1. Compliance & Ethics
Professional
®
a publication of the society of corporate compliance and ethics www.corporatecompliance.org
October
2016
41
Fraud awareness training: Enhancing
a low cost, high impact control in
challenging economic times
Heidi Schubert, Lisa Zaharia,
and Bruce McKenzie
35
What new
cybersecurity
requirements mean
for contractors
Pamela Passman
25
A passion
for compliance
ethics
Cris Mattoon
29
Yes, a board can
positively affect
culture: 10
practical actions
Marjorie Doyle
Meet Lisa Fine
Director, Global Compliance
gategroup
Reston, VA
See page 14
This article, published in Compliance Ethics Professional, appears here with permission from the Society of Corporate Compliance Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.
2. +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 41
ComplianceEthicsProfessional®
October2016
FEATURE
by Heidi Schubert, Lisa Zaharia, and Bruce McKenzie
E
conomic downturn puts more
pressure on executives, employees
and vendors, increasing the
potential for good people to do bad things.
Fraud awareness training is an effective
way to equip employees with the tools
and knowledge to recognize and report
suspicious activity.
Three factors are generally accepted
as being necessary for a fraud to occur:
pressure (or motivation), opportunity, and
the ability to rationalize bad behavior.
The presence of each of these factors rises
during periods of economic hardship
impacting organizations and individuals
alike, both experiencing the
pressure of increased financial
strain. With the added job
responsibilities left behind by
departed colleagues, reduced
resources, and decreased morale,
remaining employees often
experience an increased pressure
to perform. In this environment,
opportunities for fraud proliferate.
Cuts to the workforce, as well
as programs and controls, can
lead to internal control gaps
and fewer proactive fraud
prevention measures.1
Fraud awareness training:
Enhancing a low cost, high
impact control in challenging
economic times
»» Economic downturn can enhance pressures that lead to increased fraud activity.
»» Staff re-organizations, lay-offs, and scrutinized spending present an opportunity for companies to uncover
fraudulent activity that was previously undetected during busier times.
»» Employees are an important source of tips, so by increasing fraud awareness training, employees can be
well equipped to know what to look for and how to report suspicious activity.
»» Fraud occurs at all levels and can lead to both financial and reputational consequences. Personnel
at all levels in the organization, including the board, management, and staff, have a responsibility
to understand fraud risk, the company expectation around mitigation measures, and their personal
responsibility to speak up and report suspicious activity or misconduct.
»» The key components of a fraud awareness training pack are contained in this article, including: types
of fraud, consequences, frequency and potential perpetrators, fraud indicators, controls, and how to
report suspicious activity.
Schubert
Zaharia
McKenzie
3. 42 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
ComplianceEthicsProfessional®
October2016 FEATURE
Fraud is an event that few people
and organizations like to acknowledge.
Unfortunately, it happens in every
organization and is committed at all levels.
Current estimates suggest that fraud
accounts for value leakage of up to 5% of
revenues.2
This excludes intangible costs
associated with fraud such as reputational
damage, investigation expenses, and
damage to the company culture. Employees
are a valuable source of information for
discovering potential fraud. According
to the 2014 Report to the Nations on
Occupational Fraud and Abuse, more than
40% of the reported fraud cases studied were
discovered through tips. Employees were the
source of almost half of all tips.3
Economic
downturns offer a unique opportunity
for fraud detection, and employees play a
key role.
Company restructuring and resulting
staff role changes offer a renewed
perspective on current business processes.
Budgets are tighter and under much
closer scrutiny—potentially uncovering
discrepancies and inconsistencies that could
be red-flags requiring further inquiry. Also,
because expenditures and operations are
more closely scrutinized and employees
are uncertain about their positions, they
might be more inclined to speak up to help
the company and preserve their job. So
the opportunity to uncover inappropriate
activity increases, but only if employees have
the awareness around what to look for and
how to report.
Employees trained in fraud awareness
can help to identify suspicious activity. In
a resource constrained environment, fraud
awareness training is a low cost, high impact
means to enhance fraud risk detection,
management, and expectations throughout
an organization. In other words, it is an
effective preventive control.
Programmatic approach: Ideal best practice
Compliance professionals are schooled
in the value of a programmatic approach
to risk mitigation, so it is no surprise to a
compliance professional that to be truly
effective, a fraud risk management program
needs to be managed holistically.4
It can be difficult to institute or reshape
a fraud risk management program in
tough economic times. There are limits
on an organization’s human and capital
resources and its overall capacity to
manage continuing change. There are also
constraints on how much can be spent on
designing, implementing, and conducting
systems of internal control. In these
times, there is often ”no appetite” for new
programs. Despite these realities during
strained economic times, there is a low cost
but high impact, effective tool to uncover
and mitigate fraud risks—interactive fraud
awareness training.
