As the markets react to each update on COVID-19, a quote from Warren Buffet has seen increased circulation: “Only when the tide goes out do you see who’s been swimming naked”. The current environment has seen increasing news of corporate frauds such as TAL Education Group, iQiyi and Luckin Coffee, three US-listed Chinese firms which announced in April 2020 that they had manipulated their financial results. In Singapore, oil trader Hin Leong admitted the same month that it failed to declare USD 800 million in forex losses and had secretly sold inventory intended as collateral for banking loans.
In addition to hastening the discovery of existing frauds, the inevitable contracting of the economy can exacerbate pressures on existing or would be fraudsters. The Fraud Triangle is a common framework used to explain a fraudster’s reasoning, identifying opportunity, rationalization and pressure (financial or otherwise) as key drivers of fraud. As economies suffer under lockdowns, these pressures will inevitably increase. Existing fraudsters may find it harder to cover up fraud losses or face increased pressure to escalate their fraudulent behaviour. In addition, as companies move to remote work arrangements, the required adjustments to processes may provide additional opportunities for fraud.
How can companies manage heightened fraud risks in the age of COVID-19?
Increasing proactive fraud detection
The 2020 ACFE Report to the Nations, a yearly study commissioned by the Association of Certified Fraud Examiners, highlights the impact that detection methods have on the median duration and quantum of fraud schemes. Specifically, “active” detection methods (such as internal audit or account reconciliations) result in faster detection of fraud schemes, which can in turn result in lower losses. Certain methods of fraud detection can be considered a combination of “active” and “passive”, where the company has some level of control over the nature of the detection method. For example, tips would be considered a “passive” detection method, as it involves an external party bringing an allegation of fraud to the company’s attention. However, there are steps companies can take to encourage potential tipsters to come forward, making tips a potentially active as well as passive method of fraud detection.
Companies can also increase the likelihood of fraud identification by ensuring that all employees are aware of the ethical standards that they are required to adhere to and putting policies into practice. This can be achieved with a combination of training (in person or online) as well as reinforcement, such as printed material around the workplace or mentions during regular briefing sessions. Regular testing can also be undertaken to ensure that the standards being conveyed online and in person are being understood by staff across the company.
Digitizing records and enabling remote access
Digital transformation has been a long process for many companies, with each company at a different stage of the transformation process. In the current environment, telecommuting is at an all-time high and companies are racing to ensure that their workforce is adequately equipped. As forensic accountants, one of the common issues we encounter during our work with clients is a lack of remote access to data. This may occur for a number of reasons, including a failure to digitize records (where companies still operate via paper-based forms and in-person sign-offs) or where processes to digitize records have been improperly implemented or implemented in ad-hoc fashion, resulting in key data being unavailable for remote review.
In one case, a client had begun the move towards digitizing paper records, a process which required staff to scan paper forms and upload them to a central server for remote teams to access. However, a review identified that only partial copies of the forms were stored on the central server. The individuals responsible for scanning the forms had done so on a single-side basis when the forms in question were double-sided. This oversight meant that the proposed benefits from digitization did not eventuate and additional labour costs had to be incurred to rectify the oversight.
Ensure controls are appropriate for the task
Another oft-touted benefit of digitization is the ease of access to and review of financial and process data that previously was contained in disparate locations and required manual reconciliation. For example, a company that has digitized the payments approval process is clearly in a better position to undertake regular reviews and analysis of its payments data than one which still relies on paper forms and in-person sign-offs. Theoretically, armed with a fully digitized data set, a company can quickly and efficiently identify variances and outliers in its payments data such as a manager granting too many exceptional approvals or a spike in the number of employees usually paid during a traditionally low season, indicating a risk that ghost employees may exist on the payroll.
However, an exception approach to data analysis only works if exceptions are, as the name suggests, kept to a minimum. Many companies take an ad-hoc approach to fraud prevention, reacting to investigation findings by implementing specific controls to prevent a particular fraud from reoccurring, but failing to consider how the new control would interact with other existing business practices. This can result in a patchwork of controls, layered upon each other, resulting in what can be termed “control fatigue” – where employees, faced with an ever-increasing raft of steps to complete a single aspect of their job, end up taking shortcuts. This can vary from seeking exceptions for common issues or completing data fields with “junk” data to reduce the amount of time spent on data entry (e.g. filling the space with a dash rather than entering the full data required). These shortcuts may result in inefficiencies when the data is eventually reviewed, whether due to additional time spent on data remediation or investigative time spent on markers of convenience rather than indicators of fraud.
Conduct proactive reviews
Every organization’s fraud risk is a measure of its unique external threats such as geography, industry and culture. As a result, best practices to mitigate these risks will differ between entities. The coming wave of financial frauds will be a timely reminder that prevention is better than cure. Companies that invest time on proactive identification of fraud risks reduce the average duration and quantum of fraud schemes.
As more employees work from home, the current environment presents a unique opportunity to “strength-test” and holistically consider whether existing processes adequately address your company’s unique risk profile.