Five percent of annual revenue—that’s the estimate of how much money the typical organization loses to fraud, according to participants in the 2010 Report to the Nations on Occupational Fraud and Abuse.
The report, prepared by the Association of Certified Fraud Examiners, an international organization of more than 50,000 fraud examiners, CPAs, law enforcement professionals, government officials and others, examines a wide swath of business-related fraud in an effort to pinpoint problems and highlight solutions. The fraud cases at issue in the report lasted a median 18 months before being detected. While million-dollar-plus financial statement frauds made up a small percentage of the crimes, the majority were less complex asset misappropriation cases involving billing, check tampering, payroll and expense report schemes.
Joseph T. Wells, CPA, CFE, has made the study of such frauds and their fallout his life’s work. After a stint on the audit staff of Coopers & Lybrand, Wells became an FBI special agent. His decade of work with the FBI included investigating former U.S. Attorney General John Mitchell’s role in the Watergate cover-up. In 1982, Wells left the FBI to form Wells & Associates, a firm specializing in fraud detection and prevention. He created and became chairman of the Association of Certified Fraud Examiners in 1988.
Wells discussed with the JofA the 2010 report and how CPAs can put the findings into practice. Excerpts from the discussion follow. Click here to read more questions from the interview or read the full report, released June 2, at acfe.com/rttn.
JofA: What was the most surprising finding in this year’s report?
Wells: Perhaps the most striking—if not exactly surprising—finding is the overall consistency of our data from one study to the next, in terms of the losses, schemes, detection methods and perpetrators of occupational fraud. This is our sixth study of this nature, and each time we’ve noted remarkable evenness in these trends. Now, with international data for the first time, we can see that the fraud problems of non-U.S. companies are much the same as our own.
JofA: Accounting departments appear to be particularly vulnerable to fraud schemes, according to the report. Any observations/ suggestions related to that finding?
Wells: If we drill down into asset misappropriation schemes, we classify them as “cash” and “other assets.” Historically, over 80% of all asset misappropriations are cash. The accounting department is the financial nerve center of the organization, where receipts and disbursements are documented. It would therefore be logical to be a target of insider misdeeds. One of the three key elements to the fraud triangle is opportunity, and obviously, the people who deal with incoming and outgoing cash on a daily basis are going to have greater opportunities.
Ironically, in most organizations the accounting department is the place where controls are most strongly enforced, and yet we’re still seeing more fraud there than anywhere else. This shows that traditional controls alone are insufficient to keep occupational fraud from occurring. A large part of the reason is that accounting department employees are more likely than just about anyone in the company to be familiar with the controls and how to develop methods to circumvent them.
JofA: The report takes a detailed look at asset misappropriations and their toll. What are the most effective ways to snuff out threats such as billing schemes, one of the most common and costly occupational frauds?
Wells: Billing schemes are common because they’re easy to commit, especially in a small business environment. The typical billing scheme is where an employee causes a payment to be issued to either a nonexistent vendor or to a company controlled by the employee. Many employees in these situations have checks sent to their residence. So there are several simple steps that will help prevent or detect billing schemes. First, know the vendors by vetting them. This can sometimes be as easy as verifying that they are listed in the phone book. Second, make sure that the same employee who is authorized to set up a vendor doesn’t have check-writing or check-approval authority.
Third, run vendors’ addresses against the home addresses of employees. If there is a match, probably a billing scheme is afoot. There is much antifraud detection software on the market that will perform these kinds of tests and many more. CPAs and their clients are encouraged to use them; the programs are quite affordable. (For a closer look at some common asset misappropriation schemes, click here.)
JofA: Financial statement fraud in the U.S. represents a small percentage (in terms of number of occurrences) of the problem compared to corruption and asset misappropriation, but when measured by dollars, its piece of the pie is much greater. How should CPAs in business or public practice determine where to place their fraud-fighting emphasis given those results?
Wells: Without question, large financial frauds have been the bane of the auditing profession and get big headlines. But the lion’s share of the problem is in small business; 85% of U.S. enterprises gross less than $5 million, and it is those businesses that have the greatest risk of occupational fraud. The “average” CPA (if there is such a thing) doesn’t audit multibillion-dollar conglomerates and is much more likely to come across an asset misappropriation scheme in a smaller entity. As data in the report reflect, these schemes are quite common, and most companies have or will experience them.
In small business, there is really no such thing as an “immaterial” fraud. Granted, the dollar loss might not be large, but there are lots of them, and they can undermine trust and morale. If someone in a small organization is fired and/or prosecuted for fraud, it sends shock waves throughout the company. When a fraud occurs, no matter the amount, there are no winners. That is why it is important to spend limited audit and organizational resources on trying to prevent fraud from occurring.
