How much fraud is acceptable within your organization? Finance and accounting professionals struggle with this question, not because of the answer, which is obviously "None," but because of the reality of deciding how stringent a control environment the company should establish.
No amount of fraud is acceptable, yet no company can stop all fraud. This creates the paradox of expecting zero tolerance for unethical behavior versus the reality of establishing a cost-beneficial control system. So, at what point does a particular fraud become unacceptable?
Suppose you assign a staff member the task of choosing a test sample of outside contractor invoices to determine whether any of the contractors are overbilling. Your company was billed $25 million in contractor fees last year, including external attorneys, public accountants, construction workers, and temporary help. After a couple of days' work, your staff returns to report no evidence of overbilling.
Two months later, your company's controller calls you and asks, "Didn't you recently send a staff to review contractor billings?"
"Well, we caught a contractor overbilling us."
"For how much?"
Should your staff have caught this? Does this amount of fraud upset you?
One week later, the controller calls you back with new information: several contractors have been padding their invoices to the tune of about $250,000. Concerned yet? How about $1.25 million? Somewhere between these two amounts people begin to believe the staff should have detected the error.
You likely could not state a specific amount at which fraud makes you uncomfortable. When fraud reaches between 1 and 5 percent of a transaction population, finance and accounting professionals become uncomfortable, and this is instructive in terms of how we must set up a control environment to prevent fraud. Whether employees bring home too many yellow sticky pads does not concern anyone. Someone bringing home too many of the company's fleet vehicles—that is something most managers want the ability to detect.
There are three factors that determine whether fraud has stretched beyond acceptable limits: its amount, its nature, and its duration.
There is no specific guidance on the amount at which a fraud becomes unacceptable because it depends on the culture and nature of your business. The Federal Reserve Bank, for example, has a zero-loss control environment; they handle billions of dollars in cash, and their controls are set up to not lose any of it. High-tech start-ups in the late 1990s were much more risk-tolerant; their employees flourished in a chaotic, relatively uncontrolled arena, so a loss of up to 10 percent in an area might not have concerned them. And, even within your organization, managers will be far more risk-averse with transactions involving electronic funds transfers than with the office supply closet.
The nature of the fraud answers the question of whether frauds must involve high monetary losses to be damaging. They do not. A colleague of mine once investigated an invoice approved by his company's chief financial officer. The description on the invoice was composed of one word: "Services." He called the phone number on the invoice, and a woman answered. She was a call girl. The CFO expensed a prostitute to his company. It was not the largest monetary loss ever seen from a fraud, but the nature of it is particularly troubling.
Finally, the duration of a fraud can escalate an issue from an irritation to a serious concern. Suppose there is a driver at your company who was issued a gas card to refuel your company vans. Once a week he also fills up his personal truck with the card. While this is nothing that will drive a company into bankruptcy, over the course of 22 years, it adds up to $50,000. Then you discover all of the company's 25 drivers have been doing this for several years. Extended duration may drive an otherwise small fraud beyond acceptable limits.
A useful exercise I submit to auditors when I train them to find fraud is to have them write down the answer to this: List the one fraud—perpetrator and fraud act—that would land your company or client on the front page of the Wall Street Journal. It usually takes a minute for most people, and it is not always a monetary fraud—for instance, a field manager covering up a chemical spill or a maintenance contractor falsifying an airplane safety inspection.
Several of your managers can execute a similar exercise in a half-hour meeting with a whiteboard. What frauds, if they were occurring right now, would be most troubling to your organization? What would bring out the reporters and the cameras? List them out by perpetrator (use titles, not people's names) and fraud act. If certain frauds are particularly concerning considering their monetary exposure, nature, or potential duration, then scour your policies and procedures to ensure there is some set of detective controls in place to identify the symptoms of such frauds.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.