Season 2
Season 2
S2:E12 - Positively Bedeviled with Red Flags: Uncovering & Preventing Fraud in Your Organization
/

It’s not a question of if your organization will be impacted by fraud, but when. Join us for this episode of It Figures as CRI Partners Ben Kincaid and Jimmy Woodall break down the facts about the costs and frequency of fraud, examples of red flags you may be blind to, and how performing internal audits can lead to more robust internal controls to deter fraud.


Intro:

From Carr, Riggs & Ingram, this is It Figures: The CRI podcast, an accounting advisory and industry-focused podcast for business and organization leaders, entrepreneurs, and anyone who is looking to go beyond the status quo.

Jimmy Woodall:

Alright, good afternoon, everyone. And welcome to another version of the CRI podcast. My name is Jimmy Woodall. I’m the consulting service line leader here at CRI, and joining me today is Ben Kincaid. He is a partner in our Destin office and he works, especially in fraud investigations and forensics. And so he’s going to join us and we’re going to talk about fraud today. I know fraud is a topic that we visited a couple of times here on the podcast. I know I’ve done myself, another podcast a couple of years ago with another partner, Nacho Garza, out of our Rio Grande Valley SPU. But this is something that keeps coming back and keeps popping into the news across the country, so it’s something that we felt was important that we would want to bring back. So I’m going to go ahead and let Ben introduce himself here.

Ben Kincaid:

Good afternoon, Jimmy. This is good to be here on the podcast with you. Again, as you mentioned, I’m a partner in the Destin office and that’s pretty much my sole focus. So we routinely work with law enforcement agencies, whether that be the FBI, Department of Justice, state law enforcement agencies, such as the FDLE or the GBI. And we work a lot with the state attorney offices, district attorneys, and sheriffs, and list just goes on and on. And so we help them in investigating the alleged frauds and helping them provide support and evidence for what is going on and expert witness testimony to support our conclusions. And so, much of our work leads into the rest and successful prosecution of the individuals that we’ve determined were responsible for the misappropriation. And it’s something that we work closely with law enforcement on, on a daily basis.

Jimmy Woodall:

Yeah, so we’re really fortunate here at CRI that we kind of cover fraud from a lot of angles. I guess we call that fortunate, right? So we got the work that Ben does and all the other folks that are a part of our evaluation forensics group in terms on the investigation. Then, we’ve got a great internal audit group that kind of helps follow up, it works with organizations on the prevention. But, Ben, I want to get started here talking about a report from the Association of Certified Fraud Examiners, their report to the nations. This is the report that that group puts out every couple of years. And so the latest one came out in 2020 and I always found this report just really fascinating. And just in terms of the breakdown of the case studies that they looked at here. And so, there’s three types of ways that fraud can occur three general types of ways.

One of them is asset misappropriation where folks are just stealing directly from the company. One of them is corruption where there’s lying and trying to manipulate maybe officials or some type of legal or compliance standards there. And then the other one’s financial statement fraud, where there’s intentional misleading of users of the financial statements. And so I’m looking at this report and I’m seeing that roughly there’s some overlap in terms of multiple frauds, which I always find that interesting as well. Cause it’s like you do one and you try to cover it up with the other, but I’m seeing 86% has to do with misappropriation, asset misappropriation, some form of that, where they’re stealing from the company. And I know that’s really, really important to our smaller business owners that we deal with out there. 43% have to do with some type of corruption and 10% have to do with the financial statement fraud.

Now the numbers, the median loss shown on these are a lot smaller. So you’re looking at about 100,000 with the asset misappropriation all the way up to 954,000 median loss with the financial statements. But again, there’s a lot more of those cases that you’re seeing with the asset misappropriation. What have you seen? Are your numbers similar to this, the things that you’ve come across?

Ben Kincaid:

Yeah. In most cases, you’re going to see most organizations are going to experience some type of asset misappropriation schemes. That’s definitely the most common that we see and deal with. The immediate loss is, in our experience, is usually pretty deflated. And that’s for a number of reasons, a lot of times law enforcement when you’re, or get into a case, you’re only going to go back so many years oftentimes, and it’s identified in that ACFE report that you’re talking about, that long-term employees, it can go back many, many years as far as the time period that they’re misappropriating a organization’s assets.

And so a lot of times law enforcement will only go back two or three years just because of statute of limitations or just investigative resources. And so the frauds are usually much, much greater than that. So oftentimes, we can see, even in small businesses that only make $1 million to $5 million a year in gross revenues will have frauds and the terms of, realms of 500,000 up to well over a million dollars in some cases.

Jimmy Woodall:

Yeah. And that brings up to another interesting port from the report. So a lot of times I’ll talk to folks, particularly in the internal audit realm, where they’ll just say, “We’re too small to have to worry about fraud. There’s not really an issue here. That’s for bigger companies. We don’t really have anything that anybody would want or anything that someone could take.”

