As compliance and internal fraud prevention specialists who witness our clients' difficulties with corporate fraud on a daily basis, we have always encouraged them to develop and maintain a culture of compliance. We have advised them on the benefits of a compliant work environment and a customized compliance and risk protection system. But above all, we tried to teach them that internal fraud no should be seen as an unavoidable operational cost.

However, looking more closely at what has so far been presented as a mere myth, one cannot help but wonder whether, especially in certain cultures such as our own, fraud should not be considered a normal operational cost. Even if this seems an extremely harsh statement, if we were to consider the economic and social context of a country, we could come to realize a painful reality: in most business sectors, internal fraud is inevitable, and managers and shareholders very often end up directing generous budgets towards reactive measures instead of preventive strategies. An important contributing factor is the legal system and the general work of the public prosecutors in the state where the company operates.

Without wishing to put the legislature or prosecutors in a bad light, we have summarized below the main difficulties we have encountered in developing and sustaining an organization that meets compliance rigors:

# 1 Public funds and assets are still considered more valuable than private funds and assets

Any manager or shareholder who has been confronted at least once with a case of internal fraud has had to consider whether or not it is necessary or appropriate to bring a criminal charge against the offending employee or employees. Having been advised by his or her advisers as to whether or not the fraud in question is criminal, this manager or shareholder is likely to focus on the practical difficulties of making and sustaining a criminal complaint rather than on the legal issues. Will anyone bother to consider this complaint? Am I obliged to make a criminal complaint to protect the company? Can I trust that the prosecutors have been trained to understand the differences between the public and private sectors? Will the costs of this criminal complaint outweigh the damage the company has suffered as a result of the fraud I am facing? And these are just some of the usual questions a manager is forced to ask.

Managers and business owners in Romania are well aware of the Public Ministry's reluctance to invest resources in investigating cases of internal fraud. They fear, and not without reason, lack of interest, public corruption, notorious incompetence (especially in cases where understanding internal fraud also requires some knowledge of civil or commercial law), extremely lengthy and pointless investigations, which generate unnecessarily high legal fees.

As a consequence, most companies refuse to bring a well-deserved criminal complaint, even if the fraud against them is of a clear criminal nature and even if the damage suffered by the company is massive. Moreover, if a manager or shareholder were to compare this reaction of the Public Prosecutor's Office with the latter facing, for example, a suspicion of tax evasion with similar damage, the only thing they would face would be the related frustration, and a sense of powerlessness. As a result, most companies are forced to give up the illusion of help from public authorities and end up investing impressive sums of money in internal compliance investigations and disciplinary proceedings. Which brings us to number two in our summary:

#2 Firing an employee involved in fraud is more expensive than ever

Prin "employee involved in fraud" or fraudster for short, we are referring to the common thief, the employee who has a predisposition for embezzlement schemes or, generically speaking, the employee who has mysteriously come to see the workplace as an opportunity to earn something other than a salary. According to this definition, the fraudster is, unfortunately, a typology that every company comes across at some point.

With this typology in mind, let's imagine the following scenario: a diligent manager takes serious steps to learn how to develop a true culture of compliance in the organization he or she leads; he or she has gone so far as to allocate a more than generous budget to developing a risk protection system, advanced staff training, and the procurement of sophisticated consultants, all of which should ideally work together to create that illusion of a highly robust compliance system. But, as is usually the case, this diligent manager at some point develops serious suspicions of a kick-back scheme, a case of nepotism, breach of trust or embezzlement, or gross circumvention of internal company policies. Perhaps a slightly more seasoned employee, promoted to a C-Level management position, has decided to contract a friend's firm to provide various services for the company, and these services suddenly become increasingly necessary (company cars suddenly need frequent and frequent repairs, company machinery breaks down at an alarming rate and needs more and more spare parts, etc.). Or perhaps this up-and-coming employee in a C-Level management position has worked his or her way safely through the company's compliance system and discovered an inventive way to use company assets for personal gain.

After carefully analyzing the damage to the company, the diligent manager in our scenario above begins to prepare for a disciplinary investigation. But he faces at least the following problems:

♦ A 6-month statute of limitations for the application of any disciplinary sanction (including dismissal of the at-fault employee), although this 6-month period is inexplicably much shorter than the statute of limitations for the offense(s) committed by the employee. Any manager who has ever dealt with a case of internal fraud knows that it takes much longer than 6 months to uncover and document fraud;

♦ If the evidence found by the manager consists of statements given by other employees or witnesses, they end up either being bribed by the fraudster or expressing real discomfort in writing down what they saw or witnessed;

♦ What about the possibility of making a criminal complaint against the employee? It might seem like a logical solution, but it is not legal to fire an employee just because you have filed a criminal complaint against them. So, even if the manager decided to do so, dismissal would only be a possibility after a few years, when the criminal prosecution is finalized with the employee being prosecuted (assuming we are talking about fraud with substantial damage and a cooperating prosecutor who understood the ungrateful situation the company finds itself in).

In view of the above, it is not surprising that managers end up negotiating a termination agreement, with generous severance pay, with a fraudster who, by law, turns out to be impossible to fire. In fact, more and more companies are budgeting in advance for these severance payments because, after exhausting the available legal avenues, this still turns out to be the most effective (and cheapest) solution.

Having said that, we would like to conclude on a more humorous note by mentioning that compliance systems increasingly appear to be mere commitments compliance that a company is forced to make by non-compliant employees and public officials. And as long as this responsibility is not shared among all participants and backed up thoroughly by the judiciary and the legislative system, we can no longer condemn companies that consider internal fraud to be... a substantial and unavoidable operational cost.

But even so, a manager's diligence and the quality of his or her consultants play a particularly important role in assessing this cost. Yes, some internal fraud is inevitable, but the truth is that most of it is predictable and preventable. From this perspective, risk assessments, i.e. complex assessments aimed at identifying a company's operational vulnerabilities, and reacting quickly to identified suspected fraud, are by far the most effective ways to fight internal fraud. Regular assessments are recommended, and those carried out following restructuring, for example, are mandatory.

Last but not least, the average duration of a typical fraud case is 14 months, according to ACFE ^{(Association for Certified Fraud Examiners).} In this respect, even if some frauds are not preventable, there is a fundamental difference in the damage caused by a fraud that is detected at an early stage and one that is detected too late.

Material written by Alexandru Ene-Dragan (Partner, Head of Compliance & Litigation, Noerr), Oana Piticas (Coordinator White Collar Crime Practice, Noerr), Gabriel Zgunea (CEO, Corporate Intelligence Agency)