The Association of Certified Fraud Examiners has released its bi-annual report, analyzing reported frauds in nearly 100 countries. I highly recommend that all involved in combatting fraud read and consider this report. The ACFE does a good job of analysis and provides a clear discussion of its results.
In this post, I want to review the ACFE report and then discuss what it should mean (IMHO) to governance, risk management, and audit practitioners.
Over the years, the ACFE’s annual report has been referenced as a measure of typical losses from fraud. The number this year is 5%, consistent with prior years (the same percentage was referenced in the 2010 report). But it is important to remember that the ACFE includes many different forms of fraud and abuse, some of which may not result in significant losses.
In fact, while it is important for any organization to limit the risk of loss from fraud, it is equally important not to chase fraud with measures that cost several times any potential for loss (taking possible fines, reputational loss, and other consequences into account). For example, the typical expense report fraud averages $26,000, and payroll scams average $48,000.
For example, the median loss from the frauds studied in the report was only $140,000, and only 20.6% exceeded $1 million – far less than material for almost any company, and lower than in prior years (23.7% in 2010 and 25.3% in 2008).
Of note is that financial statement fraud represented just 8% of the cases and the median loss was only $1 million. (In 2010, the average was $4.1m and in 2008 it was $2m.) My guess is that the typical financial statement fraud was to protect individual managers or operating units. I have seen this myself, where the fraud enhanced bonus opportunities, etc.
Other points of interest include:
- The typical fraud scheme lasts 18 months before it is detected. Experience shows that if fraud is undetected for any period, those involved start expanding their ‘work’ with additional or larger schemes.
- 87% of the cases were some form of asset misappropriation, with a median loss of $120,000. The report includes a breakdown of what is covered in this class.
- A third of the cases involved corruption, costing an average of $250,000.
- Tips continue to be the way most frauds are uncovered (50.9%). Internal audit is second at 16.3%. However, nearly half of the victim organizations did not have a hotline at the time of the fraud!
- Banking and financial services, government and public administration, and manufacturing were the hardest hit by fraud.
- When owners/executives are involved, the loss is far larger ($573,000 on average) than if committed by a manager ($180,000) or employee ($60,000).
- Most of the culprits were first-time offenders with clean records.
- 81% of the cases might have been detected by one or more typical red flags. See page 58 for details.
- The geography with the largest median fraud loss was Latin America and the Caribbean ($325,000) while Canada ($87,000) had the lowest. Asia ($195,000) was lower than Europe ($250,000).
- The weaker the controls, the greater the loss and the longer the fraud lasted before it was detected. Surprise! (OK, not really.)
- Management review had the greatest effect on reducing losses – those with this in place had 45.9% smaller losses than those that did not.
- Tone at the top was only a factor in 9% of all the cases, and was cited as a primary factor in just 18% of cases over $1 million.
- Collusion was involved in 36% of cases (down a little from prior years), but the loss when collusion is involved is about double ($250,000 on average, down from prior years).
- Men are more active – about 2:1, but this varies significantly by geography. Men also take more.
- About two thirds of the cases were prosecuted. In my experience, this is a surprisingly large percentage, possibly indicating a flaw in the research as only reported cases can be studied.
- About half of the victim organizations had not recovered any of their losses.
So what does all of this mean? I want to repeat, first, what I said above:
“While it is important for any organization to limit the risk of loss from fraud, it is equally important not to chase fraud with measures that cost several times any potential for loss.”
My advice is this:
- Understand the risk that fraud, abuse, and corruption represent to your business. The averages discussed in this report are just that: averages. Your risk might be much higher or lower. Don’t forget to include the cost of reputational damage, business disruption, etc. of fraud.
- Consider the controls that you have in place relative to fraud. Do you have the obvious and less expensive controls in place and operating effectively? Consider (for US companies) the controls you need to have an adequate compliance program under the US Sentencing Guidelines. Having that as a defense if something goes wrong has significant value.
- Go beyond the obvious and less expensive controls. Are they justified when you consider the level of risk? Look at the typical costs of the different kinds of fraud: how much money should internal audit spend on data mining and investigations on expense reporting, payables, and payroll fraud when the typical loss is less than $100,000 (for payment of fraudulent invoices; much less for expense reports or payroll fraud)?
- When it comes to internal audit, it is understandable that the audit committee of the board and management will look to them and expect them to detect and investigate fraud. But my advice is to ensure that internal audit only allocates resources that are justified considering the risk to the business. While it may be satisfying to detect and stop frauds that cost the company hundreds of thousands of dollars, don’t do so at the expense of performing audits that will improve business processes and the bottom line by millions.
What do you think?