Who Polices the Risk and Fraud Managers
Following the recent high-profile cases of senior fraud and online security managers being caught up in fraudulent activity, UKFraud's Special Interest Group (SIG) for Corporate Fraud Prevention has set out a new set of benchmarks which will help organisations identify the signs that something is awry. The SIG also outlines the most effective strategies for countering these risks. Recently established by UKFraud, the Corporate Fraud Prevention SIG consists of leading fraud prevention consultants coupled with representative input from a wide range of fraud industry skill sets.
The SIG was established in response to sector frustration at recent claims by the UK's National Fraud Authority that fraud levels have risen significantly from £38bn in 2011 to £68bn in 2012. The aim of the SIG is to analyse the approach taken to fraud in the corporate sector and to make recommendations for change at local, national and global levels.
According to the SIG's research, the most likely signs of wayward behaviour by fraud and security management are relatively easy to spot and yet often overlooked. They include:
- Fraud systems that are below par. The fraud systems chosen by an organisation can be unfit for purpose and may not deliver what is required. There is also often an unwillingness, due to the influence of the internal fraudster, to consider competitive fraud technology products that do deliver or that can deliver more quickly. Often, the SIG says, it is easy enough with hindsight to see that a change to effective systems had been deliberately avoided, but typically, career-minded employees are reluctant to blow whistles.
- Erratic, incomplete, late or excuse-laden management and system reporting is a classic sign that line managers are covering something up and, says the SIG, this is just as likely to be the case with those fraudulently managing the security and anti-fraud systems of a company. Normally, further investigation will reveal that 'lip service' and increasingly tenuous explanations are given assertively to thwart follow-up activity. When, though, one is dealing with an errant fraud manager, these explanations are more difficult to see through and more than likely to pass the plausibility test. Often the blame for the cause of any suspicion will be thrown onto inadequate IT systems or on the political gaps between corporate silos.
- Frequent excuses based around IT-related issues such as technology compatibility issues between different company systems or even between international systems.
- Unexplained wealth of managers outside of work – there will be plenty of evidence with housing, wardrobe, holidays, cars and home computing equipment together with rewards for family and friends which can even extend to private school fees for children.
- Workplace rumours, jokes and tip-offs. These are often dismissed as political jibes but often this is a telltale sign that something is wrong and that staff are too afraid to 'blow the whistle' formally.
- Frequent use of the 'privileged rank' of Security or Anti-Fraud Manager to divert questions or avoid enquiries from those who might raise suspicion such as internal or financial auditors. This also includes the robust use of the 'we don't want to compromise security' excuse.
- Where fraud specialists know the latest trick, for example how on-line fraud works, the unique symptoms of that particular scam will show up in the company where the fraudster is using it.
UKFraud's Corporate Fraud Prevention SIG believes that 'maintaining an independent review perspective managed by those with the greatest experience' is the most effective solution for combating inside jobs by fraud and security management. Amongst the strategies the SIG would recommend are:
- A greater emphasis on the use of Non-Executive Directors. This is crucial as usually non-execs are appointed for their experience of skills and operations in other organisations and sectors. They have that 'other worldly' eye that is able to cast a different perspective. They should have the ability to review all aspects of a company's anti-fraud strategy and to ask awkward questions 'from the top' as this carries more weight.
- Up-to-date reporting must be a core mantra of good company management, with the details of repeated exceptions thoroughly investigated. Organizations should also ensure that reports are not only timely but that they are also complete, real and updated as required. These processes should also then be built into the internal audit schedule for checking. This in turn should feed into the main GRC (Governance Risk and Compliance) systems. In addition, wherever appropriate, organisations should adopt an enterprise-wide approach to technology as this will help with errant systems issues. Thus, if the technology works well in all other parts of an enterprise, it is highly noticeable if it fails in the management of the fraud department or the control of online and financial systems.
- Organizations need to establish records both electronically and on paper. This should include specifying where documents are and when they should and should not be stored. One should identify who is in control of these systems, processes and procedures and who has ownership of specific records. Organizations also need to decide who is responsible for checking that these measures are followed. The scanning and indexing of work needs to be carried out to professional standards and there must be rules to ensure that no-one can intercept/edit documents at an inappropriate stage or in a fraudulent way. It is also important, the SIG believes, to ensure that your storage capacity is controlled properly.
- Where acquisitions and mergers are concerned, organizations need to ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails and staff contracts. In particular, when acquiring a business, companies must make sure that they have indemnities and penalty clauses built into the acquisition agreements which relate to the availability of data, logs, audit trails and so forth.
- An extra fraud prevention 'task-set' should be drawn up for auditors and IT auditors, whether they are internal or external. This can have a real impact, although sadly most auditors are simply there to either report on financial results or check asset lists and software licence compliance. There are, though, many specialists who can undertake 'special' tailored checks to find frauds within all manner of business systems including payroll, invoicing or payments. By turning them towards checking the efficacy of the security and fraud systems in place, says the SIG, it is not only a greater deterrent but also a far more certain way of catching wrongdoing whilst in flight.
- Getting HR more involved. This allows you to define responsibilities and handle warnings for non-compliance.
- Organisations should actively consider the use of external risk consultants who can offer solutions which benefit from an independent viewpoint that resides outside of a company or its politics.
- Where doubts exist, organisations should contemplate the use of private investigators to look deeper into the processes used by those who are deemed to be high risk people. These need to be the breed of computer literate investigators with corporate fraud experience.
SIG member Malcolm Gardner, the CEO of fraud prevention consultancy Freevision Ltd., believes that the situation may be worse than many fear. In his view, "Typically, when fraud or security managers are caught, it is either because they went too far, having become complacent, or where there has been a tip-off. This tends to suggest that those who are caught might simply be the tip of the iceberg. With sectors such as the online market now so very tempting to fraudsters, it can also be tempting for internal cheats too. Corporations need to be sure of their staff and need to put the right systems in place to help the loyal staff who are the ones still working for the good of the company."
Bill Trueman echoed Gardner's comments adding, "It is awful whenever any fraudster is identified within a business, but if it is the person who has the responsibility for fraud themselves, then this is even more abhorrent. Within the fraud SIG, we all universally believe that these fraudsters who were identified as fraud specialists themselves should have significantly more severe punishments, for abusing these particular positions of trust. The first step is finding them and then managing the problem. Hence, our SIG was keen to put these guidelines in place for all to benefit. We would welcome any feedback on other pointers and precautions that people feel might be also of benefit in future SIG reports."