August 2008

“No Fraud Here” – Can Management Afford to Continue Ignoring the Threat?

By Peter Goldmann

According to research recently conducted by the anti-fraud consulting firm, Protiviti*, management at a majority of organizations is still surprisingly complacent about the threat of fraud.

For example, the Protiviti study determined that only 49% of executives believe their organizations’ strategies for addressing fraud risk are “very well defined.”

Translation: Less than one-half of organizations proactively identify fraud risk and have anti-fraud programs, policies and controls in place that are monitored and enforced by the board and senior management.

Similarly, a Deloitte Forensic Center survey** concluded that only 41% of executives considered their companies to be “more effective” in the area of fraud control, compared to the remaining 59% who described their organizations’ fraud control efforts as “less effective.”

While Deloitte notes that companies overall have in recent years enhanced their efforts to implement effective anti-fraud measures, a substantial “fraud control gap” is still glaringly evident from the data collected.

Disturbing implication: Six-plus years into the "Sarbanes-Oxley era”, most companies are still highly vulnerable to fraud of all kinds and management appears to show little intention of “tightening up" anti-fraud defenses.

This, unfortunately, is not surprising. Fraud remains an issue most managers still find easy to ignore. Why? Because fraud is unpleasant… investing in fighting it has no immediately quantifiable ROI … and it is desirable — indeed reassuring — to assume that the organization is so well managed that it is at minimal risk of being victimized by fraud. Moreover, many executives of large public companies have convinced themselves that the multi-millions spent on compliance with Sarbanes-Oxley is more than enough to protect them against major fraud.

Serious Fraud Losses

As detailed in the ACFE’s 2008 Report to the Nation on Occupational Fraud & Abuse, Certified Fraud Examiners (CFEs) who participated in an ACFE survey estimated that U.S. organizations lose 7% of their annual revenues to fraud.

That represents an upward spike of two full percentage points since the last survey was published two years ago—or nearly fifty percent. This is another in a long series of indicators that no matter how daunting the fraud threat, management still finds ways to convince itself that fraud is a “second-class” priority—that there are far more pressing demands than taking an active role in the organization’s defenses against financial crime.

For us anti-fraud folks, the writing on the wall just keeps getting clearer and clearer. As the fraudsters continue to keep a step (or three) ahead of those fighting the war on fraud, it matters little whether or not another Enron-type disaster hits the headlines. The fraud epidemic in America will slowly but surely claim more and more victims. And more often than not, we can be sure that those victims will be the organizations that persist in believing in their inherent invulnerability.

A Better Way...

This all begs the obvious question: Why doesn’t management see the fraud risk the way the fraud prevention profession does? Why is it not obvious to senior management that fraud losses far exceed the financial outlay that would be required to substantially reduce those losses? After all, as the ACFE’s 2008 Report further concludes, the costs of implementing key anti-fraud measures is dwarfed by the savings in fraud losses directly stemming from such measures.

For example: Organizations that implement fraud awareness training, hotlines and other key elements of a Fraud Risk Management (FRM) program are rewarded with a more than 50% reduction in fraud losses.

So again, with such an abundance of authoritative evidence supporting a vigorous assault on fraud, why aren’t senior executives jumping on the FRM bandwagon in droves?

Part of the answer lies in simple human nature. It is always easy to put off dealing with a risk that is described on paper until becomes reality –in our world, via a costly fraud.

Swimming Against the Current

Management that wisely chooses to operate counter to this mindset of course immediately earns the reputation of being shrewd and forward-thinking as soon as its anti-fraud actions pay off in the apprehension of one or more would-be fraudsters.

Unfortunately, as already noted, “forward-thinking” is not the preferred corporate attitude when it comes to proactive anti-fraud strategies. This, despite ample evidence that significant reductions in fraud risk can be achieved by, among other things…

• Conducting annual Fraud Risk Assessments

• Tightening and vigorously monitoring the effectiveness of all anti-fraud controls.

• Implementing stringent anti-fraud policies.

• Training employees and managers in basic fraud awareness — to enable them to spot red flags before fraud occurs.

• Conducting surprise audits.

• Continuously monitoring financial transactions.

Pressing the Case for Action

So what can those of us who know that an organization with a cavalier attitude toward fraud risk is asking for trouble do to convince management to act before the inevitable occurs?

According to Peter Callaway, head of the Australian Chapter of the ACFE and a seasoned fraud prevention consultant, it often helps to regularly bring to management’s attention the misfortunes of others – preferably those in the same industry.

In addition, suggests Callaway, internal auditors and risk managers should take every available opportunity to alert top management to the findings of their fraud risk assessments which identify the specific vulnerabilities to serious fraud that must be addressed in order to minimize risk.

Callaway further urges internal auditors to continuously and assertively present to management the above-mentioned comparison of the cost of implementing anti-fraud controls to the much larger number reflecting the potential for the loss of up to seven percent of revenue.

Additional effective tactic: Have the organization’s audit committee exert pressure on the management team to implement anti-fraud measures. In organizations with proactive audit committees whose membership includes individuals with a keen appreciation of the potentially devastating impact of fraud, the leverage that comes along with board membership should be exploited at every opportunity to prod management to move aggressively against fraud risk.

In the succinct understatement of the AICPA Audit Committee Toolkit: “The members of the audit committee should understand their role of ensuring that the organization has antifraud programs and controls in place to help prevent fraud.”

With these actions and a bit of luck, some organizations may actually make a noticeable dent in the ACFE’s latest seven percent fraud loss estimate.

Footnotes:

* Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today’s Largest Organizations, www.protiviti.com

** Ten Things about Fraud. How Executives View the “Fraud Control Gap”, available at www.deloitte.com/us/forensiccenter

© 2008 White-Collar Crime 101 LLC, All Rights Reserved.

Peter Goldmann Peter Goldmann is Editor and Publisher of the monthly newsletter, White-Collar Crime Fighter, http://www.wccfighter.com.