Professional services firms face a growing number and variety of internal and external fraud threats. “There are many different types of fraud, with new ways that people are committing fraud every day,” said Grant Thornton Services Industry National Managing Partner Frederick Kohm.
“Recently, we investigated an allegation of revenue recognition fraud at a services firm,” Kohm said. “Pressure had built up in one of the firm’s regions to make quarterly revenue projections, and there were allegations that individuals were billing excess hours. As we investigated the underlying details, we found it to be true. We essentially found that there were large groups of individuals who were front-loading hours on long-term projects, and then accounting for those in quarters where they were short on hitting their revenue targets.”
To effectively prevent, identify and investigate fraud, professional services firms need to establish an informed and clear framework up front.
How to prevent fraud
“You need to remediate both the instances of potential fraud and also those control deficiencies that lead to fraud.”
To help prevent fraud before it happens, professional services firms need sound fraud risk management. “An effective fraud risk management framework includes controls that prevent fraud from occurring, detect fraud when it does happen, and respond effectively to fraud incidents when they occur,” Kohm said.
Firms need to educate their employees and third-party vendors on how to identify fraud — and how to report it. This education also helps to communicate that the firm is on alert. “You need to remediate both the instances of potential fraud and also those control deficiencies that lead to fraud,” Kohm said.
It’s important to maintain concise, consistent and transparent communication about your fraud management processes, so the entire enterprise and its suppliers can understand the expectations. To follow up on these expectations, firms need an effective team that is trained to identify and investigate fraud.
How to spot fraud
“When you determine that you have an allegation of fraud to investigate, one of the first things you need to do is to decide who is going to perform the investigation,” Kohm said.
“Typically, we see legal departments, internal audit, HR and compliance executives within an organization making these decisions and then actually being part of the investigative process,” Kohm said. “The goal, when you're forming your team, is to construct a team that will perform an objective, complete, thorough, and defensible investigation.”
Your team must be trained to identify the red flags for potential fraud, in three categories: operational issues, cultural issues and financial reporting.
How to investigate fraud
With your fraud investigation team in place, define your investigation’s procedures and practices. These can include:
- project management
- data collection
- data analytics
- time sensitivity (to regulators or governmental officials)
“It's necessary to follow a process, and the first step is to lay the foundation for an investigation by adopting the proper tools, mechanisms and activities to evaluate and communicate,” Kohm said.
“Investigations are a critical component of uncovering not only fraud within your organization, but also a range of other corporate crimes.”
Even with a standard process, no two investigations are identical. “Investigations are a critical component of uncovering not only fraud within your organization, but also a range of other corporate crimes,” said Grant Thornton Risk Advisory Services Managing Principal Jamie Sybert. “Even if they're based on the same allegation or same area, they could always lead in different directions. At the inception of an investigation, it's hard to tell how long the investigation might take. The unique nature of each fact pattern will dictate the specific tasks and procedures you should perform to prove or disprove the allegations.”
Along the investigation journey, new findings or other internal fraud issues might require the investigation to add unexpected roles or tasks. For instance, if you need to question employees, contractors or vendors, prepare for the legal considerations — the people questioned have specific rights and protections that the investigation must honor. It’s important to understand and address the full range of key considerations for your investigation.
With the right team and process in place, your investigation can determine the facts through document retention and reviews, electronic evidence, carefully planned and thorough interviews and public record searches. This can be a difficult process for the alleged offending individuals, so the team must prioritize an efficient investigation with a clearly defined scope that causes minimal disruption to business operations and maintains open lines of communication for the special counsel, forensic investigators, auditors, management, regulators, investors and other parties involved as necessary.
The biggest goal of your investigation is to prove or disprove the alleged wrongdoing. “To do that, you need to perform a complete and thorough investigation without any types of restrictions,” Sybert said. “The scope of the investigation should be narrow, and only expand based on the facts uncovered.”
The conclusion of the investigation should present the findings and suggest corrective actions. It should include a final report with the background and a summary of the allegation, the process used, the actual findings and recommendations on how to respond. A comprehensive fraud risk framework, together with comprehensive investigations and corrective actions, will help fight the likelihood of losses to fraud.
“Put together a roadmap and a high-level plan to create solid foundation, no matter which way your investigation ultimately takes you,” Sybert said. “Whether you end up proving or disproving the allegations, the investigation itself really provides an effective deterrent for future instances of fraud.”
Our services featured industry insights
No Results Found. Please search again using different keywords and/or filters.