Compliance & EthicsProfessional

®

a publication of the society of corporate compliance and ethics www.corporatecompliance.org

October

2016

41Fraud awareness training: Enhancing

a low cost, high impact control in challenging economic times

Heidi Schubert, Lisa Zaharia, and Bruce McKenzie

35What new

cybersecurity requirements mean

for contractorsPamela Passman

25A passion

for compliance & 

ethicsCris Mattoon

29Yes, a board can positively affect

culture: 10  practical actions

Marjorie Doyle

Meet Lisa Fine

Director, Global Compliance

gategroup

Reston, VA

See page 14

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 41

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6

FEATURE

by Heidi Schubert, Lisa Zaharia, and Bruce McKenzie

Economic downturn puts more pressure on executives, employees and vendors, increasing the

potential for good people to do bad things. Fraud awareness training is an effective way to equip employees with the tools and knowledge to recognize and report suspicious activity.

Three factors are generally accepted as being necessary for a fraud to occur: pressure (or motivation), opportunity, and the ability to rationalize bad behavior. The presence of each of these factors rises during periods of economic hardship impacting organizations and individuals

alike, both experiencing the pressure of increased financial strain. With the added job responsibilities left behind by departed colleagues, reduced resources, and decreased morale, remaining employees often experience an increased pressure to perform. In this environment, opportunities for fraud proliferate. Cuts to the workforce, as well as programs and controls, can lead to internal control gaps and fewer proactive fraud prevention measures.1

Fraud awareness training: Enhancing a low cost, high impact control in challenging economic times

» Economic downturn can enhance pressures that lead to increased fraud activity.

» Staff re-organizations, lay-offs, and scrutinized spending present an opportunity for companies to uncover fraudulent activity that was previously undetected during busier times.

» Employees are an important source of tips, so by increasing fraud awareness training, employees can be well equipped to know what to look for and how to report suspicious activity.

» Fraud occurs at all levels and can lead to both financial and reputational consequences. Personnel at all levels in the organization, including the board, management, and staff, have a responsibility to understand fraud risk, the company expectation around mitigation measures, and their personal responsibility to speak up and report suspicious activity or misconduct.

» The key components of a fraud awareness training pack are contained in this article, including: types of fraud, consequences, frequency and potential perpetrators, fraud indicators, controls, and how to report suspicious activity.

Schubert

Zaharia

McKenzie

42 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6FEATURE

Fraud is an event that few people and organizations like to acknowledge. Unfortunately, it happens in every organization and is committed at all levels. Current estimates suggest that fraud accounts for value leakage of up to 5% of revenues.2 This excludes intangible costs associated with fraud such as reputational damage, investigation expenses, and damage to the company culture. Employees are a valuable source of information for discovering potential fraud. According to the 2014 Report to the Nations on Occupational Fraud and Abuse, more than 40% of the reported fraud cases studied were discovered through tips. Employees were the source of almost half of all tips.3 Economic downturns offer a unique opportunity for fraud detection, and employees play a key role.

Company restructuring and resulting staff role changes offer a renewed perspective on current business processes. Budgets are tighter and under much closer scrutiny—potentially uncovering discrepancies and inconsistencies that could be red-flags requiring further inquiry. Also, because expenditures and operations are more closely scrutinized and employees are uncertain about their positions, they might be more inclined to speak up to help the company and preserve their job. So the opportunity to uncover inappropriate activity increases, but only if employees have the awareness around what to look for and how to report.

Employees trained in fraud awareness can help to identify suspicious activity. In a resource constrained environment, fraud awareness training is a low cost, high impact means to enhance fraud risk detection, management, and expectations throughout an organization. In other words, it is an effective preventive control.

Programmatic approach: Ideal best practiceCompliance professionals are schooled in the value of a programmatic approach to risk mitigation, so it is no surprise to a compliance professional that to be truly effective, a fraud risk management program needs to be managed holistically.4

It can be difficult to institute or reshape a fraud risk management program in tough economic times. There are limits on an organization’s human and capital resources and its overall capacity to manage continuing change. There are also constraints on how much can be spent on designing, implementing, and conducting systems of internal control. In these times, there is often ”no appetite” for new programs. Despite these realities during strained economic times, there is a low cost but high impact, effective tool to uncover and mitigate fraud risks—interactive fraud awareness training.

