This article was updated August 30, 2022
Occupational fraud can sometimes equal millions of dollars in revenue loss. But the bottom line isn’t the only thing that suffers.
Small amounts, taken over the course of several years, can equal substantial loss. Fraud also has the potential to break trust with management, employees, customers, and clients—sometimes a more devastating consequence.
Ultimately, fraud is detectable, but prevention requires diligence. Given the high cost of occupational fraud loss, taking precautions and implementing risk reduction measures should be necessary steps for any organization, no matter its size.
According to the Association of Certified Fraud Examiners (ACFE) in 2022, 5% of revenue is lost each year to employee and executive fraud.
There are a number of possible risk factors that might make an organization more vulnerable to various fraud techniques. Here are some examples of both:
An organization is vulnerable to fraud when these three conditions occur together:
Together, they form what’s known as the fraud triangle, and help explain why people within an organization commit fraud. For example, an employee can succumb to the pressures of money problems—such as student loans, medical bills, or gambling debt—when they see a temporary opportunity to commit fraud. Then, they’ll find a way to rationalize and justify the fraudulent behavior.
Fraud impacts and risk may vary depending on the number of employees. Here’s a breakdown of specific risks and their impact for organizations of varying sizes.
Fraud transactions are often small sums of money that result in large losses over time. For a small organization, the impact can be devastating.
The average median loss was $117,000 per incident, according to the ACFE. If the fraud incident continued for over five years, the average loss grew to $2.2 million. If it continued for 10 years or more, the number could be as high as $5.4 million, according to a 2017 Hiscox study.
Smaller transactions make theft harder to detect and the origin more difficult to pinpoint. Small organizations—or small branches of larger organizations—also tend to have fewer anti-fraud controls in place. The lack of these controls can lead to process loopholes and structure gaps, which allow employees an opportunity to exploit an organization.
Approximately 29% of fraud incidents are caused by lack of internal controls and 23% are committed by an owner or executive, according to the same 2022 ACFE report.
In addition to financial loss, a lack of trust may develop between an organization and its employees or between the employees and the management team. The staff might be asked to pull double duty and assist in the investigation at a time when caution should be exercised.
They may also be asked to allocate resources to cover key operational priorities, such as ongoing monitoring, taking funds away from their teams and tasks, and drawing further attention to the incident.
Although large organizations may have more resources to invest in their anti-fraud programs, their median loss is still $138,000 per incident, according to the 2022 ACFE report.
They also face greater exposures to risk, such as:
Larger organizations may feel safer because the average financial loss of each incident is lower, but more incidents of fraud could happen at a faster rate than at smaller organizations.
It can be easy to fall behind on risk reduction measures because fraud can originate from multiple sources, such as:
Technology also continues to evolve, introducing new vulnerabilities and related fraud considerations. For example, blockchain and decentralized finance (DeFi) have simultaneously strengthened security and controls while also establishing new environments for fraud of various types to thrive, including Ponzi schemes, digital asset scams, and rug pulls.
When adopting such technologies, whether internally or through a third-party service provider, it is important for entities to consider the impact on internal controls and fraud risk.
When an organization is tackling a fraud prevention plan, it tends to face three key challenges:
Although these factors can lead to a higher risk of fraud occurring at an organization, they often go ignored until an incident has occurred.
Imagining that employees, management, executive leadership, or external partners are willing to commit fraud against an organization can be difficult. Even when ready to admit that employee fraud is a common occurrence, management may not be proactive about detection given that incidents result in difficult outcomes.
Here are potential outcomes when fraud is discovered:
Risk management is a continuous process. Once a fraud incident is identified, an organization must assess and respond to the occurrence. Then, it should continue to carefully monitor its risks because inaction presents the perfect opportunity for future incidents to occur.
Performing an independent assessment of an organization’s internal controls provides an objective view of procedures and potential vulnerabilities. It’s an effective method of laying a strong foundation for anti-fraud objectives while controlling costs at the same time.
An assessment often causes minimal interference for an organization. The findings can help bolster education and training initiatives for internal resources. There’s also the added benefit of building employee confidence in an organization’s fraud identification approach.
Fraud losses are found to be 50% smaller at companies when a confidential reporting hotline is in place. Employees, vendors, customers, and clients can use the hotline to make a report when they suspect violations of ethics.
In 2022, 42% of employees reported credible fraud tips and 50% of corruption cases were detected by a tip, per the ACFE.
Anti-fraud management technologies are effective methods for fighting emerging fraud risks.
Data monitoring and analysis help identify trends in data-quality metrics and data values that alert an organization to preestablished rule violations. Continuous monitoring could help spot variances from cyclical runs and notice when data exceeds preset limits. It can also provide incident notifications and analyze cost quantification for violations.
For example, blockchain technology uses public key encryption, identity authentication, and proof-of-work methods to create a chronological record of each transaction. This record helps trace the owner of any individual transaction, which discourages employees from committing fraud and makes perpetrators easy to identify.
It’s important for companies to thoroughly vet clients and vendors. As a first step, they may want to ask service providers for their System and Organization Controls (SOC) report, which is an independent report of internal controls. Vendor and client portals can also be valuable tools for automated data validation.
When organizations provide a method for customers and vendors to report suspected violations—such as a confidential reporting hotline—it reinforces the message that they’re serious about fraud prevention.
While fear of findings and uncontrolled costs prevent many organizations from acting, the cost of fraud far exceeds the cost of improving preventive and detective controls.
For more detailed information about how to approach fraud prevention at your organization and the benefits of a fraud risk assessment, contact your Moss Adams professional. You can also visit our Internal Audit Services page for additional resources.