Stealing the corporate ladder: preventing, detecting and investigating occupational fraud at all levels
February 2017 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
Each year, Fortune magazine lists the 500 most profitable US corporations – known as the Fortune 500. In 2016, these companies represent about $12 trillion in revenue. The Association of Certified Fraud Examiners (ACFE) estimates in its 2016 ‘Report to the Nations’ that a typical organisation loses 5 percent of annual revenues to fraud. Applying this figure to the Fortune 500, one can estimate that these organisations are losing $600bn to fraud each year.
In fact, in preparing the report, the ACFE analysed 2410 occupational fraud cases with losses from these cases totalling over $6bn. Fraud is a problem in all businesses and for all employees, which is why it is imperative for organisations to have procedures in place for preventing, detecting and investigating occupational fraud.
For those outside the anti-fraud profession, detection of fraud may seem like a simple task. Most large, international organisations have layers of controls including policies and procedures, internal audit functions and external audits. With all of these safeguards, how is it that fraud still occurs so frequently? First, the employees committing fraud are actively trying not to be discovered; fraud is usually a clandestine activity. These employees are familiar enough with the policies and procedures in their areas that they are able to see the loopholes and workarounds that may be invisible to outsiders.
Second, while internal and external audit functions serve an important purpose, these functions are limited by sampling and materiality levels which may not catch fraud that is occurring below materiality levels or may not catch fraud at all. External audits, in particular, are not even designed to detect fraud. Employees that are ‘in the trenches’ know what authorisation limits, as in threshold for transaction approval or cheque signing, are in place in their divisions and know which thresholds could send up red flags.
Perhaps this is why the most effective detection method for fraud are tips from a hotline. According to the 2016 ‘Report to the Nations’, tips detect occupational fraud 39.1 percent of the time, which is more than internal audit (16.5 percent), management review (13.4 percent) and external audit (3.8 percent) combined. Implementing a fraud hotline is a simple, cost effective way to help combat fraud. In fact in some countries, fraud hotlines are required by regulators for publicly traded companies. Education regarding the existence and purpose of the hotline is key and assists the organisation in establishing an anti-fraud culture.
In addition to a hotline, education of non-audit personnel regarding common internal control lapses and red flags of fraud may increase awareness, and in turn, detection of fraud. An internal auditor may be able to look at a function and instantly recognise a problem, such as lack of segregation of duties, but if management overseeing that function does not understand why lack of segregation of duties is a problem, management may choose to circumvent controls to improve efficiencies or meet other benchmarks.
Managers and supervisors work with employees on a daily basis, as opposed to internal auditors who may only interact with the same employees during an audit. As such, managers and supervisors are more likely to be aware of behavioural indicators of fraud, like an employee living beyond his or her means, or an employee who avoids delegating work or resists taking vacation days. Like education regarding the existence and purpose of a hotline, this type of anti-fraud education further establishes the organisation’s stance and culture of not tolerating fraud.
Once predicate exists, meaning fraud has been detected, appropriate personnel – internal audit, corporate security or an external consultant – should perform an investigation. The importance of a thorough, accurate, professional investigation cannot be overemphasised. Too often top management will rush to action regarding fraud which can impede actual investigation of the incident, create potential liabilities to the organisation and prevent successful litigation. However, before any investigation can begin, the investigative team needs to determine the goals of the investigation and the implications the investigation can have on the organisation. Three key areas of discussion when planning an investigation are employment laws and potential liabilities related to these laws, subsequent criminal prosecution or civil litigation related to the incident, and communication regarding the incident both internally and externally. Legal counsel should be included on the investigation team to help address these key areas, or other legal issues that may arise during the investigation.
Understanding employment law is crucial in a fraud investigation. If employee rights are violated, the organisation may be held liable for wrongful termination or may be forced to rehire an employee who is suspected of fraud. Additionally, because many organisations have an international presence, employment laws are likely to vary depending on the location of the employee or the fraud. In the instance of a global organisation, corporate security may be in a different location than the employee committing fraud and may not be familiar with international employment laws or other customs that could impede an investigation. Similarly, an understanding of criminal and civil laws in the appropriate jurisdiction is necessary. If an organisation does not have internal staff with appropriate knowledge, hiring an external consultant with experience in the jurisdiction may be the best path.
Pursuing litigation can be a strategic decision by the organisation. While criminal and civil penalties can act as a deterrent against fraud, not only for the suspected perpetrator but also for other employees who may be tempted, it does open the organisation to public scrutiny and reputational risk. This touches on the third key area – communication of the fraud both internally and externally. While the investigation will need to be kept confidential until definitive results can be determined, once the investigation has concluded the organisation needs to consider how to communicate the results to other employees, if appropriate, and how to communicate the results to regulatory agencies or lenders.
Some organisations may debate the merits of not communicating the results, but that decision comes with its own risks. The ‘rumour mill’ and ‘scuttlebutt’ can convey messages that could be detrimental to the organisation. External communication is just as important. Public perception and brand reputation are exceptionally important. Getting in front of the message and providing the media with an accurate perception can prevent damage to the organisation. Again, these are strategic decisions management must make based on organisational goals and corporate culture.
After a fraud has been detected and investigated, one vital question remains: how does the organisation prevent future occurrences? Obvious answers are filling the holes in internal controls and additional training for employees. Consideration should also be given to an important preventative tool – tone at the top. Executive management and the governing body of the organisation determine the tone and culture of the organisation as it relates to fraud. Communicating a strong anti-fraud stance can act as a deterrent to employees who may be tempted by flaws in internal controls. This stance can also affect shareholders and the public when it comes to fraud. A recent example of this is the Wells Fargo scandal in the US. For those who are not familiar, employees for the bank were creating fictitious accounts for existing customers to meet sales goals. These acts were purportedly encouraged by senior management in the area, and the corporation has been criticised publicly for the actions of these employees. What would have occurred if management had a different tone? If an employee had suggested the fraudulent tactic to others and had been rebuked instead of encouraged? A whole host of trouble could have been prevented just by having a different culture.
There is no magical cure for fraud. Fraud will be a continuing problem for all organisations. However, it is possible to reduce the amount of fraud loss and the impact of fraud by having effective mechanisms for preventing, detecting and investigating fraud. It is possible that up to 5 percent of your organisation’s revenues are walking out the door as a result of fraud. What is your organisation doing at all levels to fight fraud?
Anne M. Layne is a senior manager at McHard Accounting Consulting LLC. She can be contacted on +1 (505) 554 2968 or by email: firstname.lastname@example.org.
© Financier Worldwide
Anne M. Layne
McHard Accounting Consulting LLC