Following any investigation, organisations should seek to incorporate a practice within the investigation process that includes a post-investigation controls review, which provides considered expert and professional opinion in recommending control improvements. In many cases, organisations will find through basic analysis that repeat offences of the same issues are occurring, including the control failures that led to the internal malpractice in the first place. In order to successfully implement such an approach, there are two critical steps organisations need to consider.
Step 1 – prepping your investigation team
The skill set of the investigation team members in situ should be assessed to ensure that they are adequately skilled and trained for investigation purposes, but also to ensure that they are equipped to capture operational experiences from an audit and/or compliance perspective. This approach will make certain that the post-investigation review and subsequent recommendations are competent while also addressing any personal development needs on a continuous basis.
Where an organisation has a dedicated investigation unit, such investigation specialists should look back at a historical investigation case and undertake a mind map session with their teams to understand any control issues. This should then be repeated on several differing case types. An invitation should also be provided to the audit department to attend the workshop and to:
- comment as to whether these issues had been raised before in the organisation (potentially highlighting cultural deficiencies); and
- provide advice as to what the audit methodology for documenting the issues highlighted would be, what recommendations and actions should be considered, and how to rate and score the issues.
The output of the workshop not only provides an understanding as to what a control weakness looks like but also creates a relationship with the audit department (whether it be internal or outsourced) who, on an advisory basis, can assist with confirming audit issues that could be delivered back to the organisation post-investigation. The latter could include co-attendance at meetings with the business area to counter any transparency and technical perspective.
Step 2 – find and safeguard against repeat offences
Often investigations, by their very nature, are focused on the specific allegations at hand and fail to consider the risk that potential repeat offences might very well be occurring elsewhere in the organisation. An organisation's remedy is often just to issue a report to the business area that is based on the current investigation findings.
Experience has shown that, as part of an effective post-investigation control review process and proactive fraud risk management strategy, organisations should undertake an additional review using data analytics information, not only to assess whether potential repeat offences have occurred with the case to hand but also to highlight other offences or breaches elsewhere in the business.
What will be the result?
These additional tasks incorporated by an investigation team will often be viewed with trepidation, but with correct facilitation and a step-by-step approach, a process can be adopted with ease and skills will be improved as a result. More importantly, this process will add value to the business which, in theory, should align itself to the investigation/internal audit mission statement. Adopting proactive fraud risk management will mean reduced repeat offences and, ultimately, save costs and protect the brand reputation.
Michael Fitzgerald is a Senior Manager, Governance Risk & Internal Controls, at Mazars.
This article first appeared in Briefly, a weekly eNewsletter from Accountancy Ireland, on the 21st January 2019.