With millions of dollars and company reputations at stake, financial services companies need an effective battle plan to win the war against internal fraud.
Here is an all too familiar example: Company A had inadvertently uncovered a fraud scheme involving a claims adjuster who had issued fraudulent payments totaling $1.5 million. After the adjuster’s arrest, management was perplexed. How could a trusted employee pull off such a fraud without setting off any red flags, such as obvious lifestyle changes?
The scheme also shocked management in its simplicity: Fraudulent payments were issued to third parties via insurance claim files under the adjuster’s control. The payees were family members of the adjuster, and the management reviews and audit processes failed to provide adequate detective or preventive controls.
Before this incident, management believed that all the critical components of a fraud control program were in place, including an Internal Audit function, an Internal Security director, a code of conduct and whistleblower hotline, and various controls over claim operations. But after pondering this case, they began to wonder how many more incidents could be occurring within the organization, and what steps they could take to detect such activity.
Unfortunately, Company A is not an isolated case. Fraud is on the rise in all organizations, and adequate controls over fraud are required by the Sarbanes-Oxley Act, which was enacted by Congress following a string of corporate scandals, many of which involved fraud on the part of management. A standard on internal auditing proposed by the Public Company Accounting Oversight Board (PCAOB) mentions the word “fraud” over 40 times, with section 126 of the standard noting that “identification of fraud of any magnitude on the part of senior management” is a strong indicator of a material weakness in internal controls over financial reporting.
In its comprehensive “2002 Report to the Nation–Occupational Fraud and Abuse,” the Association of Certified Fraud Examiners (ACFE) found that over half of the 663 occupational fraud cases reviewed had resulted in losses of at least $100,000, while 1 in 6 cases exceeded $1 million in losses. The most common type of fraud involved asset misappropriation and lasted at least 18 months before being detected. These statistics suggest that despite increasing awareness of the fraud exposure within organizations, management needs to focus increased attention on this problem and intensify its efforts to mitigate fraud.
For financial services organizations, the risk of fraud is exacerbated by the very nature of the operations, since a large percentage of the workforce has the authority and ability to process large numbers of transactions and disbursements. Assessing fraud exposure in such companies therefore requires not just gauging the likelihood of an event, but also measuring the impact of individual events and the aggregate impact of long-term schemes.
Yet companies typically have failed to adequately assess the extent of the fraud exposure within their organizations. The reasons for failure can be attributed to management’s mistaken belief that a lack of any reported fraudulent activity means that none is occurring; the failure to consider the indirect and incidental costs of fraud, such as damage to business reputation and employee morale; and the failure to quantify risk exposures and identify specific fraud vulnerabilities.
Another reason why many past anti-fraud efforts have failed is that they are based on the assumption that fraud schemes are perpetrated by individuals who fit a preconceived profile. However, the results of the ACFE report and other studies have not shown profiling to be effective.
Profiling often will fail to address the biggest fraud exposures within the organization: fraud committed by management. Many earlier fraud detection and prevention efforts were not geared toward executives and senior management–the individuals who pose the greatest risk, possess the highest levels of trust, have the authority to circumvent routine policies and procedures, and are authorized to approve large disbursements. Often, false assumptions are made regarding the integrity of these individuals, resulting in reliance on trust rather than a system of controls.
Some executives will state they have a zero-tolerance policy toward fraud. While this position is commendable, the reality of day-to-day operations at a financial services organization is that fraud is a risk that cannot be eliminated entirely. Rather, the risk of fraud must be balanced against the realities of the business and the need to empower employees to effectively and efficiently process financial transactions.
To mitigate the occurrence of fraud, companies need to evaluate the current state of their internal fraud controls against their potential exposure to company-specific fraud vulnerabilities.
The steps involved in this process are to:
o Determine the current state of the fraud control framework by gathering data on existing controls in place to detect and prevent fraud.
o Compare current state with leading practices state (gap analysis).
o Identify company-specific fraud vulnerabilities.
o Assess vulnerabilities and quantify the potential monetary loss.
o Rank fraud risks and prioritize required remediation measures.
1.) Determine current control framework. An examination of the controls currently in place to detect and prevent fraud should include a review of entity-level elements of the control framework, such as a code of conduct, whistleblower hotlines and fraud-focused exception reports. Personnel practices also should be scrutinized, including background checks made before an employee is hired, disbursement authorization levels, journal-entry approvals, general IT controls regarding security administration, and self-audits. The scope of Internal Audit activity and the specific steps taken to both validate controls and identify fraud should also be considered, along with recent Section 404 documentation, including process maps and risk matrices that may include an evaluation of fraud risks.
2.) Compare current fraud controls with leading practices (gap analysis). A “gap” analysis compares the company’s fraud prevention practices with the best practices of leading organizations. Gaps may exist when the current state of controls has elements of significant weakness compared to leading practices. These weaknesses will receive appropriate weighting in subsequent calculations of the company’s fraud exposure.
3.) Identify the types of fraud to which the company is exposed. The specific types of fraud exposure will vary from company to company, depending on the nature of its operations. A bank, for example, will have more exposure to cash-on-hand shrinkage, whereas for an insurer, fraudulent claims payments are a major exposure. In the case of Company A, the insurer had 12 separate fraud vulnerabilities specific to its claim operations, ranging from the acts of a single claim handler to collusion between multiple parties (see Exhibit 1).
Although the vulnerabilities shown in the exhibit may appear similar, each is unique due to the distinct activities required to perpetrate that type of fraud. In addition, there are aspects of each fraud that require unique controls to adequately mitigate the exposure to the fraudulent acts. Most perpetrators will not commit multiple types of fraud, but they will rely upon their knowledge of certain processes–as well as the trust management places in them–to exploit a single weakness in the control framework.
4.) Assess vulnerability and quantify potential monetary loss. Once the inventory of fraud exposures has been created, it can be mapped to the previously constructed gap analysis. The value of this vulnerability assessment is that it can stand as a “living” document that the organization can use to gauge and refine its fraud controls. For each vulnerability identified, the organization should consider the following factors to facilitate quantification of the potential impact to the organization, adjusting the factors as needed if there is a change in the environment:
Event description. Categories of activities representing exposure to criminal activity facilitated or orchestrated by personnel. These represent the internal fraud vulnerabilities unique to the organization’s business operations.
Per-event severity (exposure). Anticipated monetary loss from a single act for this type of vulnerability. Two factors play a primary role in determining event severity: authorization limits, which define the extent to which funds can be disbursed or moved without requiring unusual actions, and management exception reports, which serve as “radar” points that the perpetrator will seek to avoid.
Events per month. Anticipated frequency of the described events based on the benchmarks for similar schemes. Factors influencing frequency include the proportionality of the fraudulent disbursement to the total business activity for the month. Frequent disbursements throughout the month exponentially increase the amount of actions required by the perpetrator. Research has also shown that once a pattern of fraud has been developed, the perpetrator will often maintain a fairly routine pattern based on what he or she is doing with the money. Often, illicit proceeds are used to fund compulsive habits such as gambling, drugs, extramarital affairs and lavish lifestyles.
Duration (detective controls). Estimated duration of the scheme, considering the strength of detective controls and the likelihood that the fraud will be discovered. Few fraud schemes are halted voluntarily by the perpetrator, who typically believes the activity will go undetected. Therefore, detective controls are a critical element in a strong anti-fraud program. A subjective measure can be applied to the score for detective controls based on the comparison with leading practices and existing fraud research.
Nominal frequency (preventive controls). The frequency estimate adjusted to recognize the effectiveness of preventive controls. The effectiveness of the organization’s preventive controls can be measured by assuming a current-state value of 1.0 and then making adjustments to this baseline estimate to quantify the differences between the current state and the state that would exist if the organization adopted leading practices designed to prevent the subject event from occurring.
Direct cost (computed). The anticipated cost of one fraud scheme adjusted for detective and preventive controls. After the appropriate credits have been applied to the organization, we can begin to see the inherent benefit of applying the leading practice controls. In the example shown in Exhibit 2, the differential between the sample organization’s current state and the leading practices’ state is dramatic. While the organization has an exposure of $3.4 million to this particular vulnerability, the leading practice organization has been able to reduce this exposure to $540,000, representing an 84% reduction in monetary exposure.
Damage multiplier. Collateral damage over and above the direct cost of the fraud. Affected areas include business reputation, lost business, employee morale, regulatory relationships, litigation and investigative costs, and banking relationships. As seen in recent press stories about corporate frauds, the damage multiplier can easily increase the amount of the fraud to a figure far in excess of the actual loss. Failure to consider these costs would greatly diminish management’s ability to effectively anticipate organizational losses and properly weigh the true value of various control options.
Total fraud costs. Anticipated cost of a single fraud scheme adjusted for detective and preventive controls, including the cost of collateral impact as calculated using the damage multiplier.
Scaling index. A scaling index can be applied by dividing the number of employees with access to each fraudulent activity by the smallest such number across all events. Upon completion of the vulnerability matrix, some organizations may feel it is a daunting task to determine which exposures merit the often-limited budgetary commitments to strengthen controls. By applying a scaling index, the organization can develop a ranking of the vulnerabilities driven by the likelihood of their occurrence. This is based on the belief that the frauds which the greatest number of employees have the capability to commit are those most likely to occur.
Organizationally scaled cost of fraud. A methodology to allow the organization to prioritize its investment in detection and prevention of fraud. This number is not intended to be a true representation of the actual fraud amount at risk. Rather, it is a way in which the organization can rank fraud exposures based on the current organizational structure.
Exhibit 2 illustrates the vulnerability of a collusive fraud involving both management and staff at an insurance organization with relatively high authorization limits for personnel and a decentralized control structure, based on a comparison between its current-state preventive practices and best practices.
When the results of the top vulnerability assessments are evaluated, the organization is likely to see a dramatic variance between its current and the leading practice state. This should be viewed as an opportunity to proactively mitigate the fraud risk to the organization.
When we applied this technique to the 12 top vulnerability categories for Company A, the results showed that the company could have reduced its monetary loss exposures by 50% to more than 80% in each category–a result that certainly would place the company in the position of substantially mitigating its losses.
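The vulnerability matrix described in steps 3 and 4 can be built as a small model. The following is an added illustration, not the article's own worksheet or Exhibit 2: the row values, the leading-practice control credits (detective factor 0.25, preventive factor 0.5) and the multiplicative form of the direct-cost calculation (severity × adjusted frequency × adjusted duration) are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    """One row of the vulnerability matrix (all values constructed for illustration)."""
    event: str                  # event description
    severity: float             # per-event severity: loss from a single act, in dollars
    events_per_month: float     # anticipated frequency
    duration_months: float      # estimated scheme duration under current detective controls
    damage_multiplier: float    # collateral damage over and above direct cost
    employees_with_access: int  # headcount able to perform the activity

@dataclass(frozen=True)
class ControlState:
    """Control-strength credits; 1.0 = current state, below 1.0 = leading-practice credit."""
    detective_factor: float     # scales duration (stronger detective controls shorten schemes)
    preventive_factor: float    # scales frequency (the 'nominal frequency' adjustment)

CURRENT = ControlState(1.0, 1.0)
LEADING = ControlState(0.25, 0.5)   # assumed credits, not figures from the article

def direct_cost(v, state):
    """Severity x frequency x duration, with frequency and duration adjusted for controls."""
    freq = v.events_per_month * state.preventive_factor
    duration = v.duration_months * state.detective_factor
    return v.severity * freq * duration

def total_cost(v, state):
    """Direct cost plus collateral impact via the damage multiplier."""
    return direct_cost(v, state) * v.damage_multiplier

def scaling_index(vulns):
    """Employees with access divided by the smallest access population in the matrix."""
    smallest = min(v.employees_with_access for v in vulns)
    return {v.event: v.employees_with_access / smallest for v in vulns}

def ranked_exposures(vulns, state):
    """Organizationally scaled cost per event, highest first (a ranking aid, not a loss estimate)."""
    idx = scaling_index(vulns)
    scaled = [(v.event, total_cost(v, state) * idx[v.event]) for v in vulns]
    return sorted(scaled, key=lambda row: row[1], reverse=True)

def exposure_reduction(v, before, after):
    """Fraction by which total exposure falls when moving between control states."""
    return 1.0 - total_cost(v, after) / total_cost(v, before)

# Constructed sample matrix for an insurer's claim operations
VULNS = [
    Vulnerability("Payments to fictitious payee by one adjuster", 25_000, 2, 18, 1.5, 400),
    Vulnerability("Collusive approval by manager and adjuster", 100_000, 1, 24, 2.0, 40),
    Vulnerability("Altered vendor invoice by AP clerk", 5_000, 4, 12, 1.2, 20),
]
```

Note that the scaling index moves the single-adjuster scheme (400 employees able to commit it) ahead of the larger collusive scheme in the ranking, which is exactly the likelihood-driven ordering the article argues for.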
5.) Rank risks and prioritize remediation measures. The ranking of fraud risks through numerical quantification provides management with a basis upon which valuable resources can be allocated for anti-fraud measures. The final fraud control framework will depend on the individual company’s vulnerabilities and management’s risk tolerance.
Two measures that can be used to assess which remediation actions should be taken are the amount of time required to implement the measures and the cost involved. In evaluating these measures, it is critical to review the current control measures and evaluate how they can be revised or enhanced to provide an acceptable level of control.
For instance, in the case of Company A, it was determined that enhancing management exception reports was a remediation measure that could be implemented within 3 months at a cost of less than $50,000, while enhancing due diligence hiring protocols could be accomplished within 6 months at a cost of between $51,000 and $100,000. For every remediation measure identified, management’s perception of the reasonableness of the time and cost involved will determine whether that measure is worthwhile.
By applying the methodology described in this article, management can evaluate and quantify its specific risk to fraud as well as the estimated “cost” of achieving the desired control state. It must be stressed, however, that this exercise cannot be static, and management must periodically revisit all assumptions and vulnerabilities to properly measure the risk of fraud in the ever-changing business environment.
Too often, companies take a fatalistic approach to the risk of internal fraud, assuming that it is nearly impossible to combat. However, with millions of dollars and company reputations at stake, financial services companies cannot afford to give up the war without even waging a battle. While, given human nature, total elimination of internal fraud is out of the question, mitigation is a realistic goal. By understanding their vulnerabilities and implementing appropriate preventive measures, companies can make dramatic progress in conquering the enemy within.