The Association of Certified Fraud Examiners (ACFE) estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse that organizations lose 7 percent of annual revenues to occupational fraud. This represents a 40 percent increase from the estimate in its 2006 report. In other words, fraud is an increasing risk in an organization’s risk portfolio that must be addressed.
This is particularly relevant to manufacturing companies. During periods of economic uncertainty, fraudulent activity generally tends to rise. Prior to the current economic crisis, the 2008 ACFE study revealed the following about the manufacturing environment:
- Manufacturers had the fourth most reported fraud cases and ranked second in total dollars lost.
- Manufacturers experienced the third highest median loss among all industry groups.
- In industries with at least 50 reported cases of fraud, the largest median losses occurred in manufacturing.
- The most common fraud schemes were corruption, fraudulent disbursements and fraudulent statements.
Some other interesting facts from the 2008 ACFE report:
- Typical fraud lasts two years before it is detected.
- Occupational fraud is more likely to be detected through tips or by accident than by internal audit, internal controls and external audit combined.
- Lack of adequate internal controls was most commonly cited as the factor that allows fraud to occur.
- Nearly half of all occupational fraud was committed by personnel in accounting and executive/upper management, with personnel in operations and sales accounting for nearly 30 percent.
- The implementation of anti-fraud controls, including a robust fraud risk management program, resulted in lower losses.
Fraud and misconduct threaten the ability of an organization to build its reputation, wealth and success. Laws and regulations enacted to address previous fraud scandals have charged organizations’ boards of directors, executive management and internal audit personnel with the responsibility for fraud risk management. However, these laws and regulations have not been sufficiently prescriptive on how to implement controls or programs that address fraud. In light of this, what steps can a manufacturing company take to deter fraud in its organization? Proven strategies include:
- Assessing the robustness of its fraud risk management program elements
- Performing a thorough fraud risk assessment of possible scenarios for the organization’s environment
- Preventing and detecting fraud through technology solutions
An Effective Fraud Risk Management Program
Many organizations have formalized various components of their fraud risk management programs, but have neglected to conduct a thorough assessment of these programs to identify “blind spots” or “weak links.” In 2008, The Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), and the ACFE put forth a comprehensive guide, Managing the Business Risk of Fraud: A Practical Guide, that defines key principles and theories for fraud risk management. At a high level, Managing the Business Risk of Fraud details five principles, as well as essential elements that organizations should consider when developing a fraud risk management program:1
- As part of an organization’s governance structure, a fraud risk management program should be in place. It should include a written policy (or policies) to convey the expectations of the board of directors and senior management regarding fraud risk.
- Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
- Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate the possibility of damage to the organization.
- Detection techniques should be established to uncover fraud events in case preventive measures fail or unmitigated risks are realized.
- A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner.
Fraud Risk Management Program Elements
- Roles and responsibilities
- Fraud awareness
- Affirmation process
- Conflicts disclosure
- Fraud risk assessment
- Reporting procedures and whistleblower protection
- Investigative process
- Corrective action
- Quality assurance
- Continuous monitoring
A Thorough Fraud Risk Assessment
An essential component of an effective fraud risk management program is the assessment of fraud and misconduct risk. A fraud risk assessment helps management understand areas of the organization that are most susceptible to fraud by ascertaining where potential fraud and misconduct could occur, who might commit such acts and what controls are in place to mitigate such risk.
There is no “one size fits all” approach to conducting a fraud risk assessment for manufacturing organizations. Size, structure and geographic location are important factors in determining who participates in a fraud risk assessment, as well as how fraud risk is identified and then evaluated by management.
An effective fraud risk assessment process incorporates the following:
- Identification of inherent fraud risks by developing fraud scenarios for the organization with input from board members, management and process owners
- Assessment of likelihood and significance of inherent fraud risks based on interviews with management and process owners, volume of transactions, significance to financial reporting, subjectivity, complexity of underlying transactions, and historical information, among other factors
- Identification of mitigating controls for fraud and misconduct risks rated as medium- to high-risk and assessment of controls effectiveness at reducing risk to a residual risk level that is acceptable to management
- Identification of gaps and performance of a cost-benefit analysis to determine whether the organization can implement preventive or detective measures
Detecting Fraud Through Technology Solutions
Techniques to help detect fraud within manufacturing organizations encompass a variety of manual and automated solutions, which are dependent upon technology systems, as well as the availability of accurate data. More manufacturing organizations have found it is necessary to employ techniques to analyze large amounts of data effectively and efficiently in order to eliminate the “human error” associated with manual controls.
Enterprise resource planning (ERP) applications, such as SAP and Oracle, are widely used by manufacturing companies and should be part of the first line of defense in helping to monitor for fraud risk. While segregation of duties (SoD) is often relied upon by management as an internal control, many companies today do not manage their security processes effectively, and SoD issues proliferate across the enterprise. It is not uncommon to find many ERP users with broad access to sensitive data and the ability to enter conflicting transactions, such as creating a vendor and vendor payments. Given the size of many organizations and the complexity of leading ERP systems, it is virtually impossible to manage SoD properly without some type of SoD or identity management tool to complement the ERP system.
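The check an SoD tool performs can be sketched as follows. This is an added example, not code from the article or from any ERP vendor: the role names, permission names, users and the second conflict rule are hypothetical, and only the vendor-creation and vendor-payment pair comes from the text above.

```python
from collections import defaultdict

# Conflict rules: permission pairs one user should not hold together.
# The first pair is the article's example; the second is an assumed addition.
SOD_RULES = [
    ("VENDOR_CREATE", "VENDOR_PAYMENT"),
    ("PO_CREATE", "PO_APPROVE"),
]

# Constructed sample data: role -> permissions, user -> assigned roles.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"VENDOR_PAYMENT", "INVOICE_ENTRY"},
    "VENDOR_MASTER": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "BUYER": {"PO_CREATE"},
    "PROC_MANAGER": {"PO_APPROVE"},
}
USER_ROLES = {
    "asmith": ["AP_CLERK"],
    "bjones": ["AP_CLERK", "VENDOR_MASTER"],
    "cwu": ["BUYER", "PROC_MANAGER", "VENDOR_MASTER"],
}

def effective_permissions(roles, role_permissions):
    """Union of permissions across roles, remembering which roles grant each."""
    granted = defaultdict(set)
    for role in roles:
        for perm in role_permissions.get(role, ()):
            granted[perm].add(role)
    return granted

def find_sod_conflicts(user_roles, role_permissions, rules):
    """Return one finding per user and violated rule, with the granting roles."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_permissions(user_roles[user], role_permissions)
        for left, right in rules:
            # No single role is a conflict here; it appears only once
            # a user's roles are combined.
            if left in granted and right in granted:
                findings.append({
                    "user": user,
                    "rule": (left, right),
                    "via": (sorted(granted[left]), sorted(granted[right])),
                })
    return findings

if __name__ == "__main__":
    for finding in find_sod_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES):
        print(finding)
```

The `via` field names the roles that together create each conflict, which is what a reviewer needs in order to decide which assignment to remove.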
In addition, configurable controls are the user-defined settings in an ERP system that determine tolerance limits and ranges, data integrity checks, data field requirements and workflow approvals, among other areas. Typically, these are not configured correctly when the software is shipped, and often, from a compliance standpoint, they are configured poorly during implementation. Through a detailed review of configurable controls, companies can take full advantage of the controls built into the software and strengthen the checks and balances that will help prevent fraud.
Another valuable mechanism to assist internal auditors in combating fraud is data analysis, or computer-assisted audit techniques (CAATs). The early detection of fraud schemes can help control an organization’s losses and may prevent the escalation of a fraud event into the national spotlight. Through implementing data analysis or CAATs, there is strong potential for companies to reduce the burden of manually intensive testing while achieving more valuable results and enhancing the monitoring of fraud-related risks. Several fraud scenarios that may go undetected during manual testing of limited samples can be uncovered through the use of data analysis.
Of note, Protiviti conducts an annual Internal Audit Capabilities and Needs Survey that includes responses from hundreds of chief audit executives, internal audit directors and other professionals. In the most recent study, respondents ranked CAATs and continuous auditing as the top audit process areas in need of improvement.2
Data analysis provides the ability to look into 100 percent of the population, which can include years of transactions. This ability offers the advantage of trending transactions, using tools such as the Benford Analysis, which identifies deviations between actual and expected occurrences of transaction dollar amounts. These analytics enable auditors to focus their efforts on nonroutine or unusual transactions, increasing the likelihood of detection of fraudulent occurrences.
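A Benford test over a full transaction population can look like the following. This is an added example, not part of the original article: it compares leading-digit counts with the Benford expectation log10(1 + 1/d) and, going slightly beyond the text, summarizes the deviation with a chi-square statistic. The ledger data is constructed, and the 5,000 approval limit it clusters under is an assumption.

```python
import math
from collections import Counter

# Benford's Law: expected share of amounts whose leading digit is d.
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_DF8 = 15.507  # chi-square, 8 degrees of freedom, 5% level

def leading_digit(amount):
    """First significant digit of a non-zero amount (sign ignored)."""
    return int(f"{abs(amount):.15e}"[0])

def benford_test(amounts):
    """Compare observed leading-digit counts with the Benford expectation."""
    digits = [leading_digit(a) for a in amounts if a]
    n = len(digits)
    observed = Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        expected = EXPECTED[d] * n
        count = observed.get(d, 0)
        chi2 += (count - expected) ** 2 / expected
        rows.append((d, count, round(expected, 1), count - expected))
    # The digit with the largest excess is where review should start.
    suspect = max(rows, key=lambda row: row[3])[0]
    return {"n": n, "chi2": chi2, "rows": rows,
            "suspect_digit": suspect, "deviates": chi2 > CHI2_CRITICAL_DF8}

def clean_ledger(n=1000):
    """Constructed data: geometric growth spans many orders of magnitude."""
    return [round(10 * 1.07 ** k, 2) for k in range(n)]

def padded_ledger():
    """Constructed data: 150 payments placed just under an assumed 5,000 limit."""
    return clean_ledger() + [4900.00 + (k % 100) for k in range(150)]

if __name__ == "__main__":
    for name, ledger in (("clean", clean_ledger()), ("padded", padded_ledger())):
        result = benford_test(ledger)
        print(name, round(result["chi2"], 1), result["deviates"],
              result["suspect_digit"])
```

A deviation flags a population for review rather than proving fraud; amounts constrained by price lists or fixed fees can depart from Benford's Law for legitimate reasons.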
Following are common analytics used in a manufacturing environment:
Industry statistics show that fraud is on the rise and that manufacturing organizations are particularly susceptible. As a result, the risk and associated cost of fraud to companies is on the rise as well. Therefore, manufacturing organizations should ensure that management has an appropriate focus on fraud risk management, including:
- Proactively assessing compliance with leading practices and elements, focusing on understanding the key threats and vulnerabilities of fraud to the organization
- Leveraging or implementing preventive and detective fraud controls built into existing technology systems
- Utilizing detective analysis techniques to determine whether the preventive mechanisms are operating as intended