Fraud protection should be a priority for businesses

The perpetrators often come from within the firm and are first-time offenders

Most businesses have to contend with fraud, but trying to establish the scale of the problem is not easy.

With many organisations reluctant to admit that they’ve been victims, working out the cost of fraud remains something of a guessing game.

Fraud is wide-ranging and can cover everything from deception, bribery, forgery, extortion, corruption, theft, conspiracy and embezzlement to misappropriation, false representation, concealment of material facts and collusion.

According to the Association of Certified Fraud Examiners (ACFE), the world’s largest anti-fraud organisation with more than 75,000 members, internal fraud alone costs organisations worldwide an estimated 5 per cent of their annual revenues.


Robert Kelly, co-founder and director of FraudEdge, a Dublin-based consultancy that advises on the issue, confirms concrete figures are hard to obtain.

“It is difficult to determine how big an issue fraud is to organisations because there are no concrete statistics available in Ireland.

“There have been a number of surveys carried out by the big accounting firms and by the likes of Isme but most of these studies are focused on reported fraud.

“But I would estimate that probably only about one in 10 cases detected actually get reported, so the figures we hear about are lower than the reality,” he said.

Isme, in its last annual crime survey, found that small and medium-sized Irish companies currently spend about €930 million a year on crime prevention, including measures against fraud.

The group's chief executive Mark Fielding said many SMEs can't afford to fight back properly.

“Resource issues often prevent businesses from employing all the anti-fraud measures they believe would be beneficial,” he said.

“Budgetary considerations are definitely an issue for businesses, particularly as the return on investment, in terms of crimes prevented, isn’t tangible, which makes it difficult to know if the money invested in this area is worthwhile,” Mr Fielding added.

While there may be some uncertainty about how big the problem is, most of those working in the area of fraud prevention and detection are sure of one thing – it is becoming more of an issue.

The Isme survey conducted last year revealed 15 per cent of Irish businesses were affected by fraud compared to 11 per cent a year earlier.

Separately, the PricewaterhouseCoopers Irish Economic Crime survey showed that a quarter of Irish companies surveyed had experienced it.

Despite this, it seems that many companies don’t take the issue as seriously as they might.

“No organisation is immune from the threat of fraud. However, in Ireland, many of them appear to suffer from the mindset of ‘it can’t happen here’.

“Our research indicates that it is inevitable that organisations of all sizes, across all regions and across every sector will be affected by fraud,” said Ciaran Kelly, head of advisory services at PwC.

“Although many Irish organisations are aware of the rising threat posed by fraud, they do not appear to be taking a proactive approach to protecting themselves.

“In fact, some organisations appear reluctant to tackle the threat of fraud, bribery and corruption with proactive steps such as conducting regular risk assessments,” he added.

The most common type of fraud in Ireland, according to PwC, is asset misappropriation and/or stealing, followed by cybercrime.

Mr Kelly said that given the increasing incidence of economic crime and the significant direct and indirect costs of fraud, organisations need to realise that prevention is always better than cure.

“Fraud can have a very damaging impact on a business in a number of ways, including obviously financially but also in regard to reputation, share price, employee morale and relations with regulators and other businesses.

“Given this, it is preferable to stop fraud before it happens, or at worst while it is happening,” he said.

He suggests a number of steps that can be taken to help stop fraud before it becomes an issue including internal audits, whistleblower mechanisms, employee monitoring and management reviews.

With plenty of media coverage of cybercrime, Irish companies are at least aware of the phenomenon, even if they don’t do enough to tackle the problem.

While budgetary factors can have an impact, information security consultant Brian Honan says the rise in online fraud is caused, in part, by sloppiness on the part of many businesses.

“Many companies are still becoming victims to online fraud as they fail to treat risks to their cybersecurity seriously.

“When you analyse the type of incidents Irish businesses become victim to, we see that many of the root causes of them are due to poor basic cybersecurity hygiene,” he said.

Identity theft

Mr Honan cites a number of online fraud examples that companies here have been victim to in recent years, including stealing company data to conduct identity theft, encrypting data and holding it to ransom, and tricking companies into paying false invoices.

He believes Ireland lags other countries in tackling the issue, in part because of the large number of SMEs here that don’t have the skills or knowledge needed to address the problem.

“Issues such as weak passwords, failing to run appropriate anti-virus software, not updating systems with the latest security updates or failing to train staff in how to use systems in a secure manner are all factors that aid fraud,” he said.

While online-related fraud committed by outsiders may be big news, it is by no means the biggest fraud issue.

“Members of staff by their very nature are in trusted positions within companies with access to sensitive data and systems.

“This access can be abused by employees or they can be targeted by criminals to assist them to commit fraud. Given this, it is important that businesses regularly review the level of access staff have to sensitive information and put in place alerting mechanisms to detect when attempts are being made to abuse the access staff have to company systems,” said Mr Honan.

Mr Kelly of FraudEdge is keen to confirm that insiders rather than outsiders remain the biggest threat to organisations.

“Cybercrime is really glamorous and makes all the headlines so we’ve gotten used to the idea of strangers with hoodies trying to hack systems.

“The reality though is that about four out of five frauds committed against companies are done internally.

“Despite this, most companies continue to have an outward looking strategy with regard to fraud and many have a big blind spot when it comes to their own staff,” he said.

“It’s also worth adding that something like 85 per cent of fraudsters are first-time offenders with the standard profile being that of a trusted staff member who is given the opportunity.

“Up to 60 or 70 per cent of the cases I’m involved in occur because a person is given too much power and there isn’t enough segregation of duties,” Mr Kelly said.

The fraud triangle is one of the main theories put forward to explain the circumstances that lead to acts being committed.

Developed by the US sociologist Donald R Cressey, it suggests three common elements – pressure, opportunity and rationalisation – that make a perpetrator able to justify their actions.

According to PwC’s Ciaran Kelly, any business looking to protect itself against fraud needs to consider all these factors.

“Most importantly, organisations should reduce the opportunity to commit fraud by increasing the perception of detection through strong internal controls and building a fraud-resistant corporate culture,” he said.

While acknowledging that financial constraints can make fraud prevention a challenge, he insists that ignoring the issue is not the answer.

“It is always a challenge to prioritise budgets but good risk assessment should ensure it is spent in the most high-risk areas.

“The first step in addressing the issue is being aware of the fraud risks your organisation faces. You cannot control what you are not aware of,” said Mr Kelly.