The worst injuries are often the ones that go undetected. In far too many cases, companies that report no fraud are simply unaware of the leakages inside their own area of operations, which tend to be significant in scope. The most recent edition of Report to the Nations: Occupational Fraud, by the Association of Certified Fraud Examiners, estimates that organisations lose 5% of revenue to fraud each year. While the median loss per case is USD 117k, the average loss is an eye-watering USD 1.78 million.
The nature of this problem, however, means that it can be difficult to detect and quantify. Indeed, many associations and organisations conduct studies and surveys in an attempt to establish the cost of fraud for organisations. The findings vary from study to study, and from survey to survey, though they reliably point to vulnerable areas of organisations which are more prone to fraud.
Yet targeting these areas is not so simple. There is no specific or common area where fraud exists, or modus operandi for those involved, as the vulnerable areas of an organisation depend on the nature of its business, as well as its geography and the environment in which it operates. The key takeaway is that fraud is prevalent in almost all organisations. Fraud losses are not restricted to a particular sector or country, and there are multiple points through which the average organisation loses money through fraud.
When we as forensic professionals talk with clients about our services, we often hear from the company leaders or relevant stakeholders that all is well in the business, their controls are working, all risks are monitored, there are zero reports on incidents of fraud, and other such responses. Yet when the same client later approaches us regarding an incident of fraud which the business has witnessed and wants investigated, it turns out that even basic controls are missing.
Why don’t organisations take proactive measures to fight fraud?
The decision of not opting for any pro-active mechanisms of detecting fraud largely boils down to the fact that businesses do not budget for such activities. In such cases, companies also fail to recognise the indirect costs associated with fraud, such as reputational damage and the costs associated with investigation and remediation of the fraudulent acts. The cost of the direct and indirect consequences of fraud is substantial, and additionally include the time and resources spent on investigative and cleanup efforts, as well as other resources that an organisation will dedicate to dealing with the issue, which must be diverted away from its day-to-day work.
The other reason that organisations tend not to proactively fight fraud is that they often expect their statutory auditors and internal auditors to be able to flag irregularities and/or instances of fraud. Simply put, the common expectation regarding auditors is that they will be able to detect and/or prevent fraud.
While auditors doubtless have a role to play in fraud risk management, this is not their primary responsibility. Fraud prevention is the responsibility of company management, as well as those charged with governance of the organisation. In a real-world scenario, neither external nor internal auditors have the expertise of a person whose primary responsibility is detecting and investigating fraud. By contrast, forensic professionals specialise in undertaking investigations which involve interviews, digital forensics, data analytics, and other methods to gather evidence of the existence or non-existence of fraud.
Risks are never constant, but constant monitoring of risks is needed
It is the need of the hour for organisations to change the lens through which they evaluate risks and fraud. Even in organisations that follow corporate governance requirements and general risk management principles, both the causes and effects of fraud are often missed. OFAC guidelines on the topic state: “While there is no one-size-fits all risk assessment, the exercise should generally consist of a holistic review of the organisation from top-to-bottom and assess its touchpoints to the outside world.”
Measures to detect fraud
It is not surprising that organisations consider internal audit as a proactive method to detect frauds. But, as per ACFE’s last report, this method is only second-best. A whistleblowing hotline is the most common method to detect instances of fraud or wrongdoing, though this channel is somewhere in between an active and passive method. Other detection methods include risk assessments, due diligence, management reviews, document examinations, reconciliations, and the monitoring of data and transactions.
In our experience as forensic professionals, we have seen that the monitoring of data and transactions is the least leveraged method amongst the ones listed above. Very few organisations have been able to fully leverage the benefits of proactively monitoring and analysing their data to detect fraud, or to be better prepared for risks which the business is exposed to. While many organisations analyse financial data for various other reasons, such as to gain customer insights, perform cash flow analyses, and project revenue, such activities typically take place in silos. Most organisations do not realise that similar data can also be used to detect patterns of frauds which may be potentially taking place in the organisation, or to produce insights about risk which merit proactive attention before this risk turns into an issue for the organisation.
Combating fraud risk proactively
During their regular assessment processes, organisations across industries go through the cycle of Prevent-Detect-Respond – yet they still experience fraud or other instances of wrongdoing. The reason is that regular risk assessments tend to review only select or key processes, and only in limited ways due to the finite resources available. While it is reasonable to focus efforts on the processes which are more vulnerable or prone to fraud risk, it is best if all risks are explored using a multifaceted approach.
Some of the best ways to identify risk areas involve interviews, brainstorming, questionnaires, process mapping, industry risks, instances observed in the past, and risk observed by peers. Following the use of these methods, it is important to identify data points which are ready to be analysed. Modern technology has made it possible to analyse 100% of this data, unlike the traditional approach wherein only sample data would be reviewed. Transactions which are flagged as outliers (based on the risk identification) can be selected for detailed review. Subsequently, the reviewer can identify the symptoms of fraud and investigate these instances in greater detail.
The team at Grant Thornton in Thailand consists of forensic and risk professionals who have multi-sector experience, and a knack for detecting instances of wrongdoing. We can break the process into important sections such as risk and data points identification, smart rules, and industry specific rules and patterns, to help identify instances of wrongdoing.
Our eye for detail lets us gather material evidence from the instances of wrongdoing, and take it to its logical conclusion. We can also suggest pragmatic controls to prevent fraud from occurring in the first place. Contact us today to learn more.