How could you commit fraud?
Capitalise on your employees’ knowledge when it comes to Fraud Risk Management

November 2014
Publication No. 14-06

Introduction

KordaMentha Forensic staff have undertaken risk management assignments for organisations in different parts of the world, from developing countries to first world countries. Although many of the organisations we have worked with had fraud risk management plans in place, on every occasion we have uncovered multiple methods by which those same organisations could lose anywhere from $10,000 to in excess of $100 million (you choose the currency!). It can be surprisingly simple (once understood) for this to happen by circumventing some of the steps associated with the approval process to authorise wire transfers out. Those organisations had initially thought their fraud risk controls were strong, until we pointed out their weaknesses.

A recent survey showed 32.2% of fraud cases occurred in organisations that lacked internal controls to prevent fraudulent behaviour [1]. This suggests that some organisations remain complacent and simply ‘set and forget’ their fraud risk management plan. They do not test it regularly or ensure it is updated as new business products or services are introduced. This can allow weaknesses in controls to develop which, in turn, could allow fraud to occur.

So how do you prevent these weaknesses in controls? We suggest that your organisation taps into the knowledge and concerns of staff to develop a stronger fraud risk management system.

Organisations that have grown through mergers and acquisitions are particularly vulnerable because of ‘bolt on’ and ‘legacy’ systems, and even organisations that grow organically are susceptible if they take their eye off the ball. Scheduled testing of the control environment for fraud scenarios, and involving staff in that process, is a vital part of fraud prevention, awareness and education.
Involving your staff helps build your front lines (and back lines) of defence. If you are not doing this, then you are potentially giving a green light to fraud.

Find the weaknesses in controls by asking your employees

One of the reasons that white-collar crime has flourished is that people prefer to avoid conflict, confusion and confrontation. In a work environment where we like to trust and be trusted, it can be difficult for someone to ask a colleague or peer whom they like and trust to explain a decision, or to ask for supporting documents to verify a transaction.

However, even if they don’t want to ask difficult questions of their colleagues, employees are the best eyes and ears to identify fraud. In 2014, 42.2% of initial detection of fraud was through a tip-off and almost half of these tips (49%) came from an employee [2]. While employees are the best source as whistleblowers, whistleblowing relies on them reporting the issue after the event, rather than being proactive.

The most effective method to uncover control weaknesses and identify how a fraudster could commit a fraud is to enlist the help of your staff who input and process transactions. They know the weaknesses and the shortcuts, and those controls which may have been ‘operationalised’ over the years under a false sense of security and with an intention to make life easier. They know transaction types that will be queried and whether any fraudulent transactions could get through the existing systems and controls.

We find that there can be an over-reliance on software, internal audit departments, corporate security or even external audit to conduct fraud risk reviews. Rather, our experience shows that eliciting information on the ‘how to defraud’ scenario requires a specific skill set, and an organisation must be careful to select the right people to lead the project. This usually requires only two people to run such a project.
Importantly, staff who participate in interviews and workshops need to feel that they can share information and feel safe to expose the flaws, real or perceived.

We are often asked whether including staff in the reviews may increase the risk of fraud by ‘giving them ideas’. In our experience, it does not. They already know the weaknesses, but these are rarely discussed. By exposing the flaws, you will reduce the risk because now everyone knows what to look out for.

The planning for a ‘how to defraud’ review is key: ensure that you understand the business drivers and systems and obtain the right mix of staff to participate.

So what next?

As part of your review, take a deep dive into your control environment to really understand where the risks may lie. The good news is that you don’t need much management time to devote to such a project. In order to do this we recommend:

1. Identify the department or area you want to review, e.g. front office, back office, or financial shared service centres.
2. Take stock of the systems and processes used in that area to process transactions.
3. Work with your project leader to select an appropriate cross section of staff to participate in interviews and workshops.
4. Sell the fraud risk management review to your staff and enlist their support.

It really comes down to the touch points in your organisation. A perpetrator (internal or external) looks at your organisation to find the weak link as a way in to defraud you. Where will s/he look? Everything is on the table. Looking at your organisation, s/he will look at:

• Contact points in your various departments (e.g. front office sales)
• Contact points with your suppliers (e.g. procurement department)
• Contact points to your bank accounts (e.g. payment approvers, payroll manager)
• Contact points to your inventory/assets (e.g. warehouse manager, security system)
• Contact points on your computers (e.g. exchange servers).
Speak with your key staff about potential control weaknesses at your organisation in each of these areas.

Also, don’t forget, when testing your control environment, to consider how ex-employees could commit fraud. Normal staff turnover means that an average of 12% of your staff leave every year [3] – those people often have extensive knowledge of your organisation’s systems and controls. Once they leave, however, management have little control as to what an ex-employee (particularly an aggrieved one) may do with knowledge of your control environment (and its weaknesses)! Again, we suggest speaking to your staff to find out what risks they think exist in this area.

