Peeling back the onion: Common misconceptions about occupational fraud

Most organizations today recognize that it’s not a matter of if, but rather when they will be victimized by fraud. So why do certain occupational fraud schemes—or frauds committed from within an organization—go undetected for months and often years?

Most organizations today recognize that it’s not a matter of if, but rather when they will be victimized by fraud. So why do certain occupational fraud schemes—or frauds committed from within an organization—go undetected for months and often years?

There are certain misconceptions about fraud that could help explain this, while assisting organizations to uncover potential schemes. Let’s explore some of these:

Misconception #1: Technology reduces the “paper trail” that could uncover fraud

Some would argue that technology is eliminating the paper trail that organizations traditionally relied on, to catch fraud. For example, cheques are being replaced by wire transactions and email transfers; purchase orders and invoices are being prepared on web-based systems or sent in pdf, rather than in hardcopy form; transaction approvals are being done online rather than on paper; and hardcopy pay stubs are being replaced with electronic stubs.

Notwithstanding the reduction of “paper”, the advent of technology has arguably resulted in more of a “paper trail” relating to employee activity, than ever before. It’s a function of having the appropriate mechanisms in place to monitor such activity.

Our phone calls have been replaced with corporate and web-based email, text messages and various other messaging forums. Our face-to-face meetings have been replaced by online video conference calls, which are often recorded. In fact, we tend to say things in electronic communication, which we would likely not say to when face-to-face. All of these technological advancements have added conveniences to our lives—and a “paper trail”.

While some believe that bypassing work email is a strategy to avoid detection, a recent scandal emerging in the United States (U.S.), reveals that even the most sophisticated users, can get careless and get caught.

Although fraud allegations are not the basis for this story, the media has been replete with information about the alleged affair and emerging “love triangle” involving the recently resigned Chief of the U.S. Central Intelligence Agency, Chief, David Petraeus (Petraeus), his ex-mistress Paula Broadwell (Broadwell) and Tampa socialite Jill Kelley (Kelley).

The Associated Press (AP) reported that Petraeus and Broadwell apparently used a trick–known to terrorists and teenagers alike—to conceal their email traffic. The AP stated,

“…rather than transmitting emails to the other's inbox, they composed at least some messages and left them in a draft folder or in an electronic dropbox…Then the other person could log onto the same account and read the draft emails, avoiding the creation of an email trail that might be easier to trace.”

While details of this matter are just starting to trickle in, it appears that like my fraudsters, Broadwell’s little scheme actually did work under normal scrutiny. However, Broadwell appears to have made some very unsound choices and placed all of her communications under much greater scrutiny, which ultimately led to her identity (i.e., IP address) being revealed.

Most organizations have responded to risks associated with the use of IT with strong workplace computer policies, whereby the organization maintains the right to monitor their employees’ computers, electronic communication as well as internet activity.

However, a recent Supreme Court of Canada decision may send organizations back to reviewing their ‘proper use of IT’ policies, in a case that effectively ruled that employees can expect some privacy on work computers. According to the decision of Mr. Justice Morris Fish 1, it states,

“Whatever the policies state, one must consider the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation. While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely…."

Misconception #2: The only enemy is the fraudster

Many organizations place undue reliance on the fact that they have a strong corporate governance structure, which includes a series of extensive policies and procedures and well-documented internal controls, specifically designed to prevent and detect fraud.

But how effective are these at mitigating fraud? Just because a company posts its policies and procedures on their intranet, does not necessarily mean they are widely understood, adhered to by the majority of its employees—or even monitored for compliance.

To combat this issue, many organizations are providing their employees with training on such policies and requiring employees to sign-off annually that they have reviewed such documents, understand their contents and agree to adhere to their terms and conditions. While this is a good start, it is unfortunately not enough to eliminate fraud.

The last several years, we have witnessed some of the most difficult and challenging economic times since the Great Depression. Some companies are struggling just to maintain their ‘going concern’ status. One of the first places to cut back is staff resources.

In making staff cutbacks, many organizations focus on the bottom line impact, but fail to consider or recognize the potential impact that such cutbacks can have on the effectiveness of their internal controls.

One of the most basic internal controls is segregation of duties. Due to recent cutbacks, the work that was previously done by two individuals is now being done by one. As such, there is no longer a segregation of duties for that function.

By extension, the remaining employee is so overwhelmed with their new role and responsibilities, their biggest challenge becomes getting through the day; fraud inherently falls to the bottom of their list of priorities.

