The Association of Certified Fraud Examiners' (ACFE's) 2012 Report to the Nations on Occupational Fraud and Abuse estimates the global cost of internal fraud at US $3.5 trillion, or 5 percent of total revenue. And, as we all know, internal fraud is only part of the picture.
Everything is moving faster these days, including fraudsters. Today, a rogue employee with a smartphone, given a weak enough control environment, could transfer significant sums of money offshore in the blink of an eye. According to the ACFE, the average fraudster takes US $160,000 out of a company before the fraud is detected. Little of that money is ever recovered.
Detection technology is advancing as rapidly as fraud, with real-time transaction monitoring exposing anomalous patterns that otherwise might go undetected. Means for collecting tips (e.g., hotlines) and a robust internal audit function also have been shown to be effective fraud detectors. Detection, however, should never be your first line of defense.
In fraud, as in health care, an ounce of prevention is worth a pound of cure. Donald R. Cressey, the late criminologist, is credited with identifying the three ingredients required for fraud: motive, opportunity, and rationalization. Today these are collectively known as The Fraud Triangle. With appropriate risk assessment and controls, an organization can effectively shrink the "opportunity" side of the triangle.
As a federal Inspector General, I had a key responsibility to prevent and detect fraud in my agency. I was fortunate to lead a well-resourced cadre of auditors and criminal investigators. In retrospect, I would give us high marks for our ability to detect and investigate instances of fraud that had already occurred. However, I always felt that the real opportunity, where fraud was concerned, was to have been more effective in prevention. Leveraging our knowledge of fraud risks and getting in early, before the frauds occurred, would have added so much more value.
The IIA's Practice Guide, Internal Auditing and Fraud — included in the International Professional Practices Framework — offers five key steps to fraud risk and controls assessment:
- Identify relevant fraud risk factors. This process includes review of documentation of previous frauds and suspected frauds committed against or on behalf of the organization, evaluation of related frauds at similar organizations, and review of the organization's performance measures over the past few years compared with competitors.
- Identify potential fraud schemes and prioritize them based on risk. Where are the opportunities for fraud? What is the level of pressure management is under that would lead it to override internal controls? Are there any consequences if management fails to reach goals?
- Map existing controls to potential fraud schemes and identify gaps. Entity-level anti-fraud controls such as the existence of a whistleblower hotline and whistleblower protection policy, board oversight, results of continuous monitoring, code of conduct, and the tone of management's communications regarding its tolerance for fraud risk are important elements in this exercise. The risk of management's override of controls needs to be considered explicitly and the cost/benefit for controlling that risk should be evaluated.
- Test operating effectiveness of fraud prevention and detection controls. Internal audit typically plays an important role in assessing the operating effectiveness of internal controls. Internal auditors consider not only whether a control exists, but also, through periodic testing, whether it actually operates as designed.
- Document and report the fraud risk assessment. Organizations need to document the process that identifies and evaluates fraud risk. Key elements that would likely be documented in a fraud risk assessment for each significant business area include: the types of fraud that have some chance of occurring; the inherent risk of fraud considering the availability of liquid and saleable assets, organizational morale and employee turnover, the history of fraud and losses, and other specific business area indicators; the adequacy of existing anti-fraud programs, monitoring, and preventive controls; the potential gaps in the organization's fraud controls, including segregation of duties; the likelihood of a significant fraud occurring; and the business impact/significance of a fraud.
As always, this is just a conversation starter. Volume 3 of the recently published 6th Edition of Sawyer's Guide For Internal Auditors offers an excellent overview of fraud, ethics, and people risk. Does your organization do a good job of fraud risk management? Tell us your story. Share your best practices.