Alan Mack:
All we're talking about is reducing opportunity. If you can maintain vigilance, you can put in effective internal controls that people will not try to get away with things or not even bother thinking that they can get away with things, and then your risk of fraud is actually going to be significantly reduced.
Narrator:
Welcome to Accounting for the Future, a BDO Canada podcast for financial leaders to navigate change and achieve business growth. We'll uncover the challenges financial leaders may not have dealt with yesterday, but will definitely have to manage for the future.
Anne-Marie Henson:
Hello and welcome to Accounting for the Future. I'm your host, Anne-Marie Henson. On today's episode, I'm joined by two BDO partners, Mary Mathews, longtime recurring guest at this point, and Partner in our Accounting Advisory group, and Alan Mack, Partner and our National Leader of the Forensic Disputes and Litigation practice. I'm really looking forward to speaking to the both of you today.
Alan Mack:
Yeah, really happy to be here. Thanks for having me.
Mary Mathews:
Looking to get into it.
Anne-Marie Henson:
Awesome. So I'm really happy to have you both here to talk about some recent current events that many of us have read about in the news, and these types of situations always fascinate us. Some of them have even been made into movies, so I'm referring to the F word, which in our world is fraud. And it seems like there are more and more cases that we've noticed in recent years, so I'm glad we have an expert in forensics and litigation to help us demystify these fraud cases. So Alan, why don't we start with a bit of an update on what's happening in the world today? So you look at rising interest rates, high competition for capital, technology advancements, and tell us whether you've seen any new fraud trends emerge during 2023 as a result of these events.
Alan Mack
Sure. Just anecdotally in our practice, we're certainly very busy. That's probably not a good thing for our economy, but great for our practice. We look at the world through one of several ways in terms of risk assessments for fraud, and a common framework that we use is something called the fraud triangle. The fraud triangle lists three elements that are necessary in order for frauds to exist or to occur. They are opportunity, rationalization, and motivation. And without getting into the gory details, motivation is what people need to feel compelled to commit a fraud. And the factors that you just mentioned, the realities that we're dealing with today, such as increasing interest rates or high interest rates, competition for capital, and that the other nasty word that we've been hearing so much about, inflation, those are all factors that contribute to motivation for people because they're facing more challenging economic circumstances. Whether you're a business or whether you are an individual trying to buy groceries for your family, all those factors contribute to squeezing your bottom line, squeezing your purchasing power.
And because of that, unfortunately, we're definitely seeing more activity in investigations, more requests for assistance to understand what's happening in companies because something is wrong. And what we're seeing is, it's not just one pocket of the economy or another or one type of business or another, it's really all throughout the entire economy, the entire spectrum of businesses. We're seeing increased activity in private companies, public companies, public sector. The activities that we're seeing in terms of fraud trends, I don't think it's anything new. I don't think it's necessarily new types of frauds. Although how the frauds are being perpetrated are evolving, such as using more technology, such as using crypto for example. But it's standard stuff. We're seeing more activity from small-scale employee expense frauds to larger-scale procurement frauds to shareholder disputes, and even some financial reporting frauds to mislead investors or lenders. So unfortunately, we're definitely seeing more fraud activity.
Anne-Marie Henson:
Wow. Well, like you mentioned, Alan, maybe good for your practice, not necessarily good for stakeholders and owners of companies who are concerned about these types of activities. So Mary, when you look back at this past year, are there any stories that have stuck out to you or that maybe listeners can learn from?
Mary Mathews:
Yeah, so I'm going to say for me it was FTX. That was the biggest one for me. It got attention all over the world. It was big dollars, it was a scandal, it was in crypto, the relatively new space, just leading to more buzz around this. And we saw the story unfold throughout the year, and it's still ongoing, where SBF is waiting for sentencing as we speak. And there was a lot to uncover there, but I think the more we know about it, the more there is to learn. But I think what stands out for me here is something that's important at any organization. What can we learn from FTX? It starts with good governance in place. Alan mentioned opportunities and understanding those opportunities that exist, thinking about what that good governance looks like by putting in checks and balances to reduce those opportunities and the risks of fraud where opportunities might exist.
