Fraud has become one of the most worrying factors in recent times for business owners, board directors, senior members of management and even regulators. The increasing number of frauds in some markets over the recent past, significant loss of value and earnings due to fraud, increasing level of sophistication associated with fraud schemes and difficulties in uncovering fraud and recovering losses stemming from such frauds are amongst the leading factors that have given rise to these fears.
According to PwC’s Global Economic Crime and Fraud Survey 2018, 49% of respondents stated that their companies had experienced fraud or economic crime, against 36% in 2016.
What is fraud?
Although the definition of fraud differs amongst jurisdictions, ‘fraud’ generally includes theft, embezzlement, corruption, bribery, extortion, etc. One main definition describes fraud as ‘any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain’.
Types of fraud
Fraud can take diverse forms and the commonly found fraud types include:
- Frauds committed by employees such as misappropriation of assets, payroll frauds, etc.
- Frauds by businesses such as manipulation of financial statements, tax evasion, failure to remit EPF/ETF, money laundering offences, etc.
- Frauds by individuals or organised fraudsters such as credit card frauds, counterfeiting, etc.
- Electronic frauds such as hacking
We can identify several types of internal frauds committed within organisations, which include:
- Misappropriation of assets (e.g. theft of cash and inventory)
- Fraudulent statements (e.g. manipulation of financial statements, falsification of documents)
- Corruption (e.g. giving/acceptance of bribes, conflict of interest, misuse of confidential information)
Why do people commit fraud?
Reasons for committing fraud can be varied. The most common reasons (as depicted in the popular Fraud Triangle), which may assist in gauging the potential for fraud, can, however, be summarised as follows:
Motivation – motivation refers to greed or need, which could motivate a person to commit fraud, possibly caused by desire for a luxurious life or financial difficulties facing the individual. For example, the level of motivation for fraud could be higher where the employees are significantly underpaid relative to the market or where the employees or the management are under excessive pressure to show performance.
Opportunity – generally more opportunity for fraud exists in organisations with weak governance and internal control systems, weak management supervision, little likelihood of detection, and no fraud risk management policies, procedures or anti-fraud culture. Lack of competent staff in supervisory capacities, high complexity of transactions and high complexity of systems caused by automation should not be underestimated either. Research and experience show that opportunity has often been a leading cause of many frauds.
Rationalisation – this refers to the ability of the fraudster to justify the fraudulent activity. For example, bribery being viewed as necessary for doing business and existence of high ethical laxity within the organisation could be used by culprits to rationalise their actions or behaviour.
How to combat fraud?
It may not be practically possible to eradicate fraud risk. However, timely adoption and maintenance of appropriate preventive and detective strategies can reduce the risk to an acceptable level and enhance the chances of detection if fraud occurs.
While prevention and detection are both important in managing fraud risk, prevention should take priority as fraud often becomes costly in terms of the time, cost and effort needed for detection as well as subsequent recovery of any losses. Research and experience have shown that probability of recovering any loss is generally very low and the process involved could be cumbersome and time consuming.
Establishing a fraud risk management (FRM) strategy (anti-fraud strategy) is important in managing fraud risk in a systematic and proactive manner. A fraud risk management strategy sets out strategies (actions) to ensure effective prevention of, timely detection of and timely and effective response to fraud.
An organisation should formulate short and long-term action plans as part of its anti-fraud strategy to ensure that fraud risk management becomes a sustainable process and that the FRM procedures are effectively embedded into the culture and systems of the organisation.
It’s imperative that the board formulates a well-conceived FRM strategy with a view to establishing a robust FRM framework and governance structure, which will be conducive to an effective anti-fraud culture, for effective prevention of, detection of and response to fraud risk and events. A fraud risk management program along with documented policies should be implemented as an integral part of the governance structure.
Some elements of FRM strategies aimed at prevention include:
I. Tone at the top and ethical culture – neglecting fraudulent and unethical practices, whether minor or significant, could lead to very serious implications, both financial and non-financial (e.g. reputational), over time. Thus, it’s important for the board to emphasise that unethical activities of any magnitude will not be tolerated, which clearly sets the tone against fraud. An articulated tone will only be effective if the board and senior management set an example of, and are committed to, ethical decision making and behaviour.
It’s important that the organisation creates a culture which openly talks about morals/ethics, encourages ethical behaviour and unconditionally condemns any unethical activities, practices and attitudes. A culture of fraud awareness is an integral part of an effective anti-fraud system. FRM policies and procedures can effectively be embedded in culture by demonstrating an anti-fraud tone at the board level, rewarding and appreciating moral/ethical behaviour, enforcing strong punitive measures and condemning unethical behaviour. Moral muteness could turn out to be a dangerous deterrent to creating a sustainable anti-fraud culture within an organisation over time. As per the 15th Global Fraud Survey 2018 conducted by EY, 97% of respondents had recognised the importance of demonstrating that the organisation operates with integrity.
II. Assigning specific responsibilities and establishing a clear chain of command/communication channels for dealing with suspected frauds are essential for responding to fraud effectively. Board level leadership should always be present either directly or by delegating to a board subcommittee to review the fraud risk management system and controls periodically.
III. Establishing strong FRM policies and procedures – the board has the responsibility to establish appropriate policies for assessing, monitoring and reporting fraud risk, including the whistleblowing policy and the policy on action to be adopted in the event of a fraud being detected. Further, an organisation should establish and implement policies on confidentiality and nondisclosure of information and privacy. Frequent monitoring to ensure their operational effectiveness will also be important.
IV. Robust systems of internal controls – a strong internal control system is vital in both preventing and detecting fraud. The ultimate overall responsibility for establishing a sound internal control system rests with the board and management. Serious deficiencies in internal controls could create opportunities for fraud that a perpetrator could use for personal advantage. The 2018 Global Study on Occupational Fraud and Abuse conducted by the Association of Certified Fraud Examiners (ACFE) states that internal control weaknesses had been responsible for nearly half of frauds.
Strengthening the internal control system including the control environment will be instrumental in reducing the likelihood of fraud occurring as well as the impact of fraud, if an event occurs. Although the nature of internal controls to be established largely depends on the nature and complexity of business operations, systems used, risk appetite of the organisation, etc., some key controls to be considered may include:
a. Adequate and timely approval of transactions along with adequate prior review. Ideally multiple approvals would be preferable
b. Frequent review and monitoring of high value transactions and those of non-routine nature. Additionally, data analytics could be used to identify any anomalies and high risk transactions. Further, personnel with sufficient calibre and independence should be deployed at supervisory/review capacities
c. Establishing strong physical security controls such as security personnel, surveillance cameras in critical locations subject to frequent monitoring, access control devices, supervised and trained security personnel subject to periodic rotation, etc. Further, adequate safe custody of valuable assets such as cash, inventory, etc. should not be ignored
d. Conflicting roles and tasks should be segregated and assigned to separate personnel (segregation of duties). Processing of an entire transaction should not be carried out by one individual. Where segregation of duties is not possible due to practical reasons or resource constraints, additional review and monitoring of transactions, and exception reporting and review by independent personnel, should be considered as an alternative control mechanism
e. Being vigilant of the employees’ behavioural/lifestyle changes, especially of those who are entrusted with sensitive and high-risk responsibilities
f. Periodic rotation of job roles of key employees
Some high-risk areas such as cash handling, procurement, journal entry posting, high value inventory and complex transactions may demand special attention. The board should periodically review and monitor the effectiveness of the internal control system, including fraud risk mitigating controls, for effective design, implementation and continuous operation.
V. Recruiting the right personnel – strong recruitment procedures including pre-employment screening reduce the possibility of recruiting crooks who often seek to misuse any loopholes in internal controls for committing fraud. This is one reason why the board should not tolerate creating opportunities (for fraudsters to utilise) by way of significant deficiencies in internal controls and unauthorised overriding of controls, to the same extent as fraud is not tolerated. Comprehensive background checks, search for employees’ criminal/fraud history, etc., would be some possible measures.
VI. Fraud Risk Assessment (FRA) – a comprehensive fraud risk assessment is an integral part of an organisation’s FRM process, which includes assessing the significance of identified fraud risks and their prioritisation in terms of their likelihood and potential impact (e.g. potential loss/cost). This process should assess the fraud risk exposure, both at gross and residual levels, of the organisation and identify potential internal as well as external fraud events.
Further, this process is vital for effective risk mitigation. Consideration of the employees’ interactions with and custody of cash and other resources in the light of the fraud triangle elements discussed above would also be a practical means. This exercise will assist in identifying which departments, processes and employees present the greatest fraud risk for the organisation. However, according to PwC’s Global Economic Crime and Fraud Survey 2018, only 54% of global organisations subjected to the study had conducted a general fraud or economic crime risk assessment within the preceding two years. It would be interesting to forecast the results in the local context.
VII. Fraud risk awareness – the level of employees’ awareness of fraud could play a pivotal role in both prevention and detection of fraud. Employees should be aware of what constitutes fraud, the commonly found fraud risk factors/indicators and how to respond to fraud when identified or suspected. Fraud awareness assists effective embedding of FRM in culture and systems. Additionally, research shows that tip-offs by employees have been one of the main means of fraud detection, for which a fraud awareness culture is critical.
In the light of its wider implications, both financial and non-financial, it’s important that frauds and attempted frauds are detected at an early stage in order to minimise their possible impact and to recover any losses.
As fraudsters generally take advantage of deficiencies in internal controls to commit fraud, detection of frauds provides a useful basis for management and audit committees to improve the internal control systems to prevent repetition of fraud in future.
In the same way as for prevention, the culture, the governance structure and the internal control system of the organisation play an important role in timely detection of fraud. Therefore, corporates should have strong detection mechanisms in place to uncover fraud in the event preventive controls fail or unanticipated or unmitigated risk events materialise.
Further, special attention should be paid to the possibility of collusion amongst employees in committing fraud along with involvement of managerial staff in overriding controls, which could be hard to detect and may lead to substantial losses.
While there are various means by which frauds could come to light, the common ones are identified below.
I. Strong risk management and internal control systems
As identification of frauds is a prime objective of risk management and internal control systems, robust risk management and internal control systems can identify frauds at an early stage.
II. Internal audit
Research has shown that an effective internal audit function has been an effective means of timely detection of frauds in many organisations. However, the effectiveness of internal audit function depends on diverse factors including the level of supervision over the function by senior management (e.g. board, audit committee, etc.), its organisational independence, competence and independence of internal audit staff and the audit approach and technology adopted.
III. Setting and monitoring fraud risk indicators (warning signs)
While there are many different indicators of fraud risk, their early identification will enable an organisation to assess its fraud risk accurately, proactively and in a timely manner and direct its effort and resources to effectively mitigate the risk and monitor the same.
Though not comprehensive, some examples of these indicators include absence of proper pre-employment screening procedures, lack of adequate competent staff, lack of management supervision, management incentives linked to overly ambitious financial targets, absence of segregation of duties, insufficient physical security of assets, poor financial reporting controls including period end reviews, weak internal audit function, absence of a strong anti-fraud culture and governance framework, poor information security practices including poor general and application controls and user access rights, etc.
If a few or more of these indicators are deemed to exist, the fraud risk assessment should factor them in accordingly and adopt necessary precautionary measures, including frequent monitoring, to mitigate the associated risk.
Additionally, management needs to identify and monitor fraud alerts (red flags), which may indicate fraud (events).
While most of these red flags tend to be circumstantial and largely differ amongst organisations, some commonly found fraud alerts include unusual and unexplained fluctuations (and patterns) in transactions and account balances (e.g. certain payments and payables, advances, stocks, wastes and write-offs) including variance reports, excessive usage of suspense (or similar) accounts, absence of original documents and reliance on photocopies, unusual journal entries, frequent or unresolved discrepancies between the main ledger (control accounts) and subsidiary ledgers, lack of audit trails (e.g. system logs) for transactions/alterations/modifications, unusual repeated or unresolved discrepancies in physical verifications, etc.
Additionally, management needs to identify any behavioural clues, which could constitute possible indicators of fraudulent activity.
IV. Whistleblowing
Having an effective and efficient whistleblowing system will strengthen both fraud prevention and detection programs of the organisation. Research bears evidence that whistleblowing and internal and external tip-offs have become a leading means of uncovering fraud. As per ‘The 2018 Global Study on Occupational Fraud and Abuse by Association of Certified Fraud Examiners (ACFE)’, 50% of corruption cases had been detected by a tip.
However, the effectiveness of whistleblowing as a means of fraud detection largely depends on the commitment of the senior management towards protection of whistle-blowers and acting on the information. Senior management has a vital role to play in establishing trust in potential whistle-blowers (employees and even third parties) and encouraging them to speak out regarding any known or suspected frauds.
The board should provide leadership to convince the employees that combating fraud is everyone’s responsibility and that the whistle-blowers will be safe afterwards. A strong whistleblowing system will facilitate uncovering problems including fraud at an early stage.
V. Continuous monitoring of data
A mechanism should be established for independent personnel to monitor the organisation’s data residing in diverse information systems in an integrated and holistic manner against pre-set fraud red flags, which will enable management and auditors to identify frauds and attempted frauds at an earlier stage. Additionally, action should be taken to monitor suspicious activities on the company’s network.
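The monitoring against pre-set red flags described above, sketched as an added example that is not part of the original article: it applies a few of the controls and red flags named earlier (missing or self-approval, absent source documents, high-value entries, heavy suspense-account use) to constructed journal entries. The field names, account codes, user names and thresholds are all assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample journal entries (illustrative only; schema is an assumption).
ENTRIES = [
    {"id": "JE-001", "account": "4000-SALES",    "amount": 1200.0,  "posted_by": "asha",  "approved_by": "ravi",  "doc_ref": "INV-1001"},
    {"id": "JE-002", "account": "9999-SUSPENSE", "amount": 950.0,   "posted_by": "kamal", "approved_by": "ravi",  "doc_ref": "MEMO-17"},
    {"id": "JE-003", "account": "2100-PAYABLES", "amount": 48000.0, "posted_by": "kamal", "approved_by": "kamal", "doc_ref": "PO-553"},
    {"id": "JE-004", "account": "9999-SUSPENSE", "amount": 1100.0,  "posted_by": "kamal", "approved_by": "ravi",  "doc_ref": None},
    {"id": "JE-005", "account": "4000-SALES",    "amount": 1300.0,  "posted_by": "asha",  "approved_by": None,    "doc_ref": "INV-1002"},
    {"id": "JE-006", "account": "5000-EXPENSES", "amount": 800.0,   "posted_by": "asha",  "approved_by": "ravi",  "doc_ref": "RCPT-88"},
]

HIGH_VALUE_MULTIPLE = 10     # assumed: flag amounts above 10x the median entry
SUSPENSE_SHARE_LIMIT = 0.25  # assumed: max share of a user's entries hitting suspense


def entry_flags(entry, median_amount):
    """Return the red flags raised by a single journal entry."""
    flags = []
    if not entry["approved_by"]:
        flags.append("NO_APPROVAL")            # approval control missing
    elif entry["approved_by"] == entry["posted_by"]:
        flags.append("SOD_SELF_APPROVED")      # segregation of duties breached
    if not entry["doc_ref"]:
        flags.append("NO_SOURCE_DOCUMENT")     # no original document / audit trail
    if entry["amount"] > HIGH_VALUE_MULTIPLE * median_amount:
        flags.append("HIGH_VALUE")             # unusual amount for this ledger
    return flags


def scan(entries):
    """Map entry id -> flags for every entry that raises at least one flag."""
    # The median is used because one large fraudulent entry barely moves it.
    med = median(e["amount"] for e in entries)
    report = {}
    for e in entries:
        flags = entry_flags(e, med)
        if flags:
            report[e["id"]] = flags
    return report


def suspense_heavy_users(entries):
    """Users whose share of postings to suspense accounts exceeds the limit."""
    total = Counter(e["posted_by"] for e in entries)
    suspense = Counter(e["posted_by"] for e in entries if "SUSPENSE" in e["account"])
    return {u: round(suspense[u] / total[u], 2)
            for u in total if suspense[u] / total[u] > SUSPENSE_SHARE_LIMIT}


if __name__ == "__main__":
    for entry_id, flags in scan(ENTRIES).items():
        print(entry_id, ", ".join(flags))
    print("suspense-heavy posters:", suspense_heavy_users(ENTRIES))
```

The output of such a scan is a review queue for independent personnel, not a finding of fraud; each flagged entry still needs follow-up against the underlying documents.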
The role of leadership
With the increasing automation and complexities in business operations and increasing volatilities in economic conditions, the nature of and the exposure to fraud risk has changed significantly along with the degree of sophistication associated with fraud schemes.
While the Board of Directors are held accountable for managing fraud risk, business owners, shareholders as well as regulators should exert adequate pressure on management to implement strong preventive and detective anti-fraud programs within organisations in order to protect as well as enhance the value of the business.
Though many corporates have realised the importance of anti-fraud programs, the level of their readiness to combat fraud does not seem to be satisfactory. Thus, it’s imperative that fraud risk management is always placed at the top of the Board agenda with a view to minimising any possible incentives (motivation) and opportunities for fraud and preventing scope for rationalisation of fraudulent acts by promoting a strong anti-fraud culture.