Fraud Risk Article - May 2008

FRAUD DETERRENCE Carl Burch, CMA, CIA Finance and Accounting Lecturer Moscow, Russia [email protected]

“To find fraud, one has to know what it looks like. To stop fraud, one has to know what causes it.”1 In criminal law, fraud is “a crime that entails deliberately deceiving another in order to damage them.” There are almost as many types of fraud as there are types of people who commit fraud. The most important thing to remember about fraud is that every company is at risk of being defrauded. Because of this, it is imperative for companies to understand the risks of fraud and how to protect themselves against fraud. In this article we want to focus our attention on fraud that is perpetrated against a company. This type of fraud is more commonly referred to as Occupational Fraud. By definition, Occupational Fraud is “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of employing organization’s resources or assets.” As we can see, this definition can, and does, include every employee within an organization, from the top executives all the way down the reporting line. Occupational fraud can vary from very sophisticated investment schemes, like the one committed by Nick Leeson against Barings Bank,2 or it might simply be the theft of petty cash. But whatever the fraud and no matter how small it may seem, the act is wrong. Before going any further we first want to discuss the three main categories of occupational fraud. They are: 1) Fraudulent Financial Statements. Fraudulent financial statements are financial statements that are intentionally misstated in order to mislead users. The general users of financials include management, financial analyst, shareholders, suppliers and others. 2) Asset Misappropriation. Another word for asset misappropriation is “stealing.” Asset misappropriation includes theft of any assets, or any other action that causes the company to expend cash or other assets for things that will not benefit the company. 3) Corruption. Corruption includes illegal gratuities, brides and kickbacks, conflict of interest, and economic extortion. These three branches of fraud are shown in Appendix A at the end of this article. This fraud tree chart gives a detail breakdown of the type of activities related to each branch. The accounting scandals that have occurred in the US and elsewhere the past few years are examples of occupational fraud. These scandals involved some of the worlds largest business, i.e., WorldCom, Enron, Parmalat (Italian milk processor), Adelphia, Tyco and many others. So what was the affect of these scandals? Taking just Enron and WorldCom; these two companies filed bankruptcy totaling more than $170 billion in assets ($107 billion for WorldCom and $63.4 billion for Enron). Think of the affect these bankruptcies had on thousands of people, either through lost jobs or lost pensions. In addition to the direct financial consequences, these bankruptcies also damaged the public’s confidence in the financial markets. Unfortunately too often it’s only after a crisis that a government will take action to help prevent fraud. Largely as a result of a series of accounting failures that were fraud related, the US government passed the Sarbanes-Oxley Act (SOX) of 2002. The primary purpose of SOX was to: 1

Internal Auditor, December 2007, pg. 63. Nick Leeson was a former derivatives trader for Barings Bank, whose unsupervised speculative trading caused the bank to collapse in 1995. At the time, Barings Bank was the UK’s oldest investment bank. 2

1



Improve quality and transparency of financial reports and independent audits and accounting services for public companies,



Enhance the standard setting process for accounting practices,



Strengthen the independence of firms that audit public companies,



Increase corporate responsibility and the usefulness of corporate financial disclosure, and



Protect the objectivity and independence of securities analysts.

SOX must be followed only by publicly traded companies that are registered in the US. Surprisingly, however, even private companies are now trying to implement some of the recommendations of SOX. Particularly in areas having to do with the audit committee and internal auditors. Whether public or private, all organizations realize that the importance of having strong internal control procedures.

Committing Fraud Now, we want to move on and discuss what motives a person to commit fraud. In order for fraud to be committed, three conditions need to be present. 1.

The person has be motivated to commit the fraud,

2.

The person has to have the opportunity, and

3.

The person has to have the ability to rationalize his or her behavior.

We will now look at each one individually in more detail.

