If fraud were a virus, almost everyone would be slightly ill
The annual Global Fraud Survey, commissioned by Kroll and carried out by the Economist Intelligence Unit, polled more than 800 senior executives worldwide from a broad range of industries and functions in July and August 2010.
Of the respondents, 88% report that they had been hit by at least one type of fraud in the past year, a figure broadly similar in every region and consistent with those of previous years.
Record-setting, headline-grabbing scams, such as the Madoff or Satyam frauds, can give a false impression of fraud's financial impact on business. The most successful pathogens do not kill the host, but live off them. Of course, huge, company-destroying losses do occur, but they are very rare. More typical are smaller losses over months or years.
In isolation, this appears to be good news. The frequent repetition of small losses, however, can create a significant problem in aggregate. In the past, this report has presented the figures for an average overall fraud loss, but such a figure is less instructive than it might seem: levels of loss are closely associated with the size of companies. Instead, it is more meaningful to report losses as a proportion of income. By this measure, the take of fraudsters from business rose by more than 20% in the last 12 months, from $1.4 million per billion dollars of sales to $1.7 million.
Fraud, then, is only rarely an acute disease threatening the whole body. It is frequently, however, a widespread virus that, while usually draining limited resources from the host, is always ready to flare up when the opportunity arises. And like a virus, fraud is constantly mutating, and can, if left unchecked, become life-threatening.
This year's Global Fraud Survey digs deeper than previous years to offer an insight into the sources and impact of fraud and the perceptions of senior business executives around the world. The findings highlight several key trends.
Theft of information and electronic data surpass all other frauds for the first time
Information theft has become the most common form of fraud. In previous Global Fraud Surveys, the theft of physical assets or stock has always been the most widespread fraud by a considerable margin. In 2009, for example, 28% of companies surveyed reported suffering physical theft, while the next most common fraud – management conflict of interest – affected only 20%.
This year, however, information theft, loss or attack has become, by a small margin, the most commonly reported fraud. It is not that fraudsters are switching away from other methods: the increases and decreases in other categories are of the sort that could be expected in this type of survey. Rather, information theft grew significantly. Such growth is never uniform across the economy. Information-rich industries such as Financial Services, Professional Services, and Technology, Media and Telecoms itself are the most likely to be hit.
However, the problem is far from isolated. The survey suggests that things may get worse before they get better. Information theft or attack is the type of fraud to which respondents are most likely to describe their companies as vulnerable (37%). Again, their concerns are not isolated. This type of crime is regarded as the greatest weak spot for three of the 10 industries covered in the survey – Financial Services, Professional Services, and Natural Resources – and the secondgreatest for three more – Construction, Technology, Media and Telecoms, and Retail.
Corporate information technology systems are increasingly under threat
Criminals have always targeted physical assets because they are present in almost all companies, are frequently simple to steal, and have a tangible value which makes them easy to convert to financial gain. The increasing prevalence of information technology has made the same attributes increasingly true of data.
The rise in information theft and attack is best understood as part of a more general problem of the exploitation of information systems by criminals. Poorly defended technology is increasingly easy to exploit for fraudsters with ever more advanced tools of their own, ranging from sophisticated hacking to a simple memory stick that can let a disgruntled employee walk into the office and walk out with details of the company's most valuable intellectual property.
Of course, not all information theft is digital. Mishandled paper can reveal as much as mishandled data files. Nevertheless, the pervasiveness of information systems shapes the context of the theft. This year's survey shows how far technology has become an issue for those fighting fraud. Respondents report that the complexity of information infrastructure is the single most widespread factor in raising exposure to fraud, cited by 28%. Moreover, when respondents were asked which of a series of 10 elements were involved in frauds they had suffered in the last year, the two most common elements were technology-related: phishing attacks (20%) and the increased use of technology (18%).
As elsewhere, this is a cross-industry issue – these two responses were the top answers in five of the 10 sectors surveyed. Anonymous email allegation, another increasingly common fraud element, will be closely observed as a result of the new US Dodd Frank Act, which requires the Securities and Exchange Commission (SEC) to reward whistleblowers. This growing technological challenge, however, is not eliciting as large a response as might be expected. In the coming 12 months, 48% of companies expect to spend more on information security. Although that figure makes this the most common field of anti-fraud investment, it is actually down from 51% from last year.
Fear of fraud is dissuading a significant number of companies from going global
In the survey, 48% of respondents indicate that fraud has deterred them from engaging in business in at least one foreign country. Nearly two-fifths (39%) of respondents list at least one type of fraud that had dissuaded them from doing business in a foreign market, and 36% name a country or region where their experience or perception of fraud had deterred them from operating.
The issue affects small and large companies alike. The breakdown of respondents by revenue for those companies which fraud had dissuaded from investing was the same as that for the survey as a whole. This is not merely a developing world problem: 7% of those surveyed say that fraud has dissuaded them from operating in North America. Nevertheless, its biggest impact is on emerging economies. Fraud has deterred 11% of those surveyed from doing business in China and Africa, and 10%, in Latin America. These respondents manage risk by simply staying out of these three regions, even though they may present a large investment opportunity.
Moreover, developing countries appear to have more issues to clear up. In our survey, respondents were asked to rank the types of fraud that had dissuaded them from entering certain markets. Twice as many types were listed for developing regions than for North America and Western Europe. Globally, the leading worry is corruption. It has dissuaded 17% of all businesses – and 37% of those who have in fact been deterred – from investing somewhere.
