by Heather Raftery and Frank L. Holder
FTI Consulting
This article was originally published on the FTI Journal website and is reprinted with permission.
Fraud occurs every day all over the world. Some companies take an “it won’t happen to us” approach; others implement controls to try to keep individuals likely to commit fraud from entering the business; and still others outsource the work of combating fraud to external auditors. These tactics and strategies are helpful but are limited. Companies must create lower risk environments for fraud. To do so, organizations first must understand their own corporate ecology — the interrelations between people and their workplace — and tailor controls to the nature of those systems.
Fraud may be as old as civilization itself. Fraudulent activity was mentioned in the Code of Hammurabi, the oldest-known surviving code of law dating to around 1772 B.C. Modern archaeologists often unearth counterfeit coins from cities long forgotten.
As long as there have been opportunities, there have been fraudsters.
Today, in an increasingly interconnected world, digital technologies that enable business to be conducted in the wink of an eye also help disguise the identities and machinations of the people conducting that business, thereby enabling fraud to become vastly more sophisticated and pervasive. Likewise, fraud’s impact — on businesses, stakeholders and entire economies — has similarly magnified.
According to the Association of Certified Fraud Examiners (ACFE), fraud includes:
1. Corruption (such as conflicts of interest and bribery)
2. Asset misappropriation (through theft or illegal diversions of cash or other assets)
3. Financial statement fraud (such as asset/revenue overstatement or understatement)
In its 2014 ACFE survey (Report to the Nations on Occupational Fraud and Abuse) the association estimated that the typical organization loses 5 percent of its revenues every year to fraud, with an average cost per incident of $145,000 among all cases reported. The global loss in 2013 approached $3.7 trillion.
Globally, asset misappropriation represents the large majority of fraudulent activity, comprising nearly 85 percent of the total cases of occupational fraud in 2013, with a median cost of $130,000 per case. Financial statement fraud was rarer — just 9 percent of reported cases involved financial misstatements — but in these cases, the estimated loss per incident exceeded $1 million. Interestingly, two or more of these types of fraud occurred together 30 percent of the time.
According to the ACFE report, the sectors most often victimized by fraud are banking/financial, government and public administration, and manufacturing; within these sectors, the real estate, mining, and oil and gas industries reported the largest median losses. However, it is important to note that fraud differs by region. While billing (financial statement) fraud is the most common in the United States and Canada, in developing economies such as those in Latin America and Asia, corruption is rife. Therefore, companies operating in multiple jurisdictions must take regional differences into consideration when devising their anti-fraud strategies.
In other words, there is no one-size-fits-all approach to combating fraud. Nevertheless, as challenging as this might be, developing a customized approach is crucial. In the most recent ACFE survey, more than half the companies reporting fraud had not recovered any of their losses, and only 14 percent had been made whole.
Fraud Prevention: A Mug Shot
People commit fraud, but it’s nearly impossible to identify a potential fraudster with any degree of confidence. The overwhelming majority of people who commit fraud are first-time offenders. Only 5 percent of fraudsters caught have had a prior fraud conviction. Therefore, no matter how diligently a background check is conducted, the likelihood that it will unmask a person who eventually will steal from the business is vanishingly small.
This is not to say that companies should neglect conducting due diligence in their hiring processes. Just like internal and external audits, screening processes are among a business’ first lines of defense and should remain a part of the company’s good housekeeping practices. But these practices are not as effective as commonly believed; ACFE statistics show that external auditing — while essential to good corporate governance — is the least effective type of anti-fraud control, detecting only 3 percent of frauds, compared to the 7 percent that are discovered by accident.
The implementation of internal controls is more effective, and obviously more proactive, than external ex post facto audits. These controls should include management reviews, real-time (or as close to it as feasible) data analysis of transactions, robust whistleblower programs, rigorous client and partner vetting, and a wide range of soft compliance strategies, including tipster hotlines, qualitative interviews with employees and a process for continually collecting employee feedback. Not only do these strategies help companies keep their finger on the pulse of the organization, anti-fraud policies also help deter potential fraudsters who would take advantage of a company’s lack of such oversight.
Unfortunately, these anti-fraud strategies rarely are deployed in a repeatable, ongoing manner. Proactive data monitoring, for example, was used by only 35 percent of the victimized companies surveyed in the 2014 ACFE survey, even though companies that did deploy data monitoring experienced frauds that were 60 percent less costly and 50 percent shorter in duration.
Instead of working to create an environment less vulnerable and less hospitable to fraudsters and fraudulent activities, companies sometimes put undue attention on identifying individual perpetrators. This leads some businesses down the dangerous path of screening prospective employees for ill-defined desirable or undesirable personality traits and conducting employment interviews that frequently are biased and may open doors to discrimination lawsuits. This kind of personality-focused interviewing and testing (most often conducted by Human Resources (HR)) also can cause companies to miss out on top talent that might be screened out due to cultural differences but that could have been addressed easily through cultural-awareness training.
