Fraud Prevention
An Investment No One Can Afford to Forego

By Gary W. Adams, David R. Campbell, Mary Campbell, and Michael P. Rose

JANUARY 2006 - The most cost-effective way to deal with financial loss through fraud is prevention. According to the Association of Fraud Examiners (ACFE), a company defrauded is unlikely to ever recover its losses. In its 2004 “Report to the Nation on Occupational Fraud and Abuse,” ACFE estimated that fraud costs the typical U.S. company 6% of its annual revenue. So, for a mid-market company with $500 million in sales, $30 million disappears annually from profits because of corporate inattention to fraud and its prevention. Indeed, in the 2004 ACFE report, the 508 cases of occupational fraud studied accounted for more than $761 million in financial losses.

Importance of Fraud Prevention

For purposes of this article, fraud is defined in terms of one’s employment, as ACFE did in its 2004 study: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

Clearly, fraud is a pervasive corporate problem, affecting organizations across industries and time zones without regard to company size. Because of fraud’s disastrous consequences, failure to put deterrent procedures in place could put a company out of business within days. Fraud prevention, then, is a defined program of proactive measures to avoid or mitigate fraud.

Because of relative scaling, the greatest financial impact of fraud can occur in a small-business environment. A loss of 6% of revenues is significant for any company, however large, but a small operation whose margins are thin and reserves nonexistent will go out of business. Even if an operation survives the fiscal loss, its business continuity can be in jeopardy and it may no longer be able to function as an independent entity. Failing to address these issues places a company at a competitive disadvantage when fraud becomes a cost of doing business. This impact is doubly significant because competitors that avoid these costs through fraud prevention keep a higher revenue yield and can therefore lower their product or service costs to their customers.

Finally, public disclosure of significant fraud can irreparably damage a large organization’s brand. Customers and vendors translate sensational media coverage of fraud into an early warning sign of decreased market value in the product or service offered, resulting in declining sales and revenue. In extreme cases, it can even lead to the market collapse of the business.

Assess Current Conditions

Developing a fraud prevention program requires an accurate picture of the organization’s current state of fraud risk. The “Assess” phase in Exhibit 1 highlights key tasks, including assessing the likely baseline behavior of the organization using cultural and other assumptions of social behavior.

Interviews with key project stakeholders are an essential part of this assessment. The board or audit committee executive sponsor will probably have a good sense of the current state of affairs as well as of why the company needs a new or improved fraud prevention program. Interviews with them also allow an assessment of the strength of the “tone from the top” and of whether additional actions from senior leadership are needed to reinforce communications. The owner of the project, perhaps the CFO or the chief risk officer, will have a good understanding of fraud and the associated risks within both the organization and its industry. These individuals can identify the three to five areas of greatest fraud risk facing the company. Last, the internal audit group or an independent third party hired to collect data will provide guidance. Collectively, these factors will influence assumptions and help guide the type of information gathered.

Fraud Risk Assessment and Additional Data Collection

A systematic, formal fraud risk assessment survey provides an opportunity to obtain additional information on the areas posing the greatest fraud risk. The ACFE has a short, seven-statement questionnaire providing a very high-level look at the major gaps in a fraud prevention process. This survey is a starting point for the process, to recognize major areas to address. A comprehensive fraud risk assessment survey covers the following:

  • For larger companies, the current components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework as they apply to an assessment of fraud risk. The constituent parts might include established fraud policies, fraud training, fraud-reporting mechanisms, and adequate internal controls. The COSO Internal Controls framework is very similar and can therefore be used as well.
  • Potential areas of the fraud-risk tree, which lays out different types of fraud pertinent for specific industries or companies: fraudulent statements, corruption, and asset misappropriation.
  • Areas of highest risk, which require historical and benchmarking data from the company and its industry.

Exhibit 2 features questions focused on fraud risk from a risk assessment survey developed for a global professional-services firm. This survey includes both quantitative and qualitative measures.

Additional information. In addition to the survey results, other important data include the following:

  • Hotline activity, if a hotline is in place. What types of reports have come in? What has management done to address issues raised? Are these issues potentially symptomatic of larger problems?
  • Previous fraudulent activity within the organization, and how management handled it.
  • Existing programs relating to ethics and fraud prevention, as well as the level of participation in these programs.

The Sarbanes-Oxley Act of 2002 (SOA) requires the audit committee of a public company to set up procedures for the receipt of complaints and anonymous tips. This feedback could relate to reported or observed abnormalities in the company’s accounting methods, internal controls, or audit activities. ACFE has found that hotlines or other confidential reporting mechanisms are among the best tools to prevent fraud, significantly reducing losses to the bottom line.

Complete process analysis. As an organization analyzes its findings, it is unlikely to obtain the same results as other organizations because each company’s programs, processes, and policies are unique. A company must identify its areas of greatest risk to ensure that the proper controls are in place to reduce or mitigate those risks. Typically, an organization should use one key control for each risk. If concerns remain regarding a business process with a high likelihood of risk exposure, the organization might choose to use business process improvement techniques, altering the process to remove risk rather than building controls upon controls.

