Prevent, detect and respond: A three-step plan to protect your business from cybercrime

Amir Mousa
15 March 2022
4 min read

16 March 2022

The Association of Certified Fraud Examiners (ACFE) estimates that organisations lose about five percent of their annual revenue to fraud. The need for a strong anti-fraud stance and a proactive, comprehensive approach to combating fraud has never been stronger.

Despite the severe risk that fraud presents to businesses, many organisations still do not have formal systems and procedures to prevent, detect and respond to fraud. While no system is entirely foolproof, our internal audit team uses specific steps to deter fraud and make an organisation a much less attractive target for cybercriminals.

In this environment, organisations should increase their focus on risk and take the opportunity to consider and improve measures to detect, deter and prevent fraud.

The cost of fraud

With organisations losing as much as five percent of their annual revenue to fraud, applying that rate to the 2019 Gross World Product (GWP) of USD 90.52 trillion puts the global cost of fraud at more than USD 4.5 trillion each year.

According to the ACFE's 2020 report, an annual study of reported fraud cases:

  • 2,504 fraud cases occurred in 125 countries throughout the world.

  • Fraud accounted for a total loss of more than USD 3.6 Billion.

  • The average loss per case was USD 1,509,000.

Fraud triangle: How fraud occurs

The fraud triangle is a helpful model for understanding the motivation to commit fraud. It is built on the premise that fraud is likely to result from a combination of three factors:

  1. Motivation.

  2. Opportunity.

  3. Rationalisation.

An effective way of tackling fraud is to adopt methods to address these factors.


(Figure: the fraud triangle.)

Motivation: Typically based on greed or need, e.g. resulting from financial difficulties.

Opportunity: Where there are weak internal controls, poor security, little fear of exposure or likelihood of detection.

Rationalisation: Some may rationalise fraudulent actions as necessary, especially when done for the business; as harmless, because the victim was large enough to absorb the impact; or as justified, because the perpetrator had a sense of grievance.

Types of occupational fraud

Asset Misappropriation

Involves the theft or misuse of an organisation’s assets. Examples include theft of plant, inventory or cash, false invoicing, accounts receivable fraud and payroll fraud.

Fraudulent Statements

Usually occurs in the form of falsification of financial statements to obtain improper benefit. It also includes falsifying documents such as employee credentials.

Corruption

Such as the use of bribes or acceptance of kickbacks, improper use of confidential information, conflicts of interest and collusive tendering.

Fraud risk management

To combat cybercrime, organisations need to invest time and resources towards tackling fraud, using an effective anti-fraud strategy of prevention, detection and response.

Fraud Prevention

Key components of fraud prevention:

  • A sound ethical culture.

  • Sound internal control systems.

While fraud prevention techniques cannot be 100% effective, organisations also need to engage in fraud detection.

Fraud Detection

There are two key tools for detecting fraud: training and experience, combined with the necessary mindset that fraud is always possible. These can be supplemented by a range of techniques for identifying and analysing anomalies, which help determine whether further action is required.

Key elements of a comprehensive fraud detection system should include:

  • Exception reporting.

  • Data mining.

  • Trend analysis.

  • Ongoing risk assessment.
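To make "exception reporting" concrete, the following is an added example (not code from the original article or from the Findex team) that runs a small set of control rules over accounts-payable records and lists the payments an internal auditor should review. The records, field names, the approval threshold and the rule set are all constructed assumptions for illustration; a real deployment would read from the organisation's ledger and tune the rules to its own control environment.

```python
"""Exception reporting over accounts-payable records (added example).

Flags payments that break simple internal-control rules so that an
auditor can follow up. All data below is constructed sample data; the
field names, threshold and rules are assumptions, not a standard.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

APPROVAL_THRESHOLD = 10_000.00  # assumed single-signature approval limit


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float
    booked_at: datetime  # when the payment was entered into the ledger
    entered_by: str      # user id of the clerk who keyed it
    approved_by: str     # user id of the approver


def find_exceptions(payments):
    """Return (rule, payment_id) pairs for every rule each payment breaks."""
    exceptions = []
    by_invoice = defaultdict(list)
    by_vendor_day = defaultdict(list)

    for p in payments:
        # Rule 1: segregation of duties - the same person entered and approved.
        if p.entered_by == p.approved_by:
            exceptions.append(("self_approved", p.payment_id))
        # Rule 2: posted at a weekend or outside assumed business hours (08-18).
        if p.booked_at.weekday() >= 5 or not 8 <= p.booked_at.hour < 18:
            exceptions.append(("out_of_hours", p.payment_id))
        by_invoice[(p.vendor, p.invoice_no)].append(p)
        by_vendor_day[(p.vendor, p.booked_at.date())].append(p)

    # Rule 3: the same vendor invoice number paid more than once.
    for group in by_invoice.values():
        if len(group) > 1:
            exceptions.extend(("duplicate_invoice", p.payment_id) for p in group)

    # Rule 4: several same-day payments to one vendor, each just under the
    # approval limit, that together exceed it (a classic red flag for
    # invoices split to stay below a control).
    for group in by_vendor_day.values():
        near_limit = [p for p in group
                      if 0.9 * APPROVAL_THRESHOLD <= p.amount < APPROVAL_THRESHOLD]
        if len(near_limit) >= 2 and sum(p.amount for p in near_limit) >= APPROVAL_THRESHOLD:
            exceptions.extend(("split_below_threshold", p.payment_id) for p in near_limit)

    return exceptions


def summarise(payments):
    """Group exception ids by rule, sorted, for a readable report."""
    report = defaultdict(set)
    for rule, payment_id in find_exceptions(payments):
        report[rule].add(payment_id)
    return {rule: sorted(ids) for rule, ids in report.items()}


# Constructed sample ledger. March 2022: the 1st is a Tuesday, the 5th a Saturday.
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Ltd", "INV-100", 4200.00, datetime(2022, 3, 1, 10, 15), "clerk_a", "mgr_b"),
    Payment("P2", "Acme Ltd", "INV-100", 4200.00, datetime(2022, 3, 3, 11, 0), "clerk_a", "mgr_b"),
    Payment("P3", "Blue Supplies", "INV-77", 9500.00, datetime(2022, 3, 5, 14, 0), "clerk_c", "mgr_b"),
    Payment("P4", "Blue Supplies", "INV-78", 9800.00, datetime(2022, 3, 5, 14, 30), "clerk_c", "mgr_b"),
    Payment("P5", "Cable Co", "INV-9", 1500.00, datetime(2022, 3, 7, 22, 0), "clerk_d", "clerk_d"),
]

if __name__ == "__main__":
    for rule, ids in sorted(summarise(SAMPLE_PAYMENTS).items()):
        print(f"{rule:>22}: {', '.join(ids)}")
```

Each rule maps to one of the prevention controls the article lists: segregation of duties and approval limits are internal controls, and the report is the detection layer that tells you when they have been bypassed. The output is a review queue, not a verdict; a payment can appear under several rules, and the auditor still has to establish whether there is an innocent explanation.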

Fraud Response

An organisation should set out its approach to dealing with fraud in its fraud policy and fraud response plan. This should include learning lessons from fraud incidents and appropriate, prompt follow-up action.

Organisations should design and implement anti-fraud controls, which help to reduce both the cost and the duration of fraud.


Cybercrime is on the rise and it’s important your organisation has the systems and processes in place to protect itself should an attack occur. The Findex internal audit team can assist by conducting a fraud risk assessment to ascertain the type of support you may need. We can then provide fraud awareness training, fraud strategies, fraud risk frameworks or incorporate fraud risks into your Enterprise Risk Management. For more information, talk to your adviser or get in touch with our team.

Author: Amir Mousa | Senior Manager