2018 ACFE Fraud Report to the Nations (Key Findings)

By Charles Hall | Fraud

Here are key findings from the 2018 ACFE Fraud Report. The survey is titled the 2018 Report to the Nations.

Every two years the Association of Certified Fraud Examiners (ACFE) issues a fraud report based on hundreds of actual fraud cases. The report provides great insights into how fraud occurs (the method), the persons stealing (the fraudster), and the damage (the amount of losses). 

If you are an auditor (internal or external), then you need to be familiar with the findings in this report. Understanding how theft occurs will enable you to detect and prevent it in the future.

Here are key points from the report.

2018 ACFE Fraud Report Findings

0 shares

Share0

Tweet0

• Organizations lose 5% of their revenues to fraud
• The median duration of a fraud was 16 months
• The median loss per case was $130,000
• The median loss per case when owners or executives were involved was $850,000
• Businesses with a 100 or fewer employees suffered a median loss per case of $200,000
• Businesses with more than 100 employees suffered a median loss per case of $104,000
  
• In 40% of the cases, tips were the initial detection method (53% of the tips came from employees of the organization; 32% of the tips came from vendors, customers, and competitors)
  
• Fraud losses were 50% smaller for organizations with fraud hotlines
• Only 4% of the fraudsters had a prior fraud conviction
  
• Occupational fraud was committed in the following categories: (1) asset misappropriation (89%), (2) corruption (38%), and (3) financial statement fraud (10%) -- in some cases, the fraudster used multiple schemes
• The median losses were (1) $114,ooo for asset misappropriation, (2) $250,000 for corruption, and (3) $800,000 for financial statement fraud
  
• 70% of corruption cases were committed by someone in a position of authority
  
• 82% of corruption cases were committed by males
  
• 50% of corruption cases were detected by a tip
• Internal control weaknesses led to nearly half of the fraud
  
• Small businesses typically have fewer anti-fraud controls than larger organizations, leaving them more vulnerable
• Data monitoring/analysis and surprise audits were correlated with the largest reductions in fraud losses and duration (yet only 37% of victim organizations implemented these controls)
  
• A majority of the victim organizations recovered nothing
• Fraudsters that were with the company for more than five years stole an average of $200,000
  
• Fraudsters that were with a company for less than five years stole an average of $100,000
  
• The industries with the highest levels of fraud were (1) Banking and Financial, (2) Manufacturing, (3) Governments, and (4) Health Care
  
• The departments with the highest level of fraud were (1) Accounting (14%), (2) Operations (14%), (3) Sales (12%), and (4) Executive/upper management (11%)
  
• 69% of frauds were commented by males with a median loss of $156,000 (the median loss from female thefts was $89,000)
  
• 61% of the fraud cases involved someone with a university degree or postgraduate degree
  
• When one fraudster was involved, the median loss was $74,000
  
• When two fraudsters were involved, the median loss was $150,000
  
• When three or more fraudsters were involved, the median loss was $339,000
  
• Living beyond their means was the primary behavioral red flag (41% of cases) 

89%

of fraud from asset misappropriations

Get Your Free Copy of ACFE Report

You can download the full ACFE Report to the Nations here. It's free.

Join the ACFE 

I have been a member of the Association of Certified Fraud Examiners since 2004. Why? Because I want to be a better auditor. And I have found that the ACFE has given me a much greater understanding of how fraud happens and how to prevent it. The organization has made me a much better auditor. Consider joining this organization. (You can join without becoming a Certified Fraud Examiner (CFE), though I recommend doing that as well. Learn more about becoming a CFE.) You'll be glad you did.

CPA Hall Talk Fraud Articles

For more information about fraud, see White Collar Crime is Knocking at Your Door. There you will see a list of fraud-related articles that I have written.

Fraudulent Payments Without Being on the Signature Card

By Charles Hall | Asset Misappropriation

Today I show you how bookkeepers can make fraudulent payments without being on the signature card.

Auditors often focus on authorized check signers when considering who can fraudulently disburse funds. But might it be possible to make payments without being on the bank’s signature card? The answer is yes. 

Courtesy of a DollarPhoto.com

Fraudulent Payments without Being on the Signature Card

Here are a few ways to disburse funds without being on a signature card:

1. Forgery
2. Unsigned checks
3. Wire transfer 
4. Electronic bill pay 
5. Signing checks with accounting software 
6. Use of a signature stamp

1. Forgery

Since banks don’t usually inspect checks as they clear, a forged check will normally clear the bank.

