Recent events in U.S. and international markets have cast the spotlight on business fraud. Cases like Cendant  a giant created when HFS, Inc. and CUC International merged - involved accounting fraud. Livent - the Canadian entertainment company -combined allegations of accounting and procurement fraud. And the case involving Bre-X Minerals arose due to the falsification of geological core samples from a gold mine. All three offer dramatic evidence that large-scale financial statement fraud can be perpetrated in multinational organizations. In addition, "traditional" fraud, such as employee theft or embezzlement, remain costly. U.S. businesses, for example, lose some $400 billion per year due to traditional fraud. Experience shows that the hospitality industry is not immune from these threats. Hospitality companies can be highly vulnerable to fraud and integrity risks in many guises. Embezzlement by employees, manipulation of financial statements, illegal acts by the company or its employees, and other wrongdoing can result in major asset loss or damage to a company's reputation. 

Evidence in a number of the world's major economies suggests that the incidence of fraud is increasing. While it is difficult to determine the exact causes for this, research has shown that relevant factors include declining social values, greater profit participation by management, less supervision due to downsizing increased performance pressures and more active international crime organizations. A recent survey of U.S. chief financial officers (CFOs) by Business Week magazine indicated that more than two-thirds of these managers had been asked by senior management to manipulate the financial statements and an alarming 12 percent admitted to doing so. 

This article, part of our series on risk management in the Hospitality & Leisure Executive Report, has been developed to assist executives who must manage fraud and integrity risk in today's global environment. A risk management framework presented here serves as a roadmap to institute programs and processes to combat fraud, including preventative methods and what to do when it is discovered. 

Why Does Fraud Occur? 

Motive and opportunity are essential components for fraud to occur. For fraud to be sustained, the guilty employee typically must also rationalize the behavior. Motivation ranges from simple greed in an embezzlement case to a complex series of issues in a fraud involving "cooking the books." 

Weak internal controls and/or collusion with colleagues or outside third parties usually create opportunities. The focus of an organization's fraud and integrity risk management program should be in the "opportunities" area of the fraud cycle. Rationalization is the process by which the person committing a fraud legitimizes his or her crime. This often includes a feeling of entitlement and a belief that "the company can afford it." 

Financial Reporting Fraud 

Fraud occurs in two primary arenas: financial reporting and the more traditional acts of fraud, such as procurement theft. In the area of financial reporting a CFO, controller or staff accountant may be involved in any number of common methods of financial statement manipulation, "cooking the books." These include: 

• Manipulation of revenue recognition 
• Overstatement of inventory 
• Failure to record necessary write-offs 
• Capitalization of expenses
• Use of reserves to "create" income

• Inadequate leadership at the top
• Weak internal controls
• Autocratic senior management
• Collusion among accounting employees
• Aggressive accounting policies

• Precipitous drops in market value, particularly when price/earnings ratios are high. (Cendant lost 520 billion in market value the day the discovery of financial fraud was announced.)
• Multiple shareholder lawsuits and damages material to the entity's financial statements.
• Damaged employee morale and retention.
• Extensive amounts of management time diverted.

"Traditional" Fraud 

Fraud in its more traditional forms involves the theft or misappropri-ation of assets. Theft ranges from simple check fraud, which commonly occurs in the gaming industry, to more sophisticated schemes such as procurement fraud. Frequently, individual thefts in the hospitality industry are immaterial, and such thefts are not the focus of this article. However, procurement and related fraud deserve special mention because they can have significant "bottom line" impact. Consider this example of a single employee acting alone at a Washington, D.C. property of a major hotel chain. Weak internal controls in the hotel's accounts payable area opened the door to fraud, allowing a reservation clerk to establish a vendor account for his own company (a fake travel agency). The clerk then stole a significant sum by crediting his company with his agency "commissions" on guests' self-booked accounts. 

In contrast to this case, the most common form of procurement fraud involves collusion with outside vendors, which is difficult to detect. No internal control system can prevent collusion between an employee and an outside vendor acting as a partner in the fraud. In this type of scenario, the vendor usually pays a "kickback" or commission to the employee. The employer, rather than the vendor, usually bears this additional cost. Often, the scheme is varied over time and may involve significant gifts (e.g., a car) or benefits in-kind (e.g., construction of an employee's home by a construction vendor). A recent example of this type of fraud took place in New York. Two senior employees of a major hotel chain were arrested and charged with receiving several hundred thousand dollars in kickbacks from their orange juice, meat and produce supplier over a period of 10 years. Their "commission" amounted to 3 percent of the items purchased. While this type of fraud is difficult to prevent, important safeguards include vigilant training of employ-ees and rotation of responsibilities in the purchasing department. 

An Ounce of Prevention 

Hospitality companies can benefit greatly by installing a fraud and integrity risk management program that embeds preventative processes and controls in the organization. A "best practices" process includes four phases: 

1. Risk Assessment; 
2. Prevention; 
3. Deterrence; and 
4. Detection.

This is the most important phase; risks can only be managed if they have been identified. An adequate assessment of fraud and integrity risk should include the following steps: 

• Identify the fraud and integrity risks to which the company is exposed, including industry, geographic and management style factors.
• Use both internal and external information.
• Make use of any available empirical data.
• Identify potential consequences and estimate the total impact.

