The typical company fraudster is a trusted male executive who gets away with over 20 fraudulent acts over a period of up to five years or more, according to a major new international study by KPMG Forensic.

KPMG’s study takes a look at 360 actual company fraud cases which the forensic departments of KPMG firms in Europe, the Middle East and Africa have investigated over recent years.

The patterns are similar right across geographical regions. While 85% of fraudsters are male, the typical fraudster is aged between 36 and 55. By the time he starts enriching himself by illegal means, he has usually been employed by the company for six or more years. He typically works in the finance department and commits the fraud single-handed. In 86% of cases he is at management level – and in two thirds of cases he is a member of senior management. Greed and opportunity are his motivating factors.

Getting away with it for years
Worryingly for companies, the typical fraudster commits multiple offences over an extended period of time before being detected. Over half (51%) commit twenty or more frauds, and a third commit more than fifty. Two thirds commit frauds for between one and five years, and nearly one in ten get away with it for over six years. With the total financial loss caused per fraudster being more than 1m euros in 42% of cases, the financial toll on companies can be significant.

Richard Powell, partner at KPMG Forensic in the UK, said: “Companies clearly have a challenge on their hands. Over 60% of perpetrators are members of senior management, whose status in the company makes it easier for them to bypass internal controls and inflict greater damage on the company. Given the repeated and extended nature of most frauds, companies need to work extremely hard to detect frauds earlier, through tighter internal controls, data analytical tools, and more widely publicised fraud reporting mechanisms. Engendering the right culture is also important, to create an environment where it is less likely that fraud can take root.”

Controls and tip-offs
Weak internal controls are the most usual enabler of frauds (in 49% of cases). Not surprisingly therefore offences are most commonly discovered through staff ‘whistleblowing’ (in 25% of cases). Management reviews are the second most common vehicle for detection (21%).

How sensitively the affected companies react to fraud is shown by the fact that two thirds issue incomplete information or none at all about the incident. The employees, authorities and media are rarely informed for fear of loss of image. Consequently, offences only occasionally undergo criminal investigation. Mostly, independent investigations are carried out without the police or the public authorities being informed.

The financial damage inflicted by fraudsters can be severe. In many cases, the affected companies have to bear the losses themselves.

Richard Powell from KPMG commented: “Recoveries of losses from fraud can take several years to be completed. Prevention (such as introducing ethics and integrity measures at the top management level) is always a more efficient and cost-effective means.”

Amongst the cases KPMG analysed, in Europe the highest proportion occurred in the public sector (29% of cases), with the rest fairly evenly split amongst other sectors such as industrials, communications and financial services. In Africa meanwhile, 48% of cases were in the public sector, while this fell to just 15% in the Middle East.

Fraud in small and medium-sized organisations
For almost 20 years, KPMG has been tracking major fraud cases reaching the UK courts. Its findings for 2006 showed that 277 cases, totalling £837m, went before the courts. While the majority of these cases related to big business, small and medium-sized entities and owner managed businesses were also affected.

While SMEs and OMBs may not face the broad range of threats faced by big business, most frauds perpetrated against businesses don’t depend on size. Ghost employees, bogus invoicing, accounts manipulation, counterfeiting and identity theft can strike any organisation. And advances in technology, the internet and e-business have provided new opportunities for fraudsters.

SMEs and OMBs are at equal risk from both internal and external threats. External threats include customers or suppliers and organised crime. Internal threats include employees and management. Internally committed frauds usually impact on the profitability of the business by either concealing costs or else inflating revenues.

The threat within
Frauds against SMEs are often committed by the owner managers or majority shareholders. In a survey of around 100 fraud cases, it was found that long-serving, male managers were the most likely people to commit company fraud. Directors and senior managers committed almost two-thirds of the frauds surveyed and, generally, were four times more likely to steal than employees. This is usually because managers have the opportunity to abuse or override controls and often have access to a company’s most valuable assets.

Any discussion of why people commit fraud invariably refers to the Fraud Triangle. This describes the three conditions needed to allow a fraud to occur: opportunity, motive and rationalisation.

The opportunity is usually provided if a company has poor controls or often, in the case of management fraud, a situation whereby controls are simply over-ridden. SMEs and OMBs often struggle to operate and maintain good controls. The effective segregation of duties can be difficult to achieve if the finance department only consists of a few individuals.

Culture also plays an important part in providing an opportunity for fraud. A business run by an autocratic manager does not lend itself to the open or questioning environment that is needed to deter fraud. On the other hand, managers in more open businesses may have a better feel for what is happening around them and across the entire business.

Fraudsters are invariably driven either by financial or personal pressures. Within the business this may be a pressure to perform to a certain standard, or meet unrealistic forecasts or budgets, or simply to keep a job. On a personal level it may be lifestyle, marriage or divorce problems, an addiction, or the inability to deal with personal debt.

Finally, fraudsters need to rationalise and justify their actions. Owner-managers are just as likely to try to do this as directors and managers of SMEs. An open and honest culture both deters fraud and also encourages it to be reported. Often colleagues suspect fraud or misconduct, but are reluctant to report it. Creating an environment in which concerns can be raised is vital: research suggests that only one-in-four frauds are detected by audit or management review, while one-in-three are discovered by a whistleblower.

