It is critical to recognize that fraud risk is not exclusively about the “good guys” catching “bad guys.” Given the right (wrong) circumstances, even the best people can do some of the worst things. In light of that, an organization should approach fraud risk in a comprehensive manner so that the business does not put any individual in a position where they will be tempted to do something that they would not normally do—as well as rigorously prevent, detect, and respond to the “bad guys” where they exist.

Managing fraud risk is a complex task that involves understanding business processes, controls, and, most importantly, behavioral economics and social psychology. Or, stated differently, understanding both the business and what drives human behavior.

In this illustration, a fraud triangle depicts the forces that act together to create an environment for fraud and includes the following dimensions:

Rationalization. Individuals need to convince themselves that the fraudulent conduct is not really wrong at all, using excuses such as:

The company owes me

Everyone is doing it

I was told to do it

The lawyers said it was “OK”

It is for the greater good

We will do this just once

Opportunity. Individuals need an opportunity to actually commit the fraud, including:

The skills to design and execute the scheme

Weaknesses in the organization's controls to exploit

Controls that can be overridden

“Partners in crime” to help out

Pressure/Incentive. Individuals require some sort of motivation to commit fraud such as:

Financial gain

Reputational gain

Saving a job

Reduced pressure to perform

Reduced job stress (just being lazy)

Pressures and incentives can be associated with either or both the individual and the organization itself. Consider the degree to which different types of schemes will help (or hurt) the individual and/or the organization. In a broad sense, there are four “quadrants” or scenarios to consider.

Save the Company. Here, the direct individual incentive is low but there may be significant indirect or organizational incentives and pressures to commit fraud. An example is where an individual feels that their job or the entire company is in jeopardy and that committing fraud can “save my job” or even “save the company.” Individuals, departments, or business units under significant pressure to survive will have increased risk of fraud that is motivated in this quadrant.

Broken Windows. Here, the individual gain is low and the organizational harm is low—for example, expense report fraud where an individual fudges a cab receipt for $50 instead of the actual $20. This type of fraud typically does not raise the ire of investors or enforcement because it is not material. However, pervasive low-impact fraud may create an environment for high-impact fraud to be committed. Zealous enforcement can send a signal that even “trivial” fraud is detected and will not be tolerated by the organization. Some organizations favor a streamlined detection and monitoring approach where they seek to find only one or two violations each quarter rather than all violations. Once a violation is found, it is publicized.

Rogue Agent. Theft or other schemes that result in significant personal gain at the expense of the organization can result in operational losses. The organization has a vested interest in catching and punishing the individual. Typically, this type of fraud does not invite unwanted interest from the media or investors unless the magnitude suggests pervasive lack of control and oversight of business processes.

Perfect Storm. Here, both the organization and the individual experience direct benefits from fraud. Significant media, enforcement, and investor attention are drawn to this type of fraud. This represents a “perfect storm” where significant resources should be devoted to prevention, detection, and quick response. The challenge here is that this type of fraud is typically committed by senior executives. It can be uncomfortable to approach the C-suite with a fraud prevention program that focuses on them!

The best way to keep an act of fraud from adversely affecting an organization is to keep the act of fraud from happening in the first place. That's a simple lesson, but one that a surprising number of organizations, it would seem, haven't yet learned. Too many fraud management programs depend on detection, often to the detriment of prevention efforts. A high-performance fraud management program will emphasize both, but focus on the latter.

That being said, Larry Harrington, Vice President, Internal Audit, at Waltham, Mass.-based Raytheon Company, notes that the cost of preventing some frauds exceeds the benefit of doing so. Thus, relying on detection controls can be more effective in those cases. But more often the opposite is true. Prevention is usually cost-effective. Dave Richards, President at The Institute of Internal Auditors in Altamonte Springs, Fla., reminds us that it's far more important to an organization to have an environment where employees are encouraged to do the right thing—and not tempted to do the wrong thing. “It's better not to have a problem at all,” he says, “than to have to identify it and correct its ill effects.”

A critical element of an environment that encourages honesty is swift, decisive action by management whenever and wherever fraud is found. Let employees know that fraud is on management's mind, and potential fraudsters will think twice about taking a chance. “An environment where employees believe that fraudulent behavior is not acceptable and that they'll be caught if they perform a fraud will do more to prevent fraud from occurring than any policy or procedure,” Richards points out. And the company grapevine—“Did you hear what happened to Simmons in accounting?”—might be one of the best tools available to instill an understanding of that fact in potential fraudsters. “The fear of being caught is still one of the prime reasons that more frauds are not committed,” Richards adds.

Of course, it's important to balance that approach with a very visible emphasis on rewarding positive anti-fraud behavior, too. Scaring employees with “Big Brother” tactics is ineffective and inappropriate. Making it easy for employees to understand what the company will not tolerate, rewarding employees who toe the line, and punishing those who don't—up to and including immediate termination—is the recipe for an effective fraud management program. Acceptable and unacceptable conduct should be clearly defined as part of a code of conduct—and communicated in presentations and other formal statements from the board and senior management.

One very important side effect of creating an environment where employees know that fraud will be detected and swiftly punished is this: it blunts just about every excuse a potential fraudster could use to rationalize his or her actions. And the Rationalization side of the fraud triangle is the side where a coordinated anti-fraud effort can have a powerful effect. There will always be pressure to commit fraud, because there will always be cash flowing through commercial organizations. And there will always be opportunities, so long as employees process that cash flow. But none of the standard excuses a potential fraudster could use to rationalize a fraud hold up against a clearly stated and consistently enforced anti-fraud program.