Fighting Fraud: A Shared Responsibility
Introduction
In March 2024, the Association of Certified Fraud Examiners (ACFE) released Occupational Fraud 2024: A Report to the Nations (report). The cases in this report were submitted by Certified Fraud Examiners (CFEs) throughout the world who each responded to the ACFE’s 2023 Global Fraud Survey, answering a detailed questionnaire with 86 questions about one fraud case they investigated between January 2022 and September 2023. Drawing from 1,921 occupational fraud cases investigated by CFEs, this 13th edition of the ACFE’s study presents statistical analyses related to the methods used to commit, detect, and prevent occupational fraud, as well as the fraud perpetrators, the organizations they victimized, the losses those organizations suffered, and their responses to the frauds.
In this blog, we explore what this report means for all stakeholders with a responsibility for fighting fraud.
Checks and balances
Before diving into the report, it is important to understand the system of checks and balances in our U.S. capital markets. In a recent survey conducted by the Center for Audit Quality (CAQ), we found that investors have an overall positive view of corporate reporting in the U.S. – believing that the system of checks and balances that is in place delivers reliable information. This has not always been the case. In the early 2000s, public confidence in the U.S. capital markets was notably undermined. A series of significant frauds at large public companies resulted in corporate giants like Enron and WorldCom collapsing, with devastating losses for employees and investors. In the wake of these calamities, there was public debate to understand what went wrong and what needed to be done to restore public confidence in our capital markets and protect investors.
The result was definitive legislative action that resulted in the near unanimous approval of the Sarbanes-Oxley Act of 2002 (SOX). These provisions recognized that audit quality was not solely the responsibility of auditors, and that no one stakeholder in the U.S. financial reporting ecosystem alone could produce both high-quality financial reporting and high-quality audits. Rather, it takes regulators, company management, audit committees, and external auditors all working in concert. Over two decades since its passage, SOX is recognized around the world for its effectiveness in promoting trusted financial reporting and high-quality audits.
A series of significant frauds at large public companies resulted in corporate giants like Enron and WorldCom collapsing, with devastating losses for employees and investors.
Fighting fraud takes everyone
High-quality financial reporting and high-quality audits depend on all stakeholders in the financial reporting ecosystem. Similarly, protecting companies and investors from fraud requires the collective effort of all stakeholders. Gurbir Grewal, Director of the Securities and Exchange Commission (SEC) Division of Enforcement has stated that “restoring trust requires more than SEC enforcement actions. We must all work together to ensure companies are following the rules. When gatekeepers are living up to their obligations they serve as the first lines of defense against misconduct.”1
Fraud detection
In the ACFE’s 2024 Report to the Nations, the most common way a fraud came to light was through a tip from a whistleblower (43% of cases). The next two most common sources of fraud detection were internal audit (14%) and management (13%). External auditors detected fraud in 3% of the cases in the ACFE’s study. Some may look at this statistic and question whether auditors are fulfilling their responsibility to detect a material misstatement as a result of fraud. As CPAs, we know how much effort our profession puts forth to fulfill their professional responsibilities, including designing and executing audit procedures that are responsive to the assessed risks of material misstatement from fraud. We also know that even the highest-quality audits are only one component of a comprehensive anti-fraud program. In fact, external auditors are the last line of defense in many cases, due to the timing and scope of their engagements. So, to us, 3% of fraud cases being detected by external audit means that our system of checks and balances is working. In other words, a number much higher than 3% would mean companies are not taking the layered, proactive steps necessary to prevent and detect frauds.
As CPAs, we know how much effort our profession puts forth to fulfill their professional responsibilities, including designing and executing audit procedures that are responsive to the assessed risks of material misstatement from fraud.
Active fraud detection methods
To further explore the role and effectiveness of various fraud detection mechanisms, the ACFE report analyzes the median loss and duration of frauds based on how they were uncovered. Their findings emphasize that proactive fraud detection efforts are essential to protecting against fraud risk in general. Active detection methods — such as thorough management review, account reconciliation, and surveillance/monitoring — are associated with much faster detection and much lower fraud losses than passive detection methods (e.g., the perpetrator confessing, or the victim being notified of the fraud by law enforcement). Organizations can dramatically reduce the impact of fraud by implementing internal controls and policies that actively detect fraud.