2. Unsigned Checks

Again, since banks don’t normally inspect checks as they are processed, an unsigned check can clear the bank. (I saw one just last month.)

3. Wire Transfer

Many times–at the client’s direction–banks wire money with just one person’s approval. One nonprofit administrator stole $6.9 million in less than an hour because of this control weakness. 

I have also seen small-town business bookkeepers drop by a local bank and ask them to wire money. Banks, desiring to help their client, sometimes do.

Businesses should use the controls offered by banks. Otherwise, they might be on the hook for fraudulent wires.

4. Electronic Bill Pay

Anyone with the right passwords can make electronic bill payments to themselves or anyone else.

5. Signing Checks with Accounting Software

This one scares me the most.

Many businesses, in an effort to expedite the disbursement process, have authorized signatures embedded in the payables software, enabling the payables clerk to make a payment to anyone. If the payables clerk has access to check stock (and they usually do), watch out. Even if a second person is normally involved in processing checks with automatic signatures, how easy is it for the clerk to go by in the evenings and make fraudulent payments? This danger increases if the payables clerk also reconciles the bank account. Why? No second person is reviewing the cleared checks.

6. Use of a Signature Stamp

I cringe every time I see a signature stamp. Why not just ask the authorized signer to just sign plenty of blank checks? (Yes, I am being facetious.)

Just last year I worked on a case where the bookkeeper wrote manual checks to herself but entered payments in the general ledger to legitimate vendors for the same amounts. Why? To mask the payments.

Recipe for Disbursement Fraud

Give anyone (1) the ability to sign checks, (2) access to blank check stock, and (3) the ability to make the bookkeeping entry, and you have the recipe for theft–particularly if that same person reconciles the bank statement or if the person reconciling the bank statement does not examine the payee on cleared checks. If you can’t segregate duties (there are too few employees), here’s how to lessen segregation of duties problems in two easy steps. 

How to Audit Accounts Payable

Click here for detailed information about how to audit accounts payable and expenses.

Corporate Account Takeover (the Importance of Using Bank Security Procedures)

By Charles Hall | Accounting and Auditing , Fraud , Local Governments

Some thieves gain control of company bank accounts using a corporate account takeover scheme. And with that control, they steal money. Below you’ll see how this type of theft occurs.

On March 17, 2010, cyber thieves hacked into the computers of Choice Escrow and stole the login ID and password to their online banking account. With that information, the thieves were able to submit a $440,000 wire transfer from Choice Escrow’s bank account to an account in Cyprus.

Courtesy of istockphoto.com

When Choice Escrow and the bank were unable to resolve their differences, Choice Escrow filed suit. The back-and-forth legal battle lasted until March 18, 2013, when a court ruled the loss was the responsibility of Choice Escrow. A major determining factor in the decision was Choice Escrow’s refusal of the dual control security mechanism offered by Bancorpsouth Bank. According to Article 4A of the Uniform Commercial Code, if an institution offers a reasonable security procedure to a commercial customer and that customer turns down that security procedure, then the customer is liable in the event of a loss.

Bancorpsouth Bank offered dual control to Choice Escrow twice. Not only did the bank offer this security feature to Choice Escrow, but Bancorpsouth also documented the customer’s refusal to use the security feature. The documentation of the customer’s refusal of the security features was a determining factor in this case. From a bank’s perspective, this case underscores the importance of a written agreement with commercial online banking customers and, more importantly, the importance of documenting the security procedures offered to those customers. From a user’s perspective, the case highlights the need to use the security procedures offered.

Corporate Account Takeover

Corporate account takeover is a term which has become more prevalent over recent years. Generally speaking, corporate account takeover occurs when an unauthorized person or entity gains access or control over another entity’s finances or bank accounts. This usually results in the theft of money in the form of fraudulent wire transfers or ACH transactions.

These fraud schemes first began to be noticed in 2005 but have since become much more widespread and frequent. Recent statistics have revealed that the fraudsters carrying out these schemes are actually becoming less successful in getting money out of a bank account. This reduction is due to both increased efforts on the part of the financial institutions, as well as better education of the customer to help them avoid becoming a target.

Usually, the financial institutions themselves are not the targets of the attack but rather the corporate customers of the institution. Using malware, social engineering, and various other methods, the fraudster obtains information about the customer’s online banking credentials. Once the online banking credentials have been obtained, a request for wire or ACH transfers is placed by the thief. Any business may be targeted for these types of attacks, but those at risk mostly are small businesses, governments, and nonprofits who have limited resources to protect against such threats.

