K MOODLEY FRAUD & RISK MANAGEMENT NOTES

FRAUD AND RISK MANAGEMENT

INTRODUCTION

Fraud can happen anywhere. While only relatively few major frauds are picked up by
the media, huge sums are lost by all kinds of businesses as a result of the high number
of smaller frauds that are committed. The risks of fraud may only be increasing, as we
see growing globalisation, more competitive markets, rapid developments in
technology, and periods of economic difficulty.

Among other findings, the various surveys highlight that:

• organisations may be losing as much as 7% of their annual turnover as a result

of fraud
• corruption is estimated to cost the global economy about $1.5 trillion each year
• only a small percentage of losses from fraud are recovered by organisations
• a high percentage of frauds are committed by senior management and
executives
• greed is one of the main motivators for committing fraud
• fraudsters often work in the finance function
• fraud losses are not restricted to a particular sector or country
• the occurrence of fraud is increasing in emerging markets.

WHY FRAUD

Most managers and owners eventually discover a case of fraud and abuse in their
organization. The fraudster is often a trusted, long-time employee or manager who
had or created access to some of the organization’s assets and helped him or
herself to it.

Why does this happen?

1
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

The answer is not simply greed, but most, maybe even all, people want things and
want more things. There are studies that show an amazingly high proportion of
employees or managers have taken small things from their organization. However,
there is a line between this petty theft and intentional fraud that a few people cross
over.

What is fraud?

Definition of fraud

The term ‘fraud’ commonly includes activities such as theft, corruption, plot,
cheating, money laundering, bribery, and coercion. The legal definition varies from
country to country.

Different types of fraud

Fraud can mean many things and result from many varied relationships
between offenders and victims.

Examples of fraud include:

• crimes by individuals against consumers, clients or other business

people, e.g. misrepresentation of the quality of goods; pyramid
trading schemes
• employee fraud against employers, e.g. payroll fraud; falsifying
expense claims; thefts of cash, assets or intellectual property (IP);
false accounting
• crimes by businesses against investors, consumers and employees,
e.g. financial statement fraud; selling counterfeit goods as genuine
ones; not paying over tax or National Insurance contributions paid
by staff
• crimes against financial institutions, e.g. using lost and stolen credit
cards; cheque frauds; fraudulent insurance claims
• crimes by individuals or businesses against government, e.g. grant
fraud; social security benefit claim frauds; tax evasion

2
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

• crimes by professional criminals against major organisations, e.g.

major counterfeiting rings; mortgage frauds; ‘advance fee’ frauds;
corporate identity fraud; money laundering
• e-crime by people using computers and technology to commit
crimes, e.g. phishing; spamming; copyright crimes; hacking; social
engineering frauds.

This guide focuses on fraud against businesses, typically by those internal to the
organisation. According to the Association of Certified Fraud Examiners (ACFE), there
are three main categories of fraud that affect organisations. The first of these is asset
misappropriations, which involves the theft or misuse of an organisation’s assets.
Examples include theft of plant, inventory or cash, false invoicing, accounts receivable
fraud, and payroll fraud.

The second category of fraud is fraudulent statements. This is usually in the form of
falsification of financial statements in order to obtain some form of improper benefit

It also includes falsifying documents such as employee credentials.

The final of the three fraud categories is corruption. This includes activities such as
the use of bribes or acceptance of ‘kickbacks’, improper use of confidential

3
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

information, conflicts of interest and collusive tendering. These types of internal fraud
are summarised in Figure 1.

Surveys have shown that asset misappropriation is the most widely reported type of
fraud in UK, although corruption and bribery are growing the most rapidly.

Why do people commit fraud?

There is no single reason behind fraud and any explanation of it needs to take
account of various factors. Looking from the fraudster’s perspective, it is necessary
to take account of:

• motivation of potential offenders

• conditions under which people can rationalise their prospective crimes away
• opportunities to commit crime(s)
• perceived suitability of targets for fraud
• technical ability of the fraudster
• expected and actual risk of discovery after the fraud has been carried out
• expectations of consequences of discovery (including non-penal
consequences such as job loss and family stigma, proceeds of crime
• confiscation, and traditional criminal sanctions)
• actual consequences of discovery.

Critical Thinking! Who commits fraud? Why do they commit fraud?

Students to answer this question during lectures with the lecturer.

Different types of fraudster

4
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

Fraudsters usually fall into one of three categories:

• Pre-planned fraudsters, who start out from the beginning intending to commit
fraud. These can be short-term players, like many who use stolen credit cards
or false social security numbers; or can be longer-term, like bankruptcy
fraudsters and those who execute complex money laundering schemes.

