This is the third post in a series about fraud at organizations. Thefirst postcovered the need for strong corporate governance in managing fraud risk, and the second post focused on mitigating risk through fraud prevention and detection.
Fraud in most organizations, whether commercial or not-for-profit, is not totally preventable. When entrepreneurs or senior managers recognize and acknowledge that fraud could occur in their organization, their attention will likely shift to fraud detection.
Early detection can reduce fraud losses in many instances because organizational frauds tend to be ongoing. In this post, we discuss some ways that fraud might be detected.
Fraud detection by tip lines
An anonymous tip line (or website or hotline) is one of the most effective ways to detect fraud in organizations. In fact, tips are by far the most common method of initial fraud detection (40% of cases), according to the Association of Certified Fraud Examiners (ACFE) 2018 Report to the Nations. Moreover, the ACFE study found that fraud losses were 50% smaller at organizations with hotlines than those without.
In order for tips to be independently investigated, it is desirable they go directly to an organization’s internal auditor, inspector general, legal department, or even to outside legal counsel.
Tip lines should provide a disclosure policy that sets forth the following:
- Types of tips accepted (Tips that do not fall within the scope of accepted items are rejected, ignored, or referred to a different authority. For example, many tip lines accept tips for not only fraud, but also ethics or policy violations.)
- The rights of the accused
- Protections for the tipster (i.e., anonymity, confidentiality, and whistleblower protection)
For tip lines to be most effective, organizations should promote them and incorporate them into employee training. For example, some companies provide information about their tip lines on employee pay stubs.
Fraud detection by external auditors
AU-C section 240, Consideration of Fraud in a Financial Statement Audit (American Institute of Certified Public Accountants, Professional Standards) requires that financial statement auditors conduct their audits in such a way so as to obtain reasonable assurance that financial statements are free from material misstatement, whether caused by fraud or error. Consequently, in some cases, especially those with large losses, an organization’s external auditors may detect fraud.
While financial statement fraud schemes are among the least common, according to the ACFE report, they tend to be the most costly, resulting in a median loss of $800,000. Asset misappropriation schemes, on the other hand, are most common (89% of cases) and among the least costly, with a median loss of $114,000.
AU-C section 240 provides substantial guidance regarding the auditor’s responsibility to detect fraud. Some aspects of the guidance include: the auditor’s consideration of the risks of misstatement in light of the organization’s existing programs and controls; the likelihood of management override of controls; retrospective reviews of management’s judgments related to significant estimates and fraud risk factors.
The fraud triangle is a framework designed to explain the reasoning for fraud and suggests three factors that generally apply to fraud perpetrators:
- Pressure
- Opportunity
- Rationalization
Pressure typically exists in the form of a non-sharable problem, such as a large (secret) gambling debt, medical bill, or money needed to support an excessive lifestyle. Pressure can also come from the organization itself or stockholders in the form of pressure to perform or in covering up negative results in order to look good.
Opportunity is usually much more obvious than pressure and generally applies when an organization’s employees violate trust. In order for any organization to function, a certain level of trust must be placed in employees, but such trust will be counterbalanced by an effective fraud detection system.
Rationalization is typically the excuse for committing the fraud. In many cases, fraudsters rationalize by telling themselves that they are only temporarily borrowing from the organization. In other cases, fraudsters rationalize with thoughts like, “They won’t miss the money,” or “They deserve what they’re getting.”
Fraud detection by internal auditors and inspector generals
An organization’s internal auditor does a lot of the same type of work as its external auditor, but an internal auditor is concerned with all fraud rather than just the fraud that impacts the financial statements. As such, an internal auditor will likely discover some frauds as a routine part of internal auditing work. The ACFE study found that internal audit is the second most common method of initial fraud detection.
Further, an internal auditor plays a key role in developing a system of fraud indicators, so that suspicious activities are flagged and investigated. Finally, internal auditors may be concerned with violations of the organization’s policies and procedures even when they do not involve fraud.
In many governmental organizations (e.g., federal agencies), an inspector general monitors for, detects, and investigates fraud. Inspector generals and internal auditors often work together in managing fraud risks.
Fraud detection by dedicated departments
Many organizations have departments devoted to information security and fraud detection. For example, a bank may have an internal security department (i.e., loss management department) devoted to customer account fraud. Such departments may operate independently in their functional areas or under the control of a chief information officer, the controller, or the internal auditor.
Fraud detection by accident
Passive fraud detection refers to cases in which the organization discovers the fraud by accident, confession, or unsolicited notification by another party. Fraudsters frequently make mistakes by failing to adequately cover their tracks. For this reason, efficient organizations will train their employees to spot and report irregularities.
“Frauds detected passively tended to last much longer and have larger median losses,” according to the ACFE report, so it’s important to have active detection methods in place, such as the ones mentioned above, to help identify fraud cases as early as possible.
Contact a Kaufman Rossin risk advisory or forensic advisory professional to learn more about how you can be better prepared to prevent and detect fraud at your organization.
NOTE: This material is adapted from the following text:
Essentials of Forensic Accounting, Michael A. Crain, William S. Hopwood, Carl Pacini, George R. Young, Copyright 2015. American Institute of Certified Public Accountants, Inc. All rights reserved. Reprinted with permission.
