Weak controls key factor in majority of fraud cases worldwide, KPMG finds

Even as governments around the world ramp up their coordination efforts with each other and their enforcement actions to combat corruption and other types of fraud, the problem of corporate fraud continues to grow. A recent survey by KPMG finds that weak internal controls were a contributing factor in 61 percent of 750 fraud cases studied, up from 54 percent of fraud cases examined in the previous survey in 2013.     

The accelerated pace of change both within large global companies and in the regulatory sphere requires more regular risk assessments, with a particular focus on areas of expansion, such as into new foreign markets. New regulations also compel companies to evaluate the most relevant risks they face, which will inform decisions around how to allocate resources. In some cases, that may result in having to redirect resources away from some control elements tied to standard business practices, says Phillip Ostwalt, global head of investigations at KPMG International.

Implementation of new computer systems usually demands a new set of controls that need to be evaluated, and therefore is often responsible for any holes in a company’s control environment, says Ostwalt. The latest survey shows that 27 percent of all fraud cases involved exploiting weak controls, up from 18 percent in the 2013 study.

Technology is proving to be more helpful to fraudsters than companies combatting fraud, according to KPMG’s survey report, Global profiles of the fraudster. Nearly a quarter of fraudsters rely on technology, while companies ‘could do a great deal more to use technology as a tool to prevent, detect and respond to wrongdoing,’ the report says. Data analytics has become the key anti-fraud technology, enabling a company to sift through millions of transactions in search of anything that looks suspicious. Yet just 3.0 percent of companies used pro-active anti-fraud data analytics to help detect the fraudsters surveyed, the report says.

More companies are seeing a need to provide risk-based training according to which groups of employees are found to be most vulnerable. That’s ‘due to the fear of penalties and reputational risk that’s associated with being identified’ by a government agency, he says.

The survey also finds that a high percentage of those committing fraud within companies are members of senior management. The latest results show that 34 percent are executives or non-executive directors, up from 32 percent in 2013, while 32 percent are managers versus 20 percent in 2013, and 20 percent are staff members, compared with 16 percent three years ago.

The 86 fraud cases that cost a company $5 million or more tended to last much longer than other kinds of fraud and were harder to detect because the fraudsters were more senior than average and they involve more collusion, which enables perpetrators to evade controls, KPMG finds. A much higher proportion of them took place across national borders -- 34 percent versus 11 percent for lesser frauds.

Regarding fraudsters from senior levels of management, Ostwalt says, ‘I find that they’re oftentimes [leading] the business that on paper is performing very well.  It’s an executive who’s fairly highly regarded in a company.’

In fact, a fraudster is four times more likely to be somebody who has a higher reputation within a company than someone of low repute, and he or she is also usually someone who’s likeable, he adds. ‘It points to the person who you never thought would do it. ‘

The largest matters that Ostwalt says he has dealt with have been ones in which a company hasn’t applied its normal level of audit and review of a business unit generating returns above its objectives. ‘It’s almost like they don’t want to mess with it,’ he says. He cites one example where the company’s general auditor mentioned a business that had been acquired two years earlier had yet to be audited, at the direction of senior management.

‘My point to boards is don’t let [better than expected business results] be a reason not to apply the controls and other elements of corporate governance that you’re applying to the rest of the business,’ he says. ‘Don’t let it be too good to question. In fact, you probably ought to put a spotlight on it to figure out how are they achieving those types of results.’

Corporate secretaries should be helping to prepare boards to evaluate what’s occurring within their organizations, starting with advising them to ask the right questions to learn what‘s been detected so far relating to fraud. The board needs to probe for deficiencies in the compliance program and confirming whether managers have conducted risk assessments, and if so, what areas have been found to be most vulnerable.

Ostwalt says he’s advising board members to get to know their company’s compliance officers very well. The chief compliance officer needs to be someone who has the means to communicate with the board and is often the person responsible for taking on major investigations based on an understanding of how the company is addressing the risks it has in various areas subject to regulation.

‘I find [compliance officers] oftentimes believe they’re underinvested in and they have some strong opinions about what a company should do,’ he says. ‘For them to have a direct line of communication to the board will help the board understand what some of the real issues are that the company is dealing with.’