corporate fraud: the cost of doing nothing
TRANSCRIPT
www.advancedcomputersoftware.com/absVersion 2.1 0810 Copyright Advanced Business Software and Solutions Limited 2011
Did you know...
...Fraud continues to pose a significant threat to our economy which is evident from the National Fraud Authority’s recently published Annual Fraud Indicator. This puts the loss to the UK economy from fraud at £34.8 billion representing a cost to each individual member of the adult population of £750 each year.
Corporate fraud: the cost of doing nothing
WhitePaperOctober 2011
Introduction With little to look forward to financially as the cost of living continues to increase and at a time when household incomes are being frozen or reduced, even inherently honest individuals are becoming more ‘creative’ as they look for ways to make up the monthly shortfall. This is leading to record levels of corruption in the workplace, ranging from expenses ‘fiddling’ and fraudulent procurement to more sinister and calculated crimes against businesses.
Given that most companies are struggling to achieve healthy growth in the current climate, fraudulent activity cannot be tolerated, however minor some of the individual ‘crimes’ being committed appear to be. While the typical employee misdemeanour may not be on the same scale as those that transpired from the recent MPs’ expenses scandal, the amounts involved soon add up and can present a risk to company profits.
Over the last year a whole host of surveys have been conducted into business crime at an employee level, with the findings demonstrating that no organisation is immune. The public and private sectors are equally affected, while managers and their subordinates are likely to be similarly culpable.
A YouGov survey in late 2010 revealed that as many as a quarter of all staff eligible for expenses admitted to having inflated their claims (23% said they regularly added between £11-50 each month). More than a fifth (22%) of all respondents to the poll deemed the practice to be acceptable, while as many as 84% said their employer had never queried their expense claims. (http://www.guardian.co.uk/money/2010/dec/19/inflated-expenses-claims-rise-uk-yougov)
Fraud among senior finance personnel and even chief executives is on the increase too, according to international research published by KPMG in June 2011 (http://www.accountingweb.co.uk/topic/practice/kpmg-highlights-fraud-senior-management-level/507389). It found that chief executives, financial directors and other senior financial staff are far more likely to be involved in committing white collar crime, with board members at divisional, subsidiary and corporate level accounting for almost a fifth of business fraud - an increase from 11% in 2007 to 18% in 2011.
Alarmingly, KPMG uncovered a dramatic increase in the number of cases involving the exploitation of weak internal controls – up to 74% in 2011 from 49% in 2007. This suggests that many organisations are not adequately protecting themselves from losses incurred through employee crime.
It is also likely that the problems are more widespread and costly than these surveys suggest, since many cases of fraud go unreported either because companies are failing to monitor and measure instances of internal crimes, particularly below a certain threshold, or because they prefer to handle any cases that do emerge internally to minimise any negative PR.
WhitePaperOctober 2011
Fraud in the newsWhile the 2009 MPs’ expenses scandal monopolised the headlines for several months and continues to run as a story today, there are many other high-profile examples of fraud that have made the news, highlighting how vulnerable even large and apparently robust companies can be to employee dishonesty.
Some poignant examples are listed on the web site of 192 Business, a fraud prevention specialist (http://www.192business.com/news/2011/9/5/staff-fraud-hits-the-headlines.html). Cases cited include that of:
• An employee at ToyWorld who was found guilty of stealing £160,000 worth of goods using customer credit card details he copied while working as a cashier at the store;
• A Wickes trade DIY store employee who stole almost £10,000 by falsifying refunds and paying them to himself;
• Three members of staff at Thomson who paid themselves false compensation, resulting in £372,000 of losses.
Common types of workplace fraudAny behaviour which illicitly deprives an organisation of money or assets can be considered to be fraud, whether it involves embellishing mileage claims, entertaining friends and family ‘on expenses’, buying personal items using a company credit card, or siphoning funds from the business’s bank account.
