Defined by the UK Serious Fraud Office as intentional deception to obtain an advantage, avoid an obligation or cause loss to another person or company, fraud is an ongoing issue for the business community. Treasury Today considers the threat from the treasurer’s perspective and asks what role the profession has in defending corporate cash and reputation.
In a globalised and competitive world where complexity of systems and processes meet a workforce subjected to increasing personal financial pressures, and where blasé attitudes to security assist unchecked greed, the conditions are right for fraudsters to try their luck. Fraud is of course nothing new, but despite awareness of its prevalence, and the adoption of sophisticated anti-fraud technologies by some business, it remains a major commercial issue.
Despite this, the ACT/Kyriba annual report shows that fraud prevention remains surprisingly low on the priority list with only 11% viewing it as one of their three top concerns for 2015. Martin Taylor, Vice President of Northern European Sales at Kyriba says it is certainly “a concern” that fraud does not feature highly on most treasurers’ radars, particularly given the number of high-profile cases that have come to light on both sides of the Atlantic in the past couple of years. “At the moment, there does not seem to be too much ownership of the problem.” It is, he believes, not solely an ‘IT problem’ or a ‘risk problem’; it is a matter in which all must be involved.
After all, the reputation of a business that is in some way embroiled in major fraudulent activity is starting to have an interesting and potentially serious side effect, notably in the Asia Pacific region. Ethical business practices are directly related to attracting and retaining talent in the region, with almost 80% of respondents polled in Ernst & Young’s (EY) recent APAC Fraud Survey 2015 saying they would be unwilling to work for companies involved in bribery and corruption. As EY concludes, “fraud prevention is no longer just a legal and compliance issue but impacts recruitment, talent retention and business continuity.”
Red flag act
So how do you spot a potential fraud, or stop fraud before it even starts? Well, most perpetrators of corporate fraud do not aim for the big numbers straight away simply because the chances of being caught syphoning millions in one hit are very high. The intelligent fraudster makes multiple micro-transactions, often sent on a circuitous route, ensuring far greater difficulty in tracing their movement. The UK Serious Fraud Office notes a number of indicators or ‘red flags’ that may suggest an individual is engaged in fraud. Its watch-list is not exhaustive but combinations of the following may indicate trouble:
Significant changes in behaviour.
An individual is known to have large personal debts or financial losses.
Transactions taking place at odd times, odd frequencies, or involving unusual amounts or to odd recipients.
Discrepancies in accounting records and unexplained items on reconciliations.
Missing documents or only photocopied documents available.
One employee has control of a process from start to finish with no segregation of duties.
It almost goes without saying that any approach must be handled with extreme sensitivity.
Within any organisation humans are most likely the weakest link, says Kyriba’s Taylor. “If an employee is given unilateral control over financial movements without safeguards then the possibility for fraud exists.” As part of a pre-employment checklist, he suggests a degree of due diligence, checking relevant credentials for example. Although most recruitment specialists should do this anyway, a discreet background search may prove worthwhile. As employment progresses it becomes a line management and HR duty to keep up with personnel matters; this may reveal at an early stage problems that could, if left, resolve in fraud.
As treasurers are at the helm of the company’s finances, they are often the last in the chain when approving payments or executing trades, Taylor notes. “If the company is still depending on individual banking portals and spreadsheets then the potential to defraud is much higher than for a treasurer with highly secure workflows.”
For Steve Baseby, the UK ACT’s Associate Policy & Technical Director, the fact that treasurers tend to deal with the wholesale end of the money spectrum sets them apart from more obvious areas of potential fraud (simply because of the process, not the people) such as accounting, accounts payable or purchasing. Treasurers do have access to payments systems where they move quite large sums of money, but even here the classic bank internet system for the corporate treasurer has a three-tier transaction process, he explains. When one of these systems is implemented the first thing internal audit will do is certify its integrity so that once in operation, having got to the stage where the business is creating a payment instruction, it is certain that, depending on value, at least ‘four eyes’ approval is given. “And ideally none of these people will have anything to do with the original commercial transaction.”
