The ‘F Word’ is enough to get people quite agitated in any discussion. Particularly when it relates to our business processes . . .Yep, I’m talking about Fraud.
We all know it happens, but not in our companies. But it does remind me of a related comment I heard a few years back “Everyone’s talking about it, some people are doing it and no-one is doing it very well’.
The Association of Certified Fraud Examiners (ACFE) reports that organizations lose on average 5% of annual revenues to fraud, waste and error. If you look at the impact on the bottom line, that is a big number, equivalent to as much as 30% of net profits of a healthy company. But look behind the headline and there are a couple of hidden warnings. It is reasonable to assume that Certified Fraud Examiners have a vested interest in having a reasonable amount of fraud to examine. To take the opposing position might be akin to turkeys voting for Christmas (or Thanksgiving depending on your religious or poultry eating habits). Secondly, the critical subtlety is that this 5% is not all about fraud, rather “Fraud, Waste & Error”. This is a critical distinction.
Working in the business of helping large organisations drive improvements to business process efficiency, effectiveness, and of course, cashflow, it has become pretty clear that ‘fraud’ itself is largely a diversionary label. To determine ‘fraud’ requires an understanding of the human intent behind spurious activities. After all, if someone transfers money into my bank account without my knowledge and I don’t realise it and did not engineer it, that’s not fraud. Business, as opposed to law enforcement, is much more interested in identifying anomalous behaviour in process execution, understanding it, resolving it, eliminating it where appropriate and streamlining processes. In short, as business people, especially in the finance function, we want to prevent egregious errors where possible and have an effective safety net that detects any other error, waste and potential fraud as soon as possible after they are attempted. We want to do this so we can better understand our processes, develop better preventive controls and improve process efficiency.
By the way, I am getting to the ‘smart data analytics’ topic, but let’s stay with ‘fraud’ a moment longer . . .
PwC have just published an excellent, enlightening report, “2014 Global Economic Crime Survey” with input from 5000 respondents around the world. Here, the term ‘economic crime’ encompasses fraud, IP infringement, corruption, cybercrime and accounting fraud. As well as highlighting that economic crime threatens the integrity of business processes it is also clear from our own experience how reputation is critical to business today. Reputation is often the highest level concern with respect to risk management and financial control in global organisations.
The PwC report highlights that 37% of organizations report being victimized by economic crime (and that is those that know AND who are prepared to admit it), 53% of CEOs surveyed reported being concerned about bribery and corruption (and who wouldn’t be with the hefty FCPA & UK Bribery Act investigations and settlements in the news) and 48% reported that cybercrime risk has increased.
An interesting finding from the survey is that 55% of instances of economic crime were uncovered by internal controls, up from 50% in 2011. The fascinating sideline here is that the report suggests that these internal controls may have been preventive or detective. If the crime was committed, my observation is these must all have been detective, or the crime would not have been perpetrated in the first place! The report also deals with systemic and episodic crime which is a useful distinction.
Consistent with our own experiences, the “BIG 3” areas of economic crime, which also happen to be the BIG 3 of error and waste, are:
• Asset Misappropriation – 69%
• Procurement Fraud & Disbursements – 29%
• Bribery & Corruption – 27%
In terms of future expectations, asset misappropriation remains by far the biggest threat. So perhaps we start bolting valuable inventory and assets to the floor!
By far the most successful method of detection reported is suspicious transaction reporting/data analytics, which has grown by 30%. NOW, we are getting there. Let’s look at data analytics . . .
When we started our business over 10 years ago, I remember senior finance executives telling me that these bad things didn’t happen to them. “We hire good people and trust them” was the refrain. Often I would meet the same executive a year later and would hear tales of woe about some errant finance manager who had been caught with his hands in the cookie jar. Interestingly, the PwC survey shows that in the past 10 years the defence & detection approaches against economic crime has shifted from a largely even split between Controls, Culture and Accident to 55% focussed on controls, and low 20%’s each for culture and accident. You can read the full PwC report here.
Our own experiences with organizations around the world show that both preventive and detective controls are the keys to good fraud prevention. What is very obvious is that we need a healthy balance. No amount of preventive controls will give sufficient assurance or coverage as my favourite car park photo shows below. It is important to have the barrier, but equally important to monitor the tyre tracks . . .
Remember that a ‘detective’ control which captures some anomalous activity may still be ‘preventive’ at a business process level. For example, the detection of a duplicate supplier invoice can prevent the critical duplicate payment and associated cash flow impact.
We certainly need effective tools and processes to monitor and ensure our preventive controls are working (Segregation of Duties, Tolerances, 3-Way Match etc.). By the same token, we need a healthy balance of detective controls in the form of smart data analytics capabilities to alert stakeholders to anomalies, both within a process stream and after the fact.
We see the key focus areas being the processes around:
And of course, we consider ALL anomalies related to fraud, waste and error. Some of our hot hit-list of such smart data analytics scenarios include . . .
- Unusual Depreciation
- Creation/Maintenance of assets – inappropriate asset type and valuation classes
- Segregation of Duties of purchasing roles against Asset Acquisition/Creation/Maintenance
- Early Asset Write-Offs (potential misappropriation of assets)
- Unnecessary early replacements
- Hire vs. purchase expenses for similar assets
- Duplication of assets
- Scattered purchase (loss of volume discounts)
- Lack of physical stock checks vs. book value
- Improper capitalisation of purchases
- Reported Asset Damage/ Loss (potential misappropriation of assets)
- Asset GL Account credits without corresponding purchases
- Vendor terms variances from policy
- PO Payment term variances
- Vendor Invoice term variances
- Segregation of Duties between vendor management, purchase requisition, approval, receipt and payment
- After the fact POs
- Recurring payment items not monitored
- Old AP balances cleared by cash payments or new bank account
- Duplicate POs, invoices, payments
- Expense journal entries matched to accruals not purchases
- Irregular JE/Invoice/payment activity
- Payments > invoice value
- PO/GR/Invoice matching including payment tolerances
- Payments to fabricated employee
- Fictitious payments to employees
- One time vendor payments
- Scattered purchase (loss of volume discounts)
- Fraudulent collections (may be exposed through disputed balances)
- Credit notes
- Discounts terms conflicting with policy
- Payment terms conflicting with policy
- Early settlement discounts
- Pro-forma invoicing
- Customer invoices with no delivery and no payment
- False journal entries corresponding to accrual rather than payment
- A/R Write-Offs to cover misappropriation of funds
- Sales over credit limit
- Un-authorised extended credit
- Re-issuing invoices (to spuriously reduce debtor days)
- Significant increase/decrease in debtor balances
Of course, to transform these analytics into truly smart data analytics requires a level of expertise and detailed definition to eliminate false positives and to identify only those anomalies where action needs to be taken.
I hope this has given you some food for thought.
Enjoy the journey and, of course . . .
Thanks for reading.