Fraud Prevention
An Investment No One Can Afford to Forego

By Gary W. Adams, David R. Campbell, Mary Campbell, and Michael P. Rose

E-mail Story Print Story

Importance of Fraud Prevention

For purposes of this article, fraud is defined in terms of one’s employment, as ACFE did in its 2004 study: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
Clearly, fraud is a pervasive corporate problem, affecting organizations across industries and time zones without regard to company size. Because of fraud’s disastrous consequences, failure to put deterrent procedures in place could put a company out of business within days. Fraud prevention, then, is a defined program of proactive measures to avoid or mitigate fraud.

Because of relative scaling, the greatest financial impact of fraud can occur in a small-business environment. A loss of 6% of revenues is significant for any company, however large, but a small operation whose margins are thin and reserves nonexistent will go out of business. Even if an operation survives the fiscal loss, its business continuity can be in jeopardy and it may no longer be able to function as an independent entity. Failing to address these issues places a company at a competitive disadvantage when fraud becomes a cost of doing business. Through cost avoidance, this impact becomes doubly significant because competitors can lower their product or service costs to their customers as their revenue yield—unaffected, through fraud prevention—is higher.

Finally, public disclosure of significant fraud can irreparably damage a large organization’s brand. Customers and vendors translate sensational media coverage of fraud into an early warning sign of decreased market value in the product or service offered, resulting in declining sales and revenue. In extreme cases, it can even lead to the market collapse of the business.

Assess Current Conditions

Developing a fraud prevention program requires an accurate picture of the organization’s current state of fraud risk. The “Assess” phase in Exhibit 1 highlights key tasks, including assessing the likely baseline behavior of the organization using cultural and other assumptions of social behavior.

Interviews with key project stakeholders are an essential part of this assessment. The board or audit committee executive sponsor will probably have a good sense of the current state of affairs as well as of why the company needs a new or improved fraud prevention program. Interviews with them also allow an assessment of the strength of the “tone from the top” and of whether additional actions from senior leadership are needed to reinforce communications. The owner of the project, perhaps the CFO or the chief risk officer, will have a good understanding of fraud and the associated risks within both the organization and its industry. These individuals can identify the three to five areas of greatest fraud risk facing the company. Last, the internal audit group or an independent third party hired to collect data will provide guidance. Collectively, these factors will influence assumptions and help guide the type of information gathered.

Fraud Risk Assessment and Additional Data Collection

A systematic, formal fraud risk assessment survey provides an opportunity to obtain additional information on the areas posing the greatest fraud risk. The ACFE has a short, seven-statement questionnaire providing a very high-level look at the major gaps in a fraud prevention process. This survey is a starting point for the process, to recognize major areas to address. A comprehensive fraud risk assessment survey covers the following:

• For larger companies, the current components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework as they apply to an assessment of fraud risk. The constituent parts might include established fraud policies, fraud training, fraud-reporting mechanisms, and adequate internal controls. The COSO Internal Controls framework is very similar and can therefore be used as well.
• Potential areas of the fraud-risk tree, which lays out different types of fraud pertinent for specific industries or companies: fraudulent statements, corruption, and asset misappropriation.
• Areas of highest risk, which require historical and benchmarking data from the company and its industry.

Exhibit 2 features questions focused on fraud risk from a risk assessment survey developed for a global professional-services firm. This survey includes both quantitative and qualitative measures.

Additional information. In addition to the survey results, other important data include the following:

• Hotline activity, if a hotline is in place. What types of reports have come in? What has management done to address issues raised? Are these issues potentially symptomatic of larger problems?
• Previous fraudulent activity within the organization, and how management handled it.
• Existing programs relating to ethics and fraud prevention, as well as the level of participation in these programs.

The Sarbanes-Oxley Act of 2002 (SOA) requires the audit committee of a public company to set up procedures for the receipt of complaints and anonymous tips. This feedback could relate to reported or observed abnormalities in the company’s accounting methods, internal controls, or audit activities. ACFE has found that hotlines or other confidential reporting mechanisms are among the best tools to prevent fraud, significantly reducing losses to the bottom line.

Complete process analysis. As an organization analyzes its findings, it is unlikely to obtain the same results as other organizations because each company’s programs, processes, and policies are unique. A company must identify its areas of greatest risk to ensure that the proper controls are in place to reduce or mitigate those risks. Typically, an organization should use one key control for each risk. If concerns remain regarding a business process with a high likelihood for a risk exposure, the organization might choose to use business process improvements techniques, altering the process to remove risk rather than building controls upon controls.

