How could you commit fraud?
Capitalise on your employees’ knowledge
when it comes to Fraud Risk Management
November 2014
Publication No. 14-06
1
2
Introduction
KordaMentha Forensic staff have undertaken
risk management assignments for organisations
in different parts of the world, from developing
countries to first world countries. Although many
of the organisations we have worked with had
fraud risk management plans in place, on every
occasion we have uncovered multiple methods
by which those same organisations could lose
anywhere from $10,000 to in excess of
$100 million (you choose the currency!). It can
be surprisingly simple (once understood) for
this to happen by circumventing some of the
steps associated with the approval process to
authorise wire transfers out. Those organisations
had initially thought their fraud risk controls were
strong, until we pointed out their weaknesses.
A recent survey showed 32.2% of fraud cases
occurred in organisations that lacked internal
controls to prevent fraudulent behaviour1. This
suggests that some organisations remain
complacent and simply ‘set and forget’ their
fraud risk management plan. They do not test
it regularly, and ensure it is updated as new
business products or services are introduced.
This can allow weaknesses in controls to develop
which, in turn, could allow fraud to occur.
So how do you prevent these weaknesses in
controls? We suggest that your organisation taps
into the knowledge and concerns of staff to
develop a stronger fraud risk management
system. Organisations that have grown through
mergers and acquisitions are particularly
vulnerable because of ‘bolt on’ and ‘legacy’
systems, and even organisations that grow
organically are susceptible if they take their eye
off the ball. Scheduled testing of the control
environment for fraud scenarios, and involving
staff in that process, is a vital part of fraud
prevention, awareness and education. Involving
your staff helps build your front lines (and back
lines) of defence. If you are not doing this, then
you are potentially giving a green light to fraud.
2
3
Find the weaknesses in controls
by asking your employees
One of the reasons that white-collar crime has flourished is
that people prefer to avoid conflict, confusion and confrontation.
In a work environment where we like to trust and be trusted, it
can be difficult for someone to ask a colleague or peer whom
they like and trust to explain a decision, or to ask for supporting
documents to verify a transaction.
However, even if they don’t want to ask difficult
questions of their colleagues, employees are the
best eyes and ears to identify fraud. In 2014,
42.2% of initial detection of fraud was through a
tip-off and almost half of these tips (49%) came
from an employee2. While employees are the
best source as whistleblowers, it relies on them
reporting the issue after the event, rather than
being proactive.
The most effective method to uncover control
weaknesses and identify how a fraudster could
commit a fraud is to enlist the help of your staff
who input and process transactions. They know
the weaknesses and the shortcuts, and those
controls which may have been ‘operationalised’
over the years under a false sense of security
and with an intention to make life easier. They
know transaction types that will be queried and
whether any fraudulent transactions could get
through the existing systems and controls.
We find that there can be an over-reliance on
software, internal audit departments, corporate
security or even external audit to conduct fraud
risk reviews. Rather, our experience shows that
eliciting information on the ‘how to defraud’
scenario requires a specific skill set, and an
organisation must be careful to select the right
people to lead the project. This usually requires
only two people to run such a project.
Importantly, staff who participate in interviews
and workshops need to feel that they can share
information, feel safe to expose the flaws, real
or perceived.
We are often asked whether including staff in the
reviews may increase the risk of fraud by ‘giving
them ideas’? In our experience, it does not. They
already know the weaknesses, but these are
rarely discussed. By exposing the flaws, you will
reduce the risk because now everyone knows
what to look out for.
The planning for a ‘how to defraud’
review is key: ensure that you
understand the business drivers and
systems and obtain the right mix of
staff to participate.
3
4
So what next?
As part of your review, take a deep dive into your control
environment to really understand where the risks may lie.
The good news is that you don’t need much
management time to devote to such a project.
In order to do this we recommend:
1. Identify the department or area you want to
review e.g. front office, back office, or
financial shared service centres
2. Take stock of the systems and processes
used in that area to process transactions
3. Work with your project leader to select an
appropriate cross section of staff to participate
in interviews and workshops
4. Sell the fraud risk management review to your
staff and enlist their support.
It really comes down to the touch points in your
organisation. A perpetrator (internal or external)
looks at your organisation to find the weak link as
a way in to defraud you. Where will s/he look?
Everything is on the table. Looking at your
organisation, s/he will look at:
• Contact points in your various departments
(e.g. front office sales)
• Contact points with your suppliers
(e.g. procurement department)
• Contact points to your bank accounts
(e.g. payment approvers, payroll manager)
• Contact points to your inventory/assets
(e.g. warehouse manager, security system)
• Contact points on your computers
(e.g. exchange servers).
Speak with your key staff about potential control
weaknesses at your organisation in each of
these areas.
Also, don’t forget, when testing your control
environment, to consider how ex-employees
could commit fraud.
