The Value of Risk Assessment:Evidence From Recent Surveys – by Barbara Apostolou, PhD, CPA, CGMA and Nicholas Apostolou, CBA, CPA, CrFA, DABFA, CGMA. This article was first published in fall, 2012 issue of The Forensic Examiner, published by Robert O’Block.
Lessons from Fraud Surveys
Financial fraud continues to plague both consumers and business firms; its detection and prevention is a serious concern for regulators and corporate managers. At the national level, President Obama established the Financial Fraud Enforcement Task Force in November 2009 to combat financial fraud related to mortgage lending, securities law, stimulus spending, and the federal bailout of the financial sector. The task force includes senior-level officials from more than 20 federal agencies, 94 U.S. attorneys’ offices, and state and local partners; it is the broadest coalition of federal, state, and local partners ever assembled to combat financial fraud. On June 17, 2010, the Financial Fraud Enforcement Task Force announced the results of the largest collective enforcement effort ever conducted in confronting mortgage fraud. The nationwide takedown, Operation Stolen Dreams, has involved 1,215 criminal defendants nationwide, including 485 arrests allegedly responsible for more than $2.3 billion in losses.
The new task force is the latest effort to bring to bear the resources of the government on a problem that defies easy solutions. In response to the dramatic collapse of Enron in 2001 and public outrage over the accounting scandals at prominent companies like WorldCom, Xerox, Merck, and Adelphia Communications, Congress passed the Sarbanes-Oxley Act of 2002 (SOX), the most significant legislation affecting securities laws and corporate conduct since both the Securities Act of 1933 and the Securities Exchange Act of 1934. SOX made it a criminal act to falsify financial statements and established severe penalties for fraudulent financial activity. In addition, SOX created the Public Company Accounting Oversight Board (PCAOB), which reports to the Securities and Exchange Commission (SEC) to regulate auditors and the nature of services they furnish to clients.
The federal government also responded to the public demand to curtail corporate fraudulent activity by creating the interagency Corporate Fraud Task Force in July 2002. By 2007, this task force was responsible for 1,236 total corporate fraud convictions, including 214 CEOs and presidents, 53 CFOs, 23 corporate counsels or attorneys, and 129 vice presidents. In November 2009, the Corporate Fraud Task Force was replaced by the Financial Fraud Enforcement Task Force.
Despite formal efforts from the public and private sectors, the incidence and extent of financial fraud continues to escalate. This article summarizes and compares the findings of five major surveys recently conducted on fraud by the Big Four accounting firms Deloitte (2011), Ernst & Young (2010), KPMG (2007, 2009), and PricewaterhouseCoopers (2009):
These five surveys offer insight into the consequences of fraud and present evidence on the effectiveness of programs and controls to reduce those fraud risks. Lessons can be learned because the surveys are based upon actual experiences with fraud internationally.
The term asset misappropriation describes any scheme that involves the theft or misuse of an organization’s assets. A salient example is the case of the United States v. United Technologies (1997), which involved false purchase orders and submitting false invoices, provides a real-world illustration of asset misappropriation. A division of United Technologies Corporation (UTC) paid the United States $14.8 million for conspiring to divert $10 million in United States military aid into a slush fund subject to the exclusive control of an Israeli Air Force officer.
The settlement resolved a claim filed by the United States in U.S. District Court in Miami, Florida, against UTC. UTC and former Israeli Air Force officer, Rami Dotan, set up a $10 million fund with U.S. military aid that could be spent at Dotan’s discretion, without the required oversight of the Defense Security Assistance Agency or procurement authorities within Israel. In 1991, Dotan was sentenced to 13 years imprisonment by an Israeli military court for his role in related schemes.
UTC acquired the $10 million in funds for Dotan through false billings under a contract with Israel to develop and manufacture a PW1120 turbojet engine for an Israeli LAVI fighter aircraft. UTC prepared false purchase orders and submitted false invoices to Israel between March and July 1987 to collect $10 million for engine improvement work that was never performed. UTC and Dotan unlawfully concealed a side-deal to use this $10 million as a “bank” for Dotan.
