Download (direct link):
In thinking about controls and their role in occupational fraud, we may conclude they operate much like the uniformed police. Their presence is meant to deter fraud. Their track record in detecting it is more problematic. Statistics from the ACFE may be useful in assessing their efficacy in this regard. In August 2001 the ACFE posted an online poll of its 25,000 members, asking the following question: How is fraud most frequently discovered in your organization?
The results, published the following month, were as follows:21
If we take “Other tips by employees” and add “Hotline tips,” which are really the same thing delivered through a different medium, we see that almost two-thirds of frauds discovered (61.3%) were probably surfaced by co-workers.
Such findings are also reflected in the ACFE’s 2002 Report to the Nation. This survey reported that data from 532 respondents indicated that internal controls surfaced only 15.4 percent of frauds reported and internal audits identified only 18.6 percent. The report advised that 46.2 percent of frauds covered were brought to light by tips from employees, customers, vendors, or anonymous sources.22
Such statistics may be seen by some as an argument against the effectiveness of internal controls, but that would be contrary to the sentiments of the people offering the assessments. In the same survey, The Report to the Nation asked respondents what they believed, from their professional experience, to be the most effective antifraud strategies and measures. Participants were asked to rate eight measures on a scale of 1 (most effective) to 8 (least effective).23 The winner, by far, was “internal controls”:
Other tips by employees Audits
Management review Hotline tips Lifestyle changes Other
Strong internal controls 1.62
Background checks on
new employees 3.70
Regular fraud audits 3.97
Established fraud policies 4.08
Even though the controls in place in these victim organizations did not prevent these frauds from occurring, the report offers data that suggests that the presence of controls appears to have a tempering effect on fraud losses. In organizations that did not perform preemployment background checks of employees, the median fraud loss was $130,000, versus $90,000 for organizations that did perform such checks. In organizations that had in place an anonymous reporting mechanism, such as a hotline, the median fraud loss was $77,500, versus $150,000 for organizations without such a capability. Likewise, organizations that had periodic internal audits or fraud surveys had median fraud losses of $87,500, while organizations without such processes had median losses of $153,000. Finally, organizations with external audits had median fraud losses of $100,000, while those without external audits had median losses of $140,000.24
The professional services firm of KPMG Peat Marwick has reported survey findings that seem both to contradict and support some of the data reported by the ACFE. In a survey released in 1999, KPMG reported that it surveyed 2,000 large companies that had experienced fraud. These frauds were discovered in the following manners (percentages may add to more than 100 because some respondents experienced more than one fraud and some frauds were discovered through a combination of factors):25
Internal controls 59 %
Internal auditors 47 %
Notification by customers 38 %
Accident 32 %
Anonymous letter 28 %
Notification by supplier 13 %
Notification by police 12 %
Notification by employee 10 %
Notification by government 10 %
External auditor 3 %
It seems reasonable to infer two findings from these data: (1) the presence of one or more control mechanisms either tended to restrain the size of the fraud loss or, remembering the issue of the length of time schemes were reported to
have been committed, caught it earlier; (2) we may presume, I would argue, that an organization with some element of control structure in place has announced to its employees its position on financial integrity and occupational fraud. Given that the teacher is watching, the classroom may not become as loud or rowdy.
As intriguing as these data are, it would be interesting to attempt to tease even more information out of them. For example, can we show a proportionality between levels of organizational controls effort and reduction of fraud incidence and loss? That is, does the organization with two controls mechanisms in place have lower losses than an entity with but one, and are three controls mechanisms even more effective? Until we can avail ourselves of further and more detailed research, we can only speculate.
It is not surprising that the respondents to the survey opined that controls were the primary issues in the vast majority of frauds these organizations experienced: 46.2 percent cited “Insufficient Controls” as the reason the fraud(s) took place, while 39.9 percent advised that controls had been ignored. Only