Fraud

How Do Businesses Better Protect Themselves Against Frauds? (Published: March 29, 2022)

This is my first article on LinkedIn. As a newbie, I pondered on what concerns me now and what would also interest and help readers. As everyone has limited time, I have tried to make this first article more concise. In that process, I had to leave out a lot of details. Maybe these details (and other personal experiences related to fraud work) can be left for another time and article if there is enough interest...

Are We at Greater Risk of Frauds Now?

I believe that we are currently experiencing all the factors that increase businesses' exposure to the risk of fraud.

What is Fraud?

Fraud refers to the deliberate practice of deception to receive unfair, unjustified or unlawful gain. It can range from theft of cash from the till, pilferages from the shelves or stores, embezzlement, to misuse of company resources like fuel cards.

The Fraud Diamond Theory

The Fraud Diamond Theory indicates that anyone who has the combination of sufficient Motivation/Pressure, an ability to Rationalize a dishonest act, adequate Opportunity, and the Capability is at risk of committing fraud.

Motivation

With rising inflation and economic and job uncertainties, staff are pressured to make ends meet and to pay their rents/mortgages and daily bills. Salary freezes, inability to cope with the soaring cost of living and even the fear and uncertainty of losing jobs provide the Motivation element.

Rationalize

Work pressures and demands to maintain and even improve operating performance and results with lean staffing can lead to staff feeling unheard, unappreciated and disgruntled. Such feelings and attitudes can result in staff developing a sense of self-entitlement and feeling justified in taking care of themselves instead. This fulfils the Rationalize element. Examples of rationalizations of fraudulent behaviour include: “I am only temporarily borrowing the money and will return it”, “I am entitled to the money because my employer is doing alright and I haven’t been given a raise”, “I have no choice as I need to provide for my family”.

Opportunity

The current economic climate’s impact on business bottom-lines results in staffing levels that are often lean. Procedures are also changed to fit the leaner, current operating environment. These changes affect the system of internal controls laid down previously. If these changes are not carefully planned and carried out, key controls, checks and balances can be easily and inadvertently compromised. A common result is a breakdown in the separation of duties for asset handling, checking and authorizations. This lack of segregation and concentration of functions with certain individuals provides the Opportunity element.

Capability

In a lean working environment with staff turnover and absences arising from health reasons, functions are distributed among fewer staff. This can lead to a compromise in checks and balances as power and authority are concentrated and dependencies placed on key individuals. If these individuals lack moral fortitude, are creative and experienced enough with a good grasp of controls and vulnerabilities, these provide the final Capability element.

How Do Businesses Better Protect Themselves Against Frauds?

There is no single “magic bullet” for preventing frauds. The following will go a long way to reducing the risk of fraud:

a) Strong tone from the top with zero fraud tolerance, supported by adequate policies on fraud and on the reporting and management of frauds, and clear messaging on the potential consequences and punishment that follow from fraud.

b) Fraud awareness training for staff highlighting this tone from the top and the potential “red flags” and indicators of frauds.

c) Robust system of internal controls with adequate checks and balances.

Key Takeaways

Finally, the key points to remember:

· Be Diligent. This means showing care and conscientiousness in performing work and duties, whether they are in checking, approving or handling of assets. Procedures, work processes and their controls are established for good reasons and should be carried out as laid down.

· Be Vigilant. This means being alert, giving careful attention to work and duties, a particular problem or situation and concentrating on noticing any danger or trouble that there might be.

· Be Inquisitive. This means having the curiosity to question if one comes across situations that are out of the ordinary. These situations can be altered documents, suspicious transactions or activities. If in doubt, always follow the organization’s policies on fraud and seek help and advice.

What do you think? Do my thoughts resonate with you? Comment, Like and Share.


Should Internal Auditors Investigate Frauds? (Published: April 7, 2022)

Many articles have expounded on this topic over the years. The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing – Attribute Standard 1210 clearly states that internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The Standard goes on to state that internal auditors must have sufficient knowledge to evaluate the risk of fraud and the way it is managed by the organization but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. So, if the guidance is clear, is there still an issue?

