Internal fraud is complex, not least because it is often perpetrated by people in positions of trust, who take advantage of that power and their knowledge of the organisation to perpetrate and conceal the fraudulent activity.
This article, the first in the Fraud 101 series, focuses on internal fraud, explains how organisations can be prey to those operating within and the potential impact this crime can have on the business. And it’s not all about money.
What is internal fraud?
Fraud happens when someone behaves dishonestly, deceiving others to achieve a personal gain.
Internal fraud is perpetrated or assisted by someone within an organisation, often someone in a position of trust. This can make it very hard to detect.
The schemes can be perpetrated by a combination of different actors using various methods to target individuals inside or outside of the organisation, or the organisation itself. Those fraudsters can target any part of the organisation, seeking to exploit any weakness in internal controls to make a gain for themselves. Weaknesses commonly exploited are those around how invoices are processed for payment, how employees are onboarded or added to payroll, the physical security around assets, and many others.
What motivates fraudsters?
While the motivations that drive people to commit fraud vary, in general it can be explained by the fraud triangle framework. The three elements of the fraud triangle are:
Fraud arises when pressure, rational and opportunity combine. People may be driven by the pressure of personal financial difficulties, living beyond their means or even involvement with organised crime. They may rationalise their fraudulent behaviour by thinking they are underpaid and deserve the extra money, they may even plan to pay the money back later. Opportunity tends to arise due to the insufficiency of internal controls, with lack of segregation of duties being very commonly exploited.
What are the three forms of internal fraud?
Internal fraud typically falls into one of, or a combination of, three categories:
- Actions targeting business assets – this is what most people think of as fraud, and includes theft and fraudulent payments
- Altering reporting mechanisms – here the perpetrator manipulates the company’s results, either understating or overstating income or assets
- Collusion with a third party – examples include setting up false purchasing schemes or bribery
The fraud is often undertaken by someone who is more familiar with the controls and processes, and how they might be manipulated, than those charged with Governance. This is why it is so important for management and those charged with governance to pro-actively (and pre-emptively!) seek to understand how and where the fraud risks exist.
How to spot the signs of internal fraud
Bad actors within an organisation are the root cause of internal fraud, but many businesses often have a blind spot here. Leaders often assume that everyone else in the organisation shares their integrity, goals and motivations and like to think that everyone involved in their company wants to make the business succeed. Sadly, this is not always the case. Equally, wanting the business to succeed can also turn into a motivation for fraud – exaggerating the financial results or performance KPIs could be perceived, by some, as a way to help the company.
There’s also the risk of ‘good’ employees being influenced by other people’s bad behaviour. If they see their managers putting personal expenses through the business or taking laptops home for personal use, they are more likely to think it is fine for them to behave like this too.
What are the common behavioural red flags of internal fraud?
- An individual living beyond their means
- Changes in apparent financial status
- An unusually close relationship between an insider and a customer/vendor
- An unwillingness to share work duties and/or refusal to take annual leave
- Aggressive/irritable behaviour or a suspicious/defensive demeanour
But be warned: watching out for red flags is not a catch-all solution. If fraudsters are aware that the company keeps an eye out for certain types of behaviour, they will do their best to mask those traits. Staff will need to be able to look past their presumptions on how trustworthy and friendly someone is.
How does internal fraud impact a business?
The financial loss from fraud is not just an isolated, historic loss of money – it can have a cascade of future impacts. For example, the diminished financial position can influence the credit decisions of suppliers, lending decisions on banks, and so on. These factors compromise the company’s ability to continue in business, putting everyone’s livelihoods at risk. If news of the fraud gets out, the potential reputational loss can erode trust with third parties (including customers and suppliers), impacting business-volumes and further exacerbating the above direct financial impacts.
Damages to morale and culture
The financial and reputational costs of fraud are often the most obvious ones, but a sometimes unexpected, but significant, harm is the damage to corporate culture and team morale. It can be very hurtful when staff discover they have been deceived, and they can feel foolish for having trusted the perpetrator. This heavy psychological toll can undermine other working relationships and erode the remaining trust within the organisation.
Directors can face personal consequences if the business is trading when insolvent.
Further regulatory impacts
There can be other regulatory impacts (for example if bribery is involved) or tax consequences (for example if VAT has been underpaid). With the prospect of potential reforms to corporate criminal liability laws in the UK (and the existing crime of failure to prevent the facilitation of tax evasion), the imperative to act against fraud is only getting stronger.
Burdens on key resources
Trying to resolve or investigate internal fraud without the appropriate skills and experiences can drain an organisation’s resources, and it can cost more to investigate than may be recoverable from the fraudster. Furthermore, any criminal or regulatory action taken can take years to reach an outcome, placing long-term burdens on financial and reputational resources.
Is internal fraud a large problem for UK businesses?
The Office for National Statistics estimates that fraud and cybercrime accounts for almost half of all crimes committed against individuals. 18% of small businesses that have experienced a crime in the last two years said that fraud was the single most disruptive offence for their company. That disruption can take valuable resources from the operations of the business, and in some cases, threaten the existence of the business.
Corporate fraud victims can lose 5% of their revenue to the crime. With inflation and the recession already squeezing margins, this 5% could be the crucial difference between a company surviving or experiencing financial difficulties.
How to prevent internal fraud?
We have seen examples of companies whose entire existence has been threatened by fraud. Don’t let yours be one of them. Act now.
Too often we hear clients say: there is no fraud in our business. If you don’t look for fraud, you will not find it. Challenging this mindset is one of the biggest barriers to creating a fraud resilient culture you can face. Another frequent barrier is time and resource, with competing priorities causing fraud prevention to fall down the list of priorities.
Whilst prevention controls should reduce the risk of internal fraud, they are unlikely to be able to prevent 100% of fraud. Fraudsters generally start small, exploiting control gaps, and when their actions are not detected they gain confidence and increase the amounts involved. The longer a fraud scheme is undetected, the more harm is done (and the losses often grow at an increasing speed). There are therefore two key elements to taking action on fraud: –
- Taking steps to prevent it, and
- Detecting fraud faster
Planning to prevent internal fraud
To develop an effective prevention and detection programme, an organisation must first identify where risks of fraud exist. By understanding your business, its stakeholders, its systems and the controls over those systems, you can identify the gaps and the procedures needed to fill them. Anti-fraud measures need to be proportionate to the potential loss and level of risk. They also need to be effective yet not cause too much friction in terms of day-to-day operation of the business.
The next article in this series, looks in more depth into how you can take action to prevent internal fraud.
Don’t wait for fraud to hit you – talk to Evelyn Partners
If you want to find out more about the steps you can take to protect your business against internal fraud, please get in touch with our experts.