One place to start is with a checklist (see sidebar, “Fraud-Prevention Checklist”). Even if a CPA doesn’t audit clients, providing them with a similar checklist could be valuable. An ideal situation, in my opinion, is where CPAs offer small businesses antifraud consulting to help identify control weaknesses and to provide limited services such as periodic reviews of cash accounts. Most small businesses don’t need and can’t afford a full audit. But they do need help developing basic antifraud measures, and this can be a revenue opportunity for practitioners.
JofA: How can the accounting profession improve its response to fraud?
Wells: The first is that accounting students need to get more antifraud education at the undergraduate level. That can and must be fixed. The second is that looking for fraud, even with adequate training, adds cost to the audit, and the process is by no means foolproof. But many frauds can be prevented with simple, common-sense measures. It is up to the CPA to understand these measures and enlist their clients in helping prevent frauds. There is also guidance in Statement on Auditing Standards (SAS) 99, which is more detailed than its predecessor, SAS 82.
JofA: What do you think the CPA’s role should be in helping management understand that a financial statement or internal control audit does not serve the same purpose as a forensic audit?
Wells: The disconnect between client expectations and auditor capabilities in detecting fraud was formally addressed by the Treadway Commission in the mid-1980s by using the phrase “expectation gap.” As much as CPAs over the last 25 years have tried to educate clients about what an audit can’t accomplish, public expectations remain largely unchanged. Although engagement letters typically address the limitations on fraud-detection capabilities, we also need to emphasize this point in the initial face-to-face meetings with clients and in audits thereafter.
JofA: You have said that, although respondents cited the lack of internal control as the primary internal control weakness in occupational frauds that occurred, you believe that too much emphasis is placed on that factor. Can you describe why?
Wells: Saying that there is deficient internal control when fraud occurs is much like saying that when there is a fire, heat is present; it doesn’t tell us much that we don’t know. Hindsight is always 20/20. One thing we know about internal control is that it provides only reasonable, not absolute, assurance. In short, I think we ask internal control to do too much. While controls are necessary, that isn’t what really deters fraud; it’s the perception of detection. Succinctly stated, those who perceive that they will be caught committing fraud are less likely to commit it.
A simple example illustrates. One control in a small business is to have the bank statement delivered, unopened, to the owner. He or she examines the deposits for reasonableness and looks for checks paid to inappropriate parties. This is an excellent way to detect fraud. But in order to prevent it, others in the organization should know the boss is going to go through the bank statements. The moral of this story is that auditors should not conduct most fraud-related audit tests in secret, but rather let others in the company know about them when appropriate. This increases the perception of detection.
JofA: You have observed that audits, per se, are not particularly effective in detecting occupational frauds but have a significant role in preventing them. Can you elaborate?
Wells: Frauds at audited companies were both caught more quickly and caused smaller losses than those at unaudited organizations. This makes audits an excellent fraud-prevention tool. However, external audits by themselves detected fewer than 5% of the frauds in our study. In comparison, 8% of the cases were detected by accident. This shows that external auditors are catching relatively few occupational frauds compared to other means of detection. I’ve discussed two of the main reasons earlier.
But another reason we don’t detect many frauds in audits is that the clues can be largely behavioral and not necessarily financial. This covers such things as noticing employees who live beyond their means; who have known financial problems; and/or who have a bad attitude toward their employers. These behavioral clues are least likely to be observed by auditors who spend a limited amount of time in a company or department, and most likely to be observed by people who work there all of the time.
Nonetheless, the true antifraud value of audits lies in their ability to increase perception of detection discussed previously. This is particularly true when two things are incorporated into the audit process: (1) an element of surprise and (2) an explicit fraud focus. When employees believe that auditors are on the lookout for fraud and can show up anywhere at any time, audits become an even better fraud-prevention tool.
JofA: The report points out clearly that tips and complaints are the No. 1 method of fraud detection. Why is that?
Wells: The reasons that employees furnish tips vary. For some, it is a sense of duty to their employers. Others are upset that a co-worker has committed fraud. And then some tipsters do so for revenge. But the important thing is whether or not the information furnished is accurate, not the motivation of those reporting the conduct. Third-party hotlines have the advantage of anonymity for the person furnishing the information and likely increase tips. For those companies that want to detect fraud in their midst, though, that starts with a hotline but doesn’t end there.
Fraud prevention is a joint effort between management and employees. If workers are taught that fraud costs jobs, raises, reputations and individual dignity, they become stakeholders in fraud prevention. (For more on hotlines, see sidebar, “Audit Committee Considerations for Whistleblower Hotlines.”)