Anne-Marie Henson:
Right, exactly. And Mary, I'm happy you brought up FTX is a good example. A shameless plug for our previous episode where you, Michael Crolla and myself did talk about FTX and what happened there even before the ruling came out and before SBF was found guilty. So if listeners are interested in that situation in particular, feel free to reach out or take a look at our previous episodes for that.
Alan, you see these types of situations all the time. This kind of work is what you do on a day-to-day basis. And you already mentioned this doesn't just happen with very large public companies, although those tend to be the cases that we hear about a lot more in the news. A lot of our listeners are probably a little bit more in the smaller or mid-market space, so what are the common types of that you've seen occur in smaller organizations?
Alan Mack:
That's a very good question, but I'm going to put a twist on it. I actually don't think that the size of organization necessarily correlates with the types of frauds that we've seen. The types of frauds that we've seen, I've seen from in smaller organizations to multinational corporations. What is different is the scale of the fraud. So in a smaller company, you'll see smaller dollars of course. In a larger company, the access to available resources, just the bank accounts are bigger, so the impact can be bigger. What we've seen generally speaking would be things like employee expense frauds. That's always happened, but we're seeing more and more of it now. Simple things like putting personal expenses on corporate credit cards or double dipping by claiming per diems when you're attending a conference that already has meals provided. It's the little stuff, the nickel and dime stuff.
But again, in this environment of increasing grocery costs, people are worried about the price of eggs and price of bread, that $75 a day could make a difference to some people. The other trend that we're seeing is more and more procurement fraud. And again, this is something that exists at all sizes of companies and it involves colluding with vendors. So someone inside the company colluding with a vendor to over-bill the company or to bill for fictitious goods and ultimately sharing in the spoils. There's also things that we've seen like taking volume discounts that are paid separately from a company, so the company is invoiced and expects to pay a certain amount. At quarter end, at year-end, they get a rebate statement and the manager may or may not remember that. They may or may not be expecting it, and some employees take advantage of that. They take the check and deposit in their own account. And there we go, that's some fraud.
Larger companies tend to be more sophisticated, so they should have better internal controls, the governance that Mary spoke about. But of course, as everyone knows, as crooks know in particular, internal controls can be defeated. Smaller companies generally don't have the benefit of those fancy control systems, but in theory, they have something even better, which is an eagle eyed or a hawk eyed owner-manager who's watching out very closely to the dollars and cents. You would think that happens, but in my experience, oftentimes it doesn't. These entrepreneurs are really good at what they do. They're really good at building a business, they're really good at winning sales, winning customers. Watching the expense accounts, watching whether the debits and credits are balancing, is not something that's high on their priority list.
And unfortunately, that's where the fraudsters can hit. So that's actually another point that I wanted to bring up, if I can dive into a bit of a side story. Fraud is one of those things that is very personal, even when it's a big company. And the reason why is because fraud inherently involves trust. A manager, an owner, the CEO has decided to trust someone. They've trusted them by hiring them, trusted them by giving them authority, delegated authority, making decisions, trusting them with the assets, whether it's their family's assets or the company. So when a fraud happens, it's in essence a betrayal of that trust. And a lot of times just in conducting witness interviews, the manager who conveyed that trust, the owner who conveyed that trust blamed themselves because they ask themselves, why didn't I see that? I should have known better. I should have seen it coming.
And that's how deep that betrayal, that trust flows. But again, people do bad things because they choose to do bad things. I always tell people, if it happens, it's not because of you. It's because this person chose to do something bad. Having said that, there's always things that perhaps you wouldn't do differently. A story that I like to bring up in terms of how bad this can be is I recall a case that we were retained on. It involved a manufacturing company. They had a controller who had been with the company for over 25 years. He was quite literally considered to be a member of the family. It's a private company, but this person was considered to be part of the extended family to the point where he attended family weddings. But for whatever reason, this person decided that he wasn't getting paid enough, and so he colluded with the biggest supplier of the business to start doing some bad stuff.
It started with something pretty simple, overbilling on materials, and they had an arrangement where the overbilling would be shared between the vendor and this controller, quite literally meeting up in a local park with cash in a paper bag. As time went on, it got worse and worse. As time went on, they started just billing for materials that were never required by this business, but it was ordered and paid, sometimes it was delivered and then shipped off again. Other times it wasn't even delivered to the company. It was invoiced, company paid for it because the controller approved it, and then the goods would be sold onward, and then the proceeds split. And then at the end, they basically just got lazy. They didn't even bother selling the stuff. They just were overbilling for stuff that never existed and then splitting the funds.
