Technology has evolved over the past decade in a way that has unintentionally made it easier for internal fraud to be perpetrated in companies. It is possible today for a company to receive a fake invoice or bank statement which to the untrained eye passes every test of legitimacy.
In addition to its more positive attributes, digitalisation has dramatically sped up everything to a point where a business loses its filter under a bombardment of data – a situation worsened by hybrid working. This has broken down the internal controls that companies may have had prior to Covid-19.
Such a breakdown stimulates temptation. We have seen a rapid rise in poverty as cost-of-living increases have reduced the traditional middle class. A computer-savvy individual with inside knowledge can easily develop a plan to commit fraud – and with weak controls, is likely to get away with it. This is facilitated by two things: technology, and internal controls in businesses that are not at the level they should be to cope with new forms of threats – whether that business is a large corporate, a privately-owned business or an SME.
The true ethical and moral nature of an employee is typically hidden from view. Theft often starts off slowly and in a petty form such as stealing company stationery or spending an inordinate amount of time on social media during work hours. Consistently getting away with it may make a morally weak individual start to think in bigger terms. Before long, through its lax controls, a business has cultivated a fraudster within its ranks and itself become a victim of fraud from what initially appeared a normal individual, and in some cases even the perfect employee.
One of the most common reactions we hear when someone is finally unmasked within a company is utter stupefaction that fraud was committed by the most unsuspected individual in the company. Normally it’s caused by financial pressures at home: a harmless-looking grandmother who secretly has a gambling habit and has had a run of bad luck on the tables – and sees the solution as recycling company receipts or supplier invoices, for instance.
Consequently, staff need to see management overtly performing checks, balances and reviews at every level of the organisation. Staff need to be certain their work will be double-checked and any fraud unearthed sooner rather than later. One of the easiest forms of fraud to perpetrate is to load a beneficiary with one’s own bank account details, as bank systems do not match those details against their records. Therefore, this has to be done through the company’s controls.
To institute close controls, a tone of zero tolerance to unethical behaviour has to be instilled from the top of the company. Owners or executives have to lead by example. The concept of ‘unethical behaviour’ should not be limited to actual crimes like stealing. It must include any inappropriate behaviour between employees, and any behaviour outside the workplace on social media that is out of sync with the ethos of the company. A business becomes tainted by its employees’ personal behaviour.
Pre-Covid, most companies had strong controls over their office-bound personnel, requiring paper-based or online forms before permitting anything. Employees never enjoyed it, but it was there for a reason. The suddenness of the 27 March 2020 lockdown permitted no time for companies to adapt their controls before staff all went off home. As best they could, companies had to re-engineer their procedures and processes to a remote working environment just to survive, and with that came new risks. Suddenly employees could be in a position to override controls “because they’re not in the office” when for example loading payments.
Controls in a virtual world
Companies have been struggling to return to normality for two years now, unaware in many cases that they already may have a cancer within their ranks.
To return to an environment of strong controls, companies – starting today – need to have their processing and operating environment reassessed by experts to identify any holes that need to be plugged or processes that need to be updated. This problem is not going away, as employees accustomed to working from home want to continue a hybrid work model. Company controls therefore need to evolve to accommodate that.
Segregation of duties should be a key component of this reassessment. Exacerbating this issue is that smaller companies cannot afford multiple employees, and even larger companies in our recessionary environment have retrenched or reduced staff counts through attrition or digitalising functions. This has blurred the segregation of duties.
The top financial person in a business has to have such an innate grasp of the finances and business that anything wrong is immediately evident to them and they instinctively know where the main risks are. In the knowledge that the risk of fraud is quite high today, they might want to keep a ‘risk register’ listing the main risks as they are identified as well as solutions to deal with such risks.
One policy that every company should immediately adopt is to make it compulsory that each staff member take annual leave and public holidays, no matter how vital their function to the operation of the business. Someone not taking leave should be a red flag to management. Key to this is that every position should have a back-up so that there is no excuse that there is nobody to cover an employee on leave.
In conclusion, for governance to be a real deterrent it is not sufficient that internal controls be in place at a company; those controls must be enforced, and be seen by staff to be rigorously enforced from the top.
Marc Edelberg, partner at Mazars in South Africa.