“Should someone, whether it's Internal Audit, or anyone else for that matter, actively be looking for the red flags of fraud and corruption…even when there are no current suspicions? And when the red flags are discovered, is this good or bad news for management?”….
When I first came to work in Norway in April 1989 in Norsk Hydro Internal Audit they definitely knew about fraud (we had just had a rather big one in Metals Trading), but I can’t say it was a topic on management’s or internal audit’s agenda. Fraud and Corruption was seen as an isolated incident, a one-off rarity. We most certainly did not go out there looking for it.
Today, I think in Norway, and most other countries, there is an acceptance that fraud and corruption is pretty commonplace. Most people, especially internal auditors, know it happens. Fraud is an ever present factor in most organisations. And depending on which surveys and studies you want to believe, the true cost of fraud and corruption can be measured and lies somewhere between 1 and 5% of sales.
As Michael J Comer remarked: “S**t happens and so does fraud”.
At a recent Nordic conference in Oslo a colleague and I were holding a session for a group of IT-risk professionals on how to detect the red flags of fraud and corruption in transaction payment streams. It was an interactive session and the 40 or so participants were constantly challenged to be able to spot fraud in realistic data-files of payments and on documents. In this competitive atmosphere I thought that they managed rather well. At the end I asked them the question “How many of you think there should be someone in your organisations looking for red flags like you have just done now?” I was a little surprised when only ONE person put his hand up. Later on it dawned on me that they were probably afraid of the next question… “should it then be them?”
When I ask this question answers vary from “Yes we should really do it, but the management won’t be so pleased”, “we are aware of it and should be able to spot it if we come across it” (which is not really the same thing), to “it’s not our job to poke our noses around… people may think we are the police….”.
To be fair, I can sympathise with all of these responses. I mean, who really wants to have the job of delivering “bad news”? Would the conversation at the start of this article ever really happen? Would John, the top guy, really be able to see that the discovery of potential fraud and corruption in their own organisation, by his own organisation, was good news for the senior management?
Just before Christmas I worked with Internal Audit in a Scandinavian financial company. They wanted to study where internal controls were being abused and along the way we discovered (together with them) about 30 examples, big and small, where it looked like they were being defrauded - suppliers overcharging them, deals with front companies and conflicts of interest.
Bad news or Good news? If YOU were the senior manager receiving this sort of news would you be genuinely pleased that someone had found all these things and told you that there was probably a lot more. Would you immediately THANK the internal auditor?
Or how would you actually feel? Ambushed? Angry? Defensive? Would you feel uncomfortable that someone else had “interfered in your affairs”. Anyway if there was something going on then of course you would have found it?
In reality when someone tells us something which does not match up with what we want and expect to see, we experience what psychologists call “dissonance”. We are not hearing pleasant news and it does not agree with what we WANT to believe, so we need to find ways to deal with it.
What happens is that we try to find ways to rationalise that “there must be some logical explanation”, or that “the auditor is wrong”, or that “it can’t be true because no one has ever spotted it before”. The list of possible excuses we could find can go on and on. If we don’t want to see something and if we are not looking for it, then we will most probably NOT see it.
There is this famous experiment called “The Monkey Business Illusion” by Daniel Simons. It’s been used hundreds of times to demonstrate that people tend to focus on what they think they SHOULD be looking for. You are asked to watch a basketball game and are supposed to count the passes made by the team in WHITE. It’s just under a minute long and most people come up with the right answer, which is SIXTEEN passes. Excellent. But then the presenter asks you “Did you spot the gorilla?” About half of the audiences I have seen are rather surprised by this question, but when we replay the video we see that this HUGE GORILLA actually walks onto the court, waves at everyone and walks off. It’s not a real Gorilla of course, it’s someone in a gorilla suit, but the point is over half of us don’t even SEE IT. And there are several other things that happen around the game which we don’t notice either.
The message is, if you are not specifically looking for the gorilla (or fraud for that matter) then you probably won’t see it. When I ask senior management the question “if there was big fraud, then they would expect the auditors to find it?” the almost overwhelming answer is “yes, I would expect my auditors to spot it”. When I ask them if they mean internal or external auditors, then they often reply “any auditors”. Try asking your management the same question.
I believe that there is a simple paradox: We are all much more aware that fraud and corruption happens around us, but we would like to believe that it does not happen to us. So why should anyone bother to look?
Over the past 2 years I have been recording in my notebook some of the very valid reasons why companies prefer not to go out and look for the red flags. Here are my “top seven” reasons:
1. We are so swamped by a “tsunami” of new rules and regulations which we have to comply with, we don’t have time for much else.
2. We have established a hotline or whistle blower line as our detection apparatus.
3. It’s not the job of the internal auditor to go out and detect fraud (even if we know that it happens) – it’s our job to ensure that there are controls to detect fraud. Management are aware of fraud and corruption, we have a code of conduct and have developed procedures. If there were fraud, then management should be detecting it.
4. It does not feel comfortable going out and detecting fraud – people would see us as if we were the police, or even worse “Sherlock Holmes”.
5. We do not have the skills to look for fraud and corruption, we have tried but we did not find it last time.
6. If we found lots of red flags, we would feel that we were compelled to investigate them – that would just swamp the organisation and cause lots of fuss and disruption.
7. It may, as you say, be easy to find red flags – finding hard evidence is virtually impossible.
Given these valid reasons it’s not difficult to understand why over the past 25 years I feel I have seen an actual decrease in the desire to look for fraud and corruption - it’s just not a job worth taking!
Getting started looking for red flags is, in fact, rather easy. When I start looking for fraud in any organisation, one of the first things I do is to sketch out a picture of where I think the simplest frauds will be and how I could find them. Sometimes just letting your imagination fly is the best way. Here is an example of one of these pictures. Please excuse the fact that it’s hand-drawn. Sometimes I like to be a little more free from the constraints of technology.
And while there isn’t an easy answer to the conundrum “since there is probably lots of fraud out there how should we look for the red flags of fraud?”, I think there is a way to get there, one which will both enhance the standing and reputation of Internal Auditors with management and also protect them from being seen as the “bringers of bad news” or worse “the secret police”. But first some common ground rules need to be established.