With a new report from the Chartered IIA and AuditBoard telling us fraud is on the rise, we should be asking why and mustering our counter-offensives. Organisations lose an average of 5% in revenue annually to fraud, a total approaching £200bn for the UK alone, not to mention the reputational and related impacts. At a human level, it is the crime to which more of us are likely to fall victim than any other.
When big names suffer major damages from fraud (think Carillion, Patisserie Valerie, and Wirecard) we take notice. And yet organisations are routinely under-prepared. It’s not that fraud is ignored but the assumption is we have it covered. Too often fraud fails to be seen as a key risk deserving of regular attention.
Internal auditors, however, have a critical role in keeping fraud on the radar and being part of the solution. While tips (42%) remain the most common method of initial fraud detection, internal auditors (16%) are the second, according to the latest ACFE report.
In this article we consider practical measures organisations can take and important ways internal auditors can help keep fraud risk in the spotlight and enable greater preparedness.
What Is Fraud?
To fight fraud first we must understand it. While definitions vary, fraud is a very broad concept covering any attempt to gain an illegal advantage without physical force or threats of violence (armed robbery or breaking and entering are not usually regarded as fraud). Intentionality distinguishes it from other risks — fraud is different from error, incompetence, or bad luck. It is a deliberate act (of commission or omission) to exploit an opportunity through misuse, misrepresentation, or misappropriation for unwarranted benefit.
One of the challenges in the battle against fraud is its sheer breadth — bribery, money laundering, embezzlement, corruption, cyberattacks, theft, identity theft, insider trading — added to the fact that it may be perpetrated by individuals or groups operating inside and/or outside the organisation. A useful way to get our arms around it is to consider root causes.
Root Causes of Rising Fraud
Why is fraud on the rise? With reference to the well-known fraud triangle we see that increases in fraud are being fuelled by:
- Increased opportunity: Disruption often creates change, putting pressure on controls that fraudsters exploit. Covid-19 is no exception, generating unprecedented financial handouts and major shifts in operations to a distributed home-based workforce. Other economic, environmental, and social upheaval, like war in Ukraine, forces rapid adjustments to supply chains and working practices, while new digital tools make it even easier to commit fraud online. Especially when combined with poor tone from the top and inadequate accounting policies, these disruptions create an environment more likely to produce fraud.
- Increased motivation or pressure: If opportunity is a pull factor, motivation is a push. Fraudsters may be prompted by economic hardship, job insecurity, health insecurity, even climate insecurity, all of which are on the increase for many in the UK with prospects for a long, deep recession.
- Increased rationalisation: “If the opportunity is there, why not? They deserve to be exploited. I deserve to be rewarded.” Greater insecurity and disparity increase feelings of entitlement and resentment. Furthermore, when business, political, and social leaders are considered untrustworthy or corrupt, and are seen to get away with it, fraudsters are more likely to feel justified.
Despite this, organisations may assume their internal controls are sufficient without regular review and adjustment.
So, when fraud occurs, what goes wrong?
- Too often there is limited focus at the top with leaders preoccupied with other looming risks.
- There may be insufficient awareness and a lack of training regarding fraud.
- Controls lose their effectiveness as conditions change. Additionally, leadership may be too trusting of their staff and therefore reluctant to review, assess, or add additional internal controls.
- Perceived inconsistent handling of actual or suspected fraud can build resentment and feed rationalisation.
- New structures, processes, responsibilities, and remuneration models create uncertainties and insecurities, as does excessive internal competition or a focus on the wrong kinds of goals.
- Employees may be reluctant to speak up for fear of retaliation such as being treated unfairly or even losing their job.
Take a Proactive Approach to Tackling Fraud
Tackling fraud is not a once-and-done exercise; it requires a proactive approach, including regular risk assessments. Counter-fraud measures need to push back against each side of the fraud triangle.
Internal control tends to focus on reducing opportunity but even here there is room for continuous improvement. Technology, big data, and analytics help monitor for early indicators as well as detecting actual fraud. Given the primacy of tips for fraud detection, awareness is of critical importance. Open discussions and transparent processes foster a fraud risk culture.
To reduce rationalisation it is important to demonstrate a consistent approach that treats everyone the same. It is not possible to eliminate fraud risk but organisations can demonstrate zero tolerance by pursuing suspected and actual fraud. Policies for recognition and reward must be fair and transparent to avoid generating feelings of resentment.
Motivation and duress are harder to address as they often have individual and external sources but organisations can demonstrate they are aware of and sensitive to those pressures and offer whatever relief they can, such as financial advice and increased options for home-working.
Overall, a change in mindset is needed to recognise the pervasiveness of fraud risk. It often arises with other risks and precipitates yet more. According to one Head of Internal Audit quoted in the recent report:
“You can look at risks from a process point of view, in which case every process has fraud risk associated with it. Or you can look at macro risks, such as cybersecurity, which is in itself a fraud risk. Fraud is really a subset of every risk.”
What Can Internal Auditors Do to Counter Fraud?
Internal auditors are well placed to challenge organisational leaders and should be proactive rather than waiting for controls to be found wanting. Internal auditors are encouraged to:
- Think big picture. Fraud risks and controls should be addressed holistically and consistently.
- Use the fraud triangle. It is a very powerful tool for communicating fundamental principles and for getting the attention of senior management and the board.
- Be an advocate. Promote fraud awareness and offer training.
- Be a trusted advisor. Maintain an active watch on increasing regulatory requirements, especially in areas such as AML and data protection.
- Leverage tools and relationships. Utilise frameworks and standards such as COSO’s Fraud Risk Management Guide as benchmarks. Work with external auditors, specialist fraud examiners, and regulators.
- Foster improvements. Review existing controls including whistleblowing processes and recommend innovations.
Fraud is likely to remain a significant and ever-evolving risk for all organisations. As auditors it is our job to make sure it gets the attention it needs while being a ready part of the solution.
Aaron Wright is a Director of Product Solutions, UK&I at AuditBoard. Before joining AuditBoard, Aaron was an Internal IT Audit Advisor at Cardinal Health, where he managed a risk-based audit plan and led internal audit projects focused on infrastructure, cybersecurity, and applications.
Kira Eilfield is a Manager of Product Solutions at AuditBoard. Kira joined AuditBoard from Endeavor, where she provided expertise on internal controls aligned with the Sarbanes-Oxley regulatory requirements, and has previously worked at RSM’s Risk Assurance function and PwC’s External Audit practice.