How could it happen? Hundreds of thousands or even millions of dollars have gone missing. A long-term, trusted employee stands accused. No one knew? No one suspected? It happens every day. Businesses, large and small, municipalities and non-profit organizations all over the country are victimized from within by fraudulent activity. The financial and reputational impact can be devastating and may take years to overcome. In a majority of cases, the perpetrator has no means to make restitution, and the victims are unable to fully recover their losses.
Fraud is generally defined as “wrongful or criminal deception intended to result in financial or personal gain”. According to the 2012 Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners, organizations are estimated to lose 5% of revenue annually to fraudulent activity, with fraud schemes lasting a median of 18 months before being detected. The report identifies the typical fraudster as male (54% of reported cases), between the ages of 31 and 45, with one to ten years of employment at the organization. Losses tend to increase with the length of the fraudster’s employment.
Fraud prevention starts with the tone at the top. Management should create and support a culture in which it is clear, at all levels of the organization, that fraud will not be tolerated and that suspected fraudulent behavior will be investigated and dealt with quickly and decisively. The development of a written, well-documented anti-fraud program is key to establishing a positive tone at the top. The document should include policies and procedures in which management sets forth its expectations with regard to minimizing the risk of fraud. Lines of communication should be defined through an organizational chart and communicated to personnel at all levels, providing clear paths for employees to report suspected fraud.
A code of conduct should also be implemented, setting forth expected behavior and required compliance with established rules and procedures. Employees should be required to annually certify, in writing, their understanding of and compliance with the code of conduct. In addition, anti-fraud training programs should be held regularly to educate employees on fraud-related issues and to reinforce the organization’s policies and procedures.
An organization’s risk of exposure to fraud schemes should be assessed on a regular basis through a formalized process known as a fraud risk assessment. Such an assessment can be conducted internally; however, the use of trained outside experts will often provide a much more in-depth, independent analysis.
First, identify inherent fraud risk. This is done by gathering information on fraud risks specific to the organization, including consideration of all types of schemes and scenarios, pressures, incentives and opportunities to commit fraud. The identified fraud risks are then compared to existing internal controls to determine if these controls are adequate.
Second, assess the likelihood and significance of inherent fraud risk. This is accomplished by analyzing historical information, including known fraud schemes. It also includes interviews with employees at all levels of the organization to help identify fraud risks previously unconsidered by management.
Third, develop and implement controls based on the identified inherent fraud risks. This begins with proposed responses to each identified fraud risk and should include a cost-benefit analysis of the implementation of the suggested controls. Anti-fraud controls should be formally documented, including the roles and responsibilities of all those involved. Continuous monitoring programs should be established to test the ongoing adequacy of controls.
With preventive techniques in place, management should turn its attention to fraud detection controls. Detection controls provide assurance that preventive controls are working and can identify fraud when it occurs. One of the most effective detection controls is the implementation of an independent hotline. Hotlines provide 24/7 confidential access via phone and/or internet. They can be made available to employees, customers, vendors and the general public for reporting suspected fraudulent activity. The success of a hotline rests on the understanding that information provided by callers will be kept strictly confidential and that employees will not face retribution for information they provide, including information about their superiors. Other detection controls include the use of technologies such as data mining and data analysis to identify suspicious transactions and hidden relationships among employees, vendors or customers, and to monitor for control weaknesses.
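The data analysis described above can be illustrated with a small script. The following is an added example, not part of the original article and not any firm's tool: it runs four common accounts-payable tests over a constructed employee list, vendor master and payment ledger. The records, the $5,000 approval limit and the 2% "just under the limit" band are all assumptions chosen for the illustration; a real engagement would pull these from the organization's ERP and its actual authorization matrix.

```python
"""Added example: basic anti-fraud analytics over constructed AP data."""
from collections import Counter, defaultdict

# Constructed sample master data and payment ledger (not real records).
EMPLOYEES = [
    {"id": "E100", "name": "A. Jones", "bank_account": "11-2222-333", "address": "12 Oak St"},
    {"id": "E101", "name": "B. Smith", "bank_account": "44-5555-666", "address": "9 Elm Ave"},
]
VENDORS = [
    {"id": "V900", "name": "Acme Supplies", "bank_account": "77-8888-999", "address": "1 Industrial Rd"},
    # Shares a bank account and address with employee E100: a typical shell-vendor pattern.
    {"id": "V901", "name": "JS Consulting", "bank_account": "11-2222-333", "address": "12 Oak St"},
]
PAYMENTS = [
    {"vendor": "V900", "invoice": "INV-1", "amount": 1200.00, "approved_by": "E101"},
    {"vendor": "V900", "invoice": "INV-1", "amount": 1200.00, "approved_by": "E101"},  # paid twice
    {"vendor": "V901", "invoice": "C-17", "amount": 4950.00, "approved_by": "E100"},
    {"vendor": "V901", "invoice": "C-18", "amount": 4990.00, "approved_by": "E100"},
    {"vendor": "V901", "invoice": "C-19", "amount": 4975.00, "approved_by": "E100"},
    {"vendor": "V900", "invoice": "INV-2", "amount": 350.00, "approved_by": "E101"},
]
APPROVAL_LIMIT = 5000.00  # assumed: payments at or above this need a second approver
NEAR_BAND = 0.02          # assumed: "just under" means within 2% below the limit


def hidden_relationships(employees, vendors, fields=("bank_account", "address")):
    """Return (employee_id, vendor_id, field) for each master-data value an employee
    shares with a vendor. Values are normalized so trivial formatting differences
    do not hide a match."""
    index = defaultdict(list)
    for emp in employees:
        for field in fields:
            index[(field, emp[field].strip().lower())].append(emp["id"])
    hits = []
    for ven in vendors:
        for field in fields:
            for emp_id in index.get((field, ven[field].strip().lower()), []):
                hits.append((emp_id, ven["id"], field))
    return hits


def duplicate_invoices(payments):
    """Return (vendor, invoice) keys that were paid more than once."""
    counts = Counter((p["vendor"], p["invoice"]) for p in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def structured_below_limit(payments, limit=APPROVAL_LIMIT, band=NEAR_BAND, min_count=2):
    """Return vendors with at least `min_count` payments sitting just under the
    approval limit, a sign that invoices were sized to dodge a second signature."""
    low = limit * (1 - band)
    per_vendor = Counter(p["vendor"] for p in payments if low <= p["amount"] < limit)
    return {vendor: n for vendor, n in per_vendor.items() if n >= min_count}


def self_dealing_approvals(payments, relationships):
    """Return invoice numbers approved by an employee who is linked to the payee."""
    linked = {(emp_id, vendor_id) for emp_id, vendor_id, _ in relationships}
    return [p["invoice"] for p in payments if (p["approved_by"], p["vendor"]) in linked]


def run_checks(employees=EMPLOYEES, vendors=VENDORS, payments=PAYMENTS):
    """Run all four tests and return their findings keyed by test name."""
    rels = hidden_relationships(employees, vendors)
    return {
        "hidden_relationships": rels,
        "duplicate_invoices": duplicate_invoices(payments),
        "structured_below_limit": structured_below_limit(payments),
        "self_dealing_approvals": self_dealing_approvals(payments, rels),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

On the constructed data the script links employee E100 to vendor V901 by both bank account and address, flags INV-1 as paid twice, and shows V901 receiving three payments within 2% of the approval limit, all approved by E100. None of these findings proves fraud on its own; each is a lead for the investigative protocol described below, and the thresholds should be tuned to the organization's own approval matrix and payment volumes.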
An investigative protocol should be established so when fraud is detected, it can be dealt with in an efficient, effective pre-determined manner. The protocol should include a process for determining the validity of an allegation, categorizing and analyzing the issues and evidence and conducting a fact-finding investigation. It should also clearly outline the appropriate timing and necessity of seeking advice from outside legal counsel or other professionals.
It is impossible to entirely eliminate fraud risk in an organization. The nature of fraud risk differs by business type, industry and geographic location. Small businesses, generally having fewer resources, are particularly vulnerable to fraud. No system of prevention and detection controls can provide absolute assurance that fraud will not take place. Fraud is dynamic. Fraudsters are creative, hatching new schemes on a regular basis and using new technology to help perpetrate their crimes. Management should strive to design and implement cost-effective anti-fraud programs tailored to the needs of the organization and flexible enough to keep pace with the ever-changing fraud landscape.
Please contact Rich Finkel with any questions.