How to identify and measure the extent of your corruption and procurement fraud risk

Proactive versus a reactive response to fraud and corruption allegations, which would you choose? In trying to understand your financial crime, procurement fraud, and corruption risk, building a risk profile for your organisation including its insider threat is an important starting point to fighting fraud and corruption locally, throughout your organisation and its global supply chain.

Information rules the world

If you are about to build a profile of your organisation risk, you should not only look at internal sources of information but also international assessment of risk that outline the current risks and themes that may impact your organisation. One such source is the Report to the Nations published by the Association of Certified Fraud Examiners.

The ACFE study covered 2505 cases from 125 countries with a total loss of more than $3.6 billion. The average loss per case is $1,509,000. A number of the key findings in this year’s report include:

  • Corruption was the most common scheme in every global region and is the most common scheme across all sectors

  • 43% of schemes were detected by tip

  • 56% of tips were received from individuals that had received formal fraud training compared to 37% without fraud training

  • The 3 primary categories of occupational fraud include asset misappropriation, corruption and financial statement fraud

  • The median duration of fraud, from when it begins to when it is detected is 14 months. 7% lasted over 5 years with the largest median loss

  • Occupational fraud is concealed through creating fraudulent physical documents, altered physical documents, altered electronic documents or files and created fraudulent electronic documents or files

Are these areas that you're currently considering?

The awareness of common fraud methodologies and the controls necessary to detect and mitigate risks is essential in protecting organisation revenues. The key findings of control risks from ACFE included;

  • A lack of internal controls contributed to a third of the fraud

  • More than 40% of cases in the study were uncovered by tips, which is almost three times as many cases as the next-most common detection method

  • Four anti-fraud controls, in particular, were associated with a 50% or greater reduction in both fraud losses and duration; a code of conduct; an internal audit department; management’s certification of financial statements; and regular management review of internal controls, processes, accounts, or transactions

  • 64% of victim organisations had hotlines

  • All sectors are impacted by occupational fraud however sectors with significant values of loss included construction, energy, healthcare, manufacturing, and telecommunications. However, the biggest loss was within this analysis is the mining sector

  • The presence of fraud controls not only reduced the median loss but also the duration of the fraud

  • The primary internal control weaknesses that contribute to occupational fraud, include; the lack of internal controls, override of existing internal controls, lack of management review, and poor tone from the top

The significant value in control measures can't be underestimated, the ACFE research clearly highlights the importance of being able to collect your own data to detect and respond to fraud risk.

Although receiving tips is only one information source in building a risk profile, it is clearly a powerful tool and when linked with staff that receives formal fraud training, the insider threat is clearly identified quicker and financial losses reduced, where your organisation is a target of fraud.


So once you have a clearer picture of your risk, what is the next step? Do you introducing controls to mitigate these identified risks and then sit back and wait to see if they work or do you continually measure their performance? Are your policies and procedures, systems and controls or expertise and capabilities sufficient to mitigate these risks?

To support this risk measurement do you introduce proactive detection techniques such as data analysis or audit to scrutinise the areas of risk that will assist in understanding whether they are a high, medium or low risk.

Do you recognise the value of data, the data that can be used to assess your risk and where to collect it, or how it can be used to drive your short, medium and long term approach to risk?