BDO Audit Partner Justin Crowley outlines some basic steps to follow in managing fraud risk within businesses.
Whether or not we might like to admit it, it is likely that our businesses will be the victim of fraud at some point.
Whether in the form of petty theft or large-scale complex fraud involving manipulation of sophisticated systems, fraudsters will seek to find ways of beating the system – some will be motivated by their personal circumstances while others may simply enjoy the challenge.
While we may never actually establish accurate data as to the extent or cost of fraud (much of it goes undiscovered), there are some published official data sources that provide an indication. In the UK, for example, the government's National Fraud Agency, in its 2013 fraud indicator report, quoted the latest estimated annual value of frauds committed within the UK at GBP 73 billion (approx. AED 430 billion) – equivalent to 3% of GDP. On average, according to the NFA, businesses lose 1.5% of their annual revenue to fraud.
Key tips to manage fraud risk
We can all take actions to reduce our exposure to fraud, and this needn’t be a terribly complicated exercise. This article aims to set out some basic steps to follow in managing fraud risk within your business:
1. Know your enemy
Spend time mapping out your transaction flows and identify where your higher risk areas lie. You might find that it is useful to do this with your management team as they might best understand how controls can be over-ridden.
Pull together a fraud risk register of all of the ways in which fraud might be committed, and what assets might be at risk of abuse or theft and then set about identifying any existing controls that mitigate these risks – the chances are you’ll identify gaps that can be plugged with fairly straightforward controls.
2. Adopt a culture of openness
Let your staff know that you acknowledge the risk of fraud in your operations and that you are actively managing and monitoring that risk. Ensure that staff fully understand policies and procedures and continually emphasise the importance of following them.
Most of your staff will also acknowledge the reality of fraud risk to the business, so none of them should be troubled by discussing it. Some of the best counter-fraud control environments I have come across have been in organisations which talk openly about fraud control – examples include the UK health service, in which many entities have dedicated counter-fraud personnel who work alongside internal auditors.
Announce your intentions in combating fraud and let staff know what to do if they themselves have suspicions.
Case Study 1
Company 1 is a large group involved in the provision of care to vulnerable adults. Management had concerns regarding possible abuse of consumables ranging from housewares to foodstuffs and fuel. After making an announcement to staff of their intention to monitor such expenditure more closely and revise procurement procedures, finance staff reported an immediate change in purchasing trends and a reduction in expenditure without implementing a single change in procedure.
3. Monitor trends
Some of the most effective of all counter-fraud controls are those that involve monitoring of data and trends and comparing them to expectations. Take a step back from your business and think about the way in which resources are consumed – try to formulate high-level expectations about efficiency in different processes, whether that involves throughput of raw materials in a complex process, or something as simple as fuel usage.
Once you have mapped out your processes and set tolerance levels for efficiency or loss, monitor the causes of deviation from those standards.
Case study 2
Company 2 is involved in the manufacture and distribution of products used in the construction industry. Very careful tolerance levels were set for production processes, but monitoring of costs ended once products had left the factory gates. Monitoring of delivery costs per mile identified significant variations between drivers. Surveillance of those drivers later uncovered a practice of fuel theft wherein drivers would fill illicit on-board barrels with fuel for subsequent black market re-sale.
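The kind of monitoring described in step 3 and Case study 2, as an added example that is not part of the original article: a short Python script that works out each driver's fuel cost per mile and flags anyone well above the rest of the fleet. The delivery records, driver names and the two tolerance settings (`threshold`, `min_spread`) are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (driver, miles driven, fuel cost) per delivery run.
DELIVERIES = [
    ("driver_a", 120, 42.0), ("driver_a", 200, 71.0), ("driver_a", 90, 31.0),
    ("driver_b", 150, 53.0), ("driver_b", 110, 38.0), ("driver_b", 180, 64.0),
    ("driver_c", 130, 45.0), ("driver_c", 160, 57.0), ("driver_c", 100, 36.0),
    ("driver_d", 140, 78.0), ("driver_d", 95, 55.0), ("driver_d", 170, 97.0),
    ("driver_e", 125, 44.0), ("driver_e", 210, 73.0), ("driver_e", 80, 29.0),
]

def cost_per_mile(deliveries):
    """Aggregate fuel cost per mile for each driver over the period."""
    miles, cost = defaultdict(float), defaultdict(float)
    for driver, run_miles, run_cost in deliveries:
        miles[driver] += run_miles
        cost[driver] += run_cost
    # Drivers with no recorded mileage cannot be rated; review them separately.
    return {d: cost[d] / miles[d] for d in miles if miles[d] > 0}

def flag_outliers(rates, threshold=3.5, min_spread=0.02):
    """Return {driver: score} for drivers whose cost per mile is well above the fleet.

    The baseline is the median and the spread is the median absolute
    deviation (MAD), so one dishonest driver cannot drag the expected
    value upwards. threshold and min_spread are assumed tolerance settings.
    """
    centre = median(rates.values())
    mad = median(abs(r - centre) for r in rates.values())
    # Floor the spread at a fraction of the median so that a very uniform
    # fleet does not turn trivial differences into alerts.
    spread = max(mad, min_spread * centre)
    flagged = {}
    for driver, rate in rates.items():
        score = 0.6745 * (rate - centre) / spread
        if score > threshold:  # one-sided: only overspend is flagged
            flagged[driver] = round(score, 1)
    return flagged

if __name__ == "__main__":
    rates = cost_per_mile(DELIVERIES)
    for driver, score in flag_outliers(rates).items():
        print(f"{driver}: {rates[driver]:.3f} per mile, score {score}")
```

A flag is a prompt for follow-up, such as the surveillance in the case study, and not proof of theft: routes, vehicles and loads can all explain a higher cost per mile.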
4. Segregate duties
Auditors are forever advising their clients to make sure that as far as possible, duties are segregated, but for good reason – if done properly this can restrict the ability of the fraudster to act in isolation. For example, in a creditor payments cycle it is preferable to have different personnel responsible for setting up creditor accounts, setting limits, completing and reviewing orders, inputting and approving orders, approving invoices, approving payment, and then processing payment.
Limitations on the size of the accounting team can of course restrict the extent to which segregation is possible. It is usually necessary to find a balance between efficiency and absolute control in the real world. Also give consideration to changing the duties of accounting staff on a rotational basis – this can help to increase their skill and versatility levels but it also makes it more risky for the fraudster themselves.
Case study 3
Company 3 is in the government sector. Teams of staff are responsible for making collections, either in cash or cheque, from a large population. Each staff member has responsibility for a wide geographical area. Following a recommendation to rotate staff by geographical area, the new staff member for a particular area started to uncover a large number of anomalies within client accounts. His predecessor had been teeming and lading for a number of years, shifting funds from one client to another so that no particular account breached credit limits. Incidentally, monitoring controls detailing the average age of debt by geographical area would also have identified this fraud earlier.
5. Restrict the use of portable assets
Portable assets, particularly cash, are usually more prone to fraud or theft due to their very nature. The use of cash as a medium for transactions should be discouraged at every level unless there are compelling reasons otherwise.
Recent years have seen a very significant increase in the use of online banking, including online banking for companies. Be sure to use banking staff/IT staff to give you comfort over the continuing appropriateness of inbuilt controls and delegation limits/authorities over transactions.
Encourage your clients/customers as far as possible to also avoid using cash.
6. Undertake random spot checks
This does not have to be intrusive, particularly if part of a routine controls review process. The checks you perform will be driven by your own business risk. You might, for example, review key customer accounts for appropriateness of transactions. You might want to consider reviewing the overall commerciality of rates being applied to customer accounts, or being charged to your business for certain supplies. Even in a well-controlled accounting environment, the creative fraudster may collude with an external party.
Case study 4
Company 4 is in the service industry and has a large number of employees, each of whom is issued with various high-tech mobile and static devices. Spot checking of supplier accounts identified one supplier (who was also the preferred supplier) charging significantly above market rates for devices. Upon further investigation it was discovered that the purchasing manager received a ‘loyalty reward’ personally from the supplier in the form of gifts delivered directly to his home.
It is an unfortunate truth that most of our businesses have been, or will be victims of fraud. There are relatively simple steps we can all take in countering the cost of fraud. The first and most important steps are to acknowledge the risk and make a register of all of your susceptibilities – then start to plan your response in a co-ordinated manner.
* Justin Crowley is an Audit Partner at BDO. After graduating with a degree in Economics from the London School of Economics, Justin joined the Audit & Advisory Department at PwC in the UK where he spent 9 years before taking up audit principal roles with other leading firms.
He has led internal and external audit assignments on a large number of clients working within regulated industries, the oil & gas sector, manufacturing, construction, financial services and government departments.
An internal control specialist, Justin has delivered complex Sarbanes-Oxley assignments across a wide range of sectors and has led teams supporting the work of the Serious Fraud Office in the UK.