At the direction of Dotan, the complaint said, UTC paid approximately 2.4 million of the $10 million to Yrretco Inc. and Airtech Inc., two New Jersey companies. The manager of Yrretco and Airtech deposited hundreds of thousands of dollars of the U.S. military aid into the personal bank accounts of Nehemia Oron, a former IAF Colonel, and Yoram Ingbir, the owner of Ingbir Engineering. In 1992, the United States recovered $2 million from Yrretco, Airtech, and Oron, a co-conspirator. Dotan confessed to the Israeli police that he and Ingbir planned to split Ingbir’s earnings.
Corruption describes any scheme in which a person uses his or her influence in a business transaction to obtain an unauthorized benefit contrary to that person’s duty to his or her employer. The Foreign Corrupt Practices Act of 1977 (FCPA) specifically prohibits bribery of foreign officials in an effort to win foreign government contracts. An example of the application of the FCPA was the $24,800,000 fine assessed to Lockheed Martin in 1995 (Amato, 1996). Lockheed agreed to pay criminal and civil fines after pleading guilty to violating the FCPA by paying a consultant from a funding source that disallowed it.
The case resulted from the 1989 contract between Lockheed and Egypt calling for the sale of three C-130 aircraft for approximately $79 million. The investigation uncovered payments by Lockheed to its Egyptian consultant, Dr. Leila Takla, in exchange for her assistance in making the sale. The contract, which was funded by U.S. taxpayer money through the Defense Security Assistance Agency (DSAA) Foreign Military Financing (FMF) program, required Lockheed to certify that no consultant fees were being paid out of FMF grant money. The DCIS was alerted to a possible violation when DSAA, during a routine review, discovered Lockheed had an agreement to pay a $1.8 million commission to Dr. Tekla. Once DSAA discovered the agreement, Lockheed canceled its consultant arrangement, but subsequently wired $1 million to Dr. Takla’s Swiss account in consideration of the earlier agreement. Dr. Takla was a member of Parliament in Egypt and thus a foreign official as specified under the FCPA.
Financial Statement Deception
Financial statement fraud occurs when an organization’s financial statements are falsified to make it appear more or less profitable. Many of the famous cases like Enron and WorldCom illustrate this type of fraud. Another illustration of financial statement fraud is provided by a recent case in which the SEC charged Dell Inc. for accounting manipulations in violation of the Securities Acts (Securities and Exchange Commission, 2010).
In March 2006, it was reported that Dell’s board uncovered evidence of misconduct, including accounting errors and “deficiencies in the financial control environment” while conducting an ongoing investigation of the company’s accounting. The board’s investigation was prompted by an SEC inquiry that began in August 2005. In August 2007, Dell announced it would restate four years of financial results (fiscal years 2003-2006 and the first fiscal quarter of 2007) after a separate internal audit found that senior executives sought accounting adjustments “motivated by the objective of attaining financial targets.”
According to Dell, “a number of these adjustments were improper,” and “(t)he investigation found that sometimes business unit personnel did not provide complete information to corporate headquarters and, in a number of instances purposefully incorrect or incomplete information about these activities was provided to internal or external auditors.” In July 2010, Dell agreed to pay $100 million to resolve the SEC investigation. The settlement also resolved allegations that Dell misrepresented aspects of its commercial relationship with Intel Corp.
The SEC’s complaint alleged that Dell’s senior accounting officials engaged in improper accounting by maintaining a series of cookie jar reserves that it used to cover shortfalls in operating results from 2002 to 2005. Cookie jar accounting refers to the practice of using unrealistic estimates and strategic choices of accounting methods to smooth out its earnings. Dell CEO Michael Dell and former CEO Kevin Rollins each agreed to pay a $4 million civil penalty; former CFO James Schneider agreed to pay a $3 million penalty plus over $121,000 in disgorgement and interest; and former regional vice president of finance Nicholas Dunning agreed to pay $50,000 penalty. The company and the individual executives settled without admitting or denying SEC’s allegations.
Deloitte’s GCC Fraud Survey 2011
The Gulf Cooperation Council (GCC) consists of six Arab states that have formed a political and economic union: (1) Bahrain, (2) Kuwait, (3) Oman, (4) Qatar, (5) Saudi Arabia, and (6) United Arab Emirates. The GCC reflects a significant concentration of economic activity with global impact. The purpose of Deloitte’s survey was to determine how organizations have been impacted by fraud in the face of the recent financial crisis. The confidential web-based survey of 1,100 corporate executives consisted of 28 questions related to the detection and prevention of fraud.