JofA: What new or recent technologies are changing the way CPAs investigate fraud?
Wells: There are, of course, many software programs available to do traditional data analysis. Perhaps the most inventive up-and-coming fraud-detection method is the use of textual analytics. It is still being perfected, but in a pilot research project by the ACFE and Ernst & Young, we developed a comprehensive list of key words and phrases that appear in e-mails that might be indicative of fraud. Examples include “can’t make the numbers,” “override,” “fudge” and “get caught.” There are many more.
Companies and auditors might use this kind of software as a component of a fraud risk assessment or fraud-detection system. Or, in response to a suspected fraud, auditors or fraud examiners could run textual analysis to help define the scope of the investigation, seek out additional evidence, and identify suspects. Because of potential privacy issues, these types of programs should be discussed with counsel before being used.
Though such advancements greatly enhance the way frauds are detected, the Holy Grail for CPAs would be a program or checklist that would easily point to material fraud. It does not yet exist, and I doubt that it will in the future. Because in many frauds, we are forced to go beyond the numbers to the complex human behavior that causes it in the first place.
For a detailed look at the report’s findings on common asset misappropriation schemes, click here (PDF).
To read additional questions from this interview, click here.
Kim Nilsen is the JofA’s editorial director. To comment on this article or to suggest an idea for another article, contact her at firstname.lastname@example.org or 919-402-4048.
Wells: There are a number of things that businesses can do to reduce occupational fraud at minimal costs by simply going back to the basics. For employees with access to cash, credit cards and other easily stolen company assets, they should be vetted by background checks before they are hired. These are not expensive, and the real value is letting the potential employee know about the check. That by itself discourages would-be thieves from applying. But the No. 1 fraud prevention tool is education. The more businesses, employees and auditors know about fraud, the less likely they will become victims.
JofA: It looks from comparing the 2008 and 2010 reports that the median loss and the median duration were both down slightly ($175,000 to $160,000 and 24 months to 18 months). What does that tell you?
Wells: An optimistic hypothesis might be that we are getting better at detecting occupational frauds, thus limiting the amount of financial damage they cause. However, it’s important to remember that our report looks at individual cases, not aggregate fraud within organizations. So while we’re seeing that the median loss in this study was $160,000, it’s possible there are actually more frauds happening, just with slightly lower amounts.
JofA: Can you talk about why the Report’s scope was widened from the U.S. to include other countries, how the countries were selected and what were some of the most interesting national differences in the responses?
Wells: The reason the Report’s scope was widened is that now over 40% of ACFE members do not live or work in the U . S. The result is that the data in our current study reflects real fraud cases that occurred in 106 countries. It is important to note that, although the ACFE has many accountants as members, we are not an accounting organization; law enforcement and private-sector fraud examiners are major elements of our membership and they are therefore able to furnish us unique information. One significant finding is that corruption cases were a much larger element in countries outside the U . S . and Canada. This is probably due to cultural differences; paying bribes and kickbacks to do business in some foreign countries is common. In addition, we saw measurably higher losses in non-U.S. regions, particularly Asia and Europe. A third finding is that gender differences were significant in our study. Occupational frauds are more often committed by males than females, but the imbalance of men is quite pronounced in regions outside the U.S. and Canada. An educated guess for this is that more and higher level financial positions are occupied by males in the international environment.
JofA: What are the future trends in fraud?
Wells: Right now we are seeing serious transnational frauds; that is, the perpetrators being from one nation and the victim or victims residing in another. This is being caused by two reasons. First is the connectivity of computers worldwide. The second is the economic rise of some countries—specifically China and the nations of the former Soviet Union. Transnational frauds are a law enforcement nightmare, and no easy solutions exist. Other trends in fraud are ones that currently exist: financial statement frauds and frauds against the government. I expect both to get worse before they get better. The economic stimulus package is also likely to stimulate more instances of fraud.
Moreover, health care costs are provided in large part by the government. According to a 2009 report by the Kaiser Foundation, 16% of the country’s GDP is spent on health care, about $2.2 trillion. That percentage is more than double what it was in 1970. And this number is growing. Several years ago, knowledgeable experts estimated that about 10% of health care costs involved fraud in some form. Unless there are some significant changes in the way heath care payments are administered, it will continue to be a significant problem probably for decades to come.
Do you need to size up how vulnerable your company might be to fraud? Ask the following questions. CPAs in public practice can use this list to help clients test the strength of their fraud-prevention and -detection measures.
Is ongoing antifraud training provided to all employees of the organization?
- Do employees understand what constitutes fraud?
