If you open a newspaper, turn on a TV, or listen to a radio, most likely within a very short time you will come across a story about fraud perpetrated in an organization. In today's business environment, fraud remains one of the top risks facing organizations as well as individuals.
The continued focus and hype that surrounds emerging fraud events does serve a strategic purpose. As the old saying goes, "what gets identified gets addressed." The more internal auditors learn about the characteristics of fraud incidents, the psychology behind the individual acts, the characteristics of the people who commit those acts, and the missing controls that could prevent fraud, the closer they get to slowing or mitigating the occurrence of unwanted events.
Most people are aware of the fraud triangle and its related theories, but internal auditors must dig deeper to understand the various aspects of how and why fraud is committed. The application of professional skepticism may lead internal auditors to ask whether there are certain fallacies rooted within their current perception of fraud and its underlying causes.
Fraud Is Perpetrated By Foes
The concepts of ethics and controls are deeply embedded within internal auditors' thought processes, thus the belief by many that those who commit malicious acts of fraud are not friends, but foes. Unfortunately, statistics show that the typical white-collar criminal is someone of respectable status in the organization with no prior fraudulent experience. He or she may be a long-time and trusted employee or supervisor. These individuals are thought of as friends, mentors, or respected superiors.
How is it that the very people trusted in an organization become the perpetrators of fraud acts? The fraud triangle and its leg of opportunity show one of the reasons. Long-term, trusted employees often are the ones who recognize the opportunity that exists when controls are missing or lax. They have the ability to act on that opportunity without raising immediate speculation. Even if other employees notice the act, to insinuate that a professional of this stature is involved in a potential deceptive act is a difficult step to take. This may be why so many frauds go unreported or undetected for long periods.
This misconception reinforces the need for ongoing fraud awareness and monitoring processes at all levels of an organization. Theoretically, the stronger the awareness of fraud red flags, the higher the probability that someone will speak up about an issue. But to speak up, professionals need to understand the symptoms and have the appropriate reporting avenues to communicate observations.
Fraud Risk Is Assessed
Do organizations truly perform sufficient risk assessments focused on the potential for fraud? The belief that the risk of fraud is assessed adequately in the organization based on the fact that internal audit may look for fraud can prove to be a fallacy in many ways. Organizations must explicitly evaluate various threat areas to determine the potential for fraud. They must assess emerging risk areas and the ever-changing aspect of technological innovation to determine how fraud could happen within their own operating environments. In addition, processes must be in place and effectively executed to promptly investigate and follow up on reported anomalies.
Many guidelines and pieces of legislation in today's business world mandate that organizations be proactive in their search for, and identification of, potential control gaps that could lead to fraud. COSO's updated Internal Control–Integrated Framework stresses the importance of focusing on this concept and has dedicated a principle to the topic of fraud. Yet, inherently, organizations don't like to think that fraud could occur within their walls. This leads some organizations to wrongfully believe that detailed and complete fraud risk assessments are not necessary.
There are various lessons to learn from these misconceptions. In regard to risk assessments, first and foremost, organizations need to re-evaluate their approaches to executing the process.
- Are procedures used to evaluate potential fraud risk truly independent from the business areas and performed with appropriate technical expertise and professional skepticism?
- Are potential threats assessed at a macro level, micro level, or both?
- Who performs the assessment and how are the results used in the day-to-day business?
- Are there any areas that are off limits when it comes to performing the risk assessment?
- How frequently is the risk assessment done?
- Is the organization proactive in its assessments and reactive when a fraud incident is identified?
Fraud Won't Happen To Us
All organizations want to believe they're immune to fraud. They must face the fact that fraud does not discriminate. Just as individuals may rationalize why it is okay to commit fraud, organizations sometimes attempt to rationalize the "whys" that support their belief that fraud won't happen to them.
There can be multiple beliefs within corporate cultures that contribute to the act of rationalization. What one person views as a very strict policy, another person may see as a simple guideline open to interpretation. It is important to maintain several levels of defense against fraud, including multiple preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical to ensure that controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarms in appropriate places. It also is important that those controls and warning signs are applied to all employees within the organizational ranks.
It's the Amount That Matters
Much of the recent fraud-related legislation focuses on accounting and financial issues. Indeed, many frauds result in significant financial ramifications, so the legislation related to transparent financial statement disclosures and whistleblowers is warranted.
However, fraud is dynamic and often can occur long before there is any significant impact to the financial statements. For example, frauds resulting in identity and information theft may eventually have financial ramifications. However, the initial ramifications are breach of identity and information confidentiality. The perpetrators see this type of fraud as one they can execute with a lower probability of being identified because they perceive the financial impact may not be noticed immediately. In addition, they often don't know their victim, so they may not feel the guilt impact.
There may be some link between types of fraud and the resulting financial materiality when it comes to getting management's attention. Most auditors have been asked, "How material can the error be anyway?" This is one of the signs that management may not fully understand the variance between control gaps, which may create opportunity for inappropriate actions or actual control failures. When it comes to fraud prevention, the question should not be, "How much was taken or how much did we lose?" but instead, "What opportunity has been created from the control gap identified?" To illustrate the point, consider whether the following examples constitute fraud:
- An operations or sales manager submits a forward-dated purchase order for a product the day before financial close. Due to budget concerns, he doesn't want the expenditure to hit in the current period, so he asks the supplier to fill the order on the first day of the new period. He also has an immediate need, so he asks the company to send the materials via express shipping, which results in higher costs.
- The company's entertainment policy states employees cannot charge liquor as a business expense to the company unless there is a vendor, customer, or supplier present. A meeting is held at an expensive establishment, and there are 10 corporate employees and two vendors. The bill is several thousand dollars, of which 80 percent is spent on liquor.
- Corporate travel policies do not allow the charge-through of upgraded airfare. An employee is attending an out-of-town event with his boss and other staff members. During airport check-in, he upgrades and bills it to the company. The supervisor approves it.
In each of the incidents, there are numerous potential control gaps that range from inappropriate segregation of duties to inappropriate authorization. But in each incident, some individuals may rationalize that the act is not "true fraud." Business involves many actions and judgments. Judgments require discretion and understanding of policies. If corporate policies are unclear, even the small ones, individuals may choose a path that is not in line with company expectations. In other words, if it is fraud, does it matter how much — or little — the fraud is worth?
Technology Will Stop Fraudsters
In today's technological world, the concept of "unauthorized" is significantly mitigated with the advancements in system processes. Sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and scanning technology. These processes rely on programming controls and periodic monitoring techniques to ensure access is in line with company expectations. Although these system enhancements have improved efficiency in many ways, there are often loopholes that provide a knowledgeable individual with the opportunity to rationalize or take advantage of poorly designed procedures or a seemingly minor control gap. So, "authorized" can be a fallacy if individuals place too much reliance on system-established controls and don't appropriately monitor and manage those controls.
The simplest example of unauthorized transactions is illustrated in how delegations of authority are established and maintained within systems. If authority delegations are established with no end-date, or extended to individuals at a lower responsibility level than the true authorizer, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for abuse and misuse can be significant. And, if this trend goes undetected for an extended period, the risk can become even greater.
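The delegation gaps described above can be tested as a recurring detective control over an export of delegation records. The following is an added example, not part of the original article; the record fields, the seniority scale, and the 90-day limit are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_DAYS = 90  # assumed policy limit on a delegation window (not from the article)

@dataclass
class Delegation:
    delegator: str
    delegator_level: int   # assumed scale: higher number = more senior
    delegate: str
    delegate_level: int
    start: date
    end: Optional[date]    # None = no end date recorded in the system

def review(d: Delegation, today: date) -> list:
    """Return the control-gap findings for one delegation record."""
    findings = []
    if d.end is None:
        findings.append("no end date")
    elif d.end < d.start:
        findings.append("end date precedes start date")
    elif (d.end - d.start).days > MAX_DAYS:
        findings.append(f"window exceeds {MAX_DAYS} days")
    if d.delegate_level < d.delegator_level:
        findings.append("delegate below authorizer's level")
    # A still-active record that started long ago is the gap that has
    # gone "undetected for an extended period": report how old it is.
    active = d.end is None or d.end >= today
    if active and (today - d.start).days > MAX_DAYS:
        findings.append(f"active for {(today - d.start).days} days")
    return findings

def audit(records, today: date) -> dict:
    """Map 'delegator->delegate' to its findings, omitting clean records."""
    flagged = {f"{d.delegator}->{d.delegate}": review(d, today) for d in records}
    return {pair: f for pair, f in flagged.items() if f}

# Constructed sample records (hypothetical roles and dates).
SAMPLE = [
    Delegation("cfo", 5, "controller", 4, date(2023, 1, 10), None),
    Delegation("vp_ops", 4, "vp_sales", 4, date(2024, 5, 1), date(2024, 5, 15)),
    Delegation("director_it", 3, "analyst", 1, date(2024, 4, 1), date(2024, 12, 31)),
]

if __name__ == "__main__":
    for pair, findings in audit(SAMPLE, date(2024, 6, 1)).items():
        print(pair, "->", "; ".join(findings))
```

Running the check on a schedule and routing the flagged pairs to someone outside the approving business area keeps the review independent of the people who hold the delegations.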
Another example may be the use of superuser IDs for management and administrative access for systems and accounts. There is a very distinct and established purpose for granting this type of access; however, if granting of the IDs is not well-controlled or monitored, there can be a significant internal control exposure that creates the opportunity for fraudulent behavior to occur. This doesn't mean that just because a company has excessive superuser IDs, it can expect that fraud is occurring within its corporate walls. However, this is why senior management and the board need to understand the importance of a control gap. Overuse and poor monitoring of these IDs create the threat or opportunity for some activity that may not be acceptable to the organization.
Fraudsters are evolving, just like technology is evolving. Unauthorized transactions don't always occur because of external hacking. Internal auditors must not overlook all of the internal possibilities and probabilities that are present due to sophisticated business systems. Fraud in the digital age continues to expand and mature. Organizations must take a proactive approach to the examination and identification of ways that unauthorized transactions can slip through their internal firewalls and control procedures.
Good People Are Not "Deceptive"
When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraud acts are frequently acts of deception, the fallacy lies in believing individuals within the organization would never commit a deceptive act.
Organizations go to great lengths to hire top-notch talent who will be loyal and faithful. Individuals are promoted through the ranks into leadership roles because they have displayed some unique attributes via knowledge or talent. Although most individuals would not even consider entering into a deceitful act, the many external pressures that are placed on today's professionals must be recognized. The psychological impact of events on these professionals in today's world is difficult to predict. Individuals who are typically reasonable and display high integrity can be placed in situations where both personal and professional stress can impact their decisions and actions in ways they may have never imagined.
This is where the "silence is golden" concept must be eliminated. Organizations must encourage openness and transparency in everyday actions, practiced at all levels. If someone questions an action or event, outlets must be available to report concerns without the fear of repercussions. A specific example that unintentionally supports the "silence is golden" theme is an instance where an employee performs an inappropriate action among a group of co-workers within the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time of occurrence, especially if the person performing the action is his or her boss. However, that doesn't mean it is okay to walk away from the situation and say nothing. The outlets to report concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or even calling the employee hotline. Employees must be encouraged to speak up when they see activity occurring that they believe is inappropriate. If they don't, they are perpetuating a culture of denial and silent acceptance.
Don't Be Deceived
Fraud is a dynamic topic and will continue to evolve in nature and form. Expanding technology and global business invite many variations and types of fraud. The best deterrence is the ongoing vigilance toward anti-fraud measures and awareness. To be effective, organizations need to embrace this approach not just in words, but in actions.