Please consider the environment before printing this document.

Business Adviser Proactively managing fraud By Dennis Fortnum Canadian Managing Partner, KPMG Enterprise

Our experience shows there is an increased risk of fraudulent activities within private businesses where people hold multiple roles or differing responsibilities, with most internal embezzlement involving someone from within the accounting department. Warning signs of fraud related situations can therefore be that much more difficult to detect within private companies, especially where prevention procedures and policies might not be as rigorously established as within larger organizations. This can lead to a prolonged period of time before a fraudulent event within a company is discovered, on average up to 18 months.

The intent to commit fraud usually derives from an incentive or a personal need. Then, an opportunity to commit fraud needs to be present in order for the act to be undertaken. This can be exemplified sometimes when an employee holds the dual responsibility of bookkeeping and purchasing for example. Finally, fraudulent employees can rationalize and perpetuate their actions by the way they are treated in the workplace, whether those reasons are founded or not.

There are best-practices to prevent fraud that business owners might wish to consider in order to protect themselves and their businesses such as completing detailed background checks of employees, having a code of conduct including articulating clear policies regarding employee theft and repercussions, providing training programs to detect warning signs of fraud, and/or creating a reward system for reporting suspicious activities. Operationally, organizations could also implement the following:

• Analyze and review all expenditures
• Document all expense reports
• Review all bank statements
• Watch company credit cards
• Ensure cash balances are reported accurately
• Conduct frequent physical inventories
• Separate bookkeeping functions
• Audit at various times during the year

In the face of fraud, as with any workplace issue, business owners are advised to be proactive rather than reactive. Pre-establishing prevention procedures and devote time and resources to developing anti-theft policies in the workplace will ultimately help avoid the costly and time consuming process of investigating frauds and irregularities.

The Risk of Fraud Starts with the Bad Guy By James McAuley Senior Vice President, KPMG Forensic, Toronto

Fraud is a problem that has plagued business since people first started trading for profit. As renowned lawyer and judge, Sir Edward Coke said “Fraud and deceit abound these days more than in former times.” It should be added that Sir Coke was renowned before his death in 1634.

For enterprise companies, fraud is an issue that cannot be dismissed because of the close involvement of the owner with all or many aspects of the business. While this oversight can help to mitigate the risk of fraud, entrepreneurial businesses often lack the fundamental controls such as segregation of duties that are so central to minimizing and controlling the risk of fraud.

It is also worth noting that while it is the large frauds that tend to make the headlines, the real scourge for businesses are the smaller frauds that occur with annoying frequency. Whether the problem relates to forging cheques, paying falsified vendors, payroll manipulations or any number of other tried and true schemes, the impact is more than purely financial. The effect of fraud on victim businesses includes the loss of trust in employees, reputational issues, and the diversion of attention and effort from actually operating the business and being successful.

There are many aspects to the reduction of fraud risks. For example, assessing and addressing overt risks, understanding control weaknesses and compensating controls, and ensuring appropriate prevention, detection and investigation strategies are in place can all reasonably be added to the fraud risk agenda. A useful starting point, however, is to understand some of the fraud basics. One of the most fundamental elements is who actually commits fraud.

Over the years, KPMG Forensic has conducted research on this essential topic. Most recently, we published our 2011 global review of fraud trends. In that analysis, we focused on the profile of a typical fraudster. With this information, organizations can become more alert and responsive to fraud.

In our recent fraud report, we reviewed actual and recent fraud investigations conducted by KPMG member firms in 69 countries, including Canada. For the most part, these investigations were not large-scale significant frauds and were not publicized. This research showed that the typical fraudster is:

• Male
• 36 to 45 years old
• Commits fraud against his own employer
• Works in the finance function or in a finance-related role
• Employed by the company for more than 10 years
• Works in collusion with another perpetrator

Unsurprisingly, the overriding motivation for fraud is personal greed, followed by pressures on individuals to reach tough profit and budget targets. The survey highlights, more importantly, how control structures make the opportunity to commit fraud easier.

In the end, there are basic control issues that are fundamental to the addressing the risk of fraud. At the highest level, three broad imperatives are:

1. Tone at the Top – The most senior people in the company need to send the appropriate message and set the right example which must emphasize the conduct which is expected and the actions which are unacceptable. This should be supported by a Code of Conduct that clearly sets out expectations and is formally acknowledged by all employees, preferably on an annual basis. This will set the example for the organization and it will be noticed.
2. Know Your Team – Keeping those who will abuse your trust and take illicit advantage of any opportunities out of your business is critical. To do this, a program of background checks of all new hires is important.
3. Provide the Opportunity to Report Concerns – When fraud is discovered, it is too often found that employees were suspicious that something was amiss but they thought that they had no ability to voice their concern in an unthreatening way. A mechanism to make anonymous and confidential reports can be invaluable.