Common types of internal business fraud include:
1. Fiddling expenses. One of the most startling aspects of the UK MPs’ expenses controversy, which first hit the headlines in 2009, was the extent to which the culprits considered their actions to be acceptable practice - believing their associated gains to be justifiable compensation in the light of salary ceilings or disruption to their home lives. Business employees often take the same stance, believing expenses to be a way of bumping up meagre wages, or a ‘perk of the job’.
2. Procurement fraud. Here, individuals purchase their own items at the company’s expense, using their purchasing or company credit card. This is one of the most common and costly examples of internal company fraud.
3. Stealing company money. Stealing money from the company bank account is also a common crime committed against organisations. Examples include an individual switching the account details for a payment shortly before selecting ‘confirm’ (and then reverting back to the original information); misuse of the company cheque book or petty cash reserve; ‘misprocessing’ a credit note while handling invoice payments; and the same member of staff requesting and approving a payment.
4. Falsifying supplier invoices or customer refunds, or acting in collusion with a supplier or customer to pay invoices for which goods or reciprocal services were not provided or offering refunds on goods or services that were actually received.
WhitePaperOctober 2011
5. Fictitious invoicing – where, due to poor accounting controls and inadequate segregation of duties within the finance and accounts department, an individual arranges the payment of invoices for services that have not been delivered.
6. Theft of assets/stock. Employees may consider it harmless and almost a wasted opportunity to not pilfer home office stationery for their own use. Yet even such seemingly minor transgressions will soon add up, not to mention lead to more sinister behaviour. More serious cases of theft might include theft of company equipment or tools, or the wares a company is responsible for manufacturing or selling. Companies that turn a blind eye to such practices, or fail to have measures in place to detect such thefts, only have themselves to blame when internal costs are found to escalate at the expense of profits.
7. Manipulating targets to wrongfully secure a bonus. A simple example of this practice might involve booking sales one month (usually at the quarter end), then crediting them back the next. Another example is booking orders as sales. Even if the sales figures tally eventually, the crime is the extraction of a bonus that should not have been paid, and a deterioration in real sales achievements because it is too easy to play the system.
8. Dodgy deals. Examples of this include favouring friends and family instead of abiding by a competitive tender situation, designed to enable the company to choose the best service at the lowest cost. Bribery also falls into this category, where ‘backhanders’ are given to individuals in return for preferential consideration for business.
9. Tax evasion or corporate fraud. From restaurants changing their names, premises and/or ownership structures to larger-scale fraud as uncovered at Enron, this level of crime can have devastating consequences for a business, not only financially and through jail sentences for the perpetrators, but in damaging the company’s brand and reputation.
10. Property fraud. This includes the acquisition of company property at less than the market value, through the collusion of at least two senior personnel. The property is then resold at market value, and the profit split between the conspirators.
PriceWaterhouseCoopers, which conducts a comprehensive global study of business fraud every two years (it is currently conducting its 2011 poll), found a sharp rise in accounting frauds in its 2009 Global Economic Crime Survey, in which asset misappropriation and accounting frauds were found to be the most common crimes suffered by companies.
BDO, meanwhile, notes that procurement fraud, which has long been a costly problem for organisations, is now giving way to ‘revenue dilution fraud’, where business managers set up companies within companies or divert lucrative contracts to third-party accomplices. Insider dealing is also on the increase, it claims. Here, while the perpetrator might not defraud their own employer directly, their actions leave their organisation open to severe and often highly public enforcement action by financial regulators.
WhitePaperOctober 2011
The real cost of fraudEstimates of the real cost of fraud to businesses vary, but by anyone’s calculations are significant enough that organisations should take the matter seriously no matter what size they are and however much they trust their staff.
According to the Fraud Advisory Panel, deceptive practices cost the UK economy £38.4 billion in 2010, equating to £765 for every adult (source: National Fraud Authority, January 2011). The NFA’s Annual Fraud Indicator suggests this splits roughly into a £12 billion cost to the private sector, £21.2 billion to the public sector, £1.3 billion to the charity sector, and £4 billion to individuals.
