Detecting Fraud and Mitigating Risk for Natural Resources Companies
By Jeff Harfenist
The natural resources industry is often noted for three things: the mercurial nature of a commodities-based market; pressures from myriad national and regional regulations; and the inherent challenges presented by disaggregated operations in high-risk areas.
Oversight of risks related to operational and financial reporting decision-making – primarily through exposure to corruption and fraud – is top-of-mind for executives and their advisors. And amid the rapid pace of globalization and the growth in compliance obligations in the natural resources sector, resources are stretched further than ever. The risks stemming from today’s heightened regulatory environment are significant and demand that organizations take action sooner rather than later.
The process of designing, implementing and testing an integrated suite of thorough compliance programs and related controls to safeguard company assets has become a daunting task for many energy and mining organizations – and one placing increased scrutiny and pressure on boards and management teams, forcing them to allocate more personnel and related resources to address the threats they face.
Continuous Monitoring as a Prophylactic Management Tool
Continuous monitoring integrates sound forensic practices with data mining tools to detect high-risk behaviors and potentially anomalous transactions, as well as evaluate policy compliance within an organization’s financial and operational environment. Continuous monitoring systems can identify, quantify and report, in real time, instances of non-compliance with company policy, high-risk behaviors, and transactions with high indicia of fraud, as well as failures in internal controls.
Continuous monitoring systems can also identify high-risk operations within a company’s global business by testing for uncharacteristic trends, data discrepancies, duplication of payments, policy violations, missing data and a host of other high-risk attributes. These tests can be performed remotely and, based upon the reported results, appropriate compliance and forensic experts can be routed to the geographic areas posing the greatest risk of loss and exposure. This produces increased efficiency, reduces travel costs and allows companies to focus limited resources on their highest and best application.
Continuous Monitoring vs. Traditional Internal Audit Approach
The Association of Certified Fraud Examiners estimates that the average fraud scheme goes undetected for approximately 18 months. This should come as no surprise to companies employing the traditional intermittent, sampling-based audit approach. But facing the ever-expanding risks associated with violating anti-corruption laws, companies simply cannot afford to wait 18 months to recognize potentially anomalous transactions and high-risk relationships. In an 18-month period, the number of Books & Records violations can multiply drastically, and substantial amounts of cash can vanish as a result of non-economic transactions.
As further outlined below, when comparing the two approaches, Continuous Monitoring is a far superior protocol for the early identification and mitigation of suspect behaviors. (see table below)
It is clear that if fraudulent behaviors are permitted to continue undetected, the associated liabilities will compound, along with the loss of critical cash flows.
Applying Forensic Data Analytics to Anti-Corruption
The detection of prohibited payments, dubious relationships and high-risk activities represents a central element of both proactive and reactive anti-corruption engagements. When designing a forensic data analytics plan, it is important to consider that violations of company policy and/or various statutes can occur by manipulating vendor payments, accounts receivable, payroll, expense reporting, purchasing cards, expense classifications within the general ledger and the posting of journal entries. Below is a sample list of target areas energy and mining companies with a high operating risk profile should review:
Lastly, it is important to consider that any negative outcome resulting from the aforementioned tests does not constitute proof that prohibited behaviors or fraudulent transactions have occurred. Companies must carefully consider qualitative issues with their data and how these issues might impact the results of the applied tests.
Program Implementation and Exception Management
Continuous monitoring systems produce the most significant benefits in organizations that approach the process in a structured manner. In our experience, there are six prerequisites for success:
- Clear vision of the program’s goals. Is the organization solely looking to test for compliance with company policy, or is there a broader ambition to improve management oversight by detecting and eliminating accounting irregularities, as well as potentially fraudulent behaviors and transactions? These decisions will dictate the types of analytical tests to perform.
- Understand the nature of risk faced by your organization. Companies need to move beyond the geographic approach to quantifying risk and adopt a more reasoned methodology that considers a number of quantitative and qualitative factors. In addition, risk is not a static condition, so companies must periodically reassess the appropriateness of prior risk evaluations.
- Consensus on which data sources will be monitored. Companies should consider evaluating their Enterprise Resource Planning (ERP) system, legacy systems and system logs.
- Keen insight into the underlying data that will be mined. For example, do the recorded cash disbursements represent transactions initiated through the ERP system, or are they being recorded post issuance, producing underlying data that may lack integrity?
- A work-flow process covering the full range of actions and responsibilities, including the assignment and management of exceptions. In the absence of timely follow-up, the benefits of a continuous monitoring system will be substantially diluted.
- Experienced forensic professionals. These individuals can be involved both in designing the front-end analytical tests that drive the system and in monitoring the output generated, in order to separate instances of real concern from the range of false positives that are inherent in this type of early warning system.
Once the continuous monitoring system is generating exceptions, a process of managing and risk-ranking these exceptions on an enterprise-wide basis needs to be implemented. Without the ability to effectively triage results, the team responsible for following up on perceived high-risk matters will find itself wasting time and valuable resources on false positives.
The pressure being brought to bear on energy and mining companies will continue to grow as commodity prices remain depressed. This pressure will increase the risks of prohibited behaviors as individuals attempt to mitigate the financial impact of current market conditions. Clearly, the costs associated with delayed detection – and in some cases, a complete lack of detection – are high and escalating at an ever-increasing rate. In addition, the observed trends in the sphere of forensic investigations are quite troubling. Schemes are growing in their sophistication and aggressiveness, conspiratorial relationships are on the rise within companies, and those committing fraud are increasing their awareness and understanding of the investigatory protocols being employed by forensic experts. Each of these conditions poses unique challenges requiring thoughtful, reasoned and evolving responses. The unfortunate truth is that you cannot completely eliminate fraud; however, you can implement solutions to detect prohibited behaviors and fraudulent transactions quickly, shut them down in their infancy and implement additional controls to further enhance existing systems.
Jeff Harfenist is a managing director with BDO Consulting’s Global Forensics practice, heading up the group’s Texas division. He can be reached at email@example.com.
For more on data analytics and mitigating risks, refer to BDO’s archived webinar and self-study course, 2015 Board Matters – Data Analytics and Risk Management: A Board Primer