More than half of UK companies have suffered from one or more cases of economic crime in the past two years, according to the PricewaterhouseCoopers (PwC) Global Economic Crime Survey 2003, published this summer. Most commonly, this took the form of misappropriation of cash or other assets by management or employees.
The vast majority of companies are confident that their internal controls should enable them to prevent economic crime. Yet in almost half of the cases, the survey revealed that accidents and/or tip-offs had been instrumental in detecting the problem. Roughly half of UK respondents said they had formal whistleblowing policies and procedures in place; but while this was twice the global average, given the importance of tip-offs as a means of detection, the other half may be missing a trick.
Looking to the future, around three-quarters of respondents globally thought that the risk of economic crime would remain at least as great as it is currently, with a third or so expressing the view that the prevalence of fraud would increase.
These statistics and others in the survey should be of more than academic interest to business leaders and others with an interest in the fight against economic crime – in fact, society as a whole. Contrary to a still surprisingly prevalent misconception, no fraud is a victimless crime. Depending on its nature and its target, it costs us all dearly as taxpayers, insurance policyholders or consumers. More directly and obviously, it costs individuals and companies that fall victim to it millions of pounds a year. Nor do the costs stop at the direct losses: nearly two-thirds of companies reported a negative impact on staff morale, while a third had suffered significant reputational damage and/or damage to business relationships.
Economic crime is obviously an umbrella term covering a wide range of crime and impropriety, which generally falls into one or more of the following broad categories:
• Misappropriation of company assets: theft of cash or other tangible assets; theft or misuse of intellectual property; or unjust enrichment through the abuse of one’s position within the company.
• Fraudulent financial reporting: manipulation or falsification of financial statements, accounting records or underlying documentation.
• Other legal or regulatory breaches: money laundering, corruption or other breaches, where the acts or omissions of individual employees can render them and the company they work for (and/or its directors) liable to criminal and civil sanctions.
In practice, real cases will often cross the boundaries between these categories – for example, accounting manipulation commonly occurs as a means of covering up the misappropriation of company assets.
As many organisations have learnt the hard way, it pays to be prepared for economic crime before the event. All too often an inadequate or ill-considered early response can turn a drama into a crisis. At best, not knowing in advance who should be doing what can lead to indecision and delay; at worst, it could exacerbate an already difficult situation by compromising potentially vital evidence, breaching a suspect’s rights or otherwise jeopardising the company’s chances of making recoveries and/or pursuing a successful prosecution.
While the details of a fraud response plan will be tailored to the nature, size and needs of the individual organisation, the key elements should include: clear reporting lines with one person in overall charge; predetermined roles for key individuals or departments (for example, internal audit, in-house counsel, HR) within the organisation and for any external advisers as may be necessary; and clear guidelines for all those likely to be involved as to what should and should not be done.
In anything but the most straightforward cases, the early involvement of lawyers, whether in-house or external, and forensic accountants can only be recommended. The interaction between the two will determine the success or otherwise of the investigation. An effective response to fraud nowadays requires the safe negotiation of a minefield bristling with, on the one hand, legal and regulatory issues such as human rights, data protection and employment and anti-money laundering law and, on the other hand, increasingly sophisticated business, accounting and IT processes. In addition, the appropriate involvement of lawyers should help to ensure that the investigation is covered by legal professional privilege.
Agreeing on an initial investigation strategy and scope is vital. Issues to be considered will include: what is already known about the case and what needs to be done to corroborate (or otherwise) the known allegations; who is involved; what sources of information will be used; what else may have gone wrong; who (if anybody) does the company need to report the matter to and what will be required in order to do so? As the investigation progresses, the case strategy may need to be adjusted in light of additional findings.
Other practical points for consideration include:
• How to manage the potentially large amount of documentary and data evidence. Leaving this sort of decision until too late could result in considerable inefficiencies, or worse, loss of valuable evidence. Not only for larger investigations, serious consideration should be given to establishing an electronic document management system into which documents can be scanned and machine read by optical character recognition (OCR). OCR enables documents to be searched for particular names, words or phrases, which makes it a potentially powerful and highly efficient investigative tool, and not simply a clever way to store documents.
• Timing and content of interviews. Timing can be crucial and in certain circumstances it may be difficult to go back to an interviewee for a second time. Lack of preparation and not having the right documents to put to the interviewee can lead to a wasted opportunity, as it may not be possible to challenge their assertions.
• Use of computers as a source of evidence. Company computers can reveal a great deal, including data that users have deleted, but they must be handled carefully. You are likely to need specialist help with this, as special hardware and software are required to take a forensic image of the hard disk without tainting the evidence it may contain. Many do not appreciate that simply turning a computer on can alter and even erase data, which may in turn jeopardise the investigation and actions leading from it.
• Use of data mining techniques. Data mining involves taking selected company data (usually large volumes) and sorting and filtering it to identify potentially suspicious patterns of transactions. This is a particularly important method where either there are general suspicions of fraud but no actual cases have been identified at the outset, or there is a concern that the frauds so far identified may be symptomatic of a more widespread problem (the ‘tip of the iceberg’ syndrome). Well-designed and focused data mining can hugely reduce the amount of work required to identify additional instances of certain types of fraud and increase the level of assurance that all instances have been identified.
Some final thoughts
The occurrence of fraud in any form can cause massive disruption and cost, the diversion of valuable management time and considerable collateral damage. Although the risk of fraud can never be eradicated, it can be mitigated. Any company can usefully ask itself the following (by no means exhaustive) list of questions:
• Is the culture of the company conducive to the reduction of fraud risk, ie are management and employees motivated to behave with integrity, or must they simply ‘make the numbers’ come what may? Do bonuses and other incentive schemes strike the right balance in motivating high performance but not financial manipulation?
• Has the company recently undergone a top to bottom assessment of its fraud risk exposure?
• Does the company have a formal fraud response plan?
• Does the company have formal whistleblowing procedures that are well publicised and promoted internally?
• Does the company have a written code of ethics with guidance on conflicts of interest and clear statements about the consequences of ethical breaches and other impropriety?
• Does top management set the tone by publicising and promoting the above and leading by example?
• Have past cases of fraud been adequately dealt with, in particular in terms of sending out the right messages to others within and outside the company?
• Are employees appropriately screened before they join the company?
If the honest answer to any of these questions is ‘no’, then remedial action should be considered.
Will Kenyon is a partner in the fraud investigations team at PricewaterhouseCoopers Forensic Services