With millions of dollars and company reputations at stake, financial services companies need an effective battle plan to win the war against internal fraud.
Here is an all too familiar example: Company A had inadvertently uncovered a fraud scheme involving a claims adjuster who had issued fraudulent payments totaling $1.5 million. After the adjuster’s arrest, management was perplexed. How could a trusted employee pull off such a fraud without setting off any red flags, such as obvious lifestyle changes?
The scheme also shocked management in its simplicity: Fraudulent payments were issued to third parties via insurance claim files under the adjuster’s control. The payees were family members of the adjuster, and the management reviews and audit processes failed to provide adequate detective or preventive controls.
Before this incident, management believed that all the critical components of a fraud control program were in place, including an Internal Audit function, an Internal Security director, a code of conduct and whistleblower hotline, and various controls over claim operations. But after pondering this case, they began to wonder how many more incidents could be occurring within the organization, and what steps they could take to detect such activity.
Unfortunately, Company A is not an isolated case. Fraud is on the rise in all organizations, and adequate controls over fraud are required by the Sarbanes-Oxley Act, which was enacted by Congress following a string of corporate scandals, many of which involved fraud on the part of management. A standard on internal auditing proposed by the Public Company Accounting Oversight Board (PCAOB) mentions the word “fraud” over 40 times, with section 126 of the standard noting that “identification of fraud of any magnitude on the part of senior management” is a strong indicator of a material weakness in internal controls over financial reporting.
In its comprehensive “2002 Report to the Nation–Occupational Fraud and Abuse,” the Association of Certified Fraud Examiners (ACFE) found that over half of the 663 occupational fraud cases reviewed had resulted in losses of at least $100,000, while 1 in 6 cases exceeded $1 million in losses. The most common type of fraud involved asset misappropriation and lasted at least 18 months before being detected. These statistics suggest that despite increasing awareness of the fraud exposure within organizations, management needs to focus increased attention on this problem and intensify its efforts to mitigate fraud.
For financial services organizations, the risk of fraud is exacerbated by the very nature of the operations, since a large percentage of the workforce has the authority and ability to process large numbers of transactions and disbursements. Assessing fraud exposure in such companies therefore requires not just gauging the likelihood of an event, but also measuring the impact of individual events and the aggregate impact of long-term schemes.
Yet companies typically have failed to adequately assess the extent of the fraud exposure within their organizations. The reasons for failure can be attributed to management’s mistaken belief that a lack of any reported fraudulent activity means that none is occurring; the failure to consider the indirect and incidental costs of fraud, such as damage to business reputation and employee morale; and the failure to quantify risk exposures and identify specific fraud vulnerabilities.
Another reason why many past anti-fraud efforts have failed is that they are based on the assumption that fraud schemes are perpetrated by individuals who fit a preconceived profile. However, the results of the ACFE report and other studies have not shown profiling to be effective.
Profiling often will fail to address the biggest fraud exposures within the organization: fraud committed by management. Many earlier fraud detection and prevention efforts were not geared toward executives and senior management–the individuals who pose the greatest risk, possess the highest levels of trust, have the authority to circumvent routine policies and procedures, and are authorized to approve large disbursements. Often, false assumptions are made regarding the integrity of these individuals, resulting in reliance on trust rather than a system of controls.
Some executives will state they have a zero-tolerance policy toward fraud. While this position is commendable, the reality of day-to-day operations at a financial services organization is that fraud is a risk that cannot be eliminated entirely. Rather, the risk of fraud must be balanced against the realities of the business and the need to empower employees to effectively and efficiently process financial transactions.
To mitigate the occurrence of fraud, companies need to evaluate the current state of their internal fraud controls against their potential exposure to company-specific fraud vulnerabilities.
The steps involved in this process are to:
o Determine the current state of the fraud control framework by gathering data on existing controls in place to detect and prevent fraud.
o Compare current state with leading practices state (gap analysis).
o Identify company-specific fraud vulnerabilities.
o Assess vulnerabilities and quantify the potential monetary loss.
o Rank fraud risks and prioritize required remediation measures.
1.) Determine current control framework. An examination of the controls currently in place to detect and prevent fraud should include a review of entity-level elements of the control framework, such as a code of conduct, whistleblower hotlines and fraud-focused exception reports. Personnel practices also should be scrutinized, including background checks made before an employee is hired, disbursement authorization levels, journal-entry approvals, general IT controls regarding security administration, and self-audits. The scope of Internal Audit activity and the specific steps taken to both validate controls and identify fraud should also be considered, along with recent Section 404 documentation, including process maps and risk matrices that may include an evaluation of fraud risks.
2.) Compare current fraud controls with leading practices (gap analysis). A “gap” analysis compares the company’s fraud prevention practices with the best practices of leading organizations. Gaps may exist when the current state of controls has elements of significant weakness compared to leading practices. These weaknesses will receive appropriate weighting in subsequent calculations of the company’s fraud exposure.
3.) Identify the types of fraud to which the company is exposed. The specific types of fraud exposure will vary from company to company, depending on the nature of its operations. A bank, for example, will have more exposure to cash-on-hand shrinkage, whereas for an insurer, fraudulent claims payments are a major exposure. In the case of Company A, the insurer had 12 separate fraud vulnerabilities specific to its claim operations, ranging from the acts of a single claim handler to collusion between multiple parties (see Exhibit 1).
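The fraud-focused exception report named in step 1 can be made concrete against the Company A scheme: payments routed to the adjuster's relatives through claim files the adjuster controlled. The following is an added example, not code from the article or from any insurer; the adjuster master file, the payment records and the field names are all constructed, and the three red flags (payee surname or address matching the authorising adjuster, and the same payee recurring across one adjuster's claims) are assumptions chosen to match the scheme described above. The per-adjuster total gives the aggregate, long-term view that step 4 asks for.

```python
from collections import Counter, defaultdict

# Constructed sample records (not data from the article): an adjuster master
# file and a handful of claim payments. Company A's scheme was payments to the
# adjuster's own relatives on claim files the adjuster controlled.
ADJUSTERS = {
    "ADJ-01": {"surname": "Morgan", "address": "12 Elm St"},
    "ADJ-02": {"surname": "Chen", "address": "9 Oak Ave"},
}
PAYMENTS = [
    {"claim": "C-1001", "adjuster": "ADJ-01", "payee": "Dana Morgan", "address": "12 Elm St", "amount": 48000.0},
    {"claim": "C-1002", "adjuster": "ADJ-01", "payee": "Rivera Auto Body", "address": "77 Pine Rd", "amount": 3200.0},
    {"claim": "C-1003", "adjuster": "ADJ-01", "payee": "Chris Morgan", "address": "5 Birch Ln", "amount": 52000.0},
    {"claim": "C-2001", "adjuster": "ADJ-02", "payee": "Dana Morgan", "address": "12 Elm St", "amount": 1500.0},
    {"claim": "C-1004", "adjuster": "ADJ-01", "payee": "Sam Okafor", "address": "12 Elm St", "amount": 25000.0},
    {"claim": "C-1005", "adjuster": "ADJ-01", "payee": "Dana Morgan", "address": "12 Elm St", "amount": 30000.0},
]

def exception_report(payments, adjusters):
    """Return one row per payment that trips a Company A style red flag.
    The checks are relational: a payee is only suspicious in relation to the
    adjuster who authorised that particular payment."""
    # Pre-pass: how often does the same payee recur across claims under one adjuster?
    repeats = Counter((p["adjuster"], p["payee"].lower()) for p in payments)
    rows = []
    for p in payments:
        adj = adjusters[p["adjuster"]]
        reasons = []
        if p["payee"].split()[-1].lower() == adj["surname"].lower():
            reasons.append("payee surname matches adjuster")
        if p["address"].lower() == adj["address"].lower():
            reasons.append("payee address matches adjuster")
        if repeats[(p["adjuster"], p["payee"].lower())] > 1:
            reasons.append("payee recurs across this adjuster's claims")
        if reasons:
            rows.append({"claim": p["claim"], "adjuster": p["adjuster"],
                         "payee": p["payee"], "amount": p["amount"], "reasons": reasons})
    return rows

def exposure_by_adjuster(rows):
    """Aggregate flagged amounts per adjuster: the long-running-scheme view."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["adjuster"]] += r["amount"]
    return dict(totals)

if __name__ == "__main__":
    report = exception_report(PAYMENTS, ADJUSTERS)
    for r in report:
        print(f"{r['claim']} {r['adjuster']} {r['payee']:<18} {r['amount']:>10,.2f}  {'; '.join(r['reasons'])}")
    print("flagged total per adjuster:", exposure_by_adjuster(report))
```

Note that claim C-2001 is not flagged even though its payee and address match adjuster ADJ-01, because a different adjuster authorised it; the report surfaces the control failure (self-dealing authority), not the payee name in isolation.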