Of those responding to the survey, 35% reported at least one instance of fraud during 2010. The most frequent types of fraud were asset misappropriation, theft of information, procurement fraud, and corruption or bribery. The survey requested information about fraud risk management programs in place. Most of the respondents report the presence of a corporate code of conduct and ethics policy, which are both widely regarded as effective deterrents. However, only 50% have a whistle blowing policy that would permit anonymous tips, which generally is believed to be the most effective means for detecting fraud. Only about half of the respondents had a fraud risk assessment or fraud prevention plan in place. In spite of the fact that fraud losses typically are in the millions, 40% of the respondents state that $50,000 or less was spent annually on fraud prevention. These findings suggest that resources should be invested in fraud detection and deterrence, especially since the economy is in decline.
E&Y’s Global Fraud Survey 2010
E&Y’s global fraud survey was conducted on behalf of its Fraud Investigation & Dispute Services practice and published in 2010. E&Y interviewed more than 1,400 chief financial officers, as well as heads of legal, compliance, and internal audit in 36 countries between November 2009 and February 2010 to obtain their views on how companies are managing the risks associated with fraud, bribery, and corruption. Consistent with the findings of the other surveys, companies are finding that fraud and corruption are on the rise. Almost one in six of all the respondents had experienced a significant fraud in the past two years.
Recent Experiences of Fraud
Fraud is still commonplace in virtually every country in the world. More than a quarter of the respondents were from Western Europe, which has experienced a significant upsurge in fraud since the previous survey, from 10 to 21 percent. The financial crisis of the last two years has increased the pressure on upper management to meet financial goals, which becomes particularly onerous when companies are operating in the recessionary phase of the business cycle.
Frequency of Fraud Risk Assessments
In spite of the widespread attention to the fraud problem, there exist executives who have never performed a fraud risk assessment. This step is essential if a company is attempting to preempt the possibility of fraud. The incentive for fraud increases when resources are scarce and budgets are tight as they are now in the current economic environment faced by business firms.
Well-Defined Investigative Roles
An organization should have well-defined responsibilities for the different groups who respond to the first indication that fraud, corruption, or other malfeasance has been detected. Roles for internal audit, legal, compliance, and finance should be clearly delineated. For example, the steps taken to respond to information provided by whistleblowers have to be specified. The CFO often plays a central role in the process of responding to indications of fraud. It is symptomatic of a company’s deficiency in its anti-fraud policies if the CFO’s role in conducting investigations is not well-defined. Many companies lack clear investigative roles for the key participants in the process.
Directors’ Concern about Potential Liability
Directors have become increasingly more concerned about potential liability. Worldwide economic doldrums leading to incentives to engage in fraud certainly are a dominant reason for this concern. However, companies are still not doing enough to educate directors in their role as safeguards against fraud and corrupt practices.
Factors Mitigating Fraud Risk
Internal controls are perceived as the most important factor to mitigate fraud risk (74% of those surveyed). SOX requires audits of the effectiveness of internal controls over financial reporting, which no doubt leads to heightened awareness of their significant role in reducing fraud risk. The internal audit department is viewed by many as a pivotal defense against fraud and corruption by the great majority of respondents. In an environment where budgets for internal audit departments have become constrained, internal audit department heads have to find the resources to properly train their employees to detect and respond to instances of fraud. Further, many internal audit departments find themselves pressured to focus less on risk and more on operating efficiency.
Fraud risk increases when management has the ability to override internal controls, and it is an issue that receives considerable attention by both internal and external auditors. Respondents expressed confidence that a stronger internal audit department is the best line of defense to prevent management from overriding established internal controls. However, internal audit departments face a conundrum difficult to resolve: assessing the possibility of management committing fraud while not fostering management mistrust. Direct communication with the audit committee can ease this concern.
KPMG Profile of a Fraudster 2007
In 2007, KPMG analyzed hundreds of actual fraud investigations conducted by its forensic departments within the EMA region (Europe, India, Middle East, and Africa) to produce a profile of the individuals who commit fraud and what conditions permit fraud to occur. A total of 360 fraudulent acts were included in the analysis. A male finance department employee aged 36-55 acting independently was most likely to perpetrate asset misappropriation in the cases examined. Motivation for committing fraud was most often cited as greed for position, power, or influence. Weaknesses in internal control were noted as the most prevalent condition permitting a fraud to occur. Whistle blowing (i.e., anonymous tip) was the most common means of fraud detection (25%).
