Is the cost of reducing fraud risk greater than the loss from a fraud incident?
I recently had the opportunity to visit with Sam Antar, convicted felon and former CFO of Crazy Eddie. This is cross-posted from my other blog, Nonprofit Update.
During our interview, Mr. Antar suggested a reason why businesses don’t put enough effort into fraud prevention and detection. He said the cost of deterring fraud may be more expensive than the consequences of fraud. Before I refine the concept, look at some costs he mentioned:
- In the corporate world, particularly companies that have grown for a while, there need to be a lot of systems put in place to deter and mitigate fraud risk.
- There needs to be an audit committee and they need to have resources available to them. Translate that to mean they have authority to hire legal and accounting experts. They need training personally. This is expensive.
- The audit committee, consisting of skilled and knowledgeable people, must have a direct line of contact to the Board of Directors. That is expensive in terms of time.
- The Board of Directors has to have a substantial amount of financial skills. That is expensive in terms of time and dollars for training and dollars for their access to expert resources.
- At some point in the growth curve, there needs to be a robust, skilled internal audit department. That could get quite expensive, if you look at it only in terms of cash outflows.
I would add to that the time involved to implement quality controls, policies, and procedures. Those will take a lot of time for the finance & accounting team. In turn, those procedures will take time for operational staff to follow. All of that translates into more staff.
That can get costly fast.
What is the cost of a fraud incident?
I will look only at the hard dollar costs. I won’t consider the cost to investigate or remediate a fraud incident. I won’t consider the impact on reputation or the distraction imposed on senior leadership to deal with the trauma.
According to the 2014 Report to the Nations by the Association of Certified Fraud Examiners, the median loss for a fraud in their study was $145,000. That means half of the frauds reported for their current survey had a loss less than that amount and half had a loss higher than that amount.
The embezzlement at a megachurch near where I live reportedly cost the church somewhere in the range of $700,000 to $900,000. The confessed embezzler only conceded that $25,000 was “missing.” The DA only insisted on that amount of acknowledgment in the plea agreement because that’s what could be proved. I will make a wild guess that the real loss was above half a million and below one million.
Pick any of those numbers you want: $145K, $25K, $700K, $85K a year, $340K in total.
Could your business or charity handle that loss?
Cost of internal control compared to expected cost
Here is where I would like to revise Mr. Antar’s comment.
The relative cost of deterring fraud shrinks dramatically when compared to those possible losses.
If the choice were between putting appropriate controls in place for a small organization and the near certainty of incurring one of those losses, most organizations would implement the recommendations of their accountants.
Yet most don’t.
I think I know why.
Consider a small or medium-sized business or charity. You’re not going to get hit with a fraud incident somewhere in the magnitude of those amounts every year. Those losses will probably only occur once in a while.
If operating with poor internal controls meant getting hit by one of those losses every five years, then from a strictly economic perspective you would have to discount those losses by my assumed 1 in 5 likelihood.
That reduces the median loss down to $29,000. Adjusted for the same probability, a loss of the magnitude engineered by Mrs. Wilson would cost $17,000 a year.
If you were to mentally assess the risk as one fraud disaster every ten years, the expected cost of an average incident would be $14K.
Few businesses and even fewer charities would hire another half-time person or add several people adding up to a full-time equivalent to eliminate that risk.
I can then describe in a mathematical form why most charities and small businesses don’t implement better internal controls:
- The annual cost of doing a better job of deterring fraud is greater than the expected amount of a loss adjusted for the probability of a fraud occurring in any one year.
In simpler form:
- Cost of reduced fraud risk > probability-adjusted fraud loss
The error in that mindset
There are several factors missing when organizations mentally make that calculation.
The first error is there are lots of frauds that are never discovered in amounts smaller than the average for discovered fraud.
The distraction for mid-level and senior staff to deal with a fraud is severe. Not only is there a lot of time involved, but dealing with the mess takes a disproportionate amount of mental and emotional effort. The ministry of the charity will slow down a lot while senior staff deal with the mess.
The above calculation does not take into consideration the horrid publicity that can arise from a fraud incident. The loss of trust and damage to reputation could be larger than the dollar loss.
All those factors affect one side of the calculation and make it likely that the total cost of a loss would be greater than the cost of reducing the risk.
So I suggest the equation should read:
- Cost of reducing fraud risk < probability-adjusted risk of (dollar loss + time & emotional energy + lost reputation)
In that calculation, the cost of deterring fraud is a cheaper price to pay than the expected damage that might be incurred every few years.