One of the most common observations made at the commencement of any fraud investigation, regardless of who the client is – Prosecution, Defence or the victim – is why on earth the fraud was allowed to happen. It is a fact that most frauds are preventable with a little forethought.
That said, it must not be forgotten that the fraudster can be the most dangerous problem an organisation can face and that the risk of fraud is often the number one business threat to the survival of any company. A fraudster will often seek out and exploit the smallest weakness within the financial control environment, causing substantial damage before losses are noticed. However, it is normally the most obvious avenues of control failure that the fraudster takes advantage of, and these avenues are easy to mend, which removes the bulk of the fraudster's opportunities.
Almost all businesses will have some form of anti-fraud defence system, or fraud prevention controls, as it is natural for assets to be guarded. Thus in a small concern run by an owner-manager, the principal will control the purse strings, authorise transactions and generally monitor the business. As the size of the business grows, responsibilities are delegated so that for the largest concerns, the owners are completely remote from the day-to-day running. Often it is during the growth phase of any business that control systems break down: too much trust is given to “loyal workers” without installing the necessary checks and balances. At the other end of the scale, in large multinationals, for example, that may have been running for many years, seemingly without a fraud problem, there is the tendency for complacency to creep in and provide massive opportunities for the observant fraudster.
Fraud prevention is a specialised area, yet most businesses will rely on the advice of their auditors alone when monitoring their internal financial control systems. Even those companies that utilise the services of major accountancy firms who might have some element of in-house fraud expertise will receive no more advice than the list of control weaknesses provided each year in their annual audit letter to management.
Fraud risk is a subject that every finance director should have near the top of his list of priorities. It is true to say that fraud risk requires proportionate attention according to the size and complexity of an organisation – but even smaller concerns can find themselves victim of the fraudster. Every business or organisation, no matter what the size, should go through a number of fraud management processes. These must not be “tick box” exercises that are sometimes sold by internal control consultants as part of often statutory regulatory requirements – but a defined path of activity requiring active participation by management and staff along each step of the way.
Fraud risk assessment
Protecting a business from financial irregularities starts with fraud risk assessment. This is where the scale, nature and activities of a business are assessed generally to decide what appropriate level of fraud protection is needed. Thus a small business, whether a sole trader or a manager-owned and manager-run business, may not need to do anything more than a fraud risk assessment to gain a reasonable level of comfort that it is protected against fraud.
The questions asked include “Am I aware of the risk of fraud?” and “What measures do I take on a day-to-day basis to avoid it?” If the answer is “Yes, I review my finances regularly and control spending within my business on a day-to-day basis” then the sole trader is well on the way to reducing his fraud risk. If the answer is a complacent “My business is not prone to fraud” then the risk of fraud is much greater.
Such a basic approach is valid for much larger businesses, but will lead to a much more detailed examination of the business structure and activity. In this case, further questions will be directed at all areas of the business, which could include diverse trading operations, diverse locations and a complex corporate and human resource structure. These questions will essentially be “Could fraud take place if…”
Installing the fraud policy
Possibly the only standard piece of fraud prevention is the corporate “Fraud Policy”. Even this must be tailored for each organisation, but it is essentially a formal declaration of being “fraud aware”. Having a fraud policy starts with formally documenting it. Thus a very large organisation may publish a glossy booklet whereas a small firm may state its policy on a single sheet of A4 paper. The important point is that a policy exists and, even more so, that its contents are taken seriously.
For example, a fraud policy will state that the organisation understands the threat of fraud risk and is prepared to be pro-active in its stance against the problem. It will explain the impact that losses from fraud can have on both profits and the ability to pay staff. It will confirm that all fraud will be dealt with and that it expects all staff to be of the same view, reporting any instances – should they be discovered.
Being aware of fraud and having a strict policy of dealing with it whenever it is reported means that sufficient effort is taken to protect against the problem in the first place. It is all very well to rely on internal controls advised by the organisation’s auditors, but there can be no comparison to the effectiveness of ongoing fraud monitoring.
If a fraudster perceives that a company is actively looking for fraud, he will think twice about stealing and potentially move to a more complacent company. Therefore, one of the most effective fraud prevention controls is the frequent “fraud review” carried out at irregular intervals within the organisation. A fraud review, or fraud monitoring, is the most effective and efficient measure an organisation can introduce to reduce its risk of fraud once a fraud policy has been installed. It is not an expensive exercise, at least not when compared to fraud losses or the cost of investigating fraud.
A typical fraud review might involve the fraud expert selecting an area of the business – say a subsidiary of a multinational situated in a location remote from the parent – and undertaking an unscheduled visit. Depending on the size of the subsidiary, the visit may only take a day or two at the most.
The fraud expert will consider the activities and performance of the business and compare them to benchmarks he or she has developed for the company as a whole. He or she will conduct a sample check of standard controls in various areas of the business, perform a recent transaction history review using cash, nominal and sales records and hold brief meetings with a cross section of staff and management.
The results of a fraud review will depend on the selection of work that the fraud expert deems to be appropriate in a particular case. The trouble is, such a review can never be sure that it has uncovered weaknesses or even frauds taking place. It can, however, on a cumulative basis, perhaps from visits once or twice every year, build up a picture of sound fraud control and awareness that will provide an adequate level of assurance to the parent company stakeholders that the subsidiary is doing all it can in the area of fraud prevention to minimise fraud risk.
But the fraud review, or fraud audit as it is sometimes termed, has one massive beneficial impact on the business fraud risk. It demonstrably sends the message out to all managers and employees that a robust fraud policy is in place, the business is being monitored and the risk of a fraudster getting caught is significant. Not only will a fraud review reduce the risk of serious fraud considerably, it will also reduce the level of petty theft such as expense claim exaggeration.
The fraud review will build, over a series of visits spanning a number of years, a level of fraud protection necessary for any business. Stakeholders can be confident that their business is being properly looked after. And the cost is probably no more than a fraction of the current internal audit costs that the business already pays, for a service that will provide relatively more assurance than other internal audit activities. Although fraud monitoring is a specialised area of activity, it should form part of every corporation’s internal control structures.