04/10/2010
By Helen Yates
Traditionally the incidence of fraud rises in recession, when scams are more likely to be both perpetrated and uncovered. In January 2008, as financial markets began to unravel, French bank Société Générale revealed that rogue option trader Jérôme Kerviel had cost it €5bn.
Other major frauds exposed include the respective $64.8bn and $8bn estimated losses from the Madoff and Stanford ‘Ponzi’ schemes, but SocGen’s experience stood out as it was perpetrated internally despite stringent controls.
Financial services firms are increasingly waking up to the risk of internal fraud and looking to prevent it. “The SocGen situation was particularly helpful in expediting awareness and getting people to take a hard look at the controls they had in place with respect to risk management,” says Craig Carpenter, vice president of general counsel at the information management software firm Recommind.
Scales of fraud
The first step towards improved identification and prevention of internal fraud is to understand why employees might be induced to steal. Offences range from fiddled expenses to large-scale asset misappropriation. PricewaterhouseCoopers’ (PwC) 2009 global economic crime survey found 77% of UK organisations that were victims of economic crime reported falling prey to asset misappropriation.
Employees may work alone or be tempted to join a third party, such as colluding with external suppliers to overbill their company and splitting the difference or selling data to criminal gangs. In 2006, one in 10 Glasgow call centres was reported as being infiltrated by criminals.
“Some employees are opportunists and in such cases it is common to see a progression with a minor fraud occurring, which then spirals out of control when the culprit realises their actions aren’t observed,” says Don Smith, vice president of engineering and technology firm SecureWorks. “Other fraudulent attacks may be premeditated, where criminals target a specific firm to work for with the sole intention of committing fraud once they are working within the organisation.”
Understanding where opportunity exists for employees to commit fraud can help risk managers design appropriate preventive measures. Individuals who move departments but retain access to key areas present a risk, and a failure to segregate duties removes the opportunity to spot unethical behaviour.
“One of the most effective controls for preventing fraud from occurring in the first instance is through accurately managing access rights across IT systems and granting appropriate rights on a controlled, need-to-know basis,” says Smith. “Employers must also be mindful of entitlement creep – where staff accumulate extra rights as they move between departments or progress within a company. It can result in employees having toxic combinations of access rights, granting the possibility to commit fraud.”
The fraud triangle
Fraud is driven by three key factors that comprise a “fraud triangle” of motive, opportunity and rationalisation, explains Sian Herbert, director, forensic services at PwC. Both motive and rationalisation tend to increase in a recession, as staff come under pressure to hit targets or face financial difficulties at home. They may feel resentment when colleagues are made redundant, or if they are denied a pay rise. “They tend to start small and build up. Maybe they’re £400 short to pay their credit card bill, so they take £400 aiming to pay it back next month. When no-one finds out they realise how easy it is,” adds Herbert.
There is strong evidence that economic pressures drive internal fraud. PwC’s UK survey shows fear of job loss (46%) is the main reason for fraud, with targets harder to attain (40%) and difficulties reaching the performance numbers to achieve bonuses (28%) as other major factors.
The 2009 survey indicates that the profile of a typical fraudster is changing. Many (47% against 32% in 2007) are well-educated, middle-aged middle managers, presented with opportunities to steal at a time when they may be under pressure financially.
Andrew Jackson, a managing director at Charles Taylor Adjusting and responsible for investigating fraud claims for insurers, comments: “In the area of employee infidelity we come across all sorts of frauds. People can be stealing just for their own benefit, doing it totally independently without anyone aware of it.
“In other cases you can have teams within an organisation colluding. That becomes very difficult because your control environment – the people providing the checks and balances – are part of the fraud. To compound that you can have internal infidelities involving external third parties; we’re seeing all types!”
Out of sight can also be out of mind, with frauds occurring in the overseas offices or subsidiaries of large financial institutions, reveals Jackson. “Outwardly things look like they’re going well so they’re perhaps not so high up on the internal audit radar. They are subject to their own controls; that can provide an environment for the perpetration of a fraud, because trust in the senior managers is very high and local culture may mean that senior managers’ actions will not be questioned by subordinates. This means that expected checks and balances are not applied, and leads to an environment of perpetuation of fraud and failure to detect.”
Rooting out weaknesses helps prevent this. “The internal audit is hugely important but what’s also important is what happens after your internal audit,” he continues. “What about the follow-up to any recommendations or findings you’ve made? If you’ve highlighted a weakness you have to make sure it has been addressed.”
Prevention above cure
There are simple preventative measures that make it more difficult for employees to commit fraud. They include implementing a good control framework that sets the tone from the top of the business. Any inconsistency in the action taken, for example a senior director apparently treated more leniently than a junior member of staff, could give the wrong signals.
“It should be made clear by the board that internal fraud won’t be tolerated, that action will be taken against individuals, that there is a clear disciplinary process and it will be consistently applied,” says PwC’s Herbert.
Other procedures include performing background checks and ensuring access rights are changed when people change roles. Segregation of duties – with different people taking responsibility for raising purchase orders, signing off goods received and sending invoice notices – minimises opportunities for fraud, while introducing whistle-blowing hotlines instils a culture that makes it easy for staff to report inappropriate behaviour. “Doing something about it is important – investigating when there is a suspicion and undertaking a risk assessment,” says Herbert.
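The access-rights controls Smith describes (need-to-know grants, entitlement creep, toxic combinations) and the segregation of duties Herbert describes can both be checked mechanically in a periodic entitlement review. The Python script below is an added illustration, not code from the article or from any firm quoted in it: the rights, the conflict pairs and the user records are constructed, and a real review would read the same data from the organisation's identity and ERP systems.

```python
"""Entitlement review: flag entitlement creep and toxic combinations of rights.

Added illustration. The segregation-of-duties (SoD) matrix, the right names
and the users below are constructed, not taken from any real organisation.
"""
from itertools import combinations

# Constructed SoD matrix: each pair of rights that one person should never
# hold at the same time, with the reason an auditor would give.
SOD_CONFLICTS = {
    frozenset({"raise_purchase_order", "approve_invoice"}): "can order goods and release payment alone",
    frozenset({"sign_off_goods_received", "approve_invoice"}): "can certify delivery and release payment alone",
    frozenset({"create_vendor", "approve_invoice"}): "can set up a supplier and pay it alone",
    frozenset({"raise_purchase_order", "sign_off_goods_received"}): "can order goods and confirm receipt alone",
}

# Constructed grant history: (user, department the right was granted in, rights).
# alice and dave moved departments and kept their earlier rights (entitlement creep).
GRANTS = [
    ("alice", "procurement", {"raise_purchase_order"}),
    ("alice", "accounts_payable", {"approve_invoice"}),
    ("bob", "warehouse", {"sign_off_goods_received"}),
    ("carol", "accounts_payable", {"approve_invoice", "create_vendor"}),
    ("dave", "procurement", {"raise_purchase_order"}),
    ("dave", "warehouse", {"sign_off_goods_received"}),
]


def effective_rights(grants):
    """Union of every right a user has accumulated across all departments."""
    rights = {}
    for user, _dept, granted in grants:
        rights.setdefault(user, set()).update(granted)
    return rights


def entitlement_creep(grants):
    """Users whose current rights were granted in more than one department."""
    depts = {}
    for user, dept, _granted in grants:
        depts.setdefault(user, set()).add(dept)
    return {user for user, seen in depts.items() if len(seen) > 1}


def toxic_combinations(rights, conflicts=SOD_CONFLICTS):
    """Map each user to the SoD conflicts their accumulated rights violate."""
    findings = {}
    for user, held in rights.items():
        for a, b in combinations(sorted(held), 2):
            reason = conflicts.get(frozenset({a, b}))
            if reason:
                findings.setdefault(user, []).append((a, b, reason))
    return findings


def review(grants):
    """Run the full review: creep candidates and toxic combinations."""
    rights = effective_rights(grants)
    return {"creep": entitlement_creep(grants), "toxic": toxic_combinations(rights)}


if __name__ == "__main__":
    result = review(GRANTS)
    print("entitlement creep:", sorted(result["creep"]))
    for user, conflicts in sorted(result["toxic"].items()):
        for a, b, reason in conflicts:
            print(f"{user}: holds {a} + {b} ({reason})")
```

The point of keying the conflict matrix on unordered pairs is that the review catches a toxic combination however it was assembled: alice's conflict comes from two separate departmental grants that each looked harmless on their own, which is exactly the creep case Smith warns about.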
Technology can be utilised to both spot and prevent fraud. “People are recognising that you can wait for the fraud to occur, investigate it and stop it and then after the event try and improve your controls – or you can be a little bit more proactive in what you’re doing and try and monitor fraud so you find it immediately when it’s happening,” says Graham Ure, director, forensic services at PwC.
“Of course if your safeguards are good enough it doesn’t happen in the first place, because people are aware of the deterrents through the technology.”
Continuous transaction monitoring is one way of using technology to detect fraud. This involves collecting, aggregating and correlating network, application and operating system data in a structured way to spot anomalies or suspicious behaviour. “It runs a series of rules to monitor your controls in an organisation. If those controls look like they’re being circumvented it will immediately flag an alert so that things can be investigated,” says Ure.
One reason for employee fraud becoming easier to perpetrate is that companies lack the same protections internally as they have externally. Within the firewall, sensitive data is much easier to access. “In medieval times the town was inside the outer wall and anything coming from outside you had a much better chance of protecting, because most threats were external in nature,” says Carpenter. “We’ve traditionally done the same sort of thing with networks and data – which helps protect against external threats, but on the inside it’s much easier to commit some sort of fraud because it’s much harder to detect things inside the wall.”
The use of software to spot internal fraud is vital, particularly for financial services firms. “It’s using the same thing that causes the complexity – which is the technology – and bringing it to bear to help address this issue and gain insight into what might be going on,” says Carpenter. “Increasingly these battles are being fought digitally or virtually as so much of our wealth is digital in how it’s handled, managed and traded.”
As technology and organisations become more complex, risk professionals will find the task of preventing internal fraud a constant challenge. Even the use of monitoring software carries its own pitfalls. If fraudsters are aware of how the software works they can ensure their activity falls below certain thresholds and remains hidden from the algorithms set up to spot it. Inevitably, criminals tend to be one step ahead.
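As an added illustration of the rule-based continuous monitoring Ure describes, and of the threshold pitfall noted in the paragraph above, here is a small Python rule set run over a constructed purchase-to-pay event log. It is not PwC's or any vendor's product; the field names, the approval limit, the time window and every event are assumptions made for the example. Each rule encodes one control, and the third rule looks at the pattern of amounts rather than at each amount alone, which is what lets it notice activity that stays just under a single-transaction threshold.

```python
"""Continuous transaction monitoring: control rules over a purchase-to-pay log.

Added illustration with constructed data. Each rule expresses one control
and returns alerts where that control looks circumvented.
"""
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 5000.0   # constructed: invoices at or above this need a second approver
NEAR_BAND = 0.10          # constructed: "just below" means within 10% of the limit
NEAR_COUNT = 3            # constructed: this many near-limit invoices in one window fires
WINDOW = timedelta(days=30)

# Constructed event log: vendor set-ups and invoices, oldest first.
EVENTS = [
    {"id": "INV-001", "type": "invoice", "day": date(2010, 3, 1), "raised_by": "alice", "approved_by": "carol", "vendor": "V100", "amount": 1200.0},
    {"id": "INV-002", "type": "invoice", "day": date(2010, 3, 2), "raised_by": "bob", "approved_by": "bob", "vendor": "V101", "amount": 800.0},
    {"id": "VEN-900", "type": "vendor_created", "day": date(2010, 3, 5), "raised_by": "dave", "vendor": "V900"},
    {"id": "INV-003", "type": "invoice", "day": date(2010, 3, 6), "raised_by": "dave", "approved_by": "erin", "vendor": "V900", "amount": 4700.0},
    {"id": "INV-004", "type": "invoice", "day": date(2010, 3, 13), "raised_by": "dave", "approved_by": "erin", "vendor": "V900", "amount": 4850.0},
    {"id": "INV-005", "type": "invoice", "day": date(2010, 3, 20), "raised_by": "dave", "approved_by": "erin", "vendor": "V900", "amount": 4600.0},
    {"id": "INV-006", "type": "invoice", "day": date(2010, 3, 21), "raised_by": "alice", "approved_by": "carol", "vendor": "V100", "amount": 4900.0},
]


def rule_self_approval(events):
    """Control: the person raising an invoice must not also approve it."""
    return [(e["id"], "self_approval") for e in events
            if e["type"] == "invoice" and e["raised_by"] == e["approved_by"]]


def rule_new_vendor_payment(events, window=WINDOW):
    """Control: a user should not create a vendor and then invoice it soon after."""
    created = {e["vendor"]: (e["raised_by"], e["day"])
               for e in events if e["type"] == "vendor_created"}
    alerts = []
    for e in events:
        if e["type"] != "invoice" or e["vendor"] not in created:
            continue
        creator, when = created[e["vendor"]]
        if creator == e["raised_by"] and timedelta(0) <= e["day"] - when <= window:
            alerts.append((e["id"], "pays_vendor_they_created"))
    return alerts


def rule_near_limit_cluster(events, limit=APPROVAL_LIMIT, band=NEAR_BAND,
                            count=NEAR_COUNT, window=WINDOW):
    """Control: flag a user who repeatedly stays just under the approval limit.

    A per-transaction threshold check passes each of these invoices; only the
    clustering of near-limit amounts from one user inside the window is unusual.
    """
    near = defaultdict(list)
    for e in events:
        if e["type"] == "invoice" and limit * (1 - band) <= e["amount"] < limit:
            near[e["raised_by"]].append(e)
    alerts = []
    for user, hits in near.items():
        hits.sort(key=lambda e: e["day"])
        for i in range(len(hits) - count + 1):
            if hits[i + count - 1]["day"] - hits[i]["day"] <= window:
                alerts.append((user, "near_limit_cluster", [h["id"] for h in hits[i:i + count]]))
                break  # one alert per user per run is enough to open an investigation
    return alerts


def run_rules(events):
    """Run every rule and group the alerts by rule name."""
    return {
        "self_approval": rule_self_approval(events),
        "new_vendor": rule_new_vendor_payment(events),
        "near_limit": rule_near_limit_cluster(events),
    }


if __name__ == "__main__":
    for name, alerts in run_rules(EVENTS).items():
        print(name, alerts if alerts else "no alerts")
```

In this log the self-approval rule fires once, the new-vendor rule fires on each of dave's three invoices to the vendor he set up, and the cluster rule fires on the same three invoices even though every one of them individually passes the approval-limit check. Keeping the band, count and window as parameters rather than constants is deliberate: as the paragraph above warns, a fixed threshold that fraudsters can learn is a weaker control than one whose parameters are tuned and reviewed over time.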
“Most firms don’t tend to ratchet up the controls until well after fraud has reared its ugly head; by then they should be – but typically aren’t – focusing not on the fraud they just experienced, but rather the next fraud that might come down the pipeline,” says Carpenter. “It being a creative market, the next fraud is likely to be different from what was just encountered and that’s why it seems like we have this un-virtuous cycle. It’s fighting the previous battle all over again rather than the battle to come.”
Helen Yates is a freelance contributor to Risk Management Professional