Quebec executives greatly underestimate the risk of corporate financial fraud

Right from the start, our survey results indicate a distinct underestimation of fraud risks throughout Quebec. Eighty percent of survey respondents believe the risk of financial fraud within their company is low to moderate. Only 20 percent rated their perceived fraud risk as high.

Owners were the most likely to believe their business was at a high risk of fraud — understandable given their stake in the business and personal investment in its success — still, only 30 percent expressed such concern.

Perhaps most surprising is not that the perception of fraud risk drops when speaking with non-owner executives, but by how much. Only around 15 percent believe their organization is at high risk, fewer than half compared to owners who have a monetary investment in the company.

While one might think experience is the best teacher, these survey results suggest longer tenure seems to encourage complacency rather than vigilance. Both the older a survey respondent was, and the longer they reported occupying their current position, the lower they rated fraud risk and the less they tended to believe it’s getting worse. The younger and newer a respondent was to their role, the more they believed fraud risk to be both high and increasing. 

Looking in the wrong direction

Another eye-opening discovery is the mismatch between the types of fraud survey respondents are most concerned about versus those businesses are most likely to encounter.

First, we can point out that very few respondents rated their risk above seven out of 10 in any category. With an average weighted score of five out of 10, respondents rated theft of intellectual property (i.e., data breach, corporate espionage, etc.) and misconduct at work (e.g., abuse of power, harassment, etc.) as the highest perceived risk. However, depending on the environment and particular industry, these are not necessarily the most common types of fraud perpetrated when compared to industry research, historical MNP engagements, or survey responses of impacted businesses.

According to historical data such as the Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations, that distinction usually belongs to embezzlement — which respondents rated as having the lowest perceived risk, with an average weighted score of 3.9 out of 10. This plays out somewhat in the survey data, where embezzlement occurred most often among those businesses that had previously experienced a fraud incident (39%).

MNP Forensics Manager Simon Gaudreau has personally observed several examples of misappropriation of funds through employer payroll systems. “I’ve seen employees create false profiles to receive a second payment — as well as fraudulent overtime claims, which had not been verified,” says Gaudreau. He also notes recent cases where employees have been paid more than 24 hours in a day.

Theft of confidential information / intellectual property and fraudulent disbursements tied for second most common confirmed fraud, with each occurring 32 percent of the time. Interesting to note the survey respondents rated the latter on the lower end of the risk scale at a weighted average of four out of 10.

“These misconceptions about fraud put companies at risk, as they increase the likelihood of blind spots and gaps in anti-fraud management,” says Bloom. “On average, fraud-related losses account for 5 percent of a company's revenue, according to ACFE estimates. Companies need to educate themselves on where they’re vulnerable, and the necessary measures to address these higher probability frauds."

There appears to be a divergence between the respondents’ perception on misconduct at work, tied for the highest perceived risk (5 out of 10), and survey respondents’ experience with this type of fraud — as it was the least frequent type of event that affected companies who were aware that they’d been victims (only three percent of victim organizations). Here, however, we tend to agree with the respondents' perceived higher risk ranking. Our current experience shows this type of event is currently very present and tends to inflict a lot of stress on the workplace.

Lacking context on peer-evaluated risk

Respondents are overwhelmingly (though perhaps not surprisingly) more likely to rate their own fraud risk lower than that of their competitors or other lines of business. This result squares with social sciences research on illusory superiority effects (i.e., people resist the belief they’re average or faring worse than the average) and is also consistent with a previous MNP study in which the respondents also felt fraud was worse elsewhere.

Compared to competitors, nearly two thirds of survey respondents (60%) believe they share a comparable level of fraud risk and 20 percent think their own fraud risks are lower than their competitors. Similar results were gathered from the perceived risks in other line of business, where 81 percent of respondents believe their fraud risks are equivalent or lower. This indicates respondents tend to allocate higher fraud risk elsewhere rather than within their own reach. 

"People tend to mistakenly think fraud is someone else's problem," says Bloom. "Everyone thinks it's somewhere else: 'It's not here.' They think it's worse at the competitors. Even within a company, you sometimes hear the opinion that it's worse in another service line."

The data also indicates the larger a company is, the lower they believe their comparative risk to be. For businesses with fewer than 100 employees, roughly a third (32%) believed their fraud risk to be lower than the fraud risk of other lines of business. Confidence jumps to 46 percent for those with between 100 and

Downplaying the impacts of the pandemic

Given the sweeping changes precipitated by the COVID-19 pandemic — remote workforce, layoffs, technology transformations, new business models, logistics upheaval, etc. — one would expect an uptick in the overall perception of fraud risk. This was indeed the case, with more than a quarter (27%) agreeing their business is more risk exposed now than it was at the outset of 2020.

