“Fraud is not an accounting problem; it is a social phenomenon.” Joe Wells
Who Commits Fraud
The cultural and environmental characteristics that increase fraud risk are not always so blatant. Research shows that anyone can commit fraud. Fraud perpetrators usually can’t be distinguished from other people on the basis of demographic or psychological characteristics. According to Jonathan T. Marks (“Marks”), a partner at Baker Tilly, practicing in the global forensic investigation and governance space, “most fraudsters have profiles that look like those of other honest people; however, fraudsters play you against humanity and build a false wall of integrity around themselves with the hope that your level of skepticism is reduced enough to be manipulated and fooled.”
Among the various kinds of fraud that organizations might be faced with, occupational fraud is likely the largest and most prevalent threat today, with bribery and corruption enforcement actions that allege violations of the Foreign Corrupt Practices Act (“FCPA”) causing organizations of all types and sizes to rethink their approach to governance, risk management, compliance, internal audit, and the design of their internal controls. The regulators have sent a clear message that simply maintaining a compliance program is not enough. Compliance programs and internal controls must be adequate and effective at preventing and detecting fraud. Moreover, recent enforcement actions highlight the importance to organizations that internal controls must be continuously monitored to ensure they are effective. Although there is little case law, these enforcement actions have become non-binding guidance in cases that do not involve FCPA violations.
Although most companies will not readily admit that their organizations may be vulnerable to fraud, according to the 2018 Report to the Nations published by the Association of Certified Fraud Examiners (“ACFE”), which contains an analysis of 2,690 cases of occupational fraud that were investigated between January 2016 and October 2017, organizations lose 5% of their annual revenues to fraud. While this number is only a general estimate based on the opinion, it represents the collective observations of more than 2,000 anti-fraud experts who together have investigated hundreds of thousands of fraud cases. Based on the ACFE’s study, the median loss caused by frauds was $130,000, with 22.0% of the cases resulting in losses of at least $1 million.
Because fraud inherently involves deception, deflection, distraction, and concealment, many frauds will never be detected. Therefore, organizations are encouraged to implement certain anti-fraud internal controls, in order to help minimize the opportunities to commit fraud, or at least catch any fraudulent activity sooner.
In practice, it’s been our experience that most professionals don’t really understand the definition of an internal control. Marks recently developed a definition (see below) that has become what is believed to be today’s standard that should be reviewed along with the enemies of internal controls and other factors when designing an internal control. Marks emphasizes that internal controls are a process. They do something! When it comes to designing anti-fraud internal controls to detect and deter fraudulent activity, those individuals assigned to this task must have the necessary skills and experience.
A good system of internal controls, with the right balance of preventive, deterrent, and detective controls, can greatly reduce an organization’s vulnerability to fraud.
Preventive controls are those manual or automated processes designed to stop fraudulent activity from occurring. Deterrent controls are designed to proactively identify and remove the causal and enabling factors of fraud. Detective controls can also be manual or automated but are designed to identify an undesirable event that has already occurred. No system of internal controls can fully eliminate the risk of fraud, but well-designed and effective internal controls can deter the average fraudster by reducing the opportunity to commit the fraud and increasing the perception of detection.
While the Fraud Pentagon, which is an enhancement to the three elements of fraud, identifies the conditions under which fraud may occur, the Triangle of Fraud Action describes the activities an individual must perform to perpetrate the fraud. Thus, understanding the Enhanced Meta-Model of Fraud (Model) is imperative. The model includes two key elements: The Perpetrator, or the “why based” Fraud Pentagon and the alleged Crime or the “what based” Triangle of Fraud Action that includes the act, concealment strategy, and conversion tactics, should be part of the process when considering what internal controls to implement and how they should be designed.
Based on the ACFE’s study, occupational fraud schemes are typically classified into three categories:
- Asset misappropriation (theft of cash, data, property, etc.);
- Corruption (bribes, kickbacks bid-rigging, economic extortion, illegal gratuities, etc.); and
- Financial statement fraud schemes (deliberate misstatement, misrepresentation, omission of financial statement data, etc.).
When assessing an organization’s fraud risks and designing anti-fraud controls, it is important to remember that fraudsters typically seize whatever opportunity arises when committing their schemes. Thus, many frauds, including nearly one-third of the cases involve more than one form of occupational fraud. For example: Corruption represents one of the most significant fraud risks for many organizations today and would obviously involve corruption and because in most cases would need to be concealed, the books and records or financial statements could be impacted too. In fact, of the top eight concealment methods (create, alter, and destroy) noted, fraudulent journal entries made the list.
Historically, although theft of assets has produced the lowest average losses, these schemes have accounted for the vast majority of reported fraud activity. Within this category, there are various techniques which an employee may utilize to steal company assets and resources, including theft of cash receipts and fraudulent disbursements of cash such as through billing schemes, fictitious vendors, fraudulent expense reimbursements, or check tampering. Understanding and analyzing each of these categories is a critical first step in designing an effective control environment throughout the organization which may aid in preventing and detecting fraudulent activity.