Three Powerful Receipt-Fraud Tests (for Auditors)

By Charles Hall | Asset Misappropriation

Useful Governmental Internal Controls that You Need Know

By Charles Hall | Fraud , Local Governments

Below I provide useful governmental internal controls that you need to know.

Why am I providing this list of useful controls? Most small governments struggle with establishing sound internal controls. So, the list provides a foundation for preventing theft in your government. While not a comprehensive list, I thought I would share it.

Many of the internal controls listed below are also pertinent to nonprofits and small businesses as well. You will find this same checklist in The Little Book of Local Government Fraud Prevention (available on Amazon) which provides many more fraud prevention ideas.

I am providing general fraud prevention controls and then transaction-level controls for:

• Cash receipts and billing
• Cash payments and purchasing
• Payroll

Useful Governmental Internal Controls

General Internal Controls

1. Have bank statements mailed directly to someone outside of accounting; recipient should peruse bank statement activity before providing it to accounting
2. Perform surprise audits (use outside CPA if possible)
3. Elected officials and management should review the monthly budget to actual reports (and other pertinent financial reports)
4. Map internal control processes by transaction cycle (preferably done by a seasoned CPA); once complete, provide the map to all employees involved in the cycle; when control weaknesses exist, institute additional controls (see 11. below)
5. Use a whistleblower program (preferably use an outside whistleblower company)
6. Reconcile bank statements monthly (have a second person review and initial the reconciliation)
7. Purchase fidelity bond coverage (based on risk exposure)
8. Periodically request from the government’s bank a list of all bank accounts in the name of the government or with the government’s federal tax I.D. number; compare the list to bank accounts set up in the general ledger
9. Secure computer access physically (e.g., locked doors) and electronically (e.g., passwords)
10. Do not allow the electronic transmission (e.g., email) of sensitive data (e.g., social security numbers) without the use of protected transmission technology (e.g. Sharefile); create policy and train staff
11. Where possible, segregate who (1) authorizes transactions, (2) records transactions, (3) reconciles records, and (4) has custody of assets; when segregation of duties is not possible, require documented second-person review and/or surprise audits

Transaction Level Controls

Cash Receipts and Billing Controls

1. Use a centralized receipting location (when possible)
2. Assign each cash drawer to a separate person; require daily reconciliation to receipts; require second person review
3. Deposit cash timely (preferably daily); require the composition of cash and checks to be listed on each deposit ticket (to help prevent check-for-cash substitution)
4. Immediately issue a receipt for each payment received; a duplicate of the receipt or electronic record of the receipt is to be retained by the government
5. A supervisor should review receipting-personnel adjustments made to accounts receivable
6. Do not allow the cashing of personal checks (e.g., from cash drawers)

Cash Payments and Purchasing Controls

1. Guard all check stock (as though it were cash)
2. Do not allow hand-drawn checks; only issue checks through the computerized system; if hand-drawn checks are issued, have a second person create and post the related journal entry
3. Do not allow the signing of blank checks
4. Limit check signing authorization to as few people as possible
5. Require two employees to effectuate each wire transfer
6. Persons who authorize wire transfers should not make related accounting entries
7. Require a documented bidding process for larger purchases (and sealed bids for significant purchases or contracts); specify procedures for evaluating and awarding contracts.
8. Limit the number of credit cards and the chargeable maximum amount on each card
9. Allow only one person to use an individual credit card; require receipts for all purchases
10. Require a street address and social security or tax I.D. numbers for each vendor added to accounts payable vendor list (P.O. box numbers without a street address should not be accepted)
11. Signed vendor checks should not be returned to those who authorized the payment; mail checks directly to vendors
12. Compare payroll addresses with vendor addresses for potential fictitious vendors (usually done with electronic audit tools such as IDEA or ACL)

Payroll Controls

1. Provide a departmental overtime budget/expense report to governing body or relevant committee
2. Use direct deposit for payroll checks
3. Payroll rates keyed into the payroll system must be supported by proper authorization in the employee personnel file
4. Immediately remove terminated employees from the payroll system
5. Use biometric time clocks to eliminate buddy-punching
6. Check for duplicate direct-deposit bank account numbers
7. A department head should provide written authorization for overtime prior to payment

Your Recommendations

What additional controls do you recommend? Share your thoughts below.