Assessing costs and benefits is an important part of the prevention process, which should include: 

• Determine the tolerable level of fraud and integrity risk. This is a difficult, but necessary' process. The interests of all constituents should be considered (directors, shareholders, customers, lenders, employees, etc.).
• Reject excessive risks that cannot be cost-effectively managed. Some corporations have ceased doing business in certain areas.
• Transfer risks where possible. The use of procurement monitoring and contract language that puts the vendor "on the hook" for abuses is increasing.
• Undertake forensic due diligence.

• Set the best tone at the top. Senior management "sets the tone" for the organization as a whole, signaling that fraud will not be tolerated. A detailed internal control manual will tell employees what should happen, but management actions signal what will happen.
• Avoid obvious control weaknesses. The lack of certain controls makes it much more likely that fraudulent activity will occur. These weaknesses include:
• Poorly defined organizational chart and job descriptions
• Poor division of duties
• Inexperienced accounting personnel
• Understaffed accounting departments
• Lack of formal merger and acquisition procedures
• Significant and unnecessary manual accounting entries
• Lack of formal accounting policies and procedures
• Lack of standardized subsidiary reporting packages
• Poor integration of various data and information systems
• Lack of a monthly accounting statement "close"
• Infrequent variance reporting and analysis
• Lack of timely financial information

• Develop a strong internal audit function. Appropriate risk management techniques can make it a powerful tool in preventing fraud.

• Screening . Implement an appropriate screening program for all employees, joint venture partners, agents, acquisition targets and major suppliers. Often a simple background check will reveal items of concern. Several years ago, a well-known services company in New York City lost several hundred thousand dollars to an employee embezzlement scheme. The subsequent investigation revealed that 13 people had interviewed the guilty employee before he was offered the job, but no meaningful background check had been performed. Such a check would have revealed the employee's existing criminal record for embezzlement at a previous employer.

• Acquisitions . Background checks are key in this area, particularly if there is to be a major construction project located in an emerging market. Several major hotel chains have been "burned" in situations where they are funding large hotel construction projects in emerging markets.

• Beyond the numbers . Due diligence requires more than attention to numbers. Consider this example of an acquisition involving a U.S. business. The acquiring company performed extensive due diligence on "the numbers." Shortly after the acquisition was completed, management discovered that the target had engaged in widespread fraud, triggering liability from the resulting litigation. No one on the due diligence team had inquired about the character of management.

• Legislative Issues . The United States has had anti-bribery legislation since the mid-1970s in the form of the Foreign Corrupt Practices Act ("FCPA"). Following this lead, the OECD Convention on Combating Bribery of Foreign Officials in International Business Transactions finally went into force in February 1999. This Convention means that all 29 member nations of the OECD (together with five additional nations) have committed themselves to introduce anti-bribery legislation. It will be a crime for a company located in an OECD nation to bribe a foreign official.

• Corruption Perceptions Index .Transparency International publishes a survey of business people, which attempts to rank countries based on respondents' perceptions of corruption. Although these data may be of limited use to members of the hospitality industry, it does provide a proxy for measures of integrity' risk in different geographic locations.

• Written code of conduct applicable to all employees
• Frequent employee training
• Monitoring of employee compliance
• Use of an ethics "hotline"

Phase IV - Detection 

What happens if you find fraud? Regardless of the type of fraud found, legal counsel should be contacted immediately. Counsel is in the best position to determine the extent of investigation needed, as well as how the issues should be resolved. Legal advisors can recommend whether forensic accountants should be retained or whether the person committing the fraud should be terminated. In poorly handled situations, counsel can also protect against claims of libel and/or slander by persons who may have been wrongly accused of impropriety. In cases of publicly traded companies where financial statement fraud has been discovered, it is even more important to retain outside counsel. Since the company has a fiduciary duty to its shareholders, counsel can advise about press releases, notification of appropriate parties and financial statement restatement issues. In most situations, insiders with knowledge of the fraud should consult counsel prior to trading any holdings in company stock to avoid any insider trading violations. 

In many situations, counsel will call in forensic accountants to aid in the investigation. This approach allows for the accountants to operate under the cloak of attorney work-product privilege and protects the work they perform from legal discovery. Forensic accountants will validate or refute allegations of fraud and quantify the impact of any fraudulent activity. The independence of the forensic accountant is important if management is to demonstrate that it has thoroughly investigated the fraud. The role of the forensic accountant in an investigation includes reviewing books and records, interviewing employees and management of disclosure obligations to various regulatory and governmental authorities (if applicable). 

Conclusion 

The best method of managing fraud and integrity risks is prevention. And prevention requires that you know your employees, vendors and potential business partners, as well as the social political and legal climates of the countries in which you do business. Strong internal controls with proper oversight, including frequent audits by independent parties, can be powerful, best practice approaches in reducing the potential for fraud.. 

(Brian Laughman is a Senior Manager and Patrice Schiano is a Senior Consultant in the Business Fraud and Investigation Services group. They are both based in the firm's New York office.) 

©Arthur Andersen