Rakesh Pardasani, a partner at RSM Dahman audit firm, assesses the ability of external auditors to detect scam risks in organisations
OF ALL the occupational frauds busted in organisations each year, external audit detects only 3% of them worldwide, according to a global fraud study report.
The research, titled ‘Report to the Nations on Occupational Fraud and Abuse’, also finds that, as far as racket-fighting measures go, external audits were the most common control, being present in 80% of victim organisations. In my opinion then, external audits are not a fraud fighting mechanism.
So who gets the job done? Internal audits, I hear? Let’s see.
Busting the fraudster’s party
Internal audits detected 14% of occupational frauds. Internal audits as a control were, however, present in 68% of victim organisations. The figures are getting better, don’t you think? Phew, I’ve started making some sense for myself as well as all the auditors out there. But I still don’t think 14% is a strong enough case for internal auditors to be held responsible for fighting frauds.
In consequence, who is actually busting the fraudster’s party here? Who is detecting the rest of the frauds? Think about it. Who is the first person to know when a fraud does happen in an office? Obviously not the external auditor (as he comes in once or twice a year) or the internal auditor, as any fraudster would first ensure that the internal auditor doesn’t get the hang of what he is trying to do.
In most cases, a colleague / co-worker is actually the first person who feels something is not right. What does that suggest? Your employees are your best fraud fighting mechanism, at least when it comes to fraud detection. Research agrees.
‘Tips’ are the most common method of initial detection and have detected 43% of occupational frauds. The next best method, that is, ‘Management review’ is not even close, detecting only 14.6% of frauds.
The importance of ‘Tips’ as a fraud detection tool cannot be emphasised enough. The findings of the research were consistent with studies done in the earlier years as well. Tips have outperformed any other method across geographies, across size of organisations and across the various types of frauds.
Their importance is, if at all, understated by the fact that ‘Tips’ performed well even in those organisations which did not have a reporting mechanism or a ‘hotline’ as we simply call it. And who is giving these tips? 51% of tips came from employees. Your employees are, indeed, your best fraud detection tool.
The research is based on data compiled from a study of 1,388 cases of occupational fraud that occurred worldwide over two years – 2010 and 2011. What is perhaps most striking about the data gathered is how consistent the patterns of fraud are around the globe. While some regional differences exist, for the most part, occupational fraud seems to operate similarly whether it occurs in Europe, Asia, South America or the United States.
Formal reporting mechanism
What can an organisation actually do to get ‘Tips’ from employees then?
To start off, employee education and awareness are the key. I’ll give you a recent example. One of our clients showed us a letter that he had received. It was copied to the Chairman, Group CEO, Group Financial Controller, Group Finance Manager and the General Manager. The letter blamed a few employees for conducting a fraud and also blamed their immediate supervisor. No details were given and no documents / evidence were produced. The letter was, of course, anonymous.
This was in an organisation where there was no formal reporting mechanism. We were as perplexed as management as to what could be done about this letter. There weren’t any details to investigate, except names of a few employees.
Now, if this organisation had a proper reporting mechanism and the employees were educated and informed about how to provide proper tips and at the same time how to maintain confidentiality, the letter would have been addressed to an appropriate person in the organisation given the responsibility for investigating frauds, thus keeping the matter confidential.
Secondly, this tip, if genuine, would have come much sooner. Thirdly, if the employees were educated, the tip would have clearly provided documentary evidence and a lot more details about the actual instances of fraud instead of just name calling and that would have ultimately made the management’s job as well as our job as internal auditors, a lot easier to investigate the instance.
Little knowledge on managing losses
Therefore, I suppose the question to ask yourself is, how many of you actually have a hotline or reporting mechanism in your organisation that enables people to tip off against possible fraudsters? And how many of you have actually then trained your employees on providing quality tips?
Obviously, reporting mechanisms are one part of the puzzle. In order to fight frauds effectively, organisations need to have a three-pronged approach. Given the number of high-profile cases which cause a lot of grief, not only to shareholders but to entire economies, you would imagine that fraud would rank as one of the key risks any organisation faces.
However, that is surprisingly far from the truth. Most organisations focus on increasing sales and maximising profit. There are a number of best sellers that focus on selling but not many on frauds. MBA courses do not educate a lot about fraud.
You will find a lot of best practice on maximising profits but very little knowledge on minimising and managing losses. But we know from experience now that a single fraud can wipe out years of profit, drive away investors, ruin a brand and even bankrupt an entire organisation. We find that fighting frauds is often not included in a risk management policy and investigation of a fraud is a knee-jerk reaction to a problem that has exploded, sometimes for the want of basic controls.
An integrated strategy
Once an organisation accepts that it is exposed to fraud (and no organisation is immune to fraud), the next step is to apportion responsibility for fraud risk management. And the responsibility never lies with any one particular department or service provider.
An organisation needs to have an integrated strategy for fraud prevention and control, in order to draw all the elements of the strategy together, to form a holistic circle of measures to counter fraud. Those organisations with a proper strategy are less likely to suffer catastrophic losses than those without.
The strategy has to be owned at the top and cascade downwards through the organisation. It has to start with the company policies which basically set the tone at the top. A ‘Fraud Policy’ statement is a good idea to start with. Such a statement will emphasise the organisation’s attitude to all types of frauds; its determination to combat and prevent fraud and a commitment to punishing those found guilty of wrongdoing.
Circumventing controls
Additionally, a code of ethics / code of conduct supports the fraud policy. The organisation should clarify in simple terms, the norms and values expected from employees in daily activity. For instance, it may spell out the organisation’s approach to payment of illegal commissions and consulting fees or acceptance of gifts. This will ensure that the staff is aware of what is and what is not allowed.
It is also important that employees understand why they need to be serious about fighting fraud. It needs to be explained to them that any loss to the organisation is indirectly a loss to them. The research also indicated that 33% of tips were provided by people outside the organisation, including customers, vendors and competitors.
The management should consider if it wishes to publicise its policies to an external audience as well. Think about it: if the external audience sees how serious you are in fighting frauds, they would consider your organisation as one that stands by ethics and hold it in high esteem.
The next step is strengthening the controls and integrating fraud risks into your risk management framework. Adherence to procedures often requires more effort and it is easier to take shortcuts. But that is where the most risk lies; in taking shortcuts, in circumventing controls, in overriding controls.
No system is foolproof
Most fraudsters resort to such practices to commit fraud. You also need to consider whether the control procedure in place is effective and efficient. Often, companies adopt a procedure without adequately identifying and assessing control risks. This results in either too many controls or too few controls or even both. Whatever controls are implemented, they need to be in response to identified risks.
While the emphasis should be clearly on preventing fraud, the reality is that no system is foolproof. Every organisation will, at some time or other, suffer from an incident of fraud. The existence of a fraud response plan reduces the likelihood of panic and ensures that effective action is taken and evidence is readily available. The fraud response plan shall specify the steps to take as soon as a fraud is discovered to prevent further damage and safeguard evidence, and the nature and form of communication with stakeholders, if required.
Most of the time we are called in after discovery of the fraud: to investigate it, to investigate the weaknesses that made it possible and the extent of loss, and to suggest measures to avoid this from happening again in the future.
The one thing I always try and explain to these companies is that fraud fighting cannot be an ad-hoc exercise, performed to obtain quick fixes. It needs a well-rounded approach, a positive tone at the top that employees can visibly see and an acknowledgment of the fact that regardless of the controls you put in place, frauds will happen and so, there needs to be a well laid out plan to deal with such instances.