October 21, 2013
The Importance of Preventing Occupational Fraud
Occupational Fraud is an issue that most organizations know about but may not be doing enough to prevent. In addition, the continuing growth in information technology increases ways in which fraud can be committed. The Association of Certified Fraud Examiners (“ACFE”) defines Occupational Fraud as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” According to the ACFE, each year “organizations lose an estimated 5% of their revenues to fraud.” The cost of fraud to an organization is far greater than the cost to prevent fraud.
The Cost of Fraud to an Organization
Two of the main costs of being a victim of fraud are financial costs and the cost to your organization’s reputation. Financially, each fraud case costs an organization roughly $120,000 with the median loss increasing to $147,000 for organizations with fewer than 100 employees. Additionally, the majority of fraud cases go unreported to the authorities in fear of the price to the organization’s reputation.
The price of fraud to an organization’s reputation cannot easily be measured and quantified. Once fraud occurs within an organization, the damages to the reputation of the organization can be devastating. In the non-profit industry, an employee who committed fraud can damage the trust that stakeholders had placed in the organization. The loss of trust can diminish the number of donations received each year or the number of new or continuing members of the organization. Failure to maintain proper internal controls to prevent fraud will increase the likelihood of fraud and the price the organization will pay.
The cost of fraud to an organization with fewer than 100 employees is higher due to the general lack of anti-fraud controls that are generally in place within larger organizations. Due to the lack of controls, the fraud schemes seen in smaller organizations tend to be billing schemes, check tampering and expense reimbursements which all can be minimized with proper internal controls. According to a study done by ACFE, the most frequent cause of fraud is the lack of internal controls, which was cited as the “primary weakness in more than 35% of cases” studied. Many organizations believe that since they undergo an external audit each year that they are doing enough to prevent fraud.
Roughly 80% of the cases studied by ACFE obtained an external audit. However, external audits have only uncovered roughly 3.3% of the frauds studied. The most common detection method of uncovering fraud is actually through tip lines (43.3%), and management review (14.6%). The cost of implementing these two fraud preventative measures is inexpensive compared to the potential loss due to fraud. Yet, only 54% and 60.5% of organizations implement a tip line or management review, respectively. When implementing these controls there are a few items that should be kept in mind during the implementation:
- Controls are only effective if they are implemented properly and are being monitored. For a tip line, it is best to have a third party manage the tip line and give reports back to the board of directors and management. This will allow employees to feel more comfortable in reporting fraud and will eliminate any bias from management. If outsourcing the tip line is not feasible, the most important aspect of the tip line is the ability for employees to report tips anonymously in order for them to feel comfortable enough to report fraud.
- A person committing fraud will do whatever they can in order to conceal their fraud. This stresses the importance of management reviewing, on a regular basis, bank statements, current period to prior period analytics and current period to budget analytics. The review of these items will allow management to spot anything that appears unusual, unexpected or any patterns and will allow them to investigate accordingly.
The ACFE study has also shown that with the implementation of these two controls, the cost of fraud is reduced by 44.4% and 45.9% respectively. However, controls will never eliminate fraud completely, because of the deceptive nature of fraud in itself.
The goal of having internal controls in place is to reduce the likelihood that someone will have the opportunity to commit fraud and the length of time that fraud will go undetected. The average fraud lasts roughly 24 months without proper internal controls in place at an organization. Once controls are in place, the average length of time that fraud goes undetected decreases to about 12 months. The quicker fraud is detected, the lower the cost of the fraud. Some of the stronger controls in reducing the detection time are offering rewards for whistleblowers and job rotation and/or mandatory vacation.
By offering rewards and or protection to whistleblowers, employees will be more inclined to report fraud to the board of directors and management. Currently, there is little to no laws protecting private-sector whistleblowers. The only, “federal protection for private-sector whistleblowers is largely limited to these piecemeal protections in environmental and other statutes.” The whistleblower laws established usually only protect public-sector whistleblowers and those blowing the whistle on public policy issues. Employees are worried about retaliation from their employer if they blow the whistle on management. If employees cannot feel that their job is projected, they are much less likely to report any cases of fraud to management or the board of directors. Therefore, it is extremely important for organizations to implement a protective clause into their employee handbook, protecting whistleblowers from retaliation from other employees and management. A complementary control to rewards for whistleblowers is job rotation and mandatory vacation.
Job rotation and mandatory vacation will force employees to take time off or change job roles. Employees who commit fraud tend to need to be continuously working in order to conceal their fraud. However, when the employee is forced to perform another job or take a vacation, the employee will no longer be able to hide their fraud activities. During job rotation, one of the most important aspects is that the employee’s previous access, to certain aspects of the organization’s software, is revoked and that new accesses are established for their new position. Without the change in access, they will still be able to continue to cover up their fraud activities.
Fraud in the Information Technology World
While the advancements in technology over the past years have generated software to help detect fraud, it has also opened up new doors for fraudsters. A study had interviewed a group of Information Technology (“IT”) managers to determine what they felt was the greatest challenge to protecting an organization from IT fraud. One of the results from the interviews showed that “although many monitoring capabilities and fraud detection controls are in place, they are not effectively used because of limited staff, shrinking budgets, and time constraints.”
The most important aspect of information technology in preventing fraud is the accessibility that employees’ have to certain applications. Unauthorized access is one of the easiest ways an employee can commit and conceal fraud. For example, one employee should not have the ability to submit an electronic payment and have access to make entries into the accounts payable system. In order to fully have segregation of duties between employees, the employee’s user access should be restricted to only what they need in order to accomplish their role within the organization. For example, an employee who has access to the HR system to update employee’s personal information should not have access to whether that employee is deemed an active employee. If they do, then once an employee leaves they could delay changing the resigned employee’s status from active to inactive and could easily change the resigned employee’s address to their own and begin receiving fraudulent payments. The ability to activate or inactivate employees should be kept separate from the ability to change employee’s personal information. Additionally, all employees should be restricted from direct access to the data log of an IT system.
The data log of the system acts as an audit trail. The data log tracks user’s activities, such as what applications they’ve opened or entries that they’ve posted. If a user has access to this log, including IT personnel, they can easily conceal fraudulent activity by erasing the data log and in essence their fraud trail. Additionally, IT equipment and software purchases and inventory should be periodically monitored.
Most management at an organization will not know how many servers or software applications the organization needs. They will rely on their IT personnel for guidance on what the organization needs as it relates to IT. This allows IT personnel to purchase additional IT equipment and keep it for personal use. They can also generate false software licensing invoices and receive payments for the fraudulent invoices. Therefore, it is important to establish IT procurement procedures, to reconcile hardware and software procurement records with actual IT inventory and to inspect IT equipment purchases to ensure that the equipment is actually being put into use. Without these simple controls, IT personnel can effortlessly misappropriate IT equipment or software.
1. “Report to the Nations on Occupational Fraud and Abuse” ACFE, n.d. Web. 24 July 2013. www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf
2. “Understanding Your Legal Rights.” Alaska Forum. N.p.,n.d. Web. 25 July 2013. www.alaskaforum.org/understanding.htm
3. Behling, Susan, Kevin Floyd, Terry Smith, Alex Koohang, and Robert Behling.”Managers’ Perspectives on employee information technology fraud issues within companies/organizations.” Issues in Information Systems X, No. 2, 2009(2012): 76-81. Print
4. Johnstone, Dale, and Ellis Chung, Yee Wong. “Practicing Information Technology Auditing for Fraud.” Information Systems Control Journal 1, 2008 (2008): 1-5. Print.