Do you know how to beat the fraudster?
Increased business complexity and erosion of traditional controls due to more integrated systems, decentralization and matrix organisation have reduced management oversight. Keeping in mind that the “primary responsibility for the detection and prevention of fraud rests with both those charged with governance of the entity and management” (ISA 240), it is essential for managers to be able to get critical information which can allow them to understand and respond to the risks of fraud and corruption in a dynamic and effective way.
Who is in charge of identifying the risks and detecting fraud?
With limited resources, clear mandates are key, and expectations need to be set right from the start. This will save everyone from having to produce (and/or review) too much information and from missing out on relevant knowledge. Significant information missed out can easily lead to blaming each other when problems arise, something very typical when fraud in an organisation is uncovered.
Employees in charge of internal control, monitoring and finance are usually expected to have far deeper insight into processes and business, not to mention more time to pursue issues further. Even though informative internal assessment and reporting may sound like a reasonable and straightforward expectation, it demands quite a lot from those responsible: they have to act as the “organisation’s critical friend”, advising managers at all levels, evaluating and anticipating risks, analysing and confirming information, and on top of everything, coordinating with other assurance providers to guarantee to executive management and the board that risks are being dealt with effectively. And what if we add early detection of fraud and corruption to the list? Do your employees in charge receive practical fraud training, and are they tasked with actively looking for fraud and identifying potential loopholes and weaknesses that open the way for malpractice, or are they expected to do that in their spare time?
Why is fraud risk different?
Fraud and corruption risk differs from most other risks in that it is based on deception; things are not as they appear to be. Identifying risks which are not already well known requires both creativity and the ability to approach the task from different perspectives. In focusing specifically on early detection and risk identification of corruption and fraud, we have experienced the benefits of using two techniques:
1. Identify and explore weaknesses, loopholes, and possible methods of circumventing existing processes, routines and controls, by “thinking like fraudsters”
2. Analyse transactions and other data from accounting systems to recognize indicators and early warning signs of potential malpractice
Think like a fraudster
Our “think like a fraudster” methodology begins with a simple question: ‘How would YOU defraud your organisation in the next year without getting caught?’. People are challenged to put themselves into the shoes of a fraudster and devise ways to beat the system, through facilitated fraud risk mapping workshops. This approach is more effective than simply going through a list of pre-defined risks to see if they are applicable. This technique is widely used in organisations and companies to identify control weaknesses. In the world of information security for example, experts are engaged to perform penetration testing, i.e., to try to hack their way into a system just to see if they can find a method. If they succeed, the method they used is then identified as a weakness to be corrected. In a similar way, by stimulating individuals to think of creative ways of defrauding their organisation, it is possible to generate a series of risks based on their real experience, knowledge and insight. The methodology can then be developed further into an alternative way to map the risks of fraud within the organisation.
Follow the money
We must keep in mind that fraud is a dynamic risk, with perpetrators continually seeking to circumvent internal controls. Therefore, in order to identify the early warning signs of fraud effectively, it is important that: 1) the search criteria are designed by those with experience in looking for and detecting fraud, and 2) the results are interpreted by experts able to apply their fraud knowledge to the specific business context.
When working with early detection we can, for example, analyse money flows with suppliers and customers, looking for suppliers and customers that match a series of potential fraud criteria. For each, we select a few documents relating to transactions red-flagged for possible malpractice. Red flags do not constitute fraud in themselves, so it is crucial to be able to understand and interpret the various discrepancies and inconsistencies and try to conceive the possible “fraud scenarios” they could indicate. To mention just a few: insufficient specification on a supplier invoice might result in not knowing what goods or services are purchased, or from whom they are sourced, with the risk of being overcharged or unnecessarily sourcing items from non-value-adding middlemen instead of producers. If a transaction is approved without the documentation substantiating it, then anyone could submit a claim and get paid without a legitimate reason. This could lead to legal and financial consequences, but also severe reputational damage where unsubstantiated transactions hide bribes or facilitation payments, either to private individuals or to organisations. Having only one employee acting as point of contact with many customers risks collusion, whereby some are given special treatment at the expense of the company’s reputation and bottom line.
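The red-flag screening described above, as an added example that is not part of the original article: it applies three of the indicators named in the text to a constructed ledger extract. The field names, the vague-word list and the threshold of three customers per contact are assumptions for illustration.

```python
from collections import defaultdict

FIELDS = ("id", "kind", "counterparty", "description", "document_ref", "approved", "contact")
# Constructed sample rows (not real data); the column layout is an assumption.
ROWS = [
    ("T1", "supplier", "Supplier A", "40 x steel bracket M8", "INV-1001", True, "emp01"),
    ("T2", "supplier", "Supplier B", "Consulting services", "INV-77", True, "emp01"),
    ("T3", "supplier", "Supplier B", "misc", "", True, "emp04"),
    ("T4", "customer", "C1", "Sale of goods, batch 12", "SO-1", True, "emp07"),
    ("T5", "customer", "C2", "Sale of goods, batch 13", "SO-2", True, "emp07"),
    ("T6", "customer", "C3", "Sale of goods, batch 14", "SO-3", True, "emp07"),
    ("T7", "customer", "C4", "Sale of goods, batch 15", "SO-4", True, "emp02"),
    ("T8", "customer", "C4", "Sale of goods, batch 16", "SO-5", True, "emp03"),
    ("T9", "customer", "C5", "Sale of goods, batch 17", "SO-6", True, "emp02"),
]
TRANSACTIONS = [dict(zip(FIELDS, row)) for row in ROWS]

VAGUE_TERMS = {"services", "consulting", "misc", "various", "fee"}  # assumed word list
MAX_CUSTOMERS_PER_CONTACT = 3                                       # assumed threshold

def is_vague(description):
    """True when the text is empty or consists only of generic words."""
    return all(word in VAGUE_TERMS for word in description.lower().split())

def screen(transactions, max_customers=MAX_CUSTOMERS_PER_CONTACT):
    """Return (flags per transaction id, contacts who are sole contact for many customers)."""
    flags = defaultdict(list)
    contacts_by_customer = defaultdict(set)
    for t in transactions:
        # Supplier invoice that does not say what was bought.
        if t["kind"] == "supplier" and is_vague(t["description"]):
            flags[t["id"]].append("UNSPECIFIED_INVOICE")
        # Payment approved with no substantiating document on file.
        if t["approved"] and not t["document_ref"]:
            flags[t["id"]].append("APPROVED_WITHOUT_DOCUMENT")
        if t["kind"] == "customer":
            contacts_by_customer[t["counterparty"]].add(t["contact"])
    # Customers handled by exactly one employee, grouped by that employee.
    sole = defaultdict(set)
    for customer, contacts in contacts_by_customer.items():
        if len(contacts) == 1:
            sole[next(iter(contacts))].add(customer)
    concentrated = {c: sorted(cs) for c, cs in sole.items() if len(cs) >= max_customers}
    return dict(flags), concentrated

if __name__ == "__main__":
    print(screen(TRANSACTIONS))
```

The output is a shortlist for pulling the underlying documents, in line with the point above that a red flag still has to be interpreted against possible fraud scenarios.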
Key for success: mandate, support, training
With specific support, training and a mandate, together with the benefit of detailed knowledge of the business and access to a range of internal information, we can help internal audit and control become very well placed to proactively identify irregularities and early warning signs of fraud. If, in addition to that, we can count on the valuable input provided by key employees across business units and functions who are stimulated to think like fraudsters, the amount of relevant material which can be gathered to support the work of any internal audit and control function can be even greater.
With this enhanced information analysed and properly summarised, management (and the compliance function) will be better equipped to take informed decisions on whether and how to perform deeper investigation or take other follow-up actions to mitigate identified risks.