top of page

Applying ICAM to a Fraud Case: A Practical Example

  • Luke Dam
  • 13 hours ago
  • 5 min read

Imagine a scenario: A procurement officer authorises fake invoices from a shell company they control. The fraud goes unnoticed for two years, costing the company millions.


Traditional investigation might stop at:


  • “Employee acted dishonestly.”

  • “Control breach in procurement system.”


But an ICAM investigation would dig deeper:


1. Event

Fraudulent invoices paid to a non-existent supplier.


2. Immediate Cause

Individual authorised payments without verification.


3. Absent/Failed Defences


  • No secondary approval required for amounts under $50,000

  • No periodic supplier validation

  • Weak segregation of duties (same person could create and approve supplier entries)


4. Task/Environmental Conditions


  • High workload in finance team

  • Pressure to clear invoices quickly to maintain supplier relations

  • Limited use of analytics for anomaly detection


5. Individual/Team Actions


  • Normalisation of shortcuts (“We always fast-track end-of-quarter payments”)

  • Rationalisation: “I deserve compensation for being underpaid”


6. Organisational Factors


  • Culture emphasised speed over compliance

  • Lack of fraud awareness training

  • KPIs rewarded throughput, not accuracy

  • Weak internal audit presence


7. Latent Conditions


  • Governance gaps allowed one individual too much unchecked control

  • Absence of continuous improvement in financial controls

  • Failure to act on previous audit recommendations


An ICAM-based analysis shifts focus from the person to the system, highlighting how organisational design created the conditions for fraud.


Can ICAM Prevent Fraud?

Yes, through proactive application.


ICAM isn’t just for post-incident analysis. It can be used in risk reviews, audits, and process design to spot vulnerabilities before they’re exploited.


Here’s how:

1. ICAM Proactive Reviews

Conduct ICAM-style workshops around key processes (procurement, payroll, sales) to identify potential absent/failed defences and organisational factors. Ask:


  • Where could controls fail silently?

  • What pressures might push people to cut corners?

  • Are KPIs or incentives aligned with ethical behaviour?


2. Learning from “Near Misses”

A detected but incomplete fraud attempt is a learning opportunity, not a victory. Apply ICAM to understand why it almost succeeded.


3. Using ICAM for Control Design

When implementing new systems or processes, use ICAM categories as a checklist:


  • Are defences layered and independent?

  • Are tasks designed to minimise human error and temptation?

  • Does the culture support reporting and challenge?


4. ICAM in Governance Reviews

Integrate ICAM thinking into board-level reviews:


  • What latent conditions exist in finance, HR, or procurement?

  • Are incompatible goals driving risky behaviour?

  • Are lessons from past breaches truly embedded?



By adopting ICAM, organisations move from punishment to prevention, recognising that good people can make bad decisions in bad systems.


Common Organisational Factors in Fraud Cases

Based on global experience, ICAM often reveals recurring Organisational Factor Types (OFTs) in fraud investigations:


1. Incompatible Goals

Targets that prioritise short-term gains over compliance. Example: “Close all sales by quarter-end, no exceptions.”


2. Communication Failures

Poor awareness of fraud risks or reporting channels. Example: Staff unaware of whistleblower hotline.


3. Leadership and Culture

Tolerance for “creative accounting” or ethical grey zones. Example: Leaders turning a blind eye to aggressive practices.


4. Resource Constraints

Understaffed audit or compliance teams. Example: No capacity to review all transactions.


5. Training and Competence

Lack of fraud awareness and control understanding. Example: Approvers unaware of red flags.


6. Governance and Oversight

Weak board engagement with risk management. Example: Audit committee rarely meets or reviews findings.

These are latent conditions- they don’t cause fraud directly, but they make it inevitable.


Integrating ICAM into a Fraud Management Framework

To use ICAM effectively in fraud prevention, organisations should embed it into their existing frameworks:


1. Enterprise Risk Management (ERM)

Include ICAM as a tool for identifying latent conditions across all risk categories- not just safety.


2. Internal Audit

Train auditors in ICAM principles to expand from compliance checking to system-level learning.


