For more than 30 years I’ve been investigating fraud: figuring out how it happened, tabulating the costs, repairing the failed internal control systems and consoling the victims. Although the case studies vary, there is one constant: It was always a surprise. Even worse, management’s response is invariably the same: “We never saw it happening. We never thought he/she could do something like that.”
The economic losses are often significant. The emotional and organizational impact is always worse.
That’s the way it is with fraud. It is an act of betrayal by your own employee, and, unlike other losses, you can never fully shrug it off as “just part of the cost of doing business.” It is far too personal.
Yet, in most of these cases, the company’s leaders had never implemented serious fraud prevention measures. They had addressed their other business risks, routinely scrutinizing business operations from a cost/benefit perspective and making control decisions accordingly. They bought property, liability and D&O insurance, even though they do not anticipate losses. But when it came to fraud protection, their standard evaluation methods were somehow forgotten, and they blithely plunged ahead without noticeable concern.
Why does it matter? It matters because fraud risk is a constant in the marketplace. It matters because fraud’s impact on American business is staggering. It matters because I’ve seen the impact of these cases on my clients. It matters because management can make an impact.
The statistics are sobering, if not downright scary. The Association of Certified Fraud Examiners estimates that U.S. organizations lose 7 percent of their annual revenues each year to fraud. That is approximately $994 billion, based on the ACFE’s estimates. In nonprofits, fraud accounts for $40 billion in losses each year … roughly 13 percent of all philanthropic giving. The median fraud loss is $175,000. That equates to more than 5.7 million fraud incidents a year – 228,000 in nonprofits alone.
Who is at risk? Everyone. The median losses are approximately the same in all businesses: large corporations, small companies, governments and nonprofits. Of course, the impact of that $170,000 loss is much greater to the small company or nonprofit. In fact, if you are a small business with fewer than 100 employees, the news gets worse, with a median loss closer to $200,000 (look for check tampering and fraudulent billing schemes).
Who has been wreaking this havoc? The greatest losses are perpetrated by managers or officers who have been with the firm for more than five years. They are usually working alone and have no prior history of illegal activities. Accounting departments commit 29 percent of all fraud, executives another 18 percent. When the executives are involved, expect the median loss to exceed $850,000. If that isn’t bad enough, the average fraud usually covers an 18 to 30 month period before discovery, so the perpetrator may already be working his craft at your expense.
Why tell you this? Because your external auditors won’t find it for you. The police won’t find it for you. In fact, you’re as likely to find fraud by accident as you are to find it through internal audit. You can’t make it go away. If you haven’t taken action, tips are your best, and maybe only, hope.
The sad truth is that no one has figured out how to eradicate fraud. As defined in Cressey’s “Fraud Triangle,” there are three elements that have to exist for fraud to be committed: need, opportunity and rationalization. So, how do you address these elements? As a manager, you have little control over a potential fraudster’s perceived need. You have some control over the rationalization process, but not a lot (it is harder to justify stealing from someone you like and respect than from someone you don’t). However, you do have a significant ability to control opportunity.
So, if you want to reduce the risk of fraud loss, there are a couple of routes open to you. You can passively invest in dishonest types of insurance policies and/or bond your employees. Or, you can actively spend a little bit of time improving your internal controls and internal auditing capabilities. Both solutions can reduce your financial risk. However, only the improvement in internal controls will reduce the likelihood of the fraud occurring at all or allow you to detect it earlier.
In the fraud cases studied by the ACFE, lack of adequate internal controls was most commonly cited as the factor that allowed fraud to occur. In 78 percent of those cases, the victim organizations modified their anti-fraud controls after discovering that they had been defrauded.