There are three common reactions which crop up whenever the subject of fraud risk is discussed. In simple terms these are:
The first and second responses are respectively unduly optimistic and unduly pessimistic. The third suggests a cost-benefit approach to the problem. This is sensible as far as it goes. However, my own firm's experience is that people tend to overstate the easily quantifiable costs and understate the less easily quantifiable benefits of managing fraud risk.
What does fraud mean?
Fraud means different things to different people. It is a generic term, which covers a wide range of economic crimes and impropriety and may cover one or more of the following broad categories:
In practice, real cases of fraud will often cross the boundaries between these categories. However, my primary focus here is on the first kind – misappropriation of assets – although many of my comments may apply to the other types of fraud as well.
How prevalent is fraud?
In a recent survey1) conducted by PricewaterhouseCoopers, nearly three quarters of all larger2) companies questioned in the UK said that they had been the victim of serious fraud in the last two years. The average cost to these companies of the frauds was E15m (£9.4m). If that does not sound too disastrous, note that the average hides some very large individual cases – nine respondents cited losses in excess of E100m (£62.5m).
The survey revealed some other startling statistics. For example, in 58% of cases the fraud had been discovered more or less by chance. In 28% of cases tip-offs had played a part. Frauds were overwhelmingly perpetrated by insiders – management and other employees – although sometimes with the help of outsiders. Against this background, the argument that 'it couldn't happen in my company' starts to look a little threadbare. No company, regardless of size, location or industry, is immune. Fraud can strike any organisation and it pays to be prepared for it when it does.
Can fraud be prevented?
Given that prevention is generally better than cure, what can be done to prevent fraud? The bad news is that no system of controls and supervision is foolproof. Good risk management can mitigate, but not eradicate, the risk of fraud. There is no typical fraudster. Fraudsters may share some similar traits, but these are unlikely to help you identify one in advance.
Nevertheless, this is not an excuse for inaction. It may not be possible to spot a potential fraudster, but it is certainly possible to identify potential opportunities for fraud within the company, and to take action to remove or reduce those opportunities. The details of an effective anti-fraud regime will be specific to each company, so it is only possible to suggest some general approaches here.
All organisations can usefully ask themselves the following (by no means exhaustive) list of questions.
If the honest answer to any of these questions is 'No', then you should consider appropriate remedial action.
When fraud strikes
Risk management does not stop at prevention. Effective action when fraud strikes can limit the damage and send a strong deterrent message for the future. No two frauds are alike, and each case presents a unique combination of problems and challenges. However, there are a variety of 'dos and don'ts' which are likely to be relevant in most cases. These are some of the key points.
The precise scope and methodology of an investigation will depend on the nature and scale of the fraud, the company in which it takes place and the answers to the questions raised above. An investigation is an iterative process. Information and evidence gathered in the early stages may well create additional, previously unidentified leads to be followed up.
The key phases of an investigation are:
Agreeing on an initial scope and strategy is vital. As the investigation progresses, the strategy may need to be adjusted in light of the findings. However, from the outset, the aims of the investigation should be clear.
Consider early on how you intend to manage the potentially large amount of evidence from documents and data. Leaving this sort of decision until too late could result in avoidable inefficiencies, or loss of valuable evidence.
Information can be gathered in a number of ways from a myriad of sources, including company records, e-mail and other data, third party documents, publicly available information, employees and other potential witnesses. These sources can be accessed using a variety of techniques including interviews, computer forensic techniques and good old-fashioned trawling through documents.
Interviews need to be carefully planned and prepared for. It makes a big difference whether you are interviewing a suspect or a witness. The former is generally better left until you have a good idea of the facts of the case and the key evidence. Witness interviews also need preparation, but are less likely to be adversarial – and you have to start somewhere. Timing can be crucial: it may sometimes be difficult to go back to an interviewee for a second time. Lack of preparation and failure to have the right documents to hand can lead to a wasted opportunity, as you will not be able to challenge an interviewee's assertions.
A suspect's computer can reveal a great deal, including data which has been deleted, but it must be handled carefully. You are likely to need specialist help, as special hardware and software are required to take a forensic image of the hard disk without tainting the evidence it may contain. All too often, enthusiasm gets the better of people who attempt to investigate without appropriate support. Few appreciate that simply turning a computer on can alter and even erase data, which may in turn jeopardise the investigation and actions leading from it.
Another key information gathering and analytical tool is the use of data mining techniques. Data mining involves taking (usually large volumes of) selected company data and sorting and filtering it to identify potentially suspicious patterns of transactions. This is a particularly important method where either there are general suspicions of fraud but no actual cases have been identified or where there is a concern that the frauds so far identified may be symptomatic of a more widespread problem. Well designed and focused data mining can hugely reduce the amount of work needed to identify additional instances of certain types of fraud and increase the level of assurance that they have all been identified.
It is vital to document how the investigation has been conducted. How and where evidence was obtained is crucial, particularly where criminal proceedings may ensue.
Finally, the form of reporting will vary, depending on the recipients of the report and their requirements. It may be necessary to create different reports for different constituencies. From the start, having a clear idea what the various reports should look like will help to focus the investigation.
1) The PricewaterhouseCoopers European Economic Crime Survey 2001. Over 3,600 companies in 15 European countries were surveyed.
2) Larger companies were defined as those with at least 5,000 employees.
Patrick Voss is a partner in PricewaterhouseCoopers Forensic Services, Tel: 020 7213 8276. More information at: www.pwcglobal.com