Internal Fraud – or how not to cheat yourself
| 22-02-2018 | Lionel Pavey |
Most companies, regrettably, experience internal fraud. The financial value of the loss can be small or large – however the impact is the same. Internal investigations, procedural reviews, the time spent on detection, possible prosecution, together with the potential loss of reputation are significant factors above and beyond the monetary loss. Fraud can never be eliminated, but the threat can be minimised through proper procedures.
Fraud is normally caused by false representation, failure to disclose information and abuse of power and position. As fraud is performed by people and their actions, a first step to prevent fraud would be to look at the current working environment within a company. If a company is putting extra stress on employees – bigger targets, loss of overtime payments, reductions in secondary benefits, no pay rises or promotions etc. – whilst the directors receive bonuses, this can lead to employees becoming aggrieved and seeking retribution. Furthermore, employing more temporary staff and external contractors can distance the remaining employees and challenge their allegiance and loyalty.
Internal procedures
One of the least sexy components within a company is internal procedures. They need to be drafted, amended, agreed, published, implemented and reviewed on a rolling basis. Very few people enjoy writing these manuals, but they are essential to ensure that everyone is aware of the correct procedures that have to be followed to perform any tasks. Often there is talk of a “four eyes principle”. Personally, I have always believed in a “six eyes principle” as it requires more independent control and makes fraud less easy to perform. Most of the procedures are, of course, built around common sense. Duties should be segregated – different departments have different roles to perform in ensuring the complete procedure is followed throughout the company. Even within a single department, attention should be paid to segregating duties.
An example would be the administrative function relating to a purchase. There are 4 distinct stages – procurement, arrival, warehousing and dispatch/shipment. If one member of staff was responsible for the relevant data input for all 4 stages, there is an increased risk that fraud could take place. This is not to say that work should be segregated so that one employee only ever does one function – this could also lead to fraud, either through disenchantment or over-familiarity with the systems and procedures used at one specific point in the production chain.
External procedures
Certain departments within a company have contact with external sources – suppliers, clients, financial institutions. Anyone who has contact with an external counterparty can be swayed by opportunity if the controls are not in place. In respect of purchasers – what contact do they have with suppliers outside the office? Are they entertained – restaurants, sports events etc? How often do they have contact? In respect of sales – are they responsible for determining the sales price? How often do they see clients and spend money on them? The same also applies to treasurers, cash managers, risk managers etc.
The necessary checks and balances need to be put into place. A record of all contact with external parties needs to be kept, updated, verified and stored. Temptation can be caused by personal hardship, flattery or grievance at how the person is perceived to be treated by the company.
Standing up to the boss
As stated, a healthy company should have procedures and statutes in place. These need to be adhered to at all times – there can be no exceptions. However, a mechanism for escalation is often missing. Example – someone sends in an expense claim approved by their manager. The treasurer or controller might question the veracity of a particular entry. A proper mechanism to escalate the discrepancy needs to be firmly established. That a manager has signed off on the expense claim does not mean it is correct.
Even directors have to make sure that their claims are signed off by other members of staff. Being at the top does not mean that the procedures do not apply. Requests for a priority payment outside of the agreed procedure should always be questioned. If everyone has agreed to the standard procedures, then there can be no justification to make a payment outside of the normal procedure, just because it has been deemed a priority. If truly deemed necessary, then authorisation must be given not only by management and directors, but also by the legal department. If this occurs, then the existing procedure needs to be examined as to why the incident occurred and where the procedure broke down. This all has to be detailed in writing – fraud can happen at the highest level as well as low down within an organisation.
Static data
Every contact both inside and outside of the company should be recognised and recorded in a data system. Static data refers to all relevant data concerning an entity – full name, registered address, bank details, contact details etc. This data should be fed into all other systems, but data input should be restricted to a small number of employees. These employees should not have access to any of the systems that are used to input data relating to daily operations.
Another key area is in the cash management side – book keeping can be complex and differences not noted until the yearly audit. However, cash movements contain plentiful details – name of beneficiary, account numbers etc. This can be reconciled against the prevailing static data – are the bank account numbers the same?
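The reconciliation described in the two paragraphs above, sketched as an added example that is not part of the original article: each cash movement is compared with the static data, and payments keyed by a static-data maintainer are flagged as a segregation-of-duties breach. The record layout, user names, finding labels and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    ref: str
    entity_id: str
    beneficiary: str
    account: str
    entered_by: str  # user who keyed the payment in the operational system

# Constructed static data: entity id -> (registered name, bank account).
STATIC_DATA = {
    "V001": ("Acme Supplies BV", "NL00 EXMP 0000 0000 01"),
    "V002": ("Borealis Logistics", "NL00 EXMP 0000 0000 02"),
}
# Constructed list of the few users allowed to edit static data.
STATIC_DATA_MAINTAINERS = {"mdm01", "mdm02"}

# Constructed cash movements for one day.
SAMPLE_PAYMENTS = [
    Payment("P-1001", "V001", "ACME Supplies  BV", "nl00exmp0000000001", "clerk07"),
    Payment("P-1002", "V002", "Borealis Logistics", "NL00EXMP0000000099", "clerk07"),
    Payment("P-1003", "V003", "Quick Consult", "NL00EXMP0000000003", "clerk09"),
    Payment("P-1004", "V001", "Acme Supplies BV", "NL00EXMP0000000001", "mdm01"),
]

def norm_account(acct):
    # Ignore spacing and case so formatting differences are not reported.
    return "".join(acct.split()).upper()

def norm_name(name):
    return " ".join(name.split()).casefold()

def reconcile(payments, static_data, maintainers):
    """Return (payment ref, finding) pairs for manual review."""
    findings = []
    for p in payments:
        if p.entered_by in maintainers:
            # Static-data editors should not also enter daily operations.
            findings.append((p.ref, "SOD_VIOLATION"))
        record = static_data.get(p.entity_id)
        if record is None:
            findings.append((p.ref, "UNKNOWN_ENTITY"))
            continue  # nothing to compare the account or name against
        name, account = record
        if norm_account(p.account) != norm_account(account):
            findings.append((p.ref, "ACCOUNT_MISMATCH"))
        if norm_name(p.beneficiary) != norm_name(name):
            findings.append((p.ref, "NAME_MISMATCH"))
    return findings
```

Calling `reconcile(SAMPLE_PAYMENTS, STATIC_DATA, STATIC_DATA_MAINTAINERS)` returns the findings for the constructed day; every finding is a prompt for a person to check, not proof of fraud.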
Fraud can never be eradicated, but by being open, allowing questions to be asked, even performing unexpected checks on the system and its integrity, and creating an atmosphere where staff know that they can question without fear of reprisal, then at least everyone will know that the company is alert and vigilant.
That knowledge and awareness will make a potential fraudster think twice.