This article highlights my personal experiences and insights from dealing with frauds over the years. In my experience, organizations will typically have a Fraud Policy that lays out the procedures and escalation steps when a potential fraud situation arises. If the organization’s fraud reporting processes are operating, the Chief Audit Executive (CAE) should be the first person receiving any potential fraud alerts. The CAE needs to carry out some discreet preliminary fact-finding to answer the following questions: “Is this likely to be a fraud?” If so, the next question should be, “Is this likely to be a big fraud?” Why do you need to guesstimate whether it is going to be a “big” fraud? It is important for the CAE to be able to make judgement calls and to advise the CEO (and any other relevant parties) so that a more informed decision can be made on the next course of action. The scale of the potential fraud affects the amount and type of resources required for the response. To illustrate, I was once provided with a suspicious invoice that looked fine but, on closer examination, had been very professionally altered with an unauthorised bank account number. After carefully examining the altered invoice and the amount involved, and scanning the current operating environment surrounding the potential fraud area (in relation to the Fraud Diamond Theory), I was able to make a call that it did not look to be an isolated fraud attempt and it would probably be a “big” fraud. With that preliminary assessment I was able to advise the CEO, who could better decide on the next course of action.

At this point, things can get a bit tricky. I have encountered situations where the natural response is for the CAE to be directed to proceed with investigating the matter further. The assumption is that the CAE and the internal audit team have the expertise to carry out the task. The CAE must be clear on what is involved in proceeding with the investigation. As a former Certified Fraud Examiner, I have carried out fraud investigations by myself. While I am reasonably clear and confident to carry out an investigation, a big and complex investigation will require resources, likely involve many man-hours of investigative work and, if the fraud case goes to court, take years to conclude. Do the other internal auditors also have the required skillsets to carry out and assist with the fraud investigation work? A simple mistake, even from well-intentioned internal auditors, can inadvertently damage the chances of a successful fraud investigation and jeopardise a court conviction. The CAE must be honest and realistic on what can be achieved alone and collectively by the internal audit team. If the internal auditors do not meet Attribute 1210, it is prudent for external specialist help to be summoned.

In my experience, the following are some of the areas (certainly not exhaustive) to look out for in a fraud investigation:

1) Be extra careful when carrying out preliminary fact-finding. This is critical as you do not want to alert the fraudster(s). At this early stage it is normal for the CAE, or the person with the required experience, to undertake the work to keep the matter confidential. It is best to keep information and communication on a “need-to-know” basis. Any leak that an investigation is being carried out could result in the perpetrator destroying important evidence, alerting other collaborators, or even leaving the organisation.

2) Before the investigation formally begins, inform Legal and HR. Staff have rights and HR input is essential if termination or other disciplinary actions result from the investigation. Legal needs to be involved in matters of dealing with regulators, lawyers, law enforcement and even insurers to reclaim part of the losses suffered.

3) During the investigation, check and cross-check information for accuracy, as the actions and consequences from a fraud investigation impact the alleged perpetrator, fellow colleagues, management, and the whole organization. Findings and judgements must be based on clear evidence, not hearsay.

4) Be extra careful when gathering evidence to ensure its integrity and admissibility as evidence in court. A lot of evidence these days is not in hard copy but in digital format. Computer forensic experts are better equipped to secure computer files and data, as important information may be tainted by seemingly innocent actions, like switching a computer on and off.

5) Be aware that once the alleged perpetrator resigns or is no longer an employee of the organization, access to interview the person to gather information will be very much restricted. The alleged perpetrator may appoint an employment lawyer and refuse to cooperate with attending interviews or disclosing information. If that is the case, reliance will need to be placed more on other evidence gathered during the investigation.

6) Properly and thoroughly document the investigation work carried out. This includes documenting and securing all supporting evidence to ensure none are tampered with or lost. A complete case file will need to be built up and reports written for the CEO and for handing over to the relevant authorities later.

7) If fraud is confirmed, ensure that the relevant parties are informed. These may include the Board Chairman, Audit Committee Chair, the Head of Communications, and the external auditors.

8) Where an investigation identifies serious misconduct, the offender should be managed in accordance with the organization’s disciplinary process protocol. It is important for an organization to have a strong zero fraud tolerance policy to ensure the appropriate messaging for staff as well as the public. Action is likely to include instant dismissal and onward referral to the Police or, in New Zealand (depending on the nature and amount of the fraud), to the Serious Fraud Office (SFO) for prosecution. Recovery of the losses should be sought wherever possible.

9) After the alleged perpetrator has been removed, it is essential that internal audit carry out a detailed review to identify the weaknesses in internal controls and recommend improvements to prevent such occurrences elsewhere in the organisation and in the future.

10) Supplement the lessons learnt with fraud awareness training to educate and reinforce the appropriate messaging from management and the Board.

These are just a few of my thoughts based on personal experiences dealing with frauds. You may have similar or different insights to share. Happy to receive feedback and comments so we can all learn together.