Internal Audit, Risk, Business & Technology Consulting
Creating a Strong Corporate Culture Begins With Managing Fraud Risk
Assessing the Results of the Latest White-Collar Crime and Fraud Risk Survey
Creating a Strong Corporate Culture Begins With Managing Fraud Risk · 1protiviti.com
In Creating a Strong Corporate Culture, “Fraud Risk Management” Is a Bit of a Misnomer
While a strong corporate culture is no paint-by-the-numbers exercise, a number of vital
components must be carefully aligned — namely, ethical behaviour, tone at the top, mood in the
middle and attitude at the base. These elements can be seen as similar to a painter selecting and
painstakingly applying just the right mixture of colours and textures to transform the canvas
into a work of art. They are of critical concern in today’s boardroom and C-suite. Companies are
striving to introduce a measure of introspection to better understand the correlation between
culture and ethical failures involving fraud, corruption and misconduct. Key to this movement
toward enhanced levels of organisational maturity are growing efforts to measure culture,
flag warning signs, make control improvements, address gaps, build awareness of fraud and
misconduct risk, and avoid becoming the next headline featuring organisational breakdowns
that can derail brand, reputation and long-term viability.
Given the inverse relationship between culture and
fraud, where a poor culture leads to high rates of fraud,
the results of the latest White-Collar Crime and Fraud
Risk Survey from Utica College and Protiviti reveal
some troubling trends that should raise concerns for
boards of directors and executive leadership.
Culture, fraud and misconduct are inextricably
linked. Poor corporate culture can cause the kind of
organisational inertia and complacency that give
rise to a pattern of unethical behaviour and other
misdeeds that may continue unchecked for years,
in part because many in the organisation knew or
suspected what was going on but failed to take action.
The organisation’s culture either discourages doing
the right thing, is blind to bullying behaviour, and/or
rewards those who employ a “win at all costs”
attitude. These types of “open secrets” become fertile
ground for fraudulent and unethical activity.
In fact, while investigating ethical breaches,
government investigators now look more deeply
into organisations to ascertain root causes and what
preventive and detective measures were in place
to identify, investigate and report suspected fraud,
bribery or misconduct. Thus, fraud risk governance,
assessment, prevention and detection practices
have never been more critical; they help shine light
on practices and issues that can create the type of
dysfunctional corporate culture in which unethical
and illegal behaviour thrive. We assess these and many
other issues in our study.
2 · Protiviti
These areas also represent the approaches and leading
practices the Committee of Sponsoring Organizations
of the Treadway Commission (COSO) advocates
in its Fraud Risk Management Guide (FRM Guide) to
help mitigate and prevent improper behaviour by
employees seeking greater rewards at the expense
of ethics and compliance with company policies or
state and federal laws.1 To this end, a key question for
organisations to consider is, “Are we measuring our
corporate culture on a periodic basis?”
The bottom line is that an organisation’s posture on
fraud risk can signal problems within its corporate
culture. Executives who downplay the existence of fraud
risk, consistently make business decisions solely on the
basis of revenues without properly considering risk, or
allow incentive compensation to drive inappropriate
behaviour are all signs that a company’s approach to
fraud risk is no approach at all. Companies that give lip
service to fraud risk are signaling to their employees
and management that ethical business practices are
not a priority — an ill-conceived posture that can have
a toxic ripple effect and set the stage for an inevitable
cultural meltdown.
In our study, we examine the perceptions and actions
underlying fraud risk activities across an array of
organisations and geographies that should serve
as a wake-up call to corporate leaders who allocate
insufficient time and attention to fraud risk due to
their lack of understanding about the close linkage
between weak or nonexistent fraud risk management
programs and a poor corporate culture.
Our survey findings appear to align with “compliance
fatigue” and, to a certain extent, complacency that
many organisations face when they have a seemingly
endless succession of regulatory obligations to meet,
sales goals and revenue targets that are top priorities,
limited budget and resources, and a general lack of
understanding about the potentially devastating impact
that a poor culture and major fraud or corruption matter
can have on a company’s brand, reputation, debt
covenants and market capitalisation.
One way to attack such malaise is to better link
the implications of failing to focus on culture to
the potentially devastating outcomes that follow.
CEOs, billionaire venture capitalists, judges and
Hollywood powerhouses are among many who have
made dramatic departures from their roles following
allegations of fraud, corruption and misconduct. Often,
the investigations that follow reveal that problems
involving such individuals were “open secrets” and that
if the company had only sought to evaluate its corporate
culture, these matters might have more quickly
surfaced in time to stop the victimisation and prevent
further damage to individuals, companies and their
shareholders. Ultimately, linking the development of
a strong corporate culture through robust fraud risk
management to the prevention of actions that can
bring down the organisation is sure to command the
attention of the boardroom and C-suite.
We hear from many organisations that obtaining
resources and support from the C-suite to strengthen
culture through a proactive fraud risk management
program is an uphill battle. In fact, though there is
growing understanding about the impact of corporate
culture and the benefits of measuring it, there is
still limited awareness of its linkage with fraud
and misconduct. Perhaps using the results of culture
surveys and tapping into the current climate of moral
outrage to support a more proactive stance in managing
fraud risk is in order. Until then, we will continue to see
results like those in this year’s survey.
1 Fraud Risk Management Guide, COSO and the Association of Certified Fraud Examiners (ACFE), September 2016: www.coso.org.
Our Key Findings
01 Organisations continue to lag in employing leading practices to build a strong culture — From the frequency
of performing fraud risk assessments to a lack of understanding about the drivers of fraud, organisations
must seek to move away from the continuous loop of responding to one fire after another to a more proactive,
strategic and methodical approach to mitigating organisational fraud and culture breaches.
02 Resources represent a significant challenge in building a strong corporate culture with a clear fraud risk
strategy — More than a third of organisations consider their fraud risk strategy to be weakly defined, with many
citing the limited availability of internal resources as a significant challenge in addressing fraud proactively.
03 Many organisations lack a fraud risk management program, including policies to mitigate fraud — Given
the prevalence of actual and potential fraud issues in organisations and those involving vendor relationships,
as well as the long-term effects on corporate culture, this finding is surprising — and likely disappointing
to shareholders and other key stakeholders. Increasingly, external auditors are paying attention to fraud
risk and internal investigations. In some cases, they will withhold their sign-off pending improvements to the
fraud risk management infrastructure or more thorough investigations, or give qualified opinions when they
are underwhelmed with a company’s approach to fraud and investigations.
04 Third parties represent a significant gap in fraud risk management — Overall, one in three organisations
lacks a high level of confidence as to whether it has effective oversight of third parties. However, third parties
account for a disproportionate number of violations an organisation commits, including those related to the
Foreign Corrupt Practices Act (FCPA) and other anti-corruption statutes, cybercrime, vendor fraud, kickbacks,
human trafficking, and data privacy breaches. Most organisations do not allocate sufficient time, energy and
resources to understand and seek to mitigate the myriad issues third parties represent.
Culture is complex and different within every organisation and remains largely abstract. However, even though a
company’s culture may be abstract, one thing is clear: developing the right approach for auditing an organisation’s
risk culture takes time and careful planning. And for any business, the value of undertaking this process is
developing a better understanding of the cultural causes that create risk — in short, human behaviours.
— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit
Methodology
Utica College and Protiviti partnered to conduct the
White-Collar Crime and Fraud Risk Survey in the
second and third quarters of 2017. This global survey,
conducted online, consisted of a series of questions
grouped into six categories:
• Fraud Risk Governance
• Fraud Risk Assessment
• Fraud Prevention Techniques
• Fraud Detection Techniques
• Corruption
• Reporting, Investigation and Corrective Action
Globally, 748 executives and professionals — including
board members, C-suite executives, general counsel
and chief audit executives (CAEs) — completed our
online questionnaire. All respondents are in a position
to understand their organisation’s fraud risk management
capabilities. Survey participants also were asked
to provide demographic information about their titles
and positions and the nature, size and location of
their businesses.
We appreciate the time these individuals invested
in our study.
Because this year’s survey was global, whereas our
prior study (published in 2016) was based on responses
gathered only in the United States, we did not include
comparisons with findings from our prior survey in this
report. However, we would be pleased to provide any
specific year-over-year comparisons upon request, to
the extent such data is available.