Compare results to benchmark data. An organization needs benchmarking data to put its results in perspective. This data can be found by using the COSO framework for identifying best practices, ACFE reports and whitepapers, and studies by industry trade groups the organization belongs to. Comparing the organization’s current situation and its level of risk tolerance with best practices helps define a desired state as it moves toward implementing its program.

Design and Implementation

The design and implementation phases should begin with a vision for the fraud prevention program along with the strategic objectives. A strategy or white-board session with audit committee members and senior leadership sponsors can be used to present the results of the assessment and to obtain buy-in for the priority items.

Process. Process changes provide a repeatable method to ensure consistency. Process changes could relate to administrative issues, such as the screening and employment of new staff, or to business process improvement. After analyzing key risk areas, the organization can prioritize business processes for revamping.

Policy. An organization’s fraud prevention program may have numerous policies dealing with tighter controls, new responsibilities, and other data requiring consistent documentation to ensure consistent application. One of the most important policies in a fraud prevention program is the collective group of policies referred to as a code of conduct. A code of conduct presents a set of ethical standards or policies designed to frame the behavior of individuals. Under SOA section 406, public companies must disclose whether they have established a code of conduct or ethics for their officers and senior financial management, and file a copy of it with the SEC. Exhibit 3 lists websites for a number of large organizations that have codes of conduct; some of these pertain to directors and senior management.

Programs. Of the programs that can advance a company’s fraud prevention agenda, a hotline and an ethics program are the two most popular and effective. A hotline program allows a company to establish an anonymous process for employees to report questionable activities. To provide a more complete solution, a program to address ethics in a comprehensive fashion goes beyond a simple code of conduct. Companies that want to help employees make the correct ethical choices relating to environmental, legal, and social decisions may consider an ethics program. Through courses, policies, ethics call lines, and other means, these companies help their employees align business practices with enterprise values and beliefs. Corporate ethics programs are a new area, without much guidance from the SEC or other regulatory groups.

Systems. Computer technology brings new risks in terms of online fraud, but it also brings a host of tools to help prevent fraud. Changes such as the switch from manual controls to automated controls require no significant revamping of systems. Companies can implement new technologies, such as data mining, to make material differences in a company’s fraud prevention efforts. The major credit-card issuers use data-mining techniques to scan purchases for potentially fraudulent activities. If these companies detect unusual patterns, they contact the cardholder to verify that recent transactions are legitimate. As technology costs continue to fall, continuous auditing and other new technologies will provide even more tools to help in fraud detection.

Education and training. Education and training are needed to supplement corporate communications and create awareness at all levels of the organization. The board, senior leadership, and financial personnel may need more extensive training in the inner workings of the programs and ethical issues, as well as a broader and deeper perspective on how and where fraud occurs.


As management develops and implements components of its program, the organization must monitor the program’s employment and usefulness. Process checks are appropriate to monitor hotline activity, controls, and red flags. Quick action in the face of suspected fraudulent activity can dramatically cut losses. Internal forensic experts, or an external team, should investigate all suspected fraudulent activities.

Communications and change management are essential to the monitoring phase because employees must use the new programs before the organization can assess their effectiveness. Making people aware of the new programs and getting them to change from the familiar requires a comprehensive program of change management. Communicating the organization’s messages requires consistent messaging themes and a variety of media. The organization should begin laying out a communication strategy by listing each stakeholder group. At a minimum, different messages must be tailored to employees, management, and groups with specific fraud-prevention responsibilities, such as internal audit, senior management, and the board. Senior management should incorporate into its messaging strategy a message of zero tolerance, proven to be an effective deterrent.

Next Steps

Because financial loss is a company’s greatest worry about fraud, the most cost-effective way to deal with it is to prevent it. According to ACFE, an organization defrauded is unlikely to ever recover its losses, with almost 40% of victims recovering nothing at all.

The most effective deterrent to fraud is a strong “perception of detection.” A complaint or tip hotline can help strengthen the perception of detection as calls are monitored and acted upon and the results publicized. Available to constituencies both internal and external to the organization, this deterrent is valuable and relatively inexpensive. Outsourcing the phone line to a third-party vendor provides the added benefit of ensuring there is no organizational bias in its operations.

Companies and their auditors must develop more-effective internal controls to detect fraud. According to ACFE, fraud uncovered by internal controls tends to be relatively small, ranking the lowest in value recovery of any detection method. Because senior executives are responsible for the largest instances of fraud, management must place even greater stress upon internal control design that can detect senior personnel overriding or circumventing traditional control mechanisms.

Gary W. Adams is a consultant who assists companies with the implementation of strategic initiatives.
David R. Campbell, CPA, is a professor of accounting and department head at Drexel University in Philadelphia.
Mary Campbell is a consultant who assists companies with the implementation of strategic initiatives.
Michael P. Rose, CPA, CIA, CCSA, CISM, is a senior partner for GR Consulting, LLC with offices in Philadelphia and New York.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.