Capitalise on your employees' knowledge when it comes to Fraud Risk Management
KordaMentha Forensic staff have undertaken risk management assignments for organisations in different parts of the world, from developing countries to first world countries. Although many of the organisations we have worked with had fraud risk management plans in place, on every occasion we have uncovered multiple methods by which those same organisations could lose anywhere from $10,000 to in excess of $100 million (you choose the currency!). It can be surprisingly simple (once understood) for this to happen by circumventing some of the steps associated with the approval process to authorise wire transfers out. Those organisations had initially thought their fraud risk controls were strong, until we pointed out their weaknesses.
A recent survey showed 32.2% of fraud cases occurred in organisations that lacked internal controls to prevent fraudulent behaviour [1]. This suggests that some organisations remain complacent and simply 'set and forget' their fraud risk management plan. They do not test it regularly, or ensure it is updated as new business products or services are introduced. This can allow weaknesses in controls to develop which, in turn, could allow fraud to occur.
So how do you prevent these weaknesses in controls? We suggest that your organisation taps into the knowledge and concerns of staff to develop a stronger fraud risk management system. Organisations that have grown through mergers and acquisitions are particularly vulnerable because of 'bolt on' and 'legacy' systems, and even organisations that grow organically are susceptible if they take their eye off the ball. Scheduled testing of the control environment for fraud scenarios, and involving staff in that process, is a vital part of fraud prevention, awareness and education. Involving your staff helps build your front lines (and back lines) of defence. If you are not doing this, then you are potentially giving a green light to fraud.
Find the weaknesses in controls by asking your employees
One of the reasons that white-collar crime has flourished is that people prefer to avoid conflict, confusion and confrontation. In a work environment where we like to trust and be trusted, it can be difficult for someone to ask a colleague or peer whom they like and trust to explain a decision, or to ask for supporting documents to verify a transaction.
However, even if they don't want to ask difficult questions of their colleagues, employees are the best eyes and ears to identify fraud. In 2014, 42.2% of initial detection of fraud was through a tip-off and almost half of these tips (49%) came from an employee [2]. While employees are the best source as whistleblowers, this relies on them reporting the issue after the event, rather than being proactive.
The most effective method to uncover control weaknesses and identify how a fraudster could commit a fraud is to enlist the help of your staff who input and process transactions. They know the weaknesses and the shortcuts, and those controls which may have been 'operationalised' over the years under a false sense of security and with an intention to make life easier. They know transaction types that will be queried and whether any fraudulent transactions could get through the existing systems and controls.
We find that there can be an over-reliance on software, internal audit departments, corporate security or even external audit to conduct fraud risk reviews. Rather, our experience shows that eliciting information on the 'how to defraud' scenario requires a specific skill set, and an organisation must be careful to select the right people to lead the project. Such a project usually requires only two people to run it. Importantly, staff who participate in interviews and workshops need to feel that they can share information and that it is safe to expose the flaws, real or perceived.
We are often asked whether including staff in the reviews may increase the risk of fraud by 'giving them ideas'. In our experience, it does not. They already know the weaknesses, but these are rarely discussed. By exposing the flaws, you will reduce the risk because now everyone knows what to look out for.
The planning for a 'how to defraud' review is key: ensure that you understand the business drivers and systems and obtain the right mix of staff to participate.
So what next?
As part of your review, take a deep dive into your control environment to really understand where the risks may lie.
The good news is that you don't need to devote much management time to such a project. To do this, we recommend that you:
- Identify the department or area you want to review e.g. front office, back office, or financial shared service centres
- Take stock of the systems and processes used in that area to process transactions
- Work with your project leader to select an appropriate cross section of staff to participate in interviews and workshops
- Sell the fraud risk management review to your staff and enlist their support.
It really comes down to the touch points in your organisation. A perpetrator (internal or external) looks at your organisation to find the weak link as a way in to defraud you. Where will s/he look? Everything is on the table. Looking at your organisation, s/he will look at:
- Contact points in your various departments (e.g. front office sales)
- Contact points with your suppliers (e.g. procurement department)
- Contact points to your bank accounts (e.g. payment approvers, payroll manager)
- Contact points to your inventory/assets (e.g. warehouse manager, security system)
- Contact points on your computers (e.g. exchange servers).
Speak with your key staff about potential control weaknesses at your organisation in each of these areas.
Also, don't forget, when testing your control environment, to consider how ex-employees could commit fraud.
Normal staff turnover means that an average of 12% of your staff leave every year [3] – those people often have extensive knowledge of your organisation's systems and controls. Once they leave, however, management have little control as to what an ex-employee (particularly an aggrieved one) may do with knowledge of your control environment (and its weaknesses)! Again, we suggest speaking to your staff to find out what risks they think exist in this area.
If you are an international organisation with functions replicated across geographic locations, there is real benefit in applying the results of what you find in Australia to other locations. In that way, you can get some real leverage.
It may be a solo dance or it may take two to tango ... or three or four
Collusion is a factor that should be taken into consideration, as it is easier to bypass controls if fraudsters work together rather than alone. A recent survey by the ACFE showed that over 45% of frauds had two or more employees involved, and if that was the case, then the median loss rose by 150% [4].
Collusion between employees allows fraudsters to get around the most carefully planned segregation of duties (a mechanism to spread responsibility and avoid any one person having too much control over a particular business function).
While collusion may be a difficult area to prevent, make your staff aware of the risk of collusion – they are best placed to identify such behaviour.
So is regular testing of fraud risk management essential for an organisation? We certainly think so, and our experience shows that staff inclusion in the fraud risk management activity is the best way to action that testing. Discussing the risk of control weaknesses with staff enlists their support, and also adds additional eyes and ears in the battle against fraud.
[1] Page 39 of the ACFE Report to the Nations.
[2] Pages 19 and 21 of the ACFE Report to the Nations 2014.
[3] According to the Australian Human Resources Institute survey on staff retention and turnover for 2012, an organisation of 1000+ employees has a staff turnover rate of about 10% per year while an organisation of 500–999 employees has a staff turnover rate of about 14% – that is an average of 12% of your staff every year!
[4] Page 46 of the ACFE Report to the Nations 2014.