All demographic information was provided voluntarily
by our respondents (see page 52).
Notes
This report includes numerous breakdowns of
the survey findings by company size, defined as
follows (all figures are in U.S. dollars):*
Large = Companies with revenues of $10 billion or more
Midsize = Companies with revenues between $100
million and $9.99 billion
Small = Companies with less than $100 million
in revenues
* Upon request, Protiviti can provide additional reporting in these broad categories.
Measuring ethical culture may be a confusing concept since culture isn’t an object one can easily quantify.
That said, there are characteristics, behaviours and impressions that can be examined to determine whether
a company is on the right path or whether it has institutionalised bad behaviour that, left unchecked, can
lead to ethical failures down the road.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Fraud Risk Governance — Who’s Minding the Store?
First things first: The board of directors, along with
senior management, need to demonstrate their expectations
and commitment to “high integrity and ethical
values regarding fraud risk.”2 That is a key driver for
developing and maintaining a strong corporate culture.
The concept of fraud risk governance is highlighted
as Principle 1 in COSO’s FRM Guide. To manage fraud
risk effectively, an organisation should designate
an executive or other leader with direct ownership
of and responsibility for the fraud risk management
program. Oversight of fraud risk should be active
and defined. And a clear, formal fraud risk strategy
should be in place. All the above actions are part of
good fraud risk governance, but our survey results
reveal that many organisations have significant
shortcomings in these areas.
For example, in 16 percent of organisations overall,
no senior management professional is designated
with ownership of and responsibility for fraud risk
management — or, that individual is not known.
In a large percentage of instances involving breakdowns
in corporate culture or in the conduct at the
top or throughout the organisation, one or more
fraud-related activities are driving those issues. That
fact should underscore the need for robust fraud risk
management practices, including board oversight and
senior management responsibilities.
The survey results also show that one in five
organisations has a “no fraud here” mentality.
These organisations likely do not perform fraud risk
assessments, which is a critical practice. Another
factor for this mindset could be that the individuals
responsible for conducting these assessments
have “day jobs” and therefore lack time to conduct
thorough — or any — evaluation of fraud risk and
corresponding anti-fraud controls. This behaviour
creates fertile ground for a poor corporate culture.
Many Organisations Falling Short on Fraud Risk Policy and Strategy
What also stands out in the results is the small but
meaningful number of organisations that lack active
and defined oversight of fraud risk. The numbers
are slightly smaller for large companies but are still
notable. Of particular note, the percentages are higher
among North American-based organisations.
Also noteworthy is that a substantial percentage of
organisations have a fraud risk strategy that is not
defined clearly. Without a solid understanding of fraud
risks throughout the organisation, how can management
express confidence that its control environment
is effective, and that it is focusing on creating a strong
corporate culture?
Another eye-opening finding is that a third of
organisations worldwide appear to lack a formal
and documented fraud control policy. That is despite
COSO’s specific recommendation that organisations
have such a policy, as outlined in its FRM Guide.
KEY FACTS
16%: Organisations overall that have no senior management professional designated with ownership of and responsibility for fraud risk management*
* Includes “Don’t know” responses.
2 Ibid.
Who in the ranks of senior management is designated with ownership and responsibility for fraud risk management in your organisation?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Chief Executive Officer | 29% | 17% | 20% |
| Chief Financial Officer | 13% | 13% | 19% |
| Chief Risk Officer | 15% | 13% | 11% |
| Chief Legal Officer or General Counsel | 11% | 9% | 10% |
| Chief Security Officer | 12% | 10% | 7% |
| Internal Audit Director | 5% | 13% | 8% |
| Other | 6% | 7% | 7% |
| No senior management professional is designated with ownership and responsibility for fraud risk management | 4% | 13% | 13% |
| Don’t know | 5% | 5% | 5% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Chief Executive Officer | 27% | 28% | 32% | 38% | 8% |
| Chief Financial Officer | 11% | 11% | 18% | 11% | 21% |
| Chief Risk Officer | 19% | 13% | 11% | 3% | 13% |
| Chief Legal Officer or General Counsel | 7% | 10% | 4% | 8% | 13% |
| Chief Security Officer | 5% | 17% | 15% | 15% | 4% |
| Internal Audit Director | 10% | 5% | 5% | 5% | 11% |
| Other | 4% | 4% | 5% | 3% | 11% |
| No senior management professional is designated with ownership and responsibility for fraud risk management | 12% | 10% | 9% | 14% | 12% |
| Don’t know | 5% | 2% | 1% | 3% | 7% |

While 4 percent of large companies indicate that no senior management professional is
designated with fraud risk management ownership and responsibility, this figure rises to
13 percent in midsize and small companies, suggesting the latter group of organisations is
seemingly more tolerant of “absentee leadership” in this critical area.
Which of the following groups in your organisation provides active and defined oversight of the organisation’s fraud risk? (Multiple responses permitted)

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Audit committee | 50% | 59% | 48% |
| Risk management committee | 53% | 51% | 39% |
| Board of directors | 44% | 39% | 42% |
| C-level executive(s) | 43% | 37% | 37% |
| No active and defined oversight | 5% | 6% | 12% |
| Don’t know | 4% | 4% | 3% |
| Other | 5% | 7% | 3% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Audit committee | 58% | 40% | 60% | 46% | 56% |
| Risk management committee | 51% | 60% | 58% | 50% | 33% |
| Board of directors | 42% | 51% | 42% | 56% | 32% |
| C-level executive(s) | 32% | 41% | 51% | 37% | 37% |
| No active and defined oversight | 7% | 7% | 4% | 7% | 11% |
| Don’t know | 3% | 2% | 0% | 1% | 6% |
| Other | 2% | 3% | 3% | 4% | 7% |

A significant number of organisations, particularly small and North American-based
companies, lack active and defined oversight of fraud risk.
On a scale of 1 to 5, where “5” indicates very well-defined and “1” indicates undefined, how would you rate your organisation’s fraud risk strategy?
[Bar charts: percentage of organisations answering “Very well-defined/defined” versus “Less defined/reactive/undefined/don’t know”.]
Company Size (Annual Revenue): Large companies 72% / 28%; Midsize companies 60% / 40%; Small companies 60% / 40%
[Chart by Region: Asia-Pacific, Europe, India, Latin America/South America, North America]
When scanning national patterns, North American organisations look relatively less concerned
about well-defined risk strategies than do companies in other parts of the world.
Which of the following challenges does your organisation face in managing its fraud risk proactively? (Multiple responses permitted)
There is limited availability of internal resources to address fraud risk. 36%
We lack a unified fraud risk management strategy. 28%
We lack proactive fraud risk management. Our focus is on incident response when allegations arise. 28%
Proactive fraud risk management is not a corporate priority. 27%
Fraud and misconduct are not considered “high risks” within the organisation. 27%
There is inadequate funding for an anti-fraud program and related initiatives. 21%
Our organisation has a “no fraud here” mentality. 20%
Laws and regulations or cultural norms in our non-U.S. locations present unique challenges that we have yet to address. 20%
We do not have a member of senior management who is designated with ownership of and responsibility for fraud risk management. 16%
KEY FACTS
93%: Organisations globally that have a formal and documented code of conduct
67%: Organisations globally that have a formal and documented fraud control policy
An area of concern appears to be the availability of internal resources to address fraud risk
proactively, with more than one in three organisations citing this as a challenge.
COSO Elevates and Evolves Fraud Risk Management Practices
For many organisations, building a strong corporate culture and managing fraud consists of checking boxes and
thinking positive thoughts:
• “We hire good people.”
• “We have a code of conduct.”
• “We comply with Sarbanes-Oxley.”
• “Our hotline does not ring (for serious things).”
• “Fraud simply doesn’t happen here.”
Of course, as forensic professionals and educators, we know this is not enough. COSO knows this, too.
Recognising the need to both elevate and evolve management’s thinking on the topics of fraud prevention, detection
and deterrence, COSO released its Fraud Risk Management Guide (FRM Guide) in collaboration with the Association
of Certified Fraud Examiners (ACFE) in September 2016. This guidance provides a valuable blueprint of leading
practices and user-friendly templates to help organisations not only correlate, but also actively apply, the five fraud
risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide* within the context
of the 2013 COSO Internal Control — Integrated Framework.