• Intermediate fraudsters, who start off honest but turn to fraud when times get
hard or when life events, such as irritation at being passed over for promotion
or the need to pay for care for a family member, change the normal mode.

• Slippery-slope fraudsters, who simply carry on trading even when,

objectively, they are not in a position to pay their debts. This can apply to
ordinary traders or to major business people.

In 2007, KPMG carried out research on the Profile of a Fraudster (KPMG

survey), using details of fraud cases in Europe, India, the Middle East
and South Africa. The ACFE carried out similar research on frauds
committed in the US. These surveys highlight the following facts and
figures in relation to fraudsters:

• perpetrators are typically college educated white male

• most fraudsters are aged between 36 and 55
• the majority of frauds are committed by men
• median losses caused by men are twice as great as those caused by
women
• a high percentage of frauds are committed by senior management
(including owners and executives)
• losses caused by managers are generally more than double those
caused by employees

5
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

• average losses caused by owners and executives are nearly 12 times

those of employees
• longer term employees tend to commit much larger frauds
• fraudsters most often work in the finance department, operations/sales
or as the CEO.

The ACFE report also found that the type of person committing the
offence depends on the nature of the fraud being perpetrated.
Employees are most likely to be involved in asset misappropriation,
whereas owners and executives are responsible for the majority of
financial statement frauds. Of the employees, the highest percentage of
schemes involved those in the accounting department. These
employees are responsible for processing and recording the
organisation’s financial transactions and so often have the greatest
access to its financial assets and more opportunity to conceal the fraud.

FIVE (5) PRINCIPLES:

1. Fraud Risk Governance

2. Fraud Risk Assessment
3. Fraud Prevention
4. Fraud Detection
5. Monitoring and Reporting

1. Fraud Risk Governance

Fraud risk management needs to be embedded in an organization’s DNA in the form

of written policies, defined responsibilities, and on-going procedures that implement
an effective program. There needs to be a clear role for the Board and top

6
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

management in setting these policies with reporting in place to convey the required
information about the program and its performance to them. The tone from the top
will be reflected in the perception of fraud prevention and detection throughout the
organization.

It is important to have a responsible person with adequate resources and access to

top management running the program. This person should be charged with
designing and evaluating the program, and for communicating it throughout the
organization as appropriate. Since organizations vary greatly in complexity, inherent
risk, and size, there is no one-size-fits-all program, but all programs will address
issues such as:

• Roles and responsibilities

• Fraud awareness
• Conflict disclosure
• Fraud risk assessment
• Reporting procedures
• Whistle-blower protection
• Investigation process
• Corrective action
• Quality assurance
• On-going monitoring

2. Fraud Risk Assessment

The foundation for the prevention and detection of fraud is a structured risk
assessment that addresses the actual risks faced by the organization as determined
by its purpose, industry (products or services), complexity, scale, and exposure to
network risks. The goal of the assessment is to determine the type, likelihood, and
potential cost of risks in a traditional expected value framework. This allows the
organization to tailor program efforts toward cost effective mitigation, which may
include a greater or lesser toleration of a specific risk.

Assessing fraud risks necessarily involves looking at how employees—including top

management—interact with the resources of the organization. Their incentives and

7
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

opportunities compose one of the legs of the Fraud Triangle that is mostly
determined by the organization itself. As such, the risk assessment effort has to be
very clear and detailed about how controls, policies, and procedures interact with
specific roles. It is important to note that the sources of these risks may be external
as well as internal, especially in highly networked and data dependent operations.

3. Fraud Prevention

Preventing fraud is far preferable to detecting it after the fact. In practice, the same
systems and controls established to prevent fraud may help in detecting it (e.g.,
segregation of duties for a certain procedure may help boost the chances that
someone will be in place to report potential fraud).

However, prevention is rooted in a culture of fraud awareness, understanding

common policies and procedures, a safe harbor for whistle-blowers, and continuous
communication about the importance of fraud prevention from the top on down.
When everyone knows that fraud is possible and a serious problem for which the
organization has developed detection mechanisms, it is less likely to occur.

4. Fraud Detection

Controls, monitoring, and reporting promote faster detection of fraud. Key detection
measures include a whistle-blower policy, reports designed to highlight potential and
common indicators of non-standard outcomes over time, and other controls that alert
people to potential fraud. It goes without saying that installing these indicators will
have no effect if they are not monitored.

5. Monitoring and Reporting

Creating information that does not get to the right person to take action is useless.
One of the key elements in the initial planning for a fraud prevention program is to
set up responsibilities and processes to ensure that timely information is reported to
someone who can address a problem. These systems trigger responses that have
strong legal implications, so one of the essential components is review for legal
rights of affected parties and compliance with applicable law.

