In today’s economy, companies should be doing everything they can to prevent or eliminate temptation on behalf of their employees. Many employees are truly struggling financially and putting food on the table is a basic need for all of them. Where will the money come from? Many will look to the most ready source of cash: their employer.
“Knowing what might provoke an employee, even an otherwise lawful, ‘good’ person, to blur the line between legal and illegal activity is the key to fighting fraud effectively,” says Randy Cochran, a director with Crowe Horwath LLP.
Smart Business spoke to Cochran about how businesses leaders can effectively limit any perceived or real opportunity for employees to commit fraud within their organization.
What drives employees to commit fraud?
Famed criminologist Donald R. Cressey first identified three elements — opportunity (including general knowledge and technical skill), pressure and rationalization — as the ‘fraud triangle’ to explain why people committed fraud. Cressey’s classic fraud triangle helps to explain many, but not all, situations.
Fraud is more likely to occur when someone has an incentive (pressure, like medical bills) to commit fraud, weak controls provide the opportunity for a person to do so, and the person is able to rationalize the fraudulent behavior.
Today’s fraudster is more independent-minded and armed with more information and access to corporate assets than was the perpetrator of Cressey’s era.
More technology, matrix organizations, performance-based pay and a corporate culture that celebrates wealth and fame have led to greater autonomy and authority to effect change across the organization. These differences support the need to expand the fraud triangle to a five-sided fraud pentagon, where an employee’s competence, or power to perform, and arrogance, or lack of conscience, are factored into the conditions generally present when fraud occurs.
How can a business address these driving factors?
With the changes to organizations listed above and employees’ increasing responsibilities in their respective roles, competence and arrogance are at an all-time high. Pressure is being generated both inside and outside the company at an ever-increasing rate. But of the five elements of fraud, the company has the greatest influence and control over opportunity. In fact, the company is almost entirely in control of the opportunity side of the triangle.
Opportunity for fraud to take place is marked on one end by controls — physical, logical, automated, manual, visual, etc. — and on the other end by management review, monitoring and reporting. Somewhere in the middle is separation of duties, reconciliations, internal audits, external audits, and all other means of checking the numbers on a regular, periodic and sometimes on a surprise basis. All of these control measures fall within the purview and responsibility of the company.
What common mistakes do businesses make when attempting to prevent fraud?
So let’s say all of the controls above are in place. The company contributes further to opportunity when the controls are not effectively implemented, executed and monitored. This is where most companies fall woefully short.
Controls that were effective for the way the company operated five years ago often become ‘false’ indicators of control due to system, process, procedural and organizational changes, and diversification of responsibility.
Many companies are doing such a poor job of managing opportunity that they unknowingly cause or contribute to many otherwise good people ‘going bad’ on the job. You need look no further than the Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nation to see that this issue is supported by data from more than 1,800 actual cases of fraud. In the 2010 report, ACFE reported that ‘lack of controls, absence of management review, and override of existing controls were the three most commonly cited factors that allowed fraud schemes to succeed.’
What steps should companies take to limit the ‘opportunity’ for fraud to take place?
Companies should start with an enterprise-wide risk assessment.
Start with a control review. While the company may have wonderful controls in place, it may not be controlling its biggest, most common, or most obvious risks, or those unique to its business and/or industry.
In performing a risk assessment, there is a need for a common language or nomenclature, a process to identify and rate the risks, and the ability to determine mitigation strategies for the company’s chosen level of risk (risk profile). Management will want to invest the time necessary for thorough discussion of the risks and the rating, because this will drive the mitigation effort and investment.
With the risk assessment complete, compare the current controls in place to the risks that require mitigation and see where you stand. Obvious gaps will show up, which will require modification and/or redesign of your control environment, including new and specific control techniques.
Last, for companies of all sizes above 25 employees, implement a process by which employees, vendors and customers can access and report suspicious activity via a tip line. It may sound overly simple, but ACFE reports that occupational frauds are detected by tips more than any other means, including management review, internal audit and review of documentation. The tip line, and the awareness of its existence and use, is the primary way to limit the perception of opportunity in companies big and small.
Randy Cochran, CFE, is a director with Crowe Horwath LLP in the Dallas office. Reach him at [email protected] or (214) 574-1018.