Motivation The motivation is the reason behind the fraud – the reason that the individual chose to commit fraud. There is no single reason why a person commits fraud, but some of the more common factors include: 1) Internal pressure from top management to meet other’s expectations (e.g., market or revenue expectations, etc.). Not meeting their expectations could lead to job loss or demotion. 2) External pressure from financers that threatens the organization’s financial stability. For example, not meeting various requirements in a debt agreement, etc. 3) Pressure to pay for a personal lifestyle, and or vices (i.e., gambling, drugs, etc.). 4) Pressure to maximize bonuses or compensation when it is performance based (e.g., the company has a contingent compensation structure, etc.)

Opportunity Simply having the desire to commit fraud will not allow a person to commit fraud if they do not have the opportunity to do that. Without opportunity, fraud could not, or would not be committed. Some of the factors and conditions that enable an individual to have the opportunity include: 1) The knowledge of the weaknesses of the company’s internal control systems, 2) Access to accounting records or assets, 3) Lack of supervision, 4) Unethical “Tone at the Top,” and 5) Belief that the person will not get caught.

2

Ultimately, it’s up to management to understand the opportunity factors that could lead to fraud being committed in a company and then to minimize the risk of fraud by reducing the opportunities that exist for fraud to be committed.

Ability to Rationalize Behavior The last factor that has to be present in order for fraud to be committed is the ability of the person to rationalize his or her behavior. Unless you can rationalize your behavior, you will not commit fraud – even if you have the motivation and opportunity. Quite simply what you are doing here is convincing yourself that there is a perfectly acceptable reason for what you are doing. The sense of ethics, morality and the idea of right and wrong is what prevents some individuals from rationalizing this behavior. Some examples of rationalization are: 1) The individual believing that they have not been properly compensated for their work. They believe the company owes them something for work that they have done in the past, and therefore, stealing money is not stealing, but just getting what is rightfully theirs. 2) Not getting the recognition an individual feels that they should be getting. 3) Needing more money in their personal life. 4) Or, perhaps the individual is able to justify the theft because they plan on returning the money in the future. Again, without some form of rationalization, together with the motivation and opportunity to commit fraud, fraud is not going to be committed.

Fraud Deterrence Now, that we have gone over what fraud is and what causes people to commit fraud, we want to turn our attention to what companies have to do to deter or mitigate the risk of fraud. This is one of the most important responsibilities for management in setting up the internal control system. Unfortunately, no matter how hard a company may try and as much effort as they put into this process, it is unlikely it will ever be able to guarantee that they have eliminated the risk for fraud. In short, this is because people may work together to get around the system and its controls, or intentionally avoid the controls that are in place. The two main inherent risks that all companies face are collusion and management’s override of controls. Collusion is where two or more employees get together to commit fraud. Even if there are proper segregations of duties, that segregation of duties will not be effective if the people whose duties are segregated work together. Management’s override of controls occurs when management simply ignores or orders others to ignore the controls that are in place. Studies have shown that in cases of fraudulent financial reporting, management has consistently been able to override systems of internal accounting control. Given these inherent risks, what can companies do to deter fraud? Fraud deterrence and prevention starts by being proactive in the way the company approaches fraud trying to prevent fraud before it occurs. When looking at potential fraud in your company, you have to ask yourself if management is truly serious about trying to deter fraud, or is it just talking about it without really intending to do anything. Fraud deterrence requires that the company persuade individuals not to commit fraud in the first place because of the likelihood of detection and punishment for those who do commit fraud. We have identified three proactive components of a fraud deterrence program that are very beneficial in the prevention and deterrence of fraud. These three components are: 1) Having an effective internal control system set up by management, 2) Establishing a whistleblowing program, and 3) Identifying fraud risk.

