Managing fraud risk can be best demonstrated in graphic form as the four-part fraud deterrence cycle:
Prevention is first prize, but if you cannot prevent the fraud then you should detect it as quickly as possible. Research has shown, however, that most frauds are detected (usually by accident) only after two or three years.
Then, once you have detected the fraud, it is crucial to investigate to establish the “five whiskies and a hotel”: who, what, why, where, when and how. Once you have figured out how much was stolen and by whom, the investigation report should point out the control weaknesses. This is the correction phase, where you plug the gaps that allowed the fraud to happen so easily.
Prevention and detection are known as ‘Left of Fraud’ as you have an opportunity to prevent and/or detect before, during or after the fraud happens.
Investigation and Correction are known as ‘Right of Fraud’ because you have already become a victim and now need to investigate, try to recover the lost monies and prosecute.
In terms of situational fraudsters, they are driven by the three elements of the fraud triangle, namely pressure, opportunity and rationalisation. When these three elements come together in a person, they are sufficiently motivated to cross the line from left to right of fraud and commit the crime. Keep in mind that these elements are inversely related, meaning that the more there is of the one, the less the person needs of the other element.
This brings us to the three ‘C’ elements of a fraud: the person commits the crime, conceals the evidence and converts the proceeds, usually by buying expensive items.
Left of Fraud:
Left of fraud consists of these ten best practices that work together to prevent and detect fraud.
Fraud prevention and detection should be looked at holistically and, based on the ACFE’s fraud prevention check-up, is presented here as sequential building blocks making up the program:
They are color-coded so you can see how they tie into the COSO Internal Control framework.
Here we explain each one briefly:
Fraud Risk Assessment – Management should assess the vulnerability of the organisation to fraudulent activity at least every 12-18 months by probability of occurrence, severity of impact and pervasiveness of the fraud risk. This could be achieved by a walk-through, interviews, surveys or a combination thereof.
Data Analytics – An organisation that decides to analyse its data for red flags of fraud must first decide whether to keep this function in-house or to outsource it. In-house means hiring data analysts and buying the various tools; each tool is expensive and staff turnover in this field is very high, so outsourcing often proves the more cost-efficient alternative. The next question to answer is how often to look for these red flags. There are basically three options: Ad Hoc, Automated or Continuous Monitoring.
Controls – After the fraud risk assessment and/or data analysis results have been perused, management should determine whether there are controls in place to mitigate the identified fraud risks. Where controls are weak, management should design and implement additional antifraud controls or reengineer the process to specifically address the identified fraud risks.
“If you were to ask a group of typical accountants what deters fraud, they would respond in unison: ‘Internal control!’ Using this logic, companies with adequate controls would not have fraud. But they do, time & again”. – Joe Wells, founder of the Association of Certified Fraud Examiners.
Keep in mind that controls only provide reasonable assurance: companies with adequate controls still suffer fraud, because those sufficiently motivated can find a way, and controls are easily overridden by management or defeated where there is collusion. Controls are important, but not the whole answer. Hence all nine building blocks need to be implemented; otherwise you could be left with a false sense of security.
Hiring – The best indicator of future performance is past performance, so it is crucial to conduct background checks on new employees and existing employees being promoted to positions of trust. Professional background checks can uncover criminal convictions, credit history problems, and questions about education, prior employment issues and integrity concerns. This goes for all grades – executives should not be immune from background checks!
Policy – The aim of a corporate fraud policy is to demonstrate to all stakeholders that the company is taking the threat of fraud and dishonesty seriously. By issuing detailed policies (such as a Fraud policy, Whistle-blowing policy, Reward policy, Fraud response plan, Code of conduct, etc.), the company clearly sets out what is considered to be dishonest, warns any potential wrongdoers that the consequences of being caught will be serious and explains each process.
Fraud Hotline – Many frauds are known or suspected by both insiders and outsiders. The challenge for management is to convince these ‘innocent’ people that ‘speaking out’ is their responsibility and is very much in their own interest. For various reasons some organisations’ hotlines do not work; that is, people stop using them or they receive only prank calls.
Code of Ethics – The code of ethics is a critical cornerstone. The success or failure of a fraud prevention plan depends primarily on the culture of the organisation, and a sustainable Ethics Management Program will ensure that ethics stays top-of-mind within the company. Merely having a code of ethics is not sufficient, so cutting-edge companies are designing and implementing training around the code, bringing what is often a dormant document to life.
Accountability – Dishonest employees may not commit a fraud if they know the organization has an oversight and confirmation process and that they will not have an excuse if they are caught. Establishing accountability and responsibility for specific fraud risks is necessary to encourage a culture of fraud risk awareness throughout the organisation.
Training & Awareness – This is the other critical cornerstone: linking fraud awareness training to the code of ethics sends a strong message and reinforces what the company considers appropriate behaviour. Training needs to happen annually, not only when new employees join the company, and it must target existing employees as well as newcomers. The training should also cover the whistle-blowing system and how it works, the various policies, and roles and responsibilities. The training should be ‘edutaining’, meaning it should both inform and entertain, as this is the best way for people to learn and retain what they have learnt.
Tone at the Top – All the effort in terms of time and cost that is put into the above nine building blocks will be wasted if the tone at the top is rotten. The bottom line is that the executives need to be seen doing the right things. One of our clients said that their executives have ‘foot and mouth disease’. I asked him what he meant and he said, “our execs tell us to do the right things, but when we watch them they are mostly doing the exact opposite”! Keep in mind that the tone at the top is not just the top executives; it relates to any person in a position of authority within the organisation.
Right of Fraud:
Exactech provides an end-to-end fraud risk management service, from prevention and detection services through to forensic investigations and advice on correcting the root cause, to ensure that our clients don’t have any ‘weak links’ in their businesses.
The right of fraud side of the fraud deterrence lifecycle includes forensic imaging of servers, tablets and other storage media, plus forensic analytics and reporting, and eDiscovery.