Organizational norms influence behavior, and unethical behavior, particularly from senior management, can be contagious. So, the first step in an organization’s fight against fraud is to establish an ethical culture within the organization.
This starts by having an official policy on fraud. Fraud policies vary from organization to organization, but they usually contain:
Definitions of activities that are considered fraudulent
A statement that all appropriate measures to deter fraud will be taken
Confirmation that all instances of suspected fraud will be investigated and reported to the appropriate authorities
A direction to all employees to report suspected fraud
The policy should also set out the formal procedures to follow if fraud is suspected or discovered in the organization. It should state:
How to deal with the individuals involved
How to collect and preserve evidence
How to communicate with stakeholders and, if necessary, the media
The policy should be communicated to all staff and fully implemented. It should be reviewed at board level as per the organization’s internal norms for policy renewal.
The risk of internal fraud occurring can never be eliminated, but steps can be taken to manage it.
Train employees
Regular training should be provided to all employees to:
Make sure all employees understand what constitutes fraud
Make them aware of the costs of fraud to the organization, including loss of business, lost profits, reputational damage, potential job loss, and decreased morale
Make them aware of the personal consequences of committing or facilitating fraud, including the possibility of imprisonment
Establish a zero-tolerance policy on fraud
Encourage a speak-up culture
Be proactive
Organizations should take a proactive approach to detecting fraud that includes:
Using continuous monitoring software to detect fraud
Performing regularly scheduled audits along with “surprise” fraud audits
Auditing accounts on a regular basis and in line with accounting/auditing rules and standards
Implement a fraud risk management framework
Fraud risks are constantly changing, so it is vital that organizations implement an effective fraud risk management framework to:
Identify and assess potential vulnerabilities
Manage/mitigate identified risks
Monitor and report regularly on fraud risks
Implement controls
By implementing some simple controls, organizations can significantly reduce the risk of internal fraud.
For instance, having appropriate segregation of duties is important in banks and other financial institutions. Many high-profile rogue trading cases were facilitated by the lack of segregation between front-office functions (sales and trading) and back-office (operations) functions.
Some other examples of controls that help to prevent fraud include:
Having a two-person signoff procedure for all transactions
Allowing sensitive information to be accessible to only those who need it to perform their job (job role definitions should specify what information employees can access or modify, and IT systems should implement this specification robustly)
Ensuring via system controls that employees’ login credentials are changed regularly
Making employees take their full allocation of vacation days each year, including requiring them to take a “block” of (say) two weeks where someone else may be required to perform their duties
Conducting background checks on all first-time employees and contractors
Conducting detailed background checks on anyone who might have access to the organization’s funds, IT systems, and confidential information such as proprietary technology
Managing external fraud
There are a number of actions that organizations can take to protect themselves from common types of external fraud:
All employees should scrutinize e-mails or websites that ask them to enter personal or company details. Most phishing messages have grammar, spelling, or punctuation errors, so check for these.
If you doubt an e-mail is legitimate, do not open any of its attachments or click any links it contains.
You should also:
Never give out personal or sensitive company information via e-mail, messaging apps, or over the phone unless you are absolutely sure that the e-mail/message is authentic, or the line is secure.
Be suspicious of unexpected text messages that claim to be from a reputable source such as a bank or executive of your organization, particularly if they prompt you to act urgently.
Be wary of calling any phone number or clicking any link that is embedded within a text message.
Never reply to e-mails or text messages that request your login credentials.
Payment requests that come with new or amended bank details should be independently verified. This includes internal e-mails from senior management that contain payment requests.
Do not be pressured to act on urgent payment requests, even if they appear to originate from someone senior.
Organizations should consider removing information from their website or social media channels that could let fraudsters know which third parties they work with.
There are a number of control measures that can be used to protect against vendor fraud.
One obvious – but vital – measure is to perform background checks on all vendors.
It is also vital to have a written code of ethics that states how the organization expects employees and vendors to conduct business. The code should be reviewed and updated as per the organization’s norms or as deemed appropriate, to reinforce the idea that the organization prioritizes ethical business practices.
Finally, official whistleblowing channels or anonymous hotlines, such as a dedicated email address or telephone number, can help detect vendor frauds, particularly those involving collusion.
Some steps that businesses can take to prevent long-firm and short-firm fraud include:
Checking the trading history of any company they deal with
Checking the credit histories of those running the companies
Asking the business for trade references and checking the authenticity of these references (some criminals form companies to fraudulently provide references for each other)
Being wary if the only way of contacting a company is by e-mail or phone
Reporting suspicions
All organizations should encourage employees and third parties to report suspected fraud, whether through an official whistleblowing channel or anonymous hotline.
Reporting is one of the most effective ways of deterring and exposing fraud, and it can allow organizations to address problems before they lead to reputational damage and financial loss.
Organizations should have a policy that:
Outlines how an employee or third party can report suspected fraud anonymously and confidentially
Guarantees that anyone who does so will be protected from dismissal, detriment, and victimization
All reports of suspicious activity should be evaluated promptly and thoroughly.
The content for this article is taken directly from Intuition Know-How’s tutorial ‘Fraud’, taken from the ‘Global Compliance’ course, which is part of Intuition Know-How’s comprehensive Regulation & Compliance channel.
Ruairi is a content marketer for Intuition Publishing, focusing on the creation of written pieces around corporate learning and finance. If you'd like to speak to an eLearning solutions specialist about an upcoming project, Ruairi can put you in touch with the appropriate Intuition representative. Email him at rodonnellan@intuition.com.