This went on for a long time to the point where the losses totaled in the millions. The controller used the money to buy himself and his family a very nice cottage, boats, jet skis, all the toys. And when this came to light, because the owner of the business walked into the warehouse one day and realized that the inventory that he expected to see on the books wasn't in the warehouse. They had millions of inventory on the balance sheet, but next to nothing in the warehouse, so he knew something was wrong. And with that, started the investigation. That's when he realized that this person who he trusted for more than 25 years was up to something very, very bad.
On a larger scale, what we're seeing now is in the present economic environment with interest rates being so high, with cost pressures for all kinds of companies, we're starting to see more and more frauds regarding credit facilities borrowing. And this is pretty simple stuff. Where credit facilities are margined on inventory or receivables, what's being reported to the lender just doesn't exist, or assets that are being pledged as collateral have been pledged to multiple lenders. So when it hits the fan, then the recourse that a lender thought they had may not be there and they're in for a bit of a bun fight, so this is the way of the world right now.
Anne-Marie Henson:
Wow. Well, it's really fascinating what you're saying about almost the psychology behind fraud. I think myself, with an audit and accounting background, when we hear that word, we always look at the numbers. What happened and how did it occur? What controls were overridden or what controls were not in place at the time? But your story's interesting in the sense that it speaks to really the motivation behind it and that loss of trust, which goes beyond the numbers, it goes beyond the financial statements. So very interesting, and hopefully some lessons or some thought-provoking ideas for people just to consider without necessarily putting fear in users.
Alan Mack:
I actually have minored in psychology in my undergrad just because I was interested in psychology. I never thought it would be useful in my career later on as a forensic accountant, that it would play a big part in doing my job effectively, understanding people or trying to understand their motivation. It's a fascinating part of the work.
Anne-Marie Henson:
Yeah, absolutely. No, I'm sure it's actually probably a very important part of the work. So Mary, maybe this is a good question to you, back to the numbers and back to the financial statements. You read and prepare a lot of financial statements for clients, and when you're reading through a company's financial statements, what could be some indicators that a company may have been impacted by fraud? Or what would at least make you question that there could be a suspicion of fraud, if you're looking just at the financial statements of a company?
Mary Mathews:
I think for me, it starts with revenue. That's the typical answer there, where overstated revenues, maybe a slow collection and cash and flow doesn't really tie together. That is an interesting place to look. I also find digging deeper on related parties and how they correlate, how they interact, even just understanding the group structure. Sometimes they get so big, they get so complex, a group structure can take pages. And that's difficult, but understanding how all the entities interact and what they're doing there is important. I also look at transactions that look one-off, look complex, and maybe aren't as explained. And sometimes you just have to go really to the details there and just starting with what's the business rationale for this? Why are we doing this? How are they making money? Why is this useful? Because if you start questioning with that, at least then the accounting sometimes falls into place. But that's usually where I start. Related parties and revenues there.
Anne-Marie Henson:
Yeah, no, definitely a good starting point. And putting our auditor hat on now, what would be the auditor's responsibility when they suspect a fraud may have been committed?
Mary Mathews:
So I'll start with saying financial auditors, we're not looking for fraud. We look for material misstatements when we're performing our audits. The primary responsibility for detecting or preventing fraud actually rests with those who are charged with governance and the management of a company, so that's a distinction I want to make with an auditor. Frauds of course can result in material misstatements. The numbers flow through to the financial statements at some point, but the nature of fraud is such that there is a bad actor involved here, and they're likely actively trying to conceal it, so fraud is typically difficult to find. While as auditors, we have to meet high professional standards, a financial statement audit doesn't actually serve as a guarantee against any fraud or detecting fraud. And of course, audits happen once a year, so any chance of finding fraud maybe would only happen not in a timely manner anyway.
