COVID-19 is driving up every sort of enterprise risk, from cybersecurity to health and safety to internal control, plus many more. Perhaps none, however, are rising as swiftly and broadly as the risk of fraud.
A recent report from the Association of Certified Fraud Examiners tells the tale. The report polled more than 1,800 anti-fraud professionals in late April and early May about ten types of fraud:
2. Fraud by vendors and sellers
3. Payment fraud
4. Health care fraud
5. Identity theft
6. Insurance fraud
7. Loan and bank fraud
8. Bribery and corruption
9. Employee embezzlement
10. Financial statement fraud
Respondents said they had already seen an increase in every single category. In fact:
- 68% saw an increase in fraud activity at their organizations since the COVID-19 crisis began.
- 93% expect fraud to increase over the next 12 months, and 51% expect it to increase significantly.
- Cyberfraud (defined as business email exploits, malware, and ransomware) led the way, with 81% of respondents seeing an increase in the last three months; followed by vendor fraud (68%), payment fraud (60%), and healthcare fraud (59%).
None of this should be a surprise. COVID-19 escalates the threat from all three sides of the famed Fraud Triangle—pressure, rationalization, and opportunity. It creates ideal conditions for fraud risk, and internal audit executives will need to respond with every tool at their disposal.
How to combat COVID fraud
First, audit executives should consider either doing a new fraud risk assessment or making fraud risk a higher priority in their existing audit plan. The company’s greater business environment, its operations, and internal controls have all changed—the company’s understanding of fraud risk shouldn’t lag behind.
The good news is that audit teams are already moving in this direction. The Institute of Internal Auditors just published a survey of nearly 500 corporate audit executives, and 53% said they’ll increase the frequency of their risk assessments in the next 12 months. Additionally, 68% said they’ll increase the frequency of updates to their audit plan.
That fresh risk assessment must focus on the pressure employees and executives feel to meet performance goals, and the fraud opportunities they might have because of ad hoc business processes with incomplete or ineffective anti-fraud controls.
To prevent fraud, auditors should assess:
- Performance goals. Some goals may have become unattainable in the current economy, like higher sales quotas when your target customers are unemployed or cutting spending. This creates pressure to get the job done any way possible.
- Incentive compensation schemes. Compensation plans that pit one employee against another can drive some workers, fearing job or income loss, to cheat the system.
- Vendor approval processes. COVID-19 has disrupted supply chains around the world, so some companies might need to source materials from new vendors quickly. That creates opportunity for employees to create fictional vendors or to hire “preferred suppliers” that are actually conflicts of interest.
- Management sign-offs. As we all work remotely, management review and sign-off of controls, account balances, reconciliations, and so forth may be harder to document. This creates an opportunity to bury or disguise fraudulent activity.
- Accounting estimates. Fudging the estimates on long-lived assets, accounts receivable, and other line items is a time-honored way to commit fraud. Again, our work-from-home world makes verifying those estimates harder to do.
Those are only a few examples of how fraud risk might evolve in your organization as a result of this pandemic.
Each audit team will need to develop its own list of new or emerging fraud concerns—but the capabilities needed by the audit function to gain insight will remain constant.
What auditors must do to help prevent fraud
Audit teams need to work with all parts of the enterprise to assess fraud risks. Some of those conversations might be awkward; some might happen with far-flung corners of the enterprise that previously hadn’t had much contact with the audit team. Most will likely need to happen through virtual means, like video calls, instant messaging, or email.
Test and Document
Testing and documentation are important because fraud might happen in new ways or to a greater extent than previously possible. For example, a fraud risk might now rise to the level of materiality or the declaration of a material weakness—which needs to be documented and brought to the attention of auditors and the audit committee promptly.
Fraud risks need to be addressed. Audit teams need to develop remediation plans, assign responsibility for those remedial actions, and then ensure that those steps happen in a timely manner.
Don’t Ignore Deeper Issues
For all the remediation of weak internal controls that might breed fraud, audit executives should also explore any deeper root causes of fraud that might reside in the corporate culture. For example, how do senior leaders communicate the importance of honest conduct and obedience to financial processes? If the corporate culture conveys a win-at-any-cost message, that can inspire fear, backstabbing, and desperate action more than stellar performance.
Or even if the company’s internal culture supports good conduct, employees do have lives outside the company. If they’re suffering from pressure outside their corporate lives (divorce, a spouse’s illness, gambling debts, tuition costs), do they feel comfortable voicing their fears and vulnerabilities to managers or friends at work?
Questions like those are more difficult to dig into, but they open a valuable window into corporate culture. Asking them gives the chief audit executive and the audit committee a chance to ponder how the company’s culture and core values support pushback against fraud risk—and once the culture resists pressure, and values resist rationalization, developing strong internal controls gets a lot easier.