If you are an international organisation with functions replicated across geographic locations, there is real benefit in applying the results of what you find in Australia to other locations. In that way, you can get some real leverage.

It may be a solo dance or it may take two to tango ... or three or four

Collusion is a factor that should be taken into consideration, as it is easier to bypass controls if fraudsters work together rather than alone. A recent survey by the ACFE showed that over 45% of frauds had two or more employees involved, and if that was the case, then the median loss rose by 150% [4]. Collusion between employees allows fraudsters to get around the most carefully planned segregation of duties (a mechanism to spread responsibility and avoid any one person having too much control over a particular business function). While collusion may be a difficult area to prevent, make your staff aware of the risk of collusion – they are best placed to identify such behaviour.

Conclusion

So is regular testing of fraud risk management essential for an organisation? We certainly think so, and our experience shows that staff inclusion in the fraud risk management activity is the best way to action that testing.
Discussing the risk of control weaknesses with staff enlists their support, and also adds additional eyes and ears in the battle against fraud.

KordaMentha has extensive experience in providing fraud risk management and training in a number of industries and countries. Please contact the authors below for more information.

Endnotes

1. Page 39 of the ACFE Report to the Nations 2014.
2. Pages 19 and 21 of the ACFE Report to the Nations 2014.
3. According to the Australian Human Resources Institute survey on staff retention and turnover for 2012, an organisation of 1000+ employees has a staff turnover rate of about 10% per year while an organisation of 500–999 employees has a staff turnover rate of about 14% – that is an average of 12% of your staff every year!
4. Page 46 of the ACFE Report to the Nations 2014.

About the authors

Paul Curby | Partner
Sydney | +61 2 8257 3050 | pcurby@kordamentha.com
Paul specialises in fraud risk and prevention services, and fraud and anticorruption investigation. Paul has more than 29 years’ experience in the area of fraud risk and investigation consulting in both government and the private sector. His extensive industry experience includes financial services, government, manufacturing, insurance, airline and transportation, construction and gaming.

Matthew John Lim | Senior Executive Analyst
Sydney | +61 2 8257 3048 | mjlim@kordamentha.com
Matthew has been conducting investigations for large multi-national corporations for the past 4.5 years. Matthew has worked on cases in the Asia Pacific region and in Europe. His industry experience includes the financial services sector, oil and gas, telecommunications, government and international shipping.

KordaMentha Forensic

We provide clarity and objectivity to organisations when the commercial stakes are high, and the evidence is critical to the outcome.
Our specialist forensic tools, rigorous analysis and clear presentation of the financial, factual and electronic information provide insights that are otherwise hidden in the detail of a dispute, investigation, or review.

Melbourne
Owain Stone | +61 3 8623 3410 | ostone@kordamentha.com
Robert Cockerell | +61 3 8623 3355 | rcockerell@kordamentha.com
Craig Macaulay | +61 3 8623 3373 | cmacaulay@kordamentha.com
Anthony Hodgkinson | +61 3 8623 3307 | ahodgkinson@kordamentha.com
Brittany Lincoln | +61 3 8623 3426 | blincoln@kordamentha.com

Sydney
Andrew Ross | +61 2 8257 3051 | aross@kordamentha.com
John Temple-Cole | +61 2 8257 3077 | jtemplecole@kordamentha.com
Nigel Carson | +61 2 8257 3080 | ncarson@kordamentha.com
Paul Curby | +61 2 8257 3050 | pcurby@kordamentha.com
Alex Bell | +61 2 8257 3053 | abell@kordamentha.com

Brisbane
David Van Homrigh | +61 7 3338 0220 | dvanhomrigh@kordamentha.com
Brian Wood | +61 7 3338 0250 | bwood@kordamentha.com

Adelaide
Stephen Duncan | +61 8 8223 8106 | sduncan@kordamentha.com
Briston Talbot | +61 8 8223 8114 | btalbot@kordamentha.com

Perth
Grant Whiteley | +61 8 9220 9331 | gwhiteley@kordamentha.com

Singapore
Matthew Fleming | +65 6593 9363 | mfleming@kordamentha.com

Subscribe to our publications at kordamentha.com/subscribe
Learn more about our forensic services at kordamentha.com/forensic

This publication, and the information contained therein, is prepared by KordaMentha Forensic Partners and staff. It is of a general nature and is not intended to address the circumstances of any particular individual or entity. It does not constitute advice, legal or otherwise, and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.
The authors note that much of the material presented was originally prepared by others and this publication provides a summary of that material and the personal opinions of the authors. Limited liability under a scheme approved under Professional Standards Legislation.