGen

From: InfoSec News (alerts@private)
Date: Mon Feb 04 2008 - 00:02:12 PST


http://www.ft.com/cms/s/0/a71451e6-d008-11dc-9309-0000779fd2ac.html

By Francis Hounnongandji
FT.com
January 31 2008

The lax internal controls revealed at Societe Generale are not specific 
to that bank, or even to the financial services industry, but are 
endemic throughout the corporate world. The best cure is better 
education and a stronger culture of internal controls among board 
members, senior management and the financial analysts who assess the 
value of companies.

Scandals at companies such as Enron, Barings, WorldCom and Parmalat have 
highlighted the huge losses that can occur through frauds or the 
breakdown of internal controls. At SocGen, the activities of a rogue 
trader triggered a sequence of events that cost the bank €4.9bn ($7.2bn), 
and this does not account for soft costs including the diversion of 
senior management's focus from the day-to-day business, the negative 
impact on the franchise and the blow to employee morale.

In view of such huge losses, it is unbelievable how little interest 
there is in the subject of internal controls among financial analysts, 
shareholders and bondholders, unions and employee organisations, board 
members and senior management. Too many leaders underestimate the risks 
of fraud to their organisations and to the economy.

It is common for internal audit and control teams in many organisations 
to be composed of junior people who are less familiar with complex 
transactions than those they are in charge of scrutinising. Despite 
anti-fraud laws and regulations such as Sarbanes-Oxley in the US, fraud 
risks have actually increased. The absence in Sarbanes-Oxley, the Loi de 
la Sécurité Financière in France and their equivalent in other countries of 
specific guidelines and standards for anti-fraud controls and the lack 
of guidance for measuring their effectiveness render the exercise fuzzy.

Companies have a cosmetic interest in complying with these regulations, 
as nobody wants to be seen to have failed to obtain the required 
certification. However, while the costs of the internal controls and 
anti-fraud systems are visible to most organisations' management, the 
benefits are less obvious. Incoherent and sub-optimal internal control 
systems implemented by many companies have left loopholes that 
fraudsters can exploit.

The imposition of so many laws and regulations has created its own 
problem, as this has led to a string of audit visits and inspections and 
a mountain of paperwork that has come to be seen as an administrative 
burden. Little has been done to explain to businesses why effective 
internal controls and anti-fraud programmes add value to organisations 
by improving productivity and providing a competitive edge. In the 
meantime, technologies and information systems are more complex, as are 
the companies' transactions. At the same time, loyalty between employees 
and employers is in decline, increasing the chances of fraud.

In the heat of the debate, there are demands for more and tougher 
regulations on the financial services industry. With the shock provoked 
by the losses at SocGen, it would be easy, at least in France, to push 
hasty laws and regulations on to an industry on the defensive. But the 
cure is not extra laws and regulations, but more sensible ones with 
specific guidance and measurement standards, better understood and 
consistently applied by organisations.

How to make existing laws and regulations more practical should be the 
primary focus. In due course, mandatory awareness of internal controls 
should be required for board members, senior management and financial 
analysts. A minimum level of knowledge of internal controls should be 
required for all audit committee members. Whenever possible, 
knowledgeable internal control and anti-fraud experts should be hired by 
companies to implement risk-assessment and fraud prevention measures. 
Anti-fraud processes and tools implemented to prevent management 
overriding internal control systems should be disclosed in the annual 
report, as a clarification to the requirements of Sarbanes-Oxley laws, 
the Loi de Sécurité Financière in France and their equivalents.

We must avoid an overreaction. What organisations require are smarter 
controls, integrated into the culture and the business model of the 
organisations and commensurate with their risk profiles. We need to be 
consistently proactive. This, not more regulation, is the way to plug 
the holes in the corporate armour.

-=-

The writer is president of the French chapter of the Association of 
Certified Fraud Examiners. He is also chief executive of Allied Business 
Controls, the corporate governance and financial advisory firm.

Copyright The Financial Times Limited 2008

