Post-mortem of a fraud – what small and large companies do differently
I believe that each instance of fraud provides companies with an opportunity to reassess their entire fraud defense. Some would call this continuous improvement; others would view it as a best practice. Whatever you call it, fraud defenses must be reviewed, tested and re-engineered on a regular basis. Waiting for fraud to happen, then scrambling to implement controls after the fact, makes very little sense. In the airline industry it is called “Tombstone legislation” – someone has to die for changes to be made – only in this case it is small companies that are “dying”. Large companies live to fight another day. At least most of the time – even when the losses are in the millions…
Things to do on first day with new employer:
Turn up on time – check
Find desk and log in to computer – check
Figure out way to embezzle $1 million…
If the reports are to be believed, when Brenda L. Jones started working with Sirius XM Radio she almost immediately embarked on a fraud scheme that resulted in a seven-figure loss. A co-conspirator with the mysterious initials “VP” was not indicted (any guesses why they were not indicted?).
What makes this fraud particularly interesting is the size of the victim company. Sirius XM Radio is not a “Mom & Pop” company with limited resources to deploy in the fight against fraud. Yet they suffered a huge loss. Had this fraud happened at a small company, it is highly likely that they would have been forced into bankruptcy.
I am often asked to detail the size of company that I help fight fraud. My answer is small, medium and large – they all need help! Fraud happens at companies of all sizes and many of the best practices are applicable regardless of size.
Over the course of a year, fraud losses at a large company will typically exceed losses for a small company. But on a per-incident basis, there is very little difference. To illustrate the point, take a look at the graph below from the Association of Certified Fraud Examiners 2010 Report to the Nations. There really isn’t that much of a difference between the median loss at a small company (fewer than 100 employees) and losses at companies with more than 100 employees. With that said, a $155,000 fraud at a small company can close the doors. A $164,000 fraud at a Fortune 500 company is a blip on the radar.
The biggest difference between how fraud is handled at small and large companies can be found in the post-mortem process:
Not surprisingly, the post-mortem at a large company is focused on preventing the fraud from happening again. Often, employees who failed to uncover the fraud are disciplined or terminated. If the company has an internal audit function, it is often asked to prepare a report that details the control failures and provides recommendations to avoid a similar fraud in the future. Management of the operation where the fraud took place is expected to implement, and subsequently own, the changes to the internal control environment. Invariably, the fraud will receive a nickname and over time, the mere mention of the fraud will either silence a room or result in embarrassed chuckles. No one wants to see that fraud happen again.
The post-mortem at a small company is an entirely different matter. Instead of internal audit reviewing the situation and recommending improvements, the owner or senior executives normally dive in and do their best to understand what really happened. The entire company – not just the department where the fraud took place – is on tenterhooks. They literally don’t know whether they will have a job next week. A law firm is normally involved in some shape or fashion and their mere presence sends concerned employees scurrying up and down the corridor looking for someone to tell them what is happening.
Quite simply, the stakes are not the same for large and small companies.
I believe that the post-mortem process at most companies is in need of an overhaul. Very rarely do small or large companies do anything more than deploy controls to stop exactly the same fraud that they just experienced from happening again. That’s understandable. “Scope creep”, “trying to boil the ocean”, “not trying to solve world hunger” are all euphemisms for “don’t over-engineer the solution”.
I agree that it is important to solve the problem at hand. With that said, it is almost guaranteed that a company will experience more than one fraud in its lifetime. Subsequent frauds may duplicate a previous fraud, be a variation on a theme, or something entirely brand new. Will your company be ready?
As for Sirius XM Communications, I am sure the post-mortem process is over by now. I wonder what they did to stop a similar fraud from happening in the future? Anyone want to bet that they expanded the post-mortem process to include an assessment of fraud risk within the entire accounts payable department?
paul@mccormackwrites.com