Triangles, fraud, and misconduct

Just a caveat before you go on reading: the concepts that will be presented below are not new. This can be attested to by most auditors and risk practitioners. The main goal is to present these concepts in simple terms that you can easily recall and apply to your work activities, and in your dealings with co-employees and workers.

Black’s Law Dictionary defines fraud as any intentional act committed to secure an unfair or unlawful gain. Textbooks define it as the intentional misrepresentation of a material fact that includes fraudulent financial reporting and misappropriation of assets. Elements of fraud include: (1) that the intentional deception was believed and acted upon by a victim; and (2) it was to the victim’s damage. Misconduct generally refers to violations of laws, regulations, internal policies, and market expectations of ethical business conduct. Aside from incurring monetary losses and non-monetary penalties, fraud and misconduct can severely undermine public trust and damage an organization’s reputation for integrity. Eventually, this will adversely impact the business’ profitability.

So, what do triangles have to do with fraud and misconduct, and how can these help mitigate these risks? Let me share with you three triangles related to fraud and misconduct. The first one exists, the second one I’ve had to coin to fit the title of the article, and the last is my pitiful attempt to remain true to the article title.

1. The Fraud Triangle. Opportunity-Motive-Rationalization.

There is opportunity, generally, when internal controls of an organization are weak. Motive may come from financial pressure resulting from a fraudster’s excessive lifestyle, real or perceived gap between financial remuneration earned and the responsibility held by the individual, pressure to meet financial targets, plain ego or basic greed. Rationalization is the internal process where the fraudster self-justifies his actions, and convinces himself that the act is a remuneration owed to him or her by the employer.

Just remember, if these three factors are present, then there is a high risk of fraud and misconduct in your organization.

2. The Objectives Triangle. Prevention-Detection-Response

According to the KPMG Fraud Risk Management White Paper, Developing a Strategy for Prevention released in November 2006, there are three objectives that should be addressed by controls, for an effective, business-driven fraud and misconduct risk management approach.

Prevention is addressed when there are controls in place designed to reduce the risk of fraud and misconduct from occurring in the first place. Detection is achieved when there are controls in place designed to discover fraud and misconduct when it occurs. The response objective is achieved when there are controls designed to take corrective action and remedy the harm caused by the fraud or misconduct.

A board of directors and senior management team’s commitment to ethical and responsible business practices is the foremost prevention against fraud and misconduct. The “tone at the top” influences employee actions and fosters a culture of high ethics and integrity in the organization. You will know that it’s not just lip service when resources are actually allocated for anti-fraud efforts. These can range from the purchase of a costly anti-money laundering system, to establishing a comprehensive risk assessment system headed by a senior leader, such as a Compliance Officer.

With the rise in outsourcing of activities, a key prevention control is the conduct of third-party due diligence in the accreditation and performance monitoring of agents and vendors.

But really, prevention can also be simply achieved through Human Resource policies and practices. These would include conduct of background checks on candidates, job rotation, opportunities for career advancement, commensurate financial remuneration, and communication and implementation of provisions of the organization’s code of conduct. Remind employees what are considered acceptable business standards or, conversely, what are inappropriate actions, e.g. acceptance of extravagant gifts from customers, gambling, extensive debt, etc.

As part of detection controls, also highlight employees’ obligations and accountabilities concerning the reporting of fraud and misconduct. Establish mechanisms, e.g. hotlines that afford confidentiality and anonymity, that give protection to employees who have knowledge of and would like to report fraud and misconduct, especially in cases wherein the fraudster to be reported is a superior. In the same way, malicious reporting should be dealt with accordingly.

Critical detection controls include auditing and monitoring systems focusing on high-risk areas identified in the organization’s comprehensive risk assessment system, and proactive forensic data analysis tools, i.e. sophisticated analytic testing, computer-based cross matching, and non-obvious relationship identification.

Response controls would include a thorough and well-planned investigation to gather facts leading to a credible assessment of the suspected violation as basis for management action; a consistent and credible disciplinary system that enforces accountability for those involved in the inappropriate actions, as well as those in management positions who failed to prevent or detect such events; and corrective or remedial action. These actions may include disclosure of the fraud and misconduct to the government or other relevant regulatory body, restitution, identification of root causes of the relevant control breakdowns and strengthening of controls, and lastly, communicating to employees the appropriate and responsive actions taken by management.

Having these mitigating factors and controls lowers the risk of fraud and misconduct in your organization.

3. Two-Triangles-to-Make-a-Square

In the same paper, it was noted that an effective, business-driven fraud and misconduct risk management approach is not static, but rather, is dynamic with changes in the environment. It is an ongoing process, consisting of four phases:

Assess Risks. Profile the current state of fraud risk management, set targets for improvement, and close any “gaps”.

Design. Develop a program that encompasses controls to prevent, detect, and respond to incidents of fraud and misconduct.

Implement. Deploy a strategy and process for implementing the new controls throughout the organization. Assign a senior individual to lead the overall effort.

Evaluate. Assess existing controls against legal and regulatory frameworks and leading practices.

Hopefully, these little triangles, and square, will help you “shape” (up) your organization.

(Carmel Lynne M. Balde is a Director for Business and Financial Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or cbalde@kpmg.com)
