The Association of Certified Fraud Examiners recently released its 14th Report to the Nations. As they have for nearly three decades, CFEs responding to the survey estimated that organizations lose 5 percent of their revenue to fraud.
Applied to the Gross World Product, that’s nearly $5.5 trillion—more than the GDP of every country but the U.S. and China.
No one really knows how much organizations lose to fraud, but the evidence suggests it is a significant problem. Yet many don’t give fraud the attention it deserves. Business owners and executives are certainly aware of the threat, but far too many don’t seem to believe it will happen to them and, as a result, don’t take steps to protect themselves.
I’ve puzzled over this dissonance for a while, and I have a theory that may help explain it. I call it “The Trust Trap.”
Human society evolved and advanced over millennia through cooperation and trust. Making a meal out of a woolly mammoth took more than one person with courage and a spear; it took lots of people with courage and spears, and those who participated in the hunt had to trust that they would share the meal. By using our great big human brains and working together with individuals outside our genetic families, we gained an advantage over other species that are stronger, faster and have better senses of sight, hearing and smell. Our capacity to think, reason and cooperate took us to the top of the food chain.
Cooperation demands trust; it is a critical component of our social fabric and essential to our survival. Trust is part of human physiology. Our bodies produce a hormone called oxytocin that makes us desire it; we literally can’t help ourselves. Oddly enough, one of our greatest strengths as a species is also a vulnerability. People who want to steal from us use our natural inclination to trust as a tool to harm us. The first task of every fraudster is to gain our confidence; it’s why we call them “con artists.” We’re inclined to give it to them because of the way we’re built. Remember: In the absence of trust, there can be no fraud.
We can’t rely on trust to protect us from fraud; that’s what the “bad guys” are using to steal from us. We also can’t change human nature. But being aware of our vulnerabilities allows us to compensate. We can do that with internal controls, our most powerful tool in the fight against fraud.
The first step in creating an effective system of internal controls is to raise awareness. Sadly, if you want to see an executive tune out quickly, try scheduling a meeting to discuss internal controls. People who aren’t like us tend to think internal controls are boring. To engage them, we’ve got to shake them up and get them out of their comfort zone. I’ve found storytelling to be a highly effective tool as it’s an essential part of human learning. Our history was passed down from one generation to the next by telling stories. People relate to stories; they connect them to personal experience. In the case of fraud, storytelling can establish a link between risk and what they care about: their money and their reputation.
Over the years, I’ve used magic and storytelling to connect with people about fraud risk in ways that turn listeners into clients and skeptics into believers. I’ve been telling a favorite payroll fraud story for 25 years; it’s sold more forensic work for me than anything I’ve ever done. If you haven’t tried storytelling, please do.
Internal controls aren’t magic, but when done properly, they can seem that way.
In 1985, the Treadway Commission (now COSO) defined five basic components of internal control:
Control environment, or “tone at the top”: This is the foundation for everything else. If management isn’t committed to doing the right thing, nothing else works.
Risk assessment: Since you can’t control what you don’t understand, it’s important to conduct an effective assessment. Fraud risk is scenario-driven, so it’s important to understand which scenarios apply to your organization. The scenarios haven’t changed over the course of my career, but the methods used to perpetrate them have changed dramatically, and the velocity is staggering.
Control activities: Developed to mitigate unacceptable risks. When it comes to fraud, two critical controls are worth your attention: segregation of duties and meaningful approvals. I’ve seen breakdowns in one or both in every asset misappropriation I’ve ever examined.
Continuous monitoring and communication: These are essential—up, down and across the organization—as every business changes every day, and all internal control systems break down over time. Indeed, artificial intelligence is having a tremendous impact.
Of course, knowing what to do and being able to do it aren’t always the same thing, and this is one of the biggest challenges for anti-fraud professionals.
In 2023, KPMG asked audit committees what they wanted from internal auditors. More than 60 percent of respondents said they wanted help seeing the big picture, and half said they wanted a greater focus on critical enterprise risk and assessing the culture.
Their responses suggest that a significant percentage of them don’t think they’re getting it. But it’s difficult to reconcile those sentiments with data from other sources.
For example, in 2022, the Association of Certified Chartered Accountants, the Institute of Internal Auditors and the Institute of Management Accountants asked their members about the challenges they faced in implementing effective controls. Half of the 2,000 respondents said they lacked skilled staff, 32 percent said they lacked executive support and 41 percent said technological challenges compromised internal controls.
Even more disturbing was a survey conducted by the IIA Research Foundation in 2015. Responses from 500 Chief Audit Executives revealed that 58 percent had been directed to omit or modify an important finding, 49 percent had been directed not to perform audit work in high-risk areas and 31 percent had been directed to perform low-risk audits to investigate or retaliate against individuals.
These results suggest a cultural problem. A quote often misattributed to Peter Drucker says: “Culture eats strategy for breakfast.” The control environment is culture, and when it comes to fighting fraud, it eats everything else. We have our work cut out for us.
John Tonsick, CPA, CFE is a forensic accountant, former Fortune 50 executive, magician and public speaker. You can reach him at john@tonsick.com.