Based on the ACFE’s study, victim organizations that had implemented certain common anti-fraud controls such as the following experienced considerably lower losses than organizations lacking these controls, and some reduced the fraud duration. Here are some anti-fraud controls to strongly consider:
- Conduct a Formal Enterprise-Wide Fraud Risk Assessment aimed at proactively identifying and addressing an organization’s vulnerabilities to both internal and external fraud. As every organization is different, the fraud risk assessment process is often more an art than a science. What gets evaluated and how it gets assessed should be tailored to the organization—there is no one-size-fits-all approach. Additionally, organizational fraud risks continually change. It is therefore important to think about a fraud risk assessment as an ongoing, continuous process rather than just an activity. A fraud risk assessment starts with an identification and prioritization of fraud risks that exist in the business. The process evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge. The fraud risk assessment should be reviewed periodically, but no less than annually and there should be a heightened focus on the scenarios where management could override of internal controls.
- Implementation of an independent Whistleblower or Ethics hotline and web portal whereby internal and external sources (see graphic below) may anonymously and confidentially report fraudulent, suspicious, or other behavior. Historically, the receipt of internal or external tips has represented the most common detection method for each of the three categories of fraud schemes listed herein. Proper and on-going training along with clearly articulated policies and procedures related to the hotline should be supported by management. Implementation of a whistleblower hotline, especially when accompanied with an anti-retaliation policy and/or reward program, will effectively improve an organization’s overall control environment through increasing the perception of detection. Lastly, a hotline is not enough. Organizations need to have a process that appropriately captures, triages, assesses, investigates, and reports potential misconduct.
- Segregation of duties involving the custody of assets, authorization of transactions affecting those assets and recording/reporting of related transactions. Segregation of duties is a basic building block of sustainable risk management and internal controls for an organization. The underlying theory of separation of duties is that a single employee should not be in a position to both perpetrate and then conceal errors or fraud in the normal course of their duties. For example, the Institute of Internal Auditors[ii] suggests there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities (authorization/recording) and those who handle the assets (custody). In general, the flow of internal processes should be designed in such a manner that one individual’s roles and responsibilities serve, in part, as a check and balance of another individual’s work. Such a system would serve to reduce the risk of undetected errors and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements.
- Timely reconciliation of bank accounts and management review of the reconciliations (bank reconciliations, petty cash, etc.) and bank statements. Bank reconciliations provide insight into the differences between an organization’s cash balance per the balance sheet and per the bank statement, while also proving the completeness and accuracy of the data recorded in the organization’s cash ledger. Depending on the size of the organization and the volume of cash transactions, bank reconciliations may be performed anywhere from a daily to monthly basis. Adequate segregation of duties should also be implemented in the bank reconciliation process, in that the cash bookkeeping, bank reconciliation, and check signer/wire authorization functions should be separated.
- Review and authorization of expense reimbursements by supervisors and management in a timely fashion. Some expense reimbursement schemes include: mischaracterized expenses, overstated expenses, fictitious expense, and multiple reimbursements and last for approximately twenty-four months before being detected. The ACFE’s study states that a significant portion of asset misappropriation schemes involve situations in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. Management should first ensure all policies and procedures, including those related to expense and travel reimbursements, are communicated to all employees, along with timely notifications of any relevant updates. Furthermore, expense reports submitted by employees, including any underlying support, such as credit card bills, receipts, telephone bills, etc., should be reviewed and signed-off by the employee’s immediate supervisor and the organization’s payroll department. Expense reports submitted by members of management should be reviewed by other members of management.
- Safeguarding and reconciliation of petty cash funds on a periodic basis by authorized employees. Although petty cash funds typically represent an insignificant amount of cash held by an organization, primarily used for small day-to-day expenses, petty cash improprieties may be a signal of broader issues regarding management’s approach to internal controls and the organization’s control environment. To help strengthen the processes surrounding petty cash, sequentially numbered vouchers should be kept as well as disbursement receipts with the disbursement date, amount, purpose, and employee name. Further, the petty cash custodian should maintain a reconciliation of the petty cash fund, reconciling total cash on hand plus outstanding receipts to the total petty cash maximum. Access to the petty cash fund should also be limited to a small number of employees, with the funds kept in a locked box. Lastly, to test compliance with organizational policies and further increase the perception of detection, management may order an independent audit of the petty cash fund on a periodic basis.
- Proactive Monitoring Using Data-Driven Fraud Detection and Technology, including robotic process automation, can be an effective way to identify “red flags” and other anomalies that were once difficult to detect. Today we are able to link together different legacy systems with minimal disruption and create dashboards that could provide management with the “visual guilt” necessary to investigate into the most promising indicators. According to the ACFE study, the use of proactive data monitoring and analysis and surprise audits was associated with a more than 50% reduction in fraud losses.
Today’s environment requires the board and management to maintain a proactive approach to identifying vulnerabilities unique to their organization and implement properly designed or sound internal controls to help prevent, deter, and detect fraudulent activities. Demonstrating a genuine interest and concern in the implementation of sound internal controls will aid management in minimizing future potential losses or worse reputational harm.
For more information on fraud, internal controls, risk assessments, investigations, or something other, kindly reach out to me directly.
Jonathan T. Marks, CPA, CFE