“Fighting fraud” by Roderick M. Vega (January 4, 2010)

SUITS THE C-SUITE By Roderick M. Vega
Business World (01/04/2010)

In our line of work, we have seen clients who have shown anger, disappointment and even sadness over fraud committed by an employee — worse when the person who committed the fraud is a trusted officer or longtime employee.

After the perpetrator is terminated, the same client will run “business as usual,” simply replacing the erring employee with another “trusted” person, hoping that such an incident will not happen again in the future.

Many executives seem inclined to concede that you really cannot predict or anticipate fraud, or identify who among your employees is likely to commit or capable of committing fraud, and that all you can do is move forward and hope that the fraud was just an aberration in your business cycle.

Does it really work that way? Is a company always vulnerable to fraud? Should businesses be resigned to the unpredictability of fraud, and the difficulty of anticipating, and even more so avoiding or fighting, fraud?

While we commiserate with clients who would like to “move on” and forget about the fraud that victimized their business, there have been instances when those “trusted” persons who replaced the terminated employees were later found to have committed the same fraud, sometimes on a bigger scale.

Whenever we hear of these things, we surmise that the situation that allowed the fraud to happen in the first instance is most likely still present (for example, the same weaknesses in internal controls).

There is no shortage of rationalization when people see the “opportunity” to get more money. People are known to do irrational and foolish things for money.

Fortunately, there are ways of fighting fraud in business.

Companies do not need to be hapless victims, waiting for fraud to strike.

One way is for companies to conduct a fraud risk assessment of their business. For those who are familiar with Enterprise Risk Management (ERM), fraud risk assessment is like a sub-branch of ERM, but in this case, the focus is solely on fraud risks in all facets of the company’s business.

There are three major categories of fraud: fraudulent statements, asset misappropriation, and corruption.

Senior management should identify all relevant fraud risks of the company in each of these three major categories, and then prioritize those fraud risks that are significant and highly probable.

Companies will have their own peculiar fraud risks that are highly probable and may have significant impact on the business, depending on the nature of the industry that they belong to. Those in the banking sector, for example, will have different fraud risks compared with those in the mining or telecommunication industries.

However, there are fraud risks that are present, regardless of the industry or type of business — procurement fraud, for instance, is one of the most common and should always be considered in any fraud risk assessment.

Identifying a company’s significant and likely fraud risks is only half of the equation.

Simply conducting a fraud risk assessment does not get the job done, and management must be prepared and committed to act on the results. The next critical step would be to identify controls that will prevent, deter or detect the identified fraud risks.

Controls over fraud risks are normally categorized into three: preventive, deterrent and detective controls. Ideally, more controls should be in place as the particular fraud risks become increasingly significant.

Highly significant and probable fraud risks should have all three major categories of control, especially detective controls.

This is where many companies are lacking. They may have the usual preventive and deterrent controls like code of conduct, segregation of duties, rotation of key personnel, or levels of approvals, but we have seen very few that have detective controls which involve the conscious and integrated effort to deliberately look for indicators of significant fraud risks in the business.

Keep in mind that large-scale fraud usually involves people who are in a position to — and do — override internal controls, rendering them ineffective. Thus, having preventive and deterrent controls will not be sufficient in this instance, as they will either be ignored or circumvented.

Organizations need more robust controls that are designed to detect indicators of significant fraud risks in the business. Examples of these detective controls are data analytics and predictive modeling, which aim to identify unusual trends and relationships among a set of data that may point to “red flags” or fraud indicators.

There is also a new methodology called “text analytics” that focuses on unstructured data like company e-mails. These detective fraud controls need not be expensive or time-consuming to implement, as long as those who will be tasked to do them have the proper training and tools to execute such testing.

Lastly, companies should not forget that there is one detective control that is simple yet proven to be effective in exposing frauds — the whistle blower. Some companies either do not have a whistle blower policy yet, or what they have does not encourage those who would like to report fraud in the work place, which is clearly something that management needs to work on.

After all, while management cannot entirely predict when and what types of fraud will hit your business, it always makes good business sense to get the right information that can help you in the fight against fraud.

(Roderick M. Vega is a partner of SGV & Co. and a Certified Fraud Examiner.)

This article was originally published in the BusinessWorld newspaper. It is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.