These principles serve as a universal foundation for fraud risk management programs. They are:
1. Fraud Risk Governance
2. Fraud Risk Assessment
3. Fraud Control Activities
4. Fraud Investigation and Corrective Action
5. Fraud Risk Management Monitoring Activities
Of these five principles, fraud risk assessment is perhaps the most widely recognised because the consideration
of the potential for fraud was explicitly included in the 2013 COSO Framework. Since that time, the identification
and assessment of fraud risk have been focal points of inquiry for internal and external auditors. However, the
scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material
misstatement of an organisation’s financial statements. In contrast, COSO’s FRM Guide encourages an elevated
and evolved assessment of fraud risk in the context of the organisation’s overarching fraud risk management
program to achieve better support of and greater consistency with the overall 2013 COSO Framework.
COSO’s FRM Guide is both user-friendly and pragmatic in its design. Each chapter is organised to provide a clear
snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components
and principles. It also outlines unique characteristics for each fraud risk management principle within specific points
of focus. These points are structured similarly to those contained in the 2013 COSO Framework and are useful in
considering the design and operating effectiveness of management’s fraud risk management capabilities. Whether
an organisation is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of
certain fraud risk management activities, COSO’s FRM Guide provides information that is thorough and thoughtful,
and applicable to various audiences.
Below are some suggestions for utilising the information and templates included within COSO’s FRM Guide, which
can benefit organisations in pursuit of a “best-in-class” fraud risk management program, as well as those companies
that are simply looking to enhance certain elements of their anti-fraud control activities:
• Map and analyze the fraud risk management process for improvement opportunities.
• Evaluate whether there is proper oversight and assignment of resources for fraud control activities.
• Create or update the organisation’s fraud control policy.
• Conduct a survey to understand perceptions about the organisation’s culture and fraud risk
management capabilities.
• Expand documentation and visualisation of the organisation’s fraud risk and controls matrix.
• Assess the organisation’s list of potential fraud exposures.
• Review the organisation’s fraud response plan.
• Implement a data analytics framework.
• Enhance awareness of fraud risk through communication with various organisational constituencies.
COSO’s FRM Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence.
However, it is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment.
Furthermore, there is no “one-size-fits-all” approach to either process; each must be tailored to suit an organisation’s
specific operations, objectives, industry, people, geographies and technologies.
Finally, it is critical to recognise that fraud is a highly dynamic event. There is no guarantee that an organisation will
be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and
detect fraud can — and should — evolve with the organisation’s internal control framework, and COSO’s FRM Guide
provides a clear road map that can help drive organisations toward excellence in fraud risk management.
* Managing the Business Risk of Fraud: A Practical Guide was jointly published in 2008 by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (The IIA) and ACFE.
Assessing Fraud Risk: A Foundational Component of Corporate Culture and Fraud Risk Management
Patterns of fraud, corruption and misconduct that take
root in organisations are frequently open secrets
among personnel. The fact that organisational assets
are being misused or diverted is often widely known
but perhaps not openly discussed. This phenomenon
gives rise to several questions including, “Why
are these actions not reported?” and “Is it because
of fear of retaliation?” “Failure to report” is a clear
symptom of a poor corporate culture, as is ignoring
or silently endorsing bad behaviour because of who
is involved or benefiting from it. For this reason,
fraud risk assessments should be performed to help
identify unreported, overlooked or even “culturally
accepted” vulnerabilities and include consideration
of an organisation’s corporate culture — in effect,
taking the company’s temperature from an ethical
viewpoint. Seeking to measure corporate culture
can expose an organisation’s open secrets before
they devolve into more significant ethical lapses
with serious legal and regulatory consequences.
Fraud risk assessments should be conducted at least
annually, if not more frequently, depending upon
shifts in strategic objectives, organisational changes
or the occurrence of fraud. Overall, most organisations
report that they do this, which is positive. However,
significant numbers of organisations, of all sizes
and across regions, appear to do so less frequently
or inconsistently.
A small but notable number of organisations report that
they don’t know who the business owner responsible
for the fraud risk assessment is, or they don’t have a
defined business owner for that process. There should
be a designated owner, of course. But regardless of who
ultimately is responsible for a fraud risk assessment,
the process must involve a broad range of functions
in the organisation — internal audit, accounting and
finance, procurement, information technology (IT), risk
management, facilities, research and development
(R&D), and more. This approach enables the fraud risk
assessment to capture the nuances of each organisational
function where fraud has the potential to occur,
along with the potential fraud drivers. That includes
understanding opportunities, incentives, pressures,
attitudes and rationalisation to commit fraud within
different groups in the organisation.
Also, it is critical for organisations to examine fraud
risk not in pockets or silos, but across the enterprise.
Principle 2 of COSO’s FRM Guide specifies that the
fraud risk assessment process should include all
appropriate levels of management along with the
resources necessary to assess fraud risk throughout
the enterprise.
Simply put, fraud risk can neither be managed nor
mitigated if it is not understood. Fraud risk assessments
undertaken correctly enhance an organisation’s awareness
of the various fraud risks it is facing and allow
it to prioritise efforts to mitigate the most serious areas
of vulnerability.
The fraud risk assessment process, to remain effective
and relevant, also must evolve as personnel, operations,
methodologies and other processes change. Our
survey found that, across organisation type and region,
“previous fraud risk assessment results” ranks high
among the frequently used information applied to the
assessment methodology. While the inclusion of this
information is an important data point, no aspect of
the fraud risk assessment should be a cut-and-paste
exercise. Indeed, in a recent publication by the U.S.
Department of Justice (DOJ) (Evaluation of Corporate
Compliance Programs), an 11th hallmark of an effective
compliance program was introduced: Analysis and
Remediation of Underlying Misconduct. While this
is directed at organisations that are in the throes of
a government investigation, all organisations should
seek to apply lessons learned from any internal
investigations that have been performed since the last
fraud risk assessment. Organisations should always
strive to ensure that their fraud risk assessment
processes are dynamic, are evolving along with the
company’s changing risks and strategic objectives,
and don’t become a rote exercise lacking meaningful
benefit year-over-year.
More Care Needed When Discussing Sensitive Information
Another result in our survey is the low number of
organisations globally that conduct fraud risk
assessments under attorney-client privilege. In
North America, for instance, three in four organisations
do not conduct fraud risk assessments under
this privilege. Anecdotally, most organisations do
not even consider the need to do so.
Who within your organisation is primarily responsible for conducting your fraud risk assessment?

Company Size (Annual Revenue)

| 2016 | Large companies | Midsize companies | Small companies |
|---|---|---|---|
| Internal audit | 32% | 46% | 44% |
| Corporate compliance | 20% | 18% | 15% |
| SOX compliance team | 16% | 14% | 9% |
| General counsel/legal | 12% | 9% | 13% |
| Other | 12% | 6% | 10% |
| None of these | 2% | 3% | 7% |
| Don’t know | 6% | 4% | 2% |

Region

| 2016 | Asia-Pacific | Europe | India | Latin America/South America | North America |
|---|---|---|---|---|---|
| Internal audit | 43% | 39% | 52% | 40% | 41% |
| Corporate compliance | 17% | 23% | 17% | 18% | 14% |
| SOX compliance team | 14% | 12% | 12% | 11% | 12% |
| General counsel/legal | 8% | 18% | 6% | 26% | 7% |
| Other | 10% | 4% | 10% | 1% | 14% |
| None of these | 5% | 3% | 3% | 2% | 6% |
| Don’t know | 3% | 1% | 0% | 2% | 6% |

While some organisations make rational business
cases for why they choose not to perform fraud risk
assessments under the attorney-client privilege,
problems sometimes arise in those organisations
that do not even consider doing so. When conducting
fraud risk assessments, root cause analyses of
prior internal investigations (which were probably
undertaken pursuant to the attorney-client privilege),
internal control weaknesses or gaps identified through
previous audits, and other confidential compliance
matters may be discussed. If sensitive information is
gathered without the opportunity for legal counsel to
provide advice to the organisation, it could result in a
significant problem down the road if, during litigation,
that sensitive information becomes discoverable.
