Internal & External Audits Are Not Enough
April, 2021
We have all read about the various parking scandals that have made front page news, fraud prevention and detection are becoming a priority for management and decision-makers. Typically, your mid-size to large parking operators consider their internal and external auditors as the pivotal tool for uncovering fraud and taking preventive measures to minimize the risk of loss incurred due to fraud. This implies that their internal and external auditors are often identifying fraud, when in fact, the opposite is true in many cases. The 2019 ACFE’s Report to the Nations stated that auditors rarely find fraud, internal audits detect fraud 15 percent of the time, while external audit merely 4 percent. With internal and external audits only making up 19 percent of how fraud is identified within an organization, what makes up the other 81 percent?
How are frauds detected?
The report further details the means in which frauds are detected, and the medium loss associated with each detection method and the average length of time the fraud was occurring before it was identified.
What is surprising is that 40 percent of fraud is detected based on tips, someone reporting the fraud to a person of authority, through email, calling a hotline, etc. With most of the fraud being identified by tip, this leads to the question, who is reporting fraud?
Who is reporting fraud?
The greatest amount of fraud being reported is by an organization’s own team, its employees (53 percent). Most employees want to “do the right thing” and will report fraud, especially in organizations with a strong ethical tone that starts at the top and works its way down. In addition, organizations that provide a way for the employee to be protected by being able to remain anonymous also encourage staff to report fraud because they do not have to fear retaliation. If employees are the number one resource for identifying fraud when it is occurring, does the size of a company make a difference?
Does size matter?
What the ACFE’s Report to the Nations also highlighted is that an organization’s risks, resources, and structures often vary greatly by their size. Out of the organizations that reported fraud, only 11 percent of them were smaller organizations with fewer than 100 employees. This makes sense as smaller organizations are less likely to have dedicated fraud investigations teams or resources. Now that we know who identifies fraud, the next question is, who commits fraud?
Who commits fraud?
To prevent fraud, you not only have to admit that it occurs, but how and why it occurs. Donald Cressey, a well-known criminologist, developed the Fraud Triangle, which states that Essentially, the three elements of the Fraud Triangle are: Opportunity, Pressure (also known as incentive or motivation) and Rationalization (sometimes called justification or attitude). For fraud to occur, all three elements must be present. The Fraud Diamond, a newer theory of fraud proposed by David T. Wolfe and Dana R. Hermanson, asserts that the fraudster’s capability must also be considered. The fraudster, it is said, must have the required traits (e.g., greed, weakness of character, excessive pride, dishonesty, etc.) and abilities (e.g., knowledge of processes and controls) to commit the fraud. It can be argued, however, that traits are components of pressure and that abilities are opportunity factors. Furthermore, the 10-80-10 Rule* supports the general assumption of capability by a breakdown of the population and the likelihood of fraud occurrences as follows:
10 percent of the population will NEVER commit fraud. This is the type of person that will go out of their way to return items to the correct party.
80 percent of the population might commit fraud
given the right combination of opportunity, pressure, and rationalization.
10 percent of the population are actively looking at systems and trying to find a way to commit fraud.
*Source: National Association of State Auditors, Comptrollers and Treasurers (NASACT) and the Oregon State Controller’s Division
Now that we know how and why, the next step is who? Anyone can commit fraud and it is impossible to predict in advance which employees, vendors, clients, and customers will become dishonest. In fact, when fraud does occur, the most common reaction by those around the fraud is denial. Victims can’t believe that individuals who look and behave much like them and who are usually well trusted can behave dishonestly. In my experience, most of the employees who committed fraud were some of the “best employees”. Many were long-tenured employees who management had a great deal of trust and faith in. I would often hear, “I cannot believe it was him, he was my best employee, I could always rely on him.” While the quantity of fraud cases was committed by line employees, in my experience it was the management level employees that inflicted the most financial loss related to fraud. This is mainly since management level employees have greater access to larger amounts of funds than a frontline employee. It comes down to power and access.
What to look for?
ACFE President James D. Ratley said, “Fraudsters exhibit behavioral warning signs of their misdeeds.” Organizations should train their staff to look for some of the most common human behavioral red flags:
Living beyond their means
Financial difficulties
Control issues, unwilling to share duties
Divorce/family problems
Unusually close association with customer/vendor
“Wheeler-dealer” attitude
Irritability, suspiciousness, or defensiveness
Addiction problem
Complain about inadequate pay
Refusal to take vacation or PTO
As Parking Operators, where is the greatest risk?
While we need to ensure the validity and legality of our organization’s financial records, as parking operators, we are at greater risk of the following types of fraud:
Cash Larceny, Skimming
Theft of non-cash items
Billing Schemes
Expenses Reimbursements
Cash on Hand (operating/petty cash funds)
Payroll Schemes
Common deficiencies that make it easier for fraud to occur within our parking operations are:
A lack of controls and separation of duties
Lack of business ownership and accountability
Not reviewing anomalies or gaps in data
Not enough training and knowledge
Too much trust, with little or no verification processes
Old, antiquated methods, not optimizing technology to mitigate or limit risk
What can you do?
Take an active role in managing your parking solutions. When possible, use technology to assist with this objective and look for parking solutions that:
Automate the payment processes, never have to “touch” money, and go “Cashless”.
Create separation of duties between those that collect revenue and those that reconcile the revenue.
A clear and transparent audit trail as it relates to revenue funds, transactions, invoices, and any changes to these items.
Automation of invoicing processes, account management with a focus on putting control back into the hands of customers when possible to reduce the amount of contact points.
Streamlining the accounting processes, (example: auto suspend accounts for non-payment, or Accounts Receivable Management)
Ensure that data analysis is a priority and that reporting elements are flexible and can adjust to the evolving needs or the operation and the economic environment, (dashboard)
However, never forget that automated processes still need your attention. Remember to ensure that separation of duties is being maintained. Trust your employees, but also verify their work and findings. Watch for any exceptions, whether in employee behavior or within the operation, and investigate them. Manager your accounts receivables and any adjustment reports very closely. Continue to analyze and map out your trends so that problem areas can be identified, investigated, and resolved. Auditing should be a part of the everyday workplace rather than used solely as an investigation tool, or to meet an annual obligation. It really is just about being PRESENT, in your operations.
Katherine Beaty is VP of Implementation at tez. She can be reached at katherine@tezhq.com
