Lawyers should be aware of the dangers of insider fraud when advising their clients, as the damage can be catastrophic for a business - no business is immune from the danger, not even law firms themselves.
The reality of corporate fraud is that it is an all too common occurrence. Fraud levels remain high – seemingly regardless of market conditions – and the sad truth is that the guilty parties are often found at the very heart of a business, frequently key staff and trusted suppliers. Economic losses are usually the first visible effects; however, the reputational damage of a public case can be worse, hurting an organisation’s future earnings significantly more. As management teams start to reflect on the year and commence planning for 2013, the top priority should be to safeguard against sophisticated fraudsters - they may be closer than you think.
Although it is dangerous to try to portray a "typical" fraudster – anyone can be one and there is no formula that can be applied to identify them – there is a variety of anecdotal evidence suggesting that employees are often involved, whether directly or indirectly.
I have seen growing evidence of fraud that uses confidential information, apparently sourced from the victim company. The perpetrator uses this information to establish a degree of credibility as to his or her authenticity, thereby, for example, facilitating the erroneous transfer of funds. There can be little doubt that, in such cases, this information was possibly supplied by an employee of the victim. Moreover, it is often very mundane information, such as bank account details and other customer-related information, which can be used to establish credibility and facilitate fraud.
However, it is not simply this superficial legitimacy that determines the success of the fraud. In order for fraud to be perpetrated, there must be either a fundamental lack of basic internal controls in safeguarding payments or a simple failure to observe them. It is critical to ensure that all employees understand the importance of protecting information available to them, regardless of its apparently trivial nature.
It is virtually impossible to be 100% secure against an attack from a determined, sophisticated and knowledgeable fraudster. Yet barriers can be put in the way which will deflect fraudulent intent. Having effective internal controls in place, ensuring that these procedures are followed and, critically, that the existence and application of procedures is well known should mean that the fraudster will tend to look for softer targets.
It is also important to recognise that fraud does not only impact victims through the actual crime; it can and does have a longer lasting adverse effect on trust. One of the characteristics of information theft is that it is often difficult to be able to prove where or who it came from – even after detailed forensic investigation. Thus, an organisation that becomes a victim of information theft can find itself in a situation where there is an internal breakdown of trust and working relationships. Members of staff can become suspicious of one another and protective of their own areas of responsibility. This can soon escalate into an unpleasant and insular working environment.
So how can you prevent yourself or your organisation from becoming a victim? In relation to information theft there are two areas that should be considered: (i) the HR process which ensures that all new staff are vetted appropriately; and (ii) ensuring internal controls are respected, applied and reviewed regularly.
In relation to the HR process, the key to effective vetting is "knowing your employee". It is self-evident that this starts at the recruitment stage where potential employers should request, follow up and obtain references from previous employers as a matter of course. In addition, employers should also obtain evidence of identity – passport, driving licence, proof of address – and in certain circumstances perform enhanced due diligence checks. This will highlight issues such as previous convictions, potential indications of financial problems and any adverse press reports which may impact employment. Such checks should not be limited to new employees. Employers should consider a rolling programme to undertake background checks on existing employees in the same manner.
With regard to internal controls which seek to minimise the improper dissemination of information outside of the organisation, we would recommend that companies ensure that:
- There are limited access and authority levels to change standing data, particularly in relation to cash outflows from the business. In my experience, information is often changed without any apparent due diligence, basic checking or authorisation. Employees entrusted with access and authorisation must be made aware of the privilege and responsibility that this entails and there should be regular reminders that custody of this information – and all that the word implies – is a critical element of the on-going business.
- Authorisation is required from senior personnel to change data and that reports of any changes made are provided to senior management on a regular and timely basis.
- Checks are undertaken to verify that instructions to make payments to different bank accounts from those recorded are bona fide.
- There is sufficient segregation of duties to reduce the risk of one individual having access to all information to effect such a fraud. Requirements to counter-sign, seek line-manager approval and, where appropriate, maintain a compliance record of such changes should all be considered best practice.
- In relation to particularly sensitive commercial information and trade secrets, access to information should be restricted to a small number of known key individuals, acknowledging the point regarding multiple authorities. This could be achieved by way of restricted access to particular work areas (using locks, access codes, and closed-circuit cameras), use of secure areas for storage of electronic information, and tracking of the sensitive information.
- Regular testing of the relevant procedures and protocols is essential. While we would not advocate overly strict exercises, for fear that they undermine the trust within the workplace, it is important for all employees to recognise the importance of their relevant responsibilities. Knowing that they will be tested should ensure that they maintain the appropriate level of awareness and checking.
Most of these points are common sense, and may already be in place. However, it is one thing to have procedures and operational instructions; it is quite another to ensure that they are consistently applied and, when they are not, that adequate and timely warning is made to the appropriate personnel. To the last point, if an issue becomes apparent, it is also important that external advice is sought and a detailed investigation undertaken.
Stephen Peters is director of BDO Forensic Services