This article was first published in the February 2016 UK edition of Accounting and Business magazine.

We’ve all heard it before: an organisation’s biggest asset is its people. That’s because things like innovation, problem-solving, ingenuity and high standards are in the hands of individuals. 

So it stands to reason that while people can be the organisation’s biggest asset, the law of zero (all ups have equal and opposite downs) means they can also be its biggest liability. This could simply be incompetence: staff who are honest but simply not very good at what they do or not very interested. Or it could be more deliberate: they may be feeling undervalued, badly treated, in debt, divorcing or just generally cheesed off. 

Many organisations now place high importance on COSO compliance, particularly when allied to the need to comply with Sarbanes Oxley. It requires users to consider ‘the potential for fraud in assessing risks to the achievement of objectives’. 

Robust recruitment processes clearly guard to some degree against fraud risk within the workforce by ensuring individuals with a wilful disposition and poor record are not hired in the first place. However, people can and do change, usually as their circumstances and lives change. From a business perspective those changes need to be identified, particularly in relation to how a manager or employee changes in their attitudes towards work. Many convicted big-league fraudsters have no previous record or form whatsoever; often it is a change of some kind in their lives that is the trigger for them to commit fraud. Employee opinion surveys may help prevent this, but they are no substitute for a properly conducted ongoing risk assessment. 

Motive, means and opportunity

Any such risk assessment should first consider the conditions in an environment where fraud is likely to occur. When a serious crime takes place such as murder, the investigators typically focus on motive, means and opportunity. The perpetrators of fraud and other serious crimes are not that different. The fraudster requires an incentive or must be under some pressure to have a reason to commit fraud. 

Second, they have in their minds a rationalisation for committing the act, often driven by negative feelings or because of an absence of any sense of decency. The case not too long ago of the Lloyds Bank head of fraud and security for digital banking is interesting and provides an insight into the mindset. The individual was jailed for five years for committing a £2.5m fraud and told investigating officers she deserved the money because she was getting up at 5.30am and returning home at 8pm: ‘I saw the opportunity and thought: given the hours I work, I deserve it. If I went to work for another company I would probably be earning four times as much.’ This last bit was the justification. 

Which leads on to the third condition: opportunity. In many cases, absent, ineffective controls will eventually lead to acts of fraud, particularly when allied with one or more of the other conditions mentioned above. 

Control overrides are interesting as, almost by definition, they are imposed by management, often senior management. It is therefore essential not to have any dubious officials in place at high levels in the organisation. If managers are not trustworthy, it can be very difficult indeed to address fraud from within the organisation. Assuming – and it’s a very big assumption – that all the senior management team are honest, well-meaning and diligent individuals, then it is perfectly possible for the rest of the organisation to implement an effective ongoing assessment and monitoring process.

The basis of this process is that heads of department and business managers must have their fingers on the pulse of their areas at all times and be able to gauge their staff’s motivation, happiness, demeanour, attendance and general intent towards their daily work. Likewise, these heads and managers must be monitored by their superiors. The key is in identifying changes. 

Identifying changes

The first stage in ensuring effective internal controls is to identify the areas of the business that are susceptible to a high degree of fraud risk. These areas typically include wherever staff are handling client monies, processing receipts and payments, dealing with third parties, exercising significant accounting or management judgment or override, processing accounting transactions (in particular, posting journals), working on debt write-offs, dealing with refunds, controlling accounts, doing bank reconciliations, handling cash and dealing with vulnerable clients. 

Once areas of high and medium risk have been identified, then managers on the ground need to assess – on a quarterly basis at least – the current position and fraud-risk rating by paying particular attention to any changes affecting their people. This will include such things as the impact of pending reorganisations or relocations, job threats, absenteeism, changes in attitudes to colleagues, usually sociable staff becoming quiet and withdrawn, and other behavioural changes.

This assessment process should not replace existing anti-fraud measures such as ensuring there are effective whistleblowing and employee opinion survey processes and sophisticated transactional-level fraud detection techniques in place. The assessment is designed to supplement existing processes and controls and to act as a people control that gauges the effects of pressure points on staff in their everyday work. Done effectively, it is a very useful fraud prevention measure and identifies hot spots where risk is increasing and performance deteriorating, and where management action needs to be taken. 

Remember, there’s nowt so queer as folk, and fraudsters often turn out to be the very last people you would expect to swindle the organisation.

Andy Sutton FCCA, finance manager in financial services