While I was busy researching the fraud at BTA Bank of Kazakhstan, where regulatory authorities have been chasing $6 billion of depositors’ money for the last nine years, allegedly siphoned off by the bank’s ex-chairman through fraudulent loans to offshore shell companies, a shocking fraud suddenly broke out last week at the second-largest Indian lender. It is expected to have caused a loss of $3 billion through the issuance of fraudulent Letters of Undertaking (LOU) by unauthorised SWIFT messages without any entry in the Core Banking Application (CBS). If it were a small bank, it would have been liquidated by this single fraud, but this Indian bank is large and strong enough to take this hit and still survive.
In another case, telecom giant BT Group is struggling with an accounting fraud at its Italian arm and had to pay £225 million to avoid an imminent court battle with furious shareholders.
The management of Olympus had to write off more than $1.5 billion of losses hidden for years together, and Toshiba is still finding it difficult to recover from an accounting scandal that wiped out more than $8 billion of its market value.
Fraudsters can strike only when ‘those charged with governance’ are in complacency mode, down with the “all is well” syndrome. Nothing is perfect in this world, and neither are internal controls and governance mechanisms. We need to keep a constant vigil through regular independent checks because ‘trust is good; control is much better.’
The fraud at the Indian bank could have been prevented if a simple control had been strictly followed: an independent daily reconciliation between the SWIFT messages sent and the transaction entries in the CBS. It could also have been prevented if the CBS had been integrated with the SWIFT platform, so that the CBS itself generates the SWIFT message after approval in the CBS, without any individual having direct access to SWIFT.
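The daily reconciliation described above can be sketched as follows. This is an added example, not part of the original column or any bank's system; the record fields (`ref`, `ccy`, `amount`) and the sample data are constructed assumptions, and in practice the two lists would be exported independently from the SWIFT message log and the CBS.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample records; field names (ref, ccy, amount) are assumptions.
SWIFT_SENT = [
    {"ref": "LOU-0001", "ccy": "USD", "amount": "250000.00"},
    {"ref": "LOU-0002", "ccy": "USD", "amount": "900000.00"},  # no CBS entry
    {"ref": "LOU-0003", "ccy": "EUR", "amount": "120000.00"},  # amount differs
    {"ref": "LOU-0004", "ccy": "USD", "amount": "75000.00"},
    {"ref": "LOU-0004", "ccy": "USD", "amount": "75000.00"},   # sent twice
]
CBS_ENTRIES = [
    {"ref": "LOU-0001", "ccy": "USD", "amount": "250000.00"},
    {"ref": "LOU-0003", "ccy": "EUR", "amount": "100000.00"},
    {"ref": "LOU-0004", "ccy": "USD", "amount": "75000.00"},
    {"ref": "LOU-0005", "ccy": "USD", "amount": "10000.00"},   # booked, not sent
]

def _key(rec):
    # Compare amounts as Decimal so "75000.0" and "75000.00" match.
    return (rec["ref"], rec["ccy"], Decimal(rec["amount"]))

def reconcile(swift_sent, cbs_entries):
    """Return a sorted list of (exception_type, ref) for one day's records."""
    sent = Counter(_key(r) for r in swift_sent)
    booked = Counter(_key(r) for r in cbs_entries)
    sent_refs = {k[0] for k in sent}
    booked_refs = {k[0] for k in booked}
    exceptions = []
    for key, count in sent.items():
        ref = key[0]
        if ref not in booked_refs:
            exceptions.append(("SENT_WITHOUT_CBS_ENTRY", ref))
        elif key not in booked:
            exceptions.append(("DETAILS_MISMATCH", ref))
        elif count > booked[key]:
            exceptions.append(("SENT_MORE_TIMES_THAN_BOOKED", ref))
    for key in booked:
        if key[0] not in sent_refs:
            exceptions.append(("CBS_ENTRY_NOT_SENT", key[0]))
    return sorted(exceptions)

if __name__ == "__main__":
    for kind, ref in reconcile(SWIFT_SENT, CBS_ENTRIES):
        print(f"{kind:28} {ref}")
```

The control is only independent if the exception list goes to someone who can neither send SWIFT messages nor post CBS entries.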
During my career in internal audit and fraud investigations spanning over twenty-one years and having discovered or investigated numerous fraud cases in different countries, I can confirm that the largest fund embezzlements are not committed by sophisticated fraud schemes but by exploiting very small and simple internal control weaknesses like this.
We don’t need to be rocket scientists to find out the reasons when it is reported that a typical organisation loses approximately 5 per cent of its revenue to fraud worldwide. We must implement a whistle-blowing mechanism to deter and detect fraud because someone always knows something which he or she should be able to tell you anonymously. Prevention has always been better than cure, be it for your health or your business.
I don’t think that fraudsters are smarter than us, but they still continue to defraud us because we fail to learn from other victims while fraudsters always meticulously do that.
The famous fraud triangle theory states that fraud occurs when three elements are present - pressure or incentive to commit fraud, rationalisation and opportunity. This means a person who is under pressure (to show performance) or gains some incentive from fraud, would first rationalise the intended action to himself/herself and then would look for an opportunity to strike.
We cannot control tangible incentive or psychological rationalisation, but we can very well deprive fraudsters of an opportunity to cheat. This can be achieved by implementing professionally designed, robust internal controls. Business processes must be well documented, authority lines well defined and internal controls well established in the form of a formal risk-control matrix which is revisited regularly.
The authorised signatory mandate for the bank accounts must also be carefully drafted so that no single payment can be made without one person from finance and another person from operations together signing any wire transfer or cheque. Nobody should have unlimited authority to transfer funds. Fund transfers beyond a threshold must always require explicit board approval. The bank mandate must be reviewed at least once a year to ensure that it remains current.
It must also be ensured that domination of any single individual in the management is avoided. When only one man speaks and no other voice is heard at the board meetings, this might be the very first sign of an impending corporate governance breakdown.
Fraudsters can eat an organisation like termites, causing its slow death. To outsmart fraudsters, we need to take corporate governance and fraud risk more seriously because the end result of governance failure is fraud, which ultimately destroys the value and reputation of any organisation.
*The writer is the Vice President of the Oman Chapter of the Institute of Internal Auditors (IIA), USA. He is also the former chairman of the Muscat Chapter of the Institute of Chartered Accountants of India (ICAI).