Fraud Week 2020: Cyberfraud and COVID-19

By Lowers & Associates

Think You’re Not at Risk? Think Again.

Our special 5-part Fraud Week Coffee Break Series continues today where we invite you to spend 10 minutes each day learning about various aspects of fraud detection and prevention through the eyes of our Certified Fraud Examiners and other fraud experts.

For this episode, we interviewed Steven Schwartz, Chief Revenue Officer for Periculus and a recognized innovation leader in the fields of risk management and cybersecurity. Periculus is a digital risk company specializing in helping small businesses measure, understand, and protect against digital risks so they can pursue growth. Before launching Periculus, Schwartz led strategy and insurance at Cytegic, one of the industry’s leading cyber risk quantification platforms, playing a vital role in the company’s successful acquisition by MasterCard in June 2020.

In its September 2020 Fraud in the Wake of COVID-19 Benchmarking Report, the Association of Certified Fraud Examiners (ACFE) reported, “Cyberfraud (e.g., business email compromise, hacking, ransomware, and malware) continues to be the most heightened risk for organizations, with 83% of respondents already observing an increase in these schemes and 90% anticipating a further increase over the next year.”

Many experts believe that organizations were simply unprepared from a cyber perspective for the pandemic and its resulting shift to a remote work environment where employees are now operating outside the usual infrastructure and oversight of their organizations.

As Schwartz explains, “We’re in an interesting time right now, where we’ve never been so polarized, yet so connected. With the increase in digital connectivity comes an exponential increase in the vulnerabilities and threats. The doors are open for attackers to exploit.”

Grab a cup of coffee and spend 7 minutes listening to Schwartz’s view on cyberfraud during COVID-19 and how organizations can better protect themselves moving forward.

How Can Organizations Better Protect Against Cyberfraud?

As with any type of risk an organization faces, it starts with an assessment to develop a true understanding of the risks you face and how those risks might impact your organization. From that place of understanding, you can make decisions about how to effectively mitigate or transfer those risks.

Schwartz explains it this way: “If you just tell me my risk is a 3 out of 5 and that’s all you tell me, I have no idea what that means to my business. But if you tell me I’m a 3 out of 5 with a financial impact of 2 million dollars, it becomes contextualized. And if we take that a step further and we’re able to demonstrate the controls you should invest in because they’re going to have the greatest impact in reducing your risk and financial impact and this is how much you should consider transferring via insurance, we can start to make sense of it all.”

We hope you enjoyed this Coffee Break episode. Come back tomorrow to hear from Neil Watson and lessons learned from real-life stories of fraud.

The Element of Surprise: How to Cut Fraud Detection Time in Half

By Lowers & Associates

When it comes to occupational fraud, the total loss an organization suffers is correlated with the length of time from when the fraud begins to the time it is detected. This is true for all types and circumstances of fraud even though some types lead to greater total losses, e.g., petty larceny vs. financial statement fraud. The Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations finds that frauds that are not detected in 60 months are 20 times as costly as those detected within the first six months.

Therefore, there is substantial value in any policy or procedure that reduces detection time. Overall, the most common form of detection is tips, especially when a safe and easily accessed hotline is provided. Other common forms of active detection are internal controls and routine internal and external audits.

Surprise Audits are Surprisingly Effective

Where external audits reduce fraud losses by less than a third, unannounced audits were found to reduce median loss and duration by 51%. When unannounced audits were in effect, median losses dropped from $152k per fraud case to $75k. What’s more, the use of unannounced audits was shown to cut the average detection time in half for fraud cases in the ACFE 2018 study. However, while superior in terms of effectiveness, unannounced audits are much less commonly used than external audits. Only 37% of the companies surveyed in the 2018 ACFE report, ‘Report to the Nations,’ used unannounced audits to detect fraud.

An unannounced audit would typically be performed by an external third party, but it doesn’t have to be. The key thing is that it must truly be unanticipated by employees or contractors who have access to assets to prevent them from taking steps to conceal fraudulent activity. An unannounced audit might employ a different and unusual approach compared to routine internal audits as an added precaution to thwart the fraudsters’ defensive tactics. Intuitively, an unannounced audit can disrupt fraud more effectively than an audit that is expected.

Perhaps the most important benefit of an unannounced audit is its capacity to detect frauds earlier, thereby reducing total losses. Obviously, these audits have to be performed often enough to disrupt fraudulent activity, but their value justifies the expense of more frequent application.

A secondary, less often recognized benefit of an audit being unannounced is that it provides a test of the routine controls in place to detect fraud. It is exactly where internal controls are weak that some of the most expensive frauds can occur.  The longer-term benefit of being unannounced includes strengthening the routine controls that operate every day.

Unannounced audits can be used in many circumstances. Auditing cash on hand is one of the most important applications, which can cover activities ranging from skimming petty cash to concealing large cash thefts from CIT carriers. Numerous accounting functions like accounts payable and payroll, as well as routines like inventory are vulnerable to frauds that can be detected by unannounced audits.

Like any other audit, unannounced audits have to be planned. The planning will involve identifying the risk points in the system being evaluated and understanding the design of existing internal controls. These factors will be used to create an audit approach leading to reporting and policy revisions as needed.

Sometimes an unannounced audit is the best way to reveal the truth about operations. The clear light of observation is the last thing a fraudster wants to see.

Calculating the Payoff of Proactive Fraud Detection

By Lowers & Associates

According to a 2018 report from the Association of Certified Fraud Examiners (ACFE), organizations lose 5% of their annual revenues to fraud. While you know your organization is not immune to fraud, it can be easy to assume that sooner or later, the fraudsters inside your organization will be caught. Surely, the controls you have in place and the managers and employees you trust are keen enough to detect and report unusual behaviors. So, why not let the truth reveal itself?

Should you do more to detect fraud?

While it’s true that most fraud (40%) is caught by tips from employees, customers, or vendors associated with the victim organization, relying on those tips is neither the most proactive nor the most effective way to detect fraud. In other words, just because tips are common, doesn’t mean they are the best source of detection.

Proactive fraud detection measures are shown to minimize the losses and damages caused by occupational fraud. The stark difference between proactive and passive detection methods comes to light when median losses and median months to detection are compared. Let’s take a strictly passive fraud detection method: confession. In cases where confession is the primary source of detection, it usually takes 24 months and costs the organization $186,000 in losses before the fraud comes to light. By comparison, with proactive measures such as account reconciliation, the fraud is detected more quickly and affects the organization far less. On average, account reconciliation detects fraud within 11 months of its onset and halves the cost of fraud to the organization compared with relying on tips.

The outliers here are detection methods that are neither strictly active nor strictly passive. These include tips and external audits, and how they are categorized depends on the circumstance. According to the 2018 ACFE report, such methods were less effective than truly active ones, but more effective than explicitly passive ones. For example, where fraud is detected through a tip, the case has generally already gone on for an average of 18 months with a median loss of $126K.

Being proactive is key to minimizing the losses and damages caused by occupational fraud.

The 2018 ACFE Report cites six proactive detection methods:

  • IT Controls
  • Surveillance/Monitoring
  • Account Reconciliation
  • Internal Audit
  • Management Review
  • Document Examination

The contrast between active and passive detection methods is very clear. When median months to detection are plotted against total losses, all six proactive detection methods outperformed the passive detection methods in terms of both the time it took to detect the fraud and the total amount lost in the case.

The point is clear: by choosing to proactively go after fraud, you put yourself in a better position to catch offenses early. This could be achieved by putting in place one of the six active detection methods. These proactive measures can be combined with other detection tools, such as hotlines. Hotlines and other reporting mechanisms were associated with a 50% reduction in losses for companies that have them, compared to companies without.

Does your organization take proactive measures to reduce the risk of occupational fraud? Discover ways to protect your company from the inside out.

Collusion: Teamwork at its Worst

By Lowers & Associates

Teamwork is usually a good thing. Many organizations work hard to increase its effectiveness because well-coordinated activity can boost productivity and improve outcomes. Unfortunately, multiple people colluding to commit occupational fraud and abuse has the same kind of effect as good teamwork: it increases the impact of the crime.

Greater Collusion = Greater Loss

The Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse shows that the greater the number of people colluding in a fraud, the greater the loss. The median loss for a lone fraudster was $85,000, while the loss where 5 or more colluded was $833,000.

It’s important to note that about 48% of the cases covered by the 2016 report involve collusion between two or more people. However, fraud by collusion was detected in about 18 months as compared to 16 months for the lone fraudster, so the duration of the fraud was not the prime source of the higher cost of collusion. In any event, the frequency and higher cost of collusion means that this form of fraud is a serious threat.

Working Together to Defeat Controls

Collusion may enable fraudsters to defeat controls based on separation of duties, independent verification procedures, or other procedural methods intended to reduce fraud or failure. Certainly, employees are expert in the application of controls where they work every day. When two or more of them coordinate activity meant to defraud the organization, they can defeat the controls at least for a time.

How to Detect Collusion

Detection of clever collusion schemes may be improved by setting up automated tracking or standardized analytical systems that flag unusual behaviors. For example, numerous transactions on a dormant or very low volume account, or transaction amounts outside normal limits, may indicate fraud. The system might flag changes in employee behavior, such as failure to take a vacation for a lengthy period of time or a significant change in working hours. The system might be designed to create norms for behavior in a given type of job and compare each person in that role to the norm. Behavioral outliers could then be scrutinized more closely.
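The flags described above (activity on a dormant account, amounts outside the norm for a role, no vacation for a lengthy period) can be sketched as follows. This is an added example, not code from the article or the ACFE report; the thresholds, field names and sample records are constructed assumptions, and each transaction amount is compared with the median of all amounts posted by employees in the same role.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed thresholds (illustrative only, not from the article or the ACFE report).
DORMANT_DAYS = 180     # account counts as dormant after this many idle days
NO_LEAVE_DAYS = 365    # flag employees with no vacation for this long
ROBUST_Z_LIMIT = 3.5   # cut-off for the modified z-score against the role norm

def robust_z(value, peers):
    """Modified z-score of value against peers, using median and MAD."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:  # all peers identical: any different value is an outlier
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def flag_transactions(txns, last_activity, last_leave, roles):
    """Return {txn_id: [reasons]} for transactions that warrant review."""
    by_role = defaultdict(list)  # role norm: all amounts posted in that role
    for t in txns:
        by_role[roles[t["employee"]]].append(t["amount"])
    flags = defaultdict(list)
    for t in txns:
        prev = last_activity.get(t["account"])  # last activity before this batch
        if prev is not None and (t["date"] - prev).days > DORMANT_DAYS:
            flags[t["id"]].append("dormant-account activity")
        z = robust_z(t["amount"], by_role[roles[t["employee"]]])
        if abs(z) > ROBUST_Z_LIMIT:
            flags[t["id"]].append("amount outside role norm")
        if (t["date"] - last_leave[t["employee"]]).days > NO_LEAVE_DAYS:
            flags[t["id"]].append("no vacation in over a year")
    return dict(flags)

# Constructed sample data (hypothetical employees and vendor accounts).
ROLES = {"ann": "ap_clerk", "bob": "ap_clerk", "cy": "ap_clerk"}
LAST_LEAVE = {"ann": date(2020, 7, 1), "bob": date(2018, 12, 1), "cy": date(2020, 5, 1)}
LAST_ACTIVITY = {"V-100": date(2020, 9, 30), "V-200": date(2019, 1, 15)}
TXNS = [dict(zip(("id", "employee", "account", "amount", "date"), row)) for row in [
    (1, "ann", "V-100", 1200, date(2020, 10, 5)),
    (2, "bob", "V-200", 9800, date(2020, 10, 6)),
    (3, "bob", "V-200", 1150, date(2020, 10, 7)),
    (4, "cy", "V-100", 1300, date(2020, 10, 8)),
    (5, "ann", "V-100", 1250, date(2020, 10, 9)),
    (6, "cy", "V-100", 1100, date(2020, 10, 12)),
]]

if __name__ == "__main__":
    print(flag_transactions(TXNS, LAST_ACTIVITY, LAST_LEAVE, ROLES))
```

A flag here is a prompt for closer scrutiny, not a finding: one transaction tripping several rules at once is the kind of outlier the paragraph suggests examining first.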

Prevention is the Best Medicine

Of course, prevention is better than detection because detection means that fraudulent losses have already occurred. Potential fraudsters may leave a trail based on internal searches, such as searches for accounts whose inactivity means that they would not be regularly monitored, helping them to escape detection.

More straightforwardly, a well-designed hiring process with effective background checks, plus regular training in fraud prevention, can help to create a workplace culture where fraud is not tolerated. Multiplying the number of people who would report suspicious behavior is probably the most effective means of fraud prevention, including collusion to commit fraud.

5 Principles of Effective Fraud Risk Management

By Lowers & Associates

As part of the annual fraud awareness week, we wanted to bring you a quick summary of the principles of fraud risk management. These points are based on an extensive review titled Managing the Business Risk of Fraud: A Practical Guide.

As the Practical Guide emphasizes, “An organization should strive for a structured as opposed to a haphazard approach.” The Guide is a good place to start developing a fraud prevention and detection program as part of your overall risk management efforts (or structuring a review of an existing program). But as always, diving into the details of organizing and implementing a program like this requires significant effort. Skipping steps or making assumptions about risks and mitigation practices without systematic assessment will often lead to gaps or weaknesses in the plan.