How to Foil the Fraudster in Your Organization
Most managers, and in fact employees at all levels, assume their co-workers are honest and working to do their best for the organization. Unless they are the one who is perpetrating a fraud.
Unfortunately, occupational fraud is a lot more common than most people think. The Association of Certified Fraud Examiners (ACFE) has published a series of reports based on fraud examiners’ actual cases that document the pervasiveness of these hidden crimes. The 2014 edition of the Report to the Nations on Occupational Fraud and Abuse confirms that fraudsters steal 5% of top line revenue every year, which amounts to over $650 billion per year in the U.S. alone, and an astonishing $3.7 trillion worldwide.
The ACFE defines occupational fraud as, “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” The frauds are categorized as corruption (such as extortion or bribes), asset misappropriation (theft or check tampering, for example), and financial statement fraud (under or over statement of assets or revenues).
Asset misappropriation is by far the most common kind of fraud, occurring in 85% of the cases studied, but it also has the smallest median loss of $130,000. Corruption losses are intermediate at $200,000, while the median loss to financial statement fraud was a million dollars. Although financial statement frauds accounted for less than 10% of the cases, they obviously resulted in a very disproportionate share of the losses.
Strategies to Thwart Occupational Fraud
The vast amount of money siphoned off by these crimes is a strong incentive for managers to find ways to prevent or detect occupational fraud. Unfortunately, the fraudsters have an equally strong incentive to remain undetected, and they choose clever ways to hide their actions. The longer the crime goes undetected, the more costly it is.
Organizations have two main avenues of defense. One is to focus on the people in the organization to try to avoid hiring employees who might commit frauds or to find who is actively engaged in a fraud (which is detecting the crime). The second is to prevent fraud by analyzing the organization’s structures and functions to identify where weaknesses might create a risk of fraud (opportunities for the fraudster).
Finding the Fraudster
The 2014 ACFE report includes information about who the perpetrators of these crimes tend to be. Managers can use this information to know where to target fraud prevention or detection tactics, and also to determine the organization’s tolerance for risk at specific points in the hierarchy.
People at every rung of the organizational ladder perpetrate frauds, but there are important differences between ordinary employees, managers, and owners/executives. Employees committed 42% of reported frauds, compared with 36% for managers, and about 19% for owners/executives. The median value of the losses increased the higher the person was in the organization, from $75,000 for employees to $130,000 for managers to $500,000 for owners or executives. Owners and executives’ crimes were harder to detect, too, with 24 months elapsing from the onset of the fraud to its detection.
An obvious implication of these findings is that the higher you go in an organization, the greater your access to assets and the more you are able to deflect controls and efforts to investigate. It is imperative to have sound controls in place at all levels, but it is especially critical to avoid giving higher-level employees the ability to execute both ends of any kind of transaction or to unilaterally deflect a financial control.
Numbers of perpetrators:
An added challenge to controls occurs when two or more perpetrators collaborate to defeat them. Median losses mount rapidly from a median of $80,000 for a single perpetrator to $550,000 where five or more are working together. Frauds committed by teams of two or more were much more likely to involve corruption or non-cash frauds because those crimes require cooperation. Audits need to be comprehensive and routine to prevent collaborators from helping each other cover their tracks.
Losses tend to be higher the older the fraudster, which correlates with the fact that older people are likely to be higher in the organization. Similarly, frauds committed by men are more likely to involve the relatively more costly crimes of corruption or financial statement fraud. Both of these findings are consistent with the fact that men are more highly represented in higher positions.
By far the highest proportion of frauds were committed by people with 1 to 5 years tenure (few frauds were committed in the first year), but the median loss increased the longer a person had been in the organization. New hires will have been screened, so that the number of employees with a relevant criminal history should be small.
The highest proportion of frauds occur where people have access to assets: accounting, operations, sales, and among executives/upper management. Organizations will obviously want to ensure that these areas are carefully organized to remove opportunities for fraud to occur.
Managing the Risks of Fraud
The second strategy aims to reduce the opportunities for occupational fraud as part of a risk management plan. This plan needs to identify the potential risks, evaluate the possible costs of each risk, and then design a cost-effective control to mitigate that risk. It is impossible to eliminate all risk, and costly to try. But by taking five steps, an organization can reduce its exposure to occupational fraud.
Make someone responsible for fraud prevention.
A member of upper management must own the fraud prevention plan. Performance of this task and its outcomes have to be reviewed just like every other management function.
Analyze the organization to identify the fraud weak points.
Unknown risks cannot be mitigated. The fraud manager has to review operations in detail to determine which organizational structures or operations might pose vulnerabilities to fraud. This analysis should include external or third parties that have access to assets.
Determine which risks must be mitigated, and which can be tolerated.
The possible losses to fraud will vary across weak points. If a control to contain that fraud costs more than the fraud itself, it may be a risk worth tolerating. After all, the reason investments have yields is because there is a possibility of loss.
Which risks can be mitigated with risk sharing?
The most common kind of risk sharing is through insurance, but you may also be able to share financial exposure with a vendor or other partner.
Determine how to manage risks in the core functions.
At the end of the day, there will be some operations that are essential to the identity and purpose of the organization. There will be occupational fraud risks in these core functions, but they must be contained with well-designed controls and persistent reviews.
Taken together, these strategies give management tools to help prevent and detect occupational fraud. Neither of these can guarantee perfect protection against fraud, but independently or together they can help to reduce an organization’s exposure.