By Rose S. Javier, 04 June 2009
Will 2009 be better than 2008? Have we seen the bottom of this crisis? Is the worst yet to come? Do we feel the impact of the economic crisis more this year than we did in 2008? How has the crisis affected the business environment in terms of frequency of fraud?
The Association of Certified Fraud Examiners (ACFE) reported some interesting findings in its 2008 Report to the Nation on Occupational Fraud and Abuse. The ACFE, an international organization with headquarters in the US, releases this report every two years; the last one was in 2006.
Some of the main points of the 2008 ACFE report are the following:
While the statistics presented mostly involve companies operating in North America, fraud transcends race, gender, political belief and religion. Fraud presents itself in various shapes and sizes, whether on the domestic front, in the corporate setting, in government or in nonprofit organizations.
What is fraud and how do you find fraud?
It is generally accepted that three conditions must be present for fraud to occur. These are commonly referred to as the three elements of the fraud triangle: opportunity, rationalization and incentive. The perpetrator needs the right environment to be able to commit the fraud, a line of reasoning that the action is not wrong, and sufficient incentive to commit it.
In the workplace, fraud is either committed to defraud the company (so-called "bad" fraud) or done for the benefit of the company ("good" fraud). In a tax evasion case, the perpetrator’s motive is to present lower taxable income so that the company pays less tax. On the other hand, an employee can divert company funds to his personal account and then cover it up through bad record-keeping. The company is ripped off.
Window-dressing financial statements accounts for the highest dollar value of fraud losses, averaging $2 million, and this type of fraud takes around 30 months to be detected.
Some examples of where fraud can occur are in revenue recognition, where the sales department is in cahoots with customers to increase sales deliveries towards year-end, and in the purchasing department, where buyers connive with suppliers to get special concessions.
Fraud can happen in far-flung branches and subsidiaries when no one is looking or right inside the head office in the president’s chambers.
In these hard times, when people are retrenched, there is a likelihood that one person ends up with access to a complete transaction, so that detecting fraud committed in a particular area (say, sales and receivables) becomes impossible until a tip is received from a customer or co-worker.
When we see financial statement fraud, the questions that come to mind include: Who is to blame? Why was the fraud not discovered earlier? Who audited the financial statements? How come the auditors missed the telltale signs?
Interestingly, in the corporate setting, according to the survey, 69.6% of the companies use external auditors as an anti-fraud control, even higher than the use of internal audit departments, which account for 55.8% of respondents.
On the other hand, external auditors detected only 9.1% of fraud cases.
The most effective mode of fraud detection is via tips from employees, suppliers, customers and other parties, which accounted for 46.2% of the cases.
There is a gap between what companies expect from external auditors and what external auditors actually do in an audit.
The objective of the audit is to provide an opinion that the financial statements are fairly stated in accordance with generally accepted accounting principles and not to find fraud per se.
The skills necessary to find fraud are totally different from what external auditors have, although auditors possess professional skepticism. Skepticism alone is not enough to detect fraud.
Still, external auditors are not totally blameless in an external audit failure. There are instances of gross negligence, involving having selected the right audit samples and not pursuing a financial variance that does not make sense.
What should companies use as anti-fraud controls to effectively detect fraud?
There should be a strong, clear signal from the top brass that it adheres to transparency and accountability, coupled with a robust internal control environment that includes both preventive and detective controls.
Breakdowns in these two areas account for almost 50% of the fraud cases related to financial statements, according to the 2008 ACFE report.
Hiring people with the right competencies, good ethical values and work attitudes is just as critical.
The way to prevent fraud in the company starts at recruitment, i.e., by putting in place a good vetting procedure to check the integrity and credentials of the people being hired.
Simply put, if you allow thieves to enter your house, you can bet that within a short period of time and when the opportunity comes, you will come home to an empty house!
The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as COSO, established a standard framework for good internal control.
COSO defines internal control as a process effected by the board of directors and management, designed to provide reasonable assurance regarding the achievement of objectives in terms of effectiveness and efficiency of operations, compliance with applicable laws and regulations, as well as reliability of financial reporting.
COSO provides the five elements of good internal control: control environment, risk assessment, control activities, communication and information, and monitoring.
While company controls play a significant role in fraud detection and prevention, an effective corporate culture, including the following, is just as important: setting the tone at the top; senior manager accountability; clear understanding of ethical guidelines and training staff on these guidelines; an attitude of "zero tolerance" toward fraud among employees; and loyalty towards the company that is engendered by its honest, fair and transparent actions.
Internal controls, no matter how well conceived, can only provide reasonable — but not absolute — assurance that corporate objectives will be achieved.
There is still the probability that internal controls will be deliberately circumvented and loopholes abused, for example when a new system being implemented unknowingly allows access to unauthorized persons, or when management deliberately overrides controls to window-dress its financial statements.
Internal and external auditors can help identify internal control weaknesses in the course of their reviews, but management remains responsible for establishing and maintaining an effective internal control system at reasonable cost. This includes designing controls that indicate when other controls are not functioning effectively.
When fraud does occur, management is responsible for developing controls over the investigation process, including developing policies and procedures for effective investigations and standards for handling the results of investigations, reporting, and communications. Such standards are often documented in a fraud policy, and internal audit may be involved in developing the policy.
However, special teams with skills different from the external or internal auditors need to be called in to do the investigation and reporting.