Over the past few months, there has been an increasing number of cases involving fraudulent insurance claims, abuse of COVID-19 relief schemes, and corporate fraud driven by employees. This article looks at the issue of employee fraud and the relatively simple and cost-effective measures that organisations can implement to help mitigate employee fraud risk.

Economic stress and employee fraud

Historically, fraud and employee malpractice ("employee fraud") rises in times of financial uncertainty, as businesses struggle to survive economically and employees try to hit targets or make ends meet. The global financial crash of 2008 is a classic example of this cycle which is now repeating as the covid-19 pandemic continues to cause economic hardship. Virtually every day now brings a new fraud-related survey or headline from around the world.

In the last few weeks for example, there have been reports ranging from rises in fraudulent insurance claims, abuse of covid-19 relief schemes, and corporate fraud driven by employees trying to circumvent controls, falsely boost performance, or line their own pockets. Incidents include theft of intellectual property and corporate information assets, abuse of procurement or expense procedures, and exploitation of weak controls and oversight following the introduction of remote working practices.

What factors increase employee fraud risk?

Many organisations fail to adequately address the risk of employee fraud, in part because it’s often an uncomfortable topic to acknowledge. But it is more critical than ever to address this risk as the pandemic continues to have a significant economic impact on companies across a range of sectors. Employee fraud needs to be addressed both at the individual employee level (assessing individual risks) but also at a corporate level (structural risks).

The risk of employee fraud is often proportionate to the level of controls and incentives that an organisation puts in place. For example:

• Organisations with weak corporate governance structures are more vulnerable to employee fraud due to there being weak oversight at every level, from board room to factory floor
• Where organisations have misaligned or poorly-designed financial incentives, this can encourage fraud such as employees creating false sales invoices or churning client investment accounts. A good example is the Wells Fargo account fraud scandal which broke in 2016
• Organisations that fail to adopt effective (or any) second or third lines of defence, such as having effective compliance or internal audit functions
• Organisations which fail to invest sufficiently in up-to-date technology to protect their intellectual property and valuable confidential data such as client lists are at far greater risk of theft by employees, particularly departing employees

However, there are some simple steps that can help reduce employee fraud which can be executed quickly with the right support. Organisations that adopt a risk-based approach can identify areas of weakness in their systems and controls and, in combination with identifying employees who fall into a higher-risk category, can mitigate employee fraud risk considerably. When properly executed, this can be a very cost effective approach, which can be combined with a robust and targeted awareness campaign.

What pragmatic steps can organisations take to reduce employee fraud?

First, identification of higher risk employees. This step is not about identifying employees who are likely to be dishonest or untrustworthy. This exercise is designed to identify which employees, if they were intent on committing fraud, are either:

1. In a position to be able to commit fraud because of their rights of access (e.g. to the company safe) or their level of autonomy
2. If they were to be successful in committing a fraud, would cause the greatest economic damage to the organisation i.e. stealing stationery vs. emptying the company bank account

There are a number of factors to consider when determining which employees fall into a higher risk category. The factors will vary depending on the type of organisation and its industry sector but examples include:

• Are the employees working with financial incentives that increase the risk of fraud? This is particularly important for client-facing sales staff who are on sales targets
• The employee’s level of seniority. All senior staff should be considered higher-risk by default;
• The extent to which their role can influence financial reporting
• Employees with excessive autonomy or who regularly self-report numbers or performance
• The levels of system privileges they possess and the appropriateness of those privileges for the role they perform
• More modestly-paid employees who have access to potentially very sensitive and/or valuable company or client data e.g. call-centre staff who have access to client account details and passwords
• Employees who are considered outliers with regards to performance, either the worst performers (who need to make up their numbers) and the top performers (whose apparent success may result from fraud)
• Employees with ongoing or historical grievances
• Employees who have resigned and are working out their notice
• Employees who have repeatedly missed out on promotion
• Employees who regularly fail to take leave or who only take short breaks
• Employees whose role or office location exposes them to higher risks of corruption e.g. Employees in procurement or those based in offices in jurisdictions with above-average levels of corruption
• Employees who fail to complete mandatory training on key compliance issues

Second, an employee fraud and malpractice risk assessment should be performed. Focused on the now-identified higher risk population, it will help determine those areas with the highest likelihood and impact rating for fraud or malpractice. It will provide insight as to where you should start to consider more robust controls.

Third, the design and implementation of enhanced controls should be prioritised. Often this may simply require a reconfiguration of existing controls, although in some cases new measures may need to be designed, tested and deployed. For example, in the case of an employee who has resigned but is working out their notice period – is there a valid reason why they still need access to intellectual property or customer lists? A simple control could be put in place to prevent the downloading of sensitive or confidential data that could potentially be the subject of unauthorised disclosure.

Other examples of simple but effective controls to implement include:

• Review and re-design of existing financial incentives
• Mandatory periods of annual leave
• Regular job rotation
• Regular internal-audits of offices in high-risk countries
• Review of authorities matrix
• Rotation of auditor
• Anti-fraud awareness training

Further enhancements

While these steps in isolation are an excellent start, even greater value can be generated by combining the deployment of enhanced controls with an awareness campaign. The combination of new controls and awareness activities often has a strong deterrent effect.

Arguably one of the most important steps to combat or deter employee fraud is to ensure is that there is a process and a capability to investigate any incidents that arise or which are identified as a result of the enhanced controls. A properly conducted investigation will also have a strong deterrent effect.

Finally, most organisations have "blind spots" which prevent them from properly self-assessing their vulnerabilities. There is often a tendency for organisations to become complacent when times are good, and to assume that "we've always done it this way" means that it's the right way to do things. Bringing in independent, external consultants, who have extensive experience of employee fraud acquired after having investigated or assisted many clients to manage the after-effect of such frauds can be invaluable. Experts can help identify red flags quickly and are immune to office politics or the fear of retribution from colleagues or management, so getting a review from an independent, external party can't be over-estimated.

Conclusion

Most observers continue to project higher levels of employee fraud and malpractice and, although focusing on high-risk employees can feel uncomfortable for some businesses, it is a really pragmatic response to the circumstances.

The three steps of:

1. Identifying your population of high risk employees
2. Performing a fraud and malpractice risk assessment to determine the most likely and highest impact areas
3. Enhancing controls

Together, can quickly help to strengthen an organisation's resistance to employee fraud. Combining theses steps with a good awareness campaign and an investigation capability can make for a very effective mitigation strategy.