Interactive fraud awareness trainingPersonnel at all levels in the organization, including the board, management, and staff, have a responsibly to understand fraud risk, the company expectation around mitigation measures, and their personal responsibility to speak up and report suspicious activity or misconduct. To ensure this occurs, every member of the organization should have some form of fraud training both at the time of hire and annually thereafter. In-person, interactive sessions that maximize engagement through discussion are more effective training venues over online training. Tapping into this type of engaging awareness sessions is a source of valuable information that is an enhancement to an internal control. Effective fraud awareness training is one of the best ways to equip employees with the tools and knowledge to recognize and report fraud.

+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 43

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6

FEATURE

What follows is a guide to the key topics for an effective fraud awareness training program:

· Fraud definition and the types of fraud · Consequences, frequency, and perpetrators · Recipe for fraud · Fraud indicators · Fraud controls · Reporting suspicious activity

Fraud definition and the types of fraudFraud: A deliberate deceit which is planned and executed to deprive an individual or company of property, money, or any other valuable security. A deceit being a mischaracterization of the actual transaction.5

According to the Association of Certified Fraud Examiners (CFE) there are three general categories of fraud: 6

1. Financial statements (e.g., underestimating liabilities and/or over estimating revenues);

2. Corruption (e.g., transactions that are not arm’s length, acquisition of company property for less than market value); and

3. Asset misappropriation (e.g. falsifying expense claims, stealing money from the company account, falsifying supplier invoices, theft of stock, fictitious invoicing, and/or theft of raw materials).

The types of fraud activities will vary between organizations and is a function of the type of business activities in which the entity is engaged, its inherent risks, and the fraud controls in place.

Consequences, frequency, and perpetratorsThe financial impact of fraud is bigger than one might think. In terms of overall impact on an organization, the CFE estimates fraud losses are approximately 5% of annual revenues. In real dollars, this means an organization with annual revenues of $3 billion could be losing up to $150 million per year. This would be the equivalent of losing over $400,000 per day.

Although the frequency of fraud related to asset misappropriation is the highest at over 80%, the value per incident is the lowest at about $125,000 per incident (See Figure 1). While the frequency of fraud related to manipulating financial statements is lowest at 10%, the cost per incident at $975,000 per incident is the highest.7 Although the occurrences are much less frequent, when committed by executive and senior management, the fraud incidents have a much higher financial impact.

Financial Statements

Corruption (…Ethics)

Asset Misappro-

priation

10%

35%

84%

$975k

$200k

$12k

Legend Frequency (%) Median Loss Executive/Management Employees

Frequency & value of fraud by type

Adapted from Association Of Certified Fraud Examiners. 2016 Report to the Nations on Occupational Fraud and Abuse.

Note: The percentages do not add up to 100% as some of the fraud cases involved more than one of the three categories of occupational fraud.

Figure 1

44 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6FEATURE

Recipe for fraudFraud is committed by individuals. Even fraud within large corporate entities is ultimately through decisions and actions of individuals. The decision to bend or break the rules is a personal one.

As mentioned in the opening paragraphs, economic turbulence can increase fraud activity. Understanding how the three factors – motivation (or pressure), rationalization, and opportunity – work together to facilitate fraudulent activity helps employees understand what to look for in the organization and how to identify misconduct. Two main motivators/pressures stand out as the most significant and are enhanced in difficult economic times: the pressure to “do whatever it takes” and to seek personal gain.8

Below are listed the three factors along with phrases or rationales (in brackets) that might be heard in an organization.

