James Ratley, President and CEO of the Association of Certified Fraud Examiners, gives advice to company secretaries on understanding and identifying the red flags of potential fraud.
Over the last several years, major global economic events have brought the concept of risk to the public eye and to the forefront of many business operations worldwide. Although the particular risks threatening an organisation’s success depend on many factors specific to its operations, the risk of fraud is present in every company. Additionally, the failure to effectively manage fraud risk can have significant compliance implications. Consequently, compliance professionals must be acutely aware of, and proactively dedicated to, preventing, detecting and responding to this risk.
The truth is that fraud occurs in all organisations, of every size, in every industry, and in every region; no entity is immune to this risk. The fundamental reason for this pervasiveness is that, at its core, fraud is a human problem, not an accounting problem. As long as organisations employ individuals to carry out business operations, the risk of fraud exists.
And this universal risk can be devastating if not given adequate attention. According to the Association of Certified Fraud Examiners (ACFE) 2012 Report to the Nations on Occupational Fraud and Abuse, the typical organisation loses an estimated five percent of its revenue to fraud each year. As with other risks, proactive risk management initiatives are necessary to mitigate the threat and its associated potential losses. Companies whose management is least attentive to the potential for fraud are at the greatest risk of being victimised.
The four pillars of managing fraud risk
Addressing fraud risk involves a continual process of assessing the specific risks related to fraud and enacting focused initiatives to address the identified violations before, during and after their potential occurrence. Figure 1 provides an illustration of the anti-fraud initiatives that form the pillars of the fraud risk management programme.
1. Fraud risk assessment
In the simplest terms, conducting a fraud risk assessment involves looking at what has happened in the past – both at the organisation and at other organisations – and identifying where the opportunity still exists for individuals to commit fraud. In doing so, management must consider the risk of fraud from both internal and external sources, as well as the increased risk that stems from collusion between parties. While most fraud schemes, in their essence, fall within a known spectrum, a fraud risk assessment involves identifying and evaluating the likelihood and significance of each of these risks based on the specifics of the organisation.
To be effective, the fraud risk assessment must be an ongoing process, and should be revisited frequently to ensure the organisation is remaining ahead of the risks. Further, the results of the assessment should be used to focus the organisation’s fraud prevention and detection efforts on those areas assessed to be of the greatest risk.
2. Fraud prevention
When asked about their schemes, many fraudsters state that the most difficult violation is the first one; once they have stolen once, it becomes much easier to continue their fraudulent activity. Consequently, fraud prevention activities should be designed to stop employees from engaging in the first instance of fraud. Among the most important organisation-wide mechanisms that can effectively deter employees from engaging in fraud are:
- an ethical tone at the top and a corporate culture that clearly illustrate the value of honesty and provide employees with visible examples of leaders doing the right thing
- employee fraud awareness training programmes that educate staff members on what fraud is and what it is not; the types of behaviours that are expected of employees; how fraud hurts both the organisation and every employee on staff; common warning signs to watch for; and how to report suspected wrongdoing
- employee support programmes, such as addiction, financial and family counselling services, that help address the pressures that can lead otherwise honest individuals to resort to fraud
- background checks (where legally permissible) of potential employees to ensure that the company is hiring honest and ethical staff members and not letting known thieves in through the front door
- mechanisms that increase the perception of detection in employees’ minds – that is, tools that convince employees that, if they attempt fraud, their actions will certainly and swiftly be detected.
3. Fraud detection
Even the most robust fraud prevention programme will not curb all instances of fraud. Consequently, anti-fraud programmes must also include controls designed specifically to detect fraud as soon as possible after it has begun.
ACFE research shows that tip-offs are consistently the most common method by which frauds are uncovered. According to the ACFE 2012 Report to the Nations on Occupational Fraud and Abuse, more than 40 percent of occupational frauds are detected by tip-offs, and over half of those tip-offs come from company employees. Implementing a hotline that provides employees and other parties with an easily accessible means of coming forward with information is among the most effective anti-fraud defences an organisation can have.
Additionally, an internal audit function, particularly one that undertakes periodic fraud audits that incorporate an element of surprise, can help bolster management’s ability to identify potential instances of fraud. Within these audits – or as part of other proactive measures – the use of data mining and data analysis to look for anomalies and data patterns that indicate fraud or manipulation can be an excellent fraud detection tool.
Process-specific internal controls, such as segregation of duties and management review of processes and transactions, provide further layers of oversight and additional checks-and-balances that make it less likely that fraud will be able to remain undetected for long.
4. Fraud response
The fraud risk management programme must include protocols for responding when potential fraud is uncovered. The fraud response mechanism should include clear, formalised procedures to facilitate:
- investigating the allegations
- taking action against the perpetrator, such as employment sanctions, criminal prosecution, or a civil lawsuit
- recovering amounts lost through legally available means, and
- correcting any internal control deficiencies that allowed fraud to occur.
Focus on fraud indicators
While the anti-fraud controls above are a necessary part of combating fraud, addressing fraud risk involves more than just implementing internal control mechanisms. To be effective, the fraud risk management process must be anchored in understanding and identifying the red flags of potential fraud. Throughout all anti-fraud activities, as well as while conducting daily operations, compliance professionals and other involved staff members must focus on recognising fraud indicators, and those charged with managing this risk must consider such indicators while designing and implementing the fraud risk management programme components.
The red flags of fraud typically fall into the following broad categories.
Internal control weaknesses
Strong internal controls help protect against potential fraud. The opposite is also true: weak or absent controls provide potential fraudsters with the opportunity to profit personally at the expense of the organisation. Common internal control weaknesses that can indicate fraud symptoms include:
- lack of segregation of duties – the responsibilities for authorisation, custody, and recording of assets and transactions should be separated among different staff members as much as possible; the ability of an employee to perform more than one of these functions can result in the ability to commit and conceal fraud
- lack of physical safeguards over assets, such as surveillance systems, security personnel, and restricted access to warehouses, computers, and sensitive or proprietary information
- lack of independent checks and reviews of employees’ work by management and auditors
- lack of proper authorisation on documents, records and transactions
- an inadequate accounting system that lacks authority designation or enforcement, or does not create an effective audit trail of transactions, and
- the ability of management or other staff members to override existing controls.
Accounting anomalies are unusual deviations from the standard financial recording or reporting practices, which result in irregularities in the accounting system. Examples include missing documents or transactional information, stale items on reconciliations, alterations on documents, photocopied documents when the original should be present, and increased past due accounts. Other symptoms might be ambiguous or unexplained journal entries, inaccuracies in the ledger accounts, and unexplained changes in financial statements. Such irregularities might be the result of unusual business occurrences or human error, but they could also signify fraud. Consequently, organisations should enact initiatives to identify such anomalies for further investigation and, where appropriate, to prevent them from occurring without an appropriate level of approval.
Anomalies in the organisation’s operations – particularly deviations from what would appear reasonable or strategically sound – can be a warning sign of fraud. Such anomalies include unusual relationships, procedures, and events concerning the company’s operations, as well as transactions or situations involving unexpected times, places, people, amounts or frequencies. The following are some examples of operational anomalies that merit monitoring and scrutiny for potential fraud:
- insufficient capital for continuing operations
- unexpected overdrafts or declines in cash balance
- dependence on only one or two products
- frequent changes in legal counsel
- frequent changes in executive management and directors
- high employee turnover, especially in areas that have a high risk of fraud
- continuous rollover or refinancing of loans
- a compensation programme that is out of proportion to company profits
- unusual organisational structure (for example, having the internal audit department report to the finance department)
- severe obsolescence of assets that are integral to the organisation’s business strategy
- recurring or significant problems with government regulators
- company assets sold under market value
- excessive number of banking accounts
- frequent changes in banking accounts
- use of several different banks, and
- significant downsizing in a healthy market.
Effective management oversight provides the foundation for monitoring the occurrence and appropriateness of such anomalies. However, staff members at all levels should be trained in the importance of raising concerns over operational irregularities. If employees know that both their supervisors and their peers are encouraged to report any suspicious transactions or circumstances, they will be less likely to believe they can engage in such conduct without being detected.
The vast majority of fraudsters display some sort of behavioural symptoms of their scheme – symptoms that co-workers or supervisors might have picked up on without realising that they were connected to fraudulent actions. According to the ACFE 2012 Report to the Nations on Occupational Fraud and Abuse, at the time of their frauds:
- 35 percent of perpetrators are living beyond their means
- 27 percent of perpetrators are experiencing financial difficulties
- 19 percent of perpetrators have an unusually close relationship with a vendor or customer
- 18 percent of perpetrators display control issues or are unwilling to share their job duties
- 15 percent of perpetrators are going through a divorce or experiencing other family problems
- 15 percent of perpetrators display a wheeler-dealer attitude, and
- 13 percent of perpetrators act noticeably irritable, suspicious or defensive.
It is important to note that the presence of these behaviours does not, in itself, mean that fraud is occurring. Nonetheless, compliance professionals and managers should be educated about their frequent connection to fraud and advised to take note of them or other unexpected changes in employee behaviour that might be consistent with a pressure or opportunity to engage in wrongdoing.
Addressing fraud indicators
Studies of fraud cases consistently show that, in nearly all schemes, some indicators, such as those previously discussed, were present but not recognised, or were recognised but not acted upon, by anyone. Consequently, once such an anomaly has been identified, action must be taken to determine its implications and its effects.
Financial analysis can help determine the scope of the situation’s financial impact on the business: how much, if any, has already been lost as a result of the anomaly? What is the potential future loss? What is the cost to prevent a potential loss from occurring? What will it cost to recoup the loss identified? In addition, simple observation can be an extremely effective means of analysing a fraud indicator, particularly when behavioural anomalies are noted.
Whether the cause of the anomaly is legitimate, erroneous or fraudulent, compliance professionals should use the results of the analysis to determine the appropriate action to take – if any – to prevent the act from reoccurring. At a minimum, educating employees in the affected area is a prudent thing to do; if the affected individuals are not trained in how to identify and report an indicator of potential fraud, then such occurrences might go undetected, with costly consequences.
The risk of fraud is universal and potentially devastating. Managing this risk requires proactive mechanisms that address fraud before, during and after it occurs. To effectively fight fraud in their organisations, compliance professionals must understand and focus on known fraud indicators and must closely examine and effectively respond to situations in which such anomalies are identified. Only by doing so can they successfully support the organisation in preventing, detecting and minimising the impact of fraud.
James Ratley, President and CEO, Association of Certified Fraud Examiners
James Ratley, CFE, serves as President and CEO of the Association of Certified Fraud Examiners (ACFE), where he works to promote the ACFE to the public and other professional organisations. He also continues to assist in the development of anti-fraud products and services to meet the needs of ACFE’s members.
Copyright: Association of Certified Fraud Examiners