Commercial crime is a massive global problem and one that can often remain undiscovered for years. Statistics are hard to come by, especially as it is often a loss that companies do not wish to be publicized. Financial Lines insights (6.12MB/pdf)
According to the Association of Certified Fraud Examiners, the figures are extraordinary: survey participants from 106 countries estimated that the typical organization loses 5% of its annual revenue to fraud*. Applied to the estimated 2009 Gross World Product, this figure translates to a potential global fraud loss of more than USD 2.9 trillion. Nearly a quarter of the frauds involved losses of at least USD 1 million.
Ways to spot crime within your business
Commercial crime takes many different forms. It may arise internally through employee fraud or theft, or externally with criminal gangs and cyber thieves. Past experience shows that there is an increase in criminal activity during an economic downturn, and companies should be extra vigilant about the possibility of employee fraud, especially where redundancies, cost savings, and salary freezes are being implemented.
There are some classic risk indicators that companies should be aware of, though clearly caution should be exercised before considering whether fraud is taking place:
- Employees over-stressed, working late, reluctant to take holidays.
- Employees with unexplained wealth or living beyond apparent means.
- Increase in customer or supplier complaints.
- Subsidiary results ‘too good to be true’.
- Close relationship between individual employee and contractors/suppliers.
Beating the criminals
criminals Overseas offices
Commercial crime often takes place well away from the head office, often in small subsidiaries and overseas offices, where the local manager may have considerable power, legally and/or culturally. There is also the potential problem of using ex-patriots from head office as managers where they do not fully understand how the local business works, or the local language and culture. It is, therefore, important not to forget about remote subsidiaries when it comes to internal auditing, as well as ensuring compliance with the corporate policies, especially in relation to approvals and authorities.
Another area that requires careful attention is where part of the business, a subsidiary or a division, is doing extraordinarily well, to the point where senior management or the board of directors decide simply to let them carry on and often will ignore warning signs from internal auditors.
An example of this, which involved the collusion of senior management at a subsidiary of a major listed business, saw the alleged theft of in excess of USD 25 million over more than five years, which was overlooked by internal audit, partly because the subsidiary had been expanding and was extremely profitable.
Segregation of duties is an absolute necessity but it doesn’t always happen. ‘One person approves, another person executes’ should be the rule, but all too often there are situations where individuals have been able to approve and execute on their own.
Often, it is about simple prevention measures. For example, in the case of the employee in a finance department who obtained the pass codes for online banking for all his colleagues, which had been left in an unlocked desk drawer. He personally only had access to the system for small payments, but because he had the pass codes for others, no approvals were required, and over several years he stole around USD 5m. Thorough reference checks for potential employees who will have responsibility for stock and/or money can reveal issues.
Lots of companies will have whistle-blowing policies but they need to convince their workforce that these are meaningful. Allegations have to be properly investigated for the policy to be effective. And there must be no negative outcome for a whistle blower whose allegations are established to be unfounded when the whistle blower acted without malicious intent.
External fraud – customers and suppliers
As far as external threats are concerned, one area that is a concern is where individuals/companies purport to represent genuine suppliers or customers, and defraud the company. Companies need to be vigilant, and it is vital to check out potential suppliers and customers to ensure that they are who they say they are. It is all too easy to establish fake websites, premises, phone lines and so on. A change in bank account details for a supplier should always be carefully checked.
In one case, thieves stole the identity of businesses with excellent credit ratings. They then placed an order for a large number of mobile phones, which ended up in Africa and racked up a large amount of airtime costs.
Investigating the crime
Investigating the crime
Crimes obviously need to be investigated either internally or by the police, to ensure that companies know and understand exactly what has occurred.
The decision to reveal to employees and externally is difficult. Employees, suppliers and customers may have heard rumors and if a company has been cheated in a fraud it may want to show the market, as well as employees, that it won’t be tolerated. Because of the potential risk to reputation, it is important to have a crisis management plan in place which includes a media response plan.
It is vital to think about protecting recovery rights as soon as the crime is uncovered. One issue is whether to notify the police, because with their involvement there is the potential to lose control over the investigation and, more importantly, lose control over the recovery action.
Identifying where the money has gone can be difficult. Many companies will automatically turn to lawyers and/or auditors, but this can involve huge costs. Companies should ensure that they obtain a basic cost benefit analysis before progressing with recovery action. In one recent case, a company that was looking to recover from an employee who stole several million pounds incurred legal, investigation and forensic fees of more than GBP 700,000.
The message is that just because you have had a loss, it doesn’t mean that you can’t recover some of it. But think carefully before engaging lawyers and auditors.
While commercial crime is a sensitive issue, it does not mean that it should be ignored or covered up. Discovering commercial crime is often simply a matter of luck, but there is still much that corporates can do to deter criminal activity. And where a crime has been committed, there are measures that can be taken to mitigate the risk and perhaps recover some of the loss.