Compare results to benchmark data. An organization needs benchmarking data to put its results in perspective. This data can be found by using the COSO framework for identifying best practices, ACFE reports and whitepapers, and studies by industry trade groups the organization belongs to. Comparing the organization’s current situation and its level of risk tolerance with best practices helps define a desired state as it moves toward implementing its program.

Design and Implementation

The design and implementation phases should begin with a vision for the fraud prevention program along with the strategic objectives. A strategy or white-board session with audit committee members and senior leadership sponsors can be used to present the results of the assessment and to obtain buy-in for the priority items.

Process. Process changes provide a repeatable method to ensure consistency. Process changes could relate to administrative issues, such as the screening and employment of new staff, or to business process improvement. After analyzing key risk areas, the organization can prioritize business processes for revamping.

Policy. An organization’s fraud prevention program may have numerous policies dealing with tighter controls, new responsibilities, and other data requiring consistent documentation to ensure consistent application. One of the most important policies in a fraud prevention program is the collective group of policies referred to as a code of conduct. A code of conduct presents a set of ethical standards or policies designed to frame the behavior of individuals. Under SOA section 406, public companies must disclose whether they have established a code of conduct or ethics for their officers and senior financial management, and file a copy of it with the SEC. Exhibit 3 lists websites for a number of large organizations that have codes of conduct; some of these pertain to directors and senior management.

Programs. Of the programs that can advance a company’s fraud prevention agenda, a hotline and an ethics program are the two most popular and effective. A hotline program allows a company to establish an anonymous process for employees to report questionable activities. To provide a more complete solution, a program to address ethics in a comprehensive fashion goes beyond a simple code of conduct. Companies that want to help employees make the correct ethical choices relating to environmental, legal, and social decisions may consider an ethics program. Through courses, policies, ethics call lines, and other means, these companies help their employees align business practices with enterprise values and beliefs. Corporate ethics programs are a new area, without much guidance from the SEC or other regulatory groups.

Systems. Computer technology brings new risks in terms of online fraud, but it also brings a host of tools to help prevent fraud. Changes such as the switch from manual controls to automated controls require no significant revamping of systems. Companies can implement new technologies, such as data mining, to make material differences in a company’s fraud prevention efforts. The major credit-card issuers use data-mining techniques to scan purchases for potentially fraudulent activities. If these companies detect unusual patterns, they contact the cardholder to verify that recent transactions are legitimate. As technology costs continue to fall, continuous auditing and other new technologies will provide even more tools to help in fraud detection.

Education and training. Education and training are needed to supplement corporate communications and create awareness at all levels of the organization. The board, senior leadership, and financial personnel may need more extensive training in the inner workings of the programs and ethical issues, as well as a broader and deeper perspective on how and where fraud occurs.

Monitoring

As management develops and implements components of its program, the organization must monitor the program’s employment and usefulness. Process checks are appropriate to monitor hotline activity, controls, and red flags. Quick action in the face of suspected fraudulent activity can dramatically cut losses. Internal forensic experts, or an external team, should investigate all suspected fraudulent activities.

Communications and change management are essential to the monitoring phase because employees must use the new programs before the organization can assess their effectiveness. Making people aware of the new programs and getting them to change from the familiar requires a comprehensive program of change management. Communicating the organization’s messages requires consistent messaging themes and a variety of media. The organization should begin laying out a communication strategy by listing each stakeholder group. At a minimum, different messages must be tailored to employees, management, and groups with specific fraud-prevention responsibilities, such as internal audit, senior management, and the board. Senior management should incorporate into its messaging strategy a message of zero tolerance, proven to be an effective deterrent.

Next Steps

Because financial loss is a company’s greatest worry about fraud, the most cost-effective way to deal with it is to prevent it. According to ACFE, an organization defrauded is unlikely to ever recover its losses, with almost 40% of victims recovering nothing at all.

The most effective deterrent to fraud is a strong “perception of detection.” A complaint or tip hotline can help strengthen the perception of detection as calls are monitored and acted upon and the results publicized. Available to constituencies both internal and external to the organization, this deterrent is valuable and relatively inexpensive. Outsourcing the phone line to a third-party vendor provides the added benefit of ensuring there is no organizational bias in its operations.

Companies and their auditors must develop more-effective internal controls to detect fraud. According to ACFE, fraud uncovered by internal controls tends to be relatively small, ranking the lowest in value recovery of any detection method. Because senior executives are responsible for the largest instances of fraud, management must place even greater stress upon internal control design that can detect senior personnel overriding or circumventing traditional control mechanisms.