Fraud preventionIn the current climate, no business can afford to let even minor instances of fraud slip through the net. The increasing cost of doing business (due to the rising cost of raw materials and increased rights for employees and contractors) and reduced demand for goods and services are conspiring to drive down company profits. To counteract this, businesses must reduce internal costs. Wherever possible, they must do this without harming the quality of their goods and services, which means stripping out anything which does not add value to the customer experience. Counteracting fraud is an obvious approach, especially given the correlation between tough financial conditions and increased criminal activity among employees.
This means acknowledging and identifying the problem so it can be addressed logically and effectively.
Chartered accountancy and business advisory firm Crompton Ward & Co offers some useful advice about combating business fraud (http://www.cromptonward.co.uk/business/business-finance/dealing-fraud/identify-and-prevent-fraud-your-business).
To prevent fraudulent schemes involving personal or company cheques the firm proposes that business managers should:
• Examine bank reconciliations thoroughly;
• Scrutinise bank statements and cancelled cheques for cheques made out to cash, employees, or new or unusual suppliers;
• Instruct the bank to send company statements to the managing director or financial director’s home address.
To strengthen measures associated with credit control business managers should:
• Verify credit notes and write-offs with receiving records and check for other documentation to support the transaction;
• Compare credit notes with previous ones processed by a suspected employee, especially if they are unfamiliar with the accounts of the customer.
In purchasing and payroll sharpened practices should include:
• Checking selected invoices for signs of doctoring;
• Checking supplier invoices for unusual amounts, pricing, or volumes;
• Keeping a close eye on payroll cheque distribution and monitoring of unclaimed cheques;
WhitePaperOctober 2011
Last, but certainly not least, organisations should look to prevent fraud with internal controls. Crompton Ward & Co note that “effective internal controls can drastically reduce the risk of fraud”, adding that many of these measures needn’t be expensive – for example:
• Separate key duties. Having the same person in charge of more than one procedure such as placing orders, running credit checks, delivering goods, preparing invoices, recording transactions, or collecting debts is tantamount to inviting fraud. Wherever possible, companies should separate or rotate these duties among several employees.
• Require purchase or payment authorisation. Decide on a reasonable figure and ensure that single transactions above that amount require an authorisation from a trusted senior employee.
• Compare actual to budgeted expenditure. Since the most frequent unauthorised transactions take place via expense accounts, it is important to compare the budget to the actual amounts being claimed by employees, to enable discrepancies to be identified and more sinister-looking patterns to be investigated further.
Many of these measures can be automated within existing finance and purchasing systems, avoiding the additional time and resources needed to implement these controls..
Creating a ‘zero tolerance’ cultureSince technology alone is unlikely to eliminate the risk of fraud, it is essential that companies adopt a comprehensive approach, for instance a company culture and set of policies that does not leave room for criminal behaviour.
According to US business advisory and accountancy firm Kostin, Ruffkess & Co, (http://www.kostin.com/admin/uploads/16864333994be1882a306a6.pdf), this strategy should include:
1. An assessment of the risk. Businesses are accustomed to assessing and evaluating business risk. In order to properly design and implement the proper internal controls, management should also assess the risk of fraud. Management and other employees should be included in a brainstorming session to evaluate how fraud could be committed in their respective areas of responsibility.
2. Effective internal controls (checks and balances). Proper internal controls, including clear segregation of duties and timely reconciliations, are critical to early detection and fraud prevention. Automating application and sign-off of payments can ensure the additional internal controls do not impact on speed of processing transactions and that they do not create additional work.
3. Monitoring of controls and operations (detection). It is important not only to establish proper internal controls to detect and prevent fraud, but also to ensure that these measures are implemented fully and appropriately and are followed effectively. Management must verify that control procedures are being followed as designed (this will also send out a clear message that the financial director is doing everything reasonable to prevent fraudulent activity within the organisation). This can be achieved by setting alerts within the finance and accounting system to flag any unusual events. By improving control over some of the critical financial processes, organisations can reduce the risk of fraud being perpetrated by users of the system. The processes most open to fraudulent abuse are those where there is some interaction with a third party – for example, customers or suppliers.
WhitePaperOctober 2011
Companies can also apply limits and restrictions to individual users and processes, so that when these limits are exceeded (even if this is for a valid reason) an alert is sent to another individual within the organisation who can check the authenticity of the action.
