Fraud is a perennial problem for businesses and tackling it seems to require a level of cunning that fraudsters themselves would be proud of. But instead of keeping the lid on it, experts say the best response is to be more open and communicative. Are you ready for change?
Whatever anyone does to try to prevent it, fraudulent activity will never go away. Corporate treasuries have the same fraud risks as anyone else, but given the access treasury has to strategic information, pools of funding and payments mechanisms, they are also subject to some bespoke risks and potential for major loss. The risks need to be mitigated.
Alongside the processes and procedures laid down by a company as the framework in which its employees are expected to operate, there is the element of the people themselves who have different and unpredictable needs and behaviours. There is also a technology element that can put controls around the people and ideally some workflow around the processes, but this can also complicate matters. “Where these three elements come together, if you get them right you can significantly reduce your corporate fraud risk,” says Steve Wright, Product Development Manager at payments processor, VocaLink. But, he adds, although the idea is to “make it as difficult as possible”, fraud is an ongoing threat: if a criminal is determined to act, then they will.
With this in mind, all these usual practical measures – including controls around passwords, clear-desk policies, training against social engineering, locking computers when away from the desk, implementing banking processes that require multiple approvals, segregation of initiation and approval of payments – are just “basic things that apply to any business”, according to Bill Trueman, Managing Director of corporate fraud and risk management consultancy, UK Fraud. What is really needed is a change of culture. The common corporate practice of keeping the lid on fraud only serves to perpetuate it and, says Trueman, building silos of risk and compliance expertise into each corporate function (including treasury) serves to limit the level of communication and thus the agility of the business when responding to the threat.
The nature of corporate fraud, notes Trueman, has moved beyond the relative simplicity of the corrupt office manager and the occasional “weights and measures issue” with a supplier and into a sophisticated world where highly intelligent professionals – and professional criminals – will manipulate processes and procedures to inflict heavy damage, both financial and reputational, on their targets. The defeat of a modern sting can thus require multiple corporate functions to co-operate and communicate as never before.
The motivation behind corporate fraud varies considerably, the methods ranging from the desperate and stupid to the ingenious. Fraudsters may act alone or as part of an organised crime syndicate. They may be part of the company or have no connection. But in the corporate world, when a fraudulent act is revealed, the sums involved can be staggering.
Indeed, recent history has thrown up three monumental cases of corporate fraud. Each was inflicted upon a multi-billion dollar business and saw their CEO convicted and sentenced to a long prison term for their efforts. Former Tyco CEO, Dennis Kozlowski, was convicted in 2005 of misappropriating more than $400m to fund his extravagant lifestyle (which allegedly required $6,000 shower curtains). The CEO of telecoms firm, WorldCom, Bernie Ebbers, was convicted in 2005 of fraud and conspiracy in the US’s largest ever accounting scandal. False financial reporting caused investors to lose more than $11 billion. Around the same time, the Enron scandal hit. Its CEO, Kenneth Lay, played a major part in what was termed an “institutionalised, systematic, and creatively planned accounting fraud” that led to the collapse of this US-based energy, commodities and services company. Lay was found guilty in 2006 of multiple counts of securities fraud. He died before he could be given a custodial sentence which was expected to be 20 to 30 years.
These high profile scandals served to cast a dark shadow over the accounting practices and activities of many US corporates, and the realisation that all was not well had earlier heralded the arrival of the Sarbanes–Oxley Act of 2002, which placed culpability for accounting inaccuracies directly in the lap of CEOs who signed off financial statements. That year also saw the award for the IgNobel Prize in Economics (an American parody of the Nobel Prize) go to the CEOs of various companies known to be involved in the corporate accounting scandals. Each was lauded for “adapting the mathematical concept of imaginary numbers for use in the business world”.
There may be dark humour to be extracted from this situation, but the 2013 AFP Payments Fraud and Control survey shows that 61% of organisations questioned experienced, attempted or actual payments fraud last year. Some 27% reported that the number of fraud incidents had increased, with affected organisations being hit more often, indicating that the fraudsters know they are a soft target and, more worryingly, that nothing had been done to close the breach.