1. Motive (or pressure)– The need for committing the act (i.e., want of money or the need to please). – Do “whatever it takes” to meet goals – Personal gain (i.e., greed such as

the need to keep up appearances in the community)

– To get out of a temporary situation (e.g., the borrower: “It’s only until we get our bonus”)

– Expensive habits such as drugs or gambling (e.g., an executive with a cocaine habit)

– Desire to maintain lifestyle that one had during better economic times (e.g., keeping the summer cottage)

– Need to make ends meet to support a family (e.g., children in university)

– Over-committing oneself to assets that have dropped in value (e.g., real estate)

– Making business or personal performance targets (e.g., not reporting accidents to meet HSE targets)

2. Rationalization– The mindset that justifies the fraudulent act: – Everyone else is doing it – Culturally acceptable (i.e., “That’s the

way we do business around here”) – Belief they will not get caught (i.e.,

“They never check”) – “I deserve it” because my salary has

been cut or bonuses are less this year – What I’m doing is not fraudulent,

I’m just borrowing money from the company

– We are doing more with less around here, and I have to work harder now

3. Opportunity– A situation that enables fraud to occur (i.e., position of financial authority). Opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to deterrence: – Minimal controls or controls are

not enforced – Tone from the top (moral compass) – Cost-cutting measures may include

some fraud control mechanisms (e.g., data monitoring, fraud detection teams, surprise audits, etc.)

– Potential loss of segregation of duties as staff is reduced

– More responsibility on fewer people

Fraud indicator: Behavioral warning signsUnderstanding the indicators of fraud is critical for staff to recognize and report potential fraud. Equally important, employees when identifying fraud warning signs must not jump to conclusions that fraud has or is actually occurring. Reporting the suspicious activity should initiate the investigative process, which

+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 45

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6

FEATURE

will ultimately determine if fraudulent activity has occurred.

The Association of Certified Fraud Examiners in the 2016 Report to the Nations noted several behavioral warning signs that were present in the majority of reported fraud cases.9 The six most common red flags shown on the graphic to the right have consistently been the six most common red flags in every report since 2008 (See Figure 2).

Fraud indicators: Financial warning signsThese warning signs need to be tailored to a particular business, but the following are some of the more common financial warning signs:

· Unexplained variances between budget and actual amount

· Abnormal changes in account balances or invoices just under approval authority amounts

· Abnormal invoice volume · Rounded amount invoices · Infrequent or late financial reports · Accounting staff is 3-4 months

behind on preparation of monthly bank reconciliations

· Missing documents · Large liabilities related to

unexpected contracts · Significant internal control issues

being reported · Supplier complaints

Fraud controlsFor fraud controls to be effective, they need to be communicated and understood. This section is an opportunity for the organization to review the controls they have in place and the expectations around

compliance. This section would need to be tailored to a particular organization.

Most common fraud controls as surveyed by Fraud Examiners: Frequency of Anti-Fraud Controls.10

1 0 5 10 15 20 25 30 35 40 45 50

Complained About Lack of Authority

Instability in Life Circumstances

Excessive Family/Peer Pressure for Success

Social Isolation

Past Legal Problems

Other

Excessive Pressure from Within Organization

Past Employment-Related Problems

Refusal to Take Vacations

Complained About Inadequate Pay

No Behavioural Red Flags

Addiction Problems

Irritability, Suspiciousness, or Defensiveness

Divorce/family Problems

Wheeler-Dealer Attitude

Control Issues, Unwillingness to Share Duties

Unusually Close Association with Vendor/Customer

Financial Difficulties

Living Beyond Means Living beyond their means Financial difficulties

Excessive family/peer pressure for success

Divorce/family problems

Other Past legal problems

Social Isolation

Wheeler-dealer attitude

Irritability, suspicious or defensive Addiction problems

No behavioural red flags

Unusually close with vendor/customer Control issues, unwillingness to share duties

Complained about inadequate pay Refusal to take vacations

Past employment-related problems Excessive pressure from within organization

How to identify fraud: Behavioral Warning Signs of Fraudsters

Complained about lack of authority

Ø  Work

Ø  Family pressure

Ø  Character

Ø  Financial

Association Of Certified Fraud Examiners. 2016 Report to the Nations on Occupational Fraud and Abuse.