As our survey results indicate, the fraud risk
assessment process often involves the use of
other techniques such as the review of policies,
procedures and training materials, gathering of
public information and industry news, brainstorming
sessions, interviews or group workshops, process
walkthroughs, surveys, and data analytics. During
these activities, candid feedback about business
practices, personnel matters and corporate culture
may be shared. In some cases, indicators of fraud
may even be identified through the use of electronic
data interrogation routines. Organisations likely do
not want this material exposed during litigation. It
is therefore imperative to consider confidentiality,
as well as the potential for conducting the fraud
risk assessment under the direction of counsel for
attorney-client privilege purposes, during planning
activities. (See the sidebar “Fraud Risk Assessment and
Attorney-Client Privilege” for further discussion.)
Circling back to the updated 2013 COSO Internal Control
Framework, Principle 8 includes consideration of
three key types of fraud during management’s risk
assessment activities. Interestingly, when asked which
fraud type concerns them the most, respondents
provided a wide range of responses. What stands out is
that while fraudulent nonfinancial reporting is the type
of fraud that happens most often in organisations, only
a small number cited it as the area of greatest concern.
Another point of emphasis is that fraud risk in many
organisations is centered on compliance with SOX and
the concept of materiality. This is a dangerously narrow
way of viewing fraud risk and often leaves a significant
number of potential fraud scenarios out of the process,
some of which can have a negative effect on the
organisation, since the statutes being violated do not
use materiality in weighing whether criminal violations
have occurred. Examples of two such categories of
fraud are the bribery of foreign officials and sanctions
violations such as those enforced by the U.S. Office of
Foreign Assets Control (OFAC).
Factors having an impact on fraud risk are highlighted
in the 2013 COSO Framework’s Points of Focus for
Principle 8. While fraud risk factors are shared by all
organisations that experience fraud, the fraud risk
assessment methodology should be a unique process.
A holistic view of fraud includes consideration of
potential scenarios and perpetrators at all levels of the
enterprise, as well as vulnerabilities in all processes
and geographic locations — not only those deemed
“in scope” for SOX purposes. Executed correctly, the
fraud risk assessment should not be a “cookie-cutter”
template for a different company in a different industry
offering different products or services, since it has been
specifically tailored to the company at hand.
How often does your organisation conduct a formal fraud risk assessment?
[Figure: stacked bar charts of responses (Quarterly, Annually, As needed, Never, Don’t know) by company size (annual revenue: large, midsize and small companies) and by region (India, North America, Latin America/South America, Europe, Asia-Pacific).]
It is surprising to find a significant percentage of large companies and North American-based
organisations that report not knowing how often the fraud risk assessment is conducted.
How is your organisation’s fraud risk assessment process structured within your organisation?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Incorporated into our enterprise risk management (ERM) process 47% 40% 38%
Incorporated into our internal audit planning process 21% 22% 26%
Incorporated into our SOX compliance process 8% 18% 13%
Stand-alone 18% 12% 12%
None of these 2% 2% 9%
Don’t know 4% 6% 2%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Incorporated into our ERM process 42% 52% 45% 48% 32%
Incorporated into our internal audit planning process 23% 15% 32% 27% 25%
Incorporated into our SOX compliance process 8% 13% 2% 10% 20%
Stand-alone 17% 15% 17% 11% 9%
None of these 6% 4% 4% 3% 8%
Don’t know 4% 1% 0% 1% 6%
Does your company conduct its fraud risk assessment under attorney-client privilege? (Shown: “Yes” responses)
[Figure: bar charts of “Yes” responses by company size (annual revenue: large, midsize and small companies) and by region (North America, Europe, India, Asia-Pacific, Latin America/South America).]
Fraud Risk Assessment and Attorney-Client Privilege
As with any internal investigation, a fraud risk assessment may include sensitive matters that potentially involve
litigation or damage to a company’s reputation. There are often compelling reasons for an organisation’s
assessment team to report to legal counsel. Some things to consider include:
• In the United States, conversations between an attorney and a client seeking legal advice are considered
“privileged and confidential” and “attorney-client privileged.” Once privilege is established, the information
shared between a client and attorney is largely protected from disclosure to other parties.
• Attorney-client privilege allows companies and their lawyers to discuss findings and potential solutions without
fear of inappropriate disclosure of the privileged discussions and material. If other providers, such as forensic
accountants or investigators, participate in the fraud risk assessment or an investigation, their work should
be performed at the direction of lawyers so that their findings are considered attorney work product and are
privileged as well.
• It should be made clear that the fraud risk assessment is being conducted to assist legal counsel in providing
legal advice. That includes marking materials as “Privileged and Confidential” and informing interviewees of
the legal purpose of the fraud risk assessment or investigation.
• Distribution of privileged materials must be limited. Company representatives must not be allowed to discuss the
review with anyone who is not involved in the project, so as not to inadvertently waive the privilege by sharing
information outside of the attorney-client relationship.
• The attorney-client privilege varies widely by country. For any investigations, fraud risk assessments or other
projects that the client and counsel feel should be performed under the privilege and involve foreign jurisdictions,
the rules of those jurisdictions would apply.
Note that while attorney-client privilege generally applies to in-house counsel (at least in the United States), internal
lawyers serve in a dual business and legal capacity, and privilege could be challenged on the grounds that discussions
were of a business, and not a legal, nature.
Legal privilege varies widely from one country to the next, and these decisions are best made in consultation
with attorneys who have a deep understanding of the various jurisdictions in which the company is operating and
whether and to what extent the fraud risk assessment can be undertaken pursuant to the attorney-client privilege.
It’s important for companies to understand the interrelationship between internal investigations that were
performed at the direction of counsel and the company’s fraud risk. Reviewing those investigations could
constitute an inadvertent waiver of privilege. Plus, during the course of a fraud risk assessment, people
sometimes share information about past or ongoing fraud or misconduct that could give rise to legal liability.
Performing fraud risk assessments pursuant to the attorney-client privilege can add a layer of protection to
sensitive information that was gathered during the course of the project.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Does your fraud risk assessment team include members from different departments? (Shown: “Yes” responses)
[Figure: bar charts of “Yes” responses by company size (annual revenue: large, midsize and small companies) and by region (North America, Europe, India, Asia-Pacific, Latin America/South America).]
IF YES: Which departments participate in the fraud risk assessment team? (Multiple responses permitted)
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Internal audit 73% 72% 70%
Accounting/finance 65% 62% 63%
Legal 61% 57% 63%
Risk management 68% 50% 56%
Compliance 54% 50% 44%
Operations 48% 41% 51%
Corporate security 45% 46% 42%
Human resources 44% 39% 46%
External consultants 20% 17% 25%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Internal audit 64% 63% 78% 64% 84%
Accounting/finance 68% 47% 53% 63% 80%
Legal 48% 53% 59% 65% 72%
Risk management 58% 65% 67% 51% 50%
Compliance 44% 45% 51% 32% 61%
Operations 42% 43% 41% 45% 58%
Corporate security 40% 49% 45% 43% 43%
Human resources 44% 34% 41% 41% 51%
External consultants 24% 20% 35% 28% 15%
Organisations in Latin America/South America and Europe are far more likely to include
members from different departments on the fraud risk assessment team than are companies in
other regions, particularly North America.
Which of the following does your company utilise as part of its fraud risk assessment methodology? (Multiple responses permitted)
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Previous fraud risk assessment results 49% 55% 51%
Prior reported concerns and complaints 49% 51% 49%
Data analytics 53% 47% 44%
Prior audits or other reviews conducted at the company 47% 44% 48%
Interviews 47% 52% 42%
Brainstorming sessions 43% 42% 36%
Surveys 48% 35% 36%
Public information about criminal, civil and regulatory cases and complaints 33% 31% 30%
Industry news 31% 32% 25%
Workshops 35% 28% 26%
Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System 35% 28% 24%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Previous fraud risk assessment results 57% 46% 70% 47% 52%
Prior reported concerns and complaints 56% 44% 61% 37% 53%
Data analytics 39% 55% 62% 62% 36%
Prior audits or other reviews conducted at the company 54% 32% 58% 40% 53%
Interviews 38% 44% 39% 42% 54%
Brainstorming sessions 35% 47% 50% 35% 36%
Surveys 25% 45% 45% 43% 35%
Public information about criminal, civil and regulatory cases and complaints 30% 36% 32% 42% 26%
Industry news 24% 31% 39% 29% 26%
Workshops 42% 36% 32% 42% 14%
Industry-accepted fraud taxonomies, such as the ACFE’s Occupational Fraud and Abuse Classification System 25% 28% 32% 27% 25%
Which one of the following types of fraud is of greatest concern to your organisation?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Safeguarding of assets 24% 16% 20%
Management override of controls 19% 19% 19%
Fraudulent financial reporting 16% 15% 16%
Corruption 10% 10% 14%
Illegal acts 10% 7% 7%
Fraudulent nonfinancial reporting 2% 7% 5%
No one type is more concerning than the other 14% 20% 15%
Other/none of these 5% 6% 4%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Safeguarding of assets 24% 18% 25% 12% 21%
Management override of controls 20% 21% 20% 26% 13%
Fraudulent financial reporting 12% 24% 17% 17% 12%
Corruption 15% 10% 9% 21% 9%
Illegal acts 6% 8% 3% 11% 8%
Fraudulent nonfinancial reporting 1% 5% 2% 8% 6%
No one type is more concerning than the other 18% 8% 12% 3% 26%
Other/none of these 4% 6% 12% 2% 5%
As expected, the safeguarding of assets seems to be a high priority, while corruption appears to
be a lower priority (though more significant for organisations in Latin America/South America).