The latest findings from the UK’s fraud prevention service, CIFAS, saw its member organisations (spread across multiple sectors) report a 53% rise in 2012 of facility takeover fraud – unlawful access to and fraudulent operation of an account. In a survey published in December last year by EuroFinance, more than a third of global financial professionals stated that they had worked in an organisation in which serious financial malpractice had taken place. The prevalence of fraud is a concern but, according to the survey, there is a serious obstacle preventing companies from tackling it head on.
Corporations, it seems, are far less likely than banks to prosecute fraudsters. Some 57% of respondents said that whistleblowers severely risked damaging their careers by speaking out. When serious financial fraud had been detected, 42% of corporate respondents said that the perpetrators had been fired but that the issue was merely hushed up. Of the banks, 76% of respondents said the guilty party had been prosecuted. Whilst corporates are seemingly prepared to get tough on minor fraud cases, they are not prepared to risk seriously damaging company reputation (and potentially their share price) by going public, and so they often sweep it under the carpet. According to Melvin Glapion, UK Managing Director of global risk and security consultant, Kroll Advisory Solutions, this reluctance to face up to the issue sends out all the wrong signals.
Know your employees
Whilst fraud will always present a challenge, Glapion feels that unless companies establish an appropriate culture around this topic it will remain a taboo. Failure to tackle the underlying problem will not make it go away.
The major corporate fraud that takes place is usually internal, notes Trueman. The perpetrator is often at a relatively senior level and will nearly always have a personal issue (such as a gambling habit) or corporate issue (being overlooked for a promotion) driving them. “Usually the fraud involves significant amounts of money,” he says. Sophisticated stings are much in evidence but most often are based on a deliberate ‘conflict of interest’ where the perpetrator will work with an existing supplier and arrange to overpay for products, or they will work with a relatively new supplier to the company and receive a kickback from them in exchange for continued business.
As such, corporate fraud tends to be an ongoing problem. “If regular payments go to the same supplier, the name becomes familiar within the immediate company in terms of invoicing,” Glapion explains. It thus becomes commonplace and unremarkable. Once it has become a part of the system it is much more difficult for other staff, especially at a junior level, to question it.
The challenge for a corporate is in how to identify and mitigate such fraud, says Trueman. A possible deterrent that can also be an investigative tool may be found in a back office IT system that can create an audit trail for every process carried out by staff. But, he notes, the fraudster will know how to sidestep these systems (just think of Nick Leeson or Jérôme Kerviel).
VocaLink’s Wright argues the case for as much automation and straight through processing (STP) of accounts payable (AP) and receivable (AR) as possible. As well as eradicating points of intervention and creating a clear audit trail, he says that it removes the need for back office staff to have access to bank accounts and core systems, or for others to handle sensitive account details on bits of paper. “If someone is manually assigning receivables to a particular account and they have found a way of diverting those funds, and if they are also doing the accounting, the fraud can go undetected for years.” He adds that if someone gets away with it once “invariably they will go back again and again and it only comes out when it has become a big problem”.
Automation clearly has a key role to play in prevention, but when it comes to fraud detection Glapion notes that relying on “algorithms and analysis” to try to figure out where fraud is going to occur and who is going to do it is part of the toolkit “but it is not the answer in itself”. For Glapion and Trueman, the key lies in being able to monitor and understand employees at a more human level. Internal fraudsters may exhibit behavioural traits such as obviously living beyond their own means or refusing to share workload or take holidays. Observing such changes is a key part of detection.
Who are you?
All businesses therefore need to be able to answer a very basic question: who are the employees in the company, particularly in the finance, sales and marketing and executive teams? Details such as address and spouses name and employer can be cross-referenced with the company’s database of key suppliers to see if there is any matching information. “We do find conflicts of interest which have not been disclosed to the corporation,” Glapion says.