KPMG Fraud Survey 2009
KPMG sponsored a formal survey that involved telephone interviews of executives of U.S. organizations with annual revenues of $250 million about fraud risks and associated panned responses. Sixty-five percent of those responding stated that fraud continues to pose a significant risk. The top three types of fraud reported were (1) asset misappropriation (35%); (2) corruption (31%); and (3) financial statement fraud (14%). The number one concern facing the executives is the loss of public trust (71%) if a fraud were to occur, followed by legal fines/sanctions (54%). Most of those surveyed expected that fraud risks would increase in the future. A second part of the study was to identify fraud risk management plans.
The executives were asked about the best means to detect fraud in their organizations. Internal audit (47%), employee tips (20%), line managers (13%), and external auditors (9%) were cited as the top four sources of information. Only 10% of those responding reported that no formal program was in place to deal with a fraud discovery. The areas that have the most room for improvement in terms of fraud risk mitigation are (1) employee communication and training and (2) technology-driven continuous auditing and monitoring techniques, with 67% and 65%, respectively, reporting the existence of a moderate to significant room for improvement.
PwC’s Global Economic Crime Survey 2009
PwC’s fifth biennial report is based upon a web-based survey of 3,037 senior representatives of organizations in 54 countries. The 2009 survey investigated the root causes of economic crime, and the way in which it affects businesses worldwide. Of those responding, 905 (30%) had experienced at least one incident of fraud in the previous 12 months. The backdrop of the global economic downturn has affected most of the companies, with 62% reporting a decline in financial performance. In addition, 40% of all respondents believed that the risk of economic crime had risen due to the recession.
Factors Contributing to Fraud
The economic downturn has made achieving financial targets more difficult, increased competitive pressure, and made employees concerned about job security. As a result, employers are increasingly tempted to artificially enhance revenues and/or reduce. The increasing pressure to achieve financial targets is accompanied by worries over bonus and fear of losing employment. When employees are terminated in cost-cutting efforts in a recession, the anxiety level among those remaining inevitably rises.
Types of Economic Crime
The three most common types of crime are (1) asset misappropriation, (2) accounting fraud, and (3) bribery and corruption. Asset misappropriation, the theft or misuse of assets was experienced by two-thirds of the companies in the survey. Accounting fraud was the second most frequent type of economic crime, but has experienced the steepest upturn. The rise in accounting fraud could be a byproduct of intense pressure to meet financial goals caused by the economic downturn. The survey defines accounting fraud as including an assortment of acts that use financial data to perpetrate a deceit.
Fraud Risk Assessment
A fraud risk assessment is a crucial tool in preventing fraud because it can identify potential risks and weaknesses in internal controls that create the opportunity to commit fraud. In a period in which economic crime is on the increase, 28% of those responding do not even engage in a fraud risk assessment, and 12% do not even know if it is performed. Thus 40% are not benefiting from this very critical strategy. A company’s failure to perform this procedure is a serious deficiency in their effort to combat fraud. Going further, the survey correlated reported frauds and the frequency of fraud risk assessments. As expected, the more frequent the fraud risk assessment the more often that fraud is discovered in a timely manner.
Size as a Determinant of Fraud
A company’s likelihood of fraud is directly related to its size. Only 15% of the small companies surveyed experienced fraud, while 46% of organizations with more than 1,000 employees reported having experienced economic crime within the last 12 months. Several reasons account for the correlation of size of company and incidence of fraud, including:
Larger companies often engage in more complex transactions that can lead to more opportunities to engage in fraud;
Larger companies can implement a greater number of controls and risk management tools to increase their chances of detecting fraud; and
The larger and more complex the organization, the greater the anonymity of the employees.
Fraud and Industry
The four most fraud-prone industries in the 2009 survey are (1) communications, (2) insurance, (3) financial services, and (4) hospitality and leisure. Insurance and financial services have reported consistently high levels of fraud over the ten years the survey has been conducted. In addition, financial services is the sector that has experienced the largest increase in fraud according to the survey, with 56% of respondents reporting an increase in the number of incidences in the last 12 months.
