3 Steps to Mitigate Occupational FraudACFE Report Highlights Latest Fraud Trends
Occupational fraud is quite possibly the largest form of fraud, says John Warren of the Association of Certified Fraud Examiners. So, how can organizations spot the potential fraudsters and prevent their crimes?
Warren, VP and general counsel of the ACFE, co-authored the new study, Report to the Nations on Occupational Fraud and Abuse, and says the trends in occupational fraud highlight some important lessons for organizations.
Based on his research, Warren recommends organizations:
- Set up an effective tip hotline: "We found that organizations with hotlines had a 44 percent lower loss per scheme than organizations without hotlines," Warren says in an interview with Information Security Media Group's Tom Field [transcript below]. Organizations need to do everything they can to encourage employees to report any misconduct and see, and to do so without fear of being retaliated against, Warren says.
- Train managers and employees: In order for people to report fraud, they have to know what it looks like and how to report it efficiently. "Many people after the fact ... say, 'Yes, I suspected he or she was doing something wrong,' but they weren't sure it was fraud or they weren't sure they should report it,'" he says.
- Have basic controls in place: Those controls include management review of employees and segregating work duties, Warren says. "Controls are the most basic and important anti-fraud measure."
In an exclusive discussion about the ACFE's 2012 Global Fraud Study, Warren discusses:
- The most common occupational fraud schemes - and how they have evolved;
- The most effective fraud detection and prevention solutions;
- Top traits to watch for in prospective fraudsters.
Warren has served as general counsel of the Association of Certified Fraud Examiners since September 2004. He is chief legal officer of the ACFE, responsible for providing guidance, oversight and direction to ACFE management and staff on all legal issues that affect the association.
Aside from his legal responsibilities, Warren is also responsible for producing the Report to the Nation on Occupational Fraud and Abuse, a bi-annual report issued by ACFE on the costs and effects of occupational fraud. He also has worked on behalf of ACFE to develop the Institute for Fraud Prevention, a multidisciplinary academic research center and consortium of universities dedicated to preventing and deterring fraud and corruption through research and education.
TOM FIELD: You've just released your 2012 Global Fraud Study that looks at occupational fraud themes, and I think it would be useful for our audience if one, you could define occupational fraud and then, two, give us some perspective on this particular scheme's place in the hierarchy of fraud schemes that typically plague organizations?
JOHN WARREN: Occupational fraud - we have a formal definition in our report which defines it as the use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets. That's kind of a mouthful, and what we're really talking about here is insider fraud.
Broadly this falls into three categories. There's financial statement fraud, which we've all heard about. Examples would be executives overstating an organization's assets or hiding liabilities to fudge the balance sheet or the income statement. The next category is corruption schemes which involve things like bribery, conflicts of interest, acts of economic extortion, or paying legal gratuities to officials as a reward for business or contracts. Then the last category is asset misappropriation. When we're talking about that, it's what most people typically think of as embezzlement - attempts to steal an organization's cash. Common examples would be submitting false invoices to the company, getting them to pay for non-existing goods and services or for personal purchases. Another example would be skimming, where an employee's skimming off receipts that come into the company before they're recorded, and it can also cover theft of physical assets, inventory or even theft of information in some cases. It's a pretty broad category, but again what we're really looking at is employees, managers and executives who are defrauding their employing organizations.
In terms of where it fits into the hierarchy of all fraud, we hear a lot about other kinds of fraud - healthcare fraud, identity theft - and those are huge, huge areas of fraud. We don't really know how large the problem of occupational fraud is for a few reasons. Most frauds run for a long time before they're detected, so at any given time there's fraud ongoing in a given organization that no one knows about yet. We can't really accurately measure how much fraud's going on at a given time. There's also no central repository where all fraud cases are collected, so we don't really have accurate data on how many cases of fraud occur within say the United States in a given year, and probably the most important problem is that organizations very frequently choose not to report fraud even after they've detected it. There may be concerns about lack of customer confidence. It could be out of desire to make sure the stock price doesn't take a hit. And very frequently they just don't want to deal with it or they deal with it civilly; they fire the perpetrator or they try to get some of the money back and they just try to kind of move on. They don't pursue criminal charges.
For all of these reasons, we don't have a real accurate measure of how large the problem is. However, I would speculate that it's probably the single largest form of fraud in the world in terms of both the number of occurrences and the losses. There are a couple reasons for that. Fraud schemes are by-in-large schemes of opportunity, meaning that people steal money where they have and see an opportunity to get access to money. When you consider the size of the global workforce, the number of people who are simply employed, and you consider that when a person finds himself in need of funds or with a desire to steal money from someone else, they will look to the place where they have the greatest opportunity to access someone else's funds. Their employer is usually going to be the most accessible avenue.