Does your organisation have a fraud risk management (mitigation) program? (Shown: “Yes” responses)
[Figure: bar charts of “Yes” responses by company size (annual revenue: large, midsize and small companies) and by region (North America, Europe, India, Asia-Pacific, Latin America/South America).]
IF YES: Who in your organisation is responsible for the fraud risk management (mitigation) program?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Chief Compliance Officer 30% 42% 39%
Chief Financial Officer 28% 25% 25%
Chief Audit Executive 24% 25% 26%
Other 12% 6% 8%
Don’t know 6% 2% 2%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Chief Compliance Officer 48% 41% 31% 31% 33%
Chief Financial Officer 23% 27% 29% 24% 27%
Chief Audit Executive 15% 24% 25% 41% 21%
Other 14% 6% 13% 1% 12%
Don’t know 0% 2% 2% 3% 7%
It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy
organisational culture can derail operations, damage the brand, drive away customers and put a sizable dent
in the bottom line. Yet for many organisations, culture continues to be a buzzword in boardroom discussions
but is given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that
doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a
company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much
more specific and necessary.
— Brian Christensen, Protiviti Executive Vice President, Global Internal Audit
Cultivating a Healthy Corporate Culture Through Fraud Prevention
One surprise from the results of our survey is evidence
of the low use of certain primary controls, including
ethics and fraud awareness training, which could help
organisations recognise warning signs and prevent
fraud if they were utilised or provided more frequently.
In the United States, for example, the DOJ and the
Securities and Exchange Commission (SEC) consider
training and continuous advice to be a hallmark of an
effective compliance program, yet a large majority of
organisations do not appear to conduct such training.
Shockingly, even basic measures appear to be falling
short. For instance, a good argument can be made that
every organisation should have a code of conduct and
code of ethics, yet more than one in five companies
surveyed do not. Indeed, a code of conduct and compliance
policies and procedures are called out by both
the DOJ and the SEC as hallmarks of an effective
compliance program.
Third- and Fourth-Party Relationships Require More Scrutiny
Several other findings from our survey should raise
red flags for boards and executive leadership seeking
to build a strong corporate culture. For example, less
than a majority of organisations have third-party
due diligence and competitive bidding in place as
controls to prevent fraud; only slightly more than
a majority have IT controls, authority and approval
limits, and segregation of duties (SoD) in place. While
some may not view these measures specifically as
fraud controls, they can be very effective for fraud
prevention. That is especially true for publicly held
companies that must comply with requirements such
as SOX in the United States.
The results for third-party due diligence controls
are especially eye-opening, particularly when
considering the extent to which third parties may
have access to personally identifiable information
and/or may have permission to act on behalf of the
company. Third parties can represent a weak link in
the organisation’s fraud control structure (as well
as security and privacy, anti-bribery, regulatory
compliance, and other areas of internal control).
Conducting risk-based investigative due diligence of
the organisation’s third parties, especially those in
particularly high-risk jurisdictions, as well as fourth
parties (i.e., the vendor’s vendors or subcontractor’s
subcontractors) should be considered essential.
Authorities May Question Lack of Commitment to Combating Fraud
As noted above, a potential weak link in an organisation’s
culture is the frequency of ethics and fraud
awareness training. Our survey results suggest that
two in five organisations conduct this type of training
only annually — or even less frequently.
If the organisation lacks a strong commitment to
regular ethics and fraud awareness training, what
does that say about management’s commitment to
building a healthy corporate culture? That is the type
of question authorities could ask during a formal
fraud investigation and in evaluating whether there
was an effective compliance program in place at the
time violations were occurring. When a prosecutor or
law enforcement agency concludes that there was not
an effective compliance program in place, or there
were other aggravating circumstances at the time,
the company itself can be charged with criminal
violations, which can have sweeping and often
devastating consequences for the company and
its shareholders.
The U.S. DOJ and the SEC have provided clear guidance
for what they expect of companies when it comes
to effective compliance and ethics programs. One
recommendation is delivering risk-based training,
as compliance policies are not meaningful unless
they are communicated effectively throughout the
organisation. COSO also stresses the importance of
regular training in its FRM Guide.
KEY FACTS
57%: Organisations (overall) that conduct ethics and fraud risk awareness training
It is very important for organisations to create processes that support people doing the right thing all the time
and foster a culture where people in the organisation know the tone at the top, ensuring that the tone flows
all the way down to middle management and beyond. This is because, in most cases, employees pay more
attention to what their direct supervisors are saying or doing, and less to what the CEO has announced.
— Susan Haseley, Protiviti Executive Vice President, Diversity and Inclusion Initiative Leader
Which of the following primary controls does your organisation utilise to prevent fraud? (Multiple responses permitted)
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Code of conduct/Code of ethics 78% 81% 72%
Authority or approval limits 59% 63% 67%
Employee background checks 56% 63% 66%
IT controls 55% 58% 63%
Segregation of duties 54% 58% 58%
Ethics or fraud risk awareness training 64% 58% 53%
Third-party due diligence 41% 32% 33%
Competitive bidding 36% 32% 32%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Code of conduct/Code of ethics 73% 62% 78% 71% 87%
Authority or approval limits 68% 50% 64% 45% 78%
Employee background checks 60% 47% 69% 56% 75%
IT controls 57% 47% 58% 58% 70%
Segregation of duties 55% 37% 50% 35% 81%
Ethics or fraud risk awareness training 58% 55% 56% 56% 59%
Third-party due diligence 30% 32% 53% 19% 38%
Competitive bidding 29% 24% 38% 24% 41%
Europe reflects a lower percentage of firms that have codes of conduct or codes of ethics.
North American firms are notably ahead of other regions in demanding segregation of duties.
Compared to companies in other regions, both European and Latin American/South American
firms reflect a much lower percentage of demanding segregation of duties.
How often does your organisation offer ethics and fraud awareness training?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
New hire orientation only 12% 12% 16%
On demand 27% 19% 20%
Semi-annually 18% 19% 17%
Annually 33% 36% 27%
Less than annually 6% 6% 7%
Never 1% 5% 11%
Don’t know 3% 3% 2%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
New hire orientation only 12% 13% 20% 21% 11%
On demand 20% 34% 33% 27% 8%
Semi-annually 18% 25% 28% 22% 10%
Annually 21% 20% 14% 25% 49%
Less than annually 13% 5% 3% 2% 7%
Never 16% 2% 2% 1% 10%
Don’t know 0% 1% 0% 2% 5%
With regard to the frequency of ethics and fraud awareness training, the question raised
here is “How often is often enough?” Less than a majority of firms in North America conduct
these trainings every six months or have them available on demand. These percentages are
significantly higher among companies in Europe, India and Latin America/South America. On the
other hand, 16 percent of organisations in the Asia-Pacific region never conduct these trainings.
Data Analytics, Fraud Detection and the Path Forward
One of the most notable findings in our survey is that
one-third of organisations lack a fraud detection
program. This begs the question as to what exactly
these organisations are doing to detect the type of
fraudulent acts that can undermine the organisation’s
culture or indicate red flags for deep-seated issues.
The absence of a fraud detection program likely
indicates a reactive environment for detecting fraud.