3

First and foremost, the deterrence of fraud starts with management. The deterrence of fraud is not the responsibility of either the internal auditor or external auditor, although they can be part of the process to review and possibly recommend improvements to the current control system. It is management that has to establish and maintain controls, which must be cost effective. Cost effective means that the benefits of implementing controls outweigh its costs. Management always has to be looking at this when implementing any control. It’s very possible that there may be a control weakness but the cost to eliminate the weakness could be prohibited. Another benefit of having an effective control system is that it can improve stakeholder confidence in the company, which in turn can be used to attract new investors and lower financing costs. Lenders will feel more comfortable lending to a company that is serious about its controls. When we talk about strengthening controls, we have to make sure the company has the ‘right tone at the top’. Having the ‘right tone’ reinforces management’s position on fraud by demonstrating that these are not only words, but that management will back them up with actions. The ‘right tone’ means 1) Transmitting guidance both verbally and by example. What management says, management does. 2) Explicitly communicating organization’s values, standards and ‘code of conduct.’ If there are violations then management follows up on the violations and some sort of punishment must be given to those who violate the controls. 3) Fostering a “control conscience” by setting formal and clearly communicated policies and procedures that are to be followed at all times, without exception, and which result in shared values and teamwork. 4) Hiring and retaining competent people. 5) And finally, appropriately assigning authority and responsibility throughout the organization. Our second proactive component is the establishment of a whistleblowing program. A whistleblower is the person who reports a violation of internal controls or a fraud that is being committed. A whistleblowing program is intended to encourage employees who witness wrongdoing to report the incident rather than looking the other way. Though, as we learned not too long ago regarding the French bank, Société Générale, the bank had been repeatedly warned about the behavior of one of its traders, Jérôme Kerviel, but took no action. This inaction directly led to the bank losing €4.9 billion (approximately $7.6 billion). This shows that even when someone informs management about a potential problem, management may often not be willing to take action, for whatever reason. A proper fraud investigation from the onset would have stopped this rogue trader much earlier and saved the bank billions of dollars. The fact that the information was not acted on was a complete breakdown of controls. In many cases when fraud is detected by an employee, or is known to be occurring, people are afraid to raise the alarm because they do not know what will happen to them after speaking out. Companies should encourage people to make their worries known by establishing whistleblowing procedures and protecting the future jobs of people who do blow the whistle. Because of the potential benefit of having an effective whistleblowing program, Sarbanes-Oxley Act requires U.S. publicly traded companies to have a whistleblowing program in place. Our final proactive component is fraud risk assessment. By this, we mean that management should identify as many threats as possible, and evaluate them to determine which ones require action, and the priority for that action. Whenever you are review controls you should be aware of some of the factors (red flags) that could indicate the presence of fraud. These red flags, which are a source of risk identification for management, include: 1) No segregation of duties, 2) Not limiting the access to assets, 3) Failing to compare existing assets with recorded assets,

4

4) Executing transactions without proper authorization, 5) Lack of personnel or qualified personnel that leads to improper controls, 6) Collusion among employees, 7) Unrestricted access to computer disks, 8) The existence of high-value, small, liquid assets, 9) The ability of management to override the controls in place, and 10) Not having proper compensating controls for computers at off-site locations We can see that fraud risk assessment is a comprehensive undertaking. But, once the assessment is complete the company’s key stakeholders should be able to capitalize on the work by implementing controls that are able to reduce the risks to an acceptable level. A fraud risk assessment is not the end of the process. Circumstances change constantly and some changes may trigger the need to revise the assessments. “A fraud risk assessment process should be ongoing, dynamic and reflect the organization’s current business conditions.”3

3

Internal Auditor, December 2007, pg. 65.

5

Appendix A THE FRAUD TREE The three main branches of fraud have been identified as corruption, asset misappropriation, and fraudulent financial statements. The chart below shows examples of fraudulent activities for each branch.

Asset Misappropriation

Corruption

Conflict of interest

Bribery

Purchasing Schemes, Sales Schemes, Other

Kickbacks, Bid rigging and others

Larceny

Illegal Gratuities

Fraudulent Disbursements

Asset / Revenue Over or Under Statement

Economic Extortion

Inventory and all other Assets

Cash

Fraudulent Statements

Skimming Misuse and Larceny

False Sales and Shipping

Purchasing and Receiving

Timing Differences

Fictitious Revenue

Concealed Liabilities and Expenses

Nondisclosure

Improper Asset Valuation

6

7