For more than 30 years I’ve been investigating fraud: figuring out how it happened, tabulating the costs, repairing the failed internal control systems and consoling the victims. Although the case studies vary, there is one constant: It was always a surprise.  Even worse, management’s response is invariably the same: “We never saw it happening. We never thought he/she could do something like that.”

The economic losses are often significant. The emotional and organizational impact is always worse.

That’s the way it is with fraud. It is an act of betrayal by your own employee, and, unlike other losses, you can never fully shrug it off as “just part of the cost of doing business.” It is far too personal.

Yet, in most of these cases, the company’s leaders had never implemented serious fraud prevention measures. They had addressed their other business risks, routinely scrutinizing business operations from a cost/benefit perspective and making control decisions accordingly. They bought property, liability and D&O insurance, even though they do not anticipate losses. But when it came to fraud protection, their standard evaluation methods were somehow forgotten, and they blithely plunged ahead without noticeable concern.

Why does it matter? It matters because fraud risk is a constant in the marketplace. It matters because fraud’s impact on American business is staggering. It matters because I’ve seen the impact of these cases on my clients. It matters because management can make an impact.

The statistics are sobering, if not downright scary. The Association of Certified Fraud Examiners estimates that U.S. organizations lose 7 percent of their annual revenues each year to fraud. That is approximately $994 billion, based on the ACFE’s estimates. In nonprofits, fraud accounts for $40 billion in losses each year … roughly 13 percent of all philanthropic giving. The median fraud loss is $175,000. That equates to more than 5.7 million fraud incidents a year – 228,000 in nonprofits alone.

Who is at risk? Everyone. The median losses are approximately the same in all businesses: large corporations, small companies, governments and nonprofits. Of course, the impact of that $170,000 loss is much greater to the small company or nonprofit. In fact, if you are a small business with fewer than 100 employees, the news gets worse, with a median loss closer to $200,000 (look for check tampering and fraudulent billing schemes).

Who has been wreaking this havoc? The greatest losses are perpetrated by managers or officers who have been with the firm for more than five years. They are usually working alone and have no prior history of illegal activities.  Accounting departments commit 29 percent of all fraud, executives another 18 percent. When the executives are involved, expect the median loss to exceed $850,000. If that isn’t bad enough, the average fraud usually covers an 18 to 30 month period before discovery, so the perpetrator may already be working his craft at your expense.

Why tell you this? Because your external auditors won’t find it for you. The police won’t find it for you. In fact, you’re as likely to find fraud by accident as you are to find it through internal audit. You can’t make it go away. If you haven’t taken action, tips are your best, and maybe only, hope.

The sad truth is that no one has figured out how to eradicate fraud. As defined in Cressey’s “Fraud Triangle,” there are three elements that have to exist for fraud to be committed: need, opportunity and rationalization. So, how do you address these elements? As a manager, you have little control over a potential fraudster’s perceived need. You have some control over the rationalization process, but not a lot (it is harder to justify stealing from someone you like and respect than from someone you don’t). However, you do have a significant ability to control opportunity.

So, if you want to reduce the risk of fraud loss, there are a couple of routes open to you. You can passively invest in dishonest types of insurance policies and/or bond your employees. Or, you can actively spend a little bit of time improving your internal controls and internal auditing capabilities. Both solutions can reduce your financial risk. However, only the improvement in internal controls will reduce the likelihood of the fraud occurring at all or allow you to detect it earlier.

In the fraud cases studied by the ACFE, lack of adequate internal controls was most commonly cited as the factor that allowed fraud to occur. In 78 percent of those cases, the victim organizations modified their anti-fraud controls after discovering that they had been defrauded.

Put some of these in place and it will make a difference. However, don’t confuse anti-fraud controls with SOX-related internal controls. Sarbanes-Oxley was passed in response to several large financial statement fraud schemes and is targeted toward preventing and detecting financial statement manipulation. Although those frauds are by far the most expensive, they are not the most prevalent. In fact, seven other categories of fraud (corruption, billing, skimming, non-cash, check tampering, expense reimbursements and cash on hand) are more frequent. If your goal is the reduction of all types of fraud, then the controls will benefit you the most. The choice is yours.

You can buy insurance policies that will reduce the financial risk of a potential fraud. You pay the premium, take out a deductible and hope you are lucky. Or, you can also invest some time (the labor premium) to strengthen your internal controls and reduce both the likelihood of occurrence as well as the financial risk. Maybe if you do a little of both, you’ll rest easier and be better protected.

Prevention, deterrence and detection are the basis of risk management … and the basis of good business strategy. Don’t let fraud be the one risk you ignored.


Clark Keeler, a Certified Fraud Examiner (CFE), leads Burr Pilger Mayer’s (BPM) risk management, internal control and forensic Investigation practices. He brings 35 years of experience in identifying, mitigating and managing organizational and fraud risk, while improving existing infrastructure, systems and internal controls. He helps clients assess risk, then helps them identify, design and implement improvements in internal control processes, fraud prevention programs and advises on other cost and risk reduction initiatives. You can reach him in the Santa Rosa or San Francisco office at ckeeler@bpmcpa.com.



Median Loss Based on Presence of Anti-Fraud Controls

Control% of Cases ImplementedYesNo% ReductionSurprise Audits25.5%$70,000$207,00066.2%Job Rotation/Mandatory Vacation12.3%$64,000$164,00061.0%Hotline43.5%$100,000$250,00060.0%Employee Support Programs52.9%$110,000$250,00056.0%Fraud Training for Managers/Executives41.3%$100,000$227,00055.9%Internal Audit/FE Department55.8%$118,000$250,00052.8%Fraud Training for Employees38.6%$100,000$208,00051.9%Anti-Fraud Policy36.2%$100,000$197,00049.2%External Audit of ICFR53.6%$121,000$232,00047.8%Code of Conduct61.5%$126,000$232,00045.7%Management Review of Internal Controls41.4%$110,000$200,00045.0%External Audit of Financial Statements69.6%$150,000$250,00040.0%Independent Audit Committee49.9%$137,000$200,00031.5%Management Certification of F/S51.6%$141,000$200,00029.5%Rewards for Whistleblowers5.4%$107,000$150,00028.7%