Time and again I hear “there is no fraud here…we have great controls and an excellent culture…”
If you are reading this and believe the above then you have “Perfect Place Syndrome” and should immediately call me to be thoroughly diagnosed and treated.
At some point it appears there was a human behavior theory that was possibly applied to fraud risk management and the 10-80-10 Rule to Ethics was born.
This theory is based on the assumption that 10 percent of the people are ethical all of the time, 80 percent could behave unethically depending on the situation or the pressure(s) being applied, and 10 percent have no or a severely broken moral compass and will pounce on opportunities to commit fraud.
So Where Should We Focus?
Revisit your fraud risk management program, starting with an assessment of your organizational culture and code of conduct.
For those 10 percent of potential employees who have no or a severely broken moral compass: don’t let them in! Conduct proper due diligence and pre-hiring procedures before extending offers of employment, and don’t be pressured into taking shortcuts during the hiring process.
To help keep the 80 percent of employees from misappropriating assets, engaging in corruption, or committing financial statement fraud, make sure you have a strong control environment (tone-from-the-top/in-the-middle that resonates) and properly designed internal controls.
A strong tone and timely conduct by leadership demonstrate a lack of tolerance for unethical behavior. Employees who perceive a tolerance for fraud or misconduct are more inclined to participate in such behavior if the perceived level of consequences is low.
Controls, such as segregation of duties and approvals before a vendor is approved, a contract is generated or changed, a transaction is executed, or a change is made to anything that was once vetted and approved, can be used to prevent or deter the 80 percent of employees who could commit fraud given the situation.
Detective controls, such as timely account reconciliations and properly designed data analytics, help identify “red flags” or instances of fraud after it occurs.
Basic Check Up
Does your organization have a strong internal control environment?
The following controls would be indicators that you might, but I would recommend an independent review by outside professionals at least bi-annually, or sooner if there have been significant changes.
Monitoring of expenses and purchases. The company has a process to monitor and approve expenses and at least two levels of approval for certain expenses or purchases over a set threshold.
Limited access to cash, inventory, and financial systems. Restricting access to cash, inventory, and accounting systems can prevent theft, bribery, and financial statement manipulation.
Purchases have an audit trail. From proposal to procurement to final payment, the accounting system should be capable of identifying pertinent information such as who requested the services along with the business purposes, the purchase amounts, approval of the purchase, and who authorized payment. Similar controls should be in place for the sales or quote to cash process.
Ability to compare budgeted amounts to actual amounts spent. Budgetary control is a useful tool to detect purchasing schemes. Misconduct is often detected when meaningful reviews of budgets to actual spending are done on a timely and regular basis, and anomalies are investigated accordingly.
Analytical review of sales and expenses. Fraud indicators may become apparent after a review of detailed data extracts. Periodically, the company should review sales and expenses to ensure they are appropriate.
It is extremely difficult to stop the unethical 10 percent of employees from perpetrating fraud, but developing and implementing effective anti-fraud programs and controls will help deter or detect instances of fraud and/or misconduct earlier in order to minimize the loss of assets, impact to reputation and legal liabilities associated with these matters.
The following techniques are useful for proving instances of fraud:
Calculation of statistical parameters. Identify outliers that could indicate fraud. For example, research the highest and lowest values, or expenses that are higher than the average expense.
Classification. Find patterns amongst data elements, and research outliers to the pattern.
Stratification of numbers. Identify unusual entries, such as those that are excessively high and/or low.
Digital analysis using Benford’s Law. Identify unexpected occurrences of digits in naturally occurring data sets.
Joining diverse data sources. Identify matching values such as names, addresses, and account numbers, where they shouldn’t exist. For example, matching employee listings to vendors, when a conflict of interest is not known.
Duplicate testing. Identify duplicate transactions such as transactions with duplicate invoice amounts, check payment amounts, or claim numbers.
Gap testing. Identify missing values in sequential data where there should be none, such as check numbers or purchase orders.
Validating entry dates. Identify transactions posted to the general ledger during suspicious times, such as when a user was absent from work, on the weekend/holiday, or by people who should not have access to the accounting system.
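Several of the tests listed above, run over a small ledger, as an added example that is not part of the original post. All data is constructed, the function names are hypothetical, and two choices are assumptions added here: a chi-square threshold for the Benford test and a shared bank account number as the key for joining employees to vendors.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample data: (check no., vendor, invoice, amount, posting date).
LEDGER = [
    (1001, "Acme Supply", "INV-17", 1250.00, date(2024, 3, 4)),
    (1002, "Birch Logistics", "INV-88", 310.40, date(2024, 3, 5)),
    (1003, "Acme Supply", "INV-17", 1250.00, date(2024, 3, 6)),
    (1005, "Cedar Consulting", "INV-03", 9800.00, date(2024, 3, 9)),
    (1006, "Dune Office", "INV-41", 187.25, date(2024, 3, 11)),
]
# Constructed vendor master and employee list, keyed by bank account number.
VENDOR_ACCOUNTS = {"Acme Supply": "111-222", "Cedar Consulting": "555-010"}
EMPLOYEE_ACCOUNTS = {"J. Doe": "555-010", "R. Roe": "777-333"}
CHI2_CRITICAL = 15.51  # assumed cut-off: chi-square, 8 degrees of freedom, 5%

def duplicate_payments(rows):
    """Duplicate testing: same vendor, invoice and amount paid more than once."""
    seen = Counter(r[1:4] for r in rows)
    return [r[0] for r in rows if seen[r[1:4]] > 1]

def missing_checks(rows):
    """Gap testing: check numbers absent from an otherwise sequential run."""
    nums = {r[0] for r in rows}
    return sorted(set(range(min(nums), max(nums) + 1)) - nums)

def weekend_postings(rows):
    """Validating entry dates: postings made on Saturday or Sunday."""
    return [r[0] for r in rows if r[4].weekday() >= 5]

def employee_vendor_matches(vendors, employees):
    """Joining sources: vendors sharing a bank account with an employee."""
    by_account = {acct: name for name, acct in employees.items()}
    return {v: by_account[a] for v, a in vendors.items() if a in by_account}

def benford_chi2(amounts):
    """Benford's Law: chi-square distance of leading digits from log10(1 + 1/d)."""
    digits = Counter(int(f"{abs(a):.15e}"[0]) for a in amounts if a)
    n = sum(digits.values())
    expected = {d: n * math.log10(1 + 1 / d) for d in range(1, 10)}
    return sum((digits[d] - expected[d]) ** 2 / expected[d] for d in range(1, 10))

if __name__ == "__main__":
    print(duplicate_payments(LEDGER), missing_checks(LEDGER), weekend_postings(LEDGER))
    print(employee_vendor_matches(VENDOR_ACCOUNTS, EMPLOYEE_ACCOUNTS))
    print(benford_chi2([9000 + i for i in range(100)]) > CHI2_CRITICAL)  # constructed amounts
```

A hit from any of these tests is a red flag to research, not a finding; the Benford statistic in particular is only meaningful on large, naturally occurring populations of amounts.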
No organization is immune from fraud or misconduct. Each year companies lose millions of dollars as a result of fraud perpetrated by employees. A comprehensive fraud risk assessment or fraud check-up is a good investment for those companies working to mitigate fraud risk and protect organizational assets.
Don’t deal with alleged ethics violations or fraud by turning a blind eye!
I welcome your comments and suggestions.
Jonathan T. Marks
Special thanks to my great friend Paul Zikmund for his contributions!