By Curtis C. Verschoor, CMA
For the last six years, security consulting firm Kroll Advisory Solutions has commissioned the Economist Intelligence Unit to perform a global survey of fraud incidence. The 2012-2013 Kroll Global Fraud Report is based on a poll of 839 worldwide senior executives from a broad range of industries and functions – financial and professional services; retail and wholesale; technology, media, and telecommunications; health care and pharmaceuticals; travel, leisure, and transportation; consumer goods; construction, engineering, and infrastructure; natural resources; and manufacturing. More than half of respondents were from the C-suite, and about half represented companies with annual revenue of more than $500 million. All areas of the world were represented, with 26 percent from North America.
Although the incidence of fraud has decreased overall from 2011, 61 percent of companies reported they were still hit by fraud at least once. That's a decline from 75 percent in last year's report. The cost of fraud also decreased, going from 2.1 percent of revenues to 0.9 percent. Interestingly, global improvement wasn't particularly mirrored in the results from companies in the United States. Incidence in the United States dropped less dramatically, from 65 percent to 60 percent, while cost decreased from 1.9 percent of revenues to 1.1 percent, which is higher than the global average. Despite this favorable news, the incidence and cost of fraud are still significant issues for a majority of companies. Doing business requires trust in order to operate economically and effectively.
The three types of fraud that caused loss and were most commonly reported globally were:
- Theft of physical assets – 24 percent
- Information theft – 21 percent
- Management conflict of interest – 14 percent
Because of vigilance, the reductions in fraud are mostly seen in procurement fraud, internal financial fraud, corruption, and bribery. In the United States, the same major causes of loss from fraud were reported, but in a different order:
- Information theft – 26 percent
- Theft of physical assets – 24 percent
- Management conflict of interest – 16 percent
These were largely unchanged from last year, reflecting the more modest reductions in fraud incidence and cost in the United States compared with the rest of the world.
The Kroll report warns against becoming complacent toward fraud. Findings show that reported fraud concerns are dropping faster than fraud instances, and this becomes dangerous if it means respondents are giving greater credit to fraud-fighting efforts than is appropriate. Compared to last year, the global proportion of companies that describe themselves as highly or moderately vulnerable to the three most reported types of fraud declined significantly, and Kroll suggests the results seem to be directly related to whether or not the company experienced some kind of fraud in 2012. The percentage of companies that described themselves as vulnerable to theft of physical assets declined from 46 percent in last year's report to 26 percent. For information theft, the percentage went from 50 percent down to 30 percent. And those that reported being vulnerable to management conflict of interest fell from 44 percent to 23 percent.
In the United States, the declines were somewhat less dramatic:
- Information theft went from 52 percent to 33 percent,
- Theft of physical assets declined from 36 percent to 20 percent, and
- Management conflict of interest fell from 34 percent to 25 percent.
Again, these results seem to be directly related to whether or not the company experienced some kind of fraud in 2012. The difference between the United States and global percentages could suggest that more attention is given to fraud vulnerabilities in this country than elsewhere in the world.
The report also shows that the rising trend of insider involvement is accelerating. The key perpetrator or one of the leading culprits of 67 percent of frauds reported in 2012 was an insider, an increase from 60 percent last year and 55 percent in 2010. In 84 percent of reported frauds, only one perpetrator was involved. This suggests that following the internal control requirement that individuals with sensitive responsibilities should take forced vacations while someone else performs their duties should be effective in preventing many types of fraud.
Another major finding is that information theft remains a significant and multifaceted threat to which respondents feel most vulnerable. The endless range of information technology (IT) fraud continues to increase in variety, frequency, and sophistication, according to the report. Security breaches include undetected malware, a misplaced mobile device, and a hacker taking sensitive data hostage. These weaknesses make business assets, such as trade secrets, financial and customer data, and intellectual property, increasingly more vulnerable to cyberattacks, and 30 percent of respondents noted that IT complexity is the leading cause of increasing fraud risk.
According to Tim Ryan of Kroll Advisory Solutions, "Cyber-based data destruction events are increasingly common. Rather than stealing a corporation's intellectual property, these attackers forensically destroy data. This causes enormous injury to companies, including lost production, lost revenue, remediation costs, and reputational damage." Mike DuBose, another Kroll expert, notes, "We're seeing more economic espionage, much of it originating in Eastern Europe and Asia."
