This article, the second in our Fraud 101 series, focuses on the steps you can take to protect your organisation against internal fraud.
1. Understanding the whole business
Every business is unique. Each one has its own culture, people, parts, structures and cycles, and they all interact in their own way. It’s important to explore these key questions to better understand your business:
- Who are the people involved in your organisation? Obvious insiders are employees, contractors, and management; other stakeholders include customers and suppliers, financiers, and shareholders.
- What assets could be under threat? Many organisations have tangible items such as stock, cash and fixed assets. But they can also hold intangible items: intellectual property, brands, and IT.
- What are the reporting chains? Who controls the information and messages flowing around the organisation?
- How do the various processes and procedures within the organisation work? What controls are currently in place over these and how effective are they?
Only by understanding fully how the organisation operates, who is involved, and what might be of interest to potential fraudsters, can you start to build effective defences.
2. Identify and assess the risks
Once you have an understanding of the organisation, its governance and operating environment, it’s time to start thinking about the risks that the organisation may face.
For example, here are some simple questions asked about a single business cycle to understand the control environment and where vulnerabilities may be exploited:
- How are new suppliers selected?
- What connection is there between deciding which suppliers to use and putting in an order?
- How are orders checked against goods received?
- Who is responsible for paying for items?
Risks may occur at any of these key points and may arise from a lack of controls within a process or from an ability to circumvent existing controls without detection.
Identifying all areas vulnerable to the risk of fraud, traditionally those in finance, HR, sales, procurement and stock management, can help you understand the hot spots and prioritise resources to resolve those areas where risk exposure is too high.
One of the greatest internal-fraud risks that a business can face comes from its own employees. Fraud stems from people, motivated by personal gain, who sense opportunities and exploit weaknesses: your organisation needs to develop an anti-fraud culture and ensure robust prevention measures are in place. Our previous article explores what motivates fraudsters in more depth.
3. Develop appropriate controls
Understanding the fraud risks that a business may face will enable you to identify and develop appropriate controls through your policies and processes.
Typical controls might include:
- Physical controls: limiting access to assets, equipment, or stock
- Logical controls: such as robust password controls and limiting access to IT systems without the right credentials
- Authorisation: over payments or setting up new suppliers on the system
- Segregation of duties: so that the staff who initiate or record a transaction differ from those who review and authorise it
- Reconciliations: such as between bank balances and the company’s cash books
- Verification: verifying new customers and their details before deciding credit terms
- Recruitment checks: for potential employees to confirm they are who they say they are
- Periodic reviews: high-level controls that can help spot errors as well as frauds
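As an added illustration (not part of the article and not Evelyn Partners' code), a short Python check over constructed records for two of the controls above: segregation of duties across initiating, approving and paying, and a cash book to bank statement reconciliation. The field names and sample values are assumptions.

```python
# Added example: checks two of the controls listed above over constructed data.

# Constructed supplier-payment records: who initiated, approved and paid each one.
TRANSACTIONS = [
    {"id": "T1", "supplier": "Acme Ltd", "amount": 1200.00,
     "initiated_by": "alice", "approved_by": "bob", "paid_by": "carol"},
    {"id": "T2", "supplier": "Acme Ltd", "amount": 980.50,
     "initiated_by": "dave", "approved_by": "dave", "paid_by": "carol"},
    {"id": "T3", "supplier": "NewCo", "amount": 4500.00,
     "initiated_by": "erin", "approved_by": "bob", "paid_by": "erin"},
]

# Constructed cash book and bank statement keyed by the same transaction ids.
CASH_BOOK = {"T1": 1200.00, "T2": 980.50, "T3": 4500.00}
BANK_STATEMENT = {"T1": 1200.00, "T2": 980.50, "T3": 4800.00, "T4": 250.00}


def sod_violations(transactions):
    """Ids of transactions where one person held more than one of the three roles."""
    flagged = []
    for t in transactions:
        roles = (t["initiated_by"], t["approved_by"], t["paid_by"])
        if len(set(roles)) < len(roles):  # a name repeated across roles
            flagged.append(t["id"])
    return flagged


def reconcile(cash_book, bank):
    """Compare the two records; returns (amount mismatches, bank-only, book-only)."""
    common = cash_book.keys() & bank.keys()
    mismatched = sorted(k for k in common if abs(cash_book[k] - bank[k]) >= 0.01)
    bank_only = sorted(bank.keys() - cash_book.keys())   # money left without a book entry
    book_only = sorted(cash_book.keys() - bank.keys())   # recorded but never cleared
    return mismatched, bank_only, book_only


if __name__ == "__main__":
    print("Segregation-of-duties exceptions:", sod_violations(TRANSACTIONS))
    mism, bank_only, book_only = reconcile(CASH_BOOK, BANK_STATEMENT)
    print("Amount mismatches:", mism)
    print("On bank statement only:", bank_only)
    print("In cash book only:", book_only)
```

Each exception the script reports is a prompt for a reviewer to look at the underlying transaction, not a finding of fraud in itself.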
4. Establish the best types of control
What are the best types of control? The best controls are those designed to plug any specific gaps in your company and its processes to reduce the opportunity for fraud taking place. Controls must also be operating effectively.
It’s important that the controls are proportionate to the risks involved. This means striking a balance between the likelihood of fraud taking place and the potential damage arising, while making sure that operating the controls doesn’t hinder day-to-day operations.
For example, requiring non-executive director approval for payments by directors may reduce the risk of loss from the actions of rogue directors. However, this control may also significantly slow the payment process. This could jeopardise relationships with suppliers and restrict directors' autonomy to take advantage of favourable trading arrangements such as early settlement discounts.
Conversely, while the financial losses arising from expense-claim fraud may not be significant in value, its potential volume and frequency could become endemic. This may cause the business to implement additional, and potentially cumbersome, controls.
5. Make risk management a continuous process
Risk management is like anything else within business – you get out of it what you put into it. It needs to be dynamic and respond to the evolving landscape both inside and outside of the organisation. It needs timely input to drive the insights that allow action to be taken.
Identifying your key fraud risks is a step in the right direction, but regularly assessing how well they are being managed is the most critical aspect and the only element within your control.
Remember that periods of greatest change can often be the times of greatest risk. As the shifts in environment and operations occur, they may expose gaps in controls and create new opportunities for fraud.
6. Appoint who is responsible for preventing fraud
The key question is: who is responsible for preventing fraud? In companies, the board of directors is ultimately responsible for risk management: this is part of their legal duties under the Companies Act. Similarly, trustees of charities also have obligations under law to protect their organisations. Ultimately, those charged with governance should lead the fight against fraud.
Those charged with governance, who have a better knowledge of the organisation’s day-to-day operations, can take direct responsibility for overseeing the fraud risk function. Larger organisations may have an internal audit function dedicated to minimising risk, while in smaller companies this duty usually falls to a chief executive or chief operating officer.
However, the responsibility for fighting fraud falls to everyone in an organisation. Staff are on the front line to combat or report bad behaviour and protect the organisation from harm. This applies to each person in the organisation from the security guard on the front desk, to any member of the accounts team or to the head of legal and compliance.
Tone from the top is crucial. If every member of your organisation sees its leaders adopting a strong corporate culture of integrity, this will permeate down through the organisation. This can make staff members more likely to share your goals and behave with integrity.
7. Get wider staff involved
But how can you get your staff involved? A good approach is to combine a risk assessment exercise with a fraud awareness training exercise. This can be done through workshops or as part of ongoing staff training.
During these sessions staff are asked to think about the most vulnerable parts of the organisation that may be targeted by fraudsters: if they wanted to steal from the organisation, how would they go about it? This captures both your challenges and what you are going to do to manage them.
Not only will this empower staff who want to do good by the company, it will help them become more aware of the kinds of actions and behaviours they should look out for.
8. Get advice
Fraud can be complex. If it weren’t, then your organisation wouldn’t be at risk.
If you’ve identified or need help uncovering complex-fraud risks, forensic accounting services can support you further.
A forensic accounting specialist can assess your risks and help you to build an appropriate risk management system to prevent or mitigate the dangers that the organisation faces.
Talk to Evelyn Partners
If you want to find out more about how to protect your organisation against insider fraud, please get in touch with our experts.