James Tebbs and Kassem Younes, Senior Managing Directors at Ankura, take an in-depth look at fraud prevention in this article, presenting an intuitive ‘cycle’ that any organisation can use to drive change in its resilience against fraud.
“Fraud – it’s a hot topic.” Not a very inspiring or original headline.
At any time, and in almost any place, the anti-fraud agenda can be heard linked to global crises, national agendas, corporate imperatives or simply personal security – yes, it affects us all. The COVID-19 pandemic: fraud is on the rise. Increased use of digital tools: fraud is on the rise. Working from home: fraud is on the rise.
What are we to make of this in reality? Surely there is some ‘numbing’ effect here. We become so used to hearing that there is a problem that the risk becomes a background consideration, or worse, the cost of fraud becomes an operational hazard rather than something we can really get our teeth into.
This poses the obvious question: for all the technological development, advancement of systems, training programs, fraud awareness weeks, regulatory fines and the clear costs of these activities, how much fraud has actually been prevented, detected, or prosecuted above what might otherwise have been the case? How do you calculate the true ‘value’ of these activities to the individual, organisation, state or global agenda?
This is a question that has plagued anti-fraud and indeed anti-financial crime[1] practitioners and risk professionals for years. Consider also the same question of the prevention of money laundering, terrorism financing or proliferation financing often levied of financial institutions. The ever-repeated phrase ‘cost of compliance’ is balanced with the calculation of any reduction in actual criminal activity arising specifically from these preventive and detective activities. Whilst we cannot provide a quantified answer, we firmly believe that anti-fraud is a significant value-adding activity, and it starts at the organisational level.
We become so used to hearing that there is a problem that the risk becomes a background consideration
How are organisations moving to address this?
In a previous article in this publication, our colleague Peter Glanville provided clarity on the new landscape of fraud investigation[2] and the collaborative efforts of legal professionals and investigators. Investigation is a fundamental – and highly effective – tool in the prevention of fraud. It actively demonstrates zero tolerance for incidents of fraud, both internal and external, and is the ‘teeth’ of any anti-fraud program. It sends a clear message that if wrongdoing is suspected, it will be followed up thoroughly and professionally and dealt with accordingly.
In this article we explore the practical steps organisations should take to prevent fraud from happening. Our experience is that any organisation, of any size and budget, can find a solution through these steps and can recognise that there really is a benefit to this, and it might be greater than you think.
The cycle below attempts to show how this continuous loop could be viewed in practice:
Understanding the cycle
The first point of note is that fraud prevention is a cycle. It should not be viewed as a series of independent activities. To highlight this, refer to the ACFE and COSO work on Fraud Risk Management, including the Anti-Fraud Playbook[3], which provide valuable insights linked to the COSO framework, a founding basis for internal controls.
In recent years, the tendency to focus on compliance activities through the lens of a regulatory imperative (including mitigating the risk of a fine) has created ‘pools’ of activity which are not always well synchronised. For example, consider the ‘Governance’ component as ‘tone of the top’ – in our experience there is often a disconnect between the senior executives/Board Directors involved or informed at this stage, and the monitoring (including MI) and reporting that follows later. Ownership at the top is essential.
Ensuring the link between anti-fraud steps not only provides a better view of overall risk but facilitates more efficient and effective use of resources.
What should an organisation prioritise in its anti-fraud strategy?
Each step of the cycle is an inherent component of the overall strategy, and the strategy fails without each step playing its part.
Governance and Risk Assessment
Setting the anti-fraud agenda at the outset is key. The Board is responsible for determining corporate strategy and risk appetite, and the anti-fraud agenda stems from these commercial imperatives. Once the risk appetite is set, a risk assessment is fundamental in determining how to build effective controls. After all, how can any system of control be well-designed if it is not informed of the risks it is supposed to mitigate?
To conduct an effective risk assessment, engage the business directly and avoid undertaking the process as an academic compliance exercise. Try to put yourself in the shoes of a would-be criminal, or even consider engaging some of the new breed of consultants who have themselves previously been fraudsters, for real insight.