- Have the costs of fraud to the company and everyone in it—including lost profits, adverse publicity, job loss, and decreased morale and productivity—been made clear to employees?
- Do employees know where to seek advice when faced with uncertain ethical decisions, and do they believe that they can speak freely?
- Has a policy of zero tolerance for fraud been communicated to employees through words and actions?
Is an effective fraud-reporting mechanism in place?
- Have employees been taught how to communicate concerns about known or potential wrongdoing?
- Is there an anonymous reporting channel available to employees, such as a third-party hotline?
- Do employees trust that they can report suspicious activity anonymously and/or confidentially and without fear of reprisal?
- Has it been made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated?
To increase employees’ perception of detection, are the following proactive measures taken and publicized to employees?
- Is possible fraudulent conduct aggressively sought out, rather than dealt with passively?
- Does the organization send the message that it actively seeks out fraudulent conduct through fraud assessment questioning by auditors?
- Are surprise fraud audits performed in addition to regularly scheduled fraud audits?
- Is continuous auditing software used to detect fraud and, if so, has the use of such software been made known throughout the organization?
Is the management climate/tone at the top one of honesty and integrity?
- Are employees surveyed to determine the extent to which they believe management acts with honesty and integrity?
- Are performance goals realistic?
- Have fraud-prevention goals been incorporated into the performance measures against which managers are evaluated and that are used to determine performance-related compensation?
- Has the organization established, implemented, and tested a process for oversight of fraud risks by the board of directors or others charged with governance (for example, the audit committee)?
Are fraud risk assessments performed to proactively identify and mitigate the company’s vulnerabilities to internal and external fraud?
Are strong antifraud controls in place and operating effectively, including the following?
- Proper separation of duties
- Use of authorizations
- Physical safeguards
- Job rotation
- Mandatory vacations
Does the internal audit department, if one exists, have adequate resources and authority to operate effectively and without undue influence from senior management?
Does the hiring policy include the following?
- Past employment verification
- Criminal and civil background checks
- Credit check
- Drug screening
- Education verification
- References check
Are employee support programs in place to assist employees struggling with addiction, mental/emotional health, family or financial problems?
Is an open-door policy in place that allows employees to speak freely about pressures, providing management the opportunity to alleviate such pressures before they become acute?
Are anonymous surveys conducted to assess employee morale?
Audit committees should consider the following questions when assessing the design effectiveness of a hotline:
- Does the hotline have a dedicated hotline number, fax number, website, e-mail address, and regular mail or post office box address to expedite reports of suspected incidents of misconduct?
- Does the hotline demonstrate confidentiality, including showing how caller ID, e-mail tracking, and other technologies cannot be used to identify the whistleblower? Has the entity considered use of an independent hotline operator to enhance the perception of confidentiality in addition to any real improvement?
- Does the hotline use trained interviewers to handle calls to the hotline rather than a voice mail system?
- Is the hotline available 24 hours a day, 365 days a year?
- Does the hotline have multilingual capability to support hotline callers with different ethnic backgrounds or who are calling from different countries?
- Are callers provided with a unique identification number to enable them to call back later anonymously to receive feedback or follow-up questions from investigators?
- Does the entity have a case management system to log all calls and their follow-up and to facilitate management of the resolution process, testing by internal auditors and oversight by the audit committee?
- Has the entity established protocols for the timely distribution of each type of complaint, regardless of the mechanism used to report the complaint, to appropriate individuals within the company and to the audit committee and board of directors where appropriate? Are complaints of any kind involving senior management automatically and directly submitted to the audit committee without filtering by management or other entity personnel?
- Does the entity effectively distribute comprehensive educational materials and training programs to raise awareness of the hotline among potential users? Are these materials available in all relevant languages given the potential user base, and do they take into consideration cultural differences that may require alternative approaches to achieve the desired goal?
- Does the entity support outreach to potential stakeholders other than employees?
- Do the entity’s internal auditors periodically evaluate the design and operating effectiveness of the hotline? What were the internal auditors’ conclusions regarding (a) how the hotline reflects changes in the company’s operations and in best practices, (b) whether the hotline is receiving satisfactory support from management, employees and other participants, and (c) whether protocols established for forwarding information to the audit committee have been followed?
—Prepared by the AICPA Antifraud Programs and Controls Task Force.
JofA: ACFE did a study in 2009, Occupational Fraud: A Study of the Impact of an Economic Recession, which showed businesses were not increasing their level of spending on fraud prevention. Dollars are tight everywhere. What advice do you have for businesses looking to heighten their efforts in a low-cost way? Where can they get the biggest bang for the buck?