Fraud Is Not an Exceptional Event — It Is an Organisational Constant

Fraud is not the rare aberration that many organisations treat it as. According to the Association of Certified Fraud Examiners’ Report to the Nations — the most comprehensive global study of occupational fraud — organisations lose an estimated five percent of annual revenue to fraud each year. Applied to the Caribbean enterprise landscape, this figure represents a staggering and largely invisible transfer of value from organisations and their stakeholders to the individuals who perpetrate fraud — in most cases, trusted employees, managers, and in some instances executives and directors who exploit the access and authority their roles provide.

The Caribbean context amplifies this risk in several important ways. The prevalence of cash-intensive businesses, the relatively limited professional pool from which anti-fraud expertise can be drawn, the cultural pressures that make fraud reporting uncomfortable and retaliation real, the limited forensic investigation capability available to most organisations, and the prosecutorial challenges that make criminal recovery of fraud proceeds uncertain — all of these factors create an environment in which fraud is more likely to occur, less likely to be detected, and less likely to be successfully prosecuted than in larger, more institutionally mature economies.

This article — the eleventh in Dawgen Global’s The Internal Audit Imperative series — examines fraud risk and the internal auditor’s role with the rigour and practical specificity this topic demands. We explore the ACFE’s fraud risk framework and the Fraud Triangle, identify the fraud typologies most prevalent in the Caribbean, examine the internal auditor’s responsibilities under the IIA Standards, present a comprehensive anti-fraud programme architecture, provide a structured forensic investigation protocol, and address the critical governance question of how organisations can build genuine, lasting fraud resilience.

 

KEY INSIGHT Fraud is not discovered by accident in well-governed organisations. It is systematically deterred by strong governance, proactively detected by analytics-enabled internal audit, and decisively investigated and remediated when it does occur. The absence of any one of these three components creates a vulnerability that determined fraudsters will eventually exploit.

The Fraud Triangle and the Diamond: Understanding Why Fraud Happens

The Fraud Triangle — developed by criminologist Donald Cressey in the 1950s and refined through decades of empirical research by the ACFE — remains the foundational analytical framework for understanding why individuals commit fraud. The triangle identifies three conditions that must all be present for occupational fraud to occur: pressure, opportunity, and rationalisation.

Pressure: The Motivating Force

Pressure is the personal or professional circumstance that motivates the fraudster to consider fraudulent action. Financial pressure is the most common form — personal debt, lifestyle inflation, gambling losses, medical expenses, or business failure that creates an urgent perceived need for money that legitimate compensation cannot satisfy. Non-financial pressures — the desire to conceal poor business performance from shareholders or lenders, the pressure to meet unrealistic budget targets, or the ego-driven need to appear more successful than one’s actual results justify — are equally powerful motivators in executive and management fraud.

In the Caribbean context, financial pressures on employees are often amplified by the region’s economic characteristics: limited social safety nets, high cost of living relative to professional salaries, family financial obligations that extend beyond the immediate household, and the social stigma of financial difficulty in close-knit communities. These pressures do not excuse fraud — but they contextualise the risk environment that organisations must manage.

Opportunity: The Enabling Condition

Opportunity is the condition that makes fraud possible — the access, authority, or knowledge that enables a motivated individual to commit fraud and, critically, to conceal it. Opportunity is the one element of the Fraud Triangle that organisations can most directly control through governance architecture, internal controls, and independent oversight. Poor segregation of duties, inadequate access controls, weak approval processes, absent reconciliation procedures, and ineffective oversight of high-risk roles all create opportunity that motivated individuals may exploit.

The internal audit function’s role in relation to opportunity is direct and consequential: by assessing and reporting on the adequacy of internal controls — particularly in high-risk processes — internal audit identifies and enables the remediation of the control weaknesses that create fraud opportunity. An organisation with a strong, risk-based internal audit function that regularly tests its highest-risk control areas is systematically reducing the opportunity dimension of the Fraud Triangle.

