Fraud is one of the biggest threats to organisations of all types, including not-for-profit organisations. The scale of fraud is probably the only difference between industries and between functions. Over the years, many organisations have openly admitted to being victims of fraud, while others have not. Likewise, some organisations are aware of their fraud risks, while many are not even aware of them. Organisations lose significant amounts of money simply through lack of awareness about ethics enforcement and anti-fraud controls. Historically, only a small percentage of the amounts lost is actually recovered.

It is difficult to identify the exact scale of fraud; any study or survey can only reflect the instances of fraud that were discovered. Many go undetected. In some cases, frauds are not reported even after detection, for fear of negative publicity. Because of this, no study can provide an exact amount of fraud; it can only indicate the extent of the problem. The Association of Certified Fraud Examiners (ACFE) survey, based on 2690 real cases of occupational fraud investigated between January 2016 and October 2017 across 125 countries and 23 industries, highlighted the following key findings:

  1. Median loss of US$ 130,000 per case
  2. 22% of cases caused a loss of over US$ 1 million
  3. Median duration of a fraud scheme was 16 months
  4. Corruption was a widespread issue in every global region
  5. Asset misappropriation schemes were the most common and least costly across global regions, with a median loss of US$ 114,000
  6. Average cost of fraud in corporate organisations is ~5% of annual revenue
  7. Per-case loss at small businesses was twice that at large businesses: companies with over 100 employees had a median loss of US$ 104,000 per case, as opposed to a median loss of US$ 200,000 per case for companies with fewer than 100 employees

According to the ACFE, there are three main categories of fraud: asset misappropriation, fraudulent financial statements and corruption. While almost all cases of fraud are a direct result of weak controls or governance, corruption-related frauds are a category in themselves and the subject of a larger study. This article primarily focuses on the first two categories.

Width and depth of fraud

Fraud is possible in every organisation and every process. A global fraud survey conducted by the ACFE in 2018 found that the most cases of occupational fraud occurred in Banking & Financial Services, Manufacturing, and Government & Public Administration. The size of the organisation and the complexity of the business are also relevant from a fraud risk perspective. Smaller organisations often lack robust internal controls and segregation of duties, which makes them more susceptible to fraud.

The departments that pose the greatest risk of occupational fraud are Executive/ Upper Management, Finance & Accounting, Sales, and Operations. Billing and payment processing carry a higher risk of fraud than payroll and expense reimbursements. Notably, almost all frauds, especially those that yield a financial benefit at the end, involve the accounts and finance departments, which in most cases are a shared services division or an external BPO company.

Finance SSC/ BPO environment - fraud susceptible processes and inherent fraud risk

Almost every organisation has either set up captive Shared Services Centres (SSC) or outsourced its processes to external Business Process Outsourcing (BPO) organisations. While SSCs/ BPOs provide multiple benefits, certain challenges and risks are associated with these delivery models. A key characteristic of an SSC/ BPO is the huge volume of end-to-end transaction processing carried out at a single location. This gives employees with mala fide intentions the opportunity to carry out a fraud and cover their tracks from end to end.

Most common types of transactions processed in SSC/ BPO include:

  1. Procure to Pay - Purchase order processing, supplier invoice processing and payment
  2. Order to Cash - Sales order processing, billing to external customers and collections
  3. Travel and Expense - expense processing and payment
  4. Hire to Retire - payroll processing and payment
  5. Record to Analyse - Journal entries processing, Reconciliations, Reporting, Monthly/ Quarterly/ Yearly closing activities
  6. Taxation - Tax calculation and payment
  7. IT application hosting
  8. Support Function cost controlling

It is not humanly possible to verify or double-check each transaction chain, which leads to an increased risk of fraud. Further, staff working in an SSC/ BPO environment are generally trained to be laser-focused on their own process step and may be less control- or outcome-conscious. This further increases the risk of fraud. An indicative list of process-wise fraud risks within the Finance function is:

Procure to Pay

  • Duplicate/ dummy invoice processing/ payment
  • Price variance exceeding tolerance limits
  • Multiple payments to one-time vendors
  • Splitting PO to bypass approval limits
  • Unfavourable payment terms (loss of working capital)
  • Large manual payments instead of the normal online batch payments
  • Post-facto purchase orders
  • Related party transactions
  • Wire transfer frauds

Order to Cash

  • Unusually high credit limits
  • Unusually high discounts and waivers
  • Overbilling to customers
  • False rebates or refunds to customers
  • Write-off of receivables
  • Billing to fictitious customers
  • Unrecorded sales or receivables

Travel and Expenses

  • Expense claims by terminated or non-existent employees
  • Duplicate expense claims (of same expense item) on different dates
  • Same employee on multiple meal submissions for the same date (e.g. claiming a per diem while also being named as an attendee on an itemised meal expense)

Record to Analyse

  • Journal entries impacting revenue and control accounts
  • Duplicate/ unauthorized Journal entries
  • Frequently reversed Journal entries
  • Aged open items in balance-sheet reconciliations
  • Huge and old balances in clearing accounts
  • Inflating revenue/ profit
  • Misstatement of assets, expenses and liabilities

Hire to Retire

  • Terminated/ non-existent employees on payroll
  • Multiple payroll deposits to the same bank account
  • Major variations in gross pay, deductions, hourly rates, salary amounts, etc.
  • Falsifying pay-check by altering overtime hours
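As an added illustration (not code from the article), the following Python runs two of the Procure to Pay tests listed above over constructed invoice and purchase order extracts: duplicate invoice detection using a normalised invoice number, and PO splitting below an approval limit. The sample data, the US$ 10,000 limit and the 7-day window are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
# Constructed supplier invoices (not real data): (vendor, invoice_no, amount, posting_date).
INVOICES = [
    ("V100", "INV-0042", 9800.00, date(2019, 3, 4)),
    ("V100", "INV 42", 9800.00, date(2019, 3, 19)),  # same invoice re-keyed differently
    ("V200", "A-77", 1250.50, date(2019, 3, 5)),
    ("V300", "B-0009", 4999.00, date(2019, 3, 6)),
]

def normalise_invoice_no(raw):
    """Drop punctuation/spaces and leading zeros in digit runs so INV-0042 == INV 42."""
    compact = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)

def duplicate_invoices(invoices):
    """Group by vendor + normalised invoice number + amount; return groups with >1 entry."""
    groups = defaultdict(list)
    for vendor, inv_no, amount, posted in invoices:
        groups[(vendor, normalise_invoice_no(inv_no), round(amount, 2))].append((inv_no, posted))
    return {key: hits for key, hits in groups.items() if len(hits) > 1}

# Constructed purchase orders (not real data): (po_id, requester, vendor, amount, po_date).
APPROVAL_LIMIT = 10000.00  # assumed single-approver limit
PURCHASE_ORDERS = [
    ("PO1", "emp7", "V100", 9500.00, date(2019, 4, 1)),
    ("PO2", "emp7", "V100", 9200.00, date(2019, 4, 2)),
    ("PO3", "emp7", "V100", 8900.00, date(2019, 4, 3)),
    ("PO4", "emp9", "V200", 3000.00, date(2019, 4, 1)),
    ("PO5", "emp9", "V200", 2500.00, date(2019, 4, 20)),
]

def split_purchase_orders(pos, limit=APPROVAL_LIMIT, window_days=7):
    """Flag requester/vendor pairs whose sub-limit POs reach the limit within a rolling window (PO splitting)."""
    by_pair = defaultdict(list)
    for po_id, requester, vendor, amount, po_date in pos:
        if amount < limit:  # only sub-limit POs can be part of a split
            by_pair[(requester, vendor)].append((po_date, po_id, amount))
    flagged = {}
    for pair, items in by_pair.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            window = [x for x in items[i:] if x[0] - start <= timedelta(days=window_days)]
            total = sum(amount for _, _, amount in window)
            if len(window) > 1 and total >= limit:
                flagged[pair] = {"po_ids": [po for _, po, _ in window], "total": total}
                break
    return flagged
```

Both functions return exceptions keyed by the attributes an investigator would need next (vendor and invoice, or requester and vendor), so the output can feed the validation step rather than just a printout.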

Cause and Effect

While it is possible to have a fraud case in almost any area of business, a few examples of general causes and the related fraud risks are mentioned below:

Limitations of Traditional Controls

Every organisation deploys certain control mechanisms to address fraud risks, but frauds still occur, mostly due to inadequate or ineffective controls. While the risk of fraud is inherent in most processes, many organisations still rely on traditional manual controls to mitigate it. These include maker-checker controls, review by the team lead, control testing by the internal or statutory audit team, whistle-blower mechanisms, etc. However, these control mechanisms are hardly enough in today’s technology-led environment.

Consider the following examples of simple changes in a shared services environment:

Today’s Finance functions use advanced Enterprise Resource Planning (ERP) applications, Robotic Process Automation (RPA), Artificial Intelligence (AI) and other cutting-edge technologies. Consequently, the inherent risk of fraud through manipulation of these technologies is very high.

Need for an Improved Controls Framework

While there is possibly no way to completely eliminate fraud risk, organisations can certainly reduce it by creating a strong control environment and enforcing comprehensive fraud prevention policies. Traditional control mechanisms are clearly not adequate. Mitigation of today’s technology-led fraud risks can be achieved only by deploying robust digital application controls, restricting access, implementing segregation of duties, etc. Probably the most important step is to develop an automated solution that supports data analytics and can therefore provide assurance over a huge volume of transactions.

Key features of a good risk and controls framework:

  1. Anti-fraud policies and processes - not just on paper but also their implementation, communication and enforcement
  2. Education of employees and other internal stakeholders on those policies and processes
  3. Reliance on IT-based general controls, application controls, access controls and segregation of duties
  4. Robust technology solutions to test controls in the areas where automated controls are failing
  5. Minimal testing of manual controls

Fraud Analytics: A Strong Fraud Prevention and Detection Tool

As stated earlier, today’s environment needs a fraud analytics tool that helps management to:

  • Identify suspicious patterns in the entire population of data
  • Test the entire population of data, as fraudulent transactions may not be captured in samples selected for testing

Fraud analytics can be carried out through customised technology solutions or through Computer Assisted Audit Techniques (CAAT) tools such as ACL, IDEA, etc. Irrespective of whether one uses a customised solution or a CAAT tool, the approach and methodology for performing fraud analytics are standard:

Plan

  • Define the suspicious patterns to look for across the entire population of data
  • Plan to test the entire population, since fraudulent transactions may not be captured in samples selected for testing

Execute

  • Run custom query and extract data from company applications / data warehouse
  • Assess current state maturity of controls

Analyse

  • Validate the exceptions
  • Bifurcate the exceptions into false positives and real exceptions
  • Determine sampling strategy and testing approach for manual controls

Finalize exceptions

  • Perform Root Cause Analysis
  • Finalize and prioritize exceptions
  • Report to management

Improve and sustain

  • Make necessary changes to plug the gaps in existing systems and processes
  • Setup strong governance to monitor performance of risks and controls
  • Create awareness programs
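To show the Execute, Analyse and Finalize steps of this methodology in code, here is an added example (not from the article or any CAAT tool) that applies two of the Hire to Retire tests from the indicative list to a constructed payroll run, bifurcates the exceptions into false positives and real exceptions using the HR master, and prioritises the result for reporting. The sample extracts, the 30-day final-settlement grace period and the declared joint-account field are assumptions.

```python
from datetime import date, timedelta
# Constructed HR master extract (not real data): emp_id -> (status, termination_date, declared_joint_account)
HR_MASTER = {
    "E1": ("active", None, None),
    "E2": ("terminated", date(2019, 5, 31), None),
    "E3": ("terminated", date(2018, 11, 30), None),
    "E4": ("active", None, "ACC-555"),
    "E5": ("active", None, "ACC-555"),
    "E6": ("active", None, None),
}
# Constructed payroll run (not real data): (emp_id, bank_account, net_pay, pay_date)
PAYROLL_RUN = [
    ("E1", "ACC-111", 4200.00, date(2019, 6, 28)),
    ("E2", "ACC-222", 3900.00, date(2019, 6, 28)),  # final settlement, 28 days after leaving
    ("E3", "ACC-333", 3100.00, date(2019, 6, 28)),  # still paid 7 months after leaving
    ("E4", "ACC-555", 5000.00, date(2019, 6, 28)),  # declared joint account with E5
    ("E5", "ACC-555", 4800.00, date(2019, 6, 28)),
    ("E6", "ACC-555", 2600.00, date(2019, 6, 28)),  # third payee on the same account, undeclared
]
SETTLEMENT_GRACE = timedelta(days=30)  # assumed policy window for paying final settlements

def run_tests(payroll, hr):
    """Execute: run both tests over the full payroll population; return raw exceptions."""
    exceptions, by_account = [], {}
    for emp, acct, pay, pay_date in payroll:
        by_account.setdefault(acct, []).append((emp, pay))
        status, term_date, _ = hr[emp]
        if status == "terminated":
            exceptions.append(("terminated_on_payroll", emp, acct, pay, pay_date - term_date))
    for acct, payees in by_account.items():
        if len(payees) > 1:  # more than one employee paid into one bank account
            exceptions.extend(("shared_bank_account", emp, acct, pay, None) for emp, pay in payees)
    return exceptions

def triage(exceptions, hr):
    """Analyse: bifurcate into false positives explained by HR records and real exceptions."""
    real, false_positives = [], []
    for test, emp, acct, pay, gap in exceptions:
        if test == "terminated_on_payroll" and gap <= SETTLEMENT_GRACE:
            false_positives.append((test, emp, "final settlement within grace period"))
        elif test == "shared_bank_account" and hr[emp][2] == acct:
            false_positives.append((test, emp, "joint account declared to HR"))
        else:
            real.append((test, emp, acct, pay))
    return real, false_positives

def finalize(real):
    """Finalize: prioritise real exceptions by amount at risk for reporting to management."""
    return sorted(real, key=lambda exc: exc[3], reverse=True)
```

The false-positive reasons are kept with each exception so that root cause analysis can later distinguish data-quality gaps in the HR master from genuine control failures.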

Use of a defined and well-rounded technology solution vastly improves the organisation’s chances of both fraud prevention as well as detection.

Conclusion

The business environment, and with it the finance function, has grown enormously complex, with processes being carried out using advanced technology solutions. Consequently, the control mechanisms of organisations have to keep pace. In today’s technology-led environment, it is advisable to place maximum reliance on automated controls rather than testing and relying only on manual controls. It is also strongly advised to develop a technology-based fraud analytics solution that can provide assurance over the entire population of data rather than over sample-tested transactions. Finally, it is critical to have a strong governance framework, to perform root cause analysis on an ongoing basis, and to create a mechanism for rectifying errors so as to minimise repetition. This will help management build a sustainable process to mitigate the risk of fraud.

ABOUT THE AUTHOR

Ajay Gupta

Ajay is a risk management and transformation professional with over 26 years of post-qualification experience across both service and manufacturing industries such as Telecom, Engineering, automotive spare parts, Passive infrastructure, FMCG, etc. He has worked with organisations such as Deloitte (formerly known as AFF & Co.), PwC, Infosys, Protiviti Consulting, Satyam Computers, etc. Ajay has also worked with IBM USA and World Bank USA as a contractor. He has rich experience in Shared Services management, Finance and accounts operations management, process transformation, automation, and Governance, Risk and Compliance covering internal audits, risk assessments (both IT and non-IT), ERP implementation, cybersecurity preparedness review, post-implementation review, access controls review and Segregation of Duties (SoD) review.

Ajay has played a key role in expanding the Systems and Process Assurance (SPA) team at PwC, Delhi. He has worked as a Business and Finance Analyst for the World Bank, USA, and for GE Credit Card Services. He has been the Operations head for 6 teams, managing 200 FTEs, and has been involved in financial reporting for an Indian MNC Telecom company; he is currently working as head of Shared Services for Capgemini Nordic countries. He has helped companies to reap the benefits of automation, thereby reducing cost, improving process efficiency and strengthening governance. He has also provided solutions on Governance, Risk and Compliance, including IT risks, business risks and fraud risks.