To anyone who fights white-collar crime, it comes as no surprise that U.S. companies lose an estimated 5 percent of their annual revenues to fraud—about $638 billion last year alone, according to research by the Association of Certified Fraud Examiners.
What is surprising: the people committing the fraud. In a study of 360 fraud investigations conducted by KPMG, 89 percent of the perpetrators committed fraud against their own organizations. And mostly, those perpetrators weren’t low-level employees trying to rip off the corporate brass; they were the brass themselves.
“It’s mainly senior management that committed the frauds in our cases, which tend to be larger cases,” says Anne Van Heerden, KPMG’s head of financial forensics in Switzerland.
KPMG’s 2007 “Profile of a Fraudster Survey,” based on actual cases in Europe, the Middle East, and Africa, found that 86 percent of perpetrators in the cases studied held management positions; 60 percent of those were members of senior management or board members. Eleven percent were chief executive officers. Most conducted their fraud schemes for more than a year before discovery.
Van Heerden
“They commit frauds of smaller amounts, but multiple frauds over a period that usually last longer than one year,” says Van Heerden.
Upper managers typically have the responsibility for, and access to, company information that can create a risk of fraud, the report says. Such managers also usually have the authority to override the internal controls intended to catch fraud in the first place and mask their true objectives.
Many worked in the finance department (36 percent) or operations and sales (32 percent), where the access to and responsibility for accounts, cash, checks, financial reports, and credit lines offer a greater opportunity to commit and conceal fraudulent acts than for employees working in other departments, according to the report.
For that reason, boards must consider “not only internal controls aimed at the average person, they have to consider those controls around their higher level managers,” Van Heerden says. “They need to look at the risks of the company, consider what can be achieved by management override, and make sure there are controls in place around that.”
Audit committees should ensure that management identifies the company’s risk areas, starting with the higher-level areas and working down to look at the type of people working at the company, he says. “To understand what is possible in a company, one should not only look at formal controls.”
For example, Van Heerden says, companies should interview employees “to find out what the possibilities are for people in certain positions.” Questions to ask might include, “What’s within their power?” and “How can they defraud the company?”
“A company can have a lot of internal controls and procedures in place, but the board and management have to understand the dilemmas people have in the company when they’re doing business,” he adds.
KPMG’s report findings also highlight the need for companies to improve their risk-management policies. In about half the cases, the perpetrators exploited weak internal controls, while they abused existing controls in 36 percent of the cases. Collusion occurred in only 15 percent of the cases.
FRAUDSTER PROFILE
Below is the average age of fraudsters investigated by KPMG...
Age Range
Percent
Older than 55
13 %
46-55
31 %
36-45
39 %
26-35
14 %
18-25
3 %
... and their typical seniority within the defrauded company.
Rank
Percent
Staff
14 %
Management
26 %
Senior management
49 %
Board member
11 %
Profile Of A Fraudster Survey 2007 (KPMG Audit, Tax, Advisory Group; April 2007)
Van Heerden says companies must focus on the ethics and integrity within the organization. “The bigger challenge for companies is to invest in prevention before they have the issues,” he says. “Not investing now will cost much more later.”
Indeed, in 42 percent of the cases, the total loss was more than 1 million Euro (about $1.35 million). In almost all of the cases in the study (91 percent), the perpetrators committed multiple frauds; in 65 percent of the cases, the fraudster acted more than 10 times. The vast majority of the frauds (76 percent) went undetected for more than a year.
The findings also suggest that tenure on the job doesn’t build loyalty. More than a third of the fraudsters (36 percent) were at the company for three to five years, while 29 percent were there six to 10 years. Twenty-two percent were employed at their company for more than 10 years.
The “fraudsters” had other commonalities. Eight-five percent of them were men, which Van Heerden says is probably at least partly because more men than women hold senior-level positions. The majority (70 percent) was between the ages of 36 and 55. Misappropriation of money was the most common type of fraud.
Exposing Fraud
Like other studies of white-collar crime, KPMG’s report found that whistleblowers were the primary source for detecting fraud (25 percent), followed by management review (21 percent). Only 10 percent of the frauds were uncovered by internal controls, the same number detected by external controls.
And if companies aren’t doing a great job of preventing or detecting fraud, often they also aren’t much better responding to the fraud when they do finally discover it, the report says. Half of the affected companies didn't communicate information about the fraud within the company, while another 15 percent only disclosed the offense selectively, by either only informing the board, audit committee, and top management, or by providing only limited information.
While most companies may want to keep mum when a fraud occurs to avoid bad publicity, Van Heerden says they should do the opposite.
“It’s a good thing to make public that a fraud happened and to let people know that the company is aware and took strict actions in response,” he says. “That should be a signal—the ‘tone at the top’—that the company will investigate any fraud case and will take it seriously and take active measures.”
It’s also critical for companies to have a plan for responding when a fraud occurs or for when they receive a whistleblower report. While larger companies typically have a response plan, Van Heerden says many midsized companies don’t. Managers and boards “should know how to respond, who should be informed, and what steps should be taken,” he says.
While most companies taking action to strengthen fraud controls are still those companies already victimized by fraud, Van Heerden says that attitude is slowly changing. “Companies are moving from reaction to prevention,” he says. “More and more companies are working on preventative measures now because of all of the fraud cases in the press.”
No comments yet