Fraud Control Gap
Implications for companies
By its nature, fraud is hard to detect. In fact, a perfect fraud would never be detected. People committing fraud plan from the outset to keep their actions hidden until they achieve their illegal objectives, and for as long after that as possible. But that does not mean that companies should throw up their hands and accept fraud as a cost of doing business. Surprisingly, a short list of proactive behaviors separates those companies that are considered more effective at preventing and detecting fraud from those that are not.
“The face of fraud is very fluid – it is constantly changing,” says Tim Wolfe, director, Special Investigations Unit at CNA in Chicago. “Perpetrators have become more creative, devising more complex fraud schemes that are increasingly difficult to detect. This, in turn, requires companies to be more sophisticated in their approach to fraud prevention and detection.”
The Deloitte Forensic Center recently commissioned a survey and analyzed the responses of hundreds of executives charged with fraud control, eliciting their views on how effective their companies were at controlling fraud. "The study reveals relatively weak performance in many companies’ fraud controls," says Toby Bishop, a partner in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP and Director of the Deloitte Forensic Center. He adds, "It also raises potential concerns about the effectiveness of key aspects of corporate compliance and ethics programs. Executives interested in preventing and deterring fraud should consider how this new study’s findings might apply to their company and whether they should respond by enhancing their compliance, ethics, and risk management programs."
Here are five key findings and observations from the study:
- We found a substantial self-reported “ fraud control gap” between the minority of companies that were considered in the study to be more effective at fraud control and the majority of less-effective companies. The gap – which is puzzling in light of all the public and legislative attention paid to corporate fraud since Sarbanes-Oxley – is large enough to raise concerns about the fraud risks that less-effective companies may be running.
- Executives reported that their companies were much less effective in controlling external fraud than internal fraud. This vulnerability poses special risks for companies that are increasing their business activities outside their home countries.
- Effective whistle-blower hotlines are a critical part of compliance, ethics and fraud risk management programs. But only about one-third of respondents viewed their hotline programs as “very effective.” This underwhelming level of confidence suggests that many companies need to enhance their hotline programs significantly.
- Among companies deemed less effective at fraud control, only about one respondent in eight rated their employee training on fraud as “very effective.” Again, this raises questions about the effectiveness of employee training on fraud and other risk and compliance issues at many companies.
- Executives at the more-effective companies anticipated that instances of fraud were much less likely to occur over the next 12 months. This supports the business case for pursuing more-effective fraud controls.
You can use this study’s results to identify ways to improve the performance of your company’s compliance and ethics programs that deal with fraud and other corporate criminal issues.
We explore each of these findings and their implications in detail below. The sidebar explains the study methodology.
1. Fraud control gap
The “fraud control gap” between more-effective companies and less-effective ones is stark. This chart compares the two groups for six elements of fraud control:
Percent of companies responding “Effective” or “Very effective” (4 to 5 on 5-point scale)
The size of the performance gap between the more-effective and less-effective companies is striking. For example, 93 percent of more-effective companies considered their organizations to be “very effective” at detecting internal fraud, compared to only 17 percent of less-effective companies – a difference of 76 percentage points. This statistical chasm should raise questions for corporate executives, boards of directors, and counsel for the majority of companies that are considered less effective at controlling fraud.
“Ongoing, formal fraud risk assessments are a key element of any successful fraud control program,” says CNA’s Wolfe. “A company cannot have adequate protections against fraud risk without first identifying its specific risk exposures.”
Would your company be classified as “more effective” or “less effective” at fraud control? If the latter, what steps should your company take to catch up with more-effective ones?
2. Not ready for external fraud
The chart above also shows that all companies rated themselves significantly less effective at dealing with external fraud than with internal fraud. Fifty-six percent of more-effective companies considered their organization to be “very effective” at detecting external fraud, compared to 93 percent for internal fraud. At less-effective companies, only 4 percent of executives considered their organization “very effective” at detecting external fraud, compared to 17 percent for internal fraud.
External fraud risks pose special challenges, some cultural and some technological. Globalization and outsourcing add a new dimension of complexity. Many companies now conduct business in countries where they lack experience – increasing their exposure to fraud risks in areas where they have not established effective fraud controls. Accelerating business complexity, expanding reliance on technology, and increasing attention of organized criminal groups on corporate assets all multiply opportunities for external fraud. And it is simply harder for companies to stay current on external fraud schemes that may affect them infrequently or not at all.
A number of factors explain the surprisingly low use of technology in fraud prevention and detection, according to Wolfe. First, “there is no off-the-shelf, one-size-fits-all solution; and that the cost of customized solutions can be prohibitive. What’s more, the success rate varies tremendously. “There are numerous examples of companies that spent a lot of money on fraud-detection systems that didn’t work,” says Wolfe. The biggest problem has been the tendency for the systems to yield false positives. “There are some success stories. But in each case, Wolfe says, the companies devoted significant resources – both personnel and dollars – both before and after implementation.”
