U.S. businesses need to institute stronger safeguards against potential corporate losses resulting from fraud, compliance breaches, and cyberattacks.
That's the overriding message of KPMG's 2022 Fraud Outlook report, A Triple Threat Across the Americas.
Two-thirds of U.S. executives surveyed by KPMG said that their companies have experienced external fraud in the past 12 months, but just 35% of those companies have a program in place to prevent, detect, and respond to fraud. In addition, more than half of those companies have no plans to increase their budgets for anti-fraud measures.
This leaves companies vulnerable to increased losses resulting from a triple threat of external fraud, compliance breaches, and cyberattacks, according to the report, which also found that:
- More than four in 10 U.S. respondents (42%) said their company has experienced losses of 0.5% to 1% of company profits due to fraud and crime.
- The majority of U.S. respondents (62%) said their company expects a loss as a result of regulatory fines and/or compliance breaches that ranges from 0.1% to 2.5% of profits.
- 38% of U.S. respondents said their companies expect the risk of fraud committed by external perpetrators to somewhat increase in the next 12 months.
- 43% of U.S. respondents said the shift to remote working has increased their company's risk of fraud.
Battling the 'threat loop'
In addition to being widespread and growing, the triple threats of fraud, compliance risks, and cyberattacks are also intertwined into a "threat loop." Companies need to look at and defend themselves against the damage these threats can do in conjunction, as opposed to focusing only on the risks each threat poses in isolation.
For example, an employee stealing client data from their company while working from home raises all three threats simultaneously: the theft itself is fraud, the loss of client data is a compliance breach, and the unauthorized access and exfiltration of that data is a cybersecurity incident.
To combat the threat loop, companies must address the dangers with a collective interconnected effort, according to the report, which recommends a five-step process for mitigating the risks.
- Set the right tone from the top: In addition to promoting a culture that encourages ethical conduct and a commitment to compliance, the board and senior management should put in place standards and procedures to prevent and detect fraud, mitigate compliance and cybersecurity risks, and monitor company compliance with those standards. Companies should also implement protocols that ensure the board is knowledgeable enough to exercise reasonable oversight over compliance and ethics.
- Carry out a risk review: Companies should develop and deploy a comprehensive process for an enterprise risk assessment that focuses on real, not hypothetical, risks related to compliance, cybersecurity, and fraud and misconduct. Management, the board, internal audit, compliance operations, and other stakeholders must work together to identify risk areas and design controls to mitigate those risks.
- Communicate effectively: Senior management must ensure that it clearly communicates to all relevant people that they must take control responsibilities seriously. In addition, employees should be provided with targeted training that helps them understand their personal role in safeguarding company assets and enhancing internal control systems.
- Strengthen detection: Companies should develop and publicize ways for employees and relevant third parties to report suspected wrongdoing and seek clarity and advice on laws, regulations, and company standards of conduct. Employees play a critical role in uncovering major fraud and misconduct. Companies need to create a culture that encourages employees to raise their hands to report misconduct without fear of retaliation from management.
- Create a culture of enforcement and accountability: Companies would be wise to consider updating their policies and protocols with nonpunitive elements of accountability and enforcement. For instance, a company could make ethical behavior, integrity, and principles part of employee performance evaluations and provide rewards for achieving ethics-related or performance targets. Such changes promote the message that disciplinary measures for fraud and noncompliance are enforced consistently regardless of rank, tenure, or job function.
KPMG surveyed 642 executives across the Americas, with 34% of the respondents based in the United States and 42% in North America. The surveyed companies are roughly evenly spread among seven industries: consumer products and retail; energy; financial services; industrial manufacturing; insurance; life sciences and pharmaceutical; and telecoms, media, and entertainment and technology.
The companies ranged in size as well, with 40% having annual revenue of less than $1 billion, 34% with annual revenue of $1 billion to $10 billion, and 26% with annual revenue exceeding $10 billion.
— To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.