As economic crime around the world is becoming more widespread and sophisticated, mitigating the growing threat requires significant investment and effective controls.
The global average cost of a data breach in 2019 was $3.92 million, a 1.5% increase from 2018, according to the Ponemon Institute’s Data Breach report.
The COVID-19 pandemic has made fraud detection all the more urgent, with tightening cash flows at companies large and small meaning there’s even less ability these days to cover an unexpected loss.
Sophisticated thieves, too, are stepping up their efforts to siphon off money in the confusing global environment that has resulted, said Nigel Iyer, a fraud expert living in Norway and the UK who is a partner with B4 Investigate and a co-founder of the Fraud Academy. Iyer is also a CIMA fellow and chartered accountant.
“The criminals are really desperate today,” Iyer said, with cross-border commerce slowed significantly and other disruptions to criminal organisation. “You look at the cybercrime rate and it’s going up.”
The more time it takes an organisation to identify and contain a breach, the higher the cost. In 2019, the data breach life cycle was 279 days, and more than half of the data breaches in 2019 were a result of malicious and criminal attacks; others resulted from system glitches and human error, according to the Ponemon Institute report.
But preparation pays off, literally and figuratively.
Entities with dedicated fraud programmes spent 42% less responding to actual fraud incidents and 17% less on remediation costs than those without dedicated teams, according to a survey of more than 5,000 corporate executives for PwC’s 2020 Global Economic Crime and Fraud Survey. The survey also found that nearly 40% of respondents say they plan to increase their spend on fraud prevention in the next two years.
Here are some tips for the top anti-fraud investments finance departments and CFOs can expect to make in 2020:
Many organisations are still addressing fraud prevention as a reactive, defensive approach. According to the PwC report, nearly half of global organisations don’t perform a risk assessment or perform only an informal one.
But companies must implement proactive measures to prevent fraud before it can manifest, and a fraud risk assessment is the first step, according to Jules Colborne-Baber, Deloitte partner and economic crime lead based in London.
An appropriate fraud risk assessment encompassing the full scope of an organisation’s activities allows it to understand the risks to which it is exposed and then map its controls to those risks, Colborne-Baber said.
“You need to understand where your risks lie, so you can develop your fraud risk management framework accordingly. Further, do you have the right people in place to monitor and assure against that framework and to investigate as things go wrong?” Colborne-Baber said.
The best assessments, according to Colborne-Baber, make use of qualitative and quantitative data and can employ workshops or surveys to gather information. Inherent risks are assessed — typically on axes of likelihood and significance — and then controls are identified and mapped against the risks to arrive at a residual risk. The assessment must be continuously updated as the business and its environment change.
Companies can invest in and conduct risk assessments in many ways, according to Colborne-Baber, but typically the assessment is driven by the second line, with business frontline involvement. Businesses may do the assessment internally or hire outside consultants; the key for Colborne-Baber is that it is a collaborative effort. The cost of such assessments depends on the scale and nature of the business.
Fraud awareness training
Training and communicating with employees about the organisational culture, internal policies prohibiting fraudulent activities, and warning signs and risks of fraud must be consistent. Whistle-blowing programmes should be implemented and made available to employees. This should include a well-publicised open-door or hotline policy internally and externally for vendors, according to PwC, that can act as an early-warning system of potential problems in an organisation.
“It’s quite important to create anti-fraud and anti-corruption awareness in the organisation,” said Ricardo Noreña, head partner for Western Europe at EY, based in Madrid.
Noreña recommends holding training sessions, perhaps as part of company meetings, and publicising organisational principles and dos and don’ts throughout the office. Fraud-prevention training should be conducted for new employee orientation.
“Most [fraud] cases prove it was insufficient awareness in the organisation,” Noreña said.
A key goal is making those training sessions interesting, Iyer said. Too many companies rely on providing the information during dry seminars without putting much effort into ensuring it will captivate and interest staff. Those uninspiring training sessions narrow the chances of the message getting through and of employees actually deploying the techniques needed to prevent and stop fraud, he said.
“You’ve got to make it fun,” Iyer said. He finds the most successful training makes a game out of fraud detection, where accountants and others can play the roles of fraud detectives.
Employees are often a company’s greatest defence against fraud.
Many fraudulent schemes are caught by astute staff in finance or other departments who notice things seem amiss, Iyer said. That’s why management should make sure there is regular and consistent messaging about the need to probe and report suspicious vendor behaviour and invoices, Iyer said.
He warns against relying too heavily on technology to catch all fraud and suggests companies focus on how engaged staff are often the first to spot suspicious scenarios.
“It’s almost never the process that finds the fraud — it’s the people,” Iyer said.
That is a challenge with remote workforces during the COVID-19 pandemic, when staff cannot walk into a colleague’s office and ask them to take a look at a strange invoice or purchase order.
“People are often more comfortable walking over to someone’s desk to say, ‘This is a bit strange, what do you think?’,” Iyer said.
Historically, organisations respond to fraud as it happens and then advance their control environment. But increasingly companies must shift to a more proactive approach, and that includes the use of data analytics throughout the fraud risk management process, Colborne-Baber said. Analytics can be used to identify control weaknesses or detect anomalies that could be indicators of fraud.
“The big one for me is around monitoring analytics,” Colborne-Baber said. “We are seeing businesses investing in capabilities to monitor activity around waste, misconduct, and fraud risk.”
These areas could include, for instance, procurement and employee expenses to identify and prevent issues and enhance processes.
This takes the form of analytical capabilities, which involve data capture and transformation, use of sophisticated analytics techniques, and the visualisation of those results onto a dashboard for review and follow-up. The cost of the investment will vary enormously depending on the nature of the organisation, but the key for any organisation, according to Colborne-Baber, is to start small with a pilot or proof of concept to demonstrate the value and then build from there.
Organisations will need to spend to build more robust internal controls that target opportunities to commit fraud.
According to the PwC survey, fewer than three in ten companies perform limited testing of the operating effectiveness of their controls, and another 12% do no testing at all.
For Noreña, such controls would include investing in both technology and people-focused measures. “Investing in technology controls, but not technology only — it’s all the controls around the technology that are very important,” Noreña said.
Organisations also need to invest in controls that account for management override or collusion. Because internal controls can be manipulated by employees or third parties, having independent experts is essential to avoiding complacency in the organisation, Noreña said. Segregation of duties, documentation of transactions, job rotations, and mandatory time off to prevent fraudsters from sole control of the books are examples of possible controls. These controls must be consistently monitored for their effectiveness and updated as technology evolves.
By encouraging their companies to take steps to invest in fraud detection and prevention, management accountants can help their organisations reduce and prevent future losses.
— Annie Hylton is a freelance writer based in Switzerland. Sarah Ovaska is a freelance writer based in the US.