You may want to evaluate how well your company has insulated itself against external fraud. You might start with management’s fraud risk assessment. Does it even address external fraud risk exposure? Does it identify particular fraud schemes and their potential perpetrators, significance, and likelihood? Is it country-specific? Are you using the latest technology to anticipate, detect, and prevent fraud on your company? Don’t be surprised if you have some catching up to do.
3. Not enough whistles blown
Across all the companies surveyed, only 32 percent of executives considered their company’s whistleblower hotline to be “very effective” at uncovering or preventing fraud. More-effective companies rated themselves more highly than did less-effective ones (46 percent versus 22 percent), but neither result is impressive. Tips are the most common way that fraud is detected, so hotlines are a key detection mechanism for fraudulent activity in a company – especially in the case of senior executives perpetrating fraud. Respondents’ lack of confidence in hotline performance would seem to indicate that this key mechanism is not being used to its potential.
Is someone in your company responsible for benchmarking your hotline annually using industry-specific performance statistics such as call volume, call mix, anonymity usage, and prior notification of management? Does every employee in your company know exactly how to blow the whistle on suspected fraud?
Consider surveying employees anonymously to measure their willingness to use the hotline and their degree of trust in management to resolve issues appropriately and without retribution against whistleblowers. Analyzing the survey results by operating unit or by geography can identify where the hotline may be less effective – or completely ineffective – so you can devote resources to the right spot to improve performance.
4. Employee training deficient
Training employees on fraud presents an area ripe for significant improvement for both more-effective and less-effective companies. The proportion of executives at the two groups who thought their company’s fraud training was “very effective” was 58 percent and 12 percent respectively.
Other questions in the study revealed that only about 30 percent of companies’ senior management had effectively communicated the importance of fraud control and ensured that their employees had a clear understanding of their responsibilities in this area. It is not surprising that fraud continues to occur if 70 percent of companies are not effectively communicating the importance of fraud control to their employees.
Does your company’s ethics, compliance, or risk management program include adequate fraud training? Could an employee quickly find the information needed to “blow a whistle” on your intranet or in your employee handbook?
5. Reduced fraud expectations
Not surprisingly, the study results suggest that improving the effectiveness of fraud controls reduces the likelihood of future frauds. The chart below shows that executives at companies more effective at fraud control expected significantly lower rates of fraud over the next 12 months than those at less-effective companies.
Likelihood of types of fraud in next year
Percent of executives responding that fraud is somewhat, very, or extremely likely
Note: “Pretexting” refers to gaining information under false pretenses.
While 60 percent of executives at less-effective companies thought it was at least somewhat likely they would experience a misappropriation of assets fraud over the next 12 months, the proportion was only 38 percent at more-effective companies. The results are even more striking with respect to the significant issues of fraudulent financial reporting and FCPA (Foreign Corrupt Practices Act) violations: Executives at the more-effective companies were about half as likely to consider these issues to be somewhat, very, or extremely likely over the next 12 months. Given the financial costs and potential reputational harm of such incidents, the benefit of more-effective fraud controls and programs is apparent.
About half of respondents also reported that their companies had devoted more resources to fraud control over the past 12 months, citing increased publicity about fraud, pressure from the board of directors, and a recent instance of fraud as the main reasons.
Is your company positioned to achieve the lower rates of fraud expected at companies more effective at fraud control? If you perceive that your company needs to implement new fraud control programs or bolster existing ones, you will be in good company.
Most companies have substantial work to do before their fraud control programs can be considered to be among the leaders, and even companies with more-effective programs have considerable room for improvement. But to meet the expectations of regulators, investors, the public and the media today, and to manage the growing fraud risks that go with today’s “flat Earth” business environment, companies need to do more than just make incremental improvements. Instead, they need to create a fraud control culture where all employees understand their responsibilities for helping prevent and detect fraud.
1 Deloitte Forensic Center “Ten Things About Fraud Control: How Executives View the ‘Fraud Control Gap,’ ” 2007.
2 Association of Certified Fraud Examiners, “2006 Report to the Nation on Occupational Fraud and Abuse.
The Deloitte Forensic Center commissioned an online survey of executives involved with fraud control, drawn from functions including internal audit, compliance, finance, risk management and legal. The 277 participating executives came from a broad range of industries and from companies of all sizes, about two-thirds of which (64 percent) were subject to Sarbanes-Oxley.
Respondents ranked their companies’ effectiveness on a five-point scale in preventing and detecting both internal and external fraud. The survey firm chose 3.5 as the breakpoint for separating “more effective” companies from “less effective” ones.
Only four in 10 of the respondents (41 percent) rated their companies high enough to qualify as “more effective.” We observed few differences across industries in the ratings of fraud control effectiveness – except for financial services, where 53 percent of executives rated their companies’ performance high enough to be considered more effective at fraud control.***