The more things change, the more things stay the same. As compliance matures as an industry, we sometimes forget the foundational best-practices that our programs are built upon. Every last Friday of the month, we revisit some of our most educational posts from the past. We think you’ll find they are just as relevant today.
Originally published July 2018
The Association of Certified Fraud Examiner’s (ACFE) biennial Report to the Nations consistently provides a detailed, and visually engaging, representation of the impact organizational fraud has on our organizations. Its tenth edition, released this year, is no different. In the report, we get a broad understanding of fraud ranging from the methods in which it is committed, to the characteristics of victimized organizations, to the impact of various types of schemes.
To provide more clarity, Jacob Parks, associate general counsel for ACFE and co-author of the report, adds his insight.
What particularly caught my attention in the 2018 report was the detection methods by which fraud is identified, and the impact those methods have on the cost and duration of schemes. To provide more clarity, Jacob Parks, associate general counsel for ACFE and co-author of the report, adds his insight.
1. The average cost of schemes detected by tip was $126,000, with an average duration of 18 months. Being that tips are classified as a potentially active or passive detection method, did you see a difference in cost and/or duration of schemes when whistleblower hotlines and incident management systems were present?
While any organization can receive a tip or complaint about fraud or other misconduct, it is possible to actively develop and encourage such reporting. At organizations that had some kind of misconduct reporting mechanism in place, we noticed substantial differences in how fraud was detected and the level of harm it caused.
Perhaps most eye-opening is that the median fraud loss was 50 percent smaller at organizations with hotlines than at those without them ($100,000 compared to $200,000, respectively).
Frauds reported by tip also tended to be discovered earlier (median 18 months to detection) than cases first detected by purely passive means, including detection by accident, confession or notification by law enforcement (each with a median 24 months to detection). This data indicates tips regarding financial misconduct are a valuable resource and that hotlines and reporting mechanisms are a good way to access that value.
2. Private companies were the most common victim in your study and tended to experience larger losses than other types of organizations. Can you share your thoughts on why?
The data in our Report indicates that internal controls are crucial to mitigate occupational fraud losses. Private companies are, generally speaking, less likely to have anti-fraud controls in place than other types of organizations. To understand the effectiveness of various controls, we compared the median loss and duration of frauds in organizations with a particular control versus those without it. We looked at 18 common anti-fraud controls, and all of them were associated with a reduction in median loss and duration. Specifically, organizations with a hotline or other reporting mechanism in place enjoyed a 50 percent reduction in both the cost and duration of fraud compared to those without one. It is difficult to assess the effectiveness of a control in a vacuum, since it is just one piece of an overall anti-fraud strategy. Still, the relative simplicity of implementing a hotline and the high variance in harm from fraud make it low-hanging fruit for organizations without a reporting mechanism.
3. Financial statement fraud is the least frequent type of fraud but the most costly. Catching just one case of financial statement fraud could save an organization as much as catching a number of other forms of fraud. Why is this type of fraud so expensive? And can organizations optimize their hotlines to capture financial statement fraud earlier?
The relatively large cost of financial statement fraud can be explained by a few factors. First, these schemes tend to last a while, with a median duration of two years. It’s intuitive that frauds that last longer tend to cost more, and our Report supports this. Additionally, who commits the scheme is closely related to the cost of a scheme. We found that frauds committed by owners and executives tend to cost much more than schemes by employees or managers. Owners and executives, along with accountants, often have some level of access to edit (and thus manipulate) financial statements. Indeed, when we look at the biggest risk of financial statement fraud by the perpetrator’s department, executive/upper management (30%) and finance (16%) are the most common.
Tips are the most common method of detection across all types of occupational fraud schemes, including financial statement fraud – 39 percent of such cases were detected this way.
Management review (15%) and internal audit (14%) were the next most common detection methods. Employees provided over half of the tips in our study, so it is critical to provide them with a means to do so. Given that financial statement fraud often involves the organization’s owners or executives, employees might fear retaliation if they blow the whistle. Communicating anti-retaliation policies and incorporating anonymizing capabilities into an employee hotline or reporting mechanism can help reduce those fears.
4. The report states that 14 percent of tips came from an anonymous source. Is there any indication that anonymous reporting has an effect on the duration or cost of schemes (e.g., anonymous tips are usually reported earlier/later, etc.)?
There does seem to be a correlation between anonymous reporting and the cost and length of the scheme. Fraud discovered by tip overall was associated with a median loss and duration of $126,000 and 18 months, while fraud first discovered from anonymous tips had a median loss and duration of $300,000 and 24 months. We can’t conclude from the data why that is, but my guess would be that it has something to do with fear of retaliation. Keeping in mind that owners and executives tend to commit bigger and longer-lasting thefts, it would make sense that some employees are more reluctant to reveal their identities in those situations.
5. Comparing the charts on pages 14 and 18 of the report: After a duration of 18 months, the loss associated with fraud goes up exponentially. Eighteen months is also the time frame in which “tips” surface schemes. After more proactive measures, are tips a last line of defense to catch fraud before major financial damage is caused to the organization?
I think tips being the last line of defense after proactive controls is a good way to put it. There are certainly faster ways to detect fraud than waiting for someone to report it, such as dedicated account reconciliation or IT controls. However, at 18 months into a scheme, the typical time for each proactive detection method to have “worked” has passed. Removing cases detected by tip, the remaining schemes tend to last upwards of two years and get detected in passive ways, such as notification by law enforcement. By then, the damage is much higher. Therefore, if organizations fail to detect fraud in a purely proactive manner, the harm can still potentially be mitigated if they receive and act upon a tip.