While the infamous Madoff Ponzi scheme has raised client concerns about the financial stability of service providers, company executives need to examine whether their own risk management practices would be enough to detect internal fraud.
The costs of internal fraud can be significant. In the case of the alleged former Société Générale trader Jerome Kerviel, the damage was almost US$7 billion. Meanwhile, the now disgraced financier Bernie Madoff caused an estimated US$50 billion in losses through fraudulent investment schemes.
Whilst these losses point to a severe vulnerability for financial institutions exposed to such monetary transactions, internal criminal activity is by no means limited to the financial services industry.
A sizeable problem
According to KPMG’s recent Australian Fraud Survey, nearly 45 per cent of the companies surveyed experienced at least one case of fraud during 2008.¹ Having chosen organisations across a diverse range of industries in both the public and private sectors, KPMG reported that the average value of fraud was $1.5 million in 2008.
Consistent with findings from previous surveys, KPMG found that the level of fraud suffered was higher in large organisations. It revealed that 62 per cent of businesses with between 1000 and 10,000 employees experienced at least one fraud, as did 89 per cent of companies with more than 10,000 employees. Rather alarmingly, KPMG also found that the majority of frauds were perpetrated internally (71 per cent).
According to global risk consultancy Kroll, asset misappropriation, accounting fraud and intellectual property infringement were the biggest fraud risks in Australia during 2008.² They also concluded that fraud was prevalent in industries as diverse as construction, healthcare and retail.
The global nature of the modern economy means that risks are rapidly evolving and new types of crime are constantly on the rise.
In the post-global-financial-crisis environment, the risk of internal crime is now likely to be greater than ever. Increasing personal debt levels, social pressure and salary/bonus freezes all provide a fertile breeding ground for internal crime.
At the same time, new technologies have not only made it easier to produce and store an increasing array of company assets, but sometimes also easier to steal and re-sell them.
Assets that are increasingly being held electronically include client data, product designs, staff information, new software, entertainment products and so on.
The ease with which employees can access these assets serves to demonstrate increasing gaps within infrastructure and the difficulties faced by businesses in resolving security issues.
Additionally, the need for continual product innovation has also given rise to new types of fraud in areas not traditionally suspected of crime risk, such as information theft and threats to intellectual property.
There is also an added risk dimension for companies with a multinational presence, as globalisation has meant that crime can often involve more than one jurisdiction. Goods stolen in one country can be offered for sale in another country. In turn, the proceeds may go to a third country and be banked in a fourth.
The usual suspects
According to KPMG, the typical fraudster is a non-management employee with no known history of dishonesty, who is flying beneath the company’s radar. The usual suspect:
- Is a male aged 38 years, who is acting alone
- Has been employed by an organisation for six years and in his current position for four years at the time of detection
- Is motivated by greed and misappropriates cash to an average value of $262,000.

Even where red flags are raised, KPMG says that improper financial gain is usually not detected by the organisation’s internal controls until 11 months after the commencement of the fraud. The organisation usually recovers just 12 per cent of losses.¹
Conflicts of interest
Resource companies help to illustrate many of the latent risks that exist in the corporate world. They provide ample cause for would-be fraudsters because of their remote locations, where access to infrastructure, water, electricity, housing and skilled labour is often limited.
According to a recent Kroll survey, kickbacks and conflicts of interest are commonplace occurrences in this industry, where 92 per cent of companies have experienced some type of fraud and average losses are estimated at $18.1 million.²
The need to bring operations online means that site managers for resource companies are given a high degree of flexibility for finding staff, equipment and support services.
A lack of suppliers in a given area can often lead to site managers favouring certain providers, from whom they might receive kickbacks to secure ongoing business. Likewise, limited supply options can easily give rise to conflicts of interest if left unmonitored – particularly if the decision maker has financial links to major suppliers.
Effective anti-fraud strategies generally require greater investment in financial controls and measures. In addition, companies will also benefit from greater investment in information security as this type of theft, loss or attack is the biggest risk facing not only resource companies but many other industries today.
Of course, investment in physical security and stock control is just as important, given that a significant proportion of the industry also regularly suffers from theft of physical assets, such as stock.
Industries where personal information can be accessed by many parties are especially susceptible to identity fraud risk.
The healthcare sector is a good example given the high concentration of personal information captured about each patient and the large numbers of people who can potentially access it (e.g. doctors, other patients, interns, suppliers, vendors and visitors coming and going at will). Patient records often include names, dates of birth, social security numbers, medical histories, insurance details and sometimes even credit card details.
Theft of such data can have implications beyond financial loss: patients can suffer from insurance eligibility issues, the potential for misdiagnosis due to compromised data, and even the use of stolen information to receive treatment.
Additionally, the practice of outsourcing many services within the healthcare industry – from food preparation to landscaping, maintenance and collections – provides contractors with physical access to large volumes of both paper and electronic patient data. Compounding this risk, the level of background screening and data security maintained by third party providers is often unknown.
For data breaches, the financial cost has been estimated at $197 per compromised record, not including the costs of discovery, response and notification, loss of trust by patients, regulatory fines and damage to reputation.³ Whilst there are financial costs to data theft or loss, there is also a compliance cost that can deter companies from investing adequate resources due to inconsistent state and federal legislation and a diverse range of laws and definitions.
The following practices can be utilised to mitigate these risks:
- Keep centralised records to reduce the number of copies and/or versions of patient records (multiple records increase the likelihood of inappropriate access)
- Restrict access to certain types of information
- Apply time/use limits for data that has been disclosed to third parties
- Conduct ongoing employee training to raise awareness of the problem and encourage the reporting of suspicious behaviour.
Limiting the risks
Companies can avoid and detect criminal activity by undertaking simple activities that address common areas of risk, such as:
- Maintaining adequate financial controls and consistent reporting
- Ensuring a clear allocation of responsibilities and duties among relevant staff
- Preparing sufficient written guidelines and procedures
- Raising general awareness and understanding of fraud risks amongst staff.
These practices not only help companies reduce the risk of criminal activity but can be applied across any industry, allowing risk managers to leverage existing expertise.
Zurich launches Commercial Crime Insurance
Zurich’s Commercial Crime Insurance is designed to cover an extensive range of crime exposures. Tailored for mid to large businesses, it provides protection for companies and their subsidiaries against direct financial losses arising from internal or external (third party) criminal acts including theft, fraud, forgery, counterfeiting or any other act where the intention is to cause a loss in order to seek improper financial gain.
The Zurich wording provides cover for an exhaustive list of losses, such as property, money and financial instruments incurred because of criminal acts. In addition, cover for financial loss is not restricted, with wording provisions capturing the economic value of the financial interests insured.
Key benefits of Zurich’s Commercial Crime Insurance include up to $20 million in policy limits and cover for:
- Forgery, counterfeiting and computer fraud
- Loss of property, money or securities under the care, custody and control of the insured
- Court attendance costs and any interest payable or receivable
- New subsidiaries, as well as run-off cover for ceased subsidiaries.
Optional cover is also available for Business Interruption, contractual penalties, data reconstitution and extortion.
1 KPMG Forensic Fraud Survey 2008.
2 The Kroll Global Fraud Report 2008/2009.
3 Fourth Annual US Cost of Data Breach Study, Benchmark Study of Companies, Ponemon Institute, January 2009.

© Zurich Financial Services Australia October 2009