Anne-Marie Henson:
Yeah, no, it's a good point. Maybe by that point it's too late, even if the auditor has uncovered something. But you bring up a few good points as well, and Alan alluded to it in his story. Not only do people committing fraud make efforts to hide it, but oftentimes, or at least sometimes, there's collusion involved, which makes it even more difficult because you have two individuals who are motivated to override controls or hide certain things that are going on. I know for myself as an auditor, one of the things that are really so important in the process is something as simple as just looking at ratios and trends year over year. To Alan's point about inventory, if I have a relatively consistent level of revenues and consistent profit margins over the past five years, but my inventory just keeps on going up and up, maybe there's something there, or all of a sudden my margins are way higher than they have been in the past.
So all of these types of things can be pretty short analyses, but things that everybody could do quickly, auditor or just a user or an owner of a business that wants to get a better idea as to whether there's anything unusual. And it doesn't necessarily mean that there's fraud automatically, but it just may be something to investigate, so those are all really good points. And maybe Alan, if you could give us some advice or some ideas in terms of things that a company could do to try, although like you said, it's never a hundred percent guaranteed, but is there anything someone could do to try to protect themselves from the risk of fraud?
Alan Mack:
Yes, we can certainly do things to protect ourselves. We can do things to reduce the possibility or probability of fraud, but it would be very difficult, if not impossible, to eliminate a hundred percent. Well, you put it best just now. I would call it keeping your eyes open. Looking at ratios, looking at your financial statements to see if something looks wrong. That type of vigilance is, in my experience, what could have detected or prevented most of the frauds that we come across. Don't tell my wife I said this, but whether we're talking about my kids or crooks, people do what they can get away with. That's what I've learned in so many years of practice. So if you can reduce the odds of people thinking they can get away with something, you've already done most of the work.
We talked about the fraud triangle earlier. Opportunity, motivation, rationalization. What we're talking about is reducing opportunity. So if you can maintain vigilance, you can put in effective internal controls that people will not try to get away with things or not even bother thinking that thinking get away with things, then your risk of fraud is actually going to be significantly reduced. Having said that, frankly, it's easier said than done. Like I said, a lot of entrepreneurs and successful business leaders are successful because they're very good at building businesses, they're very good at selling, they're very good at motivating their people. Internal controls, corporate governance, may not be near the top of their list. And so, as great as they're doing these other things, they may not be paying enough attention to the nuts and bolts of internal controls. And even when you have internal controls, it doesn't mean that they're going to be effective or that people can't defeat them.
So one of the stories that I like to share is one of my earlier fraud investigations, which deals with a lender that was margining a credit facility on receivables and WIP, so basically receivables and inventory. And the story is important because there was an internal control in place, but it wasn't effective because of an oversight and how it was being executed, how it was being implemented, that nobody knew until unfortunately a fraud happened. And in the course of our investigation, we figured out a fundamental flaw, and it goes like this. So it's a credit facility that's being margined on receivables and inventory. Every day, the lender requested and received a list of invoices and purchase orders from the borrower. There's an Excel list. They were also supposed to submit copies. Back in the day, it was faxes. The invoices and purchase orders. And the control was that a clerk was supposed to make sure that everything on that list of receivables and inventory was supported by an invoice or a purchase order.
And so every day this person would get a stack of these documents, 50, 75, 100, and they would make sure that the date at the top right corner and the amount at the bottom right corner matched the listing they had received. What this person never did, and just in terms of how they worked, there was a stack and they would just flip the half of the page to see the top and bottom right. They never actually turned the entire page over. And that's critical, because if they had, they would've noticed that on the top left corner, the address of all the so-called customers and so-called vendors was exactly the same. It was the same two companies circulating goods round and round. Going to Mary's point about related parties, and that was the oh my gosh moment. Because if that person had flipped the pages over and realized that it was the same companies doing business round and round, someone would've been very, very scared because that's not a real business. It's just two companies going round and round.
So with the best intentions of having good internal controls, if it's not executed properly, it's not going to help. But what's going to help is someone paying attention. The owner, the manager, the corporate governors, paying attention and asking tough questions. That's my best advice.
Anne-Marie Henson:
Wow, that's a really interesting story. Definitely. That's it. A good case of having the right controls in place and the right intentions, but not necessarily the best execution of those controls, so definitely something for us to think about. And Mary, maybe over to you. What are some controls that you've seen companies put in place to help them reduce the risk of fraud?
