Fraud is on the rise across the globe. Criminals are exploiting the convergence of social media, technology, and social engineering to create more potent and widespread scams. No one, and no business, is completely safe from this new wave of fraud. In this podcast, JofA senior editor Drew Adamek talks with Melbourne-based Roger Darvall-Stevens, the national head of fraud and forensic services at RSM, a global tax, audit, and professional services firm, about what finance professionals need to know about emerging global fraud trends, what they can do to protect themselves and their firms, and what the future of fraud might look like.
What you’ll learn from this episode:
- The three types of fraud that are increasing around the world.
- How criminals are exploiting data breaches to perpetrate a variety of fraud.
- What firms should be doing to decrease their vulnerability to fraud.
- Why insider fraud may still be a firm’s biggest risk.
- What the future of fraud may look like.
To comment on this podcast or to suggest an idea for another podcast, contact Drew Adamek, a JofA senior editor, at Andrew.Adamek@aicpa-cima.com.
Drew Adamek: Fraud is on the rise. The combination of social media, technology, and social engineering is creating new, more potent global fraud trends. Accountants and finance professionals are at the vanguard in this new fraud landscape. Roger Darvall-Stevens is the Melbourne-based national head of fraud and forensic services for RSM, a global audit, tax, and professional services firm.
I'm Drew Adamek, Journal of Accountancy senior editor, and I spoke with Roger at a conference in June about the emerging global fraud trends that finance professionals and accountants need to be aware of, how firms can protect themselves against these trends, and why the biggest risk to your firm may come from within.
Roger, thank you so much for joining us.
Roger Darvall-Stevens: My pleasure, Drew.
Adamek: What are the three biggest issues that CFOs should be thinking about when it comes to global fraud?
Darvall-Stevens: So, I suppose it's the three different types in a way. The Association of Certified Fraud Examiners in their global Report to the Nations, which is produced every two years — the latest version is 2018 — talks about the three types. I think it broadly categorizes what organizations and heads of finance should keep a lookout for.
One is corruption in all its different forms, whether it's bribery or procurement fraud, conflicts of interest.
Another one is asset misappropriation, which is really anything of value that gets stolen. That can be accounts payable fraud, accounts receivable fraud, payroll, theft of assets, even theft of intellectual property.
The third is financial statement fraud. That can be cooking the books at the top level, but it can also be anyone throughout the organization misrepresenting performance, which then has an effect on misrepresenting the financial statements often.
Adamek: As you look out over the fraud landscape — the global fraud landscape — how do you see it changing over — or how have you seen it changing over the last four or five years and how do you see it changing in the next three to five years?
Darvall-Stevens: I think the main change has been one aspect that I didn't include in those three categories, which is cyberfraud, or the use of a whole lot of techniques that are used to really commit traditional fraud. So the traditional frauds that I mentioned of corruption, asset misappropriation, and financial statement fraud are always going to be there. They have always been there, and technology has really just changed the enablers to allow it to happen. But what I mean by the cyberfraud — I'll use one or two examples — is relatively new methods and techniques of stealing money. One that heads of finance will be well aware of — or they should be well aware of — is business email compromise or often called "CEO email fraud."
Where often, it might not be the financial controller or the chief financial officer, but it might be somebody in the finance team receiving an email purporting to be from the CEO. Criminals are very clever. They've often looked at someone's LinkedIn or their Facebook and seen that they're overseas at a conference. The CEO is overseas at the conference; they'll do their research on the website for the organization. There's a lot of really good information on the website of signatures on annual reports and a range of things. Then they'll pretend to be the CEO and say, "This has to be paid or else we're going to miss this major contract. Pay $200,000 into this account. Here's the account number. If it's not done ASAP, we'll lose this contract, and it will adversely affect the business."
What amazes me is that employees still don't do the normal thing of ringing the CEO or emailing and saying, "You just sent this. Is this correct?" because they'll just say "no."
