Fraud Risk Management: Awareness, prevention, detection and investigation.
By Stefan Lia
According to the 2016 ‘Report to the Nations’ by the Association of Certified Fraud Examiners, professional fraud examiners estimate that a typical organisation loses 5% of its revenue to fraud. In a competitive market, that could be your profit margin!
The definition of internal fraud is wide. It is understood to occur when a current or former employee steals, alters or destroys business information (such as customer data) or assets (such as computer software or physical assets) for personal gain. It may involve corrupt arrangements involving extortion from or collusion with other individuals, or can involve falsification of financial or other company records.
The local landscape
The last couple of years have seen a number of high-profile cases of internal fraud in Malta, in some cases associated with the termination of a business. For organisations which are going concerns, when a case hits the press, reputational costs can add insult to the injury of the financial cost. Well-publicised incidents in the public sector, remote gaming and the finance sector show that all sectors can be affected, with possible negative consequences on consumer trust in business.
On the other hand, companies are investing in anti-fraud systems. Establishing a framework for fraud risk management and a robust system of internal financial control can help organisations to reduce the risk of loss through fraud and financial crime, and many organisations employ or engage internal audit and risk management experts to ensure a strong anti-fraud framework. For a number of years, retail businesses have been looking at a mixture of technological solutions and internal control reviews to detect and prevent such fraud.
The profile of a fraudster
It’s a myth that insiders who commit fraud need to be technically proficient or command a position of special trust or power, although the size of frauds is positively correlated with seniority. For example, a part-qualified accountant in a small consultancy firm used false invoicing, false salary payments and other acts of fraudulent accounting to steal thousands of euros from his employer. The crime was uncovered by the business owner, but not before the fraudster had fled abroad, taking the money with him.
Key to detection and prevention of fraud is to understand its nature. A common pattern is a “low and slow” approach to fraud. The fraudster misappropriates “low” amounts of money and conducts their activities “slowly” over a long period of time, possibly to avoid detection. Such fraudsters accomplish more damage and escape detection for a longer period of time. Given this typology, internal fraud needs to be tackled differently from external fraud, which tends to be “high and fast”.
Bearing in mind that awareness of fraud risks can provide a business with protection, a useful model to know when considering the likelihood of fraud occurring is the fraud triangle. The fraud triangle is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behaviour.
A potential fraudster facing a perceived unshakeable financial need (motivation) and having the means to commit a fraud (opportunity) may well find a way to justify the fraud within the constraints of his own belief system (rationalisation). In the ‘low and slow’ typology the rationalisation might be that the employer won’t miss a small amount and/or that the fraudster deserves it to compensate for something else, such as an unpaid bonus or overtime.
Breaking one of the sides of the triangle will stop the potential crime from happening. As shown in the diagram, this build-up takes a number of months, even years, from conception to action – time during which the organisation could have detected and prevented the crime from happening.
In addition to a theoretical understanding of fraud risk, fraud workshops that focus on the risks that particular organisations face can be a useful technique to create better fraud awareness amongst management and employees.
A Deloitte UK survey revealed myriad opportunities and motives for fraud. Some of the top ones included disgruntled employees and external pressures on individuals. Ineffective internal controls were also a factor. Whilst it is true that one size does not fit all, a comprehensive plan, with the involvement of key internal functions, could go a long way to prevent and detect internal fraud.
For example, apart from internal audit mentioned above, the involvement of the Human Resources function is key in fraud prevention. A robust recruitment stage through pre-employment screening is a key detective measure. This would involve the process of checking that information provided by a prospective employee is accurate and complete. The results are used to make an informed decision about the suitability of an applicant for a particular vacancy. It can also deter dishonest individuals from applying in the first place, thus having the added benefit of being a preventative measure as well.
When it comes to investigation, this can be a very delicate matter. Whilst there is a temptation to try to maintain a ring of secrecy around embarrassing fraud events, if you are serious about recouping financial losses or seeing the fraudster punished, the involvement of professionals should be seriously considered. Forensic work and evidence gathering are important.
It is clear that this is not an issue that will simply ‘go away’. Organisations need to tackle it strategically and will benefit from being proactive rather than reactive, by preventing fraud before it can succeed. Awareness, prevention, detection and investigation are integral elements of an effective anti-fraud strategy. Its success will be of great benefit to any organisation.