Key insights from the 2018 ACFE “Report to the Nations”
Trends and statistics on occupational fraud detection and prevention
INSIGHT ARTICLE |
The Association of Certified Fraud Examiners (ACFE) recently published its semiannual “Report to the Nations.” The report presents global findings on occupational fraud and abuse, aggregating and analyzing data from over 2,500 fraud cases between January 2016 and October 2017. This article highlights several key recommendations that organizations should consider as they implement controls that help deter and detect occupational fraud, waste and abuse.
External audits are not enough to deter and detect fraud
Organizations can make the common mistake of believing that an unqualified or “clean” audit opinion renders their company free of occupational fraud and abuse. However, the ACFE report found that only 4 percent of fraud cases were detected by external audit. Therefore, it is critical for organizations to use other anti-fraud controls to minimize risk during interim periods.
Strong internal controls are essential to help deter and detect fraud
The ACFE report found that internal control weaknesses were the leading cause for fraud—responsible for nearly half of all frauds analyzed. Lack of internal controls were the leading cause in 30 percent of cases, while override of existing controls represented 19 percent of cases. It is important for organizations to understand their internal control environment, including control gaps, risk of management override and residual risks, when evaluating fraud risks.
We have found that in many cases, particularly at middle market organizations, those with the ability to override controls are often responsible for implementing and monitoring the control environment. This minimizes the effectiveness of internal controls and can increase opportunities for fraud. The ACFE report highlights that smaller businesses exhibit elevated incidences of fraud that are primarily driven by internal control weaknesses.
Organizations can combat these risks through the establishment and empowerment of robust internal audit and compliance departments. In many cases, middle market companies do not have the resources available to hire full-time staff in these departments and can struggle to establish and monitor an adequate anti-fraud program. Engaging external consultants to perform independent testing on an annual or as-needed basis can help mitigate these risks while balancing financial concerns.
Data monitoring and surprise audits are essential elements of an effective anti-fraud program
The ACFE report noted data monitoring and surprise audits were among the greatest drivers in the reduction of financial loss and duration of occupational fraud. The table below presents the effect of these controls on financial loss and duration of fraud schemes:
Despite their effectiveness, the ACFE found that only 37 percent of organizations implement these controls. It is critical that organizations take proactive steps such as these to help mitigate the occurrence of fraud within their operations.
We have found that this proactive approach can be particularly meaningful to limited partners, private equity firms and companies with key third-party relationships (e.g., distributors, sales and marketing). In many cases, contracts in these contexts include provisions to exercise audit rights. A proactive forensic audit can uncover troubling patterns that may indicate unknown related parties, embezzlement, and bribery and corruption risks. This can be especially important in the case of international third parties. Recent enforcement actions have made it clear that companies and individuals are not free of liability by delegating “dirty jobs” to third parties. These organizations have collectively been fined well over a billion dollars in part due to lack of due diligence and monitoring of third parties. 1,2,3 These risks manifest domestically as well, as exhibited in a recent case in which the Department of Justice named a private equity firm as a co-defendant in a false claims act lawsuit against one of the firm’s portfolio companies for their alleged involvement in a kickback scheme.4
Concealment of electronic evidence is prevalent
The ACFE found that in concealing their actions, 80 percent of fraudsters created false documents, 80 percent altered existing documents and 43 percent deleted or destroyed documents. Electronic evidence was involved in 84 percent of these instances. Organizations must be mindful of these risks and take steps to protect their information technology systems. It is important to have the proper archive procedures in place and the right professionals to analyze activity to identify and recover lost, damaged or altered electronic records. Be mindful of two common IT weaknesses:
- Disparate systems that do not interface with one another create opportunities for manipulation and obfuscation. Manual reconciliation processes of non-integrated information systems can create opportunities for fraudsters to hide their activities, slowing or inhibiting the ability to detect fraud and establish an audit trail. In many cases, syncing data between systems is a complicated process that only a limited number of employees understand. This complexity can allow fraudsters to explain their way out of inquiries without detection. Further, independent systems often have varying degrees of internal control strength, and motivated persons can exploit these weaknesses to commit fraud. In other words: an organization’s control infrastructure is only as good as its weakest system.
- Information systems may not log read-only actions. Logging actions such as a “view” or “query” can provide insight into the fraudster’s pattern of behavior, targeted areas and the extent to which sensitive information such as Social Security numbers or banking information was compromised. If systems are not configured to log this type of activity, investigators may encounter large gaps of activity and have difficulty evaluating the scope of exposure.
This ACFE report is an important reminder to ensure your organization is constantly assessing its fraud risk and updating its controls to keep pace with the evolving world of fraud.
Visit RSM’s fraud awareness resource center for additional information on this topic.