When a CFO finds fraud

Fraud is on the rise. “We know that every organization is going to face attempted fraud at some point in their existence,” Andi McNeal, chief training officer at the Association of Certified Fraud Examiners, told CFO Brew. And CFOs, who spend so much time with financial data, may be among the first to spot it.

But if CFOs come across suspicious transactions or patterns of behavior that throw up a red flag, what should be their first move?

Just like most employees, they should formally report their suspicions to the appropriate party, be that a hotline, HR, or a corporate security team, McNeal said. Bringing the concerns to the individuals responsible for taking such reports “is by far the first and most important thing that should be done,” she noted.

If you’re concerned that senior leadership could potentially be involved in fraud, “go straight to those charged with governance, whether it’s the board of directors or an audit committee,” McNeal said.

Avoid the temptation to comb through the evidence on your own, McNeal said. Otherwise, you run the risk of interfering with an official investigation. “There are legal parameters involved with collecting evidence,” she said. “And if anyone that suspects fraud decides that they want to dig a little deeper and start trying to understand the situation more, they actually put the case at risk if they do anything that might compromise the evidence.”

Most large organizations will have fraud response protocols that the CFO can follow, McNeal said. These documents outline procedures and lines of communication for reporting suspected fraud, and detail who receives reports of potential misconduct and determines whether to act on them.

If your company doesn’t yet have a fraud response protocol, consider putting one in place, McNeal said, adding, “The best time to have fraud response protocols developed is before you ever need them.”

Who to tell—and who not to. In general, keep the board and audit committee apprised of any fraud investigations or concerns about fraud, McNeal said. Consult with legal counsel early—“ideally, that is baked into those fraud response protocols”—so they can advise on whether to bring in external help and inform you “around evidence protection and appropriate responses.”

Don’t question or confront anyone you suspect of committing misconduct, McNeal said. If they are indeed a bad actor, you could tip them off. “Now they’re able to go destroy documents, conceal their tracks, disappear, spend all the proceeds of the fraud so that it can’t be recovered,” and “basically ruin the chance of any successful investigation,” she said.

The CFO’s role as fraud fighter. With fraud so prevalent, “CFOs should always have some type of fraud risk management training,” Eric Young, senior managing director at investigations and compliance consultancy Guidepost Solutions, told CFO Brew. They should “understand what’s material and what’s not, for purposes of financial reporting and accuracy and integrity. That should be in their DNA.”

CFOs’ role, which requires them to work across multiple functions, positions them to communicate across silos to address fraud risks, he said.

“Compliance, risk, operations, business technology, they all need to work more closely together” to combat fraud, Young, a former chief compliance officer at BNP Paribas and S&P Global Ratings, told us.

“The CFO can be an excellent mobilizer to not only gather information but integrate information across these functions and to educate around the evolving risk around fraud.” In particular, he said, they can “keep the board aware through training and awareness” of fraud risks, especially cybersecurity-related risks, “at least quarterly.”