4. Introducing a clear company policy. All business should have a code of conduct or ethics policy as well as a policy that specifically addresses the business position on fraud and sets out the associated consequences. This policy should be provided to each employee and the signed acknowledgment of receipt retained in the employee’s personnel file. Research has shown that a written policy – outlining the expectation that certain behaviours are unacceptable - has a greater impact on employee behaviour than a verbal discussion alone. Again, this can act as reinforcement that senior management are taking all measures possible to deter fraud. Having a comprehensive code of conduct can also act as the basis for implementing the checks and balances within the company’s finance and accounting system, ensuring any behaviour outside of these parameters is highlighted and dealt with accordingly.
5. Communication. It is no good getting tough on crime if no one in the organisation knows about it. Businesses must clearly communicate to employees the expectation that all internal and external business is to be conducted ethically and transparently. This messaging should also alert employees that they have a responsibility to report fraud when they are aware it is occurring. More advanced finance systems contain reporting mechanisms that can be used to record potentially interesting ‘events’ to a manager monitoring the system. Sometimes the awareness within the employee base that these reports are even in existence is enough to deter potential fraudsters.
6. Fraudawarenesstrainingformanagers(redflags). Management-level employees should be given training on how to recognise and identify fraud risks as well as fraudulent behaviour. Since this can be a time-consuming process, an interim step might be to employ an automated ‘red flag’ alert within the finance system or business-processes themselves.
7. Fraud hotline. The introduction of a fraud hotline has been shown to reduce losses by up to 60% when fraud is occurring in an organisation, with employees found to be 70% more likely to use an external hotline to report concerns than initiate a discussion with a manager (source: Association of Certified Fraud Examiners’ Report to the Nation on Occupational Fraud and Abuse, 2004). The implied anonymity may make them feel more comfortable about blowing the whistle on a colleague or manager.
8. Taking action when fraud is detected. There is little value in introducing tough new policies if immediate action is not taken when fraud is suspected or detected. This should include immediate investigation, reporting and prosecution. Updated internal controls should be implemented to ensure that the type of fraud committed is prevented in the future.
9. Employee screening. According to the ACFE’s Report to the Nation, 87.4% of fraud perpetrators have no criminal history and 82.6% have never been punished or terminated from prior positions. However it is still important to properly screen new employees. One organisation, G4S Employment Screening and Vetting, has been warning companies to be more vigilant in screening employees following the introduction of the new Bribery Act. G4S estimates that up to a quarter of CVs contain inaccurate information, and notes that prosecution powers are now in force for businesses that fail to adequately screen employees.
WhitePaperOctober 2011
10. IT and data security. The final and most rapidly changing area affecting fraud prevention is IT and data security, which is becoming an increasingly critical component of companies’ internal control systems. As well as the implementation of basic IT policies concerning computer, email, web use and passwords, more advanced controls within the finance system itself are proving to be an increasingly important part of a company’s fraud prevention efforts.
Automated controlsClose monitoring of employee behaviour and routine transactions is a labour-intensive practice, which may jar with businesses that are already overstretched due to the current economic climate. Companies could well be dealing with company restructuring and cutbacks.
It is for this reason that automated fraud detection and prevention solutions, designed for use within internal accounts departments, are growing in appeal. Using their customisable rules, organisations are able to set the controls and then leave it to the software to act as a reliable first alert and barrier to unauthorised or questionable activity. Whereas a busy member of staff might rush or suffer a lapse of attention, missing something crucial, a rules-driven software application will pick up all behaviour that falls outside of acceptable parameters, flagging up anything suspicious so that further action can be taken, thereby helping to prevent any dubious activity from progressing any further in the interim.
Similar approaches to those used by credit card companies to identify unusual and potentially suspicious activity on consumers’ bank accounts are now being extended to businesses. These include tracking potentially fraudulent behaviour based upon unusual patterns of behaviour picked up by the accounting system.