Somewhat surprising, however, is more than half (57%) don’t believe their fraud risk has changed at all — and nearly one in five (16%) believe they’re at a lower risk than before. These perceptions don’t align with either the ACFE study, which found more than half of organizations have reported an uptick of fraud since COVID, and the experience of MNP’s Forensics team.

“In the early days of the pandemic, companies were forced to let go of some of their employees,” says Bloom. “Some of these employees were performing fraud control duties, which then fell between the cracks."

“We’ve also seen new loopholes emerge through the adoption of remote working — especially with digital signatures,” says Gaudreau. "Companies are at a far greater risk of a false signature or a contract signed by the wrong person," Gaudreau says.

Given the overall lack of risk assessments and reporting mechanisms in place (more below), much of the apparent disconnect may be attributable to businesses failing to re-evaluate their fraud risk in a COVID and post-COVID environment.

Incidents of fraud don't align with perception of fraud risk

Perhaps most telling of all is the story that emerges when comparing how businesses self-assess their fraud risk and their past experiences with fraud in the business. It seems the businesses which are most likely to rate their fraud risk as high are speaking from experience, while those who have not detected a fraud are more unaware rather than invulnerable.

Recall that 80 percent of businesses believe they are either at a low or moderate risk of financial fraud: Only 62 percent of respondents can definitively say they have not been the victim of financial fraud in the past. Another two in five businesses either do not know (9%) if they’ve been a victim, or suspect they have but cannot say for sure (12%).

Based on our historical findings, more than one in five companies has indeed been a victim of financial fraud in the past. Moreover, MNP fraud experts are also unanimous in believing the actual proportion of financial fraud is potentially far higher than reporting data suggests, as numerous frauds have gone either undetected or unreported.

Of the 17 percent of businesses that have detected a past fraud, 59 percent of incidents took place within the last three years, and more than half have experienced more than one reported incident

Low fraud preparedness

Despite the high degree uncertainty about past or ongoing fraud incidents we saw in the previous section, almost four (78%) in five businesses believe they’re in a good position to either detect, deter, or respond to an incidence of fraud. On a ten-point scale, respondents rated their internal controls rather favourably, at an average of 7.3. Almost a quarter (23%) ranked their preparedness between nine and 10 (most favourable), while close to half (47%) self evaluated at between seven and eight.

Only six percent self assessed as having significantly ineffective controls (i.e., one to four) — which is particularly striking when compared to the 10 percent who couldn’t provide details on the measures their business is taking to prevent financial fraud.

Nearly half (46%) of those surveyed admitted they’re not currently performing any fraud risk assessments — with one in four (26%) saying they’ve never performed an external review of their fraud risks, and another 25 percent saying they haven’t performed one in the last 12 months.

Driving this point home is two thirds (64%) of those who performed a fraud risk assessment within the last year also rated their fraud risk as high — more than triple the global survey rate, and more than double the average rate among business owners. 

Mismatch between tactics and best practices

Audits and verifications were the two most cited measures to detect and counter incidents of fraud: One in five (18%) respondents indicated they work with outside CPAs to conduct audits and verifications. A similar number (18%) indicated they have double approval and verification systems in place or have daily verification controls (17%) to determine where money is flowing.

However, these measures alone are insufficient when viewed through both the lens of MNP’s experience, and the ACFE report which reveals external audits only account for about four percent of all detected frauds.

We must remember the primary responsibility for the prevention and detection of fraud rests with management. While auditors play a key role, their responsibility lies in obtaining a reasonable assurance that the financial statements are generally free from material misstatement — whether caused by fraud or error. Audits and verifications performed by external auditors are not, in and of themselves, a proper means to detect fraud.

What best practices are the most effective? The ACFE study found more than two in five (43%) incidents of fraud are detected as a result of tips. Yet only one in five (20%) respondents have a reporting mechanism in place to receive such information, and fewer than one in 10 (9%) have a detection or surveillance system to flag suspicious activity.

Remember again, 80 percent believe they’re at a low or moderate risk of fraud and 83 percent either haven’t or don’t know for certain whether they’ve ever been defrauded. Interesting to note that 80 percent also aren’t hearing from employees possibly because they don’t offer an employer-sponsored tip line or other solutions.