Any anti-fraud measures that take the organization’s eye off its own culture — either by chasing after individuals or outsourcing the problem to third parties — will leave an environment that is wide open for providing fertile ground for fraud and fraudsters to take root and thrive.
The Ecology of Fraud
Remember: People commit fraud, and because people are social animals, their actions, in great measure, are governed by the culture and environment in which they find themselves.
For instance, after a giant engineering and electronics conglomerate paid $1.6 billion in 2008 to settle anti-bribery charges in the United States and Germany, the facts revealed that the company maintained an annual budget of between $40 million and $50 million for the express purpose of paying bribes to keep and win business. The headline in The New York Times — “Bribery Was Just a Line Item” — told the story. Investigators described bribery as the company’s “business model,” and when global anti-bribery laws became stricter, the organization created a “paper [anti-fraud] program” to cover its continuing illegal practices.
In this case, the company incentivized winning and maintaining business to the extent that it winked at law breaking, nurturing an environment in which corruption could flourish. In fact, the environment in which company employees worked led them to feel they were not acting abnormally but rather in the best interests of the business while protecting their colleagues’ jobs.
A similar ecology existed at a large global retailer. To improve the appearance of profitability, its managers were pressured to conceal inventory shrinkage losses. The evolution of this practice has been blamed on the low staffing levels the company maintained, making accurate inventory management difficult. This established an environment of scarcity in which deceptive inventory processes were, at best, ignored by managers and, at worst, applauded, thereby discouraging those in charge from coming forward. In essence, the corporate ecology normalized financial statement fraud, creating fraudsters where, in a different environment, this might not have happened.
Deception need not be intentional nor a business strategy. In late 2012, a major European financial institution agreed to pay $1.9 billion in fines related to money laundering. According to the U.S. Department of Justice, the bank laundered $881 million in drug profits and failed to invest in its anti-money laundering compliance programs. In 2009, it appointed an inexperienced director to run them. With substandard processes and governance, the bank basically was asleep at the switch, ignoring numerous red flags that otherwise would have alerted it to sketchy clients engaged in dubious transactions. By failing to understand and then to communicate the seriousness of the problem to its employees, the bank allowed these practices to continue and ultimately paid a steep price for snoozing.
An even steeper price was paid by another large European financial institution. In 2008 it admitted to a conspiracy to defraud the Internal Revenue Service (IRS), agreeing to pay $780 million in fines and to exit its highly profitable U.S. wealth management business. As was the case with the engineering and electronics company, breaking the law seemed to have been part of the organization’s business model. According to a whistleblower (who was ignored by the bank’s chief compliance officer), the company had trained its employees to avoid detection in the U.S., equipped them with encrypted laptops, and incentivized them through bonuses and promotions to sell the company’s products to United States clients without the proper licenses to do so.
The whistleblower, who ultimately was awarded $104 million by the IRS (the largest whistleblower award to date), described a culture that was insular, hierarchical and aggressively entrepreneurial, encouraging law breaking in the pursuit of profit even as its own policies declared the activities it promoted to be illegal. Not only would such a culture encourage fraudsters, it would attract them.
Creating a Fraud-Resistant Corporate Ecology
As noted, it’s nearly impossible to predict whether any given individual will be inclined to commit fraud. However, the environment in which an employee works can be controlled by a company’s leadership in both formal and informal ways to make fraud more difficult and cast it as an affront to the business’ social norms. Most people wish to act as their colleagues do, and, therefore, if the corporate norm is one of zero tolerance for fraudulent activity, the commission of antisocial acts within the context of the business becomes, ideally, inconceivable. Companies must strive to make their offices and facilities places where it is hard for an individual to commit fraud and even harder to imagine that he or she could get away with it.
It is up to the company to establish a low-risk environment for fraud and provide incentives for ethical behavior by its executives, managers and employees. (According to the ACFE study, almost a fifth of reported frauds were perpetrated by owners/executives. Not surprisingly, ACFE found a high correlation between the organizational level of the fraudster and the financial impact of the fraud on the company; in other words, the higher up the fraudster, the more extensive the losses.)
Conduct a Risk Analysis
To begin creating a fraud-resistant environment and culture, companies must begin with a thorough risk analysis that should include a review of existing corporate policies, an analysis of internal compliance systems and processes, and an examination of the organization’s communications strategies and practices. These reviews will enable leadership to assess the company’s risk profile holistically. It should be kept in mind that various regions have different risk profiles, and organizations operating in multiple jurisdictions must conduct a risk assessment in each one.
This risk analysis should not be wholly quantitative since such a confined assessment would neither register nor reflect the ecology of the workplace. Ideally, an independent analyst, whose vision would not be clouded by the current culture, could provide open-minded leadership with an understanding of how people in the company are interacting, how managers are relating to employees and how informal information is shared in the workplace. Such an analysis could reveal where pockets of discontent exist, where dysfunctional behavior is tolerated and where there are cracks in more formal compliance processes — cracks that breed fraud. In effect, such an analyst would function as a corporate anthropologist, observing how people actually perform their job. This, as Harvard Business School’s Tom Davenport has written, is the only way of “actually knowing what’s happening and why in organizations.”