The other aspect is ransomware. So those sort of attacks where there's some sort of cyberattack on the organization, and suddenly all the computers are attacked and literally no one can get into the data on the systems. Then there's a ransom asked for by criminals saying, "We can release your data if you pay a certain amount of —" usually it's bitcoin or some cryptocurrency. What is a dirty little secret is that most organizations — when you're in this knowing what goes on — end up having to pay the ransom to free their information because it's not backed up. Or else they'd just say, "Forget it. We're not paying a ransom. We'll go to our backup of data."
Or they're caught out so much that they have to pay the ransom. Ironically, these criminals will honor that and generally free the data because they won't last in criminal business, ironically, if they don't do it.
Adamek: I'm going to make an assumption here that fraud seems to be becoming more global. That if you owned a shop or a business, it required someone to be in your shop or business to steal from you. Now, someone anywhere in the world can steal from you. How does that change the relationship that finance departments and CFOs have with fraud? How does that change their responsibilities, in your mind?
Darvall-Stevens: It raises the bar on all staff needing to be aware a lot more — because I agree with you — and be more professionally skeptical. You're right. It could be somebody in an African country, for example, targeting another country — a business in another country. Sometimes these sort of email scams used to be so amateurish, you'd go, "Seriously? It's not even in correct English. It doesn't look professional." It's pretty easy to highlight that it's a scam. Nowadays, it can look pretty real.
So, yes, they need to be ever vigilant. What I observe is a lot of organizations are focusing on the core business, which is absolutely right, but they're not necessarily putting the investment into the sort of functions like compliance, internal audit, fraud control. And so therefore, there's not the people there necessarily to conduct training for people in finance, for example, to say what to look out for — or in procurement. They're not as well-trained as they could be. Especially to sort of emerging nuances of how things happen — as you pointed out — with technology as an enabler.
Adamek: Do you see — as you look across the fraud landscape — do you see a bigger risk to finance departments in companies coming from inside or outside?
Darvall-Stevens: I think it's probably a changing trend, and it will depend on the industry and the organization. But, traditionally the insider is a majority of the risk. I think finance departments would still need to absolutely be aware of the insider committing fraud and keeping a lookout for red flags of that. But, with the emergence and the prevalence of cybercrime, there's that external threat there all the time like the business email compromise example.
Adamek: How should companies — how do you recommend companies start to train their people differently to prepare for these new threats or these emerging technologies?
Darvall-Stevens: A lot of different risk areas in business require awareness. We're talking fraud, bribery, and corruption risk. Employees should have training. In short, the training should be what to look out for, what is fraud, bribery, and corruption, what are some examples, what are the red flags, and where should they report that? Because then at least management can at least know about it and then take some action.
So that's employee training, but also there's different tranches of training. So, you know, the finance — I would ask finance controllers or heads of finance, "Has your team received any training in fraud, bribery, and corruption control or awareness?" If they haven't, well, they need to.
Also in an organization, there's another tranche of training of people who have fraud-control responsibility and response responsibility. So if they're going to investigate areas of corruption and fraud, do they have any training? That's internal training and that can be done internally, or it can be done through an organization like RSM to conduct training for clients.
Adamek: We've talked about how criminals have ramped up their efforts and ramped up their ability. How do you see the trends in law enforcement and fraud prevention changing and shifting?
Darvall-Stevens: So they're trying to keep up as best they can. It'll be a resource constraint and probably a training and an upskilling situation. I think law enforcement do as best they can within the limitations of their resources and how fast they can keep up with what is chasing the trends. So it depends on the law enforcement organization and which country it is.
Adamek: In talking about skills, when you are talking about management accountants, CFOs, finance professionals, what kind of skills do they need or which skills do they need to be developing to deal with this sort of new fraud environment?
Darvall-Stevens: So it's the professional skepticism, and I think it's the knowledge to know the similar things to what we talked about. What types of fraud there are, what are the emerging trends, what are the red flags to look out for, how do you prevent, detect, and respond to those areas? So even if finance professionals don't necessarily have that key fraud-control responsibility — they might be a fraud-control person with that responsibility or a compliance officer or the head of legal — they still need to have that understanding because they're an absolutely key stakeholder in the lines of defense for the organization.
