And Striking the Right Balance to Fight It
The reality is that the vast majority of corporations have a fraud problem to some degree. It’s a growing problem – one indicator pointing to a rise in overall economic crime globally. Michael Volkov outlines various methods to detect and prevent fraud and gives us a peek into the mind of a corporate fraudster.
“For the love of money is the root of all evil…” – 1 Timothy 6:10, King James Version, The Bible
Corporate bribery requires money. How is that for something obvious?
Companies face a variety of threats; one enduring threat is the risk of fraud or theft. Unfortunately, employee fraud is all too common.
PWC’s 2018 Global Economic Crime and Fraud Survey reported that “only 49 percent of global organizations said they’d been a victim of fraud and economic crime. However, we know this number should be much higher. So what about the other 51 percent?” PWC suggests that the other 51 percent of corporate organizations are blissfully ignorant and ignoring their obvious fraud problem.
In the new environment of aggressive enforcement, governance surveillance and stakeholder focus on corporate organizations, corporations can no longer view fraud as a simple cost of doing business. The risks and problems are increasing, and the consequences of ineffective fraud controls are significant.
There is no question that fraud awareness is increasing. Companies are recognizing that fraud is growing concern. The PWC survey result of 49 percent is the highest level of awareness over the last 18 years.
Companies are experiencing increased fraud as part of an overall increase in economic crime around the globe. Reported economic crime has increased over the last few years and is continuing to increase. As a result, companies face ever-increasing risks of fraud. In response, companies are increasing their spending on fraud prevention and detection strategies. The cornerstone of this effort is technology and data analytics. Companies are exploring the use of whistleblower programs to encourage reporting and detection.
Like many other risks, companies have to adopt proactive measures, beginning with a risk assessment. Many companies are beginning to conduct fraud or economic crime risk assessments on a regular basis. Such an assessment could easily be included in an anti-corruption, anti-money laundering and trade controls risk assessment.
Companies are not going to be surprised by the results of their risk assessments. Asset misappropriation, consumer fraud and cybercrime are likely to round out the top three risks.
The PWC survey confirmed what we already know: The incidence of economic crime committed by internal actors has increased to 52 percent. Interestingly, the proportion of economic crimes committed by senior management increased from 16 percent in 2016 to 24 percent in 2018.
Fraud, however, is not a problem limited to internal actors; it extends to a company’s third parties. Add that to the list of risks requiring due diligence and third-party risk management. According to PWC, 68 percent of external actors committing fraud are agents, vendors, shared services providers and customers.
The cost of fraud to an organization is much more than the theft itself. Secondary costs include investigations and other interventions. In response, companies are definitely increasing their spending on fraud prevention and detection. Forty-two percent of responding companies have increased their spending on economic crime and fraud.
Companies have access to a number of technologies to defend themselves against fraud; these are aimed at monitoring, analyzing and predicting human conduct, including machine learning, predictive analytics and other artificial intelligence techniques. Technology is expensive and difficult to implement across an organization.
Fraud Detection: New Technologies and Analytics
The battle against fraud is evolving, and technology is providing new and important tools to detect and prevent fraud. Companies are using a variety of techniques, including continuous monitoring, email monitoring, anomaly detection, pattern recognition and artificial intelligence.
Data mining and statistical analysis can also be helpful in detecting fraud. By using sophisticated data mining tools, companies can search millions of transactions to spot patterns and detect fraudulent transactions. These tools include decision trees, machine learning, cluster analysis and association rules and can generate models to predict fraud.
Before discussing sophisticated techniques for fraud detection, let’s start with basic anti-fraud controls; these include segregation of duties for authorization, custody of assets and recording or reporting transactions. In some cases, companies should ensure that their basic controls are in place and re-engineer business procedures to minimize such risks.
Major fraud usually involves senior management, especially those with the authority to override controls. Employee fraud schemes often involve theft by exploiting control weaknesses, such as stealing cash before it has been recorded, fictitious expense reimbursement claims and/or stealing assets from the organization (e.g., computers, iPads, phones). On average, fraud schemes last 18 months before being detected.
Fraud awareness training and communications are important aspects of a fraud prevention program. Every employee should be made aware of the risks of fraud and corporate policies prohibiting such activities. Employees who may be considering engaging in theft can be deterred from such conduct when they learn about robust fraud detection and enforcement policies. Other employees who are committed to honest conduct can be essential allies in reporting suspected fraud to their supervisors. Employees, customers, vendors and related persons can become important sources of tips and information leading to exposure of fraud schemes.