And I generally find that it’s those smaller companies that tend to have less internal controls there to help prevent that fraud or help detect that fraud. And so I’m looking at the breakdown here that the report has got, and it shows that in companies with less than 100 employees, about 26% of the cases occurred there, 100 to 999 employees, 23%, 1,000 to just under 10,000, 27%, and those with over 10,000 employees, 25%. So it was a pretty even spread amongst those. Again, is that what you’re seeing?

Ben Kincaid:

Yes. Yeah, I mean, fraud unfortunately impacts all organizations of all sizes. Smaller businesses, like you said, that have less controls, or maybe don’t think about as much are definitely a little bit more vulnerable, but it definitely impacts all of these organizations and no one business or organization is immune to fraud.

Jimmy Woodall:

Yep. Well, one thing that’s interesting and that business owners should be aware of, or those in charge of governance should be aware of are the ways that these fraudsters conceal the fraud. And so again, another great point from the report that was looking at are the top four concealment methods. And you saw individuals that they one, they created fraudulent physical documents, or the number two was they altered physical documents. Number three was they altered electronic documents or files, or four is they created fraudulent electronic documents or files. And I know that is huge because again, we talk to a lot of folks, who thinks, “If everything’s going through the computer, it’s got to be safe. Right? It’s got to be okay.” But this evidence here shows that that’s a little bit different. Again, is that what you guys are seeing?

Ben Kincaid:

That’s absolutely what we’re seeing, and especially with technology being what it is in this day and age, it’s very easy to manipulate something you can, just a basic PDF, a document, you can pull that up, change numbers around and save it and print it. And it looks like the original document. We had a case with a city not too long ago where the employee was printing off hotel bills, submitting them for support for procurement card transactions. And what we were able to go through and identify was certain things didn’t add up exactly right for that specific trip. And so we went back and started doing a deeper dive of electronic records, looking at email files. And we identified where we found the original receipt or hotel ledger for that stay and compared that to the one that was submitted and the dates were all changed, the amounts were removed for upgrades and all sorts of things were manipulated. But just looking at the original support, you would never be able to tell the difference. And so, we see that unfortunately on a daily basis.

Jimmy Woodall:

Yeah. Technology does amazing things, right?

Ben Kincaid:

It does.

Jimmy Woodall:

So, a lot of our listeners out there may feel like that they’ve got some things in place and they feel like they’re somewhat insulated from fraud because maybe they have an external financial statement audit, or maybe they feel like they’ve got a certain level of controls in place. Looking at the statistics from this report to the nations, I see that 43% of the frauds that were detected were done so by Tip. So definitely those whistleblower hotlines and things like that are always good things to have, but then the number drops way, way off.

And the next highest is 15%. And 50% is detected by an internal audit department, which would be in place. And again, looking at controls and looking at the internal processes there in the organization. So you would think that that would be close to the top. The next one is 12% from effective management review. So that’s always a good thing, but it’s interesting, an external financial statement audit is down at 4% there, so I always think that’s interesting. You always hear that, a lot of expectations fall on the external auditor in terms of finding that. Any comment on that?

Ben Kincaid:

I mean, we see that unfortunately every day as well. One of the first questions that we’re asked getting to a forensic investigation is, “Well, why didn’t my auditor catch it? Why didn’t my external accountant catch this issue? They look at the books, they’re looking for fraud, don’t they?” And our response is, “No, they don’t. They consider fraud, especially, in a audit perspective, they consider fraud in the engagement, but that’s not the main purpose or the main goal of an external audit.” And a lot of people have a misconception of that. And those bear out in the ACFE report, as far as those percentages, you’re listing out there that external audits really account for a small percentage of the frauds that are being identified. And audits are a very valuable tool. They just serve a different purpose.

Just to give you one example, we had a government organization about two years ago that goes through external audits on an annual basis, and they went through, they didn’t find anything in relation to fraud. They had a clean opinion and going back through, the internal audit department was going back through looking at a certain things. They were looking at budget variances and some things weren’t adding up in some revenue variances. And so they just kept digging and digging and ended up that there was a substantial fraud of about $750,000 where a manager was essentially stealing funds that were incoming to the organization. And that was something that the internal audit department was able to catch. And that was what the internal op department was designed to go for versus the external auditor. They weren’t really looking at that those particular transactions and they had given a clean opinion in that particular year.

Jimmy Woodall:

Absolutely key difference there in the scope of internal versus external audit. They both have their purposes. They’re both great. But internal audit is really more suited toward helping design and develop those internal controls from a management perspective to not always get fraud, but certainly, fraud is part of what falls in there. So one thing I would add, as we get into talk about these, when management’s doing their risk assessment, that should be part of the internal control environment. I think they’d want to make sure that they’re assessing any type of incentives or pressures or anything that they may have internally that may drive fraud, or there’s some type of performance incentives or some type of external or internal pressures that might drive somebody to do that. And then of course, they want to assess the opportunities that are there for somebody to commit fraud.