However, in some countries, harvesting and cross-referencing this kind of data is illegal (in Germany, for example). He urges all businesses to “think outside the box” when it comes to looking at how legitimate information can be checked to ensure there is sufficient basic knowledge about all employees.
Related to this is the more pressing need for companies to carry out background screening of those in or being considered for key roles. In treasury, says Trueman, the task takes on greater importance because of the sensitivity of the information they may have access to, including strategic corporate information and any trading and merger and acquisition (M&A) activity.
“You’d be surprised at the number of companies that don’t do this,” comments Glapion. “Many tell us that they don’t feel comfortable prying into personal lives. But quite frankly, it is just basic due diligence. They will do it for M&A transactions and on the financial side for tax and pensions reasons, so they certainly should be doing it when employing key personnel.”
A credit check can be a useful indicator of an individual’s propensity to be compromised. But for key employees it is necessary also to uncover any issues around litigation or criminal records and to acquire ‘human intelligence’ by talking to people who have worked with or have been involved in deals with this individual. It is, Glapion notes, “basic common sense” that the higher up you go in an organisation the broader the scope of enquiry should be. “Candidates looking for a very senior level position should expect that the company possibly about to hire them will want to know more about them.” Some searches require permission; any candidate that refuses may be hiding something (but it may just be an objection on moral grounds).
Watching the watchers
The task of checking and monitoring staff is often seen as the responsibility of HR. But for Glapion, this is “much more of a commercial responsibility” and should be shared with General Counsel (the legal head), HR and other key department heads such as finance and sales and marketing. Department heads should be looking at individuals within their department and asking for the information at the point of hire and reviewing that information every one or two years. Indeed, if there has been a change in an employee’s circumstances or behaviour it may be necessary to review their levels of access and authority and be “mindful of situations” that could place them in a position where they may be compromised.
Accepting that many people are uncomfortable talking about these investigative activities, Glapion insists that they are absolutely necessary. No individual should be above this process, from the CEO and Board down, and this is why the responsibility sits well within the legal division and not HR.
A cultural shift
To counter inevitable accusations of Big Brother-type surveillance, it’s necessary to normalise the checking process, making it part of company policy and bringing it into the open so that everyone knows it is part of the process. Whilst the information gleaned must be treated with absolute confidentiality, the discovery process itself should never be covert, as this engenders mistrust and suspicion.
When a company is subjected to a major fraud it will almost certainly and understandably close ranks and seek to suppress it. There may be certain aspects that have to be reported in the accounts, says Wright, but he adds that “no one wants to make public where their issues are”. This secretive approach can permeate the business and create an environment in which discussion is awkward, if not impossible. If individuals do not feel comfortable communicating their concerns upwards it can enable someone to operate outside of policy and procedure unhindered.
Companies need to state the absolute expectation that all communication is made through the official channels and not conducted in secret. It also needs to be asserted that individuals will not be subjected to any repercussions if they report something that they believe to be out of the ordinary, even if it means reporting something about their direct manager or the CEO.
If this out-in-the-open approach is enshrined in policy it will be seen as a genuine requirement that will be taken seriously. “Companies should also be able to demonstrate it in action, even with something that didn’t result in finding fraud,” Glapion advises. “If an employee in a subsidiary discovers something unusual that relates to a senior executive and it transpires that it was nothing, there is no reason not to praise that employee for raising the matter to show other employees that this is what is expected of them, as a means of combatting fraud.”
Another matter that should be addressed is the standing that fraud prevention often has in the hierarchy of corporate needs. In the current environment where personal budgets are squeezed and redundancies are hanging over ever more people, the temptation to defraud an employer can escalate into a need, notes VocaLink’s Wright.
The corporate investment agenda tends to be driven by revenue, profit or cost simply because these are areas that most can relate to within a business case. When tackling fraud, Wright notes that many companies will implement measures only when their business has been hit because it is a pure cost centre. “It’s one of those things that people believe probably won’t happen to them,” he notes. But unless tackling fraud is moved up the agenda, enabling firms to put the right measures in place and to look at the intersection of people, processes and technology, how confident can a business be that it is not already a victim?