The Kroll report notes that the popular misconception that hackers are the biggest risk today is untrue. Employees, either as culprits or as points of weakness, are far more responsible than hackers for information loss. In 51 percent of the cases where information was lost, the loss was caused by the theft of a technology device (phone or computer) or an employee mistake. Employee malfeasance was involved 35 percent of the time, whereas external hacking was the issue in only 17 percent of the reported cases.
Perhaps the most positive and uplifting news in the report is that taking anticorruption more seriously is paying dividends for companies. Even though a small number of companies have more work to do, far more have taken steps to improve their compliance with anticorruption legislation. These steps include integrating corruption issues into their due diligence activities, training senior managers appropriately, and performing an entity-wide risk assessment. During the past year, the prevalence of corruption has declined from 19 percent to 11 percent, with companies that have active compliance programs benefiting the most. Only 7 percent of companies with active compliance programs reported suffering an incident of corruption compared to 13 percent of all other companies.
In short, a strong ethical culture supported by effective compliance brings many dividends for a company.
Need for Credit Rating Oversight
On February 4, 2013, the US Department of Justice (DOJ) filed a fraud lawsuit against credit rating agency Standard & Poor's (S&P), seeking $5 billion in damages. The US Securities and Exchange Commission (SEC) didn't join in the suit, once again appearing to side with issuers of securities rather than with investors (see "Credit Rating Agency Performance Needs Improvement").
The DOJ complaint against S&P outlined the methodology the company utilized to assign credit ratings to mortgage securities, including subprime and other mortgages wrapped into complex structured debt instruments. Some of these were purely speculative (synthetic) instruments. In some cases, mortgage data provided by the securities issuer was passed through an apparently proprietary financial model known as the Loan Evaluation and Estimate of Loss System. Results were shared with the issuer, who would provide additional data if it were needed to improve the rating. A committee certified the system's result, and an analyst presented a summary to a rating committee. This practice seemed quite perfunctory, as the complaint states: "Most rating committees took less than fifteen minutes to complete. Numerous rating committees were conducted simultaneously in the same conference room." The complaint sets forth many examples of how S&P personnel viewed their services as highly profitable assistance to the issuer who had employed them rather than as an independent opinion.
The DOJ asserted that S&P committed fraud by falsely claiming its ratings were objective while it inflated ratings and understated risks associated with mortgage-backed securities, actions driven by a desire to gain more business from the investment banks that issued those securities. "Put simply, this alleged conduct is egregious – and it goes to the very heart of the recent financial crisis," said Attorney General Eric Holder.
Securities markets operate on the basis of trust that the information provided to investors is presented fairly. Without effective oversight of the agencies providing assurance of the creditworthiness of debt instruments, these markets won't be able to operate effectively. Since 2009, the Council of Institutional Investors has advocated the formation of a Credit Agency Oversight Board. Professionalization of the credit rating agency industry should be undertaken by an independent board under the oversight of the SEC or some other agency. This would involve setting standards of performance and ethical behavior and then monitoring compliance. This is the most efficient way to bring about effective assurance of the published credit risks inherent in debt instruments.
About the author:
Curtis C. Verschoor, CMA, is a member of the IMA Committee on Ethics. He is the Emeritus Ledger & Quill Research Professor at the School of Accountancy and MIS and an honorary Senior Wicklander Research Fellow in the Institute for Business and Professional Ethics, both at DePaul University, Chicago. He is also a Research Scholar in the Center for Business Ethics at Bentley University, Waltham, Mass. He was selected by Trust Across America as one of North America's Top Thought Leaders in Trustworthy Business Behavior-2012. His e-mail address is [email protected].
©2013 by the Institute of Management Accountants (IMA®), www.imanet.org; reprinted with permission
For guidance in applying the IMA Statement of Ethical Professional Practice to your ethical dilemma, contact the IMA Ethics Helpline at (800) 245-1383 in the United States or Canada. In other countries, dial the AT&T USADirect Access Number from www.usa.att.com/traveler/index.jsp, then the above number.