Regulators Stop Fraud with Whistleblower Payments

Organizations are vulnerable to fraud, especially smaller organizations and nonprofits that have lower staffing levels and technology investments. Fraud losses are estimated to total about 5% every year. That’s a lot of lost revenue or donations!

Federal regulators, like the Securities and Exchange Commission (SEC), focus on large-dollar fraud committed at public companies that usually involves mid- or high-level management. Some frauds go on for years, perpetrated by insiders who know the organization and its controls well enough to circumvent them.

In 2011, the SEC established a Whistleblower Program to provide incentives to whistleblowers to report federal securities law violations. Individuals who provide information that leads to a successful SEC enforcement action resulting in sanctions greater than $1 million are eligible for a monetary award. Whistleblowers may be an employee, an insider such as a consultant, or an outsider of the company. 

Since its inception, the Whistleblower Program has fined wrongdoers more than $1.7 billion, and the SEC has awarded more than $60 million to whistleblowers. Since the whistleblower rules took effect in 2011, the SEC has received more than 22,000 whistleblower tips. The annual number of tips submitted internationally has grown 75 percent since 2012.

Two fraud categories that tend to come up on the “Whistleblower Hit List” most often are Corruption and Financial Statement Reporting. Those tend to be large-dollar schemes perpetrated by senior-level members of an organization. Here’s a little information about each category to help you to recognize it, just in case:

Corruption

Corruption often involves senior management with authority over essential elements of an organization, like sales and operations. About 70 percent of corruption cases are perpetrated by someone who misused her or his authority to gain direct or indirect benefit. Examples include bribery, kick-backs and conflicts of interest.

Financial Statement Reporting

Financial statement fraud is less common, but is usually the most costly. The median reported cost is a whopping $800,000. This type of fraud is commonly perpetrated by middle or senior managers whose income is based on meeting projected financial targets.

The SEC Whistleblower Program is one way to tamp down on corporate fraud. With the monetary rewards increasing, reports to the SEC’s Whistleblower Program are likely to grow. Let’s hope that this upward trend dissuades fraudsters from corrupt practices altogether.

Prevent Fraud in Your Nonprofit

Nonprofits are even more susceptible to fraud losses than other organizations because of typically lower levels of staffing and technology. Fraud is also more prevalent in nonprofits due to a common assumption that everyone working there, especially volunteers, is nice, honest, and trustworthy.

Unfortunately, high levels of trust and low levels of staffing and technology can give free rein to people who are unscrupulous or experiencing extreme financial pressures. A lack of processes and controls can give those individuals the opportunity to steal donations that nonprofits work really hard to raise. Not to mention that being a good nonprofit steward is part of the trust relationship with financial donors.

Recognizing that fraud can happen and implementing a proactive action plan help to prevent nonprofit fraud. Nonprofits can implement practical and cost-effective steps to minimize the chance that a fraudulent act will occur by following these three fraud prevention tips:

 

  • Separate Tasks – The most powerful weapon against fraud is separating tasks or duties. Separation of duties prevents one person from having too much control over financial activities, like separating expense approval and check signing from the person who reconciles the bank account.

  • Report Anomalies – Identifying anomalies, or exceptions, from expected conditions or results highlights events or actions for additional review and action. Reporting unusual activity or results to an independent reviewer could end up drawing attention to and ending fraudulent activities.

  • Independent Oversight – Periodic independent reviews performed by a knowledgeable party are another way to safeguard nonprofit financial assets. Methods include audits and effective governance, such as the Board’s financial statement review and the Treasurer’s review of all expenses incurred by the Executive Director.

 

Recognizing that fraud can happen and implementing a proactive action plan to minimize the risk are important steps for preventing nonprofit fraud. Powerful weapons like separating tasks, reporting anomalies and independent oversight reduce the risk of losing donations that nonprofits work really hard to raise.

Fraud and the CEO

I don’t usually cover the same topic three weeks in a row. But I couldn’t resist a third post about fraud after reading a recent Internal Auditor article, “The Lottery Loser,” by Art Stewart. The article highlights yet another example of bad things happening when one person has too much unchecked control.

 

Mr. Stewart summarizes and comments on a CNBC news report about a New York credit union CEO who ran a fraud totaling $6 million since 2013. His methods included depositing credit union funds into his personal account and submitting personal expenses for business reimbursement. Read the full article here for Mr. Stewart’s take on three critical measures that organizations can take to prevent a fraud like this from happening. https://bit.ly/2sQWeyn

 

Here are a few of my thoughts:

 

Oversight – Regardless of power or position, financial activities conducted by senior leadership should be overseen by someone who is independent of that activity. Organizations can implement periodic, independent reviews of financial transactions and variance/trend reporting to detect and act upon inappropriate activity. Larger organizations often have an internal audit or compliance function to perform oversight duties. Nonprofits usually delegate these reviews to the Board’s Treasurer.

 

Financial Controls – Implementing exception reporting, segregation of duties and other financial controls decreases opportunities for inappropriate financial activity to go undetected – or could prevent them from happening at all. In the case of Mr. CEO, an authorized check signer should not have access to blank checks. The account reconciliation, another important financial control, must have been poorly designed or performed, since it failed to detect a flagrant check-writing fraud for four years! A poorly-executed control is just as bad as no control at all.

 

Human Resource Management – Trust is great, but organizations need to protect themselves with policies and processes to verify that people in positions of trust are trustworthy. Processes are also needed for times when trust is broken. Periodic background and credit checks can reveal personal or financial stresses that could lead to fraud. Mr. CEO’s financial losses would have shown up in his credit report and raised a red flag at the credit union. Whistle-blower reporting policies and mechanisms provide an anonymous way to bring inappropriate activity to light without risk of repercussion.

 

A fraud that goes on for years means that one person had too much unchecked control over financial assets, transactions or reporting. When that “one person” is the CEO or other member of senior leadership, the risk of loss can spike due to his or her access to the organization’s finances. Taking Mr. Stewart’s and my advice on the three critical measures to prevent a fraud could keep your organization from being victimized like that New York credit union.

Fraud and Workplace Culture

Last week’s blog was about the three types of fraud and how to prevent them. Typically, organizations lose 5 percent of revenue to fraud each year. Think about how much that means to your organization’s bottom line. Not pretty. Fraud hits smaller organizations and nonprofits even harder, which means a bigger bite out of annual revenue.

 

The Association of Certified Fraud Examiners’ 2018 Report to the Nations on Occupational Fraud and Abuse says that the median loss of fraud cases examined over the last two years was $130,000. Twenty-two percent of losses exceeded $1 million!

 

Organizations can be reluctant to report fraud to law enforcement for two related reasons – bad publicity and poor internal disciplines. Reputations and bottom lines are hurt when a fraud case is exposed in the headlines. It’s even worse when the story behind the headline reveals that financial controls and oversight were so lax, the organization essentially handed the stolen funds to the fraudster.

 

Financial controls that fail to detect or prevent fraud are the symptom of a larger issue – poor workplace culture. What is that, and why is it important? Workplace culture is the personality of an organization – the values, accepted behaviors and attitudes that make the environment and its people work together.

 

Part of a strong workplace culture is promoting ethical, honest and transparent actions, starting with senior management. A strong tone at the top goes a long way to letting everyone in the organization know that dishonest and unethical behavior is not tolerated. Fraud is less likely to occur in an organization with strong workplace culture and tone at the top.

 

So here’s the ironic part. In a recent report, The Culture Economy, 60% of smaller business leaders think that strong organizational culture is a “nice to have” thing, not a necessity. What?! Just look at the fraud statistics to see how essential workplace culture is to the financial success of an organization. Sure, not everyone working in a place with lax financial controls is going to commit fraud; but lax controls make it easy for the dishonest or financially-stressed employee to steal or engage in corrupt practices.

 

A strong workplace culture lets your employees know that fraud and other dishonest behavior will not be tolerated. Of course, strong financial controls and oversight are important. Clear messaging about expectations and appropriate actions goes a long way to making sure your employees know that fraud will not be tolerated.

Three Types of Fraud and How to Prevent Them

Every organization is vulnerable to fraud. According to the most recently published Report to the Nations on Occupational Fraud & Abuse, the typical organization loses 5 percent of its revenues to fraud each year. Smaller organizations and nonprofits are even more susceptible to fraud losses because of lower staffing levels and technology investments.

Understanding the types of fraud and how they can happen is the first step to preventing and detecting fraud, and minimizing the impact. Fraud can be broken down into three major types — asset misappropriation, corruption and financial statement reporting.

 

Here is some insight on each type of fraud and tips to prevent them:

 

Asset Misappropriation

Asset misappropriations involve an intentional theft or misuse of the organization’s financial or non-financial resources. Common examples are stealing cash, over-billing, and inflated expense reports. This is by far the most common fraud, making up almost 90 percent.

 

The most powerful weapons against asset misappropriations are segregating duties and exception reporting. Segregating duties prevents one person from having too much control over financial activities, like separating expense approval and check signing from the person who reconciles the bank account. Exception reporting highlights things that are out of the ordinary or shouldn’t happen, like an expense report submitted for a business trip that the employee didn’t take.

 

Corruption

Corruption is the next most common form of fraud. Thirty-eight percent of the studied cases involved some form of corrupt act, often involving senior management with authority over essential elements of the organization, like sales and operations. About 70 percent of corruption cases were perpetrated by someone who misused her or his authority to gain direct or indirect benefit. Examples include bribery, kick-backs and conflicts of interest.

 

Segregation of duties and exception reporting are also useful tools to detect and prevent corruption. A zero-tolerance policy from the top is another useful deterrent to corrupt practices.

 

Financial Statement Reporting

Financial statement fraud is less common than the first two types, but is usually the most costly. While only 10 percent of fraud cases are from manipulating financial statements, the median cost is a whopping $800,000. This type of fraud is commonly perpetrated by middle or senior managers whose income is based on meeting projected financial targets. Methods to thwart financial statement fraud are independent oversight, such as audits, and effective governance. Not exactly the easy stuff.

 

Recognizing that fraud can happen and implementing a proactive action plan to minimize the impact are two steps to prevent and detect the three types of fraud. Powerful weapons like segregating duties, exception reporting and zero-tolerance policies can minimize the impact of fraud in your organization.

Basic IT Controls Still Reduce Cyber Fraud

Last week’s Institute of Internal Auditors (IIA) cyber fraud webinar was a great reminder. Basic IT controls that we learned years ago are still valuable to follow. Sales reps may promise that their product is the “silver bullet” for preventing cyber fraud, but those apps don’t replace good old-fashioned IT controls and training.

 

Fraud has existed for a long, long time. Technology gives criminals new opportunities to perpetrate bigger frauds more quickly than ever before. Many data breaches occur because basic IT controls are neglected, leaving systems vulnerable to hacks and malware. Purchasing advanced solutions doesn’t replace basic IT controls.

 

Four basic IT controls that reduce cyber fraud are:

 

  1. Update and Patch Management

Skipping system updates and patches creates vulnerabilities, such as those that were exploited by hackers in some recent cyber fraud events (e.g., Equifax and Home Depot). Excuses for skipping updates and patches include lack of time and concern about impacts on other systems. Updates and patches are crucial — they protect systems with up-to-date security processes.

 

  2. Monitoring

System logs and periodic monitoring should be established to detect operating activities or conditions that should not occur. Anomalies, such as after-hours transaction volume spikes and data transmitted to an unauthorized IP address, should be monitored and acted on. Automated alerts and error reports require follow-up and action to be effective.

 

  3. Password Management

Passwords are the key to the front door of an organization’s systems. Sharing passwords and keeping factory-issued passwords are like hanging the keys on the door knob. One example is when a system administrator fails to change the manufacturer’s default password, leaving the door to that system wide open to unauthorized access.

 

  4. Fraud Risk Training

Traditional methods, like training and documentation, make people aware of cyber threats and vulnerabilities. Real life examples of the risks and costs of a data breach, and techniques used by hackers to manipulate people and data, help workers to recognize risks and how to avoid them.
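The monitoring control above, sketched as an added example (not from the original post or the IIA webinar): a small log check that flags the two anomalies named there, after-hours transaction volume spikes and data sent to an unapproved IP address. The log format, business hours, threshold and approved-network list are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed policy values for illustration; tune them to your own environment.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time, Monday to Friday
AFTER_HOURS_LIMIT = 3           # after-hours transactions allowed per user per day
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

# Constructed sample log (hypothetical format): timestamp, event, user, key=value fields.
SAMPLE_LOG = """\
2024-03-04T10:15:00 TXN alice amount=120.00
2024-03-04T11:02:00 TXN bob amount=75.50
2024-03-04T14:30:00 XFER alice dst=10.1.2.3 bytes=2048
2024-03-04T22:01:00 TXN carol amount=900.00
2024-03-04T22:03:00 TXN carol amount=950.00
2024-03-04T22:05:00 TXN carol amount=980.00
2024-03-04T22:07:00 TXN carol amount=990.00
2024-03-04T22:40:00 XFER carol dst=203.0.113.7 bytes=52428800
2024-03-04T23:10:00 TXN bob amount=40.00
"""


def parse(log_text):
    """Yield (timestamp, kind, user, fields) per well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        yield ts, parts[1], parts[2], fields


def is_after_hours(ts):
    """Weekends and anything outside BUSINESS_HOURS count as after hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def after_hours_spikes(events):
    """Return {(user, date): count} where after-hours transactions exceed the limit."""
    counts = Counter((user, ts.date().isoformat())
                     for ts, kind, user, _ in events
                     if kind == "TXN" and is_after_hours(ts))
    return {key: n for key, n in counts.items() if n > AFTER_HOURS_LIMIT}


def unapproved_transfers(events):
    """Return (user, destination, bytes) for transfers outside the approved networks."""
    hits = []
    for _, kind, user, fields in events:
        if kind != "XFER":
            continue
        raw = fields.get("dst", "")
        size = int(fields["bytes"]) if fields.get("bytes", "").isdigit() else 0
        try:
            approved = any(ipaddress.ip_address(raw) in net for net in APPROVED_NETS)
        except ValueError:
            approved = False    # an unparseable destination is itself an exception
        if not approved:
            hits.append((user, raw, size))
    return hits


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("After-hours spikes:", after_hours_spikes(events))
    print("Unapproved transfers:", unapproved_transfers(events))
```

Each flagged item still needs a named reviewer and a follow-up step; the script only produces the exception list.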

 

Even after investing in silver bullet applications, organizations can still fall victim to cyber fraud due to a breakdown in basic IT controls. Following these four basic IT controls helps organizations reduce their vulnerability to expensive cyber fraud.

Fraud and Cyber Risk

Last week, I attended a cyber risk workshop offered by the local chapter of the Institute of Internal Auditors. One of the presenter’s slides listed data breaches that occurred so far in 2017, including Equifax, the Securities and Exchange Commission, and Home Depot. It’s pretty scary, especially when you think about what the cyber criminals are after – your money.

 

Fraud has existed for a long, long time. Technology gives criminals new opportunities to perpetrate bigger frauds more quickly than ever before. Organizations fight back by adding more technology skills to their fraud prevention and investigation teams. According to the Association of Certified Fraud Examiners’ (ACFE’s) In-house Fraud Investigation Teams: 2017 Benchmarking Report, building forensics and cybersecurity expertise is a big focus.

 

Of the nearly 1,500 anti-fraud professionals who responded to the global survey:

 

  • 43% say their organization is seeking or expecting to add expertise in digital forensics to its fraud investigation team.
  • 36% say their fraud team has cybersecurity skills, while 37% are looking to add those skills.
  • Only 16% of teams investigate data breach incidents frequently and 27% investigate them occasionally, indicating a possible lack of expertise.

Responding organizations cited that their fraud investigations were related to:

  • Employee embezzlement (40%)
  • Frauds committed by customers (40%)
  • Frauds committed by vendors or contractors (32%)
  • Human resources issues (30%)

IT security professionals often think that their organizations have the controls needed to prevent cyber threats that can lead to fraud. That is not enough! Everyone connected to your systems needs to understand and follow security practices and know why they are important.

 

Clarify your organization’s fraud controls and each person’s role to protect data and funds by:

 

  • Documenting responsibilities for security and secure work practices. Security is part of everyone’s job.
  • Training everyone about security and why it is important. People tend to follow procedures that they understand.
  • Implementing incident detection to locate and shut down attacks that can become data breaches.

 

Fighting fraud requires that organizations ensure they have adequate technology skills on their fraud prevention and investigation teams. Recent reports – as well as recent events — tell us that many organizations still need to beef up their cyber teams to protect our money from fraud.

Could your Organization Fall Victim to Fraud?

Did you know that about 5% of all revenue earned by organizations in the United States is lost to fraud? That’s 5% of everyone’s hard work being siphoned off every year! The statistics are even worse for small businesses and nonprofits because they usually have fewer people and resources.

 

So exactly what is fraud? How can it happen, and how can it be prevented?

 

Fraud is an illicit act of deceit or mistrust to obtain money, or derive business or personal advantage. Fraud is perpetrated with intent to inflict suffering on another to achieve financial or other gain.

 

Frauds fall into three categories:

 

  1. Asset misappropriation represents the highest volume of fraud instances, but the lowest dollar amount. Examples include taking home office supplies and using a company vehicle for personal transportation.

  2. Financial statement manipulation represents the lowest volume and the highest dollar amount. This is due to the position and motives of the organization’s senior management. They have access to alter reported revenue and expense information.

  3. Corruption includes submitting fraudulent invoices from fictitious vendors and paying bribes. These frauds may also involve regulatory breaches, such as under the Foreign Corrupt Practices Act (FCPA).

 

Organizations that take these three actions reduce their chances of falling victim to fraud.

 

  1. Zero Tolerance – Communicate and train everyone in your organization that fraud and related activities will not be tolerated. Address the ramifications of engaging in fraud, such as termination and prosecution. Be prepared to take those actions, if necessary.

  2. Segregate Tasks – Assign transaction tasks in a way that makes it difficult for funds to be diverted from your bottom line. Examples include separating payment request and preparation from spending approvals and signing checks.

  3. Reconciliations/Independent Review – Someone who has no responsibility for initiating, preparing, or approving transactions must reconcile the books. Periodic reviews should be performed by someone who is independent of the transaction process, but familiar enough with the organization to identify inappropriate activity.

 

Avoid losing 5% in revenue to fraud by taking these three actions, and reduce the chance that your organization will fall victim to fraud. Your bottom line will thank you.