Instability in life circumstances

Figure 2

Control %

External Audit of Financial Statement (F/S) 81.7

Code of Conduct 81.1

Internal Audit Department 73.7

Management Certification of Financial Statements (F/S) 71.9

External Audit of ICOFR 67.8

Management Review 64.7

Independent Audit Committee 62.5

Hotline 60.1

Employee Support Programs 56.1

Fraud Training for Employees 51.6

Fraud Training for Managers/Executives 51.3

Anti-Fraud Policy 48.6

Dedicated Fraud Department, Function or Team 41.2

Formal Fraud Risk Assessments 39.2

Surprise Audits 37.8

Proactive Data Monitoring/ Analysis 36.7

Job Rotation/ Mandatory Vacation 19.4

Rewards for Whistleblowers 12.1

Figure 3

46 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

®

Oct

ober

201

6FEATURE

Reporting suspicious activityHigh performing organizations embrace the concept of transparency and speaking up, but it isn’t always easy to achieve. As noted earlier, employee tips are a valuable source of fraud detection information, but employees need to be comfortable reporting suspicious activity. Reporting suspicious activity is the job of everyone, and everyone is encouraged to bring their concerns forward. In a July 2013 IPSOS Reid News release, the authors reported that 42% of Canadian workforce members that were surveyed had observed some form of misconduct in the workplace.10 Of those 42%, approximately 50% did not report it. This means that over 20% of the Canadian workforce surveyed was holding on to information about misconduct that potentially could have assisted their employer in either detecting or preventing further damage. How to speak up and report suspicious activity will vary from organization to organization. While there are a number of reasons for failing to speak up (the subject matter of many papers), one commonly cited reason is that the employee did not know how. This section of the training should include a message of encouragement around the organization’s expectation to speak up, a corporate commitment to the protections provided to individuals that come forward with information, and the various mechanisms available to make a report (i.e., speaking to a supervisor or chief compliance officer, calling into a hotline, and online reporting).

ConclusionDuring an economic downturn, companies are often required to reduce staff and scrutinize spending. This presents an opportunity for companies to uncover fraudulent activity

that was previously undetected during busier times. By increasing fraud awareness training, using inexpensive interactive training programs, employees can be well equipped to know what to look for and how to report any suspected fraud.

“After all, you only find out who is swimming naked when the tide goes out.” Warren

Buffett, 2001 Chairman’s Letter – Berkshire Hathaway ✵

1. Oversight Continous Monitoring. The 2007 Oversight Systems

Corporate Report on Fraud, Available at: http://bit.ly/2bHfCDs2. Association of Certified Fraud Examiners. 2016 Report to the

Nations on Occupational Fraud and Abuse, p. 8. Available at: http://www.acfe.com

3. Ibid., Ref #2, p. 364. Institute of Internal Auditors, American Institute of Certified

Public Accountants and Association of Certified Fraud Examiners. Managing the Business Risk of Fraud: A Practice Guide, p. 8. Available at: https://na.theiia.org

5. Deepankar Sanwalka. Tools and Rules to Combat Fraud, p. 2. Available at: http://bit.ly/2bcmqHT

6. Ibid., Ref #2, p. 107. Ibid., Ref #2, p. 12. Note: 32% of the fraud cases analyzed involved

more than one type of fraud, therefore, the sum of the percentages on the graphic do not equal 100, but are greater than 100.

8. Ibid., Ref #1, p. 29. Ibid., Ref#2, p. 68-7110. Ibid., Ref#2, p. 38, Figure 47: Frequency of Anti-Fraud Controls.11. Ipsos: “Four in Ten (42%) Employed Canadians Have Observed

Some Form of Workplace Misconduct; One in Five (17%) Cite Witnessing Privacy Violations” News & Polls, July 3, 2013. Available at: http://bit.ly/2bx0Tiz

Heidi Schubert (heidifschubert@gmail.com) is the founder of Heidi F. Schubert Legal and Business Advisory Services in Calgary, Alberta, Canada

Lisa Zaharia (lisamzaharia@gmail.com) is the Director of ZBCo. Inc in Calgary, Alberta, Canada

Bruce McKenzie (mckenzie.bruce@ymail.com) is Principal at Above Ground Risk Ltd. in Ladysmith, B.C., Canada

While there are a number of reasons for failing to speak up (the subject matter of many papers), one commonly

cited reason is that the employee did not

know how.