Lack of training for employees

Roughly a third of businesses surveyed indicate they currently provide fraud awareness and ethics training to their employees. Even more startling is fewer than half (48%) of trainings took place in the previous calendar year. Nearly two in five (39%) of businesses have either never provided fraud and ethics training to their employees or haven’t provided training within the last three years.

The picture becomes even more worrisome when looking at who attended these trainings. The data indicates senior leaders and executives are the most frequently present, at 78 percent of the time — with a significant drop off for managers (53%), and other employees (44%). Owners report attending anti-fraud training the least, only in attendance 41 percent of the time.

“Training is one of the most effective ways to reduce the risk of fraud,” says Bloom. “It’s also imperative that employers conduct background checks on newly hired employees — especially those who will be immersed in the most critical systems, such as payroll.”

“The lack of targeting toward those at the top and to non-management employees is startling for several reasons,” adds Gaudreau. “Having a strong grasp or fraud and ethical best practices is critical for owners to identify risks and champion preparedness measures throughout the business. It’s also one way to lead from the front and set an overall tone of fraud awareness throughout the organization.”

“Employees can be assets or weaknesses in the fight against fraud, the difference lies in whether they’re properly trained and educated to spot and report red flags.”

Adds that an employee who is well aware of fraud risks is better prepared to report suspicious activities — which also links to the success of a reporting line, as highlighted in Figure 7 above.

As with fraud risk assessments, anti-fraud training also has a marked impact on how survey respondents assess their overall risk of fraud. Three quarters (73%) of those who have provided fraud risk training in the past year rate their risk exposure as high (+53% from baseline). Only five percent of respondents who have never provided anti-fraud training share the same sentiment (-15% from baseline).

Fraud lessons go unlearned

Of our survey respondents who experienced a past fraud, nearly three in five (59%) incidents took place within the last three years. Furthermore, as previously mentioned, one in five businesses have dealt with three previous incidents and 10 percent have been defrauded four or more times.

While those who previously experienced a fraud incident appear more likely to rate their risk as high (above), this increased concern does not necessarily translate to greater vigilance or corrective action. Close to one in 10 (8%) businesses did not make any changes to prevent a similar issue from recurring in the future and fewer than two in five (38%) incidents resulted in a termination.

Only one in four (25%) businesses conducted an internal investigation to identify the root cause(s), extent, and mechanism(s) of the fraud — and fewer than a third (31%) reported the incident to the police.

The most common measure taken was to revise or create new policies / procedures to better detect and prevent fraud. But even here only 40 percent of businesses said they did as much. Far fewer added the step of also reviewing policies and procedures to better deal with instances of fraud once they’re detected (26%). Additional training (28%) and a revised fraud risk assessment (17%) were also less common — though, according to MNP’s practical experience, those steps are critical for policy and procedural changes to be effective.

Somewhat surprisingly, only 17 percent of businesses that experienced a previous fraud reached out to an external forensic accounting team to assess the root cause and extent of the breach. This was, however, the measure most pursued by businesses that have been operating for five years or less. That could indicate a lack of confidence in internal policies and procedures. More likely, though, is a correlation to the reduced perception of fraud risk in older respondents and those who have been in their position for longer (above).

Where do you go from here?

The ACFE 2020 Report to the Nations revealed a staggering 2,504 cases of fraud occurred across 125 countries in 2019, with losses totaling $3.6 billion dollars. Canada and the U.S. accounted for nearly half those cases, with a median loss of $120,000 for every instance. At this point it’s helpful to remember, this data reflects a world prior to the paradigm shifting onset of COVID-19.

Just because a business has not yet uncovered an instance of fraud doesn’t mean one hasn’t occurred or even that there isn’t a scheme currently underway that’s going undetected. The 2020 ACFE report revealed the average fraud scheme continued for 14 months before it was uncovered. Nearly one in five (17%) schemes lasted more than three years. The results of our recent survey suggest not only are most Quebec businesses ill equipped to detect fraud, but many may not be monitoring the areas where they’re most likely to find it.

Fraud is pervasive and it’s occurring across all industries and at organizations of all sizes. According to our findings, so is ambivalence to the risk. COVID-19 has changed how organizations do business and the ways people work, along with the reasons and opportunities to commit fraudulent acts.

Our findings indicate some disconcerting trends which Quebec businesses — and indeed all Canadian businesses — will need to address if they’re going to improve their overall fraud preparedness and resilience. The good news is there are several clear and actionable steps leaders can begin taking immediately to drastically improve their ability to detect fraud and reduce the likelihood and severity of an incident.