If I got to work and I see checks passing across my desk everyday - say I work in accounting or I have access to the payable system and I run invoices through payables all the time for large of sums of money - it doesn't take such a big shift in my mental outlook to rationalize that, "Well, I'll just run a couple of checks through the system and then I'll pay the money back. That way I don't feel like I'm really a criminal; I'm just somebody who has had a hard time." Then of course, as time goes on, I don't pay it back. I end up stealing more and more money and the crime goes on until eventually I'm caught or I just disappear. That's basically when we're talking about occupational fraud - that's why I believe the problem is so incredibly large.
Costs of Fraud
FIELD: That's a great description of the types of occupational fraud. What do you find to be in your survey the hard, soft and even some of the hidden costs of these incidents you've described?
WARREN: In our study we looked at 1,388 actual cases of fraud that occurred in different regions around the world and different companies. The median loss per scheme was $140,000 per fraud. That's not per company; again, I want to emphasize that. That's per scheme. We only look at one case at a time. In a large company, you may have dozens or hundreds of fraud schemes going on at one time, so the loss can obviously be very large.
In addition, I would point out we measure median loss as a conservative estimate of the loss an organization has experienced. In other words, median means if you took all the frauds and arranged them from the smallest dollar loss to the largest, the median would be in the middle. If you look at the mathematical average, the average loss in these cases is well over a million dollars per scheme. We're talking about really high dollar, hard losses.
In addition to those, you have other costs involved, including the cost of investigating the fraud. Once the organization discovers it's been defrauded, there are significant costs involved with investigation, both through your internal resources and very often you'll bring in outside accounting firms, law firms and investigators to help you sort through and figure out who took the money or how much money is missing. There are costs in terms of assessing that damage for attempts at recovery, trying to track down the money.
Another cost that's involved is just the resources you divert from other operations, especially in the case of a very large fraud. You can find easily that a significant portion of your executive management, your audit staff, your outside accountants, are focused on dealing with this fraud that has already occurred instead of dealing with the primary operations of your business, which is a really big problem.
Then, other hidden costs are the loss of trust within your organization. A company cannot function without placing trust in its employees. We have to at some level choose to trust that our accounting department is going to process payments in the correct way [and] they're not going to steal us blind; that our executives are going to operate in the best interest of the company and so forth. When you have a fraud scheme like that, it can really sever those bonds of trust. It can cause incredible damage to a company's morale and then you can have other ancillary financial losses - loss market capitalization; loss of consumer confidence; the company itself may end up facing criminal or civil legal action depending on the type of fraud. There is any number of costs that are associated with these crimes that go far beyond the median and average loss that we report in our study.
Who's Committing the Fraud?
FIELD: Who do you find is most commonly committing these crimes?
WARREN: We break down the perpetrators of the fraud in a number of different ways. We gather quite a bit of information on the demographics of the fraudsters. At a high level, we break them down by position within the organization, from general level and authority. We find that about 42 percent tend to be employees, 38 percent managers and then the smaller number - just under 20 percent - fall into the category of owner/executive, although those individuals are the ones that cause the highest dollar losses. About half of the fraudsters fall in the age range of 31-45, but when you look in terms of loss it's the older fraudsters, the people 50 and above, who tend to cause the largest losses.
Curiously, only about eight percent of fraudsters in our study historically commit fraud within the first year of tenure at their organization. When you're encountering an occupational fraud, it's usually somebody who has worked for you for a while. I think that probably relates to those people needing time to understand the company's internal controls, their culture, to know how to commit a fraud as well as the fact that most people don't start work at a company with the intent of defrauding it. They usually end up choosing to do that because they face some sort of financial problem of the kind I mentioned before - gambling debts, healthcare bills or whatever.
About 65 percent of fraudsters tend to be male and that has been consistent throughout our study. Males also interestingly cause much higher losses per scheme, which has been very consistent since we started tracking that data back in '96. Then in terms of department within the organization - I think maybe the most important - we find that about 80 percent of frauds come from six departments within an organization typically. The most come from accounting, which usually makes up just under a quarter of the fraud cases we see, and then primary operations, sales, your executive/upper management department, the customer service and your purchasing department. Those are the six groups that will typically account for about 80 percent of the fraud in a given organization.
FIELD: How are they most commonly being caught? Is it through technology? Is it through human audits? What's the break down?
WARREN: Interestingly, despite all the advances we have in technology and emphasis on control, we find every year far and away the most common means of detection is through a tip. In 2012, it was 43 percent. Usually somewhere between 40-45 percent of cases are caught by somebody simply telling somebody else, "I think this person is stealing or I think this person is doing [something] unethical."
The next most common methods are internal audit and management review, but we're looking at 15, 14 percent for those two categories. You're about three times more likely to detect a fraud via a tip then you are through any other method - internal audit, management review and so forth. What's interesting about that is that has been a consistent statistic since we started gathering detection data in 2002, and yet when we look at the controls that our victim organizations have in place, only about half of the companies, government agencies or whatever who were victimized had a hotline at the time they were defrauded. That's significant because a hotline, while not all tips come through a hotline, it's a very effective way of encouraging employees, customers and vendors to report concerns about misconduct. We think that's a relatively inexpensive way organizations could do a lot to bolster their anti-fraud efforts that are going to detect and prevent fraud.
