KPMG International’s “Global Profiles of the Fraudster,” based on input from forensic professionals worldwide on 750 fraud investigations in 81 countries, is a fascinating – and chilling – read. Now in its third edition, it includes many eye-opening findings, including the use of technology to perpetrate fraud – and shockingly little evidence that technology as a tool is effectively detecting fraud. Phillip Ostwalt, KPMG’s head of global investigations, discusses this and other key takeaways from the fraudster report below. His remarks have been edited for length and style.
MCC: Tell us about your background as it relates to your role as head of global investigations at KPMG.
Ostwalt: I started in public accounting with a small firm, but then found forensic accounting nearly 25 years ago. Initially, it was more of a litigation support/expert witness type of role, but increasingly I began to turn my attention toward corporate internal investigations. There was a lot of need from companies in the early 2000s for assistance with issues related to financial reporting, and that quickly moved into areas such as backdating stock options and regulatory-related issues. For a number of years, a lot has been happening related to the FCPA [Foreign Corrupt Practices Act]. It’s much more of a global environment now, and over 60 percent of our large investigations have a cross-border element.
MCC: How did the fraudster study come about?
Ostwalt: A lot of our client work concerns misconduct and misappropriation. That indicated to us that it would be interesting to look at our work and the fraudsters we are investigating, and to identify some of the characteristics and traits of those individuals. Initially, we focused on demographics, but we learned they don’t necessarily change a lot. So we became more interested in examining what was contributing to the fraud. What was the environment at the company? How much emphasis was being placed on controls and ethics and compliance programs? What enabled the fraud to occur? How was it detected? At the end of the day, if you understand how the fraud is perpetrated, you can feed that back to companies to help them prevent fraud from occurring in the first place.
MCC: What’s been the biggest change in the face and the nature of fraud since the first fraudster study in 2010?
Ostwalt: The fundamental characteristics of the fraudster haven’t significantly changed. Fraud is still mostly committed by males, though female participation has been increasing – up from 13 percent to 17 percent. In the investigations we do at KPMG, we find that fraudsters are mostly middle-aged and senior-level, except when technology is the principal enabler. Then we’re seeing a younger fraudster emerge. Collusion is much more prominent than frauds involving individuals going at it alone. The reason is that control structures have improved as companies addressed the requirements of Sarbanes-Oxley and other regulations. The only way you’re going to perpetrate a fraud is by working with someone else.
The impact of technology has been interesting. People using technology to perpetrate a fraud by, for example, sending an email disguising themselves to extort money from the company, or simply abusing access to computer systems, now accounts for 24 percent of all frauds. On the other hand, only 3 percent of frauds were detected using technology.
MCC: That’s quite a gap.
Ostwalt: A huge gap and a wake-up call for companies rightfully investing in analytics, but the question needs to be asked whether they are doing it the right way or deploying the right routines.
MCC: What developments in technology are being used to detect, prevent, and mitigate damage? Are you seeing a lot of positive momentum?
Ostwalt: There are tremendous things happening. Some are working well, and some have yet to be fully realized.
Regarding analytics, we feel there is a need to not just rely on the routines that come off the shelf but to customize routines. There needs to be continuous monitoring and learning processes, evaluating not only what is happening at your company but also at peer groups. Then adopt routines to fit whatever those risks might tell you.
I’m encouraging companies to consider doing fraud and other compliance risk assessments as frequently as every 90 days. We’ve begun to build libraries of routines – standardized and, in many cases, very specialized, based on our experience in investigations and helping companies proactively fight fraud.
We also look at third-party suppliers, distributors, and even joint venture partners. Technology is now enabling companies to monitor those integrity risks on a more regular basis, if not on a continuous basis. That’s a very positive trend in terms of the use of technology.
Another area is insider threat analytics – the rise of insiders and how they can cause more damage than they once did. Companies are asking if they can head off and prevent a problem before it occurs. They can start by looking at a combination of transactional and behavioral analysis, such as when they enter and exit the building or access their email, and then combine that data with public record information, such as when people change addresses, when they get married, when they acquire assets or start a new business venture. If you combine it all, you can begin to identify changes in an individual’s profile that might flag an issue sooner than if you wait for somebody to report it.
MCC: The study shows that a sizable amount of fraud is opportunistic. What are the opportunities enticing those who might not otherwise engage in fraudulent activity?
Ostwalt: It’s when the control structures are not as strong as they should be, or when there is a weakness that can be exploited. This is often in areas at the forefront of corporate strategy. For example, the company is deploying new technology such as a new ERP system or a new accounting system. You want to get the benefits of that new system, but you have to reevaluate your controls and conduct another risk assessment. Or when a company goes global, either by acquisition or moving into a new market, that’s going to raise a whole new set of fraud risks.