To uncover financial fraud, it is critical that employees—and auditors for that matter—change the way they think. In fact, they must be reminded constantly that fraud is an ongoing risk. They must ensure that they look out for the indicators or “red flags” and that potential anomalies identified, are appropriately addressed within a timely manner. For example:

  • Most organizations issue sales invoices that follow either a computer generated numerical sequence or use pre-printed sales invoices. Sometimes sales invoices are issued outside of this sequence. This could be an indication of a fictitious billing scheme for the purpose of artificially inflating revenue.
  • When a “one-time” vendor is set up in the vendor master file, it might have been done to pay a certain vendor for non-recurring work. However, it is later discovered that additional invoices are then paid to this same vendor over several quarters. To boot, the vendor’s contact information is the same as one of the company’s employees. This could be an indication of a fictitious vendor/invoice, for the purpose of concealing a misappropriation of assets scheme.
  • A company notices that the unit costs for certain inventory have recently gone up, along with increases to physical inventory balances. At the same time, the number of vendors from which inventory is purchased has decreased from 5 to 3, and one particular vendor is getting a disproportionate amount of business, relative to prior periods. This could be an indication that someone in the procurement department has negotiated a kickback scheme in return for directing business to one vendor.
  • A company notices that its total payroll costs for hourly employees are rising over a particular period, which is inconsistent with its drop in production during that period. This could be an indication that a ghost employee was added to payroll for the purpose of concealing a misappropriation of assets scheme.

As illustrated by the above examples, when you start to peel back the onion, you may find that a situation or transaction that appears on the surface to have a rationale business explanation might actually reveal a fraud.

Misconception #3: Trust is an internal control

With the benefit of hindsight and experience, forensic accountants will tell you that the majority of occupational fraud schemes are actually not that complicated. Very often, they went undetected because employees took advantage of the unconditional trust placed in them by their organization.

Surveys consistently find that frauds are more likely to be committed by long-term, senior employees. There are several reasons that may help to explain this:

  • the more senior the employee, the greater the responsibility and access that individual has to sensitive company records;
  • senior employees are less likely to be scrutinized by superiors, as they are one of the superiors; and,
  • senior, trusted employees tend to have the experience and knowledge of how an organization’s systems work; as such, the more senior the employee, the greater the likelihood that person knows how the systems work—and more importantly—how controls can be overridden.

While this may seem counter intuitive, it would appear that the longer an organization keeps an employee, the more “on-the-job” training they are providing to the would-be fraudsters.

In short, regardless of the level of the individual, from the CEO to the rank-and-file employee,nobody should be trusted blindly. There should be a healthy level of skepticism exercised in respect of the potential risk of an employee committing fraud. This “tone-at-the top” messaging has to come from the Board and filter throughout the organization.

Misconception #4: Employees who are “rich” do not commit fraud

When we think of a white-collar criminal, we tend to paint the picture of the stereotypical profile of a traditional criminal. However, many fraudsters are normal, law-abiding citizens whose biggest crime may be jaywalking.

Many fraudsters are driven to commit their acts by a trigger event—an addiction, such as gambling, alcohol, or drugs. There are also cases of retail addictions that have driven individuals to cross the ethical boundaries.

Individuals may also be driven to commit fraud due to personal financial pressures, such as living a lavish lifestyle that exceeds their financial means from legitimate sources or an extramarital affair. Keeping an eye out for one of these potential “indicators” can play a critical role in identifying fraud.

One of the most common drivers of fraud is greed. As such, even those who have the financial means have been known to commit fraud. Did I mention that nobody should be trusted blindly?

If all else fails...prevention—rather than detection—is the best deterrent against fraud.

To the extent that we maintain fraud top-of-mind, we increase the likelihood of deterring would-be fraudsters from engaging in illicit activity, because the fraudsters are now aware that every person around them is looking out for the “red flags” of potential schemes.

One of the most common criticisms raised by the various accounting oversight bodies is the lack of professional skepticism exercised by auditors when addressing fraud risks. Client relationships aside, auditors must be prepared to ask the “tough” questions and not hesitate to “dig” further, should they uncover these “red flags”.

Given that ‘fear’ is arguably the number one deterrent preventing people from coming forward with allegations of fraud and other acts of wrongdoing, individuals must feel safe reporting their concerns. Organizations must therefore foster an environment of transparency by encouraging employees to come forward with suspicions—either through existing channels (such as a supervisor) or through an anonymous ethics hotline.

Lastly, fraudsters do not engage in illicit activity with the intention of getting caught; otherwise, they would likely not commit such acts. As such, the best method of mitigating fraud, is to prevent it from occurring in the first instance.

1 Source: R. v. Cole, 2012 SCC 53

About the Author

Edward Nagel, CPA, CA•IFA, CBV

Forensic accountant