The fraud threat from within – take action now to protect your business

Fraud risk can heighten in times of disruption and the operational upheaval caused by COVID-19 means that organisations need to be alert to potential and enhanced fraud risks from within.

Personal financial pressures, potential reductions in salaries and bonuses, and concerns over possible redundancies may tempt employees to commit improper acts. Aside from personal gain, individuals may also feel that the standard rules of operating and the company code of conduct can be justifiably waived in such unprecedented circumstances, and may actually see their actions as helpful to the efficient running of the business.

Compounding the impact of these motivations are changes in the working environment, including remote working, staff shortages and management being diverted from business as usual functions to deal with critical issues. This rapidly changing environment can create new opportunities for misconduct, which may go unnoticed unless organisations are aware of the risks and adapt where necessary.

What should corporates look out for?

Faced with threats to operational continuity, there is pressure to act quickly and to be flexible, so as to adapt effectively to the continually developing situation. Demand on supervisors and management is likely to have increased, decision making can be ad hoc and there will be demands on resources and time.

With the onset of remote working, standard controls practices may no longer be functioning. For instance, approval of payments, journals or updates to system master data may have previously been based on checking original supporting documents with the benefit of face-to-face peer review. Temporary workarounds might include reliance on electronic documents and copies, as opposed to original invoices or purchase orders, bringing with it the increased risk that payment information may have been doctored.

The maintenance of segregation of duties could be problematic as staff involved in verifying and authorising may no longer be in the business or may have been diverted to other roles. In addition access control rights, ring-fencing who has access to view and amend data within systems, may be inadvertently removed in the transition to remote working.

With increased pressure on existing supply chains and restrictions on the global movement of goods, companies may be forced to look for new suppliers. However, any lapses in control practices could mean that supplier approval processes are overlooked and the supplier might not be put through the standard third party tendering and due diligence processes. This could expose the company to potentially criminal elements entering their supply chain, and to possible employee collusion with suppliers, perhaps accepting financial inducements and bribes for contracts or colluding to inflate prices.

In addition, the change in working patterns, staff roles, or staff being made redundant or put on extended leave, may reveal existing fraudulent activity that has been ongoing for some time prior to the pandemic.

What can you do to address the risks?

Tone from the top
Management should remind employees that the code of conduct still applies and will continue to be monitored. In addition, management should be alert to the heightened risk of misconduct and encourage open and timely escalation when misconduct issues are suspected. Compliance functions must adapt the way they work to remain effective.

Assess fraud risk and adapt internal control environment
The fraud risks will have changed as a result of COVID-19 and existing controls may no longer be practical. It’s time to take a fresh look at your existing fraud risk assessment and adapt existing control measures in order to effectively mitigate risk. In addition, segregation of duties, with any necessary modifications, should be maintained so as to ensure that there is no undue concentration of authority in individual employees.

Robust record keeping
Make sure evolving fraud risk and internal controls are clearly documented in an updated fraud response plan. Audit trails should also be maintained and decisions formally documented, with the approval process outlined.

IT controls
Review access controls, to ensure that the correct access rights to systems are in place and check that systems are running all available security updates. Monitor audit logs of system activity for suspicious activity including unexpected users, changes to master data or the addition of new suppliers.

Taking a proactive approach can act as an effective defence and deterrent

No single measure will completely protect your organisation from the enhanced fraud risks posed by COVID-19. However, consideration of your unique circumstances and taking some of the above steps can contribute to an effective defence, as well as deterring would be perpetrators.