Introduction
The topic is “Fraud - The Unmanaged Risk.” and I want to show you why I think it’s unmanaged and demonstrate to you the fact that I believe it is unmanaged. I want to talk a little bit about how I believe it can be better detected. And I want to talk finally about how I think it can be managed better. And I think in both of those issues you have a very significant role to play.
How do we know that fraud is not managed and not managed well? Last fall Ernst & Young sponsored a survey conducted for us by Ipsos Reed where we decided to ask the people who ought to know about fraud, the people who do it, whether or not they had in fact either done it or personally witnessed somebody who did. We surveyed a statistically legitimate sample of Canadian employees last fall and asked them that very question. Have you stolen from your employer in the last 12 months or if you haven’t have you personally witnessed somebody who has? One in four of those people said yes to that question. Now that means that unless you happen to have fewer than four employees you have almost certainly been a victim of fraud if you are an employer. That would include Ernst & Young and all the universities that are represented here.
The sorts of things we are talking about are:
- Financial statement manipulation where people are actually altering records to make results look better. I suppose it is possible they could alter them to make them look worse but that’s not been my experience.
- Cases of people creating fictitious suppliers.
- Charging expenses that haven’t been incurred for their own personal benefit.
- Another sort of list of similar types of fairly routine common place activity in the workplace.
I want to now turn, having I hoped demonstrated that fraud at least by the results that we see is not well managed, to look at the issue of detection of fraud. I have a few homilies one in particular I can’t get away from. It’s the one at the bottom of that slide that says “if you want to find fraud, you have to know what it looks like.” I believe that’s one of the fundamental reasons that audits are such poor tools for finding fraud because auditors by and large do not know what fraud looks like. I’ve been in this business now for close to 15 years and I am beginning to understand the scope and dimension of the problem. I surely don’t have all of the solutions. This is not something that you can take a course on and be an expert in. But it’s not complicated. This is not rocket science.
If you want to find fraud you have to acknowledge some basic premises.
- You have to acknowledge that it does happen a lot and it happens in your organization and mine, and in every organization in Canada and in North America and around the world. So that’s the first proposition — that it does happen and it happens a lot.
- You have to acknowledge that it is deceptive. It’s hard to find because you are not supposed to find it. The whole idea about fraud is that you don’t find it. If people who committed fraud made it easy to find then it wouldn’t last very long.
- You also have to acknowledge that people commit fraud. This is not a neutral, it is not an abstract concept. It can’t happen if there are no people to do it. Systems, data, controls, those things don’t commit fraud. People do it. And so you cannot look at an environment in contemplating fraud without thinking of who in this environment can do it and what is the opportunity to do it and what would it look like if they did do it.