The Evolution of Fraud Prevention
What's changed and how it impacts your bottom line
by John Brocar, Vice President, Fraud Risk Solutions, APEX Analytix
You may not see top corporate execs taking "the perp walk" on the nightly news, but internal and external skullduggery is bigger than ever, despite beefed-up internal controls, anonymous hotlines and all the other countermeasures put in place since the Sarbanes-Oxley Act of 2002. Some recent evidence:
- More than 6,100 hotline tips for fraud last quarter reported by 1,000 organizations worldwide and representing a 60 basis-point gain in the Quarterly Corporate Fraud Index co-sponsored by The Network and BDO Consulting, compared to the previous quarter.
- Fraud losses increased 20 percent in the last 12 months from $1.4 million to $1.7 million per billion dollars in sales, according to Kroll's 2010/2011 Global Fraud Report.
- Eighty-eight percent of businesses surveyed were victims of corporate fraud, based on a survey of more than 800 senior executives at 760 companies around the world over the prior 12-month period, Kroll reported.
- Five percent of annual revenue is lost to fraud and abuse of all kinds, says a study of fraud cases worldwide detailed in the Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nation.
Getting a High Payoff from a Fraud Risk Analysis
When accounts payable considers fraud detection products and services to safeguard the company against losses, it makes good sense to look for ways that a project can benefit more internal groups than just the A/P department. During this APEX Expert™ webinar, you'll learn how data collected and analyzed during a disbursement risk analysis -- especially when it involves employee data -- can provide real value to a number of other departments.
- Educating internal stakeholders on "company-wide" benefits of fraud risk analysis.
- Collectively determining "high-risk" vendors.
- Detecting internal control issues.
- Recognizing patterns through statistical analysis.
Register and attend this on-demand Webinar at no charge.
Any way you look at it, the risk for disbursement fraud is significant. In APEX Analytix's experience over the years, focusing on the world's largest and best-run companies, the risk range for billing, a sub-category of asset misappropriation, is roughly 0.008 percent to 0.023 percent of revenue. For a company with $5 billion in revenue, the billing risk range is roughly $400,000 to $1.2 million.
The ACFE report places billing fraud at 0.039 percent of revenue, or roughly $2 million for a company with $5 billion in revenue. Although lower than the broader ACFE estimate cited above, that's still a hefty amount that ought to go to the bottom line. And over the past five years, a chunk of the responsibility for preventing it has increasingly become the purview of accounts payable departments.
Not so long ago, A/P teams primarily focused on operations and transaction processing. While that hasn't changed, they've added fraud detection and prevention responsibility to the mix. After all, guarding against losses is a natural fit because A/P is the gatekeeper when it comes to disbursing cash.
Millions of dollars at risk
You don't have to be a global player to face wallet-draining risks. As mentioned, a $5 billion company faces losses ranging from roughly $400,000 to $1.2 million at about 3 percent of revenue. If you use the 0.039 percent number that ACFE estimates, the potential risk reaches $1.9 million.
In reality, to face that kind of risk, a company probably has to be void of internal controls, policies and procedures, separation of duties, oversight and all the other basics you look for in a professionally run organization. Most larger companies already have good internal controls in place, thanks to Sarbanes-Oxley and other regulations. APEX Analytix has found the range of 1 to 3 percent more realistic for our clients.
Even at companies where duplicate payment errors follow the 0.1 percent industry norm, though, the idea of 0.1 percent fraud risk can be difficult to accept. We've spoken to CFOs who employ third parties to track down and resolve duplicate payments or other errors, but don't see that fraud could have the same impact. Part of the problem is that duplicate payments are easier to define, identify and manage, while fraud is not. You cannot investigate and review it in the same way you stop duplicate payments, because fraud doesn't follow the same patterns.
A change toward monitoring
In a recent 2010 Compass Benchmarking Survey, 57 percent of respondents indicated that they have implemented a continuous monitoring process to assess vendor risk. This represents a significant departure from earlier years, when most fraud was uncovered largely by accident or through anonymous tips, versus intentionally looking for questionable issues worthy of further investigation. The A/P practices in place were operational in nature and only coincidentally helped prevent and detect fraud.
A straw poll of roughly 50 attendees at APEX Analytix's recent FUSION 2011 conference showed the same kind of shift in emphasis:
- Sixty-one percent said their companies had faced a documented disbursement, travel and entertainment (T&E) or payroll fraud in the past 12 months. Almost all of the fraud uncovered was in the T&E category.
- Fully 54 percent of attendees said that fraud prevention had become a primary initiative for their A/P team, evidenced by written objectives or goals.
Priorities around fraud
In the same APEX Fusion event straw poll, attendees were asked to rank their priorities around fraud. Safeguarding disbursement dollars topped the list, while monitoring for compliance or regulatory issues, such as not making payments to anyone on the OFAC list, ranked second.
This represents an important shift in A/P department priorities around fraud detection and mitigation compared to five years ago. That said, 46 percent of attendees said their departments still played no active role, leaving primary responsibility for fraud detection up to internal audit, which leaves the company at higher risk of loss, for a variety of reasons:
- Internal audit at most companies is pressed for time and may only look at purchasing and payables once a year.
- Auditors may not have the necessary resources, technology or skill set to identify anomalies or potential frauds. (According to the ACFE, only 13 percent of frauds are identified as a result of internal audit.)
- Traditional audit sampling techniques may not uncover clever vendor fraud at all, or do so only after a scam has gone on for months.
Recognizing this, some A/P departments step up their effort at internal self-auditing. For example, monthly or quarterly employee-vendor audits can look for employee-vendor crossover and identify connections. You can compare social security numbers, addresses, phone numbers and such to identify any overlaps.
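The employee-vendor crossover check described above, sketched as an added example (not APEX Analytix code). The field names, abbreviation table and sample records are constructed assumptions. Values are normalized before comparison, and blank fields are skipped so that two empty values never count as an overlap.

```python
import re
from collections import defaultdict

# Constructed sample records; field names and values are illustrative assumptions.
EMPLOYEES = [
    {"id": "E100", "ssn": "000-12-3456", "phone": "(555) 010-4477", "address": "42 Elm Street, Apt. 3"},
    {"id": "E101", "ssn": "000-98-7654", "phone": "555-010-2000", "address": "9 Oak Avenue"},
    {"id": "E102", "ssn": "", "phone": "", "address": ""},
]
VENDORS = [
    {"id": "V900", "tax_id": "000123456", "phone": "+1 555.010.4477", "address": "42 ELM ST APT 3"},
    {"id": "V901", "tax_id": "00-7654321", "phone": "555-010-9999", "address": "9 Oak Ave."},
    {"id": "V902", "tax_id": "", "phone": "", "address": ""},
]
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr", "suite": "ste", "apartment": "apt"}

def digits(value):
    """Strip everything except digits so formatting differences do not hide a match."""
    return re.sub(r"\D", "", value or "")

def norm_phone(value):
    """Keep the last 10 digits (drops a leading country code); shorter values are discarded."""
    d = digits(value)
    return d[-10:] if len(d) >= 10 else ""

def norm_address(value):
    """Lowercase, drop punctuation and abbreviate common street words."""
    words = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def match_keys(record, id_field):
    """Return (attribute, normalized value) pairs, skipping blanks so empty fields never match."""
    candidates = (("tax_id", digits(record.get(id_field))),
                  ("phone", norm_phone(record.get("phone"))),
                  ("address", norm_address(record.get("address"))))
    return [(attr, val) for attr, val in candidates if val]

def crossover(employees, vendors):
    """Return {(employee_id, vendor_id): [attributes that overlap]}."""
    index = defaultdict(set)
    for emp in employees:
        for key in match_keys(emp, "ssn"):
            index[key].add(emp["id"])
    hits = defaultdict(set)
    for ven in vendors:
        for key in match_keys(ven, "tax_id"):
            for emp_id in index.get(key, ()):
                hits[(emp_id, ven["id"])].add(key[0])
    return {pair: sorted(attrs) for pair, attrs in hits.items()}

if __name__ == "__main__":
    for pair, attrs in sorted(crossover(EMPLOYEES, VENDORS).items()):
        print(pair, attrs)
```

A pair that overlaps on several attributes (here E100 and V900) is a stronger lead than an address-only match, which can also arise from a shared office building or mail drop.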
Another option is to conduct a fresh Vendor Risk Analysis quarterly, especially since you can tailor VRA risk parameters to "slice and dice" data in different ways -- and spot things that might slip through a routine audit sample. Typically A/P reports results to leadership, and anything suspicious gets investigated further.
Reporting suspicious activity
One in three companies surveyed (33 percent) report that they now have a formal process to report suspicious incidents, activities or transactions up the food chain, either to internal audit, corporate investigations, security, human resources or the legal department. In most cases, this process also involves regularly scheduled meetings with major stakeholders from other departments.
It's important to note that most companies that implemented a formal process did so only in the last year or two. Of the total companies surveyed, 50 percent have only an informal process, and a minority (17 percent) report they either have no process or don't know what it is. That means two out of three companies (67 percent) have no formal process in place at all, and are unprepared to deal swiftly with situations that develop and either resolve or escalate them.
At APEX Analytix, we have been working to bring accounts payable teams that use our software solutions together with other stakeholders to improve communication and dialog. In one case, we found that A/P had never met with corporate security or even talked on the phone. We arranged a meeting where A/P could learn what information corporate security would like to see, what research they needed and what sort of process would work best.
The stakes in A/P are high and getting higher. And despite all of the work to prevent fraud and abuse, ranging from tougher internal controls to reviews required under Sarbanes-Oxley, fraud risk continues to increase. Organizations need to remain vigilant. And because companies are doing more with fewer resources, they need to use the kind of automated solutions APEX Analytix offers to monitor and guard against fraud.
John Brocar, vice president of Fraud Risk Solutions, is responsible for working with new and existing clients, developing strategic partnerships, coordinating the fraud benchmarking survey and contributing to product design and development. He has conducted hundreds of internal and external fraud investigations for clients in industries including retail, distribution, telecommunications, healthcare and manufacturing.
Brocar has been instrumental in the design and implementation of internal control and loss prevention programs in the retail and commercial segments. Brocar is a noted speaker and trainer on investigations, employee fraud detection, external fraud prevention, inventory shrinkage and operational excellence. Before joining APEX Analytix, he was a national practice leader in the loss prevention practice with Kroll and Deloitte & Touche.