In its 2013 report, the National Fraud Authority put fraud loss to the UK economy at £52 billion. The Association of Certified Fraud Examiners (ACFE) estimates the typical loss, to any organization through fraud, as 5% of its revenues which translates to a potential global fraud loss of over $3.5 trillion.
The ACFE report continues: in 81% of cases, the fraudster usually displays one or more behavioural red flags associated with fraudulent conduct, such as living beyond means, financial difficulties, unusually close association with vendors or customers or excessive control issues. In the latest report this year, Financial Fraud Action UK dedicated over 30 pages alone to fraud statistics. But there is one statistic that is not and never can be published: the amount of fraud that goes undiscovered. If it were possible to publish a figure, it is likely it would result in a tsunami caused by the rush by businesses to at last implement effective proactive fraud detection. Further, in the UK there is no requirement for auditors to be trained in fraud detection and, equally worrying, there is no requirement for staff to undergo any routine fraud awareness training.
Is it better we face the truth or live on in the belief that fraud is something that “doesn’t really happen in our organisation”?
In the UK, all public companies and selected private companies (mainly financial services related) are required to undergo an annual audit. The remainder have no such requirement. However, no companies are compelled to undergo specific fraud audits i.e. proactive reviews aimed at uncovering fraud. When asked where fraud is most likely to occur in a business, my stock answer is “wherever there is an opportunity”. This is because, in fraud terms, there are three types of people:
- the person who will always be scrupulously honest no matter what the circumstances,
- the person in the middle i.e. the one who will never proactively look for a opportunity but will find difficulty in resisting an obvious opportunity
- the person who will actively look for opportunities to steal and defraud
It is because of the two latter that companies cannot afford to be complacent and why effective controls are necessary. In regards to the second type of person, it is in many ways incumbent upon the company to protect weaker individuals from themselves. An analogy I often draw is that if you leave the door to the bank open over the weekend do not be surprised if someone goes in and helps themselves to a stack of cash. Sure they are guilty of theft but remember, if the bank had not left the door open putting temptation in their way, that individual might have carried on living an honest life. The moral is that companies must have effective controls, not only for their own security but also to save people from themselves. If they fail to do so and the weakness is exploited, then they must share the blame for that individual’s downfall.
So all reasonable steps should be taken to remove opportunities and beyond that, proactive fraud detection tests should be undertaken as a matter of course annually.
A typical Fraud Audit includes the use of manual and automated detection software which sifts millions of pieces of data, in client accounts, to quickly identify exceptions often indicative of fraud. These may include round value invoices, payment date before invoice date, duplicate payments and false VAT numbers. Also, to identify matches such as an employee and a supplier with the same address or phone number (indicative of the employee being behind the supplier), a supplier operating from an accommodation address (often indicative of fraud) and repeated invoices from the same supplier signed off by the same person just below their authorisation level (split invoicing – indicative of a special relationship).
Tests such as these will ensure that any underhand activity is identified in its infancy prior to losses becoming catastrophic and which could otherwise continue undetected.
There are many good auditors around but at the end of the day they are only auditors, not fraud detection specialists and, until they are trained as such, fraudsters will continue to thrive.
Another common mistake in companies which have sudden reason to suspect fraud is to call in their auditors. This is a fundamental error for two reasons:
- They have a clear conflict – if a fraud has occurred under their audit watch, and it transpires that they have been negligent, is it likely they will provide you with evidence of such with which to sue them?
- If they were not alert enough to spot it in the first place, is it likely they will be equipped to investigate it?
But the “we have nothing to worry about” attitude is one of the biggest problems. “We know our staff and, in any case, if anything was going on our auditors would find it”. These are the exact words said to me by a public company CEO to whom I was trying to explain the benefit of a proactive fraud audit. The fraud audit did not go ahead but I persuaded the CEO that any hint of fraud and he would speak to me before any action was taken. Six months later, the CEO called. He had received an anonymous letter stating that his property director was being paid kickbacks by construction company suppliers. He still did not believe it was true but nonetheless retained my company, Haymarket Risk Management Ltd, to investigate.
Through a forensic examination of the original anonymous letter we were able to identify the author– a former director of a construction company that was a supplier to our client. Was it sour grapes resulting from a broken relationship, or was there substance to the allegation? It was decided that an immediate approach to the former director would be too risky so the CEO and the fraud litigation lawyers since appointed, accepted our recommendation that a covert investigation should be conducted.
In the investigation we deployed a variety of techniques:
- We looked at the property director’s home and noted that he had an Aston Martin in the driveway, a car that he never used to commute or on business.
- We examined records at the local Planning Department and found that plans had been approved three years earlier for a large rear extension and a swimming pool
- The plans were examined and found to have been prepared by an architectural firm that was used by the company. There was also reference to a building firm (*see 4) which had won major contracts with our client company to construct new retail outlets
- Our Forensic Quantity Surveyor carried out re-measuring of parts of selected contracts (involving the above-mentioned building firm*) which identified significant overcharging
- We examined the property director’s company mobile phone records and found that calls had been made to a real estate agent in the Costa del Sol. This was followed by discreet enquiries in the Costa del Sol leading us to a stunning villa near Puerto Banus – purchased in the name of the property director’s wife three years earlier
- Out of hours, we took a forensic image of the property director’s desk top computer and, in analysis of deleted files we recovered; we identified a portfolio of properties he had amassed, in the preceding four years, in the South of England.
Having seen our report, the CEO was devastated but determined to right the situation. He agreed that everything pointed toward a series of substantial kickbacks and accepted that these could only have been afforded had there been massive overcharging on contracts to cover costs.
This is a typical example of a fraud carried out by a person who had seen an opportunity. There were no safeguards in the company to prevent him from benefiting. It was easy to prevent, but having made the recommendations, it led to a successful prosecution of the property director and financial recoveries from external parties.
Haymarket Risk Management Limited is owned and led by George McKillop, the Managing Director and a former UK Customs investigator. The Haymarket team includes experienced financial fraud investigators, a Forensic Quantity Surveyor whose Construction Fraud Division has responsibility for retrospective cost analysis in construction fraud cases where costs inflation is suspected; Computer Forensics analysts who are charged with recovering evidence from amongst the deleted files of suspects’ computers, and a professional research team whose job it is to provide desk-based support to field investigators.
George McKillop, Managing Director, Haymarket Risk Management Ltd