First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

How significant is the risk of fraud?

fraudThe best resource for understanding the level of fraud risk is the Association of Fraud Examiners’ (ACFE) annual Report to the Nations, their global study of occupational fraud and abuse.

Their 2018 Report is now available and, as always, shares some useful and important insights. The ACFE analyzed 2,690 cases from January 2016 to October 2017 from around the world (48% from the USA, the rest evenly split among other regions).

As far as I can tell, the report did not include any thefts (usually of IP) through cyber breaches.

Here are some key facts:

  • The median loss was $130,000 but the mean was $2.75 million.
  • 22% of cases involved losses greater than $1 million. Clearly, there were a relatively small number of very large frauds, but the report sheds no additional light on the frequency or magnitude of significant frauds.
  • The median duration of a fraud was 16 months.
  • As in prior reports, tips by employees identified more frauds than any other mechanism. Internal audit found 15% and management 13%.
  • Financial statement frauds were the least common but the most costly (median loss of $800,000).
  • Owners and executives (down to manager level, apparently) were responsible for a small percentage of cases but the median loss was $850,000.
  • Fraud detection through analytics and surprise internal audits were the most effective internal control measures when it comes to fraud.
  • Only 4% of fraudsters had a prior fraud conviction.
  • Only 63% of organizations have a whistleblower hotline. Those that do not rely on telephone (42%), email (26%), and web-based (23%) mechanisms.
  • 85% of fraudsters displayed at least one behavioral red flag, with living beyond their visible means the most common (41%).
  • Only 65% of identified fraudsters are fired. 58% are prosecuted. Civil suits are litigated in 22% of cases.
  • In some cases, the victim organization was fined, with a median of $100,000 and 20% exceeding $1 million.

So what does this all mean?

I am a strong believer that the resources dedicated to addressing fraud risk (by management or by internal audit) should be commensurate with the level of risk.

Those organizations with high risk should allocate more resources. Those with lower levels of risk should spend their precious resources elsewhere—given a basic minimum to keep the risk low, such as a code of ethics with training and annual certification, a whistleblower hotline, and prompt and capable investigation of every allegation.

That brings us to the need for a fraud risk assessment.

  1. I believe that this should ideally be a management responsibility. The CRO can also take it on. But the internal audit team has the expertise to at least assist, at most complete the assessment on behalf of management.
  2. It should be updated at least annually and every time a fraud is detected.
  3. The fraud risk assessment for SOX should be focused on the potential for a deliberate material misstatement of the financial statements filed with the regulators. I prefer it being a separate document than the enterprise fraud risk assessment.
  4. Management should obtain assurance that the controls in place to keep fraud risk at or below desired levels are effective.

Some internal auditors feel it is their obligation to detect and investigate fraud. I agree with the second part for most organizations (some have a separate unit of fraud examiners), but not the first.

It is management’s responsibility to have appropriate controls in place to prevent and detect fraud, not internal audit.

However, the board or audit committee may decide it is better to charge internal audit with fraud detection. I am OK with that as long as it is in the audit department charter and they have additional resources (beyond what they need to address more significant risks).

Unfortunately, IIA guidance can be read to mean that fraud risk needs to be addressed in every audit. In fact, it only says that it should be considered. When it is not high risk or there are better ways to address the risk (such as by auditing how management addresses it), it should not be included in the scope of individual audits.

Recommended reading:

Managing the Business Risk of Fraud
IIA Guidance on Fraud

What do you think? Do you agree?

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , , , , ,

Comments are currently closed.