8
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

Fraud can be taken down a notch, even if it cannot be completely eliminated. A

systematic program following these five principles is the place to start.

Summary

A major reason why people commit fraud is because they are allowed to do so. There
are a wide range of threats facing businesses. The threat of fraud can come from
inside or outside the organisation, but the likelihood that a fraud will be committed is
greatly decreased if the potential fraudster believes that the rewards will be modest,
that they will be detected or that the potential punishment will be unacceptably high.

The main way of achieving this must be to establish a comprehensive system of control
which aims to prevent fraud, and where fraud is not prevented, increases the likelihood
of detection and increases the cost to the fraudster.

RISK MANAGEMENT

DEFINITION

Risk management is the process of identifying, assessing and controlling threats to an

organization's capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic
management errors, accidents and natural disasters. IT security threats and data-
related risks, and the risk management strategies to alleviate them, have become a
top priority for digitized companies. As a result, a risk management plan increasingly
includes companies' processes for identifying and controlling threats to its digital
assets, including proprietary corporate data, a customer's personally identifiable
information and intellectual property.

Learn how to conduct effective Risk Analysis to identify and manage risk in your
organization.

What Is Risk Analysis?

9
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

Risk Analysis is a process that helps you identify and manage potential problems that
could undermine key business initiatives or projects.

To carry out a Risk Analysis, you must first identify the possible threats that you face,
and then estimate the likelihood that these threats will materialize.

Risk Analysis can be complex, as you'll need to draw on detailed information such as
project plans, financial data, security protocols, marketing forecasts, and other
relevant information. However, it's an essential planning tool, and one that could save
time, money, and reputations.

When to Use Risk Analysis

Risk analysis is useful in many situations:

• When you're planning projects, to help you anticipate and neutralize possible
problems.
• When you're deciding whether or not to move forward with a project.
• When you're improving safety and managing potential risks in the workplace.
• When you're preparing for events such as equipment or technology failure,
theft, staff sickness, or natural disasters.
• When you're planning for changes in your environment, such as new
competitors coming into the market, or changes to government policy.

How to Use Risk Analysis

To carry out a risk analysis, follow these steps:

1. Identify Threats

10
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

The first step in Risk Analysis is to identify the existing and possible threats that you
might face. These can come from many different sources. For instance, they could
be:

• Human – Illness, death, injury, or other loss of a key individual.

• Operational – Disruption to supplies and operations, loss of access to
essential assets, or failures in distribution.
• Reputational – Loss of customer or employee confidence, or damage to
market reputation.
• Procedural – Failures of accountability, internal systems, or controls, or from
fraud.
• Project – Going over budget, taking too long on key tasks, or experiencing
issues with product or service quality.
• Financial – Business failure, stock market fluctuations, interest rate changes,
or non-availability of funding.
• Technical – Advances in technology, or from technical failure.
• Natural – Weather, natural disasters, or disease.
• Political – Changes in tax, public opinion, government policy, or foreign
influence.
• Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation
where staff, products, or technology can be harmed.

You can use a number of different approaches to carry out a thorough analysis:

• Run through a list such as the one above to see if any of these threats are
relevant.
• Think about the systems, processes, or structures that you use, and analyze
risks to any part of these. What vulnerabilities can you spot within them?
• Ask others who might have different perspectives. If you're leading a team,
ask for input from your people, and consult others in your organization, or
those who have run similar projects.
•

Information Technology and Fraud Risk

11
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

Organizations rely on IT to conduct business, communicate, and process financial

information. A poorly designed or inadequately controlled IT environment can expose
an organization to fraud. Today’s computer systems, linked by national and global
networks, face an ongoing threat of cyber fraud and a variety of threats that can result
in significant financial and information losses. IT is an important component of any risk
assessment, especially when considering fraud risks. IT risks include threats to data
integrity, threats from hackers to system security, and theft of financial and sensitive
business information.

Whether in the form of hacking, economic espionage, Web defacement, sabotage of

data, viruses, or unauthorized access to data, IT fraud risks can affect everyone. In
fact, IT can be used by people intent on committing fraud in any of the three
occupational fraud risk areas defined by the ACFE.

CASE STUDY: RESEARCH ANY TWO RECENT ARTICLES ON FRAUD AND

DISCUSS WITH THE STUDENTS. RELATE IT BASED ON INFORMATION
MANAGEMENT & TECHNOLGY.

END

COMPILED BY: K MOODLEY

12
K MOODLEY FRAUD & RISK MANAGEMENT NOTES

13