In acknowledgement of Fraud Prevention Month this March, CPA Alberta’s Kathryn Peartree sat down with David Elzinga FCPA, FCA, IFA, CFE, Managing Director at Froese Forensic Partners, to discuss the myths and truths of fraud and why the prevention, detection, and management of fraud risks are important for CPAs.
KP: We seem to be hearing a lot more about fraud these days. Is it becoming more prevalent?
DE: Fraud by its nature is hidden and tends to go unreported, so it’s difficult to say if it’s becoming more prevalent. We do seem to be hearing more about it, which I think is a good thing. As a colleague of mine says, “Sunlight is the best cleanser.” The reality is that fraud has been around for centuries and occurs across cultures. There are references to fraud in the Bible, Greek mythology, African legends, Chinese folktales, and novels by Charles Dickens. Sir Edward Coke, who was an English judge and politician in the 1600s, is reported to have said that “Fraud and deceit abound these days more than in former times.” So, it seems that fraud has been around for a long time and may be part of human nature. Most people, however, don’t believe that it will happen to them, which is also part of human nature—we don’t like to think bad things will happen. Like death and taxes, however, fraud seems to be an inevitable part of business and life. When I do a straw poll in the fraud courses I instruct, virtually everyone has encountered fraud in their career.
KP: Are there any trends you’re seeing?
DE: From what I’ve seen and read, there does seem to be a bit of a shift occurring. Historically, most organizations have been at risk for internal fraud, such as asset misappropriation, financial statement fraud, etc. While these types of fraud haven’t disappeared, a lot more organizations seem to be seeing an uptick in external fraud risks; primarily cyber-fraud, such as phishing emails, malware, ransomware, etc., where fraudsters are attempting to access sensitive business information or otherwise gain access to an organization’s system. I think the pandemic has had some impact on this shift, as working remotely physically removes people from the assets but at the same time increases the number of contact points that external fraudsters can exploit. The other thing I can say is that during good times fraud can hide in the growth curve, but when times get tougher or when there are significant changes in a company or the economy—such as the recent pandemic—fraud can become visible.
KP: You mentioned cyber-fraud but what about things like Bitcoin?
DE: Bitcoin is a type of crypto-currency, a subset of crypto-assets which also include things like Non-Fungible Tokens (NFTs). Like any kind of currency, crypto-currency can be used to pay for something or it can also be an investment in the same way that you can hold US dollars as an investment or a hedge against the value of the Canadian dollar. This type of currency also tends to be quite liquid. NFTs, on the other hand, are typically more of an investment and tend to not be as liquid as crypto-currencies. Crypto- currencies and crypto-assets are not fraudulent in and of themselves; however, they are not regulated in any way, which increases their risk. Also, as we have seen, these crypto-assets can not only be quite volatile in terms of their value but, like any kind of asset, they can also be a vehicle for fraudsters. This occurs because of their volatility and as a result of being promoted as the “next best thing.” That type of terminology tends to be a red flag for a fraudulent investment.
KP: What organizations are most susceptible to fraud?
DE: It depends. Not only does each industry have some unique risks, but every organization itself is unique. For example, customer fraud tends to be a higher risk in retail sector businesses and procurement fraud tends to be higher in resource sector businesses. As for cyber fraud, while all types of organizations are at risk, it appears to be the small- to medium-sized organizations that are most at risk, as they tend to not have the resources to put in the necessary measures to protect themselves. Regardless, the answer to the question is that the organization that is most susceptible to fraud is the one who believes that they won’t be a victim. You can’t eliminate the risk of fraud; you can only mitigate the risk of it occurring.
KP: Is there a typical type of person who commits fraud?
DE: There have been a lot of studies and surveys that have attempted to answer this question. While none of them are definitive, in my experience it tends to be a long-term employee in a position of trust. I’ve also observed that the size of the fraud is directly proportional to the seniority and tenure of the person involved. One of the most interesting books I’ve read on this topic is Snakes in Suits: When Psychopaths Go to Work, written by Paul Babiak and Robert D. Hare, which uses scientific studies applied to fictional scenarios to demonstrate how these types of individuals can infiltrate an organization. A more traditional view is the “fraud triangle,” developed by Dr. Donald Cressey, which suggests that there are three psychological elements behind a fraud perpetrator: first, a motivation to commit fraud due to financial pressure such as a lifestyle need; second, an opportunity to commit fraud, which is often due to weak corporate policies, ethics, and/or internal controls; and third, being able to rationalize committing fraud, which may be believing the fraudster deserves the proceeds of their fraud, they won’t get caught, etc. Based on this, virtually anyone could become a fraudster given the right circumstances. Organizations need to focus on the opportunity factor, as it’s the one they are most able to control. It is also important to recognize that tougher economic times will elevate each of these risk factors.
KP: How can organizations prevent or otherwise protect themselves from fraud?
DE: First, it’s important to recognize that all organizations are subject to fraud risks and it’s impossible to eliminate all fraud. As I said, it’s the organizations who believe they are not at risk which are the ones most likely to suffer. The Association of Certified Fraud Examiners conducts a bi-annual study which has consistently estimated that organizations lose an average of 5% of revenues to fraud on an annual basis. The total fraud loss in the cases included in the 2022 study exceeded $3.6 billion and had an average loss of $1.783 million (USD). There are several steps that organizations can take to protect themselves from fraud. These include promoting a culture of integrity; having good policies around fraud, such as a code of conduct, employee declarations, etc.; and instituting a whistleblower line, which has become the number one factor in detecting fraud for most organizations. In addition, organizations can undertake a formal fraud risk assessment to consider the unique nature of their environment. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a “Fraud Risk Management Guide” which was released in 2016 and is currently being reviewed and updated. The COSO guide provides a comprehensive approach to identify the risks of fraud unique to the organization, from which a scorecard is developed based on these risks. The organization can then decide what fraud control activities it wants to deploy to mitigate the risk of fraud occurring.
KP: What should organizations do when they suspect or discover fraud?
DE: In my experience, most organizations are not prepared when fraud occurs, and there are two typical responses: the first is denial and the second is lashing out. Neither of these responses work and often lead to more problems. It’s important for organizations to have a plan or protocol for when a crisis such as fraud occurs, in order to address the issue in a prompt, proper, and rational way. There are two sensitive issues to immediately address—first, stop the fraud from occurring to prevent future losses, and second, to secure the evidence, as that can disappear quickly. Engaging legal counsel with experience in these matters is also a key factor in the success of any fraud response. At the early stages, it’s important not to jump to conclusions, as you usually only have allegations or suspicions of fraud rather than proof. One of the first objectives is to determine whether there is any substance to these suspicions or allegations, after which a more detailed investigation plan can be developed based on the particular situation.
David Elzinga is the instructor of CPA Alberta’s professional development courses “Fraud risk management” and “Fraud happens! What to do when you suspect fraud.” He has practiced forensic and investigative accounting across various industries and geographies since 1989 and provided expert evidence on many occasions.