Data analysis is a straightforward strategy for detecting fraud. The objective is to analyze the entire set of data (e.g., transactional data, master vendor data and application control settings) to identify indicators of fraud. Data analysis techniques can vary from statistical analysis for transactions outside the norm to analytic tests for identifying specific circumstances indicative of fraud. Statistical analysis identifies transactions for closer examination. Another type of statistical test is to look for the presence of certain matches (e.g., employees and suppliers identities, addresses and bank accounts).
Fraudsters are adept at taking advantage of weaknesses or gaps in a company’s internal controls. A perfect example of such a weakness is when business systems do not share or cross-check information. Specific tests for matches of database fields can be an effective way to uncover potential anomalies. Some types of analytic procedures are fairly simple – looking for duplicate payments of an invoice. Data analytic tests, however, have to be carefully designed to avoid an excessive number of exceptions that may overwhelm fraud detectives.
Data analysis software is available for audit, fraud detection and control testing. These tools usually include pre-established analytic tests, such as classification stratification, duplicate testing, aging and match-and-compare. In implementing a software solution, a company has to ensure that the software logs all procedures performed and audit trails to support fraud investigations.
Data analysis can address control gaps that often exist in ERP systems. While most ERP systems have certain fraud prevention and detection capabilities, these internal tests are insufficient. In many cases, an ERP system turns off controls when running certain operations to function more efficiently. As a result, it is important to conduct independent data analysis to examine transaction details across a broad range of data. In doing so, an independent examination can include combination and comparison of data from different systems within the company.
After establishing a roster of effective data tests, companies should employ such testing on a continuous or regular basis, depending on the nature of the transactions (continuous for daily payments and periodic for regularly scheduled payments). Continuous monitoring detection should generate a dashboard and reports. Most companies maintain fraud detection in business processes (e.g., purchase to pay, payroll, travel and entertainment) or areas that are high risk.
The Mindset of Employee Fraudsters
Technology and computer analytics are important tools in the fight against fraud, but they are not a magic and exclusive bullet. Fraud is committed by humans and investing in the human element, while difficult to measure, is an important part of every fraud prevention strategy.
The fraud triangle is an essential framework for understanding fraudster behavior. The fraud triangle is no panacea, but it is a powerful tool. It begins with an incentive, an expectation to perform in an organization, followed by an opportunity and an internal rationalization. All three of these drivers must be present for an act of fraud, and each can be addressed.
Companies have to reduce the opportunities for fraud. Building effective internal accounting controls is a critical aspect to reducing fraud opportunities. Technology is important here in designing, revising and maintaining effective internal controls. Companies are not devoting significant resources to counteract incentives and rationalizations. Incentives and pressure continue to push employees toward committing fraud.
Internal fraud usually involves gaps in a company’s internal controls and culture. An effective set of internal controls can be effective but should not be relied on as the only strategy for preventing fraud. Controls can be evaded and circumvented, and human actors have the authority in certain situations to override or rely on exceptions to controls.
Financial incentives can create opportunities for fraud. However, financial incentives are important for motivating positive sales and related conduct. Human nature searches for and relies on incentives.
At the root of fraud, however, is human rationalization. This is exemplified by a focus on the self – meaning a rationalization for why an individual is justified in engaging in misconduct, usually because of some perceived slight or mistreatment. A narcissistic employee who is passed over for a specific promotion can feel justified in stealing from the company because of such mistreatment.
The human mind can be difficult to manage when it comes to the mix of emotional and so-called rational thinking patterns. Employee fraudsters are good at rationalizing their misconduct. They perceive their misconduct as victimless – no one is hurt, it is just money. Employees rely on such rationalizations for committing human resources fraud, asset misappropriation, procurement fraud and accounting fraud.
Employee fraud that is directed at advancing a corporate objective – meeting a sales target for a company/revenue goal – can be easier to rationalize because of the importance of satisfying a corporate objective (while earning a personal benefit such as a bonus).
In balancing these concerns, a corporate culture of ethical conduct is an essential aspect of any anti-fraud program. An effective culture will reduce opportunities and instances for employee rationalization while promoting employee reporting of potential misconduct.
Companies have to find the right balance between technology and human behavior. Fraud is a difficult and intractable problem. Proactive strategies are essential to combat and minimize a company’s exposure to fraud risks.
This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.