Beyond these high level issues, control basics are imperative. Segregation of duties, management oversight and well structured policies, processes and procedures will go a long way to reducing risks of fraud, misconduct and error.

Battling fraudsters can get personal for owner operators By John Williams Partner, KPMG Enterprise, Calgary

For independent business owners, fraud is a very real and growing threat. Private enterprises have always been quite vulnerable to fraud because of the nature of their businesses. Many do not have the organizational wherewithal to detect and/or deal with an event, often opting to accept defeat and move on.

This does not mean they are helpless victims. As with any large-scale enterprise, there are measures that can be taken to detect the signs of fraud and mitigate damage within your organization. A recent KPMG study, "Who is the typical fraudster?", looked at 350 investigations into fraud. What it revealed was a “typical pattern” of characteristics and activities on the part of fraudsters. Understanding these warning signs is an integral part of any risk management strategy.

According to the study, the majority of fraudulent acts are either attempts to conceal losses or poor performance or involve the misappropriation of assets (embezzlement or procurement fraud). One interesting thing that comes out of the survey is that that the primary reason for most frauds occurring continues to be the exploitation of weaknesses in internal controls (up to 74% of all cases had weak internal controls). In other words, there has to be opportunity.

Another factor is a very human one: motivation. Fraudsters are typically driven by greed to fulfill a need such as an addiction or financial crisis. Closely tied with that is psychological rationalization. This element needs to be there in order for people to cross the line into illegal activity. For example, they might convince themselves they’re not getting their fair share, or are only “borrowing” funds with the intent to pay them back.

When fraud is perpetrated, more often than not, it’s personal; and because it’s personal, private enterprises can be highly susceptible to significant losses. More importantly, the sense of betrayal can run significantly deeper in an environment in which long-standing employees are also considered close friends.

In our work with private enterprise clients, we see a number of common organizational characteristics that increase the potential for fraud. First, they have not set up internal control systems, either because of lack of expertise, time or simple blind faith. Second, employers tend to develop deeper personal relationships with their employees and are more inclined to trust them with significant responsibilities.

This leads to a third threat. Trusted personnel in private enterprise often work independently, and in many cases, handle a cross-section of functions. A large organization would never have a single person handling mail, deposits and bank statement reconciliation for example. It stands to reason that having a single person control both record keeping and assets increases opportunities for them to take assets and manipulate accounting to cover it up.

So what can a private enterprise do to mitigate the risk of fraud? Following are some best practices that can play an important part in your risk management picture:

1. Don’t have a single person controlling your assets. This practice can place you in a highly vulnerable position and increases the risk of financial fraud significantly. Ensure that banking functions (e.g. deposits, account reviews, etc.) are handled separately.
2. Be vigilant about financial activity. Make sure you have access to e-banking and transfer activity information. Insist upon monthly statement reporting and reviews and ensure that numbers reconcile with sub-ledgers.
3. Do not sign blank cheques. This may seem obvious, but we have seen many businesses using this practice as a means to simplify payables. Monitor who those cheques are going to. Are they companies you know?
4. Perform independent reviews of financial activities and scrutinize the numbers. Over time business owners build up their trust in individuals and stop overseeing these types of activities.
5. Do background checks on new hires. Fraud is not exclusive to long-term employees. There are individuals who make a career of moving between businesses to perpetrate fraud.
6. Watch for the “red flags” with your employees such as a pattern of confrontational behaviour, arrogance, secrecy, signs of stress, tendency to micromanage, blame shifting and intimidation, among others.
7. Don’t let your need to run “lean and mean” lead you to discounting the value of legal advisory services. The right expertise can play an important part in helping help you flag potential threats, implement controls and avoid potential losses.

It is clear that private enterprise is not immune to fraudulent activities. Often these businesses have built a culture based on close personal ties and trust. As such, while the dollars may be smaller, the opportunities for fraud are that much greater, which means the financial consequences can be significantly larger and that much more devastating. Implementing processes and controls can help you avoid disaster without jeopardizing the corporate culture you’ve worked so hard to build.

KPMG Enterprise™ is a network of professionals devoted to helping business owners and entrepreneurs grow thriving enterprises and build value in their business.

For further information about how KPMG Enterprise can help private companies, visit kpmg.ca/enterprise.