Fraud fighters rarely break the rules. They are meticulous, focused and hold themselves to a high ethical standard while ferreting out wrong-doers. However, Steve Morang, CFE, CCEP, CIA, senior manager at Frank Rimerman & Co LLP, argued that sometimes holding yourself and your thoughts to a too-strict ethical framework can backfire against realistic fraud prevention.
In his session, “Ethical Baselines and Fraud Risk Assessments: A Holistic Approach,” at the 29th Annual ACFE Global Fraud Conference, Morang urged the audience to take off their “auditor goggles” and put on their “fraudster googles” when assessing fraud risk in an organization. “Fraudsters tend to be more creative and they’re willing to take risks that some auditors can’t even imagine … they don’t care about the rules.”
Morang has helped numerous organizations perform Fraud Risk Assessments (FRAs) and he said one of the key parts in getting a realistic view of the fraud risk in an organization is to get employees to be candid about how they would commit fraud. “Ask ‘how would you steal $10,000 from your organization? How would you commit fraud? … put aside that you’re a good person — how would you do it?’” People are often uncomfortable answering that question. They’re afraid they will be judged by their colleagues and potentially seen as a future fraud risk. However, Morang explained how thinking creatively and answering that question honestly can expose risks otherwise unthinkable to honest people.
He shared the story of one FRA he helped perform where he had a small focus group of mid-level employees and he asked them that very question. No one answered at first, being too scared to be looked at differently by their peers. But eventually one participant who arranged for hiring and payment of contractors said he could easily create a fictitious contractor, submit it as legitimate to the other departments in the organization and pocket the payments.
One member of the focus group was quick to dismiss that as a possibility, explaining that he would need to submit a contract that had been literally rubber-stamped by their legal department, showing they had researched that the contractor was legitimate, before passing it on to payroll. The employee that brought up creating the fictitious contractor responded that all he would need to do is “go down to the copy shop, make a stamp and it would be ok.”
Since it was a physical stamp, there was nothing stopping a determined fraudster from just purchasing another one or creating a forgery. Morang explained that honest, ethical people sometimes can’t comprehend the mindset and determination of someone set on committing fraud. “If [the fraudster] was willing to do that, he could do that,” Morang said. “Those are the types of discussions where everyone is uncomfortable but they’re so important.”
Morang acknowledged it takes nudging and trust to get people to a place where they feel comfortable brainstorming about how to commit fraud. If you’re leading an FRA, stress to them it’s only an exercise and that there won’t be judgement. You need to set the tone by being “creative, honest and as bad as possible” yourself. Asking yourself how you would commit fraud doesn’t need to denote any ethical lapses, and answering that question realistically could end up saving your organization a great deal of money otherwise lost to a creative fraudster.