Rationalisation: The Psychological Permission

Rationalisation is the self-justification through which the fraudster reconciles their behaviour with their self-image as an honest person. Common rationalisations include: the belief that the fraud is temporary and will be repaid; the perception that the organisation owes them the money they are taking; the conviction that everyone does it; or the view that the organisation is so large that the amounts involved are immaterial. Rationalisation is the most difficult element of the Fraud Triangle for organisations to address directly — it is a psychological construct that operates in the mind of the potential fraudster. However, a strong ethical culture, clear and consistently enforced conduct standards, and visible consequences for misconduct can erode the social and psychological licence that rationalisation depends on.

The Fraud Diamond — an extension of the Triangle developed by researcher David Wolfe — adds a fourth element: capability. Not every employee who faces pressure, perceives opportunity, and can rationalise their actions has the technical knowledge, access, and skill to commit a sophisticated fraud. The capability dimension is particularly relevant to executive and financial system fraud — which typically requires specialised knowledge of the organisation’s systems, processes, and control weaknesses that junior employees do not possess.

 

KEY INSIGHT Every fraud that is discovered in a Caribbean organisation is evidence of a governance failure that preceded it — a control weakness that was not identified, a conflict of interest that was not managed, a whistleblower mechanism that was not accessible, or an internal audit programme that did not cover the area where the fraud occurred. The governance response to fraud is not merely investigation and prosecution — it is the systematic elimination of the conditions that made the fraud possible.

Caribbean Fraud Typologies: The Six Categories That Demand Audit Focus

The ACFE classifies occupational fraud into three broad categories — asset misappropriation, financial statement fraud, and corruption — which together account for the full spectrum of fraud types observed in practice. In the Caribbean context, these categories manifest in specific typologies that reflect the region’s economic characteristics, institutional structures, and governance environment. The table below presents the six most significant fraud categories, their Caribbean typologies, and the key audit techniques for each.

 

Fraud Category	Definition	Caribbean Typologies	Key Audit Techniques
Asset Misappropriation	Theft or misuse of organisational assets — cash, inventory, equipment, intellectual property	Ghost employees on payroll; fictitious vendors; cash skimming; inventory theft; expense reimbursement fraud	Payroll analytics; vendor master file review; cash reconciliation testing; expense claim sampling and data matching
Financial Statement Fraud	Intentional misstatement of financial information to deceive stakeholders — investors, lenders, regulators	Revenue recognition manipulation; liability concealment; asset overvaluation; improper period cut-off	Analytical review of financial ratios; journal entry testing; management override assessment; revenue recognition policy compliance
Corruption and Bribery	Improper use of influence or authority for personal benefit — including bribery, kickbacks, conflicts of interest	Procurement kickbacks from vendors; contract award manipulation; related-party transaction undisclosed; improper gifts and hospitality	Vendor relationship testing; contract award process review; conflict of interest declaration audit; hospitality register review
Procurement Fraud	Manipulation of the procurement process to award contracts improperly or extract value through the supply chain	Bid rigging; fictitious invoices; split purchase orders to avoid approval thresholds; vendor collusion	Full-population invoice analysis; Benford’s Law on invoice amounts; contract terms compliance; approval threshold testing
Cyber-Enabled Fraud	Use of technology to perpetrate or conceal fraudulent activity — including business email compromise, identity theft, and system manipulation	Business email compromise diverting payments; unauthorised system access to manipulate records; identity fraud in account opening	Privileged access review; payment authorisation audit trail; email security controls; customer identity verification testing
Internal Financial Fraud	Misappropriation or manipulation by employees with access to financial systems and processes	Unauthorised journal entries; account balance manipulation; write-off abuse; loan fraud by credit officers	Journal entry anomaly detection; segregation of duties assessment; exception report review; collusion risk analysis

Asset misappropriation is by far the most common fraud category globally and in the Caribbean — accounting for approximately 86 percent of cases in the ACFE’s research — though it typically produces lower median losses per scheme than financial statement fraud or corruption. The prevalence of asset misappropriation in cash-intensive Caribbean businesses, combined with the frequency of procurement fraud in both private sector and public sector procurement processes, makes these two categories the highest-priority fraud risks for most Caribbean organisations.

