The father of modern internal auditing, Larry Sawyer, once observed:
"Employee and management fraud is a poisonous weed that flourishes in a permissive climate where the seeds of fraud are helped and even invited to grow and mature."
While Sawyer might have been a bit melodramatic in describing the risks related to fraud, there is no question that fraud risks have been around much longer than the internal audit profession itself. And, while the emphasis on fraud ebbs and flows, the risk of fraud itself never goes away.
There are many factors that influence the priorities of 21st century internal auditors. While all are based on risk to the organization, other influences specific to the business, such as industry sector, level of reliance on technology, and risk tolerance, create enough differences to make each internal audit profile unique.
Of late a great deal of emphasis has been placed on how cybersecurity, technology, and corporate culture can influence that unique blend of risks. Meanwhile, the timeless risk that fraud presents to organizations has gotten relatively little attention. Yet it continues to plague organizations large and small, and it's one we cannot afford to overlook.
The Association of Certified Fraud Examiners' (ACFE's) latest Report to the Nations on Occupational Fraud and Abuse provides all the confirmation one needs to understand how pervasive and significant fraud remains as a threat to organizations. The latest report finds that asset misappropriations, financial statement fraud, and corruption account for median losses of $150,000 per organization, based on more than 2,400 cases examined in the report.
Those cases alone accounted for US$6.3 billion in total losses, but that number barely begins to scratch the surface.
Respondents to ACFE's survey estimated a 5 percent average revenue loss to fraud in any given year. Based on the 2014 estimated Gross World Product of US$74.16 trillion, the projected total fraud loss globally could reach US$3.7 trillion, according to the report.
Other details from the report, the ninth produced by ACFE since 1996, provide ample evidence to show that fraud remains a clear-and-present danger in virtually every organization:
- Asset misappropriation was by far the most common form of occupation fraud, accounting for 83 percent of the examined cases and creating a median loss of US$125,000 per incident.
- Financial misstatement, while accounting for a much smaller percentage in number, caused the greatest median loss — a whopping $975,000 per instance.
- Of the examined cases, 23 percent caused more than a US$1 million in losses.
- Billing schemes and check tampering posed the greatest risk based on frequency and median loss.
- A vast majority of fraudsters, 94.5 percent, attempted to conceal the fraud, most frequently by altering physical documents.
The report confirms what all good internal auditors should know — fraud is still a clear and present danger. It may sound cynical, but the reality is that there will always be someone willing to do evil.
Detecting and deterring fraud, therefore, must remain a significant priority for internal audit and the organization overall. The ACFE survey finds that the presence of anti-fraud controls correlated with lower fraud losses and quicker detection. Not surprisingly, the biggest contributor to fraud was a lack of internal controls followed by overriding existing internal controls.
Other findings provide valuable information on spotting signs of fraud.
Red flags for spotting fraudsters include individuals living beyond their means or having financial difficulties, unusually cozy associations with a vendor or customer, excessive control issues, a general "wheeler-dealer" attitude involving unscrupulous behavior, and recent divorce or family problems. According to the report, at least one of the warning signs was present in nearly eight in 10 of the examined fraud cases.
Fraud must always be on internal audit's radar, and all auditors must be aware of our own biases when it comes to uncovering wrongdoing. Human nature is to try to corroborate, not disprove. We feel better when we find evidence to support instead of contradict.
We also should be aware of the pressures that can push people to commit fraud and recognize that those who succumb may be much more like us than we'd like to admit. Elizabeth Pittelkow, an ethics and business management consultant, sums up this point succinctly when she warns, "Everyone is ethical until they are not."
A final point based on the report's findings that carried particular weight with me was that more than 4 in 10 fraud victims declined to refer cases to law enforcement. Often fearing bad publicity, these cases are kept quiet.
While it is easy to see why organizations might want to play down such embarrassing failures, I believe this course of action does more harm than good. Fraudsters who aren't prosecuted are free to move on and commit fraud elsewhere. The ACFE study found that all but about 5 percent of occupational fraudsters were "first-time" offenders. But in light of the prosecution figure, I have to wonder how accurate that might be.
As always, I look forward to your comments.