IT meets IQ
In addition to multi-factor authentication, companies can put in place more general safeguards such as Virtual Private Networks and IP Filtering. Many of these tools are commonly and conveniently deployed as part of a TMS or ERP. Furthermore, IT can also integrate treasury system user rights with internal systems using Lightweight Directory Access Protocol (LDAP) Authentication, effectively creating a secure single sign on for multiple services. “Even just implementing these controls increases security dramatically, without having to resort to further IT investments,” says Taylor. “As long as people follow the process and don’t make exceptions ‘just because it seems to be the CEO emailing me’, then the defences will remain enforced.”
In any approach to fraud detection and prevention, whilst most environments can be considered for risk-free operation, there will always be a cost associated with the number of people or systems engaged in checking every transaction. “If you increase the oversight you lower the risk, but businesses have to take decisions about how much cost they can justify to lower those risks,” says Baseby. “There is a persistent level of fraud because business in general chooses not to overload the internal controls because they know that costs can get out of hand.” There is, he notes, a “bearable level of control” and within that limit, internal auditors will use various statistical sampling methods to check the level of confidence that there is not fraud within a system, but fraud is still possible.
Why is this acceptable? As an example, a normal commercial relationship that involves a continuous flow of trade will, in the eyes of the auditors, have a standard deviation probability measure of the way the business runs its procedures. This methodology may give 98% certainty that things are happening as they should. Within this boundary Baseby says it is generally accepted that the cost of pushing that last 2%, and thus fully eradicating fraud, would be “ludicrous.” Even if the costs were acceptable, the reality of business would most likely see the company grind to a halt under such a regime anyway; hence there has to be a practical limit of control beyond which it becomes unfeasible. Herein lies the need for clear, well-documented and promoted policy as a means of providing the foundations and guidance for all.
A matter of policy
Most corporates will have a two-stage policy process, Baseby notes. A summary policy will be agreed at Board level, covering the general principles and strategies (including IT) around matters such as managing payments, dealing processes, counterparty exposures (including bank exposures) and will set risk appetite, boundaries and limits for practical application above which additional checks will be required.
The second stage of policy takes the form of the more detailed procedures manual, which describes actual processes. This should be the constantly evolving part. As this document is amended, so the conversation must continue with internal auditors to keep every process up to date. This, Baseby explains, avoids the common error of thinking that “just because a system worked once it will always work.” Although policy must not be too restrictive and prescriptive, the adoption of procedure must be across the board, with no exceptions because, as Taylor mentions above, as soon as its influence is disregarded the risk of fraud rises significantly.
Policy around fraud should address control measures which will seek to either prevent or detect at various levels. Organisational controls may include assurance that senior management has oversight, that staff background checks have been carried out and that there is segregation of duties where necessary. Physical controls such as workplace security roll into system controls that cover areas such as access and authorisation rights and identification. Controls around process will consider a wide spread of areas such as management of mandates for bank and dealing activity, the control of financial product acceptability, payment approval processes, strong reporting and the insistence on at least an annual independent audit. Accenture’s ‘Treasury operations and controls’ advisory document urges treasurers to make sure policy is relevant, clear, well understood, aligned to the corporate objectives and, most importantly, has full buy-in of all stakeholders.
Ultimately it is the responsibility of all employees to safeguard and be vigilant to the threat of fraud – but are strong policy guidelines enough? The EY Fraud survey referred to above suggests that policies are failing to improve attitudes to fraud. Some 52% of EY’s respondents believe anti-bribery and corruption policies are ‘irrelevant and ineffective’. In addition, 41% said a code of conduct has little impact on how people actually behave. Although 55% of APAC companies have whistleblowing hotlines in place, the number of respondents prepared to use them has dropped since the last survey (81% in 2013 but 53% in 2015). “The drop in whistleblower hotline usage appears to be due to respondents being increasingly concerned about insufficient legal protection or the lack of confidentiality leading to a risk of retaliation,” says Reuben Khoo, EY Partner and ASEAN Leader for Fraud Investigation & Dispute Services. “It is clear that APAC policies, codes of conduct and whistleblowing hotlines are not enough. Companies need to demonstrate and communicate about ethical behaviour if they want to affect true change.”