The Internal Auditor’s Fraud Responsibilities: What the IIA Standards Require

The IIA Standards establish specific and unambiguous responsibilities for internal auditors in relation to fraud risk. Standard 1210.A2 requires that internal auditors have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation. Standard 2120.A2 requires that the internal audit activity evaluate the potential for fraud and how the organisation manages fraud risk. These are not aspirational standards — they are professional obligations that define the minimum expected engagement of every internal audit function with the fraud risk of the organisations it serves.

The Distinction Between Audit Responsibilities and Investigation Responsibilities

A critical distinction that all internal auditors — and all audit committee members — must understand is the difference between the internal auditor’s responsibilities in relation to fraud risk assessment and those in relation to fraud investigation. The internal auditor is not a fraud investigator. Their fraud-related responsibilities are to assess the organisation’s fraud risk exposure, evaluate the adequacy of the controls that manage that exposure, identify red flags and anomalies that may indicate fraud in progress, and report their findings to the audit committee — including findings that suggest a fraud may have occurred.

When a fraud is suspected or confirmed, the investigation responsibility typically passes from the internal audit function to a forensic investigation team — either an in-house forensic capability where it exists, or an outsourced forensic specialist. This distinction is important for two reasons. First, forensic investigation requires specialised skills — structured interviewing techniques, evidence preservation protocols, chain of custody documentation, and legal-evidential reporting standards — that go beyond standard internal audit competency. Second, maintaining the separation between the audit function and the investigation function preserves the audit function’s objectivity and independence for the ongoing assurance work it must continue to perform during and after the investigation.

The Red Flags That Internal Auditors Must Recognise

A significant component of the internal auditor’s fraud responsibility is the ability to recognise and escalate red flags — indicators that fraud may be occurring — encountered in the normal course of audit work. The IIA’s Practice Guide on Internal Auditing and Fraud identifies a comprehensive taxonomy of fraud red flags. The most significant for Caribbean organisations include:

• Unusual journal entries — particularly manual journals posted outside normal business hours, by individuals without normal journal entry responsibilities, or with vague or absent narrative descriptions.
• Anomalous vendor relationships — including vendors without verifiable physical addresses, vendors sharing addresses or bank accounts with employees, vendors with unusually rapid payment turnaround, or significant increases in vendor spend without corresponding operational justification.
• Payroll anomalies — including employees with no deductions, employees with unusually high overtime relative to peers, multiple employees sharing bank account details, or employees on the payroll who do not appear in HR records.
• Lifestyle indicators — employees living visibly beyond the means that their compensation would support; unexplained wealth; unusual personal financial relationships with vendors or customers.
• Behavioural indicators — reluctance to take annual leave, resistance to audit access, unusual protectiveness of specific records or systems, changes in behaviour coinciding with control changes or audit cycles.
• Management override indicators — frequent exceptions to established approval authorities, pressure on accounting staff to post entries that do not comply with policy, resistance to implementing audit recommendations in specific areas.

When internal auditors encounter red flags, they must assess their significance, document their observations, and escalate to the CAE — who must in turn determine whether to escalate to the audit committee and whether to engage forensic investigation capability. The escalation of red flags must never be suppressed by management, and audit committees must maintain the direct access to the CAE that enables red flags to reach the governing body without management interference.

The Anti-Fraud Programme: Architecture for Fraud Resilience

Fraud resilience is not achieved through any single control or mechanism. It is the product of a comprehensive anti-fraud programme that operates across three dimensions: prevention — reducing the opportunity and rationalisation for fraud through controls, culture, and governance; detection — identifying fraud that has occurred or is in progress through monitoring, analytics, and whistleblower mechanisms; and response — investigating suspected fraud promptly and thoroughly, recovering losses where possible, and remediating the control weaknesses that enabled the fraud. The table below presents the eight components of a comprehensive anti-fraud programme, with descriptions of each component and ownership assignments.