Consistent with the other findings in the survey, information theft is also an important concern, ranking second with 9% of all respondents and 19% of those deterred citing it as the reason not to invest.
Although corruption is the most important deterrent to investment in every region, the impact is far from universal. Corruption was named by 63% of respondents as the main reason for not doing business in Africa and by 59% for avoiding Central Asia. By comparison, only 21% of those who were dissuaded by fraud from doing business in North America list corruption as a leading reason.
In most geographies information theft is the second biggest deterrent to investment, but that varies widely, from 7% in Western Europe to 31% in neighboring Central and Eastern Europe. China, where fraud deterred the most respondents, faces a range of challenges rather than a single, overwhelming issue. Corruption and information theft are the two most widespread issues (34% and 33% respectively), but concerns about intellectual property, a long-standing worry for those operating in the country, were a leading factor for 23% of businesses dissuaded from doing business there.
Clearly, many companies are willing to go into emerging markets knowing the risks: 21% believe that their exposure to fraud has increased because of entry into new, riskier markets in the last year. The survey also found, however, that fraud is exacting an economic price by causing companies to pass on potential opportunities, especially in underdeveloped and emerging economies.
Companies are unprepared for increasing regulatory efforts against corruption
The Foreign Corrupt Practices Act (FCPA) used to be a quiet backwater for United States law enforcement officials. Those days are now long gone. Between 2005 and 2009, the US Department of Justice brought more than 60 FCPA cases – more than during the entire period from 1977 to 2005. Every sign points to continued acceleration of this trend: early in 2010, 130 open cases were under investigation, their targets ranging from large corporations to small private concerns.
American authorities have even begun using sting operations as an FCPA enforcement tool. This development has global consequences. Not only does the Act cover foreign activity by US persons and companies, it defines the latter category very broadly. Of the 47 fines handed out in 2008 and 2009, 19 hit non-US companies. Operations, share listings, American Depository Receipts (ADRs), and even having United States nationals as board members can potentially open companies up to liability for actions anywhere in the world. Siemens, for example, reached a settlement for activities in South America with the Department of Justice (DOJ) and BAE Systems for behavior in Africa.
Meanwhile, the reach of the UK's new Bribery Act is in theory longer and wider than that of the FCPA, covering the global activities of every person or company doing any business in the UK. It not only prohibits bribery, but covers failure to prevent bribery by persons associated with the company anywhere in the world in both the private and public sectors. UK authorities are unlikely to be any less vigorous than American ones in enforcement of their laws.
The survey indicates that too few companies fully understand the current regulatory situation. Businesses with a link to the United States or United Kingdom are very likely to fall under one of these acts. However, of respondents whose firms had operations or a presence in one of these countries, only 36% believe that these laws applied to them; more than one-quarter believe that they would not, and 37% were not sure. Smaller companies might have more excuse, but the figures for the largest firms are not much better. For those with annual sales of over $10 billion, 43% understood that they were covered by one of the acts, and 30% were uncertain.
Not surprisingly, then, only a minority of companies are addressing the regulatory risks that accompany more vigorous FCPA enforcement and the advent of the Bribery Act. Among respondents with operations or a presence in the United States or UK, only one-third believe that their senior managers are thoroughly familiar with the legislation. Just 42% say that they have assessed the risks and set in place the necessary monitoring and reporting procedures. Most of the rest are uncertain, but about one-quarter (24%) say that they have not. Finally, fewer than one-half (47%) are confident that they have the controls in place to prevent bribery at all levels of the operation, and 16% of respondents are sure that this is not the case.
Just because a company knows that it is subject to the FCPA or Bribery Act, it does not automatically follow that it is fully-equipped to comply with them. Of the respondents who believe that one or both of these laws definitely applies to their firms, only 40% say that their senior management understands them, and 32% believe the opposite. While 46% say that their company has done a detailed assessment of their exposure to risks associated with non-compliance to the acts, 29% report that they have not.
The only real difference between those who know they are subject to the legislation and the rest of the survey seems to be a greater tendency to steer clear of the problem. Companies with links to either the United States or the United Kingdom need to review their legal position and controls in order not to fall afoul of more aggressive anti-corruption enforcement.
Fraud is most often an inside job
Employees are the people who have the best knowledge of a company. Unfortunately, this also means that dishonest employees know what there is of value, how it is protected, and the best way to circumvent that protection. In our survey, for those companies that have been affected by fraud in the last year and the culprits identified, the most common fraudsters are equally junior employees (22%) and senior ones (22%). When agents and intermediaries (11%) are added in, the proportion of fraud carried out by those who work for the company in one way or another goes well above half.
The finding is remarkably consistent across geographies, with the proportion of frauds carried out by agents, junior or senior employees falling between 50% and 60% in North America, Europe, and Asia-Pacific. It hits its highest figure at 71% in the Middle East and Africa, and the lowest it goes is only 42% in Latin America, where customers are the single biggest fraudsters.
Similarly, that proportion also falls within the 50% to 60% range for most industries, the only exceptions being consumer goods (45%), construction (46%), and professional services (72%). Some differences between industries do exist. In financial services, for example, a notably high proportion of customers are key perpetrators of fraud (28% compared to a survey average of 10%). Consumer goods companies, meanwhile, suffer 40% of their frauds at the hands of vendors and suppliers, more than twice the survey average of 18%.
The broader message of the survey here, however, is an unpleasant one. Whatever the sector, if a fraud occurs, the culprit is more often than not likely to be one of the people working with you.