What to do if you suspect fraud
Someone blows the whistle when they tell their employer, a regulator, customers, the police or the media about a dangerous or illegal activity that they are aware of through their work.

The person blowing the whistle is usually not directly, personally affected by the danger or illegality. Consequently, the whistleblower rarely has a personal interest in the outcome of any investigation into their concern - they are simply trying to alert others. For this reason, the whistleblower should not be expected to prove the malpractice. He or she is a messenger raising a concern so that others can address it.

This is very different from a complaint. When someone complains, they are saying that they have personally been poorly treated. This poor treatment could involve a breach of their individual employment rights or bullying and the complainant is seeking redress or justice for themselves. The person making the complaint therefore has a vested interest in the outcome of the complaint and, for this reason, is expected to be able to prove their case.

Public Concern at Work (PCaW) is an independent authority on public interest whistleblowing. Established as a charity in 1993 following a series of scandals and disasters, PCaW provides free advice to people concerned about danger or malpractice in the workplace but who are unsure whether or how to raise the matter.

Although the law does not require an employer to do so, PCaW recommends that companies have a whistleblowing policy that should make the following things clear:

1. The organisation takes malpractice seriously, giving examples of the type of concerns to be raised, so distinguishing a whistleblowing concern from a grievance.
2. Staff have the option to raise concerns outside of line management.
3. Staff are enabled to access confidential advice from an independent body.
4. The organisation will, when requested, respect the confidentiality of a member of staff when raising a concern.
5. When and how concerns may properly be raised outside the organisation (e.g. with a regulator).
6. It is a disciplinary matter both to victimise a bona fide whistleblower and for someone to maliciously make a false allegation.
7. Organisations with a particularly small number of employees may feel it is not necessary to set up a full whistleblowing policy. The PCaW website contains practical tips that may be useful in these circumstances.

There is no general legal duty on an employee to blow the whistle. In the UK the courts have established that senior managers, responsible to their employer for a sector of the business, will generally have a duty to report the frauds of their subordinates on the organisation. However the law does not presently suggest that employees have a duty to report their manager's fraud elsewhere within the organisation and there is no general legal duty on employees to report the frauds of their organisation to the authorities.

What is clear in the UK is that employees are subject to broad contractual duties of confidentiality which seek to prevent them from disclosing any confidential aspect of their employer's business - including its fraud. However it should be noted that where an employee makes an unauthorised disclosure of fraud or serious malpractice to the regulatory authorities the case law is clear that this is lawful and in the public interest - notwithstanding that it contravenes an employees' contractual duties. At present the courts have not developed this principle so that an employee who acts in the public interest in this way is himself protected from victimisation.

However, it is important to note that the rules on money laundering are markedly different. If you suspect a colleague is laundering money, you have an obligation to notify the Financial Services Authority (FSA) immediately.

The best thing you can do is to seek independent advice from an experienced organisation before blowing the whistle. If you are in the UK, Public Concern at Work's helpline can provide you with free, confidential and practical advice if you are unsure of whether or how to raise a concern about danger or illegality that you have witnessed at work. If you are in this position, PCaW aims to help you identify how best you can raise the concern while minimising any risk to you and maximising the opportunity for any wrongdoing to be addressed. PCaW does not investigate cases.

If you live in another country, PCaW suggests you contact your trade union, a lawyer or, if there is one in your country, an organisation that specialises in advising whistleblowers. Contact details for other whistleblower organisations can be found on the PCaW website.

While every situation is different, and so it is sensible to seek advice before blowing the whistle, there are some general points to keep in mind when raising a concern.

• Stay calm.
• Remember that you are a witness, and not a complainant (see above).
• Think about the risks and outcomes before you act.
• Let the facts speak for themselves - don't make ill-considered allegations.
• Remember that you may be mistaken or that there may be an innocent or good explanation.
• Do not become a private detective.
• Recognise that you may not be thanked.

Prevention better than cure.
Smaller businesses usually struggle to survive the impact of fraud, yet prevention is often low on the list of priorities for SMEs. By conducting regular fraud risk assessments, businesses can ensure they identify and understand the fraud threats they face and ensure that existing controls match those threats.

The objective for every SME and OMB should be to establish an anti-fraud culture. A clear fraud policy statement endorsed by the highest levels within the business should make clear that everybody has a responsibility for the prevention and detection of fraud. Such a policy should be highly visible both within and outside the organisation. Ideally, employee contracts should set out the expectations of what is acceptable and what is not.

Finally, don’t let fraudsters in the front door. The recruitment process must ensure that all CVs are thoroughly vetted and all references and qualifications checked. Recent research in the UK showed that more than 75% of CVs contain irregularities.

Links

Public Concern at Work http://www.pcaw.co.uk

KPMG http://www.kpmg.com

DeskDemon.com wants to hear your experiences

Where do you draw the line between ‘little white lies’ and a manager committing serious fraud? How do you think you would react? Perhaps you have been asked to work on a project you felt was a bit dodgy – or worse. Did you have doubts about the legitimacy of expense claims you were asked to process? What did you do? Have you worked in an organisation that was affected by internal fraud? Do you want to share your story – anonymously? Please give us your view using the form below.