Interactive fraud awareness training
Personnel at all levels in the organization,
including the board, management, and
staff, have a responsibly to understand
fraud risk, the company expectation
around mitigation measures, and their
personal responsibility to speak up and
report suspicious activity or misconduct.
To ensure this occurs, every member of
the organization should have some form of
fraud training both at the time of hire and
annually thereafter. In-person, interactive
sessions that maximize engagement through
discussion are more effective training
venues over online training. Tapping into
this type of engaging awareness sessions is
a source of valuable information that is an
enhancement to an internal control. Effective
fraud awareness training is one of the best
ways to equip employees with the tools and
knowledge to recognize and report fraud.
4. +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 43
ComplianceEthicsProfessional®
October2016
FEATURE
What follows is a guide to the key
topics for an effective fraud awareness
training program:
·· Fraud definition and the types of fraud
·· Consequences, frequency, and perpetrators
·· Recipe for fraud
·· Fraud indicators
·· Fraud controls
·· Reporting suspicious activity
Fraud definition and the
types of fraud
Fraud: A deliberate deceit
which is planned and executed
to deprive an individual
or company of property,
money, or any other valuable
security. A deceit being a
mischaracterization of the
actual transaction.5
According to the
Association of Certified Fraud
Examiners (CFE) there are three
general categories of fraud:6
1. Financial statements (e.g.,
underestimating liabilities
and/or over estimating
revenues);
2. Corruption (e.g.,
transactions that are not
arm’s length, acquisition of
company property for less
than market value); and
3. Asset misappropriation (e.g. falsifying
expense claims, stealing money from
the company account, falsifying supplier
invoices, theft of stock, fictitious invoicing,
and/or theft of raw materials).
The types of fraud activities will vary
between organizations and is a function of the
type of business activities in which the entity
is engaged, its inherent risks, and the fraud
controls in place.
Consequences, frequency, and perpetrators
The financial impact of fraud is bigger than
one might think. In terms of overall impact
on an organization, the CFE estimates fraud
losses are approximately 5% of annual
revenues. In real dollars, this means an
organization with annual revenues of
$3 billion could be losing up to $150 million
per year. This would be the equivalent of
losing over $400,000 per day.
Although the frequency of fraud related
to asset misappropriation is the highest at
over 80%, the value per incident is the lowest
at about $125,000 per incident (See Figure 1).
While the frequency of fraud related to
manipulating financial statements is lowest
at 10%, the cost per incident at $975,000
per incident is the highest.7
Although
the occurrences are much less frequent,
when committed by executive and senior
management, the fraud incidents have a much
higher financial impact.
Financial
Statements
Corruption
(…Ethics)
Asset
Misappro-
priation
10
%
35%
84%
$975k
$200k
$12k
Legend
Frequency (%)
Median Loss
Executive/Management
Employees
Frequency value of fraud by type
Adapted from Association Of Certified Fraud Examiners. 2016 Report to the Nations on Occupational Fraud
and Abuse.
Note: The percentages do not add up to 100% as some of the fraud cases
involved more than one of the three categories of occupational fraud.
Figure 1
5. 44 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
ComplianceEthicsProfessional®
October2016 FEATURE
Recipe for fraud
Fraud is committed by individuals. Even
fraud within large corporate entities is
ultimately through decisions and actions of
individuals. The decision to bend or break
the rules is a personal one.
As mentioned in the opening
paragraphs, economic turbulence can
increase fraud activity. Understanding how
the three factors – motivation (or pressure),
rationalization, and opportunity – work
together to facilitate fraudulent activity
helps employees understand what to look
for in the organization and how to identify
misconduct. Two main motivators/pressures
stand out as the most significant and are
enhanced in difficult economic times: the
pressure to “do whatever it takes” and to
seek personal gain.8
Below are listed the three factors along
with phrases or rationales (in brackets) that
might be heard in an organization.
1. Motive (or pressure)– The need for
committing the act (i.e., want of money
or the need to please).
