Close the “threat loop”

Insights from the KPMG 2022 Fraud Outlook

Matthew McFillin

Partner, Forensic Services, KPMG US

+1 267-256-2647

Marc Miller

Partner, Risk & Compliance Leader, KPMG US

+1 212-872-6916

Companies in North America and Latin America are under attack, and the strikes are increasing in size, scope, and severity. Threat levels are rising in all industries, regardless of company size. These key findings are included in A triple threat across the Americas, the KPMG Fraud Outlook for 2022.

Our survey suggests that fraud, cyber breaches, and non-compliance are tightly interconnected. Each threat affects the others in what we call the “threat loop.” These threats and the damage they inflict have become the costly norm. Many companies have limited defenses in place, and the shift to remote and hybrid work during the pandemic is making existing controls less effective.

We believe that compliance officers can help address these threats by serving as trusted advisors to their companies. Backed by improved data aggregation and analysis, compliance officers can work with stakeholders to identify key risk areas and design controls for effective threat mitigation.

From the study: A flock of fraudsters

A key revelation of this year’s study is the growing range, diversity, and effectiveness of today’s fraudsters. They include:

  • Organized criminals
  • Hacker groups
  • Nation-state attackers
  • Unmonitored suppliers
  • Rogue employees
  • Corrupt officials

Even customers and clients can present serious threats, such as data theft and corporate espionage involving trade secrets and intellectual property.

Which of the following types of individuals are known to have been involved in fraud or misconduct (either alone or in collusion) at your company during the past 12 months?


With digital transformation, these threats are becoming more sophisticated every day. Traditional threats like phishing emails and malware are supplemented by new threats such as “form jacking” to gather payment information and data theft from sensor devices connected to a company’s Internet of Things network.

First reactive, then proactive

Faced with a dangerous and rapidly evolving threat environment, compliance officers naturally want to mitigate threats before their company suffers actual damage. Commonly, this involves a top-down program and a proven set of rules developed by the compliance team and applied across the enterprise.

However, we live in uncommon times. A global pandemic, remote working, increased regulatory presence, and a stream of newly developed digital threats mean that compliance leaders first need to understand the threats. Their type, magnitude, location, and potential weaknesses might go undetected by standard compliance audits.

A bottom-up approach based on a more granular and accurate assessment of threats can often be more effective than a top-down, check-the-box mentality. Conducting a comprehensive risk review that includes fraud and misconduct, compliance, and cyber security across the enterprise can inform where controls are needed. While reacting to current attacks, companies should thoroughly aggregate and analyze data to identify new and potential threats. Establishing a program that enables employees to detect and report threats is important. Armed with this knowledge, companies can then establish threat-mitigation strategies that are better targeted and more proactive in design.

Much of this knowledge is highly technical. Compliance teams are usually composed of CPAs, former law enforcement officers, and lawyers. In today’s increasingly digitized business world, the team should also include data scientists, data miners, and other technology experts who can use AI-based analysis to aggregate company information, identify suspicious patterns, and pinpoint fraud and covert attacks.

Who can be trusted?

A compliance leader needs to have financial acumen, the capacity to handle large amounts of data, and the ability to empathize with employees across the organization — all while maintaining a healthy skepticism about potential fraud or statements of compliance by suppliers and outside business associates.

Today’s compliance leader has the opportunity to expand and strengthen these roles by serving as a trusted advisor to the company. This begins with the understanding that threat mitigation is a two-way street, not just a set of rules, procedures, and technology.

Instead, compliance leaders can work with managers, employees, and other parties to develop a culture that encourages ethical conduct and a commitment to compliance.

Consider the following actions in the role of a trusted advisor:

  • Develop an open dialog with executives, managers, and staff members. Work to understand threat mitigation from their point of view.
  • Seek a middle ground that balances threat-mitigation requirements with a realistic understanding of business operations and how people do their jobs.
  • Approach threat mitigation in positive terms, emphasizing that strong defenses can support the growth, profitability, and well-being of the company as a whole.
  • Make ethical principles, integrity, and behavior part of employee performance evaluations, and provide incentives or rewards for achieving ethics-related objectives.
  • Continue to improve technical capabilities in aggregating and analyzing company data to help identify and mitigate threats.
  • Work with all stakeholders to develop long-term plans for compliance that are in alignment with the business strategies of the company.

Executives expect a continued increase in risk across the three threats. Companies can help mitigate these risks with a tightly integrated yet flexible approach involving stakeholders at every level of the enterprise.

About the Research

  • More than half of respondents are board members, members of the C-suite, or department heads
  • Respondents are evenly divided across seven major industries:
    • Industrial manufacturing
    • Consumer products and retail
    • Energy and natural resources
    • Financial services
    • Insurance
    • Life sciences and pharmaceutical
    • Telecoms, media and entertainment and technology

Based on a survey of 640 executives

Respondents represent companies across a range of sizes

KPMG LLP does not provide legal services.