Insights & Reports > Kroll Global Fraud Report

---

Tracey Stretton & Mark Surguy

---

An old threat

The professional services sector may experience less fraud than others, but there is still plenty around. In the UK, the Serious Fraud Office recently prosecuted several solicitors for mortgage fraud. In the same country, not so many years ago, the senior partner of a small accounting firm forged a client’s signature on a series of stock transfer forms. His innocent fellow partners were found liable as well. The latter case followed a substantial fraud in Dubai involving a firm of London solicitors: one of its partners had allegedly drafted consultancy contracts which facilitated a massive fraud by the firm’s client. The allegations were withdrawn, but the firm’s insurers still made a substantial settlement payment. They in turn sought a contribution from the innocent partners. The court established that the dishonest partner had acted in the course of the business of the firm, thereby rendering the innocent partners liable.

Cases like these may be on the rise in today’s economic environment. Kroll’s annual fraud survey revealed that professional services experienced one of the strongest up-ticks in fraud over the last 12 months.

In some cases desperation is heightening the risks. For example, the moment an employee thinks redundancy is a possibility, the employer faces a greater danger of data theft, of customer lists, trade secrets, research data, or price sensitive information. It also remains to be seen whether the increased regulation promulgated early this decade in the wake of the Enron scandal will truly eliminate so-called “cozy relationships,” where audit and accountancy firms succumb to client pressure to “make the numbers work.” The last six years have seen considerable merger activity and the pressure to mis-state the accounts of struggling companies may well be high.

As the initial examples in this article illustrate, however, perhaps the biggest risk for the professional services sector is to be drawn into a client’s fraud. Recent incidents abound:

• India’s largest fraud in 2009, of IT outsourcing firm Satyam Computers, involved the company’s auditors, who allegedly signed mis-stated accounts knowingly in return for a larger than normal audit fee. The audit firm has been joined to several lawsuits, and two partners have been arrested.
• One of the most senior partners at a New York law firm was recently convicted over the collapse of a commodities broker. Now that firm has been drawn into litigation.
• The principal of another New York law firm became involved in fake security transactions and the partnership has collapsed into bankruptcy.

The recent popularity of the Limited Liability Partnership (LLP) may help reduce the danger in practice, depending on the terms of the partnership agreement. Even if it does, however, the reputational implications of client fraud remain significant. After all, Arthur Andersen – an LLP in the United States – was cleared of all wrongdoing in its association with Enron, but its business nevertheless disintegrated and its brand was fatally tainted.

Moreover, the need to pursue compensation for fraud is also greater when finances are tight. In the past, cases of fraud might have been overlooked and the losses absorbed. Now, aggressive pursuit of redress in the hope of recovering some proceeds is much more likely, putting even the innocent at greater risk.

A new threat

As the professional services sector adopts new technologies and ways of working, new risks arise. The Internet and e-commerce have brought substantial business benefits, but also a sharp increase in the incidence of “e-fraud” in particular, and commercial fraud in general. In Britain alone, companies now lose in excess of $16 billion a year because of cyber crime and data theft. Ninety one percent of respondents in a recent survey cited cyber crime as a major business risk, resulting in lost customers, damaged brands, and lawsuits.

According to Kroll’s annual fraud survey, over a quarter of companies in the professional services sector were hit by information theft in the past three years, making such attacks – along with theft of physical assets which affected the same number – the most widespread fraud threat. Losing valuable data brings the risk of losing clients and money as well. Professional services firms also risk breaching the duty of confidentiality owed to clients and the responsibility to keep clients’ data secure in order to protect them from fraud.

Information management amid rapid technological advancement brings many and varied challenges. The modern thief can steal more with a computer than with a gun. The days of copying a few company secrets onto a floppy disk are long gone. Increasingly complex networked environments recognize no physical boundaries, and permit a multitude of devices to communicate and interact. These new technologies enable quick, quiet data theft on a massive scale. A thumb-sized USB drive, for example, can store the equivalent of four tons of paper documents; email can send information away instantly; gigabytes of data from desktops or servers can be burned covertly onto DVDs and PDAs; and wireless networks and Bluetooth devices increase the risk by making data access and transportation easier still.

The law and business respond

The law has not developed sufficient new rules to meet the challenges of these cyber crimes. Instead, existing procedures and remedies are being applied in new contexts. Freezing and search orders are available in common law regimes, and English courts have the power to order an innocent party caught up in wrongdoing to disclose the identity of a wrongdoer. Data does not respect jurisdictional boundaries, however, and so the applicable law in the event of fraud is never obvious.

Unlike the law itself, the context in which it is being applied has changed beyond recognition. Huge volumes of electronically stored material often have to be reviewed to establish a legal remedy. Moreover, this electronically stored information can also be readily copied, and therefore moved without permission; altered, and therefore falsified; and the identity of the author can be easily concealed or assumed by anyone with access to a user’s password. This makes the authenticity of the evidence much less reliable and the risk of not finding it, or contaminating it, high. It has become essential for fraud lawyers to work with investigators and computer forensic experts to uncover evidence and preserve its integrity so that it will be admissible in court.

If significant volumes of electronic information create the risk of unauthorized access and even information leakage, professional service firms should determine what information they hold, where it is, and who has access to it. A computer use and document management policy is only part of the solution. Enforcing the policies and refreshing them regularly is essential. The concept of e-health is also beginning to spread, where organizations purposefully delete masses of data and store only what they need for business purposes. Such firms carry a much lower risk of being saddled with fraud.

The professional services sector is not exempt from fraud, but often has less direct control. In the current economic environment, it faces heightened risks, especially that of being drawn inadvertently into the fraud of clients. The ongoing exploitation of information technology’s benefits also brings a dark side of increased vulnerability to certain crimes. Professional services organizations need not only to be aware of all these risks but, like other companies, have the right security controls and incident response plans in place.

View the Professional Services Industry Report Card

EIU Survey

Although still facing only low absolute losses, professional services firms may need to consider doing more to address their fraud problems, especially given the role of these businesses in the growing battle against financial crime. Fraud levels, a complex story: On the surface, the numbers look good, but digging deeper reveals a more nuanced story. The average loss per company over the last three years was $2.9 million, which is well below the average. It is over twice the 2008 survey figure – $1.4 million – but nevertheless an extremely good result. Moreover, the vast majority of professional services respondents are from smaller companies – those with annual sales of under $5 billion. These businesses averaged a loss of only $4.6 million, so size only partly explains these low losses. More worrying, smaller companies as a whole saw average fraud losses decline last year, contrary to the trend in professional services. 28% of sector companies saw an increase in the level of fraud at their company in the last year, the second-highest proportion, and greater than the 24% who saw a decline. Although, as a sector, professional services had the second-lowest proportion of companies hit by fraud (77%), and the lowest incidence of theft of physical assets (27%), it still had the second-highest rate of information theft (27%) and money laundering (7%). The response is sometimes wanting: Sector companies do not always recognize and rise to the challenge. These firms are less likely to feel at risk to specific types of fraud, which can create blind spots. For example, only 4% think themselves highly vulnerable to internal financial fraud, yet 16% suffered from it in the last three years. Professional services companies are also less likely than average to deploy any of the anti-fraud methods listed in the survey, with the exception of due diligence, where the number is only slightly above average (48% compared with 46%). Only 58% have information security measures in place, compared with an average of 71%, even though information theft is a marked problem. A smaller than average fraud problem is not the same as no fraud problem. Professional services firms need to address the weaknesses they do have, especially in information security, so that losses do not grow. Written by The Economist Intelligence Unit