Jimmy Woodall:

What are some red flags or some things that you think, Ben, should be there that management should look at, management of an organization should look at, to consider whether they are a target for fraud, and or if they maybe have fraud already occurring in their organization?

Ben Kincaid:

Sure. So, yeah, I think it’s safe to say that all organizations are at risk of fraud. It’s not a matter of if, but a matter of when an organization is going to be impacted by some type of fraud. And so it’s really just assessing that degree of fraud risk. Some areas are going to have a much higher risk and some areas are going to have much lower risk. And so just going back through and really kind of doing a internal overview and seeing what your environment looks like.

One of the things that is harped on in audits, as well as in our engagements from a forensic perspective is the tone at the top of the organization. And that’s a very important factor in a organizations fraud risk.

And so just some red flags that might indicate that there might be a higher fraud risk is policies and procedures. When we go into a forensic investigation, one of the first documents that we ask for is for their policies and procedures. And oftentimes there’s the response that there’s no policy procedures or that the policies or procedures, they’re going to have to go back and dig in the drawers, dust it off, scan it in because it hasn’t been looked at in years and it’s dated in 1990. And we’ve had so many organizations where that’s the case, and no one’s trained on those policies and procedures, no one’s following those policies and procedures.

And so those controls, they say, they’re there, but they really are not practicing those policies or procedures. They’re really not in place. And that just kind of precipitates and leads to people seeing that, “Hey, I can do essentially whatever I want. I can do what the manager’s doing, cause they’re not following the policies and procedures,” and just increases the fraud risk. That may not necessarily mean that there is fraud occurring, but it definitely increases the chances and the opportunity for that fraud to occur.

Another case is, Jimmy, you mentioned this as well as, parts of a management oversight. There’s a lot of times where we’ve gone into cases, whether the beef not-for-profit organization, a government organization, or a business organization where there’s just really no oversight, no one’s taking responsibility to check the bookkeeper, check the finance department, or other departments and make sure that everyone’s doing what they’re saying, they’re doing.

We’ve had a not-for-profit organization forensic investigation that we went in on and the board, just in talking to the board, it was almost as if their heads were down in the sand, they weren’t paying attention to anything. They were relying on this one board member to handle the bookkeeping, all the deposits, paying the bills. No one was looking over this individual shoulder and as they were going through and we started asking, “Well, did you see this?” They would say, “Yes.” And “Why didn’t you inquire further?” And the response was, “Well, we trust them. We know them.” And there was no oversight of that position. And in that one particular case, over a six year period, that board member took several hundred thousand dollars that equated to one year worth of annual revenue for that organization.

Jimmy Woodall:

Wow.

Ben Kincaid:

A very substantial impact. And they’re still trying to recover from not only the financial impact of that, but also the reputation impact, because it’s just really damaged their presence of community.

Jimmy Woodall:

Absolutely. Absolutely. And again, it’s those entities like that, those not-for-profits and those governmental entities, a lot of times that feel they’re at less risk for things like fraud that are the most vulnerable when it comes to that public opinion risk that they encounter.

And so, yeah, as we’re wrapping up here, I would like to kind of circle back to a couple of points there that Ben made about the tone at the top about the policies and procedures. And all of these things fall into what is laid out in COSO’s Integrated Internal Control Framework. And again, those are things that I would encourage any organization, if you do not have an internal audit function or someone at least helping you somewhat along those lines, either, part-time, full-time, look into that because those are great ways that you can help develop controls, develop those policies, develop those safeguards for all types of fraud. Nothing is a hundred percent certain, there’s always the chance to be fraud out there. And it’s almost like if there’s a will, there’s a way. Right?

Ben Kincaid:

Absolutely.

Jimmy Woodall:

But, absolutely. But certainly having those things in place would go a long way toward establishing some safe guards to help your organization out. So with that, Ben, do you have anything else to add?

Ben Kincaid:

I think we’ve covered it. Obviously, we’re not able to list out every single red flag that an organization may have, but that’s something that we can definitely have a discussion with your organization on using additional red flags, but there’s many out there. And at the end of the day, it’s important that organizations take proactive approaches to fraud and fraud awareness. You don’t want to be the organization that fraud occurs and then, you have to explain to the stakeholders, whether that be the citizens, or the owners, or the community, of why you let this fraud occur on your watch.

Jimmy Woodall:

Yeah. Certainly something you want to do. Well, CRI would love to help any of you guys out there if you’ve got any questions on this. Contact us. Go to cricpa.com. We’re on all of the social media accounts. Looks us up. Press there. And with that, I’m going to go ahead and sign off for the day. Thanks Ben, for being with us.

Ben Kincaid:

Thank you.

Outro:

If you want more CRI insights or are interested in learning about our firm, please visit our website at cricpa.com. Thanks for listening to this episode of It Figures: The CRI podcast. You can subscribe to It Figures on iTunes, Spotify, or wherever you prefer to listen to your podcasts. If you liked what you heard today, please leave us a review.