Controls Design
We often see cases of organisation controls developed ‘after the fact’ – that is without any proper assessment of risk. The risk assessment does not have to be expensive and overly time-consuming, but it drives well-designed and properly targeted controls which bring much-needed efficiency and effectiveness.
Each step of the cycle is an inherent component of the overall strategy, and the strategy fails without each step playing its part.
A large volume of literature is publicly available to support this[4], but remember there is no such thing as a fraud control, only controls. Segregation of duties, effective passwords, authority limits, approvals, independent reviews and other control groups prevent errors and keep activities on budget and on target, and they also happen to prevent fraud. Do not allow this exercise to overshadow broader operational controls.
Monitoring and Detection
These represent the activities of the controls in practice. Proper KPIs and reporting data should be generated to help those charged with governance to determine whether the controls are effective and to identify early when a potential fraud or other anomaly may be taking place so that these can be immediately followed up.
If designed correctly, this information should be fully aligned with commercial objectives and provide more than fraud monitoring alone.
Investigation
Normally managed by an independent team within either Internal Audit or another risk function, and in many cases with support from external investigators and legal counsel, thorough investigation provides a wealth of information on individual cases and the crystallisation of perceived risks, often allowing senior leaders to see their organisations from a new perspective.
Recommendation and Reporting
No investigation can be complete without detailed and clear reporting and clear recommendations. Always consider two key outputs: what controls have failed (or been circumvented) in allowing this fraud to happen, and where else in the organisation the same scheme might be possible. Actively answering both of these questions can then complete the ‘cycle’ and feed back into enhanced controls design and monitoring.
The above steps really do apply to any business, of any size. The cycle is designed not to demand more resources, but to ensure that resources are efficiently allocated and focused on the most relevant activities. As highlighted, whilst this is presented through an anti-fraud lens, the results should provide far more commercial value.
What can we expect to see in the future?
As a wise colleague once pointed out, there has been no ‘outbreak of honesty’. The human psychology of fraud is well documented and will likely not change. Our advice therefore is clear – focus on your risk assessment and focus on the cycle.
There are, however, developments in anti-fraud which are bearing fruit. Perhaps the most effective of these, outside of individual organisations, is the growing tendency for cooperation amongst public and private sector organisations. Examples of this include:
- In the Kingdom of Saudi Arabia, the central bank has recently inaugurated its Joint Operations Centre to combat financial fraud, involving all Saudi banks, tasked with following up and monitoring cases of financial fraud[5].
- In the UAE, the Financial Intelligence Unit has published useful guidance on fraud typologies and trends which provides specific information organisations can incorporate into their own risk assessments.
These examples demonstrate the willingness and ability of government bodies to engage with the private sector to combat fraud. Whilst further cooperation is undoubtedly needed, these initiatives demonstrate a state- and global-level commitment to working together to combat fraud.
[ymal]
Concluding
What should we take from this? Whilst fraud does continue, and new attack vectors develop every day, anti-fraud activities can be efficient and effective and achieve more than just anti-fraud at the organisational level. With the right collaboration at an organisation and state-level, moving the needle on fraud might not be so far from our grasp.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
James Tebbs
Senior Managing Partner, Dubai
T: +971 (0) 4 381 9000 Main
Kassem Younes
Senior Managing Director, Riyadh
T: +966 11 261 1522
James Tebbs is a Senior Managing Director at Ankura and leads the firm’s risk, forensics and compliance team in the Middle East. He has over 20 years’ experience in fraud prevention, detection and investigation, including 10 years in the Middle East.
Kassem Younes is a Senior Managing Director at Ankura in Riyadh. Kassem’s experience covers a variety of cases including corruption, money laundering and asset misappropriation and he has appeared on several occasions as an expert witness.
Ankura is an independent global expert services and advisory firm that delivers services and end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy and transformation.
[1] For the purposes of this article, we refer to anti-financial crime as a narrower concept related to AML, CFT, Sanctions compliance and the financing of proliferation.
[2] What is the Reshaped Landscape of Fraud Investigation? (lawyer-monthly.com)
[3] https://www.acfe.com/fraud-resources/fraud-risk-tools---coso
[4] Including the ACFE/COSO anti-fraud framework referenced above
[5] Saudi Central Bank governor launches operations center to combat financial fraud (arabnews.com)