As high profile fraud scandals gain attention in the news, executive management looks to their legal counsel for a defensive game plan. In order to avoid serious financial impact (such as the CityTime fraud scandal that cost a government contractor $500 million), attention to weak internal control structures must be addressed. Proactively assessing an organization’s risk factors for fraud can support sound fraud risk oversight and an intelligent internal control structure, deterring fraudulent activity.
There are many definitions of fraud. In legal terms, fraud is a _knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. Fraud usually causes material gain to the perpetrator(s) and material loss to the victim(s). Fraud is commonly understood as dishonesty calculated for advantage.
A fraud risk assessment involves a deliberate effort of outlining or brainstorming fraud schemes and determining what controls are in place to mitigate such schemes. Organizations struggle to maintain the balance of controls needed to meet regulatory requirements while protecting themselves against fraudulent activities. Internal controls, policies, and procedures are only effective if they align with the risk associated with an organization’s operations and growth strategy. Formalized practices must be continuously monitored and assessed in relation to the overall risk an organization faces as it evolves and changes. An enterprise wide fraud risk assessment can highlight opportunities to strengthen an organization’s control environment.
Identifying and evaluating potential fraud schemes is best done utilizing “The Fraud Triangle”, a widely used model to describe and understand fraud. This model was developed by Dr. Donald Cressey who hypothesized that three factors are present in a fraudulent act: pressure, opportunity and rationalization.
Fraudulent activities are a business risk more than a compliance risk. Knowledge of the industry in which the organization operates is key to understanding potential internal control weaknesses, ultimately helping to prevent a fraud from happening.
Take, for example, the case study of Atlas, Inc., a spin-off from a large multi-national corporation. The seasoned executives were excited at the opportunity to enter the market without the bureaucratic burden of a larger corporation. With contracts and experienced personnel already in place, Atlas aggressively hit the market and their bottom-line grew quickly. The message from executive management was for employees to get back to the basics of doing good business and have fun while doing it. The president articulated that he did not want the web of policies and procedures from the previous corporate culture to follow them to Atlas. No one heard that message louder than John, the Vice President of Operations. Without oversight, John’s spending habits dramatically increased as a false sense of power overtook him. Unable to cover his debts through his corporate expense account, he took a different course of action to increase his earnings.
After four years of Atlas’ strong growth and performance, an anonymous tip led executives to uncover that Atlas had been paying a false vendor for two years. The false vendor fabricated reports for the services it was supposed to have provided to Atlas.
The perpetrator of this fraud was John, Atlas’ own Vice President of Operations. An ineffective and poorly designed process for the selection of new vendors allowed John the authority to approve a new vendor, review the vendor’s reports, and approve the vendor’s invoices for payments. Atlas prided itself on allowing employees to provide referrals to vendors who had the best experience serving Atlas’ unique market; however, in the absence of checks and balances, this created an environment ripe for fraud. As a result, John simply created a fake company and recommended this company to Atlas.
In this scenario, all three elements of the fraud triangle existed:
In the case of Atlas, results of a fraud risk assessment at a global level for the organization would have identified the vendor selection process as a high risk area. Atlas operated in a unique international market where not many vendors could perform the services necessary; that fact alone created a risky environment for vendor selection. Management had not identified this as a risk area and, further, perceived their experience in the industry as a strength in identifying vendors who could serve Atlas. Management relied upon the sole opinion of its experienced personnel to make vendor selections. This process and the lack of perceived risk were at odds with the actual risk. If Atlas had addressed risk at an organizational level, the environment that allowed fraud to occur could have been avoided.
What else can be learned from the Atlas story? An organizational governance structure with internal controls, policies, and procedures based on a fraud risk assessment brings a higher level of integrity to a company’s operating environment and a lower chance of ending up on the front page of a newspaper.
[1 ]Bryan Garner, ed., Black’s Law Dictionary. 8th Ed. (2004), s.v., “fraud.”
 All the names of businesses and individuals are fictitious.