With International Fraud Awareness Week (17–23 November 2019) in focus this week, it’s time to address the elephant in the room. Organisational fraud isn’t a rare occurrence, and companies are losing millions of dollars every year because they don’t have the strategies in place to protect themselves.
We spoke to Natalie Faulkner, Partner in Forensic at KPMG, about the common types of business fraud, the financial and reputational cost of being compromised, and the steps you can take to protect your company.
Business fraud: It’s more common than you think
When it comes to businesses being threatened by fraud, the statistics are concerning. Figures from KPMG’s Fraud Barometer reveal Australian entities have been the victims of fraud with an average fraud loss of $3.1 million, while another study shows 90% of businesses have been targeted by cyber attack. Making matters worse, up to 72% of small and medium-sized enterprises don’t believe it is a considerable risk to their business.
But the risks are very real, and the damage goes beyond the bottom line, according to Natalie Faulkner from KPMG.
“Companies have to bear the cost of what has been misappropriated – namely the value of the assets or the data lost, plus the time and cost to investigate the fraud and recover what was taken,” she says. “Then there’s also the reputational cost, and whilst trust is difficult to quantify, the financial fallout from its loss is not.”
Organisational fraud does not discriminate
Natalie also points out that all organisations – both large and small – are vulnerable to fraud.
“Normally the employees that we see perpetrating fraud have been in the organisation for a number of years, during which time they work out how to bypass controls. Smaller businesses might not have control such as segregation of duties to mitigate the risk of fraud.
“Larger businesses can be more complex and thus open to risk. Larger organisations need to work to control the risks they face over their key assets and data.”
“It’s not just the junior staff who are committing fraud – it can go all the way to the top. Some of the recent investigations I have conducted have been at C-suite level.” Natalie says, noting that with internal fraud, organisations need to expediently deal with the fraudster to manage reputational damage and ensure controls are enhanced to mitigate the risk of recurrence going forward.
Common types of fraud and the why it’s committed
Organisational fraud comes in many shapes and sizes. While it most commonly relates to stolen money, businesses must be aware of more elaborate fraud schemes such as identity theft, data theft, payroll fraud, workers’ compensation fraud and even return fraud – which involves external parties ‘returning’ stolen items in an attempt to make a profit.
Natalie points out that no industry is immune, and the motivating factors behind fraudulent activities can vary.
“Fraudsters follow the money and assets, and increasingly now, data as well,” she says. “The industries targeted commonly are government, insurance, superannuation, and banking, but I’ve also led investigations at telcos, in retail, in construction – really, there is no industry that’s immune.”
“When it comes to motives, there are some common features we see. Sometimes it’s a gambling addiction. Sometimes there are personal reasons behind why fraudsters believe they need the funds. Sometimes employees manipulate results to show they can work within their budgets or meet their KPIs. I’ve also seen cases where employees want to be considered wealthy by their peers or perpetrate fraud as a backlash against complacent management. There can be several such factors in an employee’s mind which motivate, and help rationalise, committing fraud.”
6 steps to building a fraud-resistant business
With such a variety of threats at their doorstep, what can HR managers and business leaders do to protect themselves against fraudulent activity? These six steps are a good starting point:
- Know your employees: “Often, people who commit fraud have done it before,” Natalie says.
“Make sure you do background checks and screening – not just set and forget but revisit those checks, particularly if the employee is promoted into a position where they have more delegated authority and more influence.”
- Set up reporting systems: Monitoring controls are important over high-risk areas to detect and investigate suspicious transactions.
- Enforce employee leave and use it as a detection control: Make sure employees are taking their holiday time. “Many instances of fraud don’t get detected until the person finally takes leave or even retires,” Natalie says. “Having a policy where you ensure staff take two weeks’ annual leave when the business is still operational means someone else has to take over their job – that can be a good fraud detection control.”
- Hire an external expert for occasional audits: If you have the resources, deep dives into high-risk areas can detect control gaps susceptible to fraud that have flown under the radar. However, Natalie advises small business owners to “reconcile cash balances, reconcile your payments to vendor statements to identify any false invoicing” and deploy “analytics to detect fraud” – all of which can be cost-effective.
- Create an open corporate culture and keep training staff: “Conduct fraud-awareness training sessions, and tailor them to be relevant to the different roles of your employees,” Natalie says. “Also provide employees with anonymous whistleblower-reporting channels.”
- Protect credit card information: It should go without saying that all business credit cards should be protected with monitoring and approval of purchases with receipts retained.