Closing the loop on fraud

According to the findings of the KPMG Fraud Survey 2008, 45 per cent of the Australian organisations surveyed experienced fraud, with an average loss of $1.5 million. Much has been recently written on fraud and this is well founded, particularly in these economic times.

In addition to the direct dollar costs of fraud, organisations must cope with a range of indirect costs. Damage to a company’s and indeed a director’s reputation can have substantial fallout and lead to punishing market setbacks. Loss of customer confidence translates directly into reduced revenues and profits. Employee morale can suffer, affecting productivity and the ability to attract and retain qualified staff. Directors may also be in breach of their duty of care under the Corporations Act.

In simple terms, frauds fall into three broad categories: asset misappropriation, corruption and fraudulent statements.

How fraudsters exploit systems

The KPMG Fraud Survey 2008 reported that of the factors contributing to fraud in organisations, poor internal controls rated as the highest at 26 per cent and the overriding of internal controls was second at 22 per cent.

Typically, fraudsters detect or stumble upon areas with weak cross-departmental or cross-organisational controls, often the site of the interfaces between two or more computer applications or systems. The perpetrator is confident there is very little regular cross-system validation, given the challenges inherent in accessing and analysing frequently incompatible data formats. Many organisations lack the in-house capability to carry out such complex tasks efficiently and in a frequent, timely fashion. The complexity of finding fraud grows when there are multiple systems involved.

In many organisations, systems and their underlying transactions have become increasingly complex, with data volumes growing at an exponential rate. While strong internal controls and audit procedures play a role in preventing and detecting fraud, it is unrealistic to assume they are completely effective. For many organisations, there remains a strong likelihood that a significant number of frauds are simply never detected.

Even when frauds do come to light, many detection methods, such as audit procedures, only occur long after the fraud has occurred. The longer frauds go undetected, the larger the likely financial loss and the smaller the chance of recovering the funds or assets.

The Audit Committee

The detection of fraud and serious errors must not be the responsibility of IT or the finance function, as it is possible the fraud emanates from these functions or that these departments might assume because they run the systems and procedures, that all is correct. The detection should be run under the direction and control of the Audit Committee and the nature of the detections in place should be unknown to employees for maximum results.

Monitoring than runs 24/7 must fall under the board’s responsibility and key business process transactions and controls must be constantly assessed. This permits continuing insight into the effectiveness of controls and the integrity of transactions running within them. Given that the board is responsible for maintaining effective control systems, it follows that it should have the primary responsibility for monitoring the effectiveness of controls. It also has the most to benefit from obtaining timely insight into transactions resulting from fraud, error or abuse. When an anomaly is detected, there must be closed-loop reporting and monitoring of the investigation, all reported back ultimately to the Audit Committee.

Building a better mousetrap

Associations and leading audit organisations advocate the use of data analysis technologies to assist in fraud detection. This technology allows auditors and fraud investigators to obtain a quick overview of the company, develop an understanding of relationships between various data elements and easily drill down into specific areas of interest.

Transactional analysis is one of the most powerful ways of detecting fraud within an organisation. To maximise its effectiveness, it needs to:

• Allow easy comparisons of data and transactions from separate business or operational systems.
• Work with a comprehensive set of indicators of potential fraud, taking into account the most common fraud schemes and those that relate specifically to the unique risks a particular organisation may face.
• Analyse all transactions within a given area and test them against the parameters that highlight indicators of fraud.
• Perform the analyses and tests as close to the time of the transaction as possible, ideally even before the transaction has been finalised, and preferably on a continuous monitoring basis.

Many suspicious transactions or patterns only come to light when transactional data from one system is compared with that of another. In a simple example, this would involve comparing addresses of paid vendors with employee addresses to detect potential “phantom vendor” schemes. Individuals intent on fraud seek out organisational “soft spots” where there is little regular cross-system data validation.

Ad hoc, repetitive and continuous investigation

A fraud detection and prevention program should incorporate a spectrum of analysis – from ad hoc to repetitive to continuous. Based on key risk indicators, ad hoc testing will pinpoint areas for further investigation. Should this initial testing reveal control weaknesses of suspected cases of fraud, repetitive testing or continuous analyses should be considered. Continuous review of internal controls is required to ensure they remain in place and effective. The challenge for auditors and fraud examiners is also to look beyond the controls and find loopholes in the system where fraud could occur.

Benefits of using technology

A well-designed and implemented fraud detection system, based on transactional analysis of operational systems, can significantly reduce the chances of frauds occurring and then remaining undetected. The sooner indicators of fraud are available, the greater potential to recover losses and address any control weaknesses. Effective detection techniques serve as a deterrent to potential fraudsters; employees who know experts are present and looking for frauds are less likely to commit fraud because of a greater perceived likelihood they will be caught. Lastly, these days these closed-loop continuous monitoring systems can run as a service on demand 24/7 and thus don’t require any purchase of software or servers. They therefore generally have a payback measured in hours, if not days, and certainly within weeks.

Mark Skipper FAICD
Adviser, Satori Group

Article Source: http://www.companydirectors.com.au/Media/Company+Director/2009/August/Opinion+Closing+the+loop+on+fraud.htm