Tuesday, September 1, 2009

Detecting Fraud

Money Back GuaranteeImage by Roby© via Flickr

KPMG released their Fraud Survey 2009 the other day. Among some of their findings were:
  • Nearly a third of executives expect some form of fraud or misconduct to rise in their organizations
  • 66% of respondents reported that inadequate internal controls or compliance programs at their organizations enable fraud and misconduct to go unchecked.
  • Roughly a quarter of respondents lack effective protocols on how investigations should be conducted and what point the board of directors should be alerted to potential concerns. (check out our website in the next few days to sign up for a webinar addressing internal investigations)
There was a lot of thought-provoking data in addition to the stats above. But the one thing that got me thinking was their finding that 47% of executives believed that Internal Audit, Legal or Compliance would be the most likely to uncover fraud in their organization - the number one source for detection. Yet they note in their report that this contrasts with the findings in both the ACFE Report to the Nation 2008 (tips were identified there as the number one source) and their own KPMG Integrity Survey 2008-2009 that cited Internal Audit as among the least likely channels to which employees would feel comfortable reporting misconduct.

From an EthicsPoint perspective, we've always said the venue is not important - whether fraud is detected by people reporting via a hotline, though face to face conversations with their manager, HR or other appropriate personnel, through controls or other methods - what's important is that your organization have a strong ethical culture, a way to collect reports of misconduct, and a system to consistently investigate, document, resolve and ultimately analyze each report.

But I'm curious as to your reactions - In your own organization or experience, what do you think is the most important channel for detecting fraud?
Reblog this post [with Zemanta]

Comments

3 Responses to "Detecting Fraud"

Andrew Mitton said... September 2, 2009 at 4:06 PM

A strong ethical culture is one that wants to receive and respond to all reports even if it hurts them. The culture understands that ignoring the holes in the ship will ultimately sink it. So they make sure everyone understands that they have a duty and obligation to report any holes in the ship or everyone sinks. So yes, an ethical culture is where it's at. Otherwise the program is just a paper program that collects dust on the shelf.

meric bloch said... September 8, 2009 at 1:52 PM

The most important channel is probably HR because any discovery of fraud is going to have employee-specific consequences. They seem to be the first to know.

And I agree 99% with Andrew. I don't think it is the culture as much as the leadership. The bosses have to believe that (i) there is always misconduct happening in any company, and (ii) the sooner it is discovered, investigated and learned-from, the better.

John Hanson said... September 19, 2009 at 7:00 PM

The statistic regarding the perception by Execs that internal audit (IA), legal or compliance would be the most likely to uncover fraud is not surprising. There remains, in general, a perception that audits uncover fraud, both by the public about external audits and, I find, insiders about internal audits, et al.

I have generally found that though IA is more likely to find fraud than external auditors (an opinion supported by the ACFE surveys year after year), there is still a wide gap as it relates to this between executive expectations and practical reality.

Last year, my firm was appointed as the Monitor of a company after many of their Sr. Execs had been involved in a False Claims scheme. In response to the fraud, about a year prior to our appointment, the company had tasked their internal audit, along with their external auditors (a “Big 4 Firm”) and another external consultant to analyze the internal controls in their financial processing functions (i.e. Accounts Payable, Cash, etc…). As a result of their assessment, they made significant changes in these areas, many of which decreased the risk of fraud. Despite this, I was obliged to conduct my own internal control assessments, which included the areas they had covered. To the company’s amazement, after speaking with several people in one of their departments, I was able to find two ways by which significant fraud could still be committed in that department.

To be fair, I think they did a very good job in the assessment they did and the changes they made. The point is only that most companies do not have significant fraud expertise in-house and most internal & external auditors and compliance personnel have not developed an effective investigative mentality. I was able to find these areas because of the extensive experience I have in conducting fraud investigations where internal controls have been circumvented, failed or didn’t exist. Significant interviewing skills and experience played a role as well.

When I was an instructor at the FBI Academy, I developed a fraud course that was specifically designed to affect how New Agents think. Specifically, the course was designed to instill an effective investigative mentality. Since leaving the Bureau, I’ve redesigned and re-tooled this course, which I now use in the private sector for the same purpose. I call it “Advanced Forensic Accounting” and for anyone in the New Orleans area, I’m teaching it on Oct 16, 2009 (link for more info: http://thefraudguy.com/2009/09/19/advanced-forensic-accounting.aspx).

I agree with Ethicpoint’s perspective as written above that what’s important is a strong ethical culture (which begins at the top) and “a way to collect reports of misconduct, and a system to consistently investigate, document, resolve and ultimately analyze each report.” Though I think it is implied within that statement by the use of the word “resolve,” another key area revolves around how the company reacts or responds (i.e. fire and prosecute equally at all levels for fraud, remediation of control failures, etc…). A solid compliance program must prevent, detect and react with equal fervor.

To get back to the original question of what is the most important channel for detecting fraud, it is people. This seemingly simple response, which is consistent with the ACFE’s findings (after all, tips come from people), is dramatically complicated by the factors that affect it. But the more that an organizations’ people are aware of why people commit fraud (occupational fraud as opposed to “predatory fraud”) and the red flags of fraud, combined with the less they accept/tolerate it (institutionally and personally) and have the ability to report it, the more likely an organization is to more quickly detect fraud. Within this, internal audit, compliance and legal all play an important and necessary role.

John “The Fraud Guy” Hanson
Email: Jhanson@thefraudguy.com
Web: www.thefraudguy.com

Post a Comment