The regulatory environment has its own set of requirements necessitating new controls. Companies have limited resources to put toward their control structures. As new regulations come into place, companies need to comply. That may take away from your ability to monitor and detect more of the traditional fraud issues.
MCC: What are some of the most effective controls and processes you’ve seen? Take us through the steps an organization that wants to do a great job should be taking.
Ostwalt: You start with an understanding of what your risks are, and you do it regularly. Don’t do it just once a year. Begin to build a regular cadence. We’re beginning to see many more companies establish compliance functions. It may or may not be a part of the legal function, and they’re investing in the people and the systems to manage their compliance function, and it’s really beginning to transform the risk environment. I’ve even seen a couple of companies that, as part of their management training program, rotate people through the compliance program. That really underscores the criticality of compliance.
As you’re doing those risk assessments, bring in legal, bring in internal audit, bring in members from operations, bring in senior management. Get a broad perspective from a host of people. Do some brainstorming around where opportunities might exist or what they’re seeing out in the field.
Develop a culture of open communication and transparency around the issues of fraud and misconduct. Encourage people to raise their hand and report. We continue to see that the number one means of detection of these issues is through whistle-blowers or others who bring an issue to the attention of others in the company. Nothing beats setting the right tone at the top. If that’s in place, and you have executives with high integrity and they’re talking about the importance of ethics and compliance, there’s a direct correlation to preventing and detecting these types of activities.
MCC: Are there better and worse ways to make sure that happens?
Ostwalt: You must have multiple ways of communicating when something is detected. Many companies have formal whistle-blower programs so people can report anonymously, but that’s only one channel. What you really like to see are people who will take it to their supervisor without concern about retaliation or retribution. When a company has a whistle-blower line, but they’re also encouraging employees to raise their hands and go to their managers, that’s what you like to see. Something’s happened right within the culture of that company – probably setting the right tone from the top.
What really can make a difference in an organization is making sure that when something is reported, there is a very thoughtful response. You see a lot of things reported into whistle-blower lines, and people who monitor these lines will tell you, “They’re not worth following up on.” You have to stop and consider why that was reported. It may not seem like a big deal to the company, but it might be a big deal to the person who reported it, and may require some level of follow-up. You need experienced people calling on the right resources internally and externally to come up with a plan to follow up whenever an allegation is made. That’s key for companies that want to effectively manage fraud.
MCC: Are there characteristics of collusion and the groups that come together to perpetrate frauds?
Ostwalt: We looked at collusion with someone inside the organization and outside, and the one that really stands out to me in this area is the female fraudster, who is more likely to go it alone. There was also a huge correlation between the cost of the fraud and the number of colluders. Obviously, if the fraud is occurring for a longer period of time, it is more costly to the company. We began to refer to it as “the fraudster on steroids.” It’s the fraudster who has found ways to work with insiders and outsiders to circumvent the controls for a long period of time, and those are just the frauds that you detect. You don’t know about the frauds that you haven’t detected.
MCC: You talk in the report about the interplay between fraud and corruption. Describe the nature of fraud as opposed to the nature of corruption.
Ostwalt: Corruption is largely where a company is making a bribe for business, or there’s a kickback to obtain business and gain a competitive advantage. When we looked at corruption versus other frauds, there was a much higher proportion (51 percent) of executives involved as opposed to typical fraud, and corruption usually lasted longer before it was detected. In 63 percent of the instances, it had gone on three years or more, whereas in a typical fraud it was 47 percent.
The final point is that whistle-blowers and tips are by far the main means by which corruption is detected, as opposed to management review or detection by external auditors. It’s usually off the books, so the traditional audit is not going to catch it. Management review’s not going to catch it. It’s going to be up to somebody blowing the whistle.
MCC: I’m a CEO or a CFO, I’ve read your report, and I’m chilled. What’s my most important takeaway, and what can I do to act on it?
Ostwalt: Be vigilant. It’s surprising when I look at the results every year and see how many of these fraudsters in our profile are members of senior management. They have been with the company for over six years. Many of them are well regarded, they’re considered friendly within their organization, and it’s the last person you would ever expect is perpetrating the fraud. The largest fraud investigations I’ve worked on occurred in a segment of a business or in a market that is experiencing high growth rates. They’re contributing significant dollars to the bottom line, and because of that, they’re being left to their own devices. There’s one matter that I can recall in which a company acquired a business and it was the most profitable business out there. Internal audit was told, “Pass on that division this year. They’re doing really well. There’s nothing we need you to look at.” Well, guess what. The numbers weren’t real.
If I’m that CEO or CFO, and I sense there’s a part of my business that’s going better than what I expected on a regular basis, that’s where I say stop, pause, and consider, particularly if somebody brings up any hint of a concern. Deal with it when you see it. Don’t let it sit around. Be mindful. Be careful.