Home > Risk > Fraud is always with us

Fraud is always with us

Even with the COVID-19 crisis dominating our thinking, fraud persists. People with unbelievable levels of immorality are taking advantage of the pandemic with new ways to steal from people and organizations who cannot afford any further losses.

For internal auditors, fraud has always been a concern.

Some nations even have regulations that require internal auditors to make the detection of fraud and the auditing of controls around fraud to be one of, if not their top priority.

But should it be?

Every year since 1996, the Association of Certified Fraud Examiners (the ACFE) has shared a revealing look at fraud in their Report to the Nations. It is always worth our time.

The ACFE has just released their Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse.

Here are some key points:

  • The results of their study are based on a global survey of Certified Fraud Examiners (CFEs) in 2019. In other words, this is a perspective from fraud practitioners, not business executives.
  • Overall, the CFEs estimate that organizations lose about 5% of revenue to fraud each year. It is unclear in this year’s report what is included in that estimate, but in prior years it has included a variety of both monetary and non-monetary frauds, including both significant (such as financial statement fraud) and trivial activities (such as personal use of a company computer).
  • The median loss per case was $125,000 and the average $1,509,000 – indicating that there were a huge number of small losses and a limited number of large ones.
  • A typical fraud lasts 14 months and costs $8,300 per month.
  • 43% of frauds were uncovered by a tip. The next most common detection was by internal audit at 15%. (Internal controls are split out among management review, 12%, account reconciliation, 4%, document examination, 3%, surveillance/monitoring, 3%, and IT controls, 2%; the total for internal controls is therefore around 24%.)
  • Certain fraud schemes, such as check and payment tampering, were far more common in smaller businesses.
  • As to be expected, frauds involving senior executives or owners were far more significant, averaging $600,000.
  • In 46% of cases, organizations decided not to refer those involved to law enforcement.
  • The typical loss varied widely by region. It will surprise some but the typical loss in Asia Pacific of $1 million dwarfs that in the US of $563,000 and in Western Europe of $638,000.
  • Only 21% of cases involved losses exceeding $1 million.

Every year, I come to the same conclusion.

Fraud is rarely one of the top ten sources of risk to an organization!

These losses are (with few exceptions) immaterial to the overall success of the organization.

That doesn’t mean fraud should be ignored, but it shouldn’t be assumed that every audit has to assess controls over fraud.

I am fine with every audit planning exercise (including the periodic and continual risk assessment processes) consider the risk of fraud. But then, work should be performed that is commensurate with that level of risk.

Having said that, this report provides interesting and valuable information on fraud schemes around the world, differentiating between each region.

I highly recommend it.

What do you think?

  1. April 20, 2020 at 9:58 AM

    I agree that fraud is rarely material to the organization. However, the optics are problematic for IA. Boards and executives experiencing an embarrassing fraud may look to IA and assign the incident undue weight in their evaluation of the IA function, relative to say a business not meeting its profit target. While the latter may be more material, IA is rarely blamed for a profit shortfall, no matter how much operational auditing we’re doing in an area.

    In other words, the Audit Committee’s expectations around fraud may cause IA to assign extra weight and time to controls designed to cover the more likely fraud scenarios. For instance in a real estate business, IA has to look at controls around wire fraud. Due to more capable cyber criminals, everyone should be checking controls designed to make sure that employee and supplier bank account information has not been changed prior to major disbursements.

    I don’t think fraud emphasis in moderation is a problem, as larger organizations have quality and process improvement specialists covering key operational risks. Fraud is simply the type of risk where leaders look to IA for protection.

    • Gary Lim
      April 21, 2020 at 12:46 AM

      David, I like your ending statement “Fraud is simply the type of risk where leaders look to IA for protection.” IA is a qualified professional accountant like in Malaysia Listed Company the Chairman for Audit committee must be an accountant. The approach of the fraudsters, I would like to think that they are also very “material” savvy, they learn the existing systems and look for the weakness and if there is collaboration of the CEO, by the time the case is discovered the company is already in deep trouble.

  2. April 21, 2020 at 3:12 AM

    Norman, I entirely agree with you but one problem with fraud is the emotion surrounding it. This can make an ‘immaterial’ fraud become ‘material’ because all those affected (including the board) feel in some way betrayed by the perpetrator, particularly if they were a trusted individual.
    Another problem is the reaction to a fraud. In my experience, it can lead to the implementation of many new controls, some of which are totally ineffective and possibly cost far more than any fraud they might stop. This over-reaction needs to be costed into materiality.

  3. Richard Fowler
    April 21, 2020 at 5:02 AM

    Almost half of the identified fraud cases are handled internally, and this is likely due to a desire for avoiding the reputation risk that attends a public disclosure. The risks to the organization from fraud are not just the monetary losses. There are associated risks that should be considered. That’s a big part of why fraud is included in the IIA standards (and ISACA standards) and why fraud detection is included in audit planning. You’re right that the level of materiality is low from the fraud itself, but the loss of stakeholder confidence can be much more damaging.

    • Norman Marks
      April 21, 2020 at 6:16 AM

      Richard, when fraud losses are small (as shown in the report), how can they be material to investors and affect confidence? I agree that when senior management is involved, they are often material – but those are far less frequent.

  1. May 6, 2020 at 5:32 AM

Leave a Reply to dmgriff Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: