As part of our ongoing series of Forensic related themes, Damien Margetson (Head of Forensic at KPMG in the North West) explains why it’s time to reassess your fraud risk.
It’s the end of the day on Friday and you’re wrapping up loose ends before going on leave.
You get an email from IT services that says: “You have exceeded your email storage quota. Please click here to request more space or you will be unable to use your account.”
What do you do? Your inbox is rather full.
The smart thing to do would be to check where the email had come from. Then you’d see that it was sent from a strange looking external address. Recently, a colleague of mine failed to do that and clicked on the link. She was lucky – it was an IT security test. If it hadn’t been, she might have found herself as the recipient of some nasty malware.
Cyber criminals and fraudsters have become smarter with their phishing attacks. Their approach isn’t always as obvious as the classic offer of millions in return for a small loan to unlock an overseas bank account. Now, their emails are likely to look very much like an internal communication from the finance or security team.
The pandemic has triggered the fraud triangle
The threat has been exacerbated by COVID-19 and the fact many of us are working remotely. In an office environment, it’s likely my colleague would have turned to the person next to her and commented on the email she’d just received. That could have been enough to prevent a security incident.
The pandemic hasn’t just increased the threat of employees being caught out by external fraud – it’s triggered all the elements of the classic fraud triangle making internal fraud more likely as well. Employees in fear of their livelihoods or disgruntled by the lack of a pay rise have the motivation. People out of sight and using new processes have the opportunity. Economic uncertainty has provided the rationalisation. It’s an issue that Ashlee Mewburn raised in their thought-provoking blog back in September.
How well do you manage the risk of fraud?
Before the pandemic began, we posted a fraud risk management survey on our website. By answering a simple set of questions, respondents can see how well prepared their organisation is to tackle fraud. Based on responses to date, the actions being taken by almost two-fifths (38%) of organisations to prevent fraud were limited or very weak, meaning there was a significant risk they might fail to detect a fraud before it became material.
For me, what’s particularly worrying is that most of the responses came in before the first lockdown. Given how quickly organisations had to rethink their ways of working, it’s very likely that measures to tackle fraud are actually less robust than they were.
Five steps to managing fraud risk
So, what should you be doing now to help mitigate the risk of fraud? Here are five pointers based on my experience.
Regularly assess the risks of fraud
Over a third (36%) of organisations that have taken our fraud survey only assess fraud risk on an ad hoc basis. And almost one in ten (8%) has never carried out a fraud risk assessment. The pandemic saw organisations having to change processes at speed and provide more remote access to critical systems. If you haven’t done so already, now’s the time to conduct a thorough fraud risk assessment. And to make sure it happens, be clear on who’s responsible for this.
Train staff to spot the signs of fraud
Less than a quarter (23%) of our survey respondents ensure that all members of staff attend an annual update on fraud. Most provide training on an ad hoc basis. Regular training is important, as employees under greater stress are more likely to miss the signs of fraud. Tests like the one that caught out my colleague can prove highly effective at raising people’s awareness. It also helps to keep them up to date with the latest fraud trends and patterns.
Set out a clear policy on handling fraud
85% of respondents said they have a fraud policy. But just two-fifths (42%) said it covers what is meant by unacceptable behaviour and that potential disciplinary action might result from this behaviour. Having a clear policy and communicating it regularly can help dissuade people who may be rationalising fraud. It’s also important that employees know how to report fraud. 81% of respondents said that they have a policy on reporting fraud. But 30% of these aren’t convinced their staff are aware of it.
Support whistle blowers
In my experience, internal fraud most often comes to light through whistle blowers. But employees are less likely to come forward if they fear an adverse impact on their own positions. According to our survey, less than half (48%) of respondents set out the protections available to staff who report fraud in their formal reporting policy. More than one in ten (13%) have no formal protections in place.
Establish a clear fraud response plan
What do you do if suspected fraud is reported? Less than half (47%) of respondents said they have a documented fraud response plan they would follow in the event that a significant fraud was alleged. It’s important that, once a potential fraud is reported, everyone is clear on how to respond and who is responsible for what.
If you’d like to discuss any of the points raised in this blog post, please don’t hesitate to contact me.