HIAS forum briefing: Fraud risk in a recession
30 March 2009 - Neil Baker
Fraud is always an important issue for internal audit functions. But in a recession, there is probably even more need to direct resources at this risk. When the economic climate is bleak, the temptation to commit fraud increases and organisations need to make sure they have appropriate defences in place.
A recent meeting of the IIA’s Heads of Internal Audit Service Forum discussed the growing fraud threat, and how organisations should respond. Many of the auditors who attended the session were actively reviewing their fraud policies, or were about to start a review. Bill Cleghorn, the forensic accountant and fraud investigator who gave a presentation to start the debate, told delegates “there are no new frauds, just different ways of perpetrating them.” But he did provide some valuable insights into how the law on fraud has changed recently and some emerging fraud trends and risks.
What is fraud?
The external auditing standard SAS 110 defines fraud as:
“The use of deception to obtain an unjust or illegal financial advantage and intentional misrepresentation affecting the financial statements by one or more individuals among management, employees or third parties.”
Fraud can also involve:
Falsification or alteration of accounting records or other documents
• Misappropriation of assets or theft
• Suppression or omission of the effects of transactions from records or documents
• Intentional misapplication of accounting policies
• Wilful misrepresentation of transactions or of the entity’s state of affairs
Until recently, there was no specific criminal offence of fraud in the UK. However, this changed with the introduction of the Fraud Act 2006, which created three main offences:
• False representation
• Failing to disclose information (i.e. where someone has a legal duty to disclose)
• Abuse of position
It also created four lesser offences:
• Possession of articles for use in the course of fraud (such as credit card skimming devices)
• Supplying articles for use in frauds
• Participating in fraudulent business by a sole trader
• Obtaining services dishonestly
Fraud risk
Cleghorn identified just some of the ways in which a recession can increase the risk of fraud. With a squeeze on profit margins, pressure on personal targets, or a reduction in staff numbers, for example, people are more likely to override or disregard internal controls or engage in unethical business practices.
A downturn also exposes frauds that have been running for some time, undetected. Fraudulent “black holes”, caused by inflated stock values or a refusal to write down bad debts, cannot be sustained indefinitely. As the recession worsens, frauds like these are flushed out.
Recession also increases the personal financial worries that can lead people to commit fraud. Fear of redundancy can make existing difficulties worse. A lack of money can make it hard for someone to sustain a cash draining habit, such as a drug or gambling addiction.
Furthermore, in tough economic times, organisations take decisions that their employees don’t like. A desire to “get back at my bosses”, is a common reason for fraud, said Cleghorn.
These pressures create a series of what Cleghorn divided into internal and external fraud risks. Common internal risks include expenses fraud, target manipulation, payroll fraud, supplier fraud, funds diversion, data theft and asset theft. External risks include supplier over-pricing, double invoicing, procurement fixing, contractual irregularities and identity theft.
Red flags
Cleghorn identified some of the “red flags” that internal auditors should watch out for as an indicator of potential fraud. These include:
• Invoices from different companies in the same style
• Handwritten invoices
• Invoices that only carry mobile phone numbers
• Unusual invoice numbers or dates
• Odd documentation, such as handwritten alterations
• Information provided reluctantly or after a long delay
• Incomplete or inadequate accounting records
• Unsupported transactions
• Unusual transactions – by nature, volume or complexity – especially if they are near a year-end
• Transactions not properly recorded
Sharing
After the opening presentation, delegates broke into smaller groups to discuss the issues raised. Here are three of the points they shared:
• Most frauds are small and might not therefore appear in a risk-based audit plan by virtue of the monetary value involved, yet the impact of even a small fraud on morale and corporate reputation can be huge. It is important, therefore, to audit the effectiveness of the organisation’s fraud policy, including staff awareness of it, as a weakness here would be a high risk.
• Internal audit can give a higher profile to fraud awareness and controls simply by including questions on fraud in every audit assignment.
• Writing the fraud policy should be a role for management, although internal audit might have input as a specialist control function. However, the extent to which internal audit should be involved in preventing, detecting or investigating fraud is an issue that can often cause confusion (see the guidance on this mentioned below).
Resources
• The IIA – UK and Ireland published a Position Statement on fraud in 2003. This outlines the role and responsibilities of the internal auditor in relation to corporate fraud: Click here to access it (login required).
• The IIA – UK and Ireland has also published a short guidance note to answer the specific question of whether directors have a fiduciary responsibility to investigate a fraud, if it has been drawn to their attention: Click here (login required).
• The Fraud Advisory Panel is a charity that works to raise awareness of fraud and helps organisations to prevent it. Its website has a wealth of useful information, including some model corporate fraud policies.
For the Panel’s website click here.
For the model policies click here.
• The Global IIA’s website has a section dedicated to fraud resources, including a practical guide, Managing the Business Risk of Fraud: Click here to access it.