By Leonardo J. Matignas, Jr.
AS THE SAYING GOES, “prevention is better than cure.” This principle is especially true when addressing dishonest or illegal acts committed by individuals or organizations for unjust advantage — commonly known as occupational fraud.
Occupational fraud involves the misuse of one’s position or access to an organization’s resources or information for personal or organizational gain. According to the Association of Certified Fraud Examiners’ (ACFE) “Occupational Fraud 2024: A Report to the Nations,” the average loss per case of occupational fraud is a staggering $1.7 million.
Given these high stakes, it is essential for organizations to examine their governance frameworks and ensure that the four lines of defense described below are present and functioning effectively.
1ST LINE OF DEFENSE: A STRONG CODE OF CONDUCT
A well-designed and actively maintained code of conduct or ethics forms the first line of defense.
Every director, officer, and employee should be guided by a fundamental question: “When faced with a dilemma that tests their values, how will they respond?” Common ethical dilemmas include: When is a gift a bribe? When does a relationship pose a conflict of interest? To be effective, the code should emphasize positive behavior — what people should do — rather than merely listing prohibitions. It should not read like a list of “Thou shalt nots,” but rather reflect the organization’s values and ethical expectations.
The code must be a living document, embedded in daily operations through:
• Ongoing communication and training (e.g., e-learning, workshops).
• Annual individual acknowledgment and certification of compliance.
• A confidential hotline for reporting violations or seeking clarification.
• A robust Whistleblower Policy that protects anonymity and prevents retaliation.
As I emphasized in my book on fraud and forensics: “No amount of super effective internal controls can prevent a person from doing the wrong thing if he or she truly wants to.” This underscores the critical role of the Human Resources or Talent team. Hiring strategies must go beyond traditional background checks to assess alignment with the organization’s core values and ethical standards.
Remember Enron? According to a report by Vinson & Elkins, a Houston-based law firm, and as reported in The Wall Street Journal by Joan Lublin and John Emshwiller on Jan. 17, 2002, Enron’s board suspended the company’s ethics code twice in 1999. This was done to allow the formation of partnerships to conceal debt and artificially boost reported earnings. These actions also enabled executive Andrew Fastow to lead and participate in these partnerships — ultimately facilitating one of the most infamous corporate frauds in history.
Had the board effectively upheld this first line of defense, the scheme might never have been carried out. Therefore, the overall effectiveness of this and subsequent lines of defense hinges on the diligence and competence of those charged with governance.
2ND LINE OF DEFENSE: EFFECTIVE INTERNAL CONTROLS
If the first line fails, the second must act as a barrier and deterrent. This is where internal controls come in.
Effective internal controls should:
• Be well-designed and regularly updated.
• Include preventive measures to reduce the opportunity for fraud.
• Offer detective measures to ensure the continuing effectiveness of the preventive controls.
Controls can be system-based, people-based, or a combination of both. System-based controls are often more reliable, as they reduce subjectivity and human error.
Internal controls serve to reinforce the perception that: “If you attempt to commit fraud, the system or process will catch you.” This psychological deterrent can be just as powerful as the controls themselves.
3RD LINE OF DEFENSE: INDEPENDENT INTERNAL AUDIT
Internal audit provides assurance that the first and second lines of defense are working as intended. Its responsibilities include:
• Verifying adherence to the code of conduct.
• Ensuring hotline reports are acted upon.
• Reviewing compliance with the whistleblower policy, in particular regarding strict confidentiality.
• Assessing whether internal controls are properly designed, consistently applied, and effectively mitigating the fraud risk.
Contrary to popular perception, internal auditors do not design or implement controls. That responsibility lies with management, under the oversight of the board, usually through its audit committee. Internal audit, however, evaluates and tests those controls to identify gaps and weaknesses.
When breaches occur — whether due to ethical lapses or control failures — internal audit investigates and provides recommendations to prevent recurrence.
4TH LINE OF DEFENSE: EXTERNAL AUDIT
The external audit is the fourth and final line of defense. While external auditors operate with a broader objective and are not involved in day-to-day operations, they are also considered a line of defense against material misstatements of the financial statements — whether caused by error or fraud — in accordance with the Philippine Financial Reporting Standards.
Although most occupational fraud is discovered through internal mechanisms, external auditors are still responsible for:
• Designing audit procedures to identify material misstatement due to fraud.
• Reporting concerns to those charged with governance (e.g., the audit committee) following professional standards, such as Philippine Standards on Auditing (PSA) 240, and guidance from the International Ethics Standards Board for Accountants (IESBA) on reporting non-compliance with laws and regulations.
An essential part of the external audit process is open communication with the audit committee about how fraud risks are being addressed.
CONCLUSION
Boards must ensure that all four lines of defense are not only established but function effectively to prevent and detect fraud. A best practice is to integrate these lines into a comprehensive fraud risk management framework — also known as an anti-fraud program.
The collapse of corporate giants like Enron, Tyco, and WorldCom serves as a stark reminder: fraud is often at the center of catastrophic organizational failures. These corporate scandals catalyzed a global shift toward stronger corporate governance and ethical oversight — a journey that continues to this day.
Leonardo J. Matignas, Jr. is a retired partner of SGV & Co. (a member practice of Ernst & Young) and its first chief risk officer. He was also Ernst & Young’s ASEAN risk management leader until his retirement. He is a multi-awarded and internationally recognized authority on Enterprise Risk Management. Aside from being a Philippine CPA, he also holds a Fellow CPA Australia (FCPA) title which is the highest rank in CPA Australia and is recognized globally. He is also a certified internal auditor (CIA), certified fraud examiner (CFE), and has Certification in Risk Management Assurance (CRMA) — all of which are global certifications. It has been his advocacy to encourage Philippine accountants to explore various areas of expertise and certifications to stay relevant considering the changing business and professional environment. He sits as an independent director of Bank of Commerce and the chairman of its Audit Committee. He is also an independent director of PNB Holdings Corp. and the chairman of its Audit and Risk Management Committee. He released his first book, A Practical Approach to Enterprise Risk Management, before he retired. This is the first comprehensive book on ERM written by a Filipino author for the Filipino. His second book, Piercing the Numbers — Fraud and Forensics, was published in November 2023.