One of the most interesting documents that comes across my desk each year is the Global Study on Occupational Fraud and Abuse published by the Association of Certified Fraud Examiners (ACFE). The 2018 study (which can be downloaded at the bottom of this post) contains an analysis of 2,690 cases of occupational fraud. The objective of the study is to compile detailed information about occupational fraud cases in 5 critical areas:
- The methods by which occupational fraud is committed
- The means by which occupational frauds are detected
- The characteristics of the organizations that are victimized by occupational fraud
- The characteristics of the people who commit occupational fraud
- The results of the cases after frauds have been detected and the perpetrators identified
Occupational fraud is committed against organizations by their own officers, directors or employees. Highlights from the 2018 ACFE report include the following:
- Small businesses lost almost twice as much per scheme to fraud. The median loss for businesses with fewer than 100 employees was $200,000, while the median loss for businesses with 100+ employees was $104,000.
- Internal control weaknesses were responsible for nearly half of frauds. The study indicates that organizations can reduce the impact of fraud by pursuing internal controls and policies that actively detect fraud, such as management review, account reconciliation and surveillance/monitoring. Organizations that do not actively seek out fraud are likely to experience schemes that continue for much longer at a higher cost.
- There is a valuable list of common anti-fraud controls on page 27 of the study (Fig. 17). The most common is a code of conduct. Fraud training for employees, fraud risk assessments and whistleblower hotlines also appear on the list.
- Performing background checks on employees reduces fraud. Interestingly, of the organizations in the study that ran a check before hiring the perpetrator, 10% were alerted to a red flag regarding the perpetrator but chose to hire the person anyway.
- There is a valuable list of the characteristics of fraud perpetrators on page 45 of the study (Fig. 38). The list includes living beyond one’s means, financial difficulties, “wheeler-dealer” attitude and refusal to take vacations.
Use Case for Service Organizations Receiving SOC 2 Reports
For service organizations that receive SOC 2 reports, the ACFE fraud study can be a useful tool for addressing Common Criteria CC3.3 / COSO Principle 8: “The entity considers the potential for fraud in assessing risks to the achievement of objectives.” To meet this criterion, companies should specifically address fraud in their risk assessments and risk management programs. The ACFE study can be an effective starting point for CC3.3: it is a good way for organizations to identify the WCGWs (what could go wrong) related to fraud and to design their risk assessments and risk management programs to address the relevant WCGWs.
A copy of the full ACFE Report can be found here: 2018-report-to-the-nations