It Starts with Tone at the Top
Every year, fraudulent activity accounts for billions of dollars in losses and significant business disruptions. In an increasingly digital environment, and with the rise of cybercrime, the problem will only worsen if preventative, detective and corrective measures are not in place to mitigate the risk. In 2020 alone, according to PwC’s most recent Global Economic Crime and Fraud Survey, 47% of survey respondents experienced fraud in the last 24 months, with an average of six incidents. This was the second-highest number in 20 years.
The top four types of fraud reported in the survey were customer fraud, cybercrime, asset misappropriation, and bribery and corruption, with a significant amount of customer fraud and cybercrime stemming from the work of creative, motivated criminals armed with high-tech devices and excellent knowledge of banking protocol. However, probably most concerning is the uptick in fraudulent activities by senior management, who are entrusted with setting the “tone at the top” and who have access to, and override controls on, several internal safeguarding processes. Combined with dishonesty by rank-and-file employees, it is clear that every company – large or small – has a pressing obligation to maintain a top-class risk structure.
In this article, we will focus on some practical steps companies can take to mitigate internal exposure; this is especially relevant for companies without an internal compliance team. While no system is foolproof against fraud, these steps, when deployed properly, can limit the incidence of fraud.
According to criminologist Donald Cressey, the following elements of the fraud triangle are usually present when fraud occurs:
Opportunity – the ability to commit fraud
Pressure or Motive – a reason for committing fraud
Rationalization – a justification for the fraud
Consequently, we should not be surprised that management and "tone at the top" get the most scrutiny. Senior leadership, by virtue of their placement on the corporate ladder, have the most opportunity to override controls, and so our recommendations start there.
The most successful fraud structures start with leadership.
Tone at the top – while every employee has a role to play in preventing fraud, leadership – management and the board – has the responsibility for driving the creation of an ethical environment and leading by example.
Employee Training – investing in company-wide employee training, at least on an annual basis, is one of the best investments organizations can make. Employees must be made aware of the company’s values and ethics and have a clear understanding of the policies and procedures that underpin those values.
They should also know the ramifications of going against company policy, and the organization must act upon violations to both educate and deter future occurrences. Some form of tracking tool to measure success should also complement this process. Smaller companies can avail themselves of an outside consultant if they do not have the human capital. However, company size should never be used as a reason for not having strong procedures and policies.
"A company that invests deeply in IT systems and mitigating external attacks, but not its employees, will discover rather quickly that an uneducated workforce poses the greatest risk to a company."
As Peter Goldman noted in his book, Anti-Fraud Risk and Control, “Today, any organization lacking a stringent set of internal computer security policies, processes, and procedures to counter the numerous threats of insider fraud puts itself at serious risk of financial and reputational damage, as well as legal and regulatory repercussions in the event of a successful insider attack.”
Segregation of duties – There are numerous stories of employees who have financed living expenses for years from their company’s petty cash, simply because they were the sole person responsible for disbursement, record keeping and account replenishing. Thousands of dollars in losses could have been prevented by inserting an additional person in the petty cash cycle, to either co-sign checks or perform account reconciliation. Small companies may be challenged by not having enough personnel for effective segregation. However, the risk is worth protecting against, even if a non-finance person has to be trained to perform some of the required functions.
Rotating or cross-functional training is an additional internal control step that can be implemented, especially in mid to large companies. While there are possible downsides to this approach, employees can gain new skills and also provide an added check for each other’s work product. Additionally, mandating that employees take some vacation, so that their job function is done by someone else, is a good way to review each employee’s activities, as a new person is inserted in the process as coverage. This is especially critical for employees in sensitive,
“Torture the data, and it will confess to everything.”
— Ronald Coase, British economist
Monitoring and regular oversight – some leaders can be too trusting or unwilling to get bogged down in financial matters. But it is good practice to frequently assess the finances, to ensure there is no questionable pattern developing. Additionally, detective measures, such as the possibility of a spot check, are a great deterrent against internal fraud.
Measurement system – where available, use some of the latest data tools, benchmarking against peers, as well as questionnaires to track success.
A robust fraud protection system is a no-brainer, and there are some low-cost steps that can be easily implemented regardless of company size. While each company’s situation is different, and no amount of controls can totally mitigate fraud, some of the steps outlined above can form the backbone of a highly effective fraud prevention system.