What Is the Risk of Fraud? ACFE's 2012 Report on Occupational Fraud and Abuse

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


The Association of Certified Fraud Examiners has released its biannual report (PDF), analyzing reported frauds in nearly 100 countries. I highly recommend that all involved in combatting fraud read and consider this report. The ACFE does a good job of analysis and provides a clear discussion of its results.

In this post, I want to review the ACFE report and then discuss what it should mean (IMHO) to governance, risk management, and audit practitioners.

Over the years, the ACFE’s annual report has been referenced as a measure of typical losses from fraud. The number this year is 5%, consistent with prior years (the same percentage was referenced in the 2010 report). But it is important to remember that the ACFE includes many different forms of fraud and abuse, some of which may not result in significant losses.

In fact, while it is important for any organization to limit the risk of loss from fraud, it is equally important not to chase fraud with measures that cost several times any potential for loss (taking possible fines, reputational loss, and other consequences into account). For example, the typical expense report fraud averages $26,000; payroll scams average $48,000.

For example, the median loss from the frauds studied in the report was only $140,000, and only 20.6% exceeded $1 million — far less than material for almost any company, and lower than in prior years (23.7% in 2010 and 25.3% in 2008).

Of note is that financial statement fraud represented just 8% of the cases and the median loss was only $1 million. (In 2010, the average was $4.1m and in 2008 it was $2m.) My guess is that the typical financial statement fraud was to protect individual managers or operating units. I have seen this myself, where the fraud enhanced bonus opportunities, etc.

Other points of interest include:

  • The typical fraud scheme lasts 18 months before it is detected. Experience shows that if fraud is undetected for any period, those involved start expanding their ‘work’ with additional or larger schemes.
  • 87% of the cases were some form of asset misappropriation, with a median loss of $120,000. The report includes a breakdown of what is covered in this class.
  • A third of the cases involved corruption, costing an average of $250,000.
  • Tips continue to be the way most frauds are uncovered (50.9%). Internal audit is second at 16.3%. However, nearly half of the victim organizations did not have a hotline at the time of the fraud!
  • Banking and financial services, government and public administration, and manufacturing were the hardest hit by fraud.
  • When owners/executives are involved, the loss is far larger ($573,000 on average) than if committed by a manager ($180,000) or employee ($60,000).
  • Most of the culprits were first-time offenders with clean records.
  • 81% of the cases might have been detected by one or more typical red flags. See page 58 for details.
  • The geography with the largest median fraud loss was Latin America and the Caribbean ($325,000) while Canada ($87,000) had the lowest. Asia ($195,000) was lower than Europe ($250,000).
  • The weaker the controls, the greater the loss and the longer the fraud lasted before it was detected. Surprise! (OK, not really.)
  • Management review had the greatest effect on reducing losses — those with this in place had 45.9% smaller losses than those that did not.
  • Tone at the top was only a factor in 9% of all the cases, and was cited as a primary factor in just 18% of cases over $1 million.
  • Collusion was involved in 36% of cases (down a little from prior years), but the loss when collusion is involved is about double ($250,000 on average, down from prior years).
  • Men are more active — about 2:1, but this varies significantly by geography. Men also take more.
  • About two-thirds of the cases were prosecuted. In my experience, this is a surprisingly large percentage, possibly indicating a flaw in the research as only reported cases can be studied.
  • About half of the victim organizations had not recovered any of their losses.

So what does all of this mean? I want to repeat, first, what I said above:

“While it is important for any organization to limit the risk of loss from fraud, it is equally important not to chase fraud with measures that cost several times any potential for loss.”

My advice is this:

  1. Understand the risk that fraud, abuse, and corruption represent to your business. The averages discussed in this report are just that: averages. Your risk might be much higher or lower. Don’t forget to include the cost of reputational damage, business disruption, etc. of fraud.

  2. Consider the controls that you have in place relative to fraud. Do you have the obvious and less expensive controls in place and operating effectively? Consider (for US companies) the controls you need to have an adequate compliance program under the US Sentencing Guidelines. Having that as a defense if something goes wrong has significant value.

  3. Go beyond the obvious and less expensive controls. Are they justified when you consider the level of risk? Look at the typical costs of the different kinds of fraud: how much money should internal audit spend on data mining and investigations on expense reporting, payables, and payroll fraud when the typical loss is less than $100,000 (for payment of fraudulent invoices; much less for expense reports or payroll fraud)?