–– Do “whatever it takes” to meet goals
–– Personal gain (i.e., greed such as
the need to keep up appearances in
the community)
–– To get out of a temporary situation
(e.g., the borrower: “It’s only until we
get our bonus”)
–– Expensive habits such as drugs or
gambling (e.g., an executive with a
cocaine habit)
–– Desire to maintain lifestyle that one
had during better economic times
(e.g., keeping the summer cottage)
–– Need to make ends meet to support a
family (e.g., children in university)
–– Over-committing oneself to assets
that have dropped in value (e.g.,
real estate)
–– Making business or personal
performance targets (e.g., not reporting
accidents to meet HSE targets)
2. Rationalization– The mindset that justifies
the fraudulent act:
–– Everyone else is doing it
–– Culturally acceptable (i.e., “That’s the
way we do business around here”)
–– Belief they will not get caught (i.e.,
“They never check”)
–– “I deserve it” because my salary has
been cut or bonuses are less this year
–– What I’m doing is not fraudulent,
I’m just borrowing money from
the company
–– We are doing more with less around
here, and I have to work harder now
3. Opportunity– A situation that enables
fraud to occur (i.e., position of financial
authority). Opportunity is most directly
affected by the system of internal controls
and generally provides the most actionable
route to deterrence:
–– Minimal controls or controls are
not enforced
–– Tone from the top (moral compass)
–– Cost-cutting measures may include
some fraud control mechanisms (e.g.,
data monitoring, fraud detection teams,
surprise audits, etc.)
–– Potential loss of segregation of duties as
staff is reduced
–– More responsibility on fewer people
Fraud indicator: Behavioral warning signs
Understanding the indicators of fraud is critical
for staff to recognize and report potential
fraud. Equally important, employees when
identifying fraud warning signs must not jump
to conclusions that fraud has or is actually
occurring. Reporting the suspicious activity
should initiate the investigative process, which
6. +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 45
ComplianceEthicsProfessional®
October2016
FEATURE
will ultimately determine if
fraudulent activity has occurred.
The Association of Certified
Fraud Examiners in the 2016
Report to the Nations noted
several behavioral warning signs
that were present in the majority
of reported fraud cases.9
The six
most common red flags shown
on the graphic to the right have
consistently been the six most
common red flags in every report
since 2008 (See Figure 2).
Fraud indicators: Financial
warning signs
These warning signs need to be
tailored to a particular business,
but the following are some of the more
common financial warning signs:
·· Unexplained variances between
budget and actual amount
·· Abnormal changes in account
balances or invoices just under
approval authority amounts
·· Abnormal invoice volume
·· Rounded amount invoices
·· Infrequent or late financial reports
·· Accounting staff is 3-4 months
behind on preparation of monthly
bank reconciliations
·· Missing documents
·· Large liabilities related to
unexpected contracts
·· Significant internal control issues
being reported
·· Supplier complaints
Fraud controls
For fraud controls to be effective, they
need to be communicated and understood.
This section is an opportunity for the
organization to review the controls they
have in place and the expectations around
compliance. This section would need to be
tailored to a particular organization.
Most common fraud controls as surveyed
by Fraud Examiners: Frequency of Anti-Fraud
Controls.10
1
0 5 10 15 20 25 30 35 40 45 50
Complained About Lack of Authority
Instability in Life Circumstances
Excessive Family/Peer Pressure for Success
Social Isolation
Past Legal Problems
Other
Excessive Pressure from Within Organization
Past Employment-Related Problems
Refusal to Take Vacations
Complained About Inadequate Pay
No Behavioural Red Flags
Addiction Problems
Irritability, Suspiciousness, or Defensiveness
Divorce/family Problems
Wheeler-Dealer Attitude
Control Issues, Unwillingness to Share Duties
Unusually Close Association with Vendor/Customer
Financial Difficulties
Living Beyond MeansLiving beyond their means
Financial difficulties
Excessive family/peer pressure for success
Divorce/family problems
Other
Past legal problems
Social Isolation
Wheeler-dealer attitude
Irritability, suspicious or defensive
Addiction problems
No behavioural red flags
Unusually close with vendor/customer
Control issues, unwillingness to share duties
Complained about inadequate pay
Refusal to take vacations
Past employment-related problems
Excessive pressure from within organization
How to identify fraud: Behavioral
Warning Signs of Fraudsters
Complained about lack of authority
Ø Work
Ø Family pressure
Ø Character
Ø Financial
Association Of Certified Fraud Examiners. 2016 Report to the Nations on Occupational Fraud and Abuse.
