The Association of Certified Fraud Examiners released Occupational Fraud 2026: A Report to the Nations this month. It analyzes 2,402 occupational fraud cases across 143 countries, investigated between January 2024 and September 2025.
For internal audit and risk professionals, this is the most current global benchmark on fraud frequency, scheme distribution, perpetrator profile, and detection performance. It's the dataset we should all be calibrating our fraud risk assessments against.
We read the report the way we all read a risk assessment: pattern, signal, and gap.
The 2026 edition surfaces five patterns that should reset how we operate this year - whether you're running internal audit, managing enterprise risk, or sitting on an audit committee.
In 1996, staff-level employees committed 58% of frauds, managers 30%, and owners or executives 12%.
In 2026, staff and managers each commit 41%, and owners or executives commit 16%.
Operator read: Fraud risk has moved up the org chart. Tone-at-the-top is no longer a soft control we mention in committee presentations. It's the highest-velocity risk vector in the system.
What we should do: Re-weight management override in our fraud risk assessments. Stress-test segregation of duties at the executive level. Confirm that journal entry testing, related-party transaction reviews, and override controls are scoped to capture executive-initiated transactions, not just employee-initiated ones.
If our fraud risk registers still treat management override as a low-likelihood control failure, they're out of date.
Schemes committed by employees with more than 10 years of tenure produced the highest median losses: $200,000. But the majority of occupational fraud is still committed by employees with fewer than five years of tenure.
Operator read: Short tenure drives frequency. Long tenure drives severity. We need both lenses in our fraud risk assessments, not one.
What we should do: Build two segmentation views into fraud monitoring. One for new-hire frequency risk (onboarding controls, access provisioning, expense oversight). One for long-tenure severity risk (privileged access reviews, vendor master controls, override exposure).
We can't monitor for both with the same control design.
Corruption schemes have risen from 10% of cases in 1996 to 45% in 2026. Asset misappropriation still leads frequency. Corruption leads scaled damage.
Operator read: Third-party risk management, conflicts of interest, gifts and entertainment, and procurement integrity controls now sit on the front line of the fraud risk operating model. If those topics aren't on our 2026 audit plans, we're auditing yesterday's threat model.
Research shows that 79% of anti-corruption settlements involve third parties. Agents and intermediaries authorized to represent companies pose the highest corruption risk.
What we should do: Add a dedicated corruption risk lens to annual fraud risk assessments. Map it to ABAC and FCPA exposure, third-party due diligence depth, procurement segregation, and senior leader gift policies.
Test, don't assume.
43% of frauds were detected by tip. More than half of those tips came from employees. No other detection method comes close. Internal audit detected just 15% of cases.
Operator read: The whistleblower hotline is a control. Not a checkbox. Not an HR function. A control. We should test it like one.
Organizations with formal reporting mechanisms experienced median fraud losses of $100,000, detected in 11 months. Those without suffered median losses of $150,000 that took 17 months to detect. That's a 50% higher loss.
Every month that fraud continues undetected costs approximately $9,400 on average.
What we should do: Run a structured hotline control test. Test intake channels for accessibility and anonymity. Test routing and triage timelines. Test case management discipline. Test retaliation monitoring.
If we can't produce evidence of these tests for the audit committee, we don't have a tested control.
The 2026 median time to detection is 12 months. The 2024 median was 12 months. The 2022 median was 12 months.
Operator read: The continuous auditing platforms, data analytics investments, and monitoring tools deployed across the profession over the last decade have not moved the global median. Despite every vendor pitch about AI-powered fraud detection we've all sat through, the benchmark says we're not detecting fast enough.
What we should do: Stop reporting on tool deployment as a fraud risk metric. Start reporting on days-to-detection by scheme type. Pick one high-velocity scheme. Build a continuous monitoring pilot against it. Measure detection time as a KPI and report it to the audit committee quarterly.
We've all been tracking tool deployment. What we should be tracking is detection time.
Three priorities for the 2026 plan:
Refresh the fraud risk assessment. Re-weight against the 2026 scheme distribution. Increase scrutiny of management override and corruption.
Test the hotline as a control. Run intake test cases. Measure routing, escalation, and closure. Document the test.
Build a proactive detection pilot. Pick one scheme. Deploy continuous monitoring. Measure days to detection. Report it.
Two priorities for the 2026 risk dashboard:
Add velocity to the dashboard. Median loss per month by scheme type is in the report. Use it to inform insurance limits, board reporting, and recovery planning.
Quantify management override exposure. The shift toward owner and executive perpetration changes risk weighting. If management override still reads as a low-likelihood control failure in our fraud risk registers, they're out of date.
Two questions to ask in your next meeting:
What is our median time to detection on our last five fraud or anomaly investigations?
How are we testing the integrity of our whistleblower hotline as a control?
If neither question has a structured answer, there's a gap in oversight of the fraud risk operating model.
The 2026 Report tells a consistent story. Loss severity is rising. Detection time is stuck. The perpetrator population is shifting toward roles with more access and more authority.
Tone-at-the-top is the highest-velocity control in our systems.
This is not a year for incremental change. It's a year to rebuild fraud risk assessments, stress-test detection mechanisms, and demand evidence that proactive monitoring is producing measurable improvements in detection time.
If our fraud risk programs look identical to what we ran in 2024, the data says they're underperforming.
Pull the 2026 ACFE figures into our next fraud risk assessment refresh. Recalibrate scheme distribution, perpetrator profile assumptions, and detection method effectiveness.
Schedule a structured hotline control test for the next quarter. Treat it like any other control test. Document intake, routing, escalation, and closure discipline.
Pick one proactive detection use case. Assign it an owner, a KPI, and a reporting cadence. Measure days-to-detection and report it to the audit committee.
The benchmark is clear. The question is whether our fraud risk programs are keeping pace.
About Cherry Hill Advisory: Cherry Hill Advisory is a global practitioner-built internal audit and risk advisory firm, led by former CAEs and Big Four alumni, delivering co-sourced internal audit, fraud risk management, ERM, SOX compliance, cybersecurity, and AI governance. To discuss how to apply the 2026 ACFE findings to your fraud risk program, visit cherryhilladvisory.com.