Last month, the Association of Certified Fraud Examiners (ACFE) issued its 2018 Report to the Nations on Occupational Fraud and Abuse ("Global Fraud Study"). In the Global Fraud Study, the ACFE analyzed 2,690 cases reported by Certified Fraud Examiners from January 2016 through October 2017, covering 125 countries and over $7.1 billion in losses. The findings of the Global Fraud Study are concerning given the limited focus that most businesses place on fraud prevention.
Organizations that are victims of fraud may suffer reputational risk, financial harm and increased regulatory scrutiny*. Given these threats, most organizations attempt to prevent fraud from ever occurring in the first place. There are a number of anti-fraud controls that help prevent, deter and detect fraud, including the 18 entity-level examples used by the ACFE in the Global Fraud Study:
Despite the use of anti-fraud controls, organizations are not immune from fraud. The graph below (Fig. 17) illustrates fraud prevention measures that certain Global Fraud Study participants had in place at the time fraud was committed against them.
According to the study, the five most common types of anti-fraud controls in place included a code of conduct (80%), external audit of financial statements (80%), internal audit department (73%), management certification of financial statements (72%) and external audit of internal controls over financial reporting (67%). The least common types of anti-fraud controls in place included rewards for whistleblowers (12%), job rotation/mandatory vacation (19%), proactive data monitoring (37%), surprise audits (37%), formal fraud risk assessment (41%) and dedicated fraud department, function, or team (41%).
THE ABSENCE OR WEAKNESS OF ANTI-FRAUD CONTROLS
According to the Global Fraud Study, “understanding the factors that can lead to fraud is the foundation of preventing future occurrences.” As shown in Figure 22 below, nearly 50 percent of all study respondents reporting perceived the lack of (30%), or ability to override (19%), internal controls to be the main factors that allowed the fraud to occur.
The lack of management review (18%), poor tone at the top (10%) and lack of competent personnel in oversight roles (8%) also played roles in allowing the fraud to occur.
The fact that organizations analyzed in the Global Fraud Study still experienced fraud, despite a number of anti-fraud controls present, may lead organizations to question the value and expense of implementing these controls and prevention measures.
The Global Fraud Study, however, provides some concrete evidence that anti-fraud controls can have a major impact on actual dollars lost as well as the duration of the fraud. As Figure 18 shows, there are six anti-fraud controls that, when in place, reduced an organization’s median loss by 50 percent or more. They include code of conduct (56%), proactive data monitoring/analysis (52%), surprise audits (51%), external audit of internal controls over financial reporting (50%), management review (50%) and hotline (50%).
Some of the fraud prevention methods that organizations typically implement, including independent audit committees (61%) and external audit of financial statements (80%), yielded the smallest percentage reduction in the median loss at 20 percent and 29 percent, respectively.
CONTROLS TO REDUCE DURATION OF THE FRAUD
In addition to a significant reduction in median loss, anti-fraud controls were also shown to have a significant impact on the duration of the fraud. The two anti-fraud controls that had the greatest reduction were proactive data monitoring/analysis (58%) and surprise audits (54%), while another ten anti-fraud controls were shown to reduce the duration by 50 percent (see Figure 19 below).
As with the reduction in median loss, there are a few anti-fraud controls that, while widely used, had less impact on the duration of the fraud. These include employee support programs and external audit of financial statements that, despite a use rate of 54% and 80% respectively, only had a 33% and 38% reduction on the duration of the fraud.
The Global Fraud Study is useful in providing some context on the prevalence of fraud in the market and how effective organizational responses to that threat have been. Here are some key takeaways:
Any anti-fraud control system is only as effective as the management that oversees and monitors it. In order to be successful, everybody in the organization, from management on down, must support the established controls and create an atmosphere of compliance with them.
Organizations create anti-fraud controls that are appropriate for that specific organization. No two organizations, even in the same industry, are the same, and, therefore, you cannot just take what another organization is using and implement it within your organization. This may mean hiring a consultant to give you an outside perspective to help you find areas that are currently being missed.
The best anti-fraud control system in the world will not be effective unless everyone responsible for its implementation and adherence fully understands the system and their designated roles. Training is a critical element to success. All current staff and new hires must be trained and must be aware of policies to document and escalate up the chain of command when red flags occur.
Training is not a “one-and-done” commitment – it must be revisited on a regular basis. This underscores the organization’s commitment to continuously combatting the threat of fraud and ensures that everyone involved in the process continues to play their part in keeping the system working.
Complacency at any level regarding the threat of fraud may be one of the most difficult challenges an organization may face. The only thing worse than an organization that doesn’t think it needs anti-fraud controls because “they don’t have fraud” is one that may create a great program, but fails to implement or then doesn’t review it regularly for effectiveness and completeness. As we all know, any organization that has been around for any period of time has likely experienced fraud, but may not know about it if it was never detected or is still on-going. Just as likely is that perpetrators (both internal and external) determined to commit fraud will find ways to circumvent existing anti-fraud controls. The more complacent the operation, the easier it is to bypass the controls. That is why it is critical to continue to evaluate, update and create new anti-fraud controls.
A managerial commitment to fraud prevention, organization specific controls, continuous training and retraining and fighting complacency: these are the critical elements to an effective fraud prevention and control program.
Bates Group offers consulting services to support effective fraud control efforts. If you are concerned that your financial institution may need assistance in any of the areas mentioned, or if you have questions about other services we offer, please visit Bates Group Financial Crimes practice online.