Secrets of the Fraud Squad
It’s more crucial than ever that firms not only take extra steps to protect employees’ and clients’ data, but have robust practices and structures in place that make fraud both less possible and less likely. Here’s what you can, and should, be doing.
When I first meet people and tell them that I work as a financial investigator, quite often they respond by saying: “That must be exciting,” or “That’s something I would like to do.”
But the reality is that seeing someone’s life change for good when a fraud is discovered is far from exciting. As an investigator, you need empathy and a non-judgmental mindset high on your list of skills. I’ve worked in this field for more than 20 years, and have experienced cases both large and small that have been equally impactful on the individual and the organisation affected. These cases have related to internal malpractice and offences of gross misconduct, including theft and fraud.
There is no doubt that some organisations have become increasingly aware of the issues of internal malpractice, but in my experience, most of them are the large ones. These are also the cases that tend to make the news. The reality is that there are many small and medium organisations which are experiencing this issue, but which we never hear or read about. There are several reasons for this, including the absence of accurate national statistics.
But there is also the fact that many SME owners don’t report what has happened to the authorities. I spoke recently to someone who told me that they wished they’d had an investigator to turn to when they discovered that the person their parents had hired to look after the accounts of their small family business had, in fact, been diverting the money to their own account.
As a result, the business almost went under. When I asked if they had contacted the Gardaí, they replied: “What could the Gardaí do? The person had already fled the state, and my parents just wanted to put this behind them.” This reaction, and indeed this type of case, is not unusual in either small or large organisations. So how do you reduce the chances of it happening in your company?
The fact is that if opportunities arise through weak controls, then individuals on your staff may see them as a way to ‘fix’ issues in their own lives such as gambling debts, the cost of their problem drinking or even peer pressure - the desire to keep up with the Joneses, if you like. Often, senior management or owners do not see the need to invest in countering the threat of losses due to fraud. But while smaller companies by and large don’t need to invest as heavily as larger firms, a few basic controls around employee screening and outward payments, such as a second person approving new payees and any change to a supplier’s bank details, could save a lot of pain. In essence, we need to go back to basics. Yes, there are now new laws covering issues that can arise in larger organisations in both the public and private sectors, and that is a good thing. But legislation on its own is an end product. It only works if it is enforced, and enforcement means holding organisations responsible and accountable for having auditable controls in place to protect shareholders and stakeholders.
So what can and should be done in every organisation, large or small? A robust employee screening process should be in place, no matter the size of the company – remember, the case I referred to above happened in a situation where the individual was not screened. I have seen this in larger organisations as well, with certain fraudsters able to move from one organisation to another.
Companies need internal policies that support investigation principles. Endorsement of those policies by the owner, chief executive and board is imperative: it means every employee knows in advance what counts as a policy breach, for example a false expense claim, and what the consequences are. All sanctions and policies should apply from the top down.
Communication is a key tool for companies, and training sessions are one way to deliver it. For larger organisations, e-learning works well and allows completion of standard mandatory training to be tracked. Face-to-face training should be preferred when staff malpractice, and how it is dealt with, are being discussed. Staff already receive annual training on matters such as health and safety, data protection and money laundering, and in my view internal malpractice training should be mandatory too.
Organisations should ask themselves: if an issue occurred tomorrow, would they have the resources to investigate it? Many larger organisations have units tasked with fraud investigations, but are they staffed by skilled personnel, and do they have the resources to manage several cases, or technical cases, at once? Investigating your own organisation always raises questions about the independence of the investigation, and that independence will be challenged at tribunal and court stage. Management should run a crisis management exercise based on an internal fraud scenario, as this will test both resources and capabilities.
In the light of the Protected Disclosures Act, your organisation should ask itself whether it has defined processes and mechanisms for staff to report concerns under its whistleblowing arrangements. Individuals must be free from reprisals for making reports, and again the independence and timeliness of the resulting investigations is crucial.
Risk assessments are an effective way of establishing what controls should be in place to detect and prevent internal malpractice.
However, a lack of understanding of how a risk assessment works – and what it can deliver – means it is not a tool that is used very often. This is a shame, as I’ve seen myself how risk assessments in the form of workshops and discussions can result in mitigating controls being introduced. Internal malpractice is still predominantly discovered reactively, but proactive auditing and reviews are another tool that can be used. Many mature internal and external audit functions use data analytics, and again I have seen cases where firms managed to identify the theft of customer data because of proactive auditing, review and control testing.
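As an added illustration of the data analytics mentioned above, and of the outward-payment controls referred to earlier, here is a small Python script that runs three common accounts-payable tests over a constructed extract: supplier bank accounts that match an employee's, invoices paid twice, and runs of invoices sitting just under an approval limit. This is example code written for this page, not anything from Mazars or the article; the records, field names, the 5,000 single-signature limit and the 7-day window are all assumptions.

```python
"""
Proactive payment analytics of the kind an audit function might run over an
accounts-payable extract. Added example with constructed data; not from the
article. Field names, thresholds and windows are assumptions.
"""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 5000.00   # assumed single-signature payment limit
SPLIT_WINDOW_DAYS = 7          # assumed window for spotting split invoices

# Constructed sample records (IBANs are made up for illustration).
EMPLOYEES = [
    {"id": "E001", "name": "A. Byrne", "iban": "IE29AIBK93115212345678"},
    {"id": "E002", "name": "C. Daly",  "iban": "IE64IRCE92050112345678"},
]
VENDORS = [
    {"id": "V100", "name": "Dublin Office Supplies", "iban": "IE12BOFI90001712345678"},
    {"id": "V200", "name": "Northside Consulting",   "iban": "IE64IRCE92050112345678"},  # same account as E002
]
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-1001", "amount": 1200.00, "date": date(2018, 11, 5)},
    {"vendor": "V100", "invoice": "INV-1001", "amount": 1200.00, "date": date(2018, 11, 19)},  # paid twice
    {"vendor": "V200", "invoice": "NC-07",    "amount": 4900.00, "date": date(2018, 11, 6)},
    {"vendor": "V200", "invoice": "NC-08",    "amount": 4950.00, "date": date(2018, 11, 8)},
    {"vendor": "V200", "invoice": "NC-09",    "amount": 4800.00, "date": date(2018, 11, 10)},
    {"vendor": "V100", "invoice": "INV-1002", "amount": 7500.00, "date": date(2018, 11, 12)},
]


def _norm(iban):
    return iban.replace(" ", "").upper()


def vendors_matching_employee_bank(employees, vendors):
    """Vendors whose bank account equals an employee's: a classic indicator
    of a fictitious supplier or a hijacked supplier record."""
    by_iban = {_norm(e["iban"]): e["id"] for e in employees}
    return [(v["id"], by_iban[_norm(v["iban"])]) for v in vendors if _norm(v["iban"]) in by_iban]


def duplicate_payments(payments):
    """Same vendor, invoice number and amount paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p["date"])
    return [key for key, dates in seen.items() if len(dates) > 1]


def split_invoices(payments, threshold=APPROVAL_THRESHOLD, window_days=SPLIT_WINDOW_DAYS,
                   min_count=2, margin=0.1):
    """Runs of invoices from one vendor, each within `margin` below the approval
    threshold and inside a short window: consistent with one large payment
    being split to stay under a single-signature limit. One finding per vendor."""
    near = [p for p in payments if threshold * (1 - margin) <= p["amount"] < threshold]
    by_vendor = defaultdict(list)
    for p in near:
        by_vendor[p["vendor"]].append(p)
    flagged = []
    for vendor, ps in by_vendor.items():
        ps.sort(key=lambda p: p["date"])
        for i, first in enumerate(ps):
            run = [q for q in ps[i:] if (q["date"] - first["date"]).days <= window_days]
            if len(run) >= min_count:
                flagged.append((vendor, [q["invoice"] for q in run],
                                round(sum(q["amount"] for q in run), 2)))
                break
    return flagged


def run_all():
    """Run every test over the constructed extract and return the findings."""
    return {
        "employee_bank_match": vendors_matching_employee_bank(EMPLOYEES, VENDORS),
        "duplicates": duplicate_payments(PAYMENTS),
        "split_invoices": split_invoices(PAYMENTS),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

Each finding is a lead for a reviewer, not proof of fraud: a genuine supplier may share a bank with an employee's side business, and a vendor may legitimately issue several invoices in a week. The point is that the tests run against the whole ledger every month rather than waiting for a complaint.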
You must also ask yourself what you are doing to stop customer or personal data leaving your organisation. This data should be protected by enforcing controls and restricting access to systems to only those who really need it. My experience has been that the use of performance appraisals and one-on-one conversations as a control mechanism to identify any issues that could account for changes in performance or behaviour of an individual is not common. I would like to see this change.
It is important to have a conversation with staff before they leave your organisation. Not only will this highlight whether there is an underlying issue behind their departure, but it is also the opportunity to recover valuable assets such as mobile phones, iPads and the like, and to confirm that their system access is being removed on their last day.
Password controls are another proactive way of protecting IT systems and the data in them. Previous investigations have highlighted cases of employees sharing passwords, and of credentials remaining usable after the people concerned had left the organisation, which in turn acted as the catalyst for large-scale abuse and theft.
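To show what checking for these two failure modes looks like in practice, the following Python script (an added example, not from the article) parses a few constructed authentication log lines and flags successful logins by accounts on an HR leaver list after the person's last working day, and accounts used from two different source addresses within a short window. The log format, field names, user names, addresses and the 10-minute window are assumptions.

```python
"""
Access-hygiene checks over authentication logs: leaver accounts still in use,
and one account used from several machines at once. Added example with
constructed log lines; not from the article. Log format and thresholds are
assumptions.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<name> src=<address> result=<success|failure>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed HR leaver list: user -> last working day.
LEAVERS = {"mkelly": date(2018, 11, 9)}

# Constructed sample of authentication events.
SAMPLE_LOG = """\
2018-11-12T08:55:02 user=abyrne src=10.0.4.17 result=success
2018-11-12T08:57:40 user=mkelly src=10.0.4.23 result=success
2018-11-12T09:01:12 user=cdaly src=10.0.4.31 result=success
2018-11-12T09:03:55 user=cdaly src=10.0.7.102 result=success
2018-11-12T09:04:10 user=abyrne src=10.0.4.17 result=failure
2018-11-12T17:30:00 user=cdaly src=10.0.4.31 result=success
2018-11-13T08:10:00 user=cdaly src=10.0.9.5 result=success
"""


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def leaver_logins(events, leavers):
    """Successful logins by an account after its owner's last working day.
    Each hit means the account was not disabled when the person left."""
    hits = []
    for ev in events:
        last_day = leavers.get(ev["user"])
        if last_day and ev["result"] == "success" and ev["ts"].date() > last_day:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["src"]))
    return hits


def shared_credential_candidates(events, window=timedelta(minutes=10)):
    """Accounts with successful logins from two different source addresses
    within `window` of each other: consistent with a shared password.
    Reports (user, first_src, second_src) once per user."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        found = None
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break            # events are sorted, so nothing later is closer
                if b["src"] != a["src"]:
                    found = (user, a["src"], b["src"])
                    break
            if found:
                break
        if found:
            flagged.append(found)
    return flagged


def run_checks(text=SAMPLE_LOG, leavers=LEAVERS):
    """Run both checks over a log extract and return the findings."""
    events = parse_log(text)
    return {
        "leaver_logins": leaver_logins(events, leavers),
        "shared_credentials": shared_credential_candidates(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

The leaver check is only as good as the HR feed it is reconciled against, which is why the leaving conversation and the access removal need to happen on the same day. The shared-credential check will also fire for a user moving between a desktop and a laptop, so it is a prompt for a conversation rather than a verdict.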
Many organisations rely on IT support and security, so it is very much worth your while talking to them frankly about how they intend to manage and deliver changes given the corporate world’s ever-increasing reliance on computers, mobile devices and cloud computing.
Michael Fitzgerald is senior manager, governance risk and internal controls, at Mazars in Dublin
This article first appeared in the Sunday Business Post on the 2nd December 2018.