Human Capital Risk Series: Fraud in the Workplace
In the 2016 update to the invaluable Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) analyzed 2,410 cases of occupational fraud that cost more than $6.3 billion in losses. Extrapolate this to the total number of organizations at risk and you can understand why ACFE has found in report after report that about 5% of top line revenue is lost to fraud every year, worldwide (download the ACFE The Staggering Cost of Fraud PDF).
Unlike the human capital risks of complacency or turnover, occupational fraud is an intentional act to steal from the organization. It involves a conscious attempt by someone within or linked to the organization to seek “personal enrichment through the deliberate misuse of misapplication of the employing organization’s resources or assets” (ACFE).
Needless to say, fraudsters have every incentive to remain hidden, so a well-executed fraud can go on for years. The intentional, hidden nature of fraud puts the emphasis in risk management on identifying potential fraudsters (preferably before you hire them) and limiting and monitoring the opportunities for fraud.
Finding the Fraudsters
Most of the time, you will find out who is a fraudster in your organization when you catch them in the act. Fraud is usually detected because a procedural control or audit reveals losses or inconsistencies in financial data, but this can be long after the fraud is instigated. Organizations with robust controls in place—routine monitoring through audits or other tools, employee hotlines, segregation of duties, and so forth—tend to have much smaller losses when fraud does occur than organizations without controls (more on controls below).
Of course, not hiring fraudsters in the first place is the most cost-effective form of fraud prevention. The background screening used in the hiring process can sometimes identify the red flags that raise the risk of fraud. People with histories of criminal financial activity are easy to exclude, but other personal circumstances such as extreme personal financial stress would justify a deeper look at the applicant. Character matters, and the results of background verification of employment, education, and performance claims help to substantiate the good risks.
In general, every organization has a “culture of control” that can help prevent fraud or not. Some elements of the culture might be aimed at detecting fraud, such as an employee hotline that can be trusted, and others might aim to improve prevention through training and employee support activities. The culture of control has to be a conscious strategy that includes every level of the organization, and exposes every person at all levels to the same standards.
The Role of Controls
Background checks cannot be 100% effective because people at all levels of an organization commit frauds, and some of them are long-time employees or managers. Individuals’ motivations and circumstances change over time, so a trusted person might succumb to a tempting opportunity. Regular employee reviews or screenings are recommended, especially if an employee is promoted or moved to a position of higher authority.
The essential point about controls is that they provide your strongest defense against opportunistic fraud. They should remove or mitigate any vulnerability that can be exploited by the potential fraudster.
Controls should be designed specifically for the organization’s risk profile even though there are standard approaches to many risks. This requires a thorough risk assessment that includes testing internal procedures and responsibilities, as well as linkages to external vendors or partners, for exposure to fraud. Operations at vulnerable points are where controls should be implemented and monitored.
Organizations’ that nurture both lines of defense against fraud—maintaining a healthy culture of control and implementing robust controls—will suffer fewer losses. Fraud may not be totally eliminated, but its costs can be reduced through systematic effort.