By Pete Miller, CPA, CFE
Fraud continues to be a rampant epidemic and a terrible economic reality. If occupational fraud were a country it would have a national economy ranking in the top-10 across the globe.
For a lot of not-for-profit organizations (NFPs), resources available for robust internal controls and fraud prevention measures are quite limited. An NFP’s ability to protect itself against fraud is made doubly challenging by the fact that an NFP will have a much harder time replacing the lost funds when compared to other organizations. The risks are greater. For this reason, small businesses and NFPs alike need to be very deliberate with the internal controls and fraud prevention measures they implement. Organizations can’t afford to implement every fraud prevention tool available to them, and what is more, not all fraud prevention tools are created equal. Some have proven to be far more effective at detecting ongoing fraud.
In order to help stretch your fraud prevention dollar, an organization needs to understand the power of good fraud prevention techniques, identify the most effective internal controls, and understand how they might align with the risks and goals of their organization. This is quite a challenge.
Thankfully, we have resources like the Association of Certified Fraud Examiners (ACFE) to provide knowledge about the problem and tools to assist in our defense. Every two years the ACFE publishes their global study on fraud – Report to the Nations (find the report at acfe.com).
Occupational fraud is very different from other forms of fraud. It relates to “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” The ACFE study polls CFEs and asks them to report on actual cases they’ve worked on over that two year period (1,483 cases from over 100 countries in this most recent study). Based on the study’s results, by extrapolation occupational fraud alone has created a $3.7 trillion annual problem worldwide. The study has fascinating statistics for how fraud is perpetrated, who is doing it, where it is happening, and how it is getting caught. Not only that, but it also helps identify which preventive measures are the most effective and it provides an effective Fraud Prevention Checklist that will help you get your fraud prevention program under way. This article will examine statistics found in that study that are specific to NFPs with the intent of helping build out a starter kit for a fraud prevention program.
The ACFE has been conducting this study since 1996, and the results are remarkably consistent from study to study. Despite the evolving methods available to fraudsters to obtain their ill-gotten funds, the path to fraud remains relatively the same and the methods used to detect/prevent it are just as effective today as they have been, if you use them. The good news for organizations looking to shore up their defenses is that there are proven tools available to you. Although this article will summarize some of the key points for NFPs, the entire study should be used by organizations as they consider fraud in the overall risk assessment process. First, a few highlights from the 2014 study and its predecessors:
- On average, 5% of an organization’s top line revenue is lost to fraud every year. That is noted in the 2014 study and has been a consistent metric over the years. Moreover, the median loss for all organizations noted in the study was $145,000. For most organizations 5% of their top-line budget, or $145,000, is a significant number and one that would be budgeted for very intentionally and carefully. This is the low-end of the range for this potential problem and requires just as much, if not more care.
- Tips, most commonly surfaced by a 24×7 fraud hotline, are by far the most common way fraud is uncovered (42% of cases). Someone out there – an employee, a customer, a vendor – knows what is going on and all they need is an anonymous and protected mechanism to speak up. Nearly 50% of all tips come from employees.
- Organizations that used hotlines experienced frauds that were 41% less costly and detected them 50% more quickly than those organizations experiencing fraud that did not employ a hotline.
- The most effective controls are often overlooked by victim organizations. For example, only 35% of victim organizations used proactive data monitoring in their control regimen, but the presence of these controls was correlated with frauds that were 60% less costly and 50% shorter in duration.
- The vast majority of frauds are perpetrated by first-time offenders. Only 5% of offenders had been previously convicted of a fraud-related crime, while 82% had never previously been punished or terminated for fraud-related conduct. This proves that good people can do the wrong thing under the right circumstances (new costs associated with kids in college or ailing parents, too much debt, any variety of addiction issues, or other financial pressures). A critical and often unnoticed control is for an organization’s leadership to simply get to know the people with access to assets and understand what is going on in their lives and what pressures they face. Understanding and reacting to that can be extremely helpful.
- Passive detection methods (confession, notification by law enforcement, external audits, or by accident) tend to take longer to bring to management’s attention, which allows the related loss to grow. You must be intentional and implement specific fraud prevention/detection controls to have a fighting chance at fighting fraud.