Internal audit and management respond to fraud issues
that arise but are unable to be proactive in spotting
issues early or identifying potential root causes.
The absence of such a program also suggests organisations
have limited resources and technologies to apply
to fraud detection; thus, they lack alignment with
Principle 3 of COSO’s FRM Guide. This principle focuses
on preventive and detective control activities designed
to mitigate the occurrence — and longevity — of fraud
risk events. Timely discovery of fraud risk events is
a critical component of a well-designed fraud risk
management program and the lack of a program
calls into question the ability of such organisations
to fully achieve risk mitigation under the 2013
COSO Framework.
Few Firms Using Data Analysis for Fraud Detection
One in five organisations reports that they do not use
any form of data analysis to detect fraud proactively.
The numbers are better for large organisations, but
those operating in regions such as North America
and Asia-Pacific fare worse. These results are not
surprising, however. Business records in many
organisations still exist in a manual state. Companies
may want to incorporate forensic data analysis to
identify potential red flags and fraud indicators, but
they can’t if their information resides in boxes rather
than a digital state.
These results generally mirror the findings of Protiviti’s
2018 Internal Audit Capabilities and Needs Survey,
which show that about one-third of organisations
do not use data analysis or analytics in their internal
audit functions.[3]
Most organisations are still in the early stages of
using data analytics. Furthermore, many are likely
performing only the most basic form of analytics.
This was borne out in the findings of Protiviti’s
internal audit survey. Few internal audit groups are
employing current high-end technologies or artificial
intelligence (AI), or even computer-assisted audit
tools (CAATs), which could boost effectiveness and
efficiency significantly.
Factors limiting the use of data analysis include dated
legacy systems in the organisation, as well as the
absence of a data warehouse. Also, most organisations
have few employees who are trained to use new
technologies and AI to perform forensics and analytics.
[3] Analytics in Auditing Is a Game Changer, Protiviti, 2018: protiviti.com/IAsurvey.
Does your organisation have a fraud detection program? (Shown: “Yes” responses)
[Figure: bar charts of “Yes” responses by company size (annual revenue: large, midsize and small companies) and by region (North America, Europe, India, Asia-Pacific, Latin America/South America).]
When it comes to fraud detection, North American companies appear to be significantly behind
organisations in other regions.
IF YES: Who in your organisation is responsible for the fraud detection program?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Chief Compliance Officer 24% 38% 38%
Chief Audit Executive 34% 36% 34%
Chief Financial Officer 38% 23% 27%
Don’t know 4% 3% 1%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Chief Compliance Officer 42% 39% 32% 34% 26%
Chief Audit Executive 31% 35% 29% 40% 34%
Chief Financial Officer 27% 26% 39% 25% 31%
Don’t know 0% 0% 0% 1% 9%
One cannot manage that which cannot be measured. If firms focused on enhancing access to their own legacy
data systems so that disparate data sources were converted into consistent, timely and reliable information,
the return on this investment would be enormous. Advanced analytics, such as machine learning, deep
learning and AI, performed on this newly reliable data, will enable firms to measure historical fraud, predict
potential future fraud occurrences and manage fraud risk appropriately. That, in turn, will significantly
strengthen corporate culture.
— Shaheen Dil, Protiviti Managing Director, Global Leader, Data Management and Advanced Analytics
Does your organisation actively utilise forensic data analysis to identify potential red flags and fraud indicators (i.e., fraud detection techniques)?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. 41% 34% 23%
Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. 30% 31% 32%
Yes, on demand only. Data is extracted manually from various systems that are queried. 13% 15% 15%
No, we do not utilise data analysis to detect fraud proactively. 8% 17% 26%
Don’t know. 8% 3% 4%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Yes, routinely. Fraud detection programs have been written and overlay systems. Exception reports are monitored by an independent group, such as internal audit. 27% 38% 45% 30% 21%
Yes, periodically. Management or internal audit runs fraud detection programs at specific times, such as at the start of an audit. 36% 36% 28% 54% 20%
Yes, on demand only. Data is extracted manually from various systems that are queried. 13% 12% 14% 9% 20%
No, we do not utilise data analysis to detect fraud proactively. 22% 12% 11% 6% 31%
Don’t know. 2% 2% 2% 1% 8%
North American-based organisations appear to lag considerably behind companies in other
regions in utilising forensic data analysis.
Which of the following procedures has your organisation established for the submission of concerns by employees about questionable accounting or auditing matters? (Multiple responses permitted)
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Telephonic hotline 61% 54% 50%
Electronic mailbox 61% 48% 45%
Website 56% 54% 39%
“Chain-of-command” reporting 47% 42% 47%
Designated management 36% 33% 43%
Designated board member 33% 18% 27%
No formal reporting mechanism exists 6% 6% 9%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Telephonic hotline 42% 32% 41% 48% 76%
Electronic mailbox 48% 55% 60% 56% 40%
Website 31% 47% 49% 49% 52%
“Chain-of-command” reporting 44% 42% 41% 36% 54%
Designated management 45% 40% 51% 42% 32%
Designated board member 19% 37% 38% 39% 14%
No formal reporting mechanism exists 11% 6% 5% 6% 8%
Interestingly, the use of telephonic hotlines for employees to communicate concerns about
accounting or auditing issues is far more prevalent in North America than in other regions.
How often does your organisation conduct surprise audits within the organisation?
Company Size (Annual Revenue)
2016: Large companies, Midsize companies, Small companies
Quarterly 33% 20% 23%
Annually 15% 19% 16%
As needed 35% 40% 37%
Never 9% 16% 20%
Don’t know 8% 5% 4%
Region
2016: Asia-Pacific, Europe, India, Latin America/South America, North America
Quarterly 15% 32% 41% 44% 11%
Annually 14% 27% 14% 28% 8%
As needed 49% 33% 35% 26% 42%
Never 18% 6% 7% 1% 30%
Don’t know 4% 2% 3% 1% 9%
KEY FACTS
48%: Large companies that conduct surprise audits at least annually
Most companies like to believe that they have a
highly ethical culture. Many find out the hard way
that their culture isn’t as rock solid as they believed it
was. Better to burst your own bubble by proactively
examining culture, fraud and compliance risk than
to have the DOJ or the SEC burst it for you.
— Scott Moritz, Managing Director and Global Lead, Protiviti Forensic
Being Vigilant — Addressing Corruption and Performing Due Diligence
Third parties, or vendors, present a heightened level
of risk to organisations. However, overall, just under
one in five companies reports that they have a high
level of confidence about third-party oversight.
As detailed in the 2017 Vendor Risk Management Benchmark
Study from the Shared Assessments Program
and Protiviti, vendor risk management activities and
programs are improving in organisations overall.[4]
But the results from that study, as well as this survey,
underscore the point that organisations have a
significant way to go to achieve optimal vendor risk
management and oversight.
Most organisations in our survey align with the U.S.
DOJ and the SEC’s hallmarks of effective compliance
programs by conducting due diligence on business
intermediaries,[5] such as agents, distributors, consultants
and subcontractors, prior to onboarding them in
the organisation. However, it is vital that investigative
due diligence[6] efforts be nuanced and risk-based.
Organisations cannot approach this activity through
cursory, unstructured online research.
Just One Bad Vendor Relationship Can Lead to Irreversible Damage
Most companies report that they are conducting
this category of investigative due diligence. But are
they performing the right level of due diligence?
Are they applying a risk-based approach with regard
to the third parties with which they do business?
These organisations should realise they likely have
questionable relationships that present substantial
risks. The bottom line is that even one bad vendor
relationship can create irreversible damage to the
organisation. Organisations, therefore, need to do a
better job conducting investigative due diligence on
business intermediaries — including improving how
they conduct this due diligence.
To illustrate, there are some remarkable differences
among regions and organisation size regarding whether
a company conducts a corruption risk assessment
as part of its due diligence related to an acquisition.
Interestingly, a strong majority of organisations in
Europe perform a corruption risk assessment, whereas
only a minority of companies in North America do so.
As expected, more large organisations tend to conduct
these risk assessments.
What is the best way to approach due diligence?
Adopt a risk-based approach by designating key
categories that present the most risk. As part of the
due diligence process, cover those categories first in
the questionnaire, and perform other research focused
specifically on those categories. Essentially, this
approach results in prioritising the most significant
risks first, rather than adopting a blanket approach to
due diligence.