In terms of the tips that are received, about 51 percent of those come from employees. When we first started gathering that data, we thought that number would be higher. You would expect that 80-90 percent of your tips about misconduct would come from employees, but it turns out only about 50 percent. Customers tend to report fraud about 20 percent of the time. About 12 percent are anonymous so we don't really know where those come from. That's probably a mix of customers and employees. And then vendors are about 10 percent of the time, then sort of a hodgepodge in the other categories. But to the extents that an organization can take steps to encourage employees to understand what fraud is and how to report it, and to alleviate fears about being retaliated against if they do report it, I think that organization will go a long way to either reducing incidents of fraud or at least limiting its exposure to those schemes.
Trends by Region
FIELD: In your survey results, do you see different trends by region or by industry, or are they pretty much the same?
WARREN: ... I should say we opened up the data internationally in 2010. This is the second year that we've gathered international data. Before that it was exclusively U.S. data. When we did that in 2010, we were expecting significant changes to our data set. We thought with gathering case information from Asia, Africa and Europe, we just expected we'd see a lot of different trends and surprisingly we found very few differences. The breakdown of perpetrators, the breakdown of losses, the most common schemes - it's all very, very common regardless of what region you seem to be operating in or even really with any industry.
There are some small discrepancies. A couple of trends that have been surprising and we don't really know quite why we're seeing this data [is] losses have tended to be much lower per scheme in the United States and Canada than in other regions such as Asia, Africa and Europe in our studies. [We're] not really sure why that is. It may be just that to a large extent the data we gather, we're looking at cases that were investigated by certified fraud examiners. To a large extent that data is dependent on what kinds of cases CFEs are being asked to investigate and right now a big focus of the Department of Justice is in prosecuting FCPA violations, meaning Foreign Corrupt Practices Act violations. So there's a big emphasis on dealing with corruption cases overseas.
In our study, not only did we see higher losses overseas - and corruption cases tend to result in higher losses - but we see higher levels of corruption outside the U.S. and Canada. Now there could be any number of reasons for that, but one very likely reason is that our members outside the U.S. are devoting an inordinate amount of time right now to investigating cases of corruption because of the FCPA compliance responsibilities.
The other trend that appears every time we do this survey is small businesses are disproportionately victimized by fraud. Organizations with fewer than 100 employees typically have the largest median loss per scheme, or if not the largest the second largest. They typically have losses per scheme higher than the very large store organizations we look at. Obviously, these small companies are generally not equipped to deal with these large losses, so fraud can be especially damaging to them.
In [our] 2012 data, 32 percent of cases impacted companies with less than 100 employees and the median loss was $147,000 per scheme. Again, we see case after case after case where small businesses go out of business as a result of fraud cases. It's a terrible shame, and we also track the anti-fraud controls that organizations have in place and you can pretty directly trace this. Small companies tend to have fewer anti-fraud controls which make them more vulnerable, which causes them to have higher fraud losses and it's just sort of a vicious cycle these small companies get into.
Essential Steps for Organizations
FIELD: Final question for you. If you could boil it down, what would you say are the essential steps that organizations really need to take to curtail the incidents of occupational fraud?
WARREN: It's such a broad issue [and] topic. There are so many things we need to do, but what I would say, if there's a takeaway, is this - everybody knows about internal controls, that we should separate our duties, and people are taking in cash and not be the ones who are recording. We need to segregate duties. We need to have management review of our employees, and we need to check each other's work and so forth and that's all great; and controls are the most basic and important anti-fraud measure.
But if people are going to take anything away from this study, what I would say is to look at the data on tips and the effectiveness of hotlines. We found that organizations with hotlines had a 44 percent lower loss per scheme than organizations without hotlines. Our data consistently shows that most frauds are detected by tips. You need to do everything you can to encourage your employees, your customers and your vendors to report any misconduct they see to you so that you can jump on these cases earlier and catch them before they spiral out of control into really large losses.
What goes hand-in-hand with the implementation of hotlines is training for your managers and for your employees, because in order for these people to be able to report a fraud they have to know what a fraud looks like, and they have to know how to report it. Many people after the fact when we go in and look at these cases say, "Yes, I suspected he or she was doing something wrong," but they weren't sure it was fraud or they weren't sure they should report it, or they didn't know who to talk to. You need to train your people on this. Tell them if you see something questionable, this is the phone number you call. What goes along with that is they have to know they won't be retaliated against. Many people who are aware of ongoing misconduct don't report it because they're afraid they will be fired or they'll be punished or they'll be associated with the complaint and be known as a snitch or something. You need to have an anonymous reporting mechanism where people can feel comfortable making the report without fear of retaliation. That's going to go a long way to reducing your exposure.
Then the other thing would be all the basic controls you have in place - enforce them. We see so many cases where a company had controls but either they did not routinely enforce them so people were allowed to override controls and segregation of duties broke down, or a high level person was able to override controls and just basically ignore the control structure in place. Have a hotline, train your people and enforce the controls you have in place. That's what I would say people ought to take from this study.