In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report I will highlight the following key areas – Audience, Nuggets, and Action items.
The report is written for those that have both fraud responsibilities within the organization and those who have assets worth being exploited. Therefore the audience I see (beyond the obvious Fraud professionals) includes:
- Chiefs – CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
- Business Owners – VP, Directors
- Team Leaders – of small teams
- 67 pages of facts sum up 959 cases of occupational fraud
- 7% of Annual Revenues are lost due to fraud (up from 6% two years ago
- In the U.S. that is approximately $994 Billion in fraud losses
- 25% of the fraud sample were a million plus in damages
- Tips identified 46.2% of all frauds
- Small Business suffers more frequently (39.1% of all frauds) and greater (nearly double that of a public company)
- Independent audit of financial statements was the most common control and nearly the worst in mitigating fraud (accountability of perception high error area)
- Most Effective Controls: Internal Audit, Surprise Audits, Management review of Internal Controls and Fraud Hotlines
- Re-prioritize internal controls to address fraud
- Identify what roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
- Emphasize training of employees of fraud (recognition) and the safeguards (whistleblower policies) and mechanisms (confidential hotlines)
- Institute a mature process that follows-up on all leads completely and objectively (damages of a fraud grow over time, so quick elimination of identified fraud has strong rewards)
- Establish Surprise Audits and mandatory job rotation
Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, the ability to eliminate subjective values in risk calculations is tremendous.
James DeLuccia IV
Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on Best and Worst IT controls is on Monday!