Fraud Is Moving Up the Organisational Chart

Someone in your organisation is probably stealing from you right now.

Not a junior clerk sneaking petty cash. Someone who knows the systems, knows the controls, and knows exactly how long they can run a scheme before anyone notices. According to the ACFE’s Occupational Fraud 2026: A Report to the Nations, the typical fraud runs for 12 months before it is detected. At the executive level, it runs for 23 months before it is detected.

That number deserves a moment.

Nearly two years. Nearly two full annual audit cycles. Two sets of signed management accounts. Two rounds of board presentations. All while the fraud continues.

The Collusion Problem Nobody Talks About

When most people picture fraud, they picture a lone operator, someone with access, opportunity, and a plan. That picture is out of date.

The ACFE report analysed 2,402 real fraud cases across 143 countries and territories. South Africa contributed 123 of those cases, the largest single-country contribution in Sub-Saharan Africa. What the data shows is that fraud is increasingly a team effort, and that changes everything about how dangerous it is.

Schemes involving three or more perpetrators produced median losses of $324,000. Single-perpetrator fraud produced median losses of $55,000. That is nearly six times more damage, for the same duration.

In Sub-Saharan Africa, 65% of reported fraud cases involved collusion. That is one of the two highest rates of any region in the world. When fraud is a coordinated act, the usual safeguards collapse. Segregation of duties fails when two people who are supposed to check each other are in on it together. Approvals become rubber stamps. Controls that look healthy on paper are being actively worked around by the people responsible for them.

Corruption was the dominant fraud type in the region, appearing in 56% of Sub-Saharan African cases. In procurement, in finance, in government contracting, across the sectors where South Africa’s largest organisations operate every day.

The People You Trust the Most

Here is the part that should keep you awake.

Fraudsters at the owner and executive level caused median losses of $475,000 per case. Their schemes ran for a median of 23 months. Board-level perpetrators produced median losses of $316,000. These are not rogue employees exploiting a loophole. These are people with authority, access, and the organisational credibility to avoid scrutiny.

The ACFE data also found that for executive-level fraud, “poor tone at the top” was listed as the third most common contributing factor. Not a systems failure. Not an oversight gap. A cultural one.

And when executives are caught? They are terminated in only 52% of cases. Compare that to 75% for staff-level perpetrators. The higher up the perpetrator sits, the less likely the organisation is to take formal action.

The Audit You Are Relying On Is Not Doing What You Think

Eighty-three percent of the victim organisations in this study had external audits in place at the time the fraud occurred. That did not stop the fraud. External audits detected just 2% of cases.

Read that again. Two percent.

Annual financial statement audits are a compliance mechanism. They are not designed to find determined, coordinated fraud. They sample, they verify, they sign off. A well-run scheme that has been operating for 18 months, involving someone in finance and someone in procurement who have agreed on a story, will not be caught by an external audit. It will sail straight through.

The detection methods that actually work are proactive: management review, surprise audits, data monitoring, and tips. Tips alone accounted for 43% of detected frauds in the global study. Yet fewer than half of the organisations studied had proactive data monitoring in place at all.

Think about what that means for governance. Most boards are reviewing a compliance report that confirms the right boxes are ticked, while the controls that would actually catch fraud are absent.

Digital Concealment Is Now Standard Practice

Modern fraudsters do not just steal. They cover their tracks, and they are getting better at it.

In 89% of the cases studied, fraudsters actively used concealment methods. Twenty-eight percent involved creating or altering electronic documents or files. Nineteen percent involved creating fraudulent transactions directly in the accounting system. Fourteen percent involved altering those transactions after the fact.

The fraud is not happening in the gaps between systems. It is happening inside the systems, committed by people who know them well enough to manipulate them without triggering alerts.

South Africa has seen this pattern play out at scale. Transnet. Eskom. VBS Mutual Bank. Steinhoff. These were not amateur operations. They were sophisticated, sustained, and concealed using exactly the kinds of methods the ACFE data describes: manipulated records, falsified documents, accounting entries designed to look legitimate.

Those cases did not surface because of annual audits. They surfaced through whistleblowers, forensic investigations, and in some cases, complete institutional collapse.

What Actually Reduces the Damage

The ACFE data is clear on what works. Organisations with proactive data monitoring and analysis in place experienced 53% lower fraud losses and detected fraud 44% faster. Management review produced similar results. Surprise audits cut losses in half.

None of these are exotic. But they require intent. They require an organisation that is not just compliant, but genuinely trying to find out what is actually happening inside itself.

More than half of all fraud in the study occurred because of a lack of internal controls or an override of existing ones. That is not bad luck. That is a governance failure, and it sits at the door of boards and audit committees.

The Question Worth Asking

South Africa operates in a high-collusion, high-corruption environment. The organisations most exposed are large, complex, and run by people with significant trust and authority. The controls most relied upon are the ones least likely to catch the kind of fraud that is actually occurring.

The honest question for every CEO, CFO, and board member is this: if a coordinated fraud has been running inside your organisation for the past 12 months, would your current controls have found it?

If you cannot answer that with certainty, the gap between your compliance posture and your actual forensic readiness deserves serious attention.