 

Programme Component	Function	Description	Ownership
Fraud Risk Assessment	Prevention	Annual structured assessment of the organisation’s fraud risk exposure — identifying fraud schemes to which the organisation is most vulnerable, the controls that mitigate each risk, and the residual exposure requiring additional response	Board and senior management; Internal Audit leads or facilitates
Code of Ethics and Conduct	Prevention	Formal statement of the organisation’s ethical standards and conduct expectations — defining acceptable and prohibited behaviour, conflicts of interest, gifts and hospitality policies, and the consequences of violation	Board approves; management implements; all staff acknowledge annually
Whistleblower Programme	Detection	Confidential mechanism through which employees, suppliers, and other stakeholders can report suspected fraud or misconduct without fear of retaliation — typically a hotline, online portal, or dedicated email managed independently of management	Board or audit committee oversight; independent management — not by management subject to reporting
Data Analytics Fraud Monitoring	Detection	Continuous or periodic automated analysis of transaction data to identify anomalies, patterns, and threshold breaches indicative of fraud — covering payroll, procurement, accounts payable, cash management, and revenue recognition	Internal Audit designs and operates; findings escalated to management and audit committee
Segregation of Duties Controls	Prevention	Structural separation of the authorisation, custody, recording, and reconciliation functions in financial processes — ensuring that no individual has end-to-end control over a transaction that could enable fraud without detection	Management designs and operates; Internal Audit tests effectiveness
Pre-Employment Screening	Prevention	Background verification of prospective employees — including criminal record checks, credential verification, reference checks, and financial integrity screening for roles with financial access	Human Resources; management; third-party screening providers
Fraud Awareness Training	Prevention	Regular training for all staff on fraud awareness — recognising fraud indicators, understanding the organisation’s anti-fraud policies, and knowing how to report suspicions through the whistleblower mechanism	HR and Internal Audit; at induction and annually thereafter
Forensic Investigation Capability	Response	Access to qualified forensic investigation expertise — internal or external — that can be rapidly deployed when fraud is suspected; capability to preserve evidence, conduct structured interviews, and produce investigation reports for legal proceedings	Forensic specialists; Internal Audit; Legal; typically co-sourced or outsourced in Caribbean context

 

The Whistleblower Programme: The Most Powerful Detection Tool

The ACFE’s research consistently demonstrates that tips — including those submitted through formal whistleblower mechanisms — are the most frequent initial detection method for occupational fraud, accounting for approximately 43 percent of cases in its global research. In the Caribbean context, this detection advantage is even more significant: formal analytical and control monitoring programmes are less consistently deployed in Caribbean organisations than in larger economies, making tip-based detection relatively more important as a fraud discovery mechanism.

Despite this evidence, many Caribbean organisations either do not have a formal whistleblower programme or have one that is not genuinely accessible, confidential, or effectively communicated to staff and other stakeholders. A whistleblower programme that is managed by a member of the management team being reported upon is not independent. A hotline that requires staff to identify themselves is not confidential. A reporting mechanism that is mentioned once in a staff handbook and never communicated again is not accessible. Building a genuinely effective whistleblower programme requires deliberate design, independent governance, active promotion, and consistent follow-through on reported concerns.

 

THE CRITICAL GOVERNANCE REQUIREMENT FOR WHISTLEBLOWER INDEPENDENCE A whistleblower programme governed by the management team that employees are reporting is not independent — it is a governance fiction. The audit committee must own the oversight of the whistleblower programme, receive all reports directly, and ensure that every allegation is assessed for credibility and investigated appropriately. Any arrangement in which management filters whistleblower reports before they reach the audit committee creates an independence failure that defeats the programme’s primary purpose.

