Managing Fraud Risk

Oct. 27, 2008
KPMG Integrity Survey points the way to risk management

Most of us believe we know fraud when we see it, but few of us feel comfortable actually defining the term “fraud.”

First and foremost, fraud is a legal concept. Only a court of law can determine if and when it has occurred. By definition, fraud always involves an intentional deception.

Fraud typically takes three forms: fraudulent financial reporting, asset misappropriation and corruption (misconduct). Fraudulent financial reporting is the misrepresentation of financial information that is required for management and/or external reporting. Asset misappropriation is the embezzlement or misuse of company assets for personal gain. Corruption includes activities that involve illegal or unethical conduct or that violate law (carrying criminal or civil penalties), government regulations or company policies.

Three Conditions of Fraud

There are typically three conditions present when a fraud occurs. These conditions comprise what is known as the fraud triangle. Understanding the concepts included in the fraud triangle is imperative to understanding how to manage fraud risk effectively.

The first condition typically present is opportunity, which may include poor or insufficient internal controls, the absence of proactive fraud detection measures, or a faulty tone at the top from executive management.

The second condition often present is incentive or pressure to commit fraud. In cases of fraudulent financial reporting, the pressure or incentive may be to meet budget targets, consensus-earnings expectations or debt covenants. For asset misappropriation, the pressure or incentive may be to support a drug or gambling habit, meet burdensome financial obligations or support a lifestyle not commensurate with income.

The third condition is rationalization, a concept that is often more difficult to understand. Simply put, most individuals cannot perpetrate wrongdoing unless they can justify it to themselves or others. Typically, perpetrators of financial fraud may say such things as, “We were going to make up for it next quarter,” “We are helping the company,” “We are protecting jobs” or “No one gets hurt.” With respect to asset misappropriation, you may expect to hear such statements as “I was only borrowing the money,” “I was doing it for a good cause” or “No one would miss it.”

How Broad a Problem Is Fraud?

How broad a problem is fraud? To find out, KPMG LLP conducted a blind survey of prescreened working adults who fell into demographic categories spanning all levels of job responsibility, 16 job functions, 11 industry sectors, and four thresholds of organizational size. The survey, now released as KPMG's 2005-2006 Integrity Survey, asked respondents whether they had personally seen or had firsthand knowledge of misconduct within their organizations over the past 12-month period. Seventy-four percent answered yes, compared with 76% in 2000.

These results demonstrate that fraud and misconduct remain prevalent and are not demonstrably declining. Around three-quarters of respondents were aware of fraud in their organizations, which makes one wonder: What are companies doing about it?

How Are Companies Responding to Fraud Risk?

In response to changes in the regulatory environment and recent events in the marketplace, companies are revisiting existing internal control policies and procedures as they relate to fraud and misconduct.

While many organizations intend to “do the right thing,” their efforts in this area have often been reactive and focused on meeting deadlines and minimum requirements. Also, many of the new guidelines and frameworks are not very prescriptive and provide little clear guidance. Some organizations, though, have embraced the new requirements and frameworks and are transforming the way they approach fraud.

All of the frameworks come down to the establishment of programs and controls to prevent, detect and respond to fraud and misconduct risks. Understanding how to mitigate fraud risk requires considering three processes beyond prevention, detection and response. These are the design, implementation and evaluation of programs and controls to prevent, detect and respond to fraud.

Key Element 1: Fraud Risk Prevention

The first step to effective fraud risk mitigation is to look at the design, implementation and evaluation of programs and controls to prevent fraud. Key aspects of such programs and controls may include fraud and misconduct risk assessments, codes of conduct, board and audit committee oversight, employee communication and training, hiring, promotion and third-party due diligence, and control activities.

But before you implement such prevention programs, you must examine the root causes of fraud. For its 2005-2006 Integrity Survey, KPMG asked respondents what factors might cause employees and managers to engage in misconduct.

Again, per the fraud triangle, the number-one root cause is pressure to do whatever it takes. Typically, when assessing the risk of fraud, an organization should evaluate where the pressures and opportunities lie among its own employees.

• Conduct a Complete Assessment

Ensure that the fraud risk assessment is a collaborative process, with input from control owners and line employees as well as the people closest to the risks. This will help to ensure that issues and risks are understood.

Determine at what level to perform the assessment. Should it be conducted at the enterprise-wide level, the business unit level, or the transactional level? In addition, the assessment must encompass such criteria as the attributes of risk, including type of risk (e.g., fraudulent financial reporting, misappropriation of assets, internal/external organizational corruption, or collusion between employees and third parties) and significance of risk in terms of financial or reputation impact.

Another key assessment area is the pervasiveness of risk. Does it affect the entire organization, like an unsupportive or uncaring tone from top organization executives, or does it affect a specific line item of the financial statements? An important emerging trend in this area is consideration of management override of controls.

• Codes of Conduct and Compliance

An undervalued tool for fraud prevention, despite the attention it has received, is the creation and use of codes of conduct. Some of the leading-edge thinking with respect to the use of such codes encourages robust annual certification, where the results of issues raised in certifications are investigated and used for training or internal audit needs.

Also, codes should provide explicit guidance on how to seek advice and report observed misconduct, and they should reference separate materials that may provide more in-depth coverage of specific topics, such as antitrust, Office of Foreign Assets Control (OFAC) and the Foreign Corrupt Practices Act (FCPA). Many companies are also now requiring that their vendors begin certifying compliance with their corporate codes of conduct.

Key Element 2: Fraud Detection

The next key element of an effective program is detection. Some of the more important aspects of an effective fraud detection program include hotlines and similar reporting mechanisms, data mining and transactional analysis, substantive testing, ongoing monitoring and separate evaluations.

• Hotlines and Reporting

When considering the use of hotlines, remember that your employees are your first line of defense. Many fraud investigations result from tips or reports from the company's own employees, and many fraud-related surveys list tips and reports from employees as some of the most common vehicles for bringing fraud to light.

Some companies are even making their hotlines available for both misconduct reports and ethics-related advice. Companies are thinking about maintaining real-time reporting statistics so that such information is not just available immediately in advance of board meetings, but whenever it may be needed.

The opening and closure of reported instances of fraud or misconduct should be monitored, and protocols should be in place that guide when to inform the board or management of reported allegations. Also, some organizations are beginning to monitor hotline reports to help ensure that there has been no retaliation.