1. Conduct regular risk assessments

Annual or regular fraud risk assessments are imperative. Your business is constantly changing, with new team members joining, people exiting or moving into different roles, shifting economic conditions, technology transformations, expansion into new services, regions, and business models, etc. Slight changes can have a massive impact on your overall risk profile and the opportunities for unscrupulous actors to take advantage.

This is not a “set it and forget it” situation. Regular risk assessments will help you gain a better understanding of where you’re vulnerable to fraud and what you can do to prevent it — they can also help you uncover instances of fraud and may reduce the total losses from an incident by up to a third.

2. Put a tip line in place

One thing that business owners can be confident of is the general goodness of most people. The average employee, customer, or vendor doesn’t want to be complicit in someone else’s unethical act. According to the 2020 ACFE report, 43 percent of all frauds are detected as a direct result of a whistleblower tip.

More than two thirds (64%) of organizations with tip hotlines and other formal reporting structures managed to uncover a fraud incident. Nearly half (49%) of all cases at these organizations were detected by a tip compared to fewer than a third (31%) at organizations without one. These organizations reduced the time to detect a fraud by six months on average and reduced the total losses by nearly half (49%).

3. Provide frequent training

Another interesting insight about tips: training increases both the likelihood employees will report suspicions of fraud (+19%) and the likelihood those tips will result in detection of fraud (+12%). But the value of fraud and ethics training also goes much deeper.

Fraud training for employees can cut the cost and timeline of a fraud incident by a third (33%). Providing training for senior managers and executives yields a similar reduction. However, these trainings need to be frequent and part of the overall employee experience, else they won’t be effective.

People are busy with their day-to-day work and myriad other responsibilities outside of the office. Employers need to place fraud and ethics at the forefront of everyone’s mind all day, every day. If you want the risks, warning signs and best practices to be salient, you need to reinforce these with some regularity.

Turnover is another growing challenge and reason to embrace more frequent training. According to OECD data, nearly two in five Canadians left a role within three years of starting at a company between 2017 and 2020. This places immense value in including fraud and ethics training as part of the onboarding process and making it a key part of employee development throughout their tenure with the organization.

4. Resist complacency

Recall that younger and more junior employees in our study were both more likely to rate the risk of fraud as high in their organization and believe the existing controls in their business were not sufficient. It’s easy to dismiss this as simple inexperience or not understanding why businesses do certain things in certain ways. In the interests of fraud detection and prevention, it may be worth heeding their concerns and taking a more critical look at longstanding practices.

The world is in a state of constant change and people act in unpredictable ways. A curious and self-critical approach is the crux of an effective fraud prevention mindset. Don’t take anything for granted — especially policies, procedures, and controls you’ve grown accustomed to, had a hand in creating, or believe are serving you well. That’s precisely what fraudsters are counting on. This is also a good time to emphasize the importance of background checks and diligence in an effective anti-fraud program.

Resisting complacency also means staying the course and not letting the environment change your messaging. This is manifested by keeping a serious yet positive tone-at-the-top that permeates across and throughout the organization, from top to bottom. It is indeed one of the best things that executives can do to foster positive and appropriate behavior within their company. 

5. Collaborate with external advisors

Hand in hand with complacency comes blind spots: Often the more you look at your policies, practices, controls, and detection methods, the less you’re able to see — or at least see objectively.

Consider reaching out to a qualified third party to assess your fraud preparedness and identify any gaps worth addressing. A skilled advisor can provide valuable context on emerging trends, suggest cost-effective measures to reduce your risk exposure, and even provide an impartial intermediary to receive and report incoming tips.

If you do suspect an instance of fraud in your organization, it’s important to act quickly to limit your losses, catch the perpetrator, and prevent similar incidents from recurring. Forensic accounting professionals are uniquely qualified to spot inconsistencies or suspicious activity that may otherwise go undetected. Members of MNP’s Forensics and Litigation Support team have worked extensively with clients of all sizes and industries to prevent, deter, investigate, and detect fraud. Our experience uniquely qualifies us to protect and preserve the assets and interests of your organization from misconduct and fraud.

Contact

If you have any questions about this survey, or would like to learn more about our services, contact:

Corey Bloom, FCPA, FCA, CA•IFA, CFE, CFF, ACFE Regent Emeritus
Partner and Eastern Canada Leader, Forensics, Investigations and Disputes
514.228.7863
[email protected]

Simon Gaudreau, CPA AUDITOR, CFF, CFE, FIS
Manager, Forensics, Investigations and Disputes
514-906-4641
[email protected]