Protecting Your Company Against Fraud
I collect fraud case studies.
Why? Because it is my job to understand how fraud occurs, how it is discovered, and how much damage it causes. I have a responsibility to help my clients prevent these situations, or at least mitigate the damages. I analyze and observe the circumstances surrounding fraudulent activity. I pay close attention to how management acts, both before and after the fraud is discovered. I incorporate that knowledge in my practice.
One of my most frustrating observations is this: fraud is almost certain to occur, and create significant loss, whenever Management assumes that somebody else will take the responsibility for fraud prevention. Repeatedly, I have seen members of management convince themselves that their risks of business fraud will mitigate without their direct involvement. They look to government, regulators, auditors, internal auditors, and even basic employee integrity to provide the protection that they haven’t put in place themselves.
It simply does not work! The only effective solution rests solely with the leadership and its consistent commitment to addressing the risks of loss. No one else can be as effective as Management.
Fraud risks are not inconsequential. The Association of Certified Fraud Examiner’s (ACFE) 2008 Report to the Nation estimates that there are 5.7 million fraud incidents a year, resulting in losses approaching $1 trillion! That is almost 7% of all annual business revenues. The median fraud loss approximates $175,000…regardless of the size of the company. Fraud by your long time employees and managers increases those losses significantly. If you run a small business or a nonprofit, those losses can be devastating. The organizational damage will take months, if not years to repair.
The elements of fraud, Need, Opportunity and Rationalization, are always present. We live in a capitalist society where the differences between need and greed are often hard to distinguish. We incentivize those who take risks. We encourage the competitive desires of our workers to strive for something better. We venerate the successful and the wealthy. In doing so, we reinforce need and rationalization, two of those three basic fraud elements.
Yet, we continue to be surprised when those super stimulated elements coalesce into the taking of an opportunity…. the commission of fraud. The statistics published by ACFE indicate that the perpetrator is frequently a trusted, experienced employee or colleague who knows how ‘the system’ works. By the time we discover what has been done, it’s usually been going on for a year or two. And when the shock is over, the recriminations begin:
“The auditors should have caught it.”
“Don’t we have any internal controls?”
“Why wasn’t the audit committee paying closer attention?”
“What do I pay my internal auditors for?”
“Why didn’t the SEC investigate?”
Sadly, the recriminations only voice the frustrations of the victims. They come too late to do anything constructive. The damage is done. However, we don’t hear these cries from those who took responsibility for their own protection. They either haven’t been victimized, or have been able to react fairly quickly to minimize their losses. Planning and vigilance will do that.
Studies have shown that Management can decrease fraud opportunities, reduce rationalization, create ongoing monitoring tools that identify fraud indicators, and reduce fraud losses. The tools are available to anyone who wants to invest a little time and effort. If you don’t choose to be one of the victims, you simply can’t leave the responsibility to others.
I’ve managed and consulted in businesses of all kinds for more than 35 years. In all those years, I have never found an effective shortcut for good management. The Sarbanes-Oxley Act attempted to put some regulation into “The Tone at the Top.” COSO, the organization that created the most accepted guidance on control frameworks, addressed a myriad of management best practices. MBA schools teach all the right techniques. Consultants make millions trying to improve corporate cultures. They create roadmaps for action.
But only Management can effectively execute those actions.
You can never dictate good behavior and good business practices. If Management doesn’t believe in the importance of what is being done, it will not follow through, and the initiative will fail. Employees know what Management cares about. They see it in the daily words and actions of their leaders. No policies, procedures or good ideas will ever succeed without persistent reinforcement. If your employees know you care, and are going to check up and follow through….because you care….they will gladly follow. Convincing them requires conviction, attention, and consistent behavior. Initially, that isn’t easy. However, once your employees begin to accept your commitment, they will quickly perpetuate your programs and goals throughout the organization.
There are many actions that have been proven to reduce the impact of fraud. Surprise audits, job rotations, mandatory vacations, whistleblower hotlines, employee support programs, anti-fraud policies, defined codes of conduct and fraud training for executives and employees are just some of the most effective ones. There are a myriad of tools that are readily available on the internet, and from other sources. Those tools can assist you in designing and implementing useful control activities that can reduce or eliminate much of your risk.
Management should establish a “no tolerance” attitude toward fraud. Provide your employees with the ability to report what they observe without recrimination (whistleblower policies). Studies show that employees need to know that reports of misbehavior by others will be addressed. They also want to know that they can report problems without directly confronting their supervisors. Make it easy for them to support you.
Treat your employees fairly and with respect. Set up impersonal monitoring controls that will help you detect the indicators of fraud. Communicate your concerns and goals to your employees. Most of all, show up every day reinforcing where you stand….in words and actions. No auditor, government regulator, or law enforcement official is ever going to be able to build or monitor the control environment that can mitigate your risks. Hoping that they can is an abdication of basic leadership responsibility. Hope is not a strategy!
Figuring out what to do isn’t hard. Implementing a comprehensive program…and keeping it running effectively…is! In the end, it is Management’s commitment to create and maintain an effective anti-fraud environment that will keep your risks to a minimum.
So? Who are you going to trust? Will you rest easy hoping that someone else is watching over your business for you?
Can you afford to?
This publication contains information in summary form and is intended for general guidance only. It is not intended to be a substitute for detailed research nor the exercise of professional judgment. Neither BPM nor any member of the BPM firm can accept any responsibility for loss brought to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
View Clark’s Bio
