Patrick Voss gives some guidelines on managing fraud risk

There are three common reactions which crop up whenever the subject of fraud risk is discussed. In simple terms these are:

  • it could not happen here
  • it is bound to happen and there is not much we can do about it
  • it is a risk, but we have bigger problems to deal with.

    The first and second responses are respectively unduly optimistic and unduly pessimistic. The third suggests a cost-benefit approach to the problem. This is sensible as far as it goes. However, my own firm's experience is that people tend to overstate the easily quantifiable costs and understate the less easily quantifiable benefits of managing fraud risk.

    What does fraud mean?
    Fraud means different things to different people. It is a generic term, which covers a wide range of economic crimes and impropriety and may cover one or more of the following broad categories:

  • misappropriation of company assets: theft of cash or other tangible assets; theft or misuse of intellectual property; unjust self-enrichment through abuse of one's position within the company
  • fraudulent financial reporting: manipulation or falsification of financial statements, accounting records or underlying documentation
  • other legal or regulatory breaches: money laundering, corruption, or other breaches where the acts or omissions of individual employees can render them and the company they work for (and/or its directors) liable to criminal and civil sanctions.

    In practice, real cases of fraud will often cross the boundaries between these categories. However, my primary focus here is on the first kind – misappropriation of assets – although many of my comments may apply to the other types of fraud as well.

    How prevalent is fraud?
    In a recent survey (1) conducted by PricewaterhouseCoopers, nearly three quarters of all larger (2) companies questioned in the UK said that they had been the victim of serious fraud in the last two years. The average cost to these companies of the frauds was €15m (£9.4m). If that does not sound too disastrous, note that the average hides some very large individual cases – nine respondents cited losses in excess of €100m (£62.5m).

    The survey revealed some other startling statistics. For example, in 58% of cases the fraud had been discovered more or less by chance. In 28% of cases tip-offs had played a part. Frauds were overwhelmingly perpetrated by insiders – management and other employees – although sometimes with the help of outsiders. Against this background, the argument that 'it couldn't happen in my company' starts to look a little threadbare. No company, regardless of size, location or industry, is immune. Fraud can strike any organisation and it pays to be prepared for it when it does.

    Can fraud be prevented?
    Given that prevention is generally better than cure, what can be done to prevent fraud? The bad news is that no system of controls and supervision is foolproof. Good risk management can mitigate, but not eradicate, the risk of fraud. There is no typical fraudster. Fraudsters may share some similar traits, but these are unlikely to help you identify one in advance.

    Nevertheless, this is not an excuse for inaction. It may not be possible to spot a potential fraudster, but it is certainly possible to identify potential opportunities for fraud within the company, and to take action to remove or reduce those opportunities. The details of an effective anti-fraud regime will be specific to each company, so it is only possible to suggest some general approaches here.

    All organisations can usefully ask themselves the following (by no means exhaustive) list of questions.

  • Is the culture of your company conducive to the reduction of fraud risk? Does top management set the tone by promoting a strong anti-fraud stance and through leading by example?
  • Has the company recently undergone a top to bottom assessment of its fraud risk exposure? Has it addressed any significant gaps which emerged from such an exercise?
  • Does the company have a formal fraud response plan, which sets out clear actions, roles, responsibilities and reporting lines should fraud be discovered?
  • So that management and staff know what is expected of them, does the company have a written code of ethics, with guidance on conflicts of interest and the consequences of ethical breaches?
  • Have past cases of fraud been adequately dealt with? Have the right messages been sent to others inside and outside the company?
  • Are employees appropriately screened before they join the company?
  • Does the company have well publicised and promoted formal whistleblowing procedures?

    If the honest answer to any of these questions is 'No', then you should consider appropriate remedial action.

    When fraud strikes
    Risk management does not stop at prevention. Effective action when fraud strikes can limit the damage and send a strong deterrent message for the future. No two frauds are alike, and each case presents a unique combination of problems and challenges. However, there are a variety of 'dos and don'ts' which are likely to be relevant in most cases. These are some of the key points.

  • You must act quickly and decisively to limit the damage, optimise recovery options and preserve evidence.
  • Do not panic or act with undue haste. An ill-considered move in the early stages could have damaging and unforeseen consequences later on.
  • In consultation with HR, lawyers and others, decide how to handle employees who are under suspicion. Firing them on the spot may not be the best course of action. They must not, however, be allowed to remove or destroy evidence.
  • Do not do anything which might destroy or compromise evidence. Safeguard potentially relevant documents. Resist the temptation to pull files apart and never write on, or otherwise mark, originals.
  • Secure computer equipment used by suspects. Do not attempt to turn on, or otherwise tamper with, relevant computers, as you may inadvertently alter data and irrevocably damage evidence. Handling this sort of evidence requires specialist assistance and equipment.
  • Gather together the people with the right skills. These may include in-house lawyers, external legal advisers, forensic accountants, internal auditors, HR people and others.
  • Nominate an appropriate person to oversee the process and coordinate the efforts of different parts of the team. This person should have the authority to make strategic decisions as the investigation progresses.
  • Think carefully before involving people close to the suspects in the investigation. This includes those charged with their direct or indirect supervision – such people may not be able to act objectively, and may even themselves be implicated.

    Investigating fraud
    The precise scope and methodology of an investigation will depend on the nature and scale of the fraud, the company in which it takes place and the answers to the questions raised above. An investigation is an iterative process. Information and evidence gathered in the early stages may well create additional, previously unidentified leads to be followed up.

    The key phases of an investigation are:

  • determination of the initial case strategy
  • information gathering and analysis – see below for more detail
  • documentation of how the investigation has been carried out and the evidence collated
  • reporting to management, audit committee and third parties (police, regulators, etc) as appropriate.

    Agreeing on an initial scope and strategy is vital. As the investigation progresses, the strategy may need to be adjusted in light of the findings. However, from the outset, the aims of the investigation should be clear.

    Consider early on how you intend to manage the potentially large amount of evidence from documents and data. Leaving this sort of decision until too late could result in avoidable inefficiencies, or loss of valuable evidence.

    Information can be gathered in a number of ways from a myriad of sources, including company records, e-mail and other data, third party documents, publicly available information, employees and other potential witnesses. These sources can be accessed using a variety of techniques including interviews, computer forensic techniques and good old-fashioned trawling through documents.

    Interviews need to be carefully planned and prepared for. It makes a big difference whether you are interviewing a suspect or a witness. The former is generally better left until you have a good idea of the facts of the case and the key evidence. Witness interviews also need preparation, but are less likely to be adversarial – and you have to start somewhere. Timing can be crucial: it may sometimes be difficult to go back to an interviewee for a second time. Lack of preparation and failure to have the right documents to hand can lead to a wasted opportunity, as you will not be able to challenge an interviewee's assertions.

    A suspect's computer can reveal a great deal, including data which has been deleted, but it must be handled carefully. You are likely to need specialist help, as special hardware and software are required to take a forensic image of the hard disk without tainting the evidence it may contain. All too often, enthusiasm gets the better of people who attempt to investigate without appropriate support. Few appreciate that simply turning a computer on can alter and even erase data, which may in turn jeopardise the investigation and actions leading from it.

    Another key information gathering and analytical tool is the use of data mining techniques. Data mining involves taking (usually large volumes of) selected company data and sorting and filtering it to identify potentially suspicious patterns of transactions. This is a particularly important method where either there are general suspicions of fraud but no actual cases have been identified or where there is a concern that the frauds so far identified may be symptomatic of a more widespread problem. Well designed and focused data mining can hugely reduce the amount of work needed to identify additional instances of certain types of fraud and increase the level of assurance that they have all been identified.
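
As an added illustration of the sorting and filtering described above (example code, not part of the original article or any PricewaterhouseCoopers tool), the sketch below runs four review tests over a constructed accounts-payable extract. The article names no specific tests; the four chosen here, the approval limit, the 5% margin and all sample records are assumptions.

```python
import re
from collections import defaultdict

APPROVAL_LIMIT = 10_000   # assumed single-signature approval limit
NEAR_LIMIT = 0.05         # assumed: "just under" means within 5% of the limit

# Constructed sample data: (payment id, vendor, invoice ref, amount, date, bank account)
PAYMENTS = [
    ("P001", "Acme Supplies", "INV-1001", 4200.00, "2001-03-02", "GB-111"),
    ("P002", "Acme Supplies", "inv 1001", 4200.00, "2001-03-19", "GB-111"),
    ("P003", "Northfield Ltd", "NF-77", 9900.00, "2001-03-05", "GB-222"),
    ("P004", "Delta Consulting", "DC-1", 6000.00, "2001-03-09", "GB-333"),
    ("P005", "Delta Consulting", "DC-2", 5500.00, "2001-03-09", "GB-333"),
    ("P006", "Harbour Print", "HP-310", 1250.00, "2001-03-12", "GB-444"),
    ("P007", "Orchard Services", "OS-9", 800.00, "2001-03-15", "GB-901"),
]
EMPLOYEE_ACCOUNTS = {"GB-901": "payroll record E-17"}  # constructed payroll extract

def flag_payments(payments, employee_accounts, limit=APPROVAL_LIMIT):
    """Return {payment id: sorted reasons} for payments that merit manual review."""
    flags = defaultdict(set)
    seen, per_day = {}, defaultdict(list)
    for pid, vendor, ref, amount, day, account in payments:
        # Same vendor, amount and invoice reference, ignoring case and punctuation.
        key = (vendor, amount, re.sub(r"[^A-Z0-9]", "", ref.upper()))
        if key in seen:
            flags[pid].add("duplicate_of_" + seen[key])
        seen.setdefault(key, pid)
        # Single payment sitting just below the approval limit.
        if limit * (1 - NEAR_LIMIT) <= amount < limit:
            flags[pid].add("just_under_limit")
        # Vendor paid into a bank account that also appears in payroll.
        if account in employee_accounts:
            flags[pid].add("employee_bank_account")
        per_day[(vendor, day)].append((pid, amount))
    # Same-day payments to one vendor, each under the limit, together over it.
    for group in per_day.values():
        total = sum(amount for _, amount in group)
        if len(group) > 1 and total >= limit and all(a < limit for _, a in group):
            for pid, _ in group:
                flags[pid].add("possible_split")
    return {pid: sorted(reasons) for pid, reasons in sorted(flags.items())}

if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS, EMPLOYEE_ACCOUNTS).items():
        print(pid, ", ".join(reasons))
```

A flag is a lead for follow-up, not a finding: each flagged payment still has to be checked against the underlying documents.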

    It is vital to document how the investigation has been conducted. How and where evidence was obtained is crucial, particularly where criminal proceedings may ensue.

    Finally, the form of reporting will vary, depending on the recipients of the report and their requirements. It may be necessary to create different reports for different constituencies. From the start, having a clear idea what the various reports should look like will help to focus the investigation.

    1) The PricewaterhouseCoopers European Economic Crime Survey 2001. Over 3,600 companies in 15 European countries were surveyed.

    2) Larger companies were defined as those with at least 5,000 employees.

    Patrick Voss is a partner in PricewaterhouseCoopers Forensic Services, Tel: 020 7213 8276. More information at: