A study on Fraud prevention and Detection

Category: Accounting

The aim of this writing is to present how fraud is defined today, why fraud prevention and detection is global concern and introduce main means of detecting and preventing fraud.

It can be seen that fraud can range from small employee theft, fruitless behaviour, embezzlement of company`s assets and fraudulent financial reporting. This kind of actions can have strong adverse effect on company`s market value, reputation and it reduces company`s power to achieve its strategic objectives, etc. Lately, numerous cases that found themselves in limelight of public attention, such as Enron and WorldCom, sensitized everyone's awareness about the effect of fraudulent and deceptive reporting. Therefore, large number of companies started to be more proactive in taking serious measures to prevent and detect its occurrence.

The jeopardy of fraud can be minimized through effective combination of prevention, deterrence and detection measures. As it will be described in more detail in the rest of this paper, fraud can be very hard to detect. As means of detection are becoming more sophisticated, so do the ways of committing fraud. For this very reason every company should strongly emphasise fraud prevention, which can definitely reduce chances for fraud to take place, and fraud detection, which can create atmosphere at work that fraud will be detected and committers will be punished. Moreover, costs for fraud prevention are less expensive than the time and money needed for fraud detection and investigation.

Definition

Defining fraud can be harder than it seems. It is a term that can be heard very often in everyday life. Though, what is meant by fraud in business world can be somewhat different. Finding consistent meaning and precise definition of fraud is crucial for understanding it. For this reason a few legal definitions of what is considered by fraud will be presented.

In UK fraud is defined in Fraud Act form 2006. In explanatory notes to Fraud Act 2006, Chapter 35 it can be seen that there are several ways fraud can be committed, such as:

by false representation (person must make dishonest and false representation with clear intention to gain or cause loss to other party),

by failing to disclose information (failing to disclose an important information to another person to which you have legal duty to disclose it, is considered as fraud),

by abuse of position (abusing privileged position, where by virtue of this position a person is expected to protect another`s financial interest and do not act against those intersperses),

by gaining or losing property dishonestly (whether material or intellectual), possession of items for use in fraud, making or supplying articles for use in fraud (for example manufacturing machines for false money making),

by participating in fraudulent business carried out on by sole trader (fraudulent trading for under the companies legislation),

by taking part in fraudulent business carried on by a company, obtaining service dishonestly (for example by avoiding payment)

and liability of company officers for offences by company (if a person has specific corporate role for which is responsible, it usually applies to directors, managers, etc).

In USA there are numerous state and federal laws which are regulating fraud in number of areas, such as consumer fraud, insurance fraud, corporate fraud, etc. Summary of what is generally perceived as fraud leads one to conclude that there are some similarities with fraud definition in UK by Fraud Act 2006. In both cases there must be purposive misinterpretation of facts made by one, fully aware party in order to cause injury or damage (material, intellectual, etc.) to other party. Fraud of failing to disclose information in U.S. is interpreted as omission or `purposive failure to state material facts, which nondisclosure makes other statement misleading` (www.uslegal.com)

Moreover, in Canada fraud is classified as criminal offence. In Canada`s Criminal Code, Article 380 (1) and 380 (2) it is stated clearly that fraud is considered to be any fraudulent behaviour designed to manipulate other party, so as this party will give something of value to him/her by means of

lying

purposively misleading the second party although fully aware of falseness of that act

hiding a fact from the other part which may have prevented the party to suffer any kind of loss or damage. Additionally, `every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service ... (or) ... with intent to defraud, affects the public market price of stocks, shares, merchandise or anything that is offered for sale to the public` Canada`s Criminal Code, Article 380 (1).

Contemporary researchers (Weirich and Reinstein, 2000; Albrecht et al., 1994, 1995) define fraud as intentional deception, stealing and cheating investors, creditors, public, government bodies, etc. Statement on Auditing Standards (SAS) No. 82 identifies two separate fraud types:

Fraudulent financial reporting or management fraud (managers try to report inflated profit, overstates assets and revenues or understate expenses and liabilities with intention to modify financial statements) and

Misappropriation of assets or employee fraud (employees steal money or other companies belongings).

This statement also points out different fraud schemes such as employee embezzlement, management fraud, investment scams, vendor fraud, customer fraud, and miscellaneous fraud.

However, it can be concluded that though these countries have similar definitions of what fraudulent activities are considered to be, there are substantial differences. Businesses operating in different countries, especially multinational companies, must be aware of these differences, acts and statements as they are the one in greatest danger suffering from not thoroughly knowing them.

Causes associated with individuals committing fraud - Fraud Triangle

Before explaining main methods and bodies within company responsible for prevention and detection of fraud, psychological factors that might influence the behaviour of fraud committers must be mentioned.

It is suggested (Moyes and Hasan, 1996; Hernan, 2008) that the best way of fraud prevention is understanding what main drivers of fraud are. The three following drivers are most commonly known as fraud triangle.

Need - there are numerous types of financial pressure, gambling habits or maybe unreasonably high expectations of high returns that create enough pressure for management to commit financial statement fraud. Some warning signs of pressure in organization and among employees could be discovered by internal control questionnaires, interview with managers, surveys or communication with employees.

Opportunity - people often see opportunity to commit fraud when internal control system in organization is weak. Internal auditors and managers should from time to time test the effectiveness of various types of control in order to reduce opportunities for fraud.

Justification - the third component of fraud triangle is rationalization for fraudulent activity. There are a lot of different explanations and justifications of fraudulent activity. Some fraudsters concludes that they did not get a deserved promotion and want to make things right on their own. Others did not get 'deserved' bonuses at the yearend or they rationalize their act as 'just borrowing from the company'. The risk is higher in companies with poor management structure and unclear bonus system. Hernan (2008) suggests evaluation of management competences, objectivity and transparency in order to identify and spot on time fraud risks.

If management, internal control or any other entity in a company, which duty is fraud prevention and detection, is aware of these factors, then that entity will certainly be more effective in developing mechanisms of fraud detection and punishment

The Cost of Fraud

Before any prevention and detection method or entity within a company is discussed the cost of fraud must be explained as only then when we realise how big damage fraud can cause, we are able to truly understand significance of internal controls, audit committee, management, internal auditors, independent auditors and certified fraud examiners.

Fraud is a global problem affecting organizations of all types and sizes. According to the Association of Certified fraud examiners (ACFE) estimates that US companies loose approximately 5% of their annual revenues to fraud. Majority of frauds are detected by tips or accidently. The most frequently type of fraud are:

asset misappropriation (91,5% of reported frauds),

corruption accounts for 30,8% and

financial statements fraud accounts for 10,6% ,with median loss estimated at 2 million dollars.

Most recent large fraudulent schemes were Enron (63 billion dollars in assets) and WorldCom (107 billion dollars in assets) were investors lose billions of dollars.

According to Adams et al. (2006), the greatest financial impact of fraud is in small firms and businesses. The loss of 7% of revenues (estimated by ACFE) is also significant for large companies but small companies will probably be out of business because of it. On the other hand, when fraud occurs companies could suffer from damage of brand and reputation. Stakeholders could see that as an early warning sign. Big bills caused by fraud are almost never paid by committers, but unfortunately, by innocent parties such as consumers, insurance companies etc. This just amplifies opening statement how important job of bodies in charge of fraud detection and prevention is.

Fraud prevention and detection

Many authors (Mclnnes and Stevenson 1997, Adams et al 2006, Hernan 2008, Grambling et al 2009) suggests that prevention of fraud is the most cost-effective way to deal with possible financial and reputation loss.

For all of the reasons mentioned in previous sections of this work it is crucial for every company to develop mechanism for effective detection and prevention of fraud.

Statement on Auditing Standards No. 99 by AICPA (2002) suggest that there should be a body within a company with appropriate overight function. Oversight function can take many forms such as audit committee, board of directors etc. Measures this entities can implement are divided into three categories:

create atmosphere of honesty and high ethics;

evaluate the risks of fraud and implement adequate processes, procedures, and controls necessary to reduce the risks and the opportunities for fraud

develop an appropriate oversight process

The pivotal role in the process has the companies CEO. Although the management is responsible for implementing these activities, without CEO's support, this process is likely to be successful. In the oversight process specific company's entity has specific role in preventing and detecting fraud. The most important entities will now be discussed and their role will be explained.

Culture of honesty and high ethics

Every organization should posses a set of core values and nurture culture of honesty and high ethics. This set of values is often involved in company's code of conduct which has aim to guide employees in everyday activities (often include topics like ethics, confidentiality, conflicts of interests etc.).

Management must show to employees through their actions that dishonest or unethical behaviour will not be tolerated. It is also important for management to create:

a positive workplace environment. For example, if employees work in bad work environment, the chances of committing fraud against a company are greater

To hire and promote appropriate employees

Provide training to new employees and introduce them with code of conduct

Require from employees to annually sign code of conduct and to write about possible breaking of code of conduct

If fraud occurs in organization, the appropriate steps should be taken to examine all aspects of fraud and to improve existing internal controls

Implement and Monitor Appropriate Internal Controls

As mentioned before in work, people often see opportunity to commit fraud when internal control system in organization is weak. That is the main reason why organization should be put more effort to minimize fraud opportunities.

According to AICPA (2002) some risks are inherent within the environment of the company, but large number of them can be most can be discovered with a proper internal control system. One process for assessment of fraud risk takes place; the company can recognize controls, processes and other procedures that are crucial for reducing identified risks.

Committee of Sponsoring Organizations (COSO) report of the Treadway Commission states that effective internal control should include:

a well-developed control environment

an effective and secure information system,

appropriate control and monitoring activities.

Information technology plays pivotal role in operations and transactions over information generated by computers. For this reason management need to implement and sustain proper controls (automated or manual). Especially, management is obliged to assess whether internal controls have been implemented in those areas where high risk of fraud exists and in entities where financial reports are processed. Reporting of fraudulent activities can be going on temporary basis, hence management should evaluate internal controls responsible for short term financial reporting.

The institute for fraud prevention in 2007 mentioned that upper level management is usually involved in fraudulent financial reporting by overriding internal controls involved in controlling the process

that fraudulent financial reporting by upper-level management typically involves override of internal controls within the financial reporting process. Because management has the ability to override controls the need for a strong value system and a culture of ethical financial reporting becomes more important. This helps create an environment in which other employees will decline to participate in committing a fraud and will use established communication procedures to report any requests to commit wrongdoing. The potential for management override also increases the need for appropriate oversight measures by the board of directors or audit committee which will be discussed in the following section.

Fraudulent financial reporting by lower levels of management and employees may be detected by appropriate monitoring controls, such as having higher-level managers review and evaluate the financial results reported by individual operating units or subsidiaries. Unusual fluctuations in results or the lack of expected fluctuations may indicate potential manipulation by some department managers or employees.

DEVELOP AN APPROPRIATE OVERSIGHT PROCESS

After implementation of code of conduct, core values and internal control process into organization, management should also develop an appropriate oversight process to overlook internal controls and reduce as much as possible risk of fraud. The oversight process contains management, internal auditors, audit committee, independent auditors and certified fraud examiners.

Audit Committee or Board of Directors

Gramling et al. (2009) in his work argue that audit committee is critical element of internal controls and have important stewardship responsibility to shareholders. Also he cited former SEC chairman Arthur Levitt who described audit committee as '' one of the most reliable guardians of the public interest'' ( Gramling et al.,2009,p.24).

According to research taken by Cohen et al.(2009), audit committee effectiveness has been improved since Sarbanes-Oxley act of 2002. From auditors perspective, audit committee has enough expertise to identify main risks and oversee internal controls. It is crucial that audit committee members be independent of management to provide oversight and comply with regulations. This could be a problem especially in smaller companies. Also smaller companies facing with another problem- How to find and recruit quality and qualified members for audit committee.

AICPA(2005) suggested to audit committee to consider periodical meetings with representatives from each of the above mentioned groups (internal auditors,external auditors etc.) to discuss any matter could affect the financial reporting process and increase the risk of fraud.

The main duties of audit committee should be to: evaluate management's identification of fraud risks and implementation of antifraud measures. Audit committee can by active oversight support management in implementation of appropriate fraud prevention measures. The final aim is better protection of all stakeholders.

The Report of the NACD Blue Ribbon Commission on the Audit Committee (2000) emphasized the importance of role which audit committee plays in helping the board of directors in oversight duties, with regard to company's financial reporting processes and internal control systems.

When taking the oversight responsibility, the audit committee must take care not to override managements control responsibilities. Therefore, they should have a good communication with internal and external auditors and may consider to review from time to time firm`s reported information with forecasted ones and industry averages as well. In addition to this SAS 60 in AICPA (2002) argues that communication with external auditors could improve strength of the firm's internal control and give higher potential to deal with fraudulent financial reporting

10 See Statement on Auditing Standards No. 60, Communication of Internal Control Related Matters Noted in an Audit (AICPA, Professional Standards, vol. 1, AU sec. 325), and SAS No. 61, Communications With Audit Committees (AICPA, Professional Standards, vol. 1, AU sec. 380), as amended.

Audit committee, as part of their oversight duties, should try to motivate management to encourage all employees to report everything that looks like unethical behaviour, fraud, or any violations of the code of conduct. The committee should then receive periodic reports from management and employees, describing the nature of any possible unethical behaviour.

Report of the NACD Best Practices Council (1998) suggests that if senior management is involved in fraud (according to Deloitte survey 2008, which is the case in 68 per cent of all financial statement fraud), next management level is very likely to be cognizant of it. Hence, it would be recommended that audit committee has an open communication with one or two levels of management under senior executives. In this way they could take part in fraud identification at the top positions of the organization.

Usually, the audit committee has the power to investigate all suspicious activities that catch their attention and within the realm of their responsibilities. They could also benefit from assistance of accounting and professional advisors. All committee members must be educated about finances and have at least one expert in that field.

Management

Mclnnes and Stevenson (1997) argue that according to statements in SAS 110 management is responsible for the prevention and detection of fraud. Also Cadbury committee (1992) requires from directors to report on effectiveness of a company's internal control system. On the other hand, Kranacher and Stern- Cpa journal argue that despite the responsibility for preventing fraud lies on management of company, auditors should be also prepared to detect fraud. Authors underpin their statement with presentation of SAS 99-Consideration of fraud in financial statements, which set new fraud standards for auditors. It requires from auditors to discuss with management about possible frauds in organization and to be aware of risk that fraud may occur and be material for financial statements.

The main concerns about fraud prevention could be data presented from The institute for fraud prevention in 2007 that executive directors (CEO and CFO) could deceive auditors and audit committee by providing false information. Their analysis further indicates that in 21% of the financial statements fraud cases, external auditors were named as participants. Also in 40% of companies where fraud took place, board members were participants. This can be significant obstacle in effective fraud detection.

Similar evidences could be seen from Deloitte's survey taken in 2008 about financial statement fraud. CEO, CFO and controller of the company were involved in 68% of individuals who committed financial statement fraud. Other members of management were involved in 24% of all financial statement fraud. That survey can give us a lot of interesting data about financial statement fraud. For example, most common fraud schemes are revenue recognition (38%, especially recording of fictitious revenue), manipulation of expenses (12%) , improper disclosures (12%) and manipulation of liabilities and assets etc. The financial fraud schemes are most common in industries like telecommunications, technology, media and entertainment. The average duration of fraud schemes has been seven years in 2008 and has increasing trend.

Responsibility of management is to supervise the employees` activities. They typically do that by implementing and montiroing all control means previously mentioned. Management is also able to commence, take part in, or direct means against fraudulent acts. Audit committee is responsible (if there is no audit committee the board of directors is in charge) to supervise activities of senior managers and think about risks that fraudulent financial reporting brings.

Mclnnes and Stevenson (1997) in their work conclude that although general public perceive external auditors as strongest defensive against corporate fraud that is not their primary objective. Board of directors have a duty to safeguard the assets of their companies and to report on the effectiveness of their companies internal control system (section 404 of SOX).

The most effective way of implementation of measure for reducing wrongdoing is to establish them on a range of core values that could be embraced by the company. These values consist of important key principles that have the potential to guide all employees` actions. Then this values could be taken a step further and a platform for detailed code of conduct could be forms. Company's code should entail specific descriptions about what is permitted and what is prohibited. At the end management must be clear in stating that all employee`s will be hold accountable in the company`s code of conduct.

Also Mclnnes and Stevenson (1997) argue that board of directors are responsible for prevention and detection of fraudulent activities by others in the company, but on the other hand it is not clear who has a legal responsibility for preventing and detecting fraudulent activities by directors.

Internal Auditors

Organized audit team can very effectively be involved in many aspects of oversight control. Their familiarity with how entity operates can help them identify indicators of fraud. The Standards for the Professional Practice of Internal Auditing (IIA Standards), issued by the Institute of Internal Auditors, state "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Internal auditors are in position to asses fraud risks and control, and suggest actions for risk minimization and control improvement.

Some standards, such as IIA Standards, even require from internal auditors to perform assessment of possible company`s risk. These assessments of risk then provide starting point for audit plans and internal control tests are based on them. Additionally, the same standard demands that all audit plans are presented and permitted by the audit company (where audit committee does not exist this should be presented to board of directors). Furthermore, audit plans provide guarantee for affirmation of management`s control.

Internal audit can have two roles - detection and deterrence. Internal auditors are included in fraud deterrence by analysing and evaluating the appropriateness and efficiency of internal control systems, though Hillison et al (1999) states that it is responsibility of management.

In executing this responsibility, internal auditors should:

- evaluate the control environment

- identify control weaknesses

- have strong communication with management

Hillison et al (1999) argue that internal auditors should pay attention on cash transactions as well as on other non-balance sheet assets. The following steps should be taken:

- increased use of analytical review (because ratio analysis and trend analysis sometimes could show us unusual relations with other accounts, especially when we have several years data to analyse and compare

-

Cohen et al.(2009) stated that reliance on internal auditors has increased in the post-SOX period, mainly because of section 404.

Internal auditors could use a lot of techniques (analythical or other procedures) to prevent and detect fraudulent behaviour in organization. They could search for particular types of fraud or they could check high-risk accounts for frauds. Every suspicion of fraud or management involment should be directly reported to the audit committee.

Independent Auditors and existing audit approach to prevent fraud

External auditors have a significant role in oversight process. They should provide information to management and audit committee about possible risks. In order to have full benefit from external auditors, management should have open communication with them.

Glover and Aono (1995) in their work presented basic audit-risk model which consists of three elements: inherent risk, control risk and detection risk. They stressed that auditors should understand client's internal control system because they should determine how much they can rely on accounting information generated from client's financial reporting system.

On the other hand, McKee and Norway (2006) argue that auditors become too predictable in their audits and that fraudsters could anticipate their actions. Moreover, the public and stakeholders expects from auditors to do better job at fraud prevention (that is the main reason of existence of audit expectation gap). Audit plans should incorporate an element of unpredictability according to SAS 99 and ISA 240 in order to decrease fraud risk.

The main benefits of unpredictable auditors approach according to authors would be increasing chances of fraud discovery (more effective audit), deterrence of fraud will be also increased (because of reduced 'opportunity' to commit fraud) and audit will become more enjoyable. On the other hand, this will have impact on costs associated with unpredictable audit approach: extra planning time, extra time to perform necessary procedures and additional training time. Also, authors suggested a following procedures for 'unpredictable' audit approach: random sampling, unannounced inventory observation, changing techniques from prior years, test some small and low risk accounts etc.

Certified Fraud Examiners

Certified fraud examiners as professionals could have the important role in oversight process. They have a lot of knowledge and experience in fraud detection and prevention and could use their knowledge to assist the audit committee and internal auditors. As professionals from outside the company they can give more objective opinion about internal control system. Also, they can evaluate possible risks of fraud ( especially fraud committed by top management) and implement appropriate measures in order to minimize it.

fraud.5 5 Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse (Austin, TX:

ACFE, 2004), p. 18

Ernst & Young International Fraud Group, Fraud: the Unmanaged Risk: An International Survey of the Effects of Fraud on Business (London, UK: Ernst & Young, 1998), p. 2.

To conclude, despite management have responsibility to conduct adequate fraud risk assessment, audit committee should overlook quality of the financial reporting process. According to Silver et al. (2008), audit committee should not only apply traditional fraud risk assessment (like segregation of duties), but to consider and incorporate proactive approach. In order to be good in their stewardship role they should improve their accounting and fraud knowledge , search for collusive fraud and obtain feedback.

Conclusion

Some organizations have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than other organizations because these organizations take proactive steps to prevent or deter fraud. It is only those organizations that seriously consider fraud risks and take proactive steps to create the right kind of climate to reduce its occurrence that have success in preventing fraud.

It was also found that organisations with strong internal controls, internal

auditors and audit committees were better equipped to deal with fraud in any form according to Alleyne and Howard(2005)