Chapter One
THE WORLD OF FRAUD
Once or twice in my career I feel that I have done more real harm by my discovery of the criminal than ever he had done by his crime. I have learned caution now, and I had rather play tricks with the law of England than with my own conscience.
Fraud presents us with a chicken and egg predicament. For all of the facts and war stories presented in this book, fraud is unavoidable, and for those in business, it is an occupational hazard. Our biggest challenge is to get it right: to ensure that business does not spend more money preventing and detecting fraud than it may possibly lose by it. Toward that end, when we receive a call or letter that someone is up to no good, we do not accuse the wrong person, or act on a tip that was given for the wrong reasons.
The cost of fraud and the long-term effects are many. Businesses that are victims of fraud not only bear the cost of the fraud itself (to the extent that they are unable to recover funds), but also the costs of investigating the fraud, of clearing up the problem, and of ensuring there is no recurrence.
Who steals my purse steals trash; 'tis something, nothing; 'twas mine, 'tis his, and has been slave to thousands; but he that filches from me my good name robs me of that which not enriches him and makes me poor indeed.
As recent corporate incidents have shown us, financial losses arising from fraudulent activity may lead to layoffs, plant closures, or even business failures. Those companies able to survive a fraudulent event may still miss key business opportunities. The misappropriated capital might otherwise have been used to create employment, build new facilities, or develop better products and services. Fraud also extracts a huge personal cost. It can have a traumatic effect on individuals, leading, in some cases, to marriage breakups, nervous disorders, and even suicide.
We have to accept that no business and no one is immune to fraud. A business, agency, or individual that thinks it is invulnerable to fraud is, in fact, the most inviting to fraudsters. Too often complacency is the fraudster's best ally. Conversely, the fraudster's toughest foe is a potential target that turns out to be both vigilant and well prepared to meet this challenge. The bad news is that external audits no longer seem to be the deterrent they once were. In its 2002 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) reported that audited companies did suffer less severe fraud losses than unaudited ones. However, in its 2004 report, the ACFE noted that median losses are higher in organizations with an external audit, and it was "disappointing to find no trend indicating reduced losses as a result of external audits" (such a trend did exist in 2002).
It is important to note that while fraud does not occur randomly throughout an organization, neither does it occur in statistical proportions. Of course, there are areas of any business that are more vulnerable than others and the work environment is the key factor affecting the occurrence of fraud. Fraud, by its very nature, usually means that the activities are not easily uncovered or identified. While external audit accounts for approximately 10 percent of initial fraud detection, it is encouraging to note that internal audit accounts for approximately 24 percent (up from approximately 19 percent in 2002). Elsewhere in this book we discuss Sarbanes-Oxley and other pronouncements but clearly, effective internal controls and internal audits have proven useful in the fight against fraud. Discovering fraud through tips and purely by accident combine to account for approximately 61 percent of initial detections, and are similar to the ACFE's report of 2002.
It is also important to remember that for all the case studies and war stories, for all the statistics and for all the discussion, we only know about the tip of the iceberg. Fraud is essentially broken into three primary groups: fraud that has been discovered and is detailed in the public domain; fraud that has been discovered, but the details have not been made public; and fraud that has not been detected.
For those of us who have been investigating and talking about fraud for so long, it is interesting to see that the concept of the anonymous letter (years ago referred to as the "poison pen letter"), whether from a loyal employee or vindictive ex-employee, is still an important key to the discovery of fraudulent activity. Through education and legislation, the implementation of tip lines and hotlines has furthered the progress of this means of initial detection. The ACFE still believes that companies need to do a better job of communicating the fact that they have a hotline, and need to reach out beyond the boundaries of their own organization to customers, vendors, and other third parties.
WHO COMMITS FRAUD AND WHY?
From a caprice of nature, not from the ignorance of man. Not a mistake has been made in the working. But we cannot prevent equilibrium from producing its effects. We may brave human laws, but we cannot resist natural ones.
Contrary to people's notion that computers stole their funds, fraud is carried out by people. While computers and other electronic wizardry may enable the deed, it is still the result of human input and motivation.
Therefore, a discussion about the human element is crucial to an understanding of fraud and will assist in the prevention and detection process. It is generally accepted within fraud prevention circles that a certain element of our society, and hence the population of any given organization, is inherently honest. Conversely, a certain element of people is inherently dishonest and little will deter them from deceit. The remaining element may commit acts of dishonesty if the need and opportunity coexist. Opinions vary on the percentages assigned to each element, with some believing the extremes range from 20 to 30 percent. This means that up to 80 percent of the workforce is potentially dishonest depending on the circumstances. The circumstances, of course, will be affected to the degree that there are adequate internal controls in place and that they are enforced.
As crime does not occur statistically, the honesty of employees in a company is not predetermined based on a statistical relationship. The business environment and culture will set the numbers. Thus, an honest person with a high degree of personal integrity may commit fraud given a set of situational pressures and high opportunity. Conversely, a person of low personal integrity may not commit fraud if he is not exposed to situational pressures and there are strong controls, which provide little or no opportunity for fraud.