When it comes to internal audit, it is understandable that the audit committee of the board and management will look to them and expect them to detect and investigate fraud. But, my advice is to ensure that internal audit only allocates resources that are justified considering the risk to the business. While it may be satisfying to detect and stop frauds that cost the company hundreds of thousands of dollars, don’t do so at the expense of performing audits that will improve business processes and the bottom line by millions.

What do you think?

Posted on May 29, 2012 by Norman Marks


  1.  NM,

    Similar to the treatment of other risks, if the perceived impact of fraud risks is immaterial, the resources committed to managing such a risk should be commensurate (n.b. This may present issues where the risks aren't assessed properly. I usually recommend a separate fraud risk assessment is performed in light of the organisation's structure and possible fraud schemes that may occur).

    However, the occurrence of fraudulent activities may reflect a weakening control environment, and a growing perception by employees that they will not be detected (re Cressey's Fraud Triangle). To help prevent this, a well structured anti-fraud program should be developed and effected. The costs associated with setting up this framework are unlikely to be prohibitive.

    It would be interesting though, to clarify how the study treated losses resulting from 'poor governance' (e.g. Olympus, CLICO), and whether a pedantic definition of fraud was applied. Whether these crippling improprieties can be defined as 'fraudulent', may be one for the courts to decide.

    On the transaction level, data analytics tend to unearth unfavourable trends or irregularities that may be occurring. As such, I would strongly encourage an investment in these tools to aid the organisation's efforts to mitigate potential fraud risks.

    While much more can be said, I look forward to perusing any subsequent comments.


    Best regards,

    Harun Abdul-Haqq CFE










  1. With respect to financial statement fraud, this may be one of those cases where the median ($1,000,000) is less informative than the mean would be. We don't know how the size of cases skews around the median, but one thing we do know is that some of those frauds that are above the median are going to be way above it, whereas the ones below the median can only go down $1,000,000, to zero. Really you'd like to see the distribution chart.

    One thing that struck me as very interesting about the survey is that the tip statistic you quoted (50.9% of frauds are discovered by tips) is the figure for companies with a hotline.  Without a hotline, the number is 34.6% -- a difference of 16.3 percentage points. (Average overall is 43.3%).   So hotlines really made a difference.  What's interesting to me is if you look for where that difference went -- that is, in companies without a hotline, how were the "other" 16.3% discovered.  Well, over half of that difference shows up in the "discovered by accident" category.  That is 2.8% for companies with hotlines, versus 11.3% for companies without.  Now, how much longer do you think the average fraud scheme persists before it's discovered "by accident," as compared to a tip, and how much greater do you think the loss would be? 

    Also, for companies without hotlines, the percentage of frauds first discovered by law enforcement authorities (and reported by them to the company) more than doubled -- from 1.7% to 3.7% -- and these are the frauds that tend to cause the most damage, with a median loss of $1,000,000. 

    Score a big one for hotlines.

  1. Norman is right in his analysis. The ACFE report always irritates me, however. My fraud team never participated in the survey as they ask each respondent to report one large fraud from the last two years. This is clearly not a method of selection that is representative of all fraud that exists. I use the ACFE report as giving broad directional information, but not as an accurate measurement of indicators of fraud that is occurring.

  1.  I just received this email:


    Comments from Tom Hughes:

    Mr. Marks,

    Your piece on ACFE's annual report has me thinking.

     Speaking as one of the criminals, I can say two things with relative certainty: First, I can say that the hardest dollar to steal is the very first one. Dollar #5 causes slightly less anxiety... And Dollar #25,000 eventually passes without a thought. As you alluded in the article, the checks never, ever get smaller over time.


    Second, the importance of even the most basic internal controls can't be overstated. Since most fraudsters are first offenders, basic controls and a corporate culture of accountability and fraud awareness go a long way toward preventing embezzlement by someone who hasn't yet made it over the emotional obstacle to stealing for the first time.

    After all, as I'm fond of saying, money never stolen... never has to be recovered.

    Tom Hughes


    *A former embezzler, Tom Hughes writes and speaks on the subjects of Professional Responsibility, ministry and Business Ethics from his home in northern Vermont.*
