The question is not whether there is fraud in the institution, but how open the institutional structure is to misconduct.

The question is “how open the institutional structure is to fraud”,not “is there active fraud in the organization?”

ACFE according to the data; One in 20 organizations is currently in active misconduct and each year the average revenues of the companies 5% is lost through abuses.

When cases of internal misconduct become public, the question is often asked: “How did he do it?”

However, the real question to be asked is this: “How did this institution allow the misconduct to take place?”

This is because internal misconduct is not a singular, isolated or “unfortunate behavior of a malicious employee”, but rather a consequence of the corporate structure. In other words, misconduct is not an accident, but the manifestation of a systemic weakness.

What does ACFE say?

The biannual Report to the Nations published by the Association of Certified Fraud Examiners (ACFE) clearly demonstrates this reality. According to recent reports:

• On average, organizations lose 5% of their annual revenue due to employee misconduct.
• In 85% of cases, there is at least one control weakness.
• 42% of fraud cases are uncovered through whistleblowing, not through internal audit or internal control mechanisms.

These data show that misconduct is not “unpredictable” but rather a predictable and preventable risk.

“We don’t have it” Misconception

Many managers rely on the following assumption when evaluating their own organization:

“We are a family, we trust our employees.”

But the fundamental truth that the ACFE reveals is this:

Fraud occurs not where there is trust, but where there is weak control.

Fraud occurs when three key elements come together (Fraud Triangle):

1. Pressure – Financial, performance or personal pressures
2. Opportunity – Weak controls, confusion of authority, lack of oversight
3. Rationalization – “Everyone does it”, “It was my right anyway”

Managers often ignore the first two elements and focus on the third. However, organizations themselvescreate the third element, especially the opportunity element.

Case Example: Single Signature Authorization

A common type of case in the ACFE database is the following:

In a medium-sized company, the accounting manager is responsible for supplier identification, payment ordering and bank reconciliation. Over the course of three years, he creates fake suppliers, costing the company approximately 1.2 million dollars.

Question:

Is this person to blame, or is it the institutional structure that disregards the principle of separation of powers?

In such cases, the employee is often not alone; the real perpetrator of the misconduct is the faulty processes they have designed.

How Do Institutions Invite Fraud?

Common institutional mistakes that inadvertently pave the way for abuse include the following:

• Over-centralized authority structures
• Controls removed on “trust” grounds
• Outdated job descriptions
• Companies with a code of ethics but not implemented
• Structures without a whistleblowing mechanism or unreliable structures
• Internal audit is seen only as a “formal obligation”

According to ACFE, in organizations with an effective whistleblowing hotline, losses due to misconduct are reduced by up to 50% and cases are detected much earlier.

Case Example: Performance Pressure and Sales Abuse

Another common type of case is related to sales targets.

Sales managers in an international company are measured by targets that are almost impossible to achieve. As a result, some managers create false sales records, recognize revenues early and receive bonuses. The misconduct leads to serious distortions in the company’s financial statements.

At this point the question arises again:

Were these people abusive, or did the organization push them to abuse?

What should be the question?

Therefore, the right question is this:

“How open is the institution to fraud?”

To answer this question honestly, managers need to question the following areas:

• Is there really a separation of duties in critical processes?
• Do the controls work on paper or in practice?
• Do employees believe they will be protected if they report ethical violations?
• Are internal audit and compliance functions independent?
• Does senior management really set an example in terms of ethics?

Internal misconduct is not only an individual error but also a result of deficiencies in corporate governance and control mechanisms. Employees can be replaced, but the risk will not go away unless weak systems are changed.

It should not be forgotten that:

What prevents fraud is well-designed systems with good people.

Without realizing it, you may be paving the way for fraud in your organization. Therefore, the question is not “is there an active fraud?”, but “how much does the structure I manage make fraud possible?”.

And this question should be at the center of every boardroom table.