[4] Study available at www.protiviti.com/vendor-risk.
[5] The term “intermediary” in a third-party context typically refers to an entity that can act on behalf of another company, and those actions can give rise to liability.
[6] “Investigative due diligence” refers to the performance of background investigations of legal entities and their owners and key executives to determine whether there is anything in their backgrounds that would make them unsuitable business partners.
Fostering an Anti-Bribery Culture Within Your Organisation
The breadth and depth of authoritative guidance designed to mitigate global bribery and corruption continue to build.
Organisations often utilise a compilation of information to establish and evolve their anti-bribery or anti-corruption
compliance program. These include, among others, the Organization for Economic Co-Operation and Development’s
(OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, International Chamber of Commerce’s ICC
Rules on Combating Corruption, the U.S. DOJ’s and SEC’s hallmarks of effective compliance programs, and the United
Kingdom’s Ministry of Justice’s The Bribery Act of 2010 Guidance about procedures which relevant commercial organisations
can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).
In addition, the World Bank Group has published both Integrity Compliance Guidelines and Guidelines on Preventing and
Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Projects and Grants, while the Wolfsberg
Group has issued Wolfsberg Anti-Bribery and Corruption (ABC) Compliance Programme Guidance intended for use by the
“broader financial services industry.”
Now, with the International Organization for Standardization’s (ISO) release of ISO 37001:2016 — Anti-Bribery
Management Systems, companies can seek certification of their anti-bribery program if they meet ISO’s requirements
for “establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.” This
anti-bribery standard is applicable to all organisations — regardless of industry and corporate structure — and is
intended to help foster an anti-bribery culture within an organisation.
Indeed, each of the guidance documents referenced above cites the importance of ethical competencies and commitment
to a strong corporate culture as integral to mitigating this common type of fraud found in today’s global marketplace.
On a scale of 1 to 5, where “5” indicates a high level of confidence and “1” indicates little or no confidence, rate your level of confidence that your organisation has effective oversight of third parties.
[Chart: stacked bars showing the share of respondents with a higher level of confidence (4-5) versus a lower level of confidence (1-3, don’t know), by company size (annual revenue) and by region.]
Company Size (Annual Revenue): Large companies, Small companies, Midsize companies
Values shown (higher / lower): 55% / 45%; 51% / 49%; 68% / 32%
Region: India, North America, Latin America/South America, Europe, Asia-Pacific
Values shown (higher / lower): 60% / 40%; 74% / 26%; 81% / 19%; 66% / 34%; 48% / 52%
Large companies in North America appear to have a much higher level of confidence in
effective oversight of third parties compared to midsize and small companies. However, in
assessing the results by region, North American firms have far lower confidence levels than
firms in Europe, India and Latin America/South America.
Does your organisation conduct due diligence on business intermediaries (e.g., agent, distributor, consultant, subcontractor) prior to onboarding? (Shown: “Yes” responses)
Company Size (Annual Revenue)
87% 69% 71% Large companies Small companies Midsize companies
Region
North America
70%
83%
66%
90%
71%
Europe
India
Asia-Pacific
Latin America/South America
Does your organisation include communications from management that it expects adherence to the standards as set out in the code of conduct and/or anti-corruption policy? (Shown: “Yes” responses)
Company Size (Annual Revenue)
89% 81% 80% Large companies Small companies Midsize companies
Region
North America
79%
91%
76%
92%
83%
Europe
India
Asia-Pacific
Latin America/South America
Does your organisation have the ability to distinguish between foreign government agencies, state-owned companies, public international organisations and private enterprises among its customer base? (Shown: “Yes” responses)
Company Size (Annual Revenue)
83% 71% 76% Large companies Small companies Midsize companies
Region
North America
69%
87%
78%
89%
71%
Europe
India
Asia-Pacific
Latin America/South America
Does your organisation categorise third parties according to risk? (Shown: “Yes” responses)
Company Size (Annual Revenue)
73% 59% 55% Large companies Small companies Midsize companies
Region
North America
46%
79%
68%
78%
54%
Europe
India
Asia-Pacific
Latin America/South America
IF YES: Which of the following activities does your organisation perform? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Assign risk based upon a variety of factors | 58% | 65% | 62%
Perform escalating levels of investigative due diligence based upon assigned risk level | 64% | 53% | 55%
Focus on a single high-risk category for third party (such as sales agents) | 49% | 40% | 38%
Perform investigative research in-house | 34% | 34% | 43%
Perform the same level of due diligence or screening for all categories of third party | 36% | 31% | 40%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Assign risk based upon a variety of factors | 66% | 65% | 61% | 61% | 57%
Perform escalating levels of investigative due diligence based upon assigned risk level | 57% | 53% | 61% | 57% | 56%
Focus on a single high-risk category for third party (such as sales agents) | 45% | 45% | 53% | 50% | 26%
Perform investigative research in-house | 34% | 43% | 37% | 40% | 36%
Perform the same level of due diligence or screening for all categories of third party | 39% | 36% | 43% | 46% | 26%
It is somewhat surprising that, compared to large companies, a higher percentage of midsize
and small companies assign risk based upon a variety of factors instead of one. Close to a
majority of large companies focus on a single high-risk category for third parties, suggesting
these organisations may be adopting a view of third-party risk that is too myopic.
KEY FACTS
Organisations that perform the following activities as part of investigative due diligence:
Check a variety of watchlists (e.g., OFAC, politically exposed persons (PEPs), debarments)
Perform internet research
Check corporation registrations
Search public records
Search negative news (English-speaking sources)
No investigative due diligence is performed in the organisation
Search negative news (non-English-speaking sources)
29% 8% 23%
47% 43% 44% 40%
Who performs the work associated with investigative due diligence? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
All investigative work performed in-house | 50% | 40% | 42%
Watchlists, negative media, internet research performed in-house | 47% | 34% | 36%
More comprehensive investigative work performed by investigative firm | 39% | 30% | 33%
All investigative work outsourced | 34% | 28% | 28%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
All investigative work performed in-house | 47% | 45% | 46% | 45% | 40%
Watchlists, negative media, internet research performed in-house | 38% | 45% | 51% | 45% | 27%
More comprehensive investigative work performed by investigative firm | 27% | 43% | 51% | 48% | 18%
All investigative work outsourced | 21% | 45% | 41% | 49% | 12%
When acquiring a company, does your organisation conduct a corruption risk assessment during the acquisition due diligence process? (Shown: “Yes” responses)
Company Size (Annual Revenue)
74% 56% 58% Large companies Small companies Midsize companies
Region
North America
41%
90%
71%
76%
53%
Europe
India
Asia-Pacific
Latin America/South America
Do your hiring practices include an examination as to whether candidates are family members or associates of government officials? (Shown: “Yes” responses)
Company Size (Annual Revenue)
73% 60% 59% Large companies Small companies Midsize companies
Region
North America
49%
82%
66%
71%
65%
Europe
India
Asia-Pacific
Latin America/South America
Which of the following additional steps does your organisation take in an effort to mitigate the elevated risk associated with doing business with government agencies, state-owned companies and/or public international organisations? (Multiple responses permitted)
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
Pre-approval requirements before paying for gifts, meals or entertainment | 68% | 51% | 49%
Enhanced contract provisions | 63% | 52% | 47%
Advanced anti-corruption training for select personnel | 59% | 50% | 44%
Prohibitions against hiring of family members of employees of this category of customers | 35% | 33% | 38%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
Pre-approval requirements before paying for gifts, meals or entertainment | 59% | 50% | 65% | 54% | 49%
Enhanced contract provisions | 47% | 57% | 65% | 54% | 46%
Advanced anti-corruption training for select personnel | 48% | 57% | 51% | 64% | 38%
Prohibitions against hiring of family members of employees of this category of customers | 37% | 33% | 33% | 53% | 33%
With regard to corruption risk assessments, hiring practices that include examinations of cases
where candidates are family members or associates of government officials, and mitigating
elevated risks associated with state agencies and organisations, North American-based
organisations lag notably behind companies in other regions.
Reporting, Investigation and Corrective Action
Principle 4 of COSO’s FRM Guide states: “The organization
establishes a communication process to obtain
information about potential fraud and deploys a
coordinated approach to investigation and corrective
action to address fraud appropriately and in a timely
manner.” Further, one of the hallmarks of effective
compliance programs as promulgated by the U.S.