Actions against Fraudsters
Actions taken against internal fraudsters extend from doing nothing to dismissal and filing of criminal charges. When discovered, the majority of internal fraudsters were dismissed. Interestingly, 22% of respondents reported issuing warnings or reprimands as the only consequence. For external fraudsters, the majority of respondents chose to bring civil action and/or criminal charges and terminated the business relationship. Perhaps more serious consequences would serve as a stronger deterrent.
Profile of Fraudsters
Of the respondents who reported fraud by external fraudsters, 45% had experienced fraud by customers and 20% by agents/intermediaries. The survey highlights the increase in frauds committed by middle management. Economic crimes committed by middle managers now account for 42% of all internal frauds, up from 26% in 2007. Reasons cited for the rise in frauds committed by middle management include the need to maintain living standards and jealousy of higher earners whose compensation or bonuses were believed to be unfair.
Fraud and corruption are on the increase. The worldwide financial may account for a large part of this upsurge, but it will be interesting to see if the trend changes as the world economy recovers. Many companies still need to be more proactive in anticipating fraud and corruption. Internal controls cannot be depended upon alone to detect and discourage fraud. Fraud can be committed in many different ways; deterrence and detection requires companies to employ a range of tools. Each survey offers a different vantage point, yet the lessons are consistent: fraud is still a problem and efforts can be made to defeat it.
The U.S. government has invested considerable resources into fighting the problem of fraud, which is a global problem. The importance of effective internal controls led to the SOX requirement for audits of the effectiveness of controls. However, the surveys reveal that weak controls persist as a condition that permits fraud to occur. Continued emphasis on the importance of controls by both regulators and managers is essential.
Every organization should undertake a fraud risk assessment on a regular basis. It is startling how many companies fail to exercise due diligence to prevent fraud and/or corruption. For example, surprise audits have been found to be an important tool in the struggle against fraud but they are implemented by less than 30% of companies victimized by fraud. In addition, anonymous tips have been shown by various surveys to be a very effective method that can be used to detect fraud. The critical importance of tips in detecting fraud suggests that every organization should implement a fraud reporting system, which can be done with the assistance of vendors who will ensure anonymity to the whistleblower. Fraud hotlines should be a necessary part of a fraud reporting system because of their effectiveness in encouraging anonymous tips from employees.
Fraud and corruption remain a worldwide problem. The global economic downturn has significantly increased pressure on organizations to maintain profitability, thereby creating incentives to engage in fraud. The results of these five surveys can provide management with information on how to direct scarce resources to deter fraud and/or detect it in a timely manner.
Amato, C. (1996). Lockheed-Egypt: An investigation of foreign corrupt practices act violations. The Journal of Public Inquiry: Fall 1996 (29-30).
Deloitte (2011). GCC fraud survey 2011: Facing the challenge of fraud. Retrieved December 28, 2011 from http://www.deloitte.com/assets/Dcom-Lebanon/Local%20Assets/Documents/FAS/Deloitte%20%20GCC%20Fraud%20%20Survey%202011.pdf.
Ernst & Young (2010). Driving ethical growth—new markets, new challenges, 11th global fraud survey. Retrieved December 28, 2011 from http://www.ey.com/Publication/vwLUAssets/EY_11th_GLOBAL_FRAUD_Survey/$FILE/EY_11th_GLOBAL_FRAUD_Survey.pdf.
KPMG (2007). Profile of a fraudster survey. Retrieved December 28, 2011 from http://www.kpmg.co.uk/pubs/ProfileofaFraudsterSurvey%28web%29.pdf.
KPMG (2009). Fraud survey 2009. Retrieved December 28, 2011 from http://www.ethicspoint.com/Upload/Articles/21001NSS_Fraud_Survey_082409.pdf.
PricewaterhouseCoopers (2009). The global economic crime survey: Economic crime in a downturn. Retrieved December 28, 2011 from http://www.pwc.com/en_GX/gx/economic-crime-survey/pdf/global-economic-crime-survey-2009.pdf.
Securities and Exchange Commission (2010). SEC charges Dell and senior executives with disclosure and accounting fraud. Retrieved December 28, 2011 from http://www.sec.gov/news/press/2010/2010-131.htm.
United States v. United Technologies Corporation, No. 95-8251-CIV-MARCUS (1997).