These are not Your Grandparents’ Fraud Risks
Whatever happened to the good old days when fraud concerns consisted of someone pocketing cash from the till or writing a check to themselves? Even the infamous Charles Ponzi’s sophisticated scheme from the 1920s pales in comparison to the antics dreamt up by today’s would-be fraudsters. Not to be forgotten, the tried and true approaches involving check-writing schemes, credit card and/or expense reimbursements, and fake employees are still alive and well today. These schemes routinely rank among the more frequently perpetrated as reported by the Association of Certified Fraud Examiners.
As a result of today’s technology, the risks related to fraud require stronger and more extensive preventive measures than simply locking up the organization’s checkbook. But the reality is that organizations of any size have a limited amount of resources they can devote to the accounting and IT functions in general, and fewer still that can be dedicated specifically to fraud prevention measures. Deeper analysis and careful consideration are required to understand how to develop the right-size fraud prevention program for each organization.
Understanding how fraud occurs will assist in implementing “risk responses” and “monitoring processes” that will reduce the possibility of fraud. The following is a list of steps to help your organization better understand fraud and design a fraud prevention program that is tailored to fit your needs. Steps 2 through 4 relate to getting the right pieces in place; steps 5 and 6 address consideration of the specific risks facing an organization.
1. Understand the Fraud Triangle
The fraud triangle is a concept that was developed by Dr. Donald Cressey, a sociologist who studied fraud cases for patterns of behavior. He found three elements common and nearly universal in the perpetration of a fraud scheme: motivation, rationalization, and opportunity. Someone must be motivated to perpetrate the fraud. That motivation is often fueled by some sort of private financial need that can take the form of excessive debt, substance abuse, an ailing parent, or any variety of “life events.” The perpetrator also has to have a rationalization to commit the fraud. Rationalizations are found in common statements such as “they do not know how much I do for them,” or “I deserve a little extra,” or “the company is doing so well they will not even notice.” Finally, fraud would not be possible unless an opportunity was presented to the perpetrator. Opportunity comes in the form of disregarded or absent internal controls and safeguards, ineffective supervision of the accounting function, and the general perception that fraud can be committed without detection or adverse consequences.
Understanding the fraud triangle sets the table for a fraud prevention program and helps the organization understand what it is up against. If you think of the fraud triangle as a three-legged stool, all you have to do is knock one of those legs down to prevent the scheme from taking shape. Think about how you can identify individuals on your team that have experienced “life events” and may have new motivations; how people on your team could rationalize their needs and how you can deflate those justifications; and how you can properly safeguard your assets and/or data and monitor financial reporting to close off any opportunity in the eyes of a would-be perpetrator.
2. Set the Right Tone at the Top
Tone at the top is an often-used phrase, but in the context of fraud prevention it is a critical one. Without a proper tone at the top and executive support for internal controls and complete, accurate, and transparent accounting and financial reporting, the “operators” of the system will not follow through and execute on the specifics of the plan. Leaders can demonstrate this proper tone in their dealings with fellow employees, customers, vendors, and regulators. Leaders can also demonstrate this by always complying with internal control requirements themselves, professing their beliefs in honesty and integrity, and publicizing the organization’s code of conduct.
3. Hire and/or Retain Qualified Employees
A great way of positively influencing the organization from top to bottom is through a careful hiring (and retention) process. It is essential to ask only those persons to join your organization who possess not only the technical wherewithal needed for the specific job but who also demonstrate a personal integrity that is consistent with the mission of the organization. It is important to conduct background checks and follow up with references, especially when hiring for “positions of trust.”
Continuing the qualifying procedure is an important element in the risk assessment process. It is important to keep close enough to your employees to understand how their “motivations” may be changing. The ACFE studies have shown that fraud perpetrators are more frequently long-term employees and that their schemes did not start until later in their tenure with the organization, suggesting that the motivation and rationalization portions of the fraud triangle manifested over time.
4. Provide Adequate Accounting Resources
Aside from having the right accounting personnel in place – both quantity and quality – an effective accounting group will also provide timely and meaningful information to management to help them assess the health of the organization and its financial performance. A well-organized chart of accounts is a great place to start. In addition, providing sufficient human resources to allow for a timely periodic close is critical. In this case, information is only useful if it is delivered timely to allow for an unusual trend to be investigated and remedied quickly; or in the worst case, allowing fraud to be identified and caught before it gets out of hand.
An effective accounting operation will also capture and report on non-financial metrics (e.g., number of units produced, number of members, number of families served). These metrics provide a wonderful analytical tool when compared to the financial results of the organization to explain unusual variances or to identify simple errors or signs of fraud.
5. Perform a Risk Assessment
A fraud prevention program should be something that is continually evolving and periodically revisited. Many organizations are operating in a dynamic environment with potentially new programs, partners, and economic challenges facing them every day. The risk equation for an organization is constantly shifting, and those new risks need to be properly assessed and appropriate internal controls need to be established and monitored.
The risk assessment process should be inclusive of a wide variety of risks: operational, economic, financial, market competition, fraud, etc. A great place to start with an assessment is to hold a brainstorming session of key stakeholders in these processes to understand the variety of risks the organization is facing and how you can respond to mitigate those risks. Assessments specific to fraud risks would include understanding the major transaction cycles within the organization, how processes within those cycles change depending on which of the organization’s programs are involved, and which of the organization’s possessions are susceptible to theft. Think of possessions broadly, to include fairly liquid assets like cash and investments, somewhat liquid assets like inventory, receivables and fixed assets, and non-financial items like customer lists, human resources data, intellectual property, and trade secrets. Then assess how your current systems are addressing each of these and how you might need to supplement those systems. It could be that at this stage a consultation with an expert might be necessary to fully understand your exposure; for instance, consulting with an IT Security Auditor to understand the risk of a data breach.
It is also important to assess the risks of potential fraud related to reporting of financial statement information. Understanding the areas that are susceptible here–estimates, items requiring manual calculation, journal entries, etc.–and the appropriate response is key as well.
Risks should always be properly weighted based on the likelihood of occurrence and the severity of the effect an instance of each event would have on the operation of the organization. Those that would be both non-severe and unlikely to occur only merit a minimal allocation of resources, if any. Those that would be both severe and likely to occur need immediate attention and an adequate allocation of resources.
6. Establish and Monitor Internal Control Procedures
Once the initial assessment process has been completed, the next logical step is to shore up those areas identified that need additional resources, apply those resources, and then establish and monitor internal controls to make sure those risk areas are getting the proper amount of attention. Expectations on the execution of internal controls should be well documented, used as a performance measurement for those personnel involved, and periodically tested for functionality and effectiveness.
The risk of fraud is a concern for all enterprises, but fraud can be particularly damaging to a not-for-profit organization’s reputation, with potentially devastating consequences. An effective fraud risk assessment program should be established as a formal written policy, and the procedures above should be documented. The results of the assessment should be communicated to the Board of Directors.