The ‘forensic’ capabilities of such systems are designed to detect, flag and prevent suspicious transactions until they can be examined in person, alleviating individual personnel from the burden of having to spot questionable activity themselves. This ensures that the business is protected and that the time and attention of the finance team can be focused where it is needed.
Financial ‘forensics’All good business software systems incorporate a certain level of security to protect organisations from employee abuse. In the case of accounting systems, this is usually split between controlling access to certain functions, such as allowing a user into supplier maintenance functions and controlling access to data such as company, bank account or supplier records. The systems usually provide audit trails to retrospectively allow the examination of transactions and user behaviour.
As systems have become more sophisticated, they have incorporated process controls such as workflow tools that provide extra layers of review and approval. In addition, most systems now incorporate some kind of interactive alerting that can be configured to contact key users when certain events occur. Although such controls, which come as standard with most modern accounting systems today, are impressive, there are now cutting-edge finance applications which go the extra mile, applying ‘forensic’ techniques to accounts handling, with potentially significant results.
These systems, which include the ‘Forensix’ solution within the latest release of OpenAccounts (version 7) from Advanced Business Solutions, have been developed by studying patterns of behaviour in accounting as computer users have become more sophisticated in understanding business processes.
WhitePaperOctober 2011
For example, many standard accounting systems are not designed to anticipate collaborative fraud, which is often far more damaging and difficult to detect than single rogue transactions. Here, successful deception might involve an internal employee making unusual arrangements with an external supplier or customer; the result could take the form of credit notes, write-offs, discounts, special-order conditions or one-off payments that are particularly difficult to detect.
Special ‘forensic’ capabilities of advanced accounting systems detect and counter such behaviour by applying a broad range of pre-defined conditions (which can be easily and quickly set by approved senior managers). The right blend of parameters, conditions and alerts makes for highly effective protection against internal fraud, particularly when the facilities can be applied across multiple applications and where they are able to incorporate and harness existing tools – for example within security and workflow. Where suspicious activity is detected, knock-on actions can be triggered, as specified by the management – for example, automatic escalation of the situation to someone in authority.
Other valuable capabilities to look for in a ‘forensic’ accounting system include:
• The ability to disallow unallocated payments on certain documents, to identify duplicate addresses and PO Box references and to require mandatory credit note reason codes on transactions;
• Tracking of procurement, stock and customer conditions - identifying first orders to new suppliers, unusual order values and placing extra control into invoice-matching to identify any late cost additions;
• Customer billing monitoring, through the monitoring of credit note values and reasons, as well as write-offs on contract invoices.
A case in point: fraud prevention in actionOnce an organisation has pinpointed where its areas of vulnerability are, it becomes easier to focus specific actions. This is another reason it is important to look for solutions that can be flexed and moulded to a company’s particular needs, using adaptable rules; and which can drive positive changes in business behaviour through a tightening up of policies and processes as gaps are uncovered.
One feature suggested by a user who uncovered a fraud internally involved the replacement of supplier credit notes with cashed cheques – something that would have been automatically detected by a system like OpenAccounts in the event of an unusual encashment pattern.
WhitePaperOctober 2011
ConclusionsSimple, standard measures are clearly not enough for organisations that are serious about combating internal company fraud. If they were, high-profile cases of business crime would not continue to make it into the newspapers.
Increasingly, companies are discovering that they need a ‘belt and braces’ approach to maintaining vigilance with regards to internal fraud – a strategy where detection and prevention relies less on manual intervention but is able to draw on ‘forensic’ techniques via software that has been ‘trained’ to identify, highlight and disrupt rogue behaviour.
CIFAS, the UK’s fraud prevention service, warns that not only is employee fraud on the rise, but patterns of criminal behaviour are changing too, making it harder for organisations to develop foolproof countermeasures without the use of specialist technology. CIFAS notes, for example, that:
• Staff fraudsters are getting younger;
• Younger staff are more likely to target data-related fraud;
• More established members of staff are now committing frauds.
Successful fraud prevention is more than a matter of employing good security measures, because these typically rely on risks being known and predictable and assume that regular reviews of user profiles and other variables are being conducted.