 

The Forensic Investigation Protocol: Eight Phases from Allegation to Resolution

When fraud is suspected, the speed, discipline, and expertise of the initial response are critical determinants of the investigation’s success. Evidence can be destroyed. Suspects can be alerted. Legal privilege can be lost. Recovery opportunities can expire. The following eight-phase investigation protocol provides a structured framework for managing fraud investigations from initial allegation through to remediation and governance reporting — designed for Caribbean organisations where forensic investigation capability must often be sourced externally.

 

Investigation Phase	Timeline	Key Activities	Lead Responsibility
1. Initial Allegation Assessment	Immediate	Evaluate the credibility and specificity of the allegation; determine whether it falls within the organisation’s fraud policy scope; decide whether to escalate to forensic investigation or handle through standard HR or compliance processes	CAE or Audit Committee Chair; Legal counsel if material
2. Notification and Confidentiality	Immediate	Notify audit committee and legal counsel of credible fraud allegations; establish strict confidentiality protocols to prevent tipping off suspected individuals; preserve electronic and physical evidence before access is restricted	CAE; Legal; Audit Committee Chair
3. Evidence Preservation	Within 24–48 hours	Secure access to relevant systems, email accounts, financial records, and physical documents; engage IT to preserve electronic evidence in forensically sound manner; document chain of custody from the outset	IT; Legal; Forensic investigator
4. Investigation Planning	Days 1–3	Define investigation scope and objectives; assemble investigation team (internal and/or external forensic specialists); determine interview sequencing; establish secure communication protocols for investigation team	Forensic investigator; CAE; Legal
5. Forensic Fieldwork	Variable — days to weeks	Data analysis and financial reconstruction; structured interviews of witnesses before subject; document and email review; identification and quantification of losses; tracing of misappropriated assets	Forensic specialists; data analytics team
6. Investigation Report	At conclusion of fieldwork	Formal investigation report documenting findings, evidence, conclusions, and — where fraud is substantiated — the quantum of loss and the identity of responsible parties; written to legal-evidential standard	Forensic lead; reviewed by Legal
7. Remediation and Recovery	Following report	HR action against responsible parties; civil recovery proceedings where appropriate; criminal referral to law enforcement where evidence meets legal threshold; remediation of control weaknesses that enabled the fraud	Legal; HR; Management; Board
8. Audit Committee and Board Reporting	Throughout and at conclusion	Regular confidential updates to audit committee during investigation; full investigation report presented to board at conclusion; governance lessons learned incorporated into anti-fraud programme enhancements	CAE; Forensic lead; Legal

 

The protocol makes clear that forensic investigation is a specialist discipline with legal, evidentiary, and procedural dimensions that go well beyond the standard internal audit skill set. Caribbean organisations that attempt to conduct material fraud investigations using in-house audit staff without forensic training risk compromising evidence, exposing the organisation to legal liability, and producing investigation findings that cannot withstand legal challenge. The engagement of qualified forensic specialists — either as part of a co-sourced IA arrangement that includes forensic capability, or as a standalone forensic engagement when significant fraud is suspected — is not a luxury. It is a governance and legal necessity.

 

DAWGEN GLOBAL FORENSIC & FRAUD INVESTIGATION CAPABILITY Dawgen Global’s Forensic & Fraud Investigations practice provides Caribbean organisations with rapid-response forensic investigation capability — from initial allegation assessment and evidence preservation through structured investigation, financial reconstruction, and legally-evidential investigation reporting. Our CFE-qualified forensic specialists have deep experience in payroll fraud, procurement fraud, financial statement manipulation, AML investigations, and cyber-enabled fraud across the Caribbean financial services, public sector, and commercial enterprise landscape. We also design and implement comprehensive anti-fraud programmes — including fraud risk assessments, whistleblower programme governance, and data analytics fraud monitoring — that build lasting fraud resilience. Contact us at [email protected] to discuss your organisation’s fraud risk management requirements.

