The fundamentals of fraud and how organisations and internal audit can prevent and detect this

Sylvester Shamy

by Sylvester Shamy

Chairman of the Institute of Internal Auditors NZ
and 2016 NZ Internal Auditor of the Year

I remember a moment of bemusement as an undergraduate at university when, during a lecture on auditing, our Professor asserted that fraud in its purest form is almost impossible to prevent and that once perpetrated is very difficult to identify. It followed, then, that audit’s role was less to prevent or detect but instead help the organisation to respond, including as much as possible, reducing its risk of recurrence.

As I sit here now recalling that “truism” I still require a digestive moment to process the depth of that message and its implication.

Fresh out of university and into professional practice I was educated on the realities of fraud sophistication, and therefore why, as a consequence, audit could never be expected to identify and highlight all instances of fraud. This caveat was enshrined in our engagement contracts with audit clients.

Admittedly, this was before the wide use of computer-assisted audit techniques (CAATs), data mining, information intelligence and their technology-enabled cousins. The audit profession was also, at that time, largely backwards glancing—“the rear-view mirror, not the windscreen” as someone once explained to me.

Thankfully, times have changed. But fraud, its preconditions and the motivations of its perpetrators, has not. Auditors are now better equipped than ever to combat this, and we have modern auditing techniques to assist us in this endeavour.

By its very definition—illegal acts that are characterized by deceit, concealment or violation of trust—fraud is broad in practice. There is a myriad of frauds that can, and are, committed against individuals on a daily basis. Phishing schemes, online lotteries, targeted emails, identity impersonation, credit card theft; the list goes on and on.

My focus in this article is on corporate fraud, which can be less sophisticated than fraud targeting individuals, but with potentially greater consequences both in financial and emotional terms. This article examines its preconditions. In the next issue of Transparency Times, I will discuss the many ways in which internal audit can help organisations prevent and detect corporate fraud.

The preconditions for a fraud

The Fraud Triangle

The Fraud Triangle

The fraud triangle is a framework designed to explain the reasoning behind an individual’s decision to commit workplace fraud. The three stages, categorised by the effect on the individual, can be summarised as pressure, opportunity and rationalisation, illustrated in the diagram above.

The theory is that a combination of demand side (pressure and rationalisation) and supply side (opportunity) dimensions are needed for fraud to be perpetrated. To elaborate:

  • Pressure—fraudsters often face financial pressure to pay off debts or to support their lifestyles. This is hardly unique. We all have financial commitments that need to be met. The fraudster however, is able to rationalise their actions.
  • Rationalisation—often, the rationalisation is less about committing the act of fraud (i.e. acknowledging the immoral action) and more about: convincing oneself either that:
    • the assets being misappropriated are minor (e.g. “The company has lots of money and this will not be missed”)
    • that the crime is a victimless one (“It’s not like I’m stealing money from a person”), or would be the last in the chain
    • that the individual is entitled to the assets (“I pay my taxes, do really good work and I’m underpaid and undervalued”).
    Usually, it’s a combination of the above.

If there’s one thing internal audit can admit defeat on, it’s changing human nature, or at the very least being able to positively influence those with a predisposition to commit crime. Audit can and should however, influence the third dimension:

  • Opportunity—here, fraudsters are often aided by weaknesses in organisational processes, especially around recruitment, procurement, contract management and financial management.

Design—processes and controls

A way to prevent fraud is for recruitment, procurement, contract management and financial processes to be designed and stress-tested from an end-to-end perspective, as opposed to siloed design and evaluation.

Base minimum anti-fraud mechanisms should be incorporated into key processes, including:

  • Pre-employment identity vetting and screening checks should be implemented.
  • Due diligence should be performed over new vendors to confirm no relationship exists with existing staff and/or contractors. This should include a Companies Office check against the vendor’s directors and shareholders.
  • Similarly, a cross-reference check should be performed on vendor bank accounts against employee and contractor bank accounts before the vendor is created in organisational systems.
  • A relationship/conflict declaration should be completed by all staff directly involved in the sourcing and creation of each new vendor with proper processes to manage any identified issues.
  • A change to vendor details, such as their bank account, should only be accepted when supported by a bank deposit slip and matched to the vendor invoice. Each instance of change should trigger an employee/contractor bank account cross-reference check.
  • A contract’s manager should be different to the contract’s approver, to ensure independent oversight and monitoring.
  • Organisational systems should be designed to identify, hold and escalate all instances of delegation breaches on a one-up basis.
  • Wherever possible, and especially for large value purchases (per item or cumulatively), the authoriser of goods and services should similarly be independent from the contract manager and approver. This authoriser should be satisfied that goods and services have been received prior to authorising the payment of the invoice. This accountability should be clearly outlined.
  • Regular vendor performance reviews should be performed, prioritised by performance track-record and expenditure volumes, and these should be conducted by staff independent of vendor set-up, approval, management and invoice authorisation responsibilities.

Final words

Fraud may be impossible to completely prevent. Internal auditors are a wonderful cadre of professionals, but we still lack the requisite mind-reading and mind-bending powers that would enable us to mitigate fraud’s “Pressure” and “Rationalisation” preconditions. However, with proactive organisational support we can reduce the “Opportunity”.


Recent Activity

Protect our whistleblowers
Transparency International New Zealand (TINZ) is calls for better whistleblower protection. 8 Aug, 2017

Auditor General resignation requires transparency
Transparency International New Zealand (TINZ) calls on Parliament to release the report by Sir Maarten Wevers that lead to the resignation of Auditor-General Martin Matthews. 5 Aug, 2017

TINZ applauds decline in foreign trusts
Government implementation of tougher disclosure requirements for foreign trusts have led to around 75% discontinuing or exiting New Zealand. 9 Jul, 2017

Public Sector Integrity Media Release
State Services Commission took a very positive step in addressing a key recommendation of TINZ's Integrity Plus 2013 New Zealand National Integrity System Assessment by advertising a role for Deputy Commissioner, Integrity, Ethics and Standards. 11 May, 2017

Corruption Perceptions Index 2016 TINZ media release
Transparency International 25 Jan, 2017