ACFE Large Windowed Office Meeting

Business as usual isn’t going to cut it in the fight against fraud. Organizations and external auditors must step up their game in preventing and detecting it.

Reducing risk

Organizational Fraud Continues to Rise: Here’s How We Can All Do Better

  • Dennis Maschke
  • 11/13/2018

The Association of Certified Fraud Examiners (ACFE) has released its biannual Report to the Nations on occupational fraud. The results were unsurprising and perhaps a bit discouraging. Fraud cases are on the rise, while perpetrators, red flags, median loss statistics, and detection methods have remained consistent over the last decade. The glaring question is: Are we really doing enough?

The 2018 report analyzes 2,690 fraud cases from 125 countries, amounting to over $7 billion in losses. Since the initial report published in 1996, the ACFE continues to see the same trends in occupational fraud:

  • It is indiscriminant, as it occurs in all industry groups and organizations of all sizes.
  • Men continue to be the predominant perpetrators of fraud, especially at the executive levels.
  • Approximately one-third of cases are never reported to the police.
  • It is still identified by the same detection methods.

Some improvement — but not quite enough

Over the past 10 years, occupational fraud has most frequently been detected by a tip. The next most common detection methods are management review or internal audits. One of the least likely methods of detection is an external audit, which happens to be one of the most commonly utilized anti-fraud controls.

Even the good news is slightly tainted. Organizations are doing more to add anti-fraud controls to prevent and detect occupational fraud. Hotlines have grown 12 percent over the past ten years. External audits, fraud training, anti-fraud polices, fraud risk assessments, and surprise audits have all risen as well. And yet, only half of the organizations analyzed have anti-fraud policies or fraud prevention training in place, even fewer have a formal fraud risk assessment process, and only 63 percent have a hotline.

Integrity and ethical behavior, or “tone at the top,” are integral parts of a strong control environment and drive the design, implementation, and monitoring of the various controls within an organization. The 2018 Report to the Nations makes it apparent the increased controls and policies lead to a reduction in fraud risk. Almost 80 percent of organizations have a code of conduct. Of the fraud cases studied, those with a code of conduct had around a 56 percent reduction in losses when fraud was identified. This clearly shows that organizations are hitting the mark in regards to a code of conduct. However, anti-fraud policies and fraud training often show a similar reduction in losses when implemented (47 percent and 39 percent, respectively).

Opportunities for stronger control environments

To strengthen the control environment in your organization, consider adding those two elements to your already existing code of conduct to mitigate fraud risk. Your organization should be able to definitively answer these questions in the affirmative:

  • Do your employees know who they can report suspicious behavior to?
  • Has there been training on the most significant red flags and where to report concerns?
  • Does your organization have a policy for those undergoing financial difficulties?
  • How does your organization promote and reward integrity and ethical behavior?

With a strong control environment in place, the next step you can turn to is your fraud risk assessment. The ACFE’s report details fraud trends along industry lines. For instance, in the banking and financial services sector, fraud is frequently perpetrated by corruption and cash-on-hand schemes, while service organizations are likelier to report expense reimbursement and billing frauds. You should assess the highest fraud risk based on your operations and undertake a fraud risk assessment process, starting with a brainstorming session that includes employees from all departments and levels to identify and create effective control activities.

Some questions that might be asked during the brainstorming session are:

  • How might a fraud perpetrator exploit weaknesses in the system of internal controls?
  • How could a perpetrator override or circumvent controls?
  • What could a perpetrator do to conceal fraud?

Control mechanisms such as a hotline can reduce your organization’s fraud risk. The ACFE has reported that only 63 percent of organizations utilize a hotline system, and those without hotlines were more than twice as likely to detect fraud by accident or through an external audit. Some organizations imagine fraud hotlines to be complex systems that involve monitoring hundreds of calls, but that isn’t necessarily the case. Your organization needs to evaluate what is the most effective and cost-efficient method for your operations. Tips can be received through telephone hotlines, email, online forms, mailed letters, messaging platforms, or even faxes. Instead of implementing a large hotline campaign, you could try setting up an email-based system with web-based forms that go to an independent individual for review. The key element is always the whistleblower remains anonymous.

If your organization isn’t large enough to have an in-house monitoring system, you could negotiate a combined agreement where your and another organization split the costs of a monitoring hotline system. Hotlines, or other tip-generating control activities, also serve as an effective preventative control. When employees, vendors, and management know they are being monitored by peers and others in and outside the organization, potential perpetrators may be less inclined to commit a crime. Regardless of the techniques utilized, tips continue to be the best way to detect occupational fraud and should be implemented in some fashion.

Heightened responsibilities for external auditors

External auditors are often seen as experts that are expected to catch fraud. Although standards dictate external auditors aren’t required to design procedures to detect fraud, there is probably more that could be done, both on your organization’s and your auditor’s parts.

Through a risk-based audit approach, audit firms can evaluate your risks based on their understanding of internal controls, inherent risk, and complexity of account balance information. However, fraud risk is often glazed over during this process. Within an external audit plan, revenue recognition, inventory, or cash are often designed as high-risk areas due to their susceptibility to fraud. But are procedures specifically designed to detect fraud?

The report has increasingly emphasized proactive data monitoring and analysis as an anti-fraud control. Computer software and systems have become more advanced and accessible as a means to evaluate large sets of data. The ACFE has found that billing and check tampering are significant risks within the accounting departments of those organizations reporting fraud. During the external auditors’ risk assessment, if weak billing controls have been identified, what additional procedures are designed to test the affected account balances? Taking that one step further, what procedures have been designed and discussed with management to review for fraud related activity? Fraud risk assessment is only implemented at 41 percent of organizations analyzed in the report. If organizations aren’t performing this type of analysis, wouldn’t it look good to governance, the public, and stakeholders if some fraud risk procedures were designed and tested during the audit process?

How we can help

There is no way to catch all fraud, but it’s not acceptable for current trends to continue unchecked. Your organization’s employees, customers, and other stakeholders look to you to take steps to improve systems and their design to mitigate fraud risk. Instead of doing what has always been done, our industry-specialized professionals and risk management advisors can work with your people to change those unsurprising results into significant progress.