A comprehensive risk analysis also must take into account the propensity for fraud in various departments. Accounting, for example, has the highest incidence of fraud, many times that of Legal and Research and Development, and, therefore, should be allotted commensurate attention. For instance, it makes sense to deploy tools and processes that monitor and double check billings, accounts receivable, collections and other accounting functions. There are software systems that automatically provide warnings when, for example, a receipt or payment surfaces in excess of a given, predetermined amount and prevents an invoice from being processed without a designated manager’s approval.
Although certain behavior — such as an employee living beyond his or her means or an HR report saying a worker is resistant to guidance or an executive demonstrating a wheeler-dealer mentality — can be an important red flag and part of building a risk profile, companies must be very careful not to fall victim to cultural biases or to be influenced by hidden agendas. Again, this points to the usefulness of engaging independent third parties to cross check these flagged individuals. Focusing on specific people, however, is of limited utility; what’s critical is the overall ecology of the workplace in which these employees either succeed or fail.
Create a Transparency Forum
Much of the fraud in companies (as we’ve seen) is conducted by upper management. The only way to constrain undesirable conduct by executives is to increase the visibility of their actions.
Fraud is a shade-loving plant. Transparency creates an environment that’s uncomfortable for fraudsters, making actions that hide illegal activity and information difficult. It would be wise for companies to invest in systems to ensure that transparency exists in the organization from top to bottom by making alerts, reviews and certain communications visible to employees at different levels of the company, whether via dedicated committees or individuals embedded in various functional areas. At the European financial institution, for example, the written policy that prohibited its wealth managers from selling its financial products on their business trips to the United States was hidden deep inside the corporate intranet. No one outside the compliance function knew of the policy’s existence — certainly not the wealth managers — until it was discovered by accident by the whistleblower. Had that policy been broadly visible, the penalties levied on the bank might have been significantly less.
Be Alert to Cultural Red Flags
Employee dissatisfaction can point to deeper problems within an organization. At the aforementioned retailer, complaints about understaffing that overstretched employees — and made it hard for them to perform the accurate inventory counts that likely would have revealed the fraudulent reporting much earlier — should have been a warning signal to company leadership.
It, therefore, is critical for managers to enable qualitative, in-depth, anonymous interviews with employees on a regular basis. These interviews could be conducted by HR, but it generally is safer and more effective to look outside the company for a third party that can provide a less culturally proscribed picture. And lest these interviews be construed as invasive and needlessly time consuming, they should be conducted in as fluid and unintimidating manner as possible.
Inefficient communications — such as those that buried the European financial institution’s cross-border business policy in its intranet — exposed the institution to large fines and loss of business. Dysfunctional management styles (unwarranted pressure on employees at the retailer) can encourage fraudulent activity, and the absence of compliance training even when policies are in place (such as they were at the engineering and electronics company) can lead companies astray. Corporate settings that lack clear policies or have policies that are poorly communicated and/or followed or that allow the immediate and long-term consequences of fraudulent activity to remain ambiguous or unstated are environments in which fraud is more likely to take root and flourish.
Have a Robust Whistleblower Program with Appropriate Protections
As the ACFE reported, almost half the tips that lead to fraud exposure come from employees. But merely having a whistleblower platform and encouraging people to come forward are only part of the equation. These whistleblowers also must be confident that the company will not turn on them. For example, at the retailer, some employees who brought their concerns about the inventory process to their managers allegedly were discharged later. And after the European financial institution whistleblower brought the Wealth Management division’s policy violations to the attention of the bank’s chief compliance officer, the whistleblower was denied a raise, was isolated and was advised by independent counsel to leave the company.
A robust whistleblower program is essential to creating an environment in which a fraudster will fear exposure, but without equally robust protection for a whistleblower, the program will be toothless.
The Sweet Spot: Where Ethics and Good Business Meet
Companies must vigorously instill an exemplary code of conduct at every level, not only because it’s right to do so, but — in the current political environment in which governments and their regulatory agencies are becoming increasingly aggressive and less tolerant of violations — it’s simply good business. Companies must not just talk the talk; they must walk the walk by implementing strong internal controls and establishing an ethical environment for conducting business. We have seen — with Enron and others — how quickly an unethical environment can destroy value for innocent stakeholders, as well as how swiftly a company can crumble.
The roots of a fraud rarely can be traced to a single unethical individual operating maliciously in a vacuum. A fraud is perpetrated when that person meets a specific environment. Companies can control those environments by defining both formal and informal rules and by understanding the mostly unseen, unexplored ecology of their organization. More than ever before, that understanding is not a “nice to have”; it’s a “must have.”
Heather Raftery is a Consultant, Forensic & Litigation Consulting, FTI Consulting. Frank L. Holder is Chairman, Latin American Region, Forensic & Litigation Consulting, FTI Consulting. This article was originally published on the FTI Journal website and is reprinted with permission.