Instability in life circumstances
Figure 2
Control %
External Audit of Financial Statement (F/S) 81.7
Code of Conduct 81.1
Internal Audit Department 73.7
Management Certification of Financial Statements (F/S) 71.9
External Audit of ICOFR 67.8
Management Review 64.7
Independent Audit Committee 62.5
Hotline 60.1
Employee Support Programs 56.1
Fraud Training for Employees 51.6
Fraud Training for Managers/Executives 51.3
Anti-Fraud Policy 48.6
Dedicated Fraud Department, Function or Team 41.2
Formal Fraud Risk Assessments 39.2
Surprise Audits 37.8
Proactive Data Monitoring/ Analysis 36.7
Job Rotation/ Mandatory Vacation 19.4
Rewards for Whistleblowers 12.1
Figure 3
7. 46 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
ComplianceEthicsProfessional®
October2016 FEATURE
Reporting suspicious activity
High performing organizations embrace the
concept of transparency and speaking up,
but it isn’t always easy to achieve. As noted
earlier, employee tips are a valuable source
of fraud detection
information, but
employees need to be
comfortable reporting
suspicious activity.
Reporting suspicious
activity is the job of
everyone, and everyone
is encouraged to bring
their concerns forward.
In a July 2013 IPSOS
Reid News release,
the authors reported
that 42% of Canadian
workforce members
that were surveyed had
observed some form of misconduct in the
workplace.10
Of those 42%, approximately
50% did not report it. This means that over
20% of the Canadian workforce surveyed
was holding on to information about
misconduct that potentially could have
assisted their employer in either detecting or
preventing further damage. How to speak
up and report suspicious activity will vary
from organization to organization. While
there are a number of reasons for failing
to speak up (the subject matter of many
papers), one commonly cited reason is that
the employee did not know how. This section
of the training should include a message of
encouragement around the organization’s
expectation to speak up, a corporate
commitment to the protections provided
to individuals that come forward with
information, and the various mechanisms
available to make a report (i.e., speaking to a
supervisor or chief compliance officer, calling
into a hotline, and online reporting).
Conclusion
During an economic downturn, companies are
often required to reduce staff and scrutinize
spending. This presents an opportunity for
companies to uncover fraudulent activity
that was previously
undetected during
busier times. By
increasing fraud
awareness training,
using inexpensive
interactive training
programs, employees
can be well equipped to
know what to look for
and how to report any
suspected fraud.
“After all, you only
find out who is swimming
naked when the tide
goes out.” Warren
Buffett, 2001 Chairman’s Letter – Berkshire
Hathaway ✵
1. Oversight Continous Monitoring. The 2007 Oversight Systems
Corporate Report on Fraud, Available at: http://bit.ly/2bHfCDs
2. Association of Certified Fraud Examiners. 2016 Report to the
Nations on Occupational Fraud and Abuse, p. 8. Available at:
http://www.acfe.com
3. Ibid., Ref #2, p. 36
4. Institute of Internal Auditors, American Institute of Certified
Public Accountants and Association of Certified Fraud Examiners.
Managing the Business Risk of Fraud: A Practice Guide, p. 8. Available at:
https://na.theiia.org
5. Deepankar Sanwalka. Tools and Rules to Combat Fraud, p. 2. Available
at: http://bit.ly/2bcmqHT
6. Ibid., Ref #2, p. 10
7. Ibid., Ref #2, p. 12. Note: 32% of the fraud cases analyzed involved
more than one type of fraud, therefore, the sum of the percentages
on the graphic do not equal 100, but are greater than 100.
8. Ibid., Ref #1, p. 2
9. Ibid., Ref#2, p. 68-71
10. Ibid., Ref#2, p. 38, Figure 47: Frequency of Anti-Fraud Controls.
11. Ipsos: “Four in Ten (42%) Employed Canadians Have Observed
Some Form of Workplace Misconduct; One in Five (17%) Cite
Witnessing Privacy Violations” News Polls, July 3, 2013. Available
at: http://bit.ly/2bx0Tiz
Heidi Schubert (heidifschubert@gmail.com) is the founder of Heidi F.
Schubert Legal and Business Advisory Services in Calgary, Alberta, Canada
Lisa Zaharia (lisamzaharia@gmail.com) is the Director of ZBCo. Inc in
Calgary, Alberta, Canada
Bruce McKenzie (mckenzie.bruce@ymail.com) is Principal at Above Ground
Risk Ltd. in Ladysmith, B.C., Canada
While there are a
number of reasons for
failing to speak up (the
subject matter of many
papers), one commonly
cited reason is that
the employee did not
know how.