3. Ethics and Compliance Programs

Use ICAM insights to strengthen training, communications, and culture initiatives.


4. Incident Reporting Systems

Encourage employees to report near misses, ethical concerns, or suspicious behaviour- and investigate using ICAM.


5. Governance Reviews

Apply ICAM findings to inform board-level decisions about structure, accountability, and strategy.


The Cultural Shift: From Blame to Learning

Preventing fraud isn’t just about stronger controls- it’s about psychological safety. Employees must feel safe to raise concerns, admit errors, and challenge unethical practices. ICAM’s Just Culture foundation supports this.

In a blame culture:


  • Fraudsters hide actions.

  • Whistleblowers stay silent.

  • Lessons go unlearned.


In a learning culture:


  • Red flags are discussed early.

  • Errors are treated as data.

  • Leadership models ethical behaviour.


ICAM builds this learning culture by showing that individual actions are shaped by system design.


Case Study: Applying ICAM to Financial Misreporting

Consider a real-world style example:


Situation

A business unit inflated revenue figures to meet investor expectations. No direct theft occurred, but the misreporting led to regulatory penalties and reputational damage.


ICAM Findings:


  • Absent Defence: No independent review of forecasts

  • Task Condition: Aggressive deadlines for board reporting

  • Individual Action: Adjustment of numbers to “smooth” results

  • Organisational Factor: CEO rewarded solely on profit growth

  • Latent Condition: Culture equating success with short-term financial performance


Outcome

By reframing the issue as a systemic failure, leadership restructured incentives, improved governance, and introduced ethics coaching. Fraudulent reporting ceased.


Challenges and Limitations

While ICAM is powerful, it’s not a silver bullet for fraud prevention. Challenges include:


  1. Complex Intent – Fraud often involves deliberate deception, not error. ICAM must adapt to explore motivation and ethical reasoning.

  2. Data Sensitivity – Fraud cases may involve confidential or legal proceedings; ICAM facilitators need clearance and training.

  3. Leadership Resistance – Organisations may prefer “bad apple” narratives over systemic reform.

  4. Integration with Legal Processes – ICAM’s learning focus must be balanced with evidence requirements for prosecution.


However, these challenges don’t diminish ICAM’s value- they highlight the need for multidisciplinary collaboration (investigators, auditors, HR, legal).


The Future: ICAM as a Cross-Disciplinary Tool

As workplaces evolve, ICAM’s scope is expanding. Modern investigations apply ICAM to:


  • IT breaches (organisational factors behind cyber incidents)

  • Quality failures (latent conditions in supply chains)

  • Ethical lapses (culture-driven misconduct)


Fraud fits this pattern perfectly. It’s not just a financial issue- it’s a failure of systems, culture, and leadership.

Forward-thinking organisations are already using ICAM to:


  • Review incentive schemes for unintended consequences

  • Audit segregation of duties for latent weaknesses

  • Analyse decision-making frameworks for bias

  • Improve reporting cultures through Just Culture initiatives


ICAM’s adaptability makes it a future-proof methodology for all forms of organisational failure.


Conclusion: Yes, ICAM Can Prevent Fraud

Fraud prevention isn’t about locking everything down. It’s about understanding why breaches happen and designing better systems.


ICAM provides the structured, blame-free approach needed to uncover:


  • Weak defences

  • Cultural enablers

  • Organisational blind spots


By applying ICAM thinking to fraud risk management, organisations can:


  • Detect vulnerabilities before they’re exploited

  • Build cultures that discourage rationalisation

  • Create systems that make fraud harder, and integrity easier


Fraud, like any incident, is a symptom- not a cause. ICAM helps you treat the disease, not just the symptom.


Key Takeaways


  • ICAM is not just for safety- it’s a universal method for understanding systemic causes.

  • Fraud often arises from incompatible goalsweak defences, and cultural pressures, all core ICAM elements.

  • Proactive ICAM reviews can identify and mitigate fraud risks early.

  • Combining ICAM with traditional fraud frameworks creates a powerful prevention model.

  • The ultimate goal is a learning organisation where transparency, ethics, and resilience thrive.




 
 
 

Comments

bottom of page