The latest information on fraud risk

For the 13th year, the Association of Certified Fraud Examiners (ACFE) has shared with us the results of their annual survey, with the latest being Occupational Fraud 2024: A Report to the Nations.

I have been reading and commenting on their reports for years and you can find a few blog posts here using the Search function.

This year’s report is based on 1,921 fraud cases investigated by CFEs between January 2022 and September 2023, of which 38% were in the USA.

The ACFE broke the cases into three categories:

  • Asset theft or misuse represented 89% of the cases with a median loss of $120,000.
  • Corruption (bribery, purchasing or sales schemes, extortion, etc.) was involved in 48% of the cases, with a median loss of $200,000.
  • Financial statement frauds were only 5% but the median loss was $766,000.

38% of the cases had more than one of the above, with 35% of the cases involving both asset theft or misuse and corruption.

The ACFE found it interesting that less than 1% of the cases involved financial statement fraud alone.

The median duration of a fraud was 12 months, and the average loss per month was $9,900.

Internal controls can have a significant impact on reducing fraud risk. The ACFE reported that:

…four controls—surprise audits, financial statement audits, hotlines, and proactive data analysis—were associated with at least a 50% reduction in both fraud loss and duration. Surprise audits and proactive data analysis were among the least commonly implemented anti-fraud controls in our study…, which shows some opportunity for many organizations to reinforce their anti-fraud efforts by considering the addition of these controls.

The report has an interesting chart on this on page 40.

As might be expected, the more senior the perpetrator, the more expensive the fraud.

…frauds committed by individuals at the owner/executive level only represented 19% of cases but caused the highest median losses by far. Perpetrators at the owner/executive level caused a median loss of USD 500,000, which was more than eight times as much as staff-level employees (USD 60,000) and almost three times as much as mid-level managers (USD 184,000). Frauds carried out by employees and managers were much more common, representing 37% and 41% of the cases submitted, respectively. Similarly, fraud cases perpetrated by individuals at higher levels of authority took longer to detect. The median duration of frauds perpetrated by employees was only 8 months—one-third as long as those perpetrated by owner/executives (24 months)—while frauds committed by mid-level managers had a median duration of 18 months.

There’s a wealth of information in the report, and I will quote just two more factoids:

  • …more than half (54%) of the frauds in our study were carried out by multiple perpetrators colluding, rather than a single fraudster acting alone. Schemes committed by sole perpetrators also had the lowest median loss (USD 75,000), and frauds perpetrated by three or more perpetrators caused losses more than twice as high as those perpetrated by only two coconspirators. The higher losses associated with collusive schemes could be related to easier circumvention of controls, such as separation of duties, when multiple perpetrators work together.
  • …the vast majority of perpetrators in our study (87%) had never been either charged with or convicted of a fraud-related offense, meaning that traditional criminal background checks would not have prevented the frauds from occurring. Interestingly, 5% of cases involved perpetrators with a prior fraud conviction that either was not known to the victim organization at the time of hiring or did not prevent the organization from hiring them.

None of us will be surprised to see that the more senior the perpetrator, the less likely they will be punished when caught.

That brings us back to what we should do about fraud risk.

Some believe that internal audit is responsible or should be responsible for detecting fraud, assessing fraud risk, etc.

No.

I will repeat what I said in 2018 on this blog:

I am a strong believer that the resources dedicated to addressing fraud risk (by management or by internal audit) should be commensurate with the level of risk.

Those organizations with high risk should allocate more resources. Those with lower levels of risk should spend their precious resources elsewhere – given a basic minimum to keep the risk low, such as a code of ethics with training and annual certification, a whistleblower hotline, and prompt and capable investigation of every allegation.

That brings us to the need for a fraud risk assessment.

I believe that this should ideally be a management responsibility. The CRO can also take it on. But the internal audit team has the expertise to at least assist, at most complete the assessment on behalf of management.

It should be updated at least annually and every time a fraud is detected.

The fraud risk assessment for SOX should be focused on the potential for a deliberate material misstatement of the financial statements filed with the regulators. I prefer it being a separate document from the enterprise fraud risk assessment.

Management should obtain assurance that the controls in place to keep fraud risk at or below desired levels are effective.

Some internal auditors feel it is their obligation to detect and investigate fraud. I agree with the second part for most organizations (some have a separate unit of fraud examiners), but not the first.

It is management’s responsibility to have appropriate controls in place to prevent and detect fraud, not internal audit.

However, the board or audit committee may decide it is better to charge internal audit with fraud detection. I am OK with that as long as it is in the audit department charter and they have additional resources (beyond what they need to address more significant risks).

I encourage you to read the ACFE report. You may want to print and highlight the more interesting statistics and comments, then share them widely within your organization.

My congratulations to the ACFE on yet another excellent study, very well presented.

  1. djallc
    March 25, 2024 at 9:14 AM

    When reviewing this report, it is important to consider the methodology used (per the report’s website):

    “Respondents were asked to provide information about the single largest occupational fraud case they had investigated that met the following four criteria:

    1. The case must have involved occupational fraud (i.e., fraud committed by a person against the organization for which they work).
    2. The investigation must have occurred between January 2022 and the time of survey participation.
    3. The investigation must have been complete at the time of survey participation.
    4. The respondent must have been reasonably sure the perpetrator(s) was (were) identified.”

    There is no attempt to have a sample of cases that are representative of all fraud, no clear definition of “largest” cases, and only 25% of submissions were usable for the report (1,921 of 7,463).

    Don’t misinterpret my cautions – there is a lot that can be gleaned from the report, but this can only be done recognizing its limitations arising from its methodology.

    • Norman Marks
      March 25, 2024 at 9:17 AM

      Excellent point, Doug. The losses are going to be higher than the general population of fraud cases.

  2. Anonymous
    March 26, 2024 at 1:40 AM

    It is not just that the individual losses are higher.

    By omitting both small value cases and frauds committed by external parties, the overall pattern and profile of frauds is likely to be very different than what CPFE reports.

    There is some research from psychologists for example that suggests that small frauds may actually cost more (because they are large in number) than the few large frauds that grab the headlines.

    If we are to understand fraud risk properly, we need much better data and more transparency – and there is where the problem lies. The UK Govt a few years ago published a fraud landscape report – once – and did not repeat (as far as I can see). Presumably because it raised too many difficult questions …
