Nearly half of all global organizations in PwC's 2018 Global Economic Crime and Fraud Survey admit to having been the victim of fraud and economic crime in the past two years, resulting in more than $7 billion in total losses and a median loss of $130,000 per case. Nearly half of those frauds were because of internal control weaknesses.
Internal audit plays several key roles in the prevention, detection, and monitoring of fraud risks. First, as internal audit has broad visibility into the different areas of the enterprise, it should be aware of potential red flags of fraud in all audit engagements and identify ones that may warrant further investigation. Also, internal audit should assess the effectiveness of controls designed to mitigate fraud risk. Finally, internal audit can lend valuable expertise in an advisory role to the development of the fraud policy. To do this, internal auditors need to understand the key elements of a strong policy, and who it should involve.
The Building Blocks
Any organization can be a victim of fraud, regardless of its size, industry, or location. The most effective recourse is to develop a strong and implementable fraud policy that defines unacceptable behavior and how the organization will respond to it. While policies can vary depending on the organization's number of employees, industry complexity, and operating environment, the fundamental elements remain the same:
While no fraud policy can define every fraudulent action, a well-written policy uses clear language and relatable examples to help reduce uncertainty about what the organization considers illegal activity. It also provides clear instructions regarding the responsibilities and procedures to be followed by all involved when illegal activity is suspected or uncovered.
However, it doesn't matter how well the fraud policy is written if it sits in a three-ring binder gathering dust. The organization must ensure that the fraud policy is not only created, but also read and understood by all internal personnel and external parties with which it engages. The greater the importance the organization places on this document, the greater the likelihood employees will place an equal amount of importance on it. From regular manager/employee policy reviews to live training to role playing, the same message, stance, and emphasis on eliminating fraud can be reinforced. Regular communication not only promotes understanding, but also can deter potential fraudsters.
Occupational fraud is most efficiently organized into three categories, each of which companies must identify and communicate to personnel.
Asset misappropriation is the stealing or misuse of enterprise resources by personnel. This occurred in more than 89% of all reported cases and resulted in a median loss of $114,000, according to the Association of Certified Fraud Examiners' (ACFE's) Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.
Corruption schemes occur when personnel misuse their influence during business transactions to obtain a benefit and violate their duties to the employer. According to the ACFE study, this accounts for 38% of occupational fraud cases with a median loss of $250,000.
Financial statement fraud occurs when personnel intentionally cause misstatements or omit information in enterprise financial reports. It is the least common but most costly, averaging $800,000 per incident.
While fraud detection and prevention is an organizationwide effort, clearly defined roles must be instituted to promote responsibility and reduce confusion. For example, the board of directors is responsible for corporate fraud governance, and management must be engaged in executing these policies. Internal audit's role should be clearly defined, as well. Auditors must have the authority to ensure fraud controls are appropriate and effective, to investigate instances of possible fraud, and to support management in executing the fraud risk assessment.
Without the threat of prosecution, a fraud policy is little more than a toothless tiger. Therefore, it's critical that the policy conveys a plan of disciplinary action to all personnel. The fraud policy must include a statement that all appropriate measures to deter fraud will be taken and all instances of suspected fraud will be investigated and reported to the appropriate authorities.
Generally, organizations have four options when fraud is uncovered: criminal prosecution, civil fraud lawsuit, a mutually agreed upon termination of the perpetrator, or no action. There are varying schools of thought as to which of these actions should apply to different fraud situations. For example, it can be argued that taking no action is one of the surest ways to promote an organization's susceptibility to future fraud because of the perception of impunity. On the other hand, there also are cases when the cost of prosecution exceeds the cost of the fraud and other disciplinary actions may be preferred. Some organizations will prosecute all fraud regardless of monetary value. From the internal auditor's perspective, however, the key question is whether the organization has considered the risks of its disciplinary policy (reputational risk, cost, future fraud risk, etc.) and is comfortable with them.
The fraud policy must provide personnel with instructions regarding the steps to take when suspecting fraud. The policy should remind personnel that they are not prosecutors of the law and that their job is to report their findings to the organization's appropriate party. The fraud policy should provide anonymous avenues to give employees confidence that they can safely report potential fraud, such as a fraud hotline number. In addition to verifying the existence of a hotline, internal audit also may want to understand whether it is being used and how effectively the company has responded to these tips.
A Preventive Measure
In the end, a fraud policy is an inexpensive and effective method for reducing the threat of potentially crippling financial losses. Furthermore, all departments, including internal audit, can play major roles in its development. This stand-alone document should be seen by all personnel as playing an integral role in the organization's health and longevity.