Recent corporate events, and indeed the ensuing legislation, have recognized that management can control the situational pressures and the personal integrity of employees by not only knowing their people, but setting the tone themselves. Management can control the opportunities for fraud through internal controls, good management, good policies, and good procedures.
To illustrate this discussion further, let us imagine a person who is a pillar of their community, a well-respected, honest employee, a person with a background no more criminal than that of most of us. This person finds himself with an unshareable problem and an opportunity to steal money from his company. The chances are very good that if in that situation you walked up to him and said, "Fred, steal the money from your boss," he would look at you in horror as if you had suggested he could solve his problem by sticking a pistol into the face of the local liquor store owner. "Fred, steal the money from your company" probably would bring about less of a horror reaction. Still, honest and trusted persons just don't do those things. However, honest and trusted persons do "borrow," and if you were to suggest that Fred secretly borrow some money from his firm, you would have helped him over a tremendous hurdle. Then he would be able to tell himself that he is borrowing the money and he can continue to believe that he is an honest citizen, even as he is robbing the boss blind.
CASE 1.1 $3.28 Million Embezzled Over 9 Years: Discovered When Savings Bank Alerted Victim of Suspicious Transactions
A Maryland woman, on a salary of $36,000 a year, embezzled $3.28 million from a union general fund over a period of nine years. Union officials became suspicious when a credit union notified them that large sums of money were moving in and out of union accounts. She had been responsible for transferring employee automatic payroll deductions to a credit union. She was required to issue one check to the credit union each pay period to cover all the employee deductions, to be credited to each employee's credit union account. Her scheme involved writing a larger check than was necessary and keeping the excess. She was able to cover the fraud by falsifying financial records, and she was also the person responsible for assuring that the accounts were in balance.
FRAUD PREVENTION AND DETECTION
There is no special recipe, checklist, or manual on detecting fraud that can assist a business owner in his work. No such thing exists and no such thing is truly capable of being developed to address all forms of fraud. And therein, perhaps, lies a blessing. The development of material to assist the auditor in detecting fraud may create standards against which he or she may be held accountable. However, armed with a heightened awareness of the reality of fraud and the environmental factors and red flags that may signal the potential presence of fraudulent activities, accountants and businesses may be able to be more proactive in the prevention and detection of fraud.
However, what recent legislation has done is to instill in management the notion that they must:
Accept that fraud exists and could occur.
Acknowledge the importance of fraud awareness.
Deal with the human factors by hiring honest people and keeping them honest via deterrents to fraud.
Deal with the environmental factors by implementing adequate and enforced controls, policies, and procedures, including following up on all dishonest acts.
If you are a businessperson or work in the private sector or have clients in that position, protecting your or their bottom line from fraud is a challenging goal. But it can be achieved through the implementation of an effective prevention and detection strategy.
The elements of such a strategy include the need to:
Understand why fraud is committed.
Ensure that factors that may motivate employees to commit fraud are minimized.
Understand the opportunities for fraud in the business.
Pinpoint the exposures and high-risk areas and reduce the opportunities for fraud.
Know the symptoms of fraud.
Communicate expected behavior to employees.
Respond appropriately to identified problems and seek out appropriate sanctions against the perpetrators.
CASE 1.2 The Protracted Payroll Fraud
Accidentally discovered, this case involved a woman who was employed by a university for 20 years. She embezzled $158,000 from the university over a period of seven years and no one at the university seemed to notice, despite the fact that during the seven years she was active, some of her thefts involved $149,190 in payroll checks written to ghost employees. The auditors certainly did not suspect her, and it is likely that they were never engaged in fraud-specific investigations. She was a highly respected employee of the university and was given the President's Award as the university's most valued employee.
Her luck changed, however, when postal service inspectors suspected her husband as being involved in a stolen check ring. While searching her residence for evidence of her husband's suspected crime, they found university payroll stubs under different names that she had saved. Their suspicions led to detection of her fraud. In a replay of the old story where the farmer locked the door to the barn after his horse was stolen, the university tightened payroll procedures.
In Chapter 2, we will discuss the role of the auditor in greater detail. However, it should be noted that historically internal auditors were perceived as not having enough training or experience to proactively detect fraud. Because many internal auditors came from independent auditors, and with little in accounting pronouncements until SAS 53, 82, and then 99, they brought no fraud investigation experience with them.
In addition, companies seemed reluctant to spend a lot of resources, both physical and financial, on proactive investigations. While companies would spend money on fire insurance, hoping there would never be a fire, they questioned the value of fraud-specific examinations, because they had never had the problem in the past.
As a result of a combination of factors, the proactive and reactive landscape of fraud seems to have changed in the past couple of years. After the well-publicized scandals of WorldCom, Enron, and others, the era of Sarbanes-Oxley, greater corporate governance, and new auditing standards have all contributed to a more watchful eye and increased accountability.
As we noted earlier, you can never eliminate fraud, but you can reduce the possibility of it happening. The fact that initial detection of fraud by internal audit and internal controls has increased, as noted in the ACFE survey, points to increased awareness, accountability, and spending on such preventative methods.