Liz Taylor summarises some of the areas surrounding the detection and the prevention of fraud.
Fraud can come from both external and internal sources; each produces its own array of threats. Differing strategies are used to combat it, depending on which threat is most likely or potentially most damaging.
To determine an overall strategy, a business impact analysis should be conducted which focuses on the threat and possible magnitude. This could be a simple and somewhat superficial overview, or a detailed and far-reaching analysis.
Having determined the most vulnerable areas, the strategy should address the primary threats first. Many cases of internal fraud are perpetrated over many years and go undetected, or are dealt with quietly by local management. It is said that only 5% of internal frauds become public knowledge, and fraud experts boldly state that every organisation suffers internal fraud every day.
There are two ways to tackle fraud: a) pinpoint a perpetrator and deal with that individual, or b) build an overall culture in which fraud becomes unacceptable throughout the organisation. The former takes much effort and can miss the underlying cause or the main perpetrators. It can also leave many people within the organisation feeling threatened and vulnerable, unless it is accompanied by the latter approach. The latter approach takes a great deal of time and effort, but is usually more successful overall in delivering best value and winning the support of internal staff.
It has a long term beneficial effect on the health of the organisation, if conducted properly and persistently revisited.
The police should always be involved if an individual is found to be involved in a fraud. This can be done discreetly by making prior contacts with high-ranking police officers or overtly as a deterrent to other staff.
The choice would depend on which one fits with the overall strategy and the business culture.
Business impact analysis
A simple business impact analysis would take into account:
• Past losses that are known
• Vulnerabilities to external and internal threats (both magnitude and probability)
• Existence of proper measurements, such as stock shrinkage figures and an internal audit function, together with their depth and effectiveness
• The IT function, the people controls and culture
• The finance function, the level of controls and attitude of the people
• The credit control function, controls and culture
External fraud
External fraud can come via physical means, such as threats of product sabotage, or via the hacking of computer systems. Payroll systems have been infiltrated and money illegitimately siphoned away to personal accounts.
Most external fraud requires some collusion from internal staff, or is perpetrated by ex-employees who know the systems and their vulnerabilities.
In order to determine the threats of external frauds, one has to analyse what can be lost:
• Financial losses with respect to incoming or outgoing payments
• Business continuity.
Methods of dealing with external fraud would depend on the direction from which the threat comes.
One vast area of fraud is in the payments arena. Credit cards, cheques, BACS transfers and other payment mechanisms are all vulnerable. Fraudsters have no qualms in what they do or how they do it, so long as they remain undetected. Here is an example of a typical payment fraud:
A gang of fraudsters intercepted two blank chequebooks en route to a UK company. They split the chequebooks among five individuals who were instructed to obtain easily sellable goods over a period of two days, and targeted stores with high 'floor limits'. In other words, the bank was not called if the cheque was below a certain amount. Goods in excess of £50,000 in value were obtained and the company suffered a significant loss before it stopped the remaining cheques. The rest of the risk was borne by the stores selling the goods.
There are few controls which can prevent the above for the company; reducing the dependency on cheques as a method of payment is the ultimate answer. Ensuring that all providers accept BACS transfer payments does this. Alternatively, blank chequebooks could be collected from the bank or sent by secure means.
The stores can protect themselves by utilising the services of a cheque guarantee company, which can detect unusual spending on chequebooks.
IT systems should be properly managed, and IT staff controlled and monitored appropriately. Proper controls over passwords and internet gateways should be established. Ideally, those PCs linked to the internet should be stand alone, and all communication into the networked system should be virus checked at every level; that includes continuous monitoring of e-mail systems and virus checking data disks before loading.
Other management controls should be implemented to detect and reduce the risk of external fraud.
Internal fraud
This is the most common type of fraud. Here is an example of one long-term fraud perpetrated over three years:
The son of a financial controller had lost a great deal of money on an airline business. The financial controller had authority for allocating insurance premiums across several businesses. With the introduction of self-insurance, the premiums reduced by 50%. However, the financial controller continued to recharge the full amount to the subsidiary companies.
He raised separate insurance invoices from a fictitious insurance broker, having set up a bank account in the name of this insurance broker with himself as the main signatory. The financial director and managing director both signed cheques for the payment of these fictitious invoices over a period of three years, thinking that they were genuine. Other cheques had their signatures forged by the financial controller.
The irregularity was discovered when the financial controller forgot to raise some invoices, and there was a positive balance of collected premiums in the third year. The financial director asked the risk manager when the invoices would be forthcoming, and the risk manager called for an immediate audit as the figures did not tally with the central records.
The financial controller had been considered an exemplary employee and he was a personal friend to many of the senior management. They remarked how he had not taken his holidays for three years due to the pressure of business.
There were several reasons why this fraud was successful:
• Lack of internal audit (internal audit concentrated on physical losses)
• Too few controls over cheques and payment mechanisms in that one person raised the payment authority, raised the cheques, balanced the bank accounts and balanced the books.
• Inadequate understanding of the central process by local management
• Poor communication
• Local management not understanding the basic signs of fraud (not taking holidays is one sign; financial troubles in the family are another).
Tackling internal fraud
The highest proportion of fraud committed is by employees or past employees, either on their own or in collusion with colleagues or other people. The following areas of control are outlined.
In tackling internal fraud, there is no substitute for a first class internal audit function. That audit function must be able to widen its analysis to areas of improbability or where the loss could be apparently invisible.
Culture of measurement
As well as a first class internal audit function, there should be a culture of measurement. In other words, the business should be able to measure and benchmark performance in all areas of potential loss.
Relationship with police and other enforcing agencies
One reason why many organisations wish to deal with problems internally is the possibility of loss of reputation. Employees know this, and it is one of the reasons why internal fraud is so endemic. To counter this, management should always have a relationship with the police at a high level and be prepared to use this relationship to ensure absolute discretion in dealing with any problems. There are other external agencies who can also assist with the same level of discretion.
Good human resources programme
Staff will only perpetrate a fraud if they have a) the means and b) the motive. All the previous activities will reduce the means and set up a framework for detecting and dealing with fraudulent activity after it has started. It is far better to have a situation where the staff (past and present) have no motive to defraud the company. It is easy to say that happy employees are honest employees, but it does boil down to that.
The human resources programme should be fair and appropriate. Ideally, there should be a culture within the organisation where the management understands the external pressures on their staff and can lend a paternalistic hand if staff are suffering from whatever their outside lives bring to bear.
At the very least, management should be trained in the detection of the signs that an employee may fall prey to the temptations put before them, such as:
• lengthy absences
• not taking holidays
• problems in the family
• changes in behaviour that might mean the employee has some need for money rather fast
• changes in lifestyle (more expensive car, clothes or holidays);
• poor internal communication, no eye contact or too much eye contact;
• lack of will to delegate or share workload with fellow employees.
Any of these is more likely to have innocent origins, but the manager who has detected suspicious changes should be more alert to the possibility that the employee is vulnerable to temptation. The manager should then recheck the internal controls which are appropriate to that employee's area of responsibility and, if necessary, put in some more checks and balances or move the employee away from the source of temptation.
When staff leave, their parting should be professionally managed and the security managed after they have gone. Computer accounts should be disabled and any shared passwords changed, physical access controls altered and even locks changed, if the risk is high and the person leaving was a key holder. It is a good idea to allow employees who are leaving to keep some form of "ownership" in the company, like extending share purchase schemes or giving them a couple of years' membership of the sports and social club. People who feel that they are valued stakeholders of a company are much less likely to seek to damage that company.
Overt zero tolerance culture
Where internal fraud is known or suspected to be endemic, or it is in the industry culture, an overt programme of zero tolerance is highly recommended. This means that there is a statement from the very highest level that the company will not tolerate any form of fraudulent behaviour, whether it is stealing time from the company, using the company phones for personal purposes or stealing money or assets from the company.
This statement needs to be reinforced all the way through the organisation, and senior managers must lead the way by their own behaviour. Persistent days away for corporate entertaining may be necessary for customer relationships, but staff do not understand this and assume that it is all right to take time off themselves.
A director taking a sheaf of paper home, as he has work to do over the weekend, is quite entitled to do so. But staff may assume that he is going to use some of it for personal purposes and take some paper home themselves. Once a member of staff has taken home a sheaf of paper, there will be little compunction about a box of pens, an electronic notebook, or a computer, and so on. Zero tolerance has to mean just that, and it applies to everyone.
The campaign for zero tolerance must be accompanied by something that takes away the dread of a draconian, oppressive culture within the company. One company introduced a generous bonus for every employee based on the success of the zero tolerance programme. It had calculated that known fraud was costing over £1 million per year, and it suspected that the true cost was 10 or 20 times that amount. The cost of the bonus scheme was £1 million, so it could not lose.
By reinforcing to everyone that it was their money that was being protected, the company cleverly harnessed peer pressure to reduce the internal fraud. It set up a freephone service for employees to inform the company about happenings anonymously. The service was highly used for the first few weeks. A full bonus was paid out after the first six months. The zero tolerance programme exists today, run by a committee of mainly employees. They came up with a programme which allows double bonuses to people contributing suggestions if the idea is implemented. In this organisation, even stealing ideas is not tolerated.
As with all management controls, there should be a separation between those who raise the request for payment, those who issue the payment, and those who account for it.
IT systems should be properly managed, and IT staff controlled and monitored appropriately. Proper financial controls should be enforced at all times, but especially during major IT projects.
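The separation of duties above, and the three-year fraud described earlier in which one person raised the payment authority, raised the cheques, balanced the bank account and balanced the books, are both checks that can be run mechanically over a payments ledger. The following is an added example, not code from the article or from ALARM; the record layout, role names, the employee list, the payee signatory register and all sample payments are constructed for illustration. It flags any payment on which one person holds more than one of the four roles, any payee whose bank account signatory is a current employee (the fictitious broker pattern), and totals the amount exposed per person so an auditor knows where to start.

```python
"""Segregation-of-duties checks over a constructed supplier-payments ledger.

Added example; not from the original article. Everything below (roles,
sample employees, payee signatory register, payments) is an assumption
made for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str
    payee: str
    amount: float
    requester: str   # raised the payment authority
    approver: str    # signed it off
    issuer: str      # cut the cheque / released the transfer
    reconciler: str  # balanced the bank account afterwards


# The four roles that should be held by different people on every payment.
ROLES = ("requester", "approver", "issuer", "reconciler")

# Constructed sample data (assumed user ids and payee names).
EMPLOYEES = {"a.brown", "fd.hill", "c.jones", "d.patel", "j.smith", "md.grant", "e.lee"}

# Who controls each payee's bank account; an employee here is a red flag.
PAYEE_SIGNATORIES = {
    "Northern Mutual": "external-0042",
    "Ridgeway Brokers Ltd": "j.smith",      # employee is signatory on the payee account
    "Office Supplies Co": "external-0077",
}

SAMPLE_PAYMENTS = [
    Payment("P-1001", "Northern Mutual", 12000.0, "a.brown", "fd.hill", "c.jones", "d.patel"),
    Payment("P-1002", "Ridgeway Brokers Ltd", 8400.0, "j.smith", "fd.hill", "j.smith", "j.smith"),
    Payment("P-1003", "Ridgeway Brokers Ltd", 8400.0, "j.smith", "md.grant", "j.smith", "j.smith"),
    Payment("P-1004", "Office Supplies Co", 310.0, "e.lee", "e.lee", "c.jones", "d.patel"),
]


def duty_conflicts(p: Payment) -> dict[str, list[str]]:
    """Map each person holding more than one role on this payment to those roles."""
    held: dict[str, list[str]] = {}
    for role in ROLES:
        held.setdefault(getattr(p, role), []).append(role)
    return {person: roles for person, roles in held.items() if len(roles) > 1}


def insider_payees(payments, payee_signatories, employees) -> set[str]:
    """Payees paid in this ledger whose bank account is controlled by an employee."""
    return {p.payee for p in payments if payee_signatories.get(p.payee) in employees}


def exposure_by_person(payments) -> Counter:
    """Total value of payments on which each person held conflicting roles."""
    exposure: Counter = Counter()
    for p in payments:
        for person in duty_conflicts(p):
            exposure[person] += p.amount
    return exposure


def review_queue(payments, payee_signatories, employees) -> list[dict]:
    """Payments needing audit attention, each with the reasons it was flagged."""
    insiders = insider_payees(payments, payee_signatories, employees)
    queue = []
    for p in payments:
        reasons = [f"{person} holds roles {'+'.join(roles)}"
                   for person, roles in duty_conflicts(p).items()]
        if p.payee in insiders:
            reasons.append(f"payee {p.payee!r} bank account controlled by employee "
                           f"{payee_signatories[p.payee]}")
        if reasons:
            queue.append({"ref": p.ref, "payee": p.payee, "amount": p.amount, "reasons": reasons})
    return sorted(queue, key=lambda r: r["ref"])


if __name__ == "__main__":
    for item in review_queue(SAMPLE_PAYMENTS, PAYEE_SIGNATORIES, EMPLOYEES):
        print(item["ref"], item["payee"], f"£{item['amount']:,.2f}")
        for reason in item["reasons"]:
            print("   -", reason)
    print("exposure by person:", dict(exposure_by_person(SAMPLE_PAYMENTS)))
```

On the sample data P-1001 is clean, P-1002 and P-1003 are flagged twice (j.smith raised, issued and reconciled them, and the payee's account is his), and P-1004 is flagged because the requester approved their own request. In a real ledger the payee signatory register is the hard part: it has to come from the bank mandate records, not from the supplier master file the same person may maintain.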
There should be a properly communicated policy on gifts and entertainment, which is strictly enforced. Many employees can slide down a slippery slope of accepting gifts or entertainment. This can become a source of weakness and temptation. For example:
An executive was given the use of a chauffeur-driven limousine each time he was in London on business with a provider of services. This became the norm. Soon tickets for Wimbledon and racing were provided, and a close relationship built up between the executive and the provider.
However, the service from the provider was falling short of expectation. When the executive tackled the provider about this poor service, he was told that if he persisted then the 'treats' would be withheld. The executive kept quiet about the level of service and continued to receive more expensive gifts and 'treats'. It was several years before management understood that they were receiving poor quality service, and they had to release the executive from employment. The poor quality service had cost them a great deal of money.
The cost of the loss should be primarily borne by the budget holder who has the ability to control the loss. In other words, if the budget holder is not responsible for the cost of his or her own lax management, then the incentive to take care is lost. If necessary, remove all insurance coverage, apart from that which is necessary for the protection of the overall bottom line. It is important to make it absolutely clear to all budget holders that they will bear the cost of any losses, while at the same time setting out for them a programme on how to detect, prevent and recover losses.
There should be a security policy which is properly communicated, owned by management and enforced on a day-by-day basis. If the company employs a security specialist, it is important that the position is seen as the expert facilitator and enforcing officer, rather than having responsibility for implementing security. Security must be the responsibility of local management to be successful. Security should be appropriate for the risk.
Liz Taylor is executive director of ALARM, the association for public sector risk managers in the UK. Tel: +44 (0) 7041 340135; e-mail: firstname.lastname@example.org. More detailed discussion of the topics covered in this article is available from the author.