For those looking to protect their clients -- or themselves -- from fraud, Randy Wilson has a sobering warning.
Like what you see? Click here to sign up for Accounting Today's daily newsletter to get the latest news and behind the scenes commentary you won't find anywhere else.
"Fraud can't really be prevented," said Wilson, who is a partner and national director of fraud and fidelity services at Top 100 Firm RGL Forensics. "You can try to detect it early or in the normal course of business, but you can't prevent it in its entirety."
A CPA and Certified Fraud Examiner (along with a number of forensics-related credentials, including the American Institute of CPAs' Certified in Fraud and Forensics designation, and the American College of Forensic Examiners' Certified Forensic Accountant), Wilson is not suggesting that companies give up, or just resign themselves to fraud -- instead, he wants them to take a more informed approach to the subject, and he wants accountants to help. "Business owners just don't know what the risk really is. One thing accountants can do is to educate clients about the potential for fraud," he said, noting that the Association of Certified Fraud Examiner's authoritative annual Report to the Nations on fraud estimates that 5 percent of business revenue around the world, or approximately $3.5 trillion, is stolen through fraud every year. "The average business owner doesn't know the magnitude of fraud and they don't realize it could be siphoning off funds for decades."
One area they specifically need to be educated on is the protective value of an audit: "I'd like to let people know not to rely on an outside audit or review or compilation as a protection against fraud," Wilson said. "If you're going to have a system to detect fraud earlier, it has to come from the company. Too often, I hear business owners say, 'I thought my auditor was looking for fraud,' but no, they're not. Accountants do themselves a disservice when they don't make it clear to clients that they're not looking for fraud."
That may be a disservice, but there's a service opportunity there, according to CPA and CFE Alan Blass, the director of Fuoco Fraud and Forensics LLC, part of the New York- and Florida-based Fuoco Group: "Most companies in need react by bringing in a forensic accountant to quantify the fraud and, if possible, retrieve lost funds," he said. "Too few privately held small and midsized companies proactively hire a forensic accountant to review and test internal systems and controls before a fraud occurs. Often a relatively small and inexpensive system, control, accounting or reporting change could avoid the fraud or accelerate its detection" -- and a qualified accountant could help their clients by identifying the needed changes.
"More companies are [having] anti-fraud prevention assessments" performed by outsiders, Blass said. "It's money well-spent. It's tough for companies to analyze themselves."
When it comes to ways your clients can protect themselves, John Warren, a CFE and vice president and general counsel of the Association of Certified Fraud Examiners, goes right for what works: "Consistently, the most effective way to detect fraud is tips -- between 40 and 45 percent of frauds that are detected are caught this way, and the next closest method of detection only accounts for 15 percent or so," he said. Hotlines to allow employees to report potentially dodgy dealings can be hugely useful, but only about 50 percent of companies have them, he said -- and even when they do, employees have to know what they're reporting.
"Anti-fraud training is very effective," said Warren, who is also a co-author of the ACFE's Report to the Nations. "It seems obvious what a fraud would look like, and almost invariably, someone knows or suspects, but they don't report because they don't know how, or they aren't sure that it's wrong, or they don't want to be seen as a snitch."
"Companies spent a lot of money on new controls and external audits," he continued, "but the training and hotlines don't cost that much, and they are so effective that there's really no reason not to have them."
THE LATEST TRENDS
One of the reasons it's so hard to prevent fraud is that it keeps changing. While the profile of the fraudster may not change -- "The garden-variety under-appreciated employee with access is always going to be there," Blass said - their methods and the vulnerabilities of their victims are constantly changing.
"We didn't used to see schemes that were that creative -- we're seeing more of them," said Wilson. "There's more awareness now -- business owners read about it. That just leads the employee to be more creative. If they have the motive and the rationale, they're going to find the opportunity."
As an example of a new opportunity, he pointed to the downsizing of finance and accounting departments. "The economy is causing business to operate with fewer staff - less people on accounting, finance, purchasing, and so on, so they have less ability to put in place controls and procedures for double-checking," he said. "That's a risk that sometimes the business owner doesn't understand. They have to understand that they are giving something up when they do that."
He described a case that started with an employee in the bookkeeping department of a large school district, part of whose job was to go through a DVD of cancelled checks sent over by the bank, to make sure that the payee, amount and number were right. She wasn't the fraudster, though - she retired in perfect innocence, but her position was left unfilled, and "almost to the day," according to Wilson, her boss the bookkeeper started stealing, because there was no one to check the checks. The bookkeeper's scam went on for almost eight years, siphoning off around $400,000, and was only uncovered when the bookkeeper fell ill and her replacement found evidence of the fraud in her desk.
Many frauds only recur when certain circumstances arise. "Only forensic accountants look at disasters this way," Blass said, "but unfortunately, there's going to be a deluge of fraudulent insurance claims" related to Hurricane Sandy in the Northeast. Earlier in his career, Blass worked with the New York City Department of Investigations, and said that he had uncovered a lot of fraud related to the recovery from 9/11. "Disasters often bring out the greed in some companies."
The ACFE's Warren noted that new whistleblower laws are creating some unexpected issues: "Now staff have an incentive to take it outside the company. That's an exposure risk, not a fraud risk," he acknowledged, but it still brings along with it reputational risk, potential loss of market capitalization, and all the legal costs associated with an investigation. Better, he suggested, to create hotlines and implement training so staff are more likely to report fraud internally.
Warren pointed to data theft as a hot area for fraud. While most of the focus is on external hackers -- "We hear a lot about Eastern European syndicates" -- he said that he's more concerned about a different potential risk. "What keeps me up at night is what happens if an employee comes in intending to steal data? What if they come in and sit there for three or four months stealing data? I haven't seen a huge number of cases along those lines, but it's a big risk."
Of course, the overarching issue in much of fraud today is technology -- as both an enabler of fraud, and a potent weapon against it. "Just as people used the U.S. Postal Service for mail fraud, now they use computers for computer fraud," said Christopher Cassar, IT forensic director at the FuocoTech unit of the Fuoco Group.
The pace of change in IT can make it difficult to keep up, but he had a number of current suggestions for companies to protect themselves.
- Remind employees they're at work. When staff log on, have a pop up that reminds them the computer they're using is the company's, not their own, and shouldn't be used for personal purposes.
- Surf behind walls. "Whether you're Fortune 100 or a mom-and-pop shop, when you're using the Internet, everybody should be behind a firewall -- they're cheap at this point," said Cassar.
- Stay protected. Virus protection software needs to be kept up to date, and businesses should make sure it covers e-mail, as well.
- Stronger passwords. In addition to requiring passwords that are less easily guessed, Cassar offered this advice: "Passwords are like toothbrushes - they should never be shared, and they should be changed every three months."
- Treat phones and tablets seriously. With more and more business being done on these devices, users need to remember that, "Phones are just miniaturized computers -- they're vulnerable to attack, too. The same thing applies to PCs as to smartphones -- make sure the patches are there, and that virus protection is updated."
- Keep track of access. When staff are let go, the IT department should be the first to know, so their access can be revoked -- particularly now that data is so portable. "When you fire someone, are they walking out the door with their smartphone, going on the cloud and walking out with all of your data?"
- Read your SLAs. "When you're using the cloud, your data is no longer in your domain -- it's in California, in Ohio, overseas -- jurisdictions get complicated," Cassar said, so users should carefully check their provider's service level agreements to know what kind of protection they have, and what kind of assistance they can expect from the provider in the event of fraud or legal action.