With active detection methods being so critical to early detection, companies have invested billions of dollars in systems to support strong fraud risk management programs that include internal controls and policies to achieve that goal. According to one report, companies spent up to $44 billion globally on fraud detection and prevention programs in 2023.2 As the ACFE report shows, programs that support internal parties detecting fraud — whether through employee tips, management review, or internal audit — increase the likelihood that the fraud will be detected sooner and minimize the losses incurred. When the external auditor is the one identifying the fraud, it often means the early detection methods have not worked, and it is likely the fraud has gone on for a longer duration, resulting in higher losses to the company and ultimately investors.
A closer look at frauds detected by the external auditor
New in this year’s study, survey respondents who selected that the fraud was detected by the external auditors were asked, “Through which audit procedure(s) did the external auditors first discover the fraud?”
Standard audit procedures
More than half (58%) of the respondents where the fraud case was identified by the external auditor noted that the fraud was detected though standard audit procedures. Maintaining professional skepticism throughout the audit helps auditors remain vigilant to indicators of a possible misstatement due to fraud. The evidence that auditors gather throughout the audit does not always corroborate the anticipated results or available information. Disconfirming evidence obtained might also provide reasons to question the results or information. Check out this resource, Skepticism in Practice, from the Anti-Fraud Collaboration (AFC) to learn more about maintaining professional skepticism.
The evidence that auditors gather throughout the audit does not always corroborate the anticipated results or available information.
Fraud inquiries
The next most common way external auditors discovered frauds was through fraud inquiries (33%). Auditors should approach fraud inquiries with professional skepticism and consider ways to enhance their inquiries.
- Consider who should be part of the fraud inquiry. Some research suggests that fraud inquiries conducted by two auditors can influence deceptive members of management to talk more freely and perhaps make them more likely to reveal information related to fraud.
- Consider when to conduct the inquiry. There is research that suggests interviewees are more likely to “let their guard down” in inquiries that take place later in the afternoon when they are tired.
- Consider resources available on common fraud schemes to enhance the auditor’s assessment of fraud risk, which can also assist the auditor in designing and performing fraud inquiries responsive to those common fraud schemes. In addition to the ACFE’s Occupational Fraud 2024: A Report to the Nations, auditors can look to Mitigating the Risks of Common Fraud Schemes: Insights from SEC Enforcement Actions from the AFC, which analyzes 531 accounting and auditing enforcement action releases (AAERs) related to financial statement frauds. This study provides observations on higher-risk areas susceptible to common fraud schemes.
The value of audits in the fraud landscape
In addition to examining how frauds were detected, the ACFE report explores the anti-fraud controls that were in place at the victim organization when the fraud occurred. External audits of the financial statements were the second most common anti-fraud control (84% of cases), surpassed only by a code of conduct (85% of cases). The ACFE also took a closer look at how the presence or absence of various anti-fraud controls related to the median loss and duration of the frauds in their study. Organizations that included external audits as part of their anti-fraud programs had losses that were 52% smaller and caught frauds twice as fast as organizations that did not undergo audits. This further reinforces the value of high-quality audits as part of a comprehensive approach to managing fraud risk.
Conclusion
The AFC is dedicated to advancing the discussion of critical anti-fraud efforts and developing resources focused on enhancing the effectiveness of financial fraud risk management. The ACFE’s report is a valuable tool to understand fraud that has been perpetrated, how it was detected, and the ultimate impact of the fraud schemes. We agree with Paul Munter, SEC Chief Accountant, Office of the Chief Accountant, who has stated, “Auditors are gatekeepers and therefore the importance of their responsibilities with respect to the identification of risks of material misstatement due to fraud and the detection of material misstatements in the financial statements due to fraud should not be underestimated.” This year’s ACFE report confirms that external auditors do identify fraud. It also confirms that companies with active and holistic programs to detect instances of fraud can minimize the duration and losses of fraud. All stakeholders can benefit from understanding the findings in the ACFE’s report and what it means for their role in fighting fraud.
Endnotes