DOJ and the SEC is confidential reporting and
internal investigation.
Organisations that do not properly consider and
document the various channels by which the need
for an internal investigation comes to light and/or do
not follow written procedures for the performance of
internal investigations are at risk of failing to undertake
investigative activities that are proportionate
to the allegations at hand. Not only does that lead
to the risk of not conducting a productive internal
investigation, but it also can give rise to concerns that
the company is not applying a consistent standard
of care in its investigative processes. That, in turn,
can call into question whether that inconsistency is
simply a by-product of a poorly designed process or a
calculated effort to hold some people accountable but
not others.
Overall, more than one in five organisations conducted
between six and 20 investigations in the previous
year. While you would expect those same organisations
to have well-defined, consistently applied
investigative procedures in place, the reality is that
many organisations allow the facts at hand — or
even common psychological biases — to dictate the
investigative steps that follow, and those steps are
left to the discretion of the investigators themselves.
While there are many very talented and experienced
investigators working in-house at organisations
across the globe, the lack of documented policies
and procedures that govern investigative processes
can expose the company to a broad range of issues,
including, but not limited to, views that the organisation’s
culture and institutional justice are flawed and
prone to favouritism, or that internal investigations
are performed in such a way as to raise questions
about their independence and the inconsistent
application of disciplinary actions.
That is why confidential reporting and internal investigation
is a hallmark of effective compliance programs.
Without a well-defined and documented process, it
would be very difficult for an outside party such as a
regulator or law enforcement agency to conclude that
an ethics and compliance program meets the definition
of effective.
Recently, guidance issued by the U.S. DOJ has placed a
great deal of emphasis on the performance of root cause
analysis. In addition, another hallmark of effective
compliance programs is continuous improvement:
periodic testing and review. What is being said in
various ways is that once a problem comes to light and
is investigated, the investigation and subsequent remediation
need to carefully consider not just the “what”
of what happened but also the “why,” the “how” and
the “by whom.” Answering these questions will provide
the company with insights into cultural breakdowns:
how things happened; what deficiencies in the control
environment were exposed by the fraud; and how the
pattern of fraud, corruption or misconduct was allowed
to continue undetected. These shortcomings then can
be translated into substantive changes to the controls,
both detective and preventive, that will lessen the
likelihood of a recurrence. A fraud risk management
program must be in a constant state of evolution with
new threats being addressed and lessons learned
being applied.
Five Most Common Root Causes or Control Breakdowns That Allow Fraud Incidents to Occur (Source: Top five responses from all survey participants)
1. Internal collusion
2. Collusion with third parties
3. Inadequate internal controls
4. Deliberate override of internal controls
5. Undisclosed conflicts of interest
What level of involvement does your organisation’s audit committee have in the investigation of alleged fraud or misconduct?
Company Size (Annual Revenue)
2016 | Large companies | Midsize companies | Small companies
The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 61% | 57% | 58%
On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 21% | 25% | 25%
The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 8% | 11% | 8%
Don’t know. | 10% | 7% | 9%
Region
2016 | Asia-Pacific | Europe | India | Latin America/South America | North America
The audit committee chair is informed of all allegations involving accounting, auditing and internal control matters immediately upon receipt by the individual designated to receive complaints. | 57% | 60% | 67% | 75% | 46%
On at least a quarterly basis, the audit committee is informed of all allegations being investigated. | 25% | 25% | 27% | 15% | 27%
The audit committee is only informed of investigations involving accounting, auditing and internal control matters. | 14% | 6% | 5% | 6% | 12%
Don’t know. | 4% | 9% | 1% | 4% | 15%
KEY FACTS
The most common corrective actions taken by companies after an investigation involving employees:
Disciplinary action
Training
Termination
New internal controls
Reassignment
32% 18% 15%
10% 7%
KEY FACTS
Organisations that have received and investigated five or fewer allegations of fraud or misconduct over the past three years: 29%
Organisations that have received and investigated six to 20 allegations of fraud or misconduct over the past three years: 22%
In Closing
The importance of corporate culture is garnering an
unprecedented amount of media and organisational
attention, and yet, there has not been an equal amount
of introspection or root cause analysis as to what has led
to some of the more noteworthy fraud and misconduct
cases occurring in the last year. Understanding the
interplay between fraud, corruption and corporate
culture — and the controls necessary to mitigate ethical
failures — can accelerate efforts to effect positive
organisational change and process improvements.
In today’s business environment, executives need to ask
themselves this question: Do we want to be viewed as
leaders of ethical business practices, or are we willing to
risk being the latest headline involving a toxic culture
that ultimately results in embarrassing — and costly —
fraud and misconduct?
Private sector companies in today’s world face extraordinary challenges. The results of this year’s survey
shed light on a particularly perplexing challenge; namely, creating and maintaining a strong corporate
environment that prevents and deters fraud. Key findings from respondents around the globe demonstrate
that many companies, large and small, have much work to do in crafting a strong organisational culture to
keep fraud from occurring. Many organisations indicate their fraud risk strategies are weakly defined and
that resources dedicated to fraud risk can be scarce. Only one in three organisations are confident they have
strong fraud control policies in place — a troubling finding. These and other results underscore the dire need for
corporations to embrace a more proactive position in managing fraud risk across the board to build a stronger
corporate culture.
— Donald J. Rebovich, Ph.D., Coordinator, Fraud and Financial Crimes Investigation Programs, Utica College
Survey Demographics
Position
Chief Audit Executive 13%
Chief Executive Officer 12%
Audit Manager 10%
Audit Staff 10%
Chief Information Officer 9%
Chief Financial Officer 7%
Audit Director 4%
Chief Risk Officer 4%
Chief Operating Officer 4%
Chief Compliance Officer 3%
Board Member/Audit Committee Member 3%
Chief Security Officer 3%
Business Unit Control Leader 2%
Corporate Controller 2%
Corporate Security Director 2%
General Counsel 1%
Other 11%
Industry
Financial Services 15%
Manufacturing 14%
Technology 14%
Government 6%
Consumer Products 5%
Services 4%
CPA/Public Accounting/Consulting Firm 4%
Retail 3%
Insurance (excluding Healthcare – Payer) 3%
Education 3%
Healthcare – Provider 3%
Oil and Gas 2%
Distribution 2%
Real Estate 2%
Telecommunications 2%
Utilities 2%
Life Sciences/Biotechnology/Pharmaceuticals 2%
Not-for-profit 2%
Mining 1%
Hospitality 1%
Power and Utilities 1%
Healthcare – Payer 1%
Media 1%
Other 7%
Financial Services Industry — Size of Organisation (by Assets Under Management in U.S. Dollars)
More than $250 billion 14%
$50 billion - $250 billion 15%
$25 billion - $50 billion 8%
$10 billion - $25 billion 10%
$5 billion - $10 billion 20%
$1 billion - $5 billion 16%
Less than $1 billion 17%
Size of Organisation (Outside of Financial Services) — by Gross Annual Revenue in U.S. Dollars
$20 billion or greater 9%
$10 billion - $19.99 billion 10%
$5 billion - $9.99 billion 10%
$1 billion - $4.99 billion 23%
$500 million - $999.99 million 19%
$100 million - $499.99 million 18%
Less than $100 million 11%
Type of Organisation
Private 48%
Public 31%
Private, but planning an IPO within the next 12 months 5%
Not-for-profit 4%
Government (non-U.S.) 3%
Educational institution 3%
Government (U.S.) 3%
Public international organisation 1%
Other 2%
Organisation Headquarters
North America 43%
Europe 20%
Asia-Pacific 13%
Latin America/South America 12%
India 10%
Middle East 1%
Africa 1%
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
ABOUT PROTIVITI FORENSIC
Protiviti’s Forensic consultants help organisations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.
Understanding organisational vulnerabilities and establishing an appropriate framework to identify and respond to them are essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.
Our Forensic professionals assist organisations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organisations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level — from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud, and investigation programs and processes.
Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.
© 2018 Protiviti Inc. PRO-0718-101107I-IZ-ENG Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
© 2017 Protiviti Inc. An Equal Opportunity Employer. M/F/Disability/Vet. PRO-0417