To assess their current levels of protection, organisations need to ask themselves:
• How often are we testing for rogue transactions or unusual behaviour?; and
• Even where there are comprehensive security measures available,
• What if detailed security criteria are not being set?
• What if records are being accessed where they shouldn’t be?
• What if rogue users are allowed to complete the process?
• What if a dishonest member of staff is working in collusion with a supplier?
• What if they are working in collusion with a customer?
• What if the volume of transactions is too great to easily spot any issues manually?
By integrating forensic capabilities into core accounting systems, companies can confidently overcome any gaps they uncover when checking their existing countermeasures against this list.
WhitePaperOctober 2011
Sources & resourcesIncrease in public sector fraud, PriceWaterhouseCoopers: http://www.ukmediacentre.pwc.com/News-Releases/Fraud-in-public-sector-increases-as-cuts-bite-106b.aspx, http://www.pwc.co.uk/ni/press_release/ni_publicsector_fraudsoars.html
Management fraud, KPMG: http://www.accountingweb.co.uk/topic/practice/kpmg-highlights-fraud-senior-management-level/507389
BDO research/July 2011 – business fraud on the rise: http://www.accountancyage.com/aa/news/2094635/reported-business-fraud-rise
BDO: fraud trends, and how to guard against them: http://www.bdo.uk.com/press/2011/7/drop-reported-cases-belies-extent-uk-fraud-problem
Inflatedexpenses,YouGovsurvey,December2010: http://www.guardian.co.uk/money/2010/dec/19/inflated-expenses-claims-rise-uk-yougov
Business fraud statistics, Fraud Advisory Panel: http://www.fraudadvisorypanel.org/new/fraud-facts-and-figures.php
Ten types of fraud, Ken Frost, Executive Director, Phoenix Commercial Ventures Ltd: https://www.gplus.com/accounting-fraud/insight/ten-types-of-fraud-42347
Real cases of employee fraud, c/o 192 Business: http://www.192business.com/news/2011/9/5/staff-fraud-hits-the-headlines.html
Bribery Act/Employee screening concerns: http://www.prosecurityzone.com/News/Guarding__equipment_and_enforcement/Vetting_and_credential_management/New_bribery_act_in_uk_penalises_companies_for_failure_to_screen_employees_17120.asp#ixzz1ZuLGjrtX
Fraud protection recommendations, Crompton Ward & Co: http://www.cromptonward.co.uk/business/business-finance/dealing-fraud/identify-and-prevent-fraud-your-business
AssociationofCertifiedFraudExaminers(ACFE)ReporttotheNationonOccupationalFraudandAbuse, 2004: http://findarticles.com/p/articles/mi_m4153/is_3_63/ai_n16546015/
10 recommendations for reducing fraud, Kostin, Ruffkess & Company: http://www.kostin.com/admin/uploads/16864333994be1882a306a6.pdf
BDO’s Top tips for tackling fraud: http://www.bdo.uk.com/press/2011/7/drop-reported-cases-belies-extent-uk-fraud-problem
WhitePaperOctober 2011
About Business SolutionsAdvanced Business Solutions, an Advanced Computer Software Group plc company, provides leading integrated business applications and services that enable public, private and third sector organisations to retain control, improve visibility and gain efficiencies whilst continually improving corporate performance. It’s award-winning software systems comprise core financial management, procurement, human resource and payroll systems, integrated with a range of collaborative, document management and business intelligence solutions . It also provides managed and bureau service options.
Advanced Computer Software Group plc is the UK’s leading supplier of software and IT services to the health, care and commercial sectors. It comprises 3 main divisions and has 7000 customers and 800 staff worldwide.
For more informationAdvanced Business Solutions is a brand name of Advanced Business Software and Solutions Limited, registered in England, company number 03214465. Registered office: Munro House I Portsmouth Road I Cobham I Surrey I KT11 1TF.t: +44 (0) 08451 606 162 f: +44 (0) 1932 584 001 e: [email protected] www.advancedcomputersoftware.com/abs
Advanced Business Software and Solutions Limited recognises the trademarks of other companies and their respective products in this document.