Mary Mathews:
Starting with good governance. I can't get away from that, so it starts at the top. What's the code of conduct? What is management putting in place in terms of whistleblower policies and the code of conduct that employees are meant to be following? I was going to say perform reconciliations, but now I'm going to amend that to perform reconciliations with the right level of detail and attention from Alan's story, so doing it thoroughly, properly, reviewing budgets to actuals to see how performance is going and where outliers are really coming out. And again, segregation of duties where you have someone perform, someone review with the appropriate level of information and capability to make sure that control is actually being performed effectively. And then one I also always want to think about, especially from the assurance perspective, is just being mindful of incentives and how management and those involved in the business are incentivized based on financial performance. In my audit days, that was something we did think about and look at. What balances are going to affect someone's financial rewards at the end of the day? Those are my big key areas there.
Anne-Marie Henson:
Yeah, no, I like those all. And I think it's important to note, even as a business owner, just because an incentive that's based on financial performance could lead to someone having that motivation to commit a fraud doesn't necessarily mean you shouldn't put that incentive in place. It's just to be mindful of those types of situations. And Alan, to your previous point, I love what you said about just creating an environment where it's clear that you want to put controls in place and even a code of conduct that leads to all your employees understanding that it's not environment where fraud is accepted or just putting those parameters in place like you do with your kids is a good analogy.
Alan Mack:
Not to get too big brother, but the message you want to get across is you're being watched, and that in and of itself is a big deterrent.
Anne-Marie Henson:
Absolutely. For sure. And maybe, Alan, a final question for you. Do you ever think we'll be able to get to a place where companies can comfortably say they're fully protected from fraud?
Alan Mack:
Not until after I retire. But joking aside, probably not. And the reason why is because fraud is perpetrated by a very basic human motivation. Actually, I was about to say greed, but I think it's even more than that now, just reflecting on our earlier conversation. Greed is certainly a part of fraud, but at this point, for some people, it's a matter of self-preservation as well. Putting food on the table for your family, being able to keep a roof over your family's head, that sort of thing. That is an unfortunate reality for some people. And so that's the kind of motivation that we have to deal with in the fraud triangle, which is no small feat. The other factor I would consider is that fighting fraud is way more than the responsibility of your company's internal accountants, internal auditors, or risk managers. There's a huge societal element as well. And what I mean by that is how does society view fraud?
And by extension, how do fraudsters get punished? Maybe we can save this for another discussion, but in Canada, my experience has been that white collar fraud is really not seen to be something to be a serious crime, and punishments unfortunately are light, if any. And so there's an important element beyond internal controls in terms of the consequences of what happens that would need to be addressed to really come up with a robust and coherent framework to protect all of us against fraud. That's depressing.
But let me leave you with three numbers. 10, 80, and 10. 10% of people will never commit fraud. These are your boy scouts, your girl guides, your straight shooters. You don't have to worry about them. Don't worry about them. 10% of people will commit fraud any chance they get. Your best bet is try not to hire them. And if you find yourself with one, then get rid of them. A big part of that is we advise people to do background checks. I'm shocked at the number of employers who say, "We don't need background checks," or they conduct cursory background checks, so we'll try to avoid that 10%. It's the 80% in the middle that we have to worry about. These are the people who would commit a fraud if given a chance. Those are the ones that we can manage hopefully by eliminating opportunity, so that's where we should focus our efforts.
Anne-Marie Henson:
No, I really like that advice actually, so thanks for sharing that and really fascinating discussion. So maybe not the last time I invite you both on to talk about these cases that we see a lot of in the news. So I'd like to thank you both, Mary and Alan, for your valuable time and your input today. I hope our audience appreciated this discussion. I'd also like to thank you, our listeners, for tuning in today and to all of our episodes. I'm Anne-Marie Henson, and this has been BDO's Accounting for the Future. Please let us know if you found the topic interesting and useful, and remember to subscribe if you liked it. We'll see you next time.
Narrator:
Thank you for listening to BDO Canada's Accounting for the Future. Past episodes and related insights are available at www.bdo.ca/accountingforthefuture. Or you can go to Apple Podcasts, Spotify, or Google Podcasts to subscribe. For more information on BDO Canada, visit bdo.ca.