Everything CFOs should know about fraud - a chat with EY's Susan Breytenbach
“With fraud the devil is often in the detail,” says Susan Breytenbach, a leading partner in EY’s forensic services department. “For the CFO there is a fine balance between not being in the detail, whilst still maintaining control to ensure that the checking gets done by the appropriate level of person to the appropriate level of detail.”
CFO South Africa sat down with Susan to chat about her career in forensic accounting, "the exhilaration of finding stuff", the latest fraud trends and - most importantly - the role CFOs should play to prevent and detect fraud. "The CFO should consider whether adequate controls are in place to mitigate the risk of fraud, but he or she need not be THE control," says Susan, who divulges a number of extremely practical tips for finance leaders.
How did you get into forensic accounting?
"I completed my audit articles at one of the Big Four accounting firms and I was seconded in 1995 to their offices in the UK, where forensic accounting first grabbed my attention. After working with forensics specialists on a number of forensic accounting and anti-money laundering projects in the banking industry in London and Switzerland, I knew forensic accounting is the field I wanted to work in. When I moved back to South Africa in 1998 I joined the newly established forensic department of a firm and have ever since worked exclusively in forensic accounting."
What do you like about forensic accounting?
"The exhilaration of finding stuff, getting to the bottom of an issue or suspicion, as well as the sense of contributing towards putting right what is wrong. It is a passion. In the litigation support environment, I find the application of financial and accounting skills to legal issues particularly interesting. The issues and their complexity can vary significantly from case to case. "
- Do you want to learn more about the latest and greatest in forensic accounting? Join the Finance Indaba Africa on 13 & 14 October! Free registration for SAICA, ACCA & CIMA members!
What types of fraud or litigation support do you deal with?
"It varies considerably. On the investigation side, anything from investigating fraudulent payments and Ponzi schemes to financial mismanagement, related party transactions or other forms of misrepresentation. On the litigation support side, it ranges from the quantification of damages to providing assistance with warranty claim submissions in terms of a sale and purchase agreement."
Does the CFO have a role to play here?
"Our point of contact is often the CFO. Fraud investigations and litigation often touches on the CFO's role of guarding the financial affairs of an organisation, for example these matters may typically impact issues related to cash flows, controls, costs and risk. CFOs are often seen as the gatekeeper when it comes to fraud risk - the person whom the organisation looks to when things go wrong."
"Also, in litigation matters organisations often seek either to claim for or defend a claim against them for financial damages. In sale and purchase disputes the buyer may at some point seek to claim against financial warranties. Those matters typically require the input of someone in the organisation such as the CFO, who is not only financially skilled, but who also has a deep knowledge of the business, its stakeholders and the market in which it operates. So when the organisation has suffered or stands to suffer financial loss, the CFO is often called upon either to drive or support such investigations or related financial analyses."
Which fraud is detectable?
"All frauds are detectable - however, the timing of detection is the issue. Fraud is committed with the intent to conceal and fraudsters invest effort in covering their tracks and circumventing IT and other financial controls, and by the time fraud is detected considerable loss may already have been suffered. "
How does fraud get detected?
"The 2014 global fraud survey of the Association of Certified Fraud Examiners (ACFE) shows that fraud mostly gets detected via tip-offs, followed by management review. There is often a misconception about the role of internal auditors. One cannot expect them to have the same expertise to detect fraud like forensic accountants do and they in turn may rely on internal accountants and management to detect fraud. The same goes for external audit - detecting fraud is not their primary role."
"Fraud often follows a learning curve trend. Criminals would typically start with small amounts over a long period and as their confidence grow the amounts increase over a shorter space of time. Often their work is good and they are trusted, hence fraud red flags, such as gambling habits or living above means, are often ignored. Fraudsters often get caught at the tip of the fraud learning curve, when the frequency of transactions and values are high."
What external fraud risks do CFOs face?
"It depends on the industry they are in. For example, in the banking and insurance industry external fraud risk in comparison to internal fraud risk, is generally higher than in certain other industries such as public sector or mining and energy. Credit card fraud syndicates and insurance fraud perpetrators can include policyholders, assessors and brokers."
"There are also a lot of external cybercrime related risks that have emerged with the rise of technology, which are not necessary industry specific, like hacking a network to obtain valuable information from an organisation, either to be exploited or sold on. The risk of unauthorised access to your network can be as easy as the most junior member of staff clicking on a link in an unsolicited email. Also, syndicates may also place people in an organisation or corrupt existing employees to obtain access to sensitive systems or information."
What can CFOs do?
"Fraud is dynamic and methods applied to mitigate against or detect fraud can become outdated, so the starting point is to keep up to date with the risks, for example by sharing information about fraud risks in your industry. It is also crucial to be alert when you are restructuring or laying off people. You need to make sure controls don't get compromised. Fraudsters are typically entrepreneurial and schemes evolve as technology or internal controls change."
"When entering into agreements with suppliers or with prospective buyers or sellers, CFO's should be involved when financial warranty and related clauses are drafted. Vague or ambiguously worded financial terminology in agreements with suppliers or sale and purchase agreements often form the subject of costly disputes later down the line. "
How should the CFO structure the controls?
"The CFO should consider whether adequate controls are in place to mitigate the risk of fraud, but he need not be THE control. In larger organisations it is not always practical for the CFO to be the only point of control and to get involved in that level of detail. That is why these CFOs need to consider appropriate support structures below them, such as a hands-on financial manager with sufficient attention to detail, commercial savvy and professional scepticism."
"The person who approves transactions should have sufficient time to consider properly the relevant supporting documents and business rationale of transactions." Fraud often gets missed when persons approving transactions consist of too many different people who do not have proper history of, background to or understanding of a transaction. If the same person sees all related transactions and invoices, he or she should be better placed to see and probe red flags."
"EY survey results over the past 10 years further suggest that there may be a persistent level of fraud that businesses are not able to eradicate. Instead, they may also need, apart from the right processes, technology to be able to detect fraud indicators. In this regard the mining of data, using forensic data analytics technologies and techniques, can assist in detecting and monitoring suspicious activities and transactions earlier and more effectively."