Fraud Risk and the Governing Body: Accountability at the Top

Fraud risk is ultimately a board-level governance responsibility. The board and audit committee are accountable to shareholders, depositors, policyholders, and other stakeholders for the integrity of the organisation’s financial position and the trustworthiness of its governance. When fraud occurs — particularly when it involves senior management or when it has been allowed to continue through inadequate controls and oversight — the governing body’s accountability is direct and cannot be delegated.

Effective fraud governance at the board level requires four commitments that the board must make explicitly and maintain consistently. The first is tone at the top: unambiguous communication that fraud and misconduct will not be tolerated, that whistleblowers will be protected, and that the consequences of fraud will be swift and proportionate. Research consistently demonstrates that the ethical tone set by the governing body is one of the most powerful determinants of the fraud culture within an organisation — a board that communicates ethical seriousness in its own conduct and in its governance decisions creates an environment in which fraud is less socially acceptable and less easy to rationalise.

The second is resourcing the anti-fraud programme adequately. A board that approves a budget for internal audit that is insufficient to cover fraud risk areas, that does not fund a whistleblower programme, or that allows data analytics investments to be deferred indefinitely is not fulfilling its fraud governance responsibility. The cost of an adequate anti-fraud programme is a fraction of the potential losses from a single significant fraud event — a cost-benefit calculation that every governing body should make explicitly.

The third is ensuring independent oversight of the internal audit function — as explored throughout this series. An internal audit function that is not genuinely independent cannot provide reliable fraud assurance. Boards that have allowed management to compromise the independence of internal audit have removed one of their most important fraud governance tools.

The fourth is responding decisively when fraud is discovered. Boards that suppress investigation findings, negotiate quiet settlements that allow fraudsters to avoid consequences, or fail to report significant fraud to regulators when legally required to do so are not merely failing their governance responsibilities — they are creating the moral hazard that invites the next fraud. The integrity of the governance response to fraud is as important as the quality of the fraud prevention programme.

Conclusion: Fraud Resilience Is a Governance Achievement

Fraud resilience — the capacity to deter, detect, and respond to fraud effectively — is not an accident. It is the product of deliberate governance investment: in the independence and capability of the internal audit function, in the design and operation of a comprehensive anti-fraud programme, in the cultural commitment to ethical conduct that begins at the board level, and in the forensic response capability that enables decisive action when fraud is discovered.

For Caribbean organisations, the investment case for fraud resilience is compelling on both financial and governance grounds. The average loss per fraud scheme identified in the ACFE’s research runs to hundreds of thousands of dollars — losses that, for many Caribbean enterprises, represent a material proportion of annual revenue. The reputational damage of a high-profile fraud, particularly in financial services or public sector contexts, can be exponentially more costly than the direct financial loss. And the regulatory consequences of fraud that occurs in an environment of inadequate internal controls — including the possibility of regulatory sanctions, licence revocation, or director disqualification — represent governance risks of the highest order.

In Article 12 — the final article in this series — The Future of Internal Audit: Building a World-Class IA Function, we bring together the threads of the entire series into a strategic synthesis: examining the maturity model for internal audit capability, the characteristics of a world-class IA function, the CAE leadership qualities that drive IA excellence, and the practical roadmap for Caribbean organisations committed to building an internal audit function that is genuinely fit for the governance challenges of the coming decade.

 

PROTECT YOUR ORGANISATION FROM FRAUD WITH DAWGEN GLOBAL Dawgen Global’s Forensic & Fraud Investigation practice, combined with our Internal Audit & Assurance team, delivers comprehensive fraud risk management — from anti-fraud programme design and fraud risk assessments to forensic investigations, data analytics-enabled fraud detection, and whistleblower programme governance. We serve Caribbean organisations across 15+ territories with the expertise your fraud risk environment demands. Request a Proposal Today: [email protected] Tel: 876-929-3670  |  876-665-5926  |

 

About Dawgen Global