A forensic approach
When something is amiss and internal audit and investigation cannot find an answer, an external forensic accounting expert may be required. Forensic accounting is all about piecing together information contained in financial records and other documents, to create, or recreate, as accurate a picture as possible of an event or transaction that has happened, explains Richard Abbey, Head of Global Forensic Accounting firm, Stroz Friedberg.
The unwinding of that event or transaction is like “reverse engineering” each step to be able to tell when a payment was made, where it went, how it was described in the system and what it was that triggered it, such as an invoice or payment instruction, and who authorised it, which cost centre did it go to and so on until the truth is revealed. But other than the knowledge that something is not right, Abbey notes that there are few immediate warning signs with which a forensic investigation can commence; it can require a long and patient trawl by skilled practitioners through the relevant data.
However, genuinely beneficial technology is at hand in the form of ‘transaction monitoring’ which can help uncover anomalies. Stroz Friedberg has developed its own analytical engine that uses complex algorithms to unearth irregular transaction patterns. The output, also known as red flags, will be further investigated by the team, tracing them back through the chain, both internally and externally.
Abbey is convinced that it is becoming less effective for businesses to rely fully on internal networks and control mechanisms such as segregation of duties to protect assets. He argues that organisations will need to run regular monitoring and analytics on all their transactions to be sure they have not been compromised. The issue is not now just one of fraud prevention and detection, but also one of regulatory compliance, as rulings around AML, bribery and corruption and fraud hit the statute books.
Curiously, although he comments that many organisations still think fraud is something that only happens to other companies and thus they prefer not to spend time and resources in trying to prevent it, he believes that the current raft of regulations is having more impact in this respect. Abbey comments that businesses have spent a lot of money in the past few years taking advice on internal control frameworks to ensure regulatory compliance. For him, the next challenge is going to be in proving that these controls are working and being adhered to. “The most obvious way to do that is to carry out regular transaction monitoring, and if you’re not doing that then query whether you really have implemented adequate controls.” Whilst he concedes that real-time monitoring of every transaction is maybe too much of a regulatory ask, he feels it is “inevitable” that the regulators will eventually expect some kind of “regular retrospective design to control and capture infringements.”
Detection and prevention
Claiming a first for transaction monitoring in the procure-to-pay environment is David Griffiths, CEO of UK-based FISCAL Technologies, vendor of the APForensics suite. He says his firm’s cloud-based or installed system sits alongside a corporate accounting system, monitoring invoice payments and consuming master data relating to suppliers and employees to build a picture of payments activities of all values as they unfold in real-time. Working in the fraud and compliance context, it uses proprietary algorithms to perform real-time controls monitoring by continuously recalculating and outputting any anomalies or ‘red flags’ for further investigation. These warnings may, for example, be based on the size of the payment, the date of payment, the frequency or a combination of such issues. If a red flag is created it may warrant further investigation by internal audit or an external forensics unit.
Due to the sheer volume of data being processed, internal audit capacity for this kind of investigation is typically restricted to ad hoc investigations. “They may do this once a year; what we do is carry out those tests all the time,” says Griffiths. “This enables management within each business unit to own the output of all procure-to-pay monitoring and to take responsibility for it.” The role of treasury in this context is to provide detailed insight into the mechanics of cash and payments processes within their company which can help other functions to better understand their own processes and any suspicious movements.
Ultimately, a company can only control the opportunities it gives to fraudsters; it has no control over the external pressures its staff face nor how they may rationalise an act of fraud. With or without technology, one thing is certain and that is the responsibility for preventing or capturing fraudulent activity must now be collaborative rather than individual and that the entire process must start from a company-wide ethical stance and be led by a set of policies that everyone buys into. Where there is the risk of fraud, the chances are that fraud will eventually occur, unless the organisation has identified the risk first and put effective anti-fraud controls in place.