Drip, drip, drip of fraud
Fraud is like a dripping joint in the water tank in the loft. You don’t know it’s happening until it’s too late and the ceiling comes crashing down.
The ACFE 2016 Report to the Nation contains some interesting statistics and information about how fraud is discovered, who commits fraud, and how long it lasts. Conventional controls and internal and external audits generally don’t work, because the fraudster knows the systems and how to fly under the radar. All too often the warning indicators get missed, such as:
The slightly flamboyant lifestyle;
The expensive overseas holidays, “How does Jack manage to get away so often, does Lastminute.com really work that well? I heard that his partner inherited a stash from a distant relative…”;
The late nights in the office, working weekends;
Being too helpful, especially to internal and external audit; and
Having “accumulated” excessive system privileges etc.
Internal fraudsters hide in plain sight, and the press constantly reports on payroll and finance managers, accountants and others abusing their position of trust. So what can be done?
If you consider the plumbing analogy, checking that all the joints are dry and stress testing the system will ensure that there are no unnoticed leaks. Flushing the system to remove sludge and potential blockages will ensure the central heating system is optimised.
So how does this apply to fraud? Haymarket’s Critical Point Analysis (“CPA”) is designed to detect vulnerabilities in business processes and systems. These weaknesses could result in the loss of critical proprietary information or financial losses from payment of false supplier invoices, employee abuse of expenses and credit cards, or payments to ghost employees. CPA will identify and evaluate these weaknesses.
For example, in every organisation it is the workflows between departments which often present the greatest risk. Wherever there is a branch or interface in the information or authorisation flow, such as the responsibilities between different departments (e.g. credit control and accounts payable, or HR and the payroll function), there is potential for error and deliberate manipulation.
CPA identifies and documents these vulnerabilities and, more importantly, stress tests them to determine the actual risk exposure.
Periodic flushing of the “system” helps to minimise risks. For example, it is much easier for a corrupt employee working in Accounts Payable to manipulate a dormant supplier, change its details such as bank accounts and initiate a one-off payment than to set up a new bogus supplier. Removing such dormant suppliers and making it impossible for a single person to alter details will reduce this fraud potential. Requiring dual authorisation only works if access privileges to key systems and functions are accurately maintained and ex-employees are removed (flushed out) from the system. Furthermore, it is often the case that employees moving from one department to another acquire excessive system access rights. So while job rotation is a good principle to prevent collusive relationships from developing, this should be accompanied by an appraisal of employees’ access privileges.
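The checks described above can be run as a periodic review of supplier bank-detail changes. The following is an added example, not part of the original article and not Haymarket's CPA tooling; the record layout, user names, and the 365-day and 30-day thresholds are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=365)  # assumed dormancy threshold
PAY_WINDOW = timedelta(days=30)      # assumed gap between change and payment

# Constructed sample data (hypothetical schema, not from any real system).
LAST_ACTIVITY = {"S001": date(2016, 5, 2), "S002": date(2014, 1, 15),
                 "S003": date(2013, 11, 3)}
ACTIVE_USERS = {"alice", "bob"}      # "carol" has left; her account was never removed
BANK_CHANGES = [
    # (supplier, changed_on, changed_by, approved_by)
    ("S001", date(2016, 6, 1), "alice", "bob"),
    ("S002", date(2016, 6, 3), "bob", "bob"),
    ("S003", date(2016, 6, 7), "alice", "carol"),
]
PAYMENTS = [
    # (supplier, paid_on, amount)
    ("S001", date(2016, 6, 20), 1200.00),
    ("S002", date(2016, 6, 10), 48500.00),
]


def review_bank_changes(changes, payments, last_activity, active_users):
    """Return {supplier: [reasons]} for bank-detail changes needing follow-up."""
    findings = {}
    for supplier, changed_on, changed_by, approved_by in changes:
        reasons = []
        dormant = changed_on - last_activity[supplier] > DORMANT_AFTER
        if dormant:
            reasons.append("dormant supplier modified")
        if changed_by == approved_by:
            reasons.append("no second approver")
        if changed_by not in active_users or approved_by not in active_users:
            reasons.append("change made or approved by a leaver's account")
        paid_soon = any(
            s == supplier and changed_on <= paid_on <= changed_on + PAY_WINDOW
            for s, paid_on, _ in payments
        )
        if dormant and paid_soon:
            reasons.append("payment shortly after change")
        if reasons:
            findings[supplier] = reasons
    return findings


if __name__ == "__main__":
    result = review_bank_changes(BANK_CHANGES, PAYMENTS, LAST_ACTIVITY, ACTIVE_USERS)
    for supplier, reasons in result.items():
        print(supplier, "->", "; ".join(reasons))
```

A routine change to an active supplier with two current approvers (S001) produces no finding, so the review output stays limited to the cases the paragraph above describes.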
Taking measures to proactively identify and fix the weaknesses in the system will prevent the ceiling from crashing down.