By Jonathan Le Roux – Certified Fraud Examiner, Chairman of Johannesburg ACFE Local Interest Group
When companies start out, the biggest way they can control their business is by placing trust in others. The people they bring on board are assessed to a large degree on whether they can be trusted, are trustworthy and will be truthful.
As trust is defined as ‘the firm belief in the reliability, truth, or ability of someone or something’, it is not hard to see why most companies do see trust as the de facto control in business. As companies move through their business lifecycle and mature to reach their prime or stable business levels, trust is still at the forefront of control and the saying of ‘we trust our people, they won’t steal from us’ seems to still resonate within some businesses.
The reality is that the only thing ‘trust’ and ‘fraud’ have in common is that they’re both five letter words. Barring that, having trust does not translate into ‘no fraud’ will happen. In my time working across various industries, I have found this to be a common thread with those in charge of the business, they are so focused on strategy, profit and margins, that their view of those seated around the C-Suite table or senior management boardroom tends to be ‘these people know what to do and I trust they will get it done’.
While this is a good standpoint to have, to enable the trustworthiness two elements are required to be present, namely ‘doing the right thing’ and ‘doing things right’.
Some of the problems I have seen at companies in respect to these include:
■ Their business growth plan does not leave room for proper corporate governance – so trust becomes the ‘go to’ place on their business Monopoly board to take a ‘Chance’ or hope ‘Community Chest’ is kind to them
■ Those people that they trusted don’t see the need for controls as it restricts their ‘freedom to operate’
■ The concept of fraud is a foreign one and most don’t associate fraud with their business or what they deem to be business as usual
■ As change happens fast in a growing business, focus is on getting the change implemented, so no time is spent on other less critical areas (leaving the company vulnerable to the opportunity for fraud)
■ Fraud risk management efforts and initiatives are at best reactive and detective in nature
■ Lack of commitment and buy-in from staff at various levels in the organisation regarding fraud responsibilities
■ Any compliance-related aspect becomes a tick-box exercise focusing on having the ‘stuff in place’ as opposed to whether it is effectively understood and implemented and is achieving the desired result
Given the above commonalities experienced across businesses, a number of strategies or recommendations were suggested:
■ Install corporate governance checkpoints as the business grows, so that at key business milestones the appropriate level of control can be implemented to enhance the balance appropriate to the risk/reward considerations – and document reasons on your risk register where risks have been highlighted.
■ Inform and educate those in charge with their respective duties as executives or directors, as to how their accountability and liability will be brought into question should they operate with negligence and/or ignorance in the execution of their duties.
■ With various fraud surveys, reports, LinkedIn groups and courses on fraud, all those in charge of any business should be acutely aware of fraud and its impacts. No business is immune from fraud. This information should be placed regularly on the tables of those in charge to always have fraud top of mind especially at audit, finance and risk committee meetings (to name a few).
■ Change is a fraud incubator and management should be consciously aware that when change occurs in an organisation that the potential or prevalence for fraud increases. To this effect, management should take note of and monitor changes within the organisation and determine its impact and exposure.
■ To be truly effective in the implementation of fraud risk management requires a collaborative approach that includes prevention, detection, investigation and correction efforts. The greatest return or value add will be on implementing proactive measures (like training, policies, pre-employment screening), detective measures (like data analytics, hotlines, fraud risk assessments), investigative measures (like understanding the modus operandi of the fraud that was perpetrated) and corrective measures to ensure that same fraud does not occur again through better risk identification and control efficacy.
■ Without a proper fraud awareness and communication plan, staff within your organisation will not see fraud as their responsibility or even care if fraud happens. Only through various mediums of communication (emails, posters, websites, competitions, training and courses) will staff have an opportunity to engage and dialogue on how they play a fundamental role as their organisation’s front-line of defence against fraud.
■ Compliance and adherence to rules, laws and regulations serves a purpose in getting organisations to better manage their risk and also allows for the organisation to consciously think about its environment and exposure thereto. Key compliance reviews and monitoring serves to enhance the combined assurance approach to bring governance, risk and compliance together.
Many organisations have made strides in the implementation of these suggestions, but where they fall short is on the sustainability of these initiatives. Where a dedicated person or persons is not directly responsible for these actions, these tasks drop down the business priority list.
Trust and fraud is best explained with the following quote: “Fraud, like other crime, can best be explained by three factors: a supply of motivated offenders, the availability of suitable targets and the absence of capable guardians – control systems or someone ‘to mind the store’, so to speak.” (Cohen & Felson 1979). If we don’t have capable guardians, who know that trust (although important) does not make the business environment immune for fraud, then your business is heading down a rocky road.