The Association of Certified Fraud Examiners’ (ACFE’s) 2012 Report to the Nations on Occupational Fraud and Abuse estimates the global cost of internal fraud at US $3.5 trillion, or 5 percent of total revenue. And, as we all know, internal fraud is only part of the picture.
Everything is moving faster these days, including fraudsters. Today, a rogue employee with a smartphone, given a weak enough control environment, could transfer significant sums of money offshore in the blink of an eye. According to the ACFE, the average fraudster takes US $160,000 out of a company before the fraud is detected. Little of that money is ever recovered.
Detection technology is advancing as rapidly as fraud, with real-time transaction monitoring exposing anomalous patterns that otherwise might go undetected. Means for collecting tips (e.g., hotlines) and a robust internal audit function also have been shown to be effective fraud detectors. Detection, however, should never be your first line of defense.
In fraud, as in health care, an ounce of prevention is worth a pound of cure. Donald R. Cressey, the late criminologist, is credited with identifying the three ingredients required for fraud: motive, opportunity, and rationalization. Today these are collectively known as The Fraud Triangle. With appropriate risk assessment and controls, an organization can effectively shrink the “opportunity” side of the triangle.
As a federal Inspector General, I had a key responsibility to prevent and detect fraud in my agency. I was fortunate to lead a well-resourced cadre of auditors and criminal investigators. In retrospect, I would give us high marks for our ability to detect and investigate instances of fraud that had already occurred. However, I always felt that the real opportunity where fraud was concerned was to have been more effective in prevention. Leveraging our knowledge of fraud risks and getting in early, before the frauds occurred, would have added so much more value.
The IIA’s Practice Guide, Internal Auditing and Fraud — included in the International Professional Practices Framework — offers five key steps to fraud risk and controls assessment:
As always, this is just a conversation starter. Volume 3 of the recently published 6th Edition of Sawyer’s Guide For Internal Auditors offers an excellent overview of fraud, ethics, and people risk. Does your organization do a good job of fraud risk management? Tell us your story. Share your best practices.