Normal staff turnover means that an average
of 12% of your staff leave every year3 – those
people often have extensive knowledge of your
organisation’s systems and controls. Once they
leave, however, management have little control
as to what an ex-employee (particularly an
aggrieved one) may do with knowledge of your
control environment (and its weaknesses)!
Again, we suggest speaking to your staff to find
out what risks they think exist in this area.
If you are an international organisation with
functions replicated across geographic locations,
there is real benefit in executing the results of
what you find in Australia to other locations. In
that way, you can get some real leverage.
It may be a solo dance or it may take two to tango ... or three or four
Collusion is a factor that should be taken into consideration, as it is easier to bypass controls if fraudsters
work together rather than alone. A recent survey by the ACFE showed that over 45% of frauds had two or
more employees involved, and if that was the case, then the median loss rose by 150%4.
Collusion between employees allows fraudsters to get around the most carefully planned segregation of
duties (a mechanism to spread responsibility and avoid any one person having too much control over a
particular business function).
While collusion may be a difficult area to prevent, make your staff aware of the risk of collusion – they are
best placed to identify such behaviour.
4
5
Conclusion
So is regular testing of fraud risk management essential for an organisation? We certainly think so, and
our experience shows that staff inclusion in the fraud risk management activity is the best way to action
that testing. Discussing the risk of control weaknesses with staff enlists their support, and also adds
additional eyes and ears in the battle against fraud.
KordaMentha has extensive experience in providing fraud risk management and training in a
number of industries and countries. Please contact the authors below for more information.
Endnotes
1. Page 39 of the ACFE Report to the Nations 2014
2. Page 19 and 21 of the ACFE Report to the Nations 2014.
3. According to the Australian Human Resources Institute survey on staff retention and turnover for 2012, an organisation of
1000+ employees has a staff turnover rate of about 10% per year while an organisation of 500–999 employees has a staff
turnover rate of about 14% – that is an average of 12% of your staff every year!
4. Page 46 of the ACFE Report to the Nations 2014
About the authors
Paul Curby | Partner
Sydney | +61 2 8257 3050 | [email protected]
Paul specialises in fraud risk and prevention services, and fraud and anticorruption investigation.
Paul has more than 29 years’ experience in the area of fraud risk and investigation consulting in both
government and the private sector. His extensive industry experience includes financial services,
government, manufacturing, insurance, airline and transportation, construction and gaming.
Matthew John Lim | Senior Executive Analyst
Sydney | +61 2 8257 3048 | [email protected]
Matthew has been conducting investigations for large multi-national corporations for the past 4.5 years.
Matthew has worked on cases in the Asia Pacific region and in Europe. His industry experience includes
the financial services sector, oil and gas, telecommunications, government and international shipping.
KordaMentha Forensic
We provide clarity and objectivity to organisations when the commercial stakes
are high, and the evidence is critical to the outcome.
Our specialist forensic tools, rigorous analysis and clear presentation of the financial, factual and electronic
information provides insights that are otherwise hidden in the detail of a dispute, investigation, or review.
Melbourne
Sydney
Brisbane
Owain Stone
Andrew Ross
David Van Homrigh
+61 3 8623 3410
[email protected]
+61 2 8257 3051
[email protected]
+61 7 3338 0220
[email protected]
Robert Cockerell
John Temple-Cole
Brian Wood
+61 3 8623 3355
[email protected]
+61 2 8257 3077
[email protected]
+61 7 3338 0250
[email protected]
Craig Macaulay
Nigel Carson
Partner
Adelaide
+61 3 8623 3373
[email protected]
+61 2 8257 3080
[email protected]
Stephen Duncan
Anthony Hodgkinson
Paul Curby
+61 8 8223 8106
[email protected]
+61 3 8623 3307
[email protected]
+61 2 8257 3050
[email protected]
Briston Talbot
Brittany Lincoln
Alex Bell
+61 8 8223 8114
[email protected]
+61 3 8623 3426
[email protected]
+61 2 8257 3053
[email protected]
Perth
Singapore
Grant Whiteley
Matthew Fleming
+61 8 9220 9331
[email protected]
+65 6593 9363
[email protected]
Partner
Partner
Executive Director
Executive Director
Executive Director
Director
Partner
Partner
Partner
Executive Director
Partner
Partner
Partner
Associate Director
Partner
Subscribe to our publications at kordamentha.com/subscribe
Learn more about our forensic services at kordamentha.com/forensic
This publication, and the information contained therein, is prepared by KordaMentha Forensic Partners and staff. It is of a general
nature and is not intended to address the circumstances of any particular individual or entity. It does not constitute advice, legal or
otherwise, and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the
information. The authors note that much of the material presented was originally prepared by others and this publication provides a
summary of that material and the personal opinions of the authors.
Limited liability under a scheme approved under Professional Standards Legislation.