Many of you will be familiar with the Association of Certified Fraud Examiners (ACFE) and their annual Report to the Nations on Occupational Fraud and Abuse. This report identifies the major categories of fraud by employees, including Corruption, Asset Misappropriation and Financial Statement Fraud. Based on its research and surveys, the ACFE estimated in its most recent report that an average organization loses 5% of its revenues to all categories of employee fraud. In some years the estimate has even been as high as 7% of revenues. This is an amazing statistic – and represents a staggeringly large sum of money. What surprises me is that this does not generate more of a response among auditors and those responsible for risk management, fraud detection and various forms of compliance. If a reduction in even a small percentage of these losses results in improvements to the EBITDA of a business, you would think that companies would be throwing a lot of resources at solving the problem.
Data analysis technology can really help with the problem – but why isn’t it used more?
The good news is that a recent survey performed by ACL showed that internal fraud and abuse ranked as the highest area of concern among audit and risk management professionals. At least the issue is showing up clearly on people’s radar. Yet whenever I speak at internal audit and risk conferences on using technology to address risk and control issues, I usually find that participants can only point to relatively limited use of data analysis as part of a comprehensive anti-fraud strategy. The ACFE refers in its Report to the role of analytic technology and continuous audit as one of the important components of an approach to dealing with fraud. The ACFE also does a good job of identifying the typical types of fraud schemes and their relative occurrence. No great surprises here.
24.9% of reported asset misappropriation employee fraud related to fictitious or inflated invoices – often including the old “phantom vendor” scheme in which an employee sets up a fake vendor account through which invoices can be processed for payment – to the employee. This scheme has been around for a very long time – so it is a bit surprising to find that it still actually works! 14.5% of reported fraud related to expense reimbursements – with a surprisingly high median instance of $26,000. Both of these areas are natural ones for the use of fraud detection analytics. There must be at least 20 common tests that can be applied effectively in these areas – none of them particularly complex to implement.
Fraud relating to theft of inventory and of unrecorded cash was one of the more significant loss areas. Although analytics can be applied in this area it is probably not as obvious what tests can be performed that are really effective in detecting and preventing fraud.
One area in which I think analytics do have an important role to play – but are seldom used in practice – is that of employee theft of confidential and critical information. This is an area of growing cause for concern – but not one that is necessarily recognized – often because the loss itself and the financial impact can often go un-noticed.
In many systems it is often an easy task for certain individuals to download, say, an entire customer listing and perhaps the detail of every purchase made in the past year. The value of this could be immense to a competitor. It is worth thinking how difficult it would be for an employee in your organization to download data like this, put the data on a USB memory stick and then offer it to a competitor for a fee. If it could happen, how could you find out if it actually had happened? I can think of several ways that data analysis could be used to monitor for this occurrence. I would be interested to hear of your experiences in this area.
I was talking with a CAE of a fairly large Fortune 1000 company about this topic at a recent symposium. He commented – quite correctly – that the ACFE report shows that the vast majority of fraud is detected by tips or hotlines. What struck me is that the ACFE Report on employee fraud only reports on fraud that is actually detected. I wonder how much the ACFE statistics would change if every organization used analytics as part of a comprehensive approach to fraud detection and avoidance?
(Source: ACL Blog)