- It takes a lot of time and effort to recover fraud losses. According to the ACFE study, 58% of organizations experiencing fraud didn’t recover any of their losses and only 14% recovered all of their losses.
The ACFE study breaks cases down in a variety of ways, including the entity type and industry affiliation of the victim organization. Most entity types have seen a reduction in frequency over the past three studies. The tale of the tape is different for NFPs in this case however. In 2010 NFPs were impacted in 9.6% of the cases and that has grown to 10.8% of the cases. By contrast, private companies have gone from 42.1% in 2010 to 37.9% in the 2014 study. In addition, the median loss experienced by NFPs has also grown over this time. In 2010 the median loss was $90,000 and that amount has grown to $108,000. Again, in contrast private companies have seen a reduction from a $231,000 median loss in 2010 to $160,000 median loss in the 2014 study. This is clearly still a significant problem for NFPs.
Armed with the awareness that fraud is a growing problem for NFPs, the study also shows us the types of schemes that are most prevalent by industry as well. For religious, charitable and social service organizations the study shows that three types of schemes were all present in more than 30% of the cases (note, many cases involved more than one scheme so this information totals to more than 100%). Those three schemes are (1) billing schemes, (2) check tampering, and (3) expense reimbursement fraud. As these are the areas targeted by NFP fraudsters, these should be the areas of focus for fraud prevention. Other areas may be necessary to consider as well, but billing schemes, check tampering and expense reimbursement fraud would be a good starting point for the risk assessment conversation.
Hotlines have continued to be the leading detection method for ongoing fraud schemes. As previously mentioned, 42% of frauds were detected by tips. That is more than twice the frequency of the next highest ranking method (management review at 16%). Furthermore, organizations that used hotlines had an even higher rate of detection by tip with 51% (33% for those without a hotline). Hotlines certainly remain a central component to any fraud prevention and detection program; however, a new highly effective technique was measured for the first time in the 2014 study: proactive data monitoring. Those organizations that employ proactive data monitoring saw a 50% reduction in duration of the fraud and a 60% reduction in median loss compared to organizations that did not use these tools.
Proactive data monitoring is more commonly referred to as dashboarding. This is where the operational statistics of an organization are married with the financial results to provide for meaningful key performance indicators. Every organization has a “story” attached to its operations. The story of the organization is much more organic and difficult for one person to manipulate than financial data. For that reason, the best internal control systems and fraud prevention techniques will find a way to harness the key points of the story of the business and compare them with financial data. If the financial data is inconsistent with the operational story, the dashboard will tell us (e.g., we have had huge increases in patron visits this month, but our revenues are slipping; why?).
Hotlines and proactive data monitoring are two very effective tools, but there are several others as well. The study organizes the data on fraud controls to help the reader identify which controls are the most effective at reducing the median loss of a fraud and its duration. They measure this by comparing the duration and median loss of a fraud for victim organizations that had a particular control in place, compared to those that did not have it in place. This provides us with a measure of effectiveness and a menu from which fraud prevention program architects can select the most effective and appropriate controls for their organization. Not all of the controls in the following tables will be appropriate or cost effective for every organization, but they serve as a great starting point.
The following tables are excerpts from the study and show the most effective controls (all controls with a reduction factor greater than 40% are shown):
One last note from a practitioner that has seen far too many victim organizations impacted by fraud; the cost of fraud is like the proverbial iceberg. The direct losses – the dollars diverted from the organization’s donation boxes and into the pockets of the perpetrator(s) – are the piece you see floating above the water. They are significant in and of themselves, but pale in comparison to the rest of the invisible iceberg under the water’s surface. The costs to investigate the incident, remedy ineffective controls, fight to recover the losses, opportunity costs of your employees, and then the immeasurable loss of trust in the accounting function can equate to a Mount Everest-sized portion of the unseen iceberg.
Fraud continues to be a significant problem for all organizations and, in many ways, even more so for NFPs. An ounce of prevention is worth a pound of cure. Start investing in your ounce by reading the ACFE report and incorporating elements into your risk assessment process.
© Clark Nuber PS, 2014. All Rights Reserved