Anti-fraud consultancy UKFraud.co.uk has published a list of 10 common early warning signs that could alert management that fraud may be occurring in their organization. The list draws upon UKFRAUD.co.uk’s substantial experience across an international client base, ranging from major financial institutions, public sector bodies and corporations to SMEs and non-profit making organizations. The list works on the assumption that whatever tools they use, be it IT-based cons and false accounting or other traditional scams, the warning signs are often the same. As UKFraud.co.uk believes that awareness of the signs and a sound approach to countering them can often deter many opportunistic incidents of fraud, it has published the list to help executives benchmark their own operations. Suggested actions that can be taken to counter the risk of fraud are given following each sign.
Click through for 10 warning signs of fraud and actions you can take to mitigate the risks, as identified by UKFraud.co.uk.
This sign is just as applicable to suppliers and contractors as it is to internal departments and functions within the organization. Erratic, incomplete, late or excuse-laden management reporting is often a classic sign that something is wrong. One of the possibilities is the existence of fraud. Further investigation will reveal that lip service and increasingly tenuous explanations are given assertively to thwart follow-up activity. Common excuses used are often the frequent occurrence of IT failures, technology compatibility issues between different company systems or international systems. It is also often the case that once reports are complete, there are typically delays in them reaching those who need to review the data.
ACTION: Insist on up-to-date reporting, within a set timetable and then build this into the internal GRC (Governance Risk and Compliance) systems. Wherever appropriate, adopt an enterprise-wide approach to technology to help with systems issues.
A weakening of anti-fraud and data security systems can happen naturally, over time and is normal – especially when things get busy. This occurs where the sage precautions and risk-avoidance measures get bypassed or ignored in practice as time goes by. This could just be the natural adjustment of systems to the practicalities of working life and busy peaks or it could be deliberate and sinister. However, with the seemingly right processes in place, top-level management are often lulled into a false sense of security that they are actually being used, whilst the fraudster is busy at work getting around them.
ACTION: Make sure you implement the suggestions of your internal compliance managers and organize appropriate training to reinforce attitudes and practice. Ensure that the control processes, especially in tendering, purchasing, invoicing and customer controls and identifications are ALWAYS kept strong, managed and regularly reviewed. Where systems/processes are under pressure when used in practice, introduce a review process – and then adapt them promptly.
A major indicator can be the act of deletion or pressure on staff to delete, remove or otherwise dump past records following a restructure, a new division launch, a JV or acquisition. An excuse of, “Oh, I’m sorry those files were destroyed” should be cause for alarm. It will be an even bigger problem where international operations are involved as it’s far harder to find or recreate evidence in a foreign territory.
ACTION: Take care to establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for and has ownership of the records. They are not always the same person of course. Ensure that scanning, and indexing works properly and that no-one can intercept/edit documents. Also ensure that storage capacity is enough and controlled properly. Where acquisitions and mergers are concerned, ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails and staff contracts. In particular, if you are acquiring a business make sure that you have indemnities/penalty clauses built into the acquisition agreements that relate to the availability of data, logs, audit trails and so forth.
Whether it is archive data or cross reference checks that are missing or wrong; factual inconsistencies will also occur naturally. The cheats who seek to defraud an organization will use the possibility to explain such inconsistencies and hide their fraud.
ACTION: Make sure that all files are electronically stored, with appropriate backups as part of your compliance systems and that no-one has the access to any files that include a DELETE capability. It is also worth having internal or external auditors sample check key files from time to time as a part of the audit program. In addition arrange for the HR department to make it a gross misconduct issue to destroy data without recorded approval from above. This may not deter the fraudster but if nobody else is doing it the fraudster is more likely to be spotted at an early stage.
Excuses, confusion or wild goose chases when disclosing to auditors, be they internal or external, can be a telltale sign too. We need to remember though that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection.
ACTION: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Where there have been delays or difficulties investigate why this was the case by drilling down into the detail. Make sure that the business critical and financial exposure areas take a priority and act upon all failings both quickly and completely; with follow-up audits if necessary.
These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures. These behavioral anomalies have probably already been noticed through the assessment process or by HR staff. Research shows that internal fraudsters are most likely to be either “youngsters who cut across the processes and systems” or “middle-aged executives with the authority and a gripe.”
ACTION: Get HR more closely involved. Then if you still have concerns about such people upon closer inspection, all the relevant files need to be pulled and checked, or you might even consider a private investigator to look deeper into the processes used by such high risk people.
Staff whispers and rumors “that all is not right” should always be taken seriously. These are, however, so often overlooked by senior management.
ACTION: Listen, take all such rumors seriously and investigate the reality.
Good non-execs provide a considered, independent and external perspective. Often they bring in specific expertise from outside the board’s immediate experience and their skills can vary from financial knowledge through to IT. When their comfort factor “goes south” or when they have a “bee in the bonnet” about something that does not add up or make sense, they often have good reason to worry. So must you.
ACTION: It is always good for the business to maintain a fresh supply of new thinking, new approaches and new concerns. Thus if non-execs have concerns about particular issues, one should fund their thinking by allowing them to bring in the appropriate specialist experts who can investigate matters more deeply.
Technical staff working around the enterprise conducting unsupervised IT activity, often outside normal hours, can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. This is more common in smaller organizations where some are working more to help themselves than to help the organization that is paying for their IT equipment and the software they use.
ACTION: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the lookout for data-theft, IPR theft, time theft (people spending all day on Facebook, etc.), or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.
Where people are given a title but without actual responsibility, it can effectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed.
ACTION: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.