Corporate Fraud: Acceptable Limits
January 2009
How much fraud is acceptable within your organization?
Finance and accounting professionals struggle with this question, not because
of the answer, which is obviously "None," but rather the reality of how stringent
of a control environment the company should establish.
by
Scott Langlinais
Langlinais
Fraud and Audit Advisory Services
No amount of fraud is acceptable, yet no company can stop all fraud. This
creates the paradox of expecting zero tolerance for unethical behavior versus
the reality of establishing a cost-beneficial control system. So, at what point
does a particular fraud become unacceptable?
Drawing the Line
Suppose you assign a staff member the task of choosing a test sample of outside
contractor invoices to determine whether any of the contractors are overbilling.
Your company was billed $25 million in contractor fees last year, including
external attorneys, public accountants, construction workers, and temporary
help. After a couple of days' work, your staff returns to report no evidence
of overbilling.
Two months later, your company's controller calls you and asks, "Didn't you
recently send a staff to review contractor billings?"
"Yes."
"Well, we caught a contractor overbilling us."
"For how much?"
"$5,000."
Should your staff have caught this? Does this amount of fraud upset you?
One week later, the controller calls you back with new information: several
contractors have been padding their invoices to the tune of about $250,000.
Concerned yet? How about $1.25 million? Somewhere between these two amounts
people begin to believe the staff should have detected the error.
You likely could not state a specific amount at which fraud makes you uncomfortable.
When fraud reaches between 1 and 5 percent of a transaction population, finance
and accounting professionals become uncomfortable, and this is instructive in
terms of how we must set up a control environment to prevent fraud. Whether
employees bring home too many yellow sticky pads does not concern anyone. Someone
bringing home too many of the company's fleet vehicles—that is something most
managers want the ability to detect.
Beyond Acceptable Limits
There are three factors that determine whether fraud has stretched beyond
acceptable limits: its amount, its nature, and its duration.
There is no specific guidance for at what amount a fraud becomes unacceptable
because it depends on the culture and nature of your business. The Federal Reserve
Bank, for example, has a zero-loss control environment; they handle billions
of dollars in cash, and their controls are set up to not lose any of it. High-tech
start-ups in the late 1990s were much more risk-tolerant, where employees flourished
in a chaotic, relatively uncontrolled arena. So a loss of up to 10 percent in
an area might not have concerned them. And, even within your organization, managers
will be far more risk averse with transactions involving electronic funds transfers
versus the office supply closet.
Nature of the fraud essentially answers the question about whether frauds
must involve high monetary losses to be damaging. They do not. A colleague of
mine once investigated an invoice approved by his company's chief financial
officer. The description on the invoice was composed of one word: "Services."
He called the phone number on the invoice, and a woman answered. She was a call
girl. The CFO expensed a prostitute to his company. It was not the largest monetary
loss ever seen from a fraud, but the nature of it is particularly troubling.
Finally, the duration of a fraud can escalate an issue from an irritation
to a serious concern. Suppose there is a driver at your company who was issued
a gas card to refuel your company vans. Once a week he also fills up his personal
truck with the card. While this is nothing that will drive a company into bankruptcy,
over the course of 22 years, it adds up to $50,000. Then you discover all of
the company's 25 drivers have been doing this for several years. Extended duration
may drive an otherwise small fraud beyond acceptable limits.
What To Do about It
A useful exercise I submit to auditors when I train them to find fraud is
to have them write down the answer to this: List the one fraud—perpetrator and
fraud act—that would land your company or client on the front page of the
Wall Street Journal. It usually takes
a minute for most people, and it is not always a monetary fraud—for instance,
a field manager covering up a chemical spill or a maintenance contractor falsifying
an airplane safety inspection.
Several of your managers can execute a similar exercise in a half-hour meeting
with a white board. What frauds, if they were occurring right now, would be
most troubling to your organization? What would bring out the reporters and
the cameras? List them out by perpetrator (use titles, not people's names) and
fraud act. If certain frauds are particularly concerning considering their monetary
exposure, nature, or potential duration, then scour your policies and procedures
to ensure there is some detective set of controls in place to identify the symptoms
of such frauds.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.