Adamek: In your view, for companies now it's not just cash that's at stake. What do you see at risk for companies aside from financial damage?
Darvall-Stevens: So, certainly, there's been a ramping up of the traditional risks associated with intellectual property, privacy, private information, data protection, and with changes in data protection laws all around the world. So, criminals are after any sort of private information. It can be a list of customers with their banking records where criminals can then commit identity theft and then identity fraud. I think that's probably the main nonfinancial aspect. Then that, of course, dovetails into reputation risk, where it's probably not even the financial aspects, it's the reputation risk that can impact shareholder — you know, the share price, stock market, and have a massive impact on companies.
Adamek: How do you see the nature of fraudsters changing?
Darvall-Stevens: I just heard a speaker speak at the conference today, Theresa Payton, who's the former White House chief information officer and cybersecurity authority. She predicted that one of the trends emerging — the misinformation that's happening with some of the political circles around the world — that how does an organization prepare themselves for that sort of attack and misinformation on an organization that is completely fraudulent. That is sort of an emerging trend that could occur that organizations probably haven't considered and could actually bring them down.
Adamek: What do you see as the emerging trends in combating fraud moving forward?
Darvall-Stevens: What I see is the opposite of the answer to your question, which is I see organizations reducing or minimizing their resources for fraud control rather than realize that the sort of line of defense that fraud professionals — anti-fraud professionals, internal audit, compliance professionals — they're absolutely key in keeping the organization ethical and operating effectively.
So it might not be the core business of producing the good or service the company is producing, but it's key to the successful governance, risk, and compliance of the organization. So, to answer your question, it's about keeping those resources, keeping them skilled, and making a difference to the organization to maintain that governance, risk, and compliance.
Adamek: What are the most common misconceptions that companies have about fraud?
Darvall-Stevens: Often, it will be "It hasn't happened to us. I don't think it will happen to us. We'll do something that's commensurate with that understanding of the risk of fraud, bribery, and corruption." However, you ask them — I ask clients and often get involved in doing it, "Have you done a fraud and corruption risk assessment?" The answer is "No." So therefore, if you don’t know what the risks are, how do you know that they're being mitigated?
Another aspect of this is whistleblowing. Often there may not be an effective whistleblower avenue or avenues in an organization. So, if employees in particular don't know where to go, they might either not report something that's a suspicion or a concern, or they go to the media or law enforcement. I'm not saying that's bad, but what I'm saying is management would prefer that an employee goes to them first so they could take the right management approach, investigate something, and know what's going on, and take the right management action.
Adamek: It's not just companies and finance departments that are at risk, individuals are increasingly at risk as well, aren't they?
Darvall-Stevens: Of course, yes. So we're talking organizational or occupational fraud generally, or external criminal groups preying on those organizations. But you and I and people who listen to your podcast and their families are potential victims of identity theft, and fraud, and cyberattack. You know, we all probably have stories of a transaction on our individual bank accounts that wasn't authorized. These days the banks are pretty good at sort of telling you straight away, "We've had a transaction in another country; did you authorize this?" You say "No" and they shut it down pretty quickly. But, yes, we're very vulnerable to this, absolutely.
And a good example of what I do when I make any purchases is I literally never let my credit card out of my sight. Coming to America from Australia it's hilarious because you actually do let your credit card out of your sight. I've had some people working at restaurants who I've had to follow behind the counter. They say, "Well, the public aren't allowed here." I say, "Well, you give me the card machine and I'll put in my number and all that sort of thing." So it's quite funny. Yes, we do need to be vigilant of that. We're all potential victims of that.
Adamek: Roger, thank you so much for joining us.
Darvall-Stevens: Thank you, Drew.
Adamek: I'm Journal of Accountancy senior editor Drew Adamek, and I have been speaking with Roger Darvall-Stevens, national head of fraud and forensic services at RSM, a global tax, audit, and professional services firm about emerging global fraud trends and what finance professionals and accountants can do about them.