(c) Chartered Accountants Ireland. Contact Chartered Accountants Ireland for permission to reproduce this article., Fraud

The threat within: tackling insider fraud

There is much debate about the external cyber risks facing organisations, but how can firms cope with insider threats?

The EMEIA Fraud Survey 2017, which was published by EY in June of last year, suggests that there is room for improvement in Ireland’s corporate culture with some staff prepared to bend the rules to meet targets. The survey states that bribery and corruption remain a significant risk to Irish businesses. Indeed, a more concerning finding is that employees are not open to the introduction of policies that would help detect fraud. Such policies would include email, telephone or social media monitoring.

In the main, workers are honest and hard-working. However, experience shows that, due to weakness in controls or changes in individuals’ personal circumstances, individuals can on occasion take the opportunity to commit fraud or other kinds of malpractice against their employer.

Culture shock

While surveys represent a snapshot in time as opposed to deeper and more engrained trends, it is nevertheless concerning that a significant number of individuals would bend the rules – in particular, recognising revenue earlier to meet a target. Indeed, this is a timely finding given the ongoing fake accounts scandal at Wells Fargo where staff created more than 1.5 million unauthorised deposit accounts and filed more than 500,000 unauthorised credit card applications between 2011 and 2016 in an effort to meet sales targets.

The fact that 89% of respondents believe that the monitoring of data sources such as email, phone or instant messenger would represent a violation of their privacy might also lead one to wonder whether employees have something to hide or are using company facilities for inappropriate purposes. Communication is another issue worthy of consideration given the discrepancy between the perceptions of senior management and other employees when it comes to the effectiveness of communication around ethical standards. For example, almost half of all board directors and senior managers have heard such messages frequently compared to just 32% of their more junior colleagues, according to the survey. These issues, when considered in the round, point to issues around culture, so what can a company do?

Back to basics

To fully address the issue of insider risk, leaders will need to go back to basics. This will involve setting the right tone at the top while taking a ‘bottom up’ approach to change initiatives that aim to eradicate traces of malpractice among employees.

The following 10 steps will assist organisations in battling insider risk and the subsequent material and reputational damage it can bring. Certain steps may require a level of investment and it is up to each individual company to set its own investment threshold. In many cases, however, simple improvements around leadership and communication, for example, can reap significant rewards.

Internal policies

Does your company have a policy that supports its investigations principles? The endorsement of a company’s policies by the chief executive and board is imperative as it leaves employees fully aware of the repercussions in the case of a policy breach. Equally, executive leadership teams should not be beyond reproach. A cursory review of media coverage suggests that major internal fraud cases in industry occur at senior management level where structure and independence play a critical role.

Communication

Does your company communicate internal malpractice through training? While eLearning is a successful tool and monitors the completion of standard mandatory training, face-to-face training should be preferred when the issue of malpractice is being discussed and enforced. Annual training should be provided to staff outlining potential red flags and actions to take, in addition to mandatory training.

Investigation unit

If an issue occurred tomorrow, could you investigate the case? While a unit may be tasked with fraud investigations, one should question and test whether this unit is manned by skilled personnel who are independent to the investigation process, so much so that the process could not be challenged in a tribunal or court of law. The technical nature of internal investigations cannot be ignored and should be planned for accordingly.

Disciplinary process

In the event of an issue being confirmed, investigated and reported, does your business have a robust HR process supported by legal advice? Having investigated a case, it is not uncommon for organisations to fail to deal with the outcome of the case or pass the appropriate sanctions. Any failure in this area sends out the wrong message, one that could lead to further malpractice without reprisal.

Speak up lines

Does your company have a ‘speak up’ line? Larger companies (those with 500 employees or more) should have a defined process for staff reporting issues which they feel cannot be addressed by line management. In line with legislation, individuals should be free from reprisals in making such reports and again, any subsequent investigations should be undertaken independently.

Risk assessments

Do you have a fraud risk assessment process? Fraud risk assessments are an additional means of understanding, through open discussion and workshops, the fraud risks the organisation is exposed to. The introduction and management of the assessment supports good governance and provides assurance to stakeholders and owners.

Proactive auditing

Investigations are predominantly reactive, so how do you learn from previous issues? Mature investigation or audit functions should plan for proactive auditing and control testing, using data analytics. In the example of a customer who is contacted by their bank regarding a suspicious credit card transaction, data analytics should be employed to identify ‘out of the ordinary’ transactions and issues.

Monitor employee actions

What do you do to stop customer data or personal data leaving your business? Organisational data, including that of your customers, should be protected from corporate espionage. This can be achieved by enforcing simple controls to protect and restrict the inappropriate access and relocation of data without validation. The General Data Protection Regulation (GDPR), which will come into force on 25 May 2018, will make this a requirement.

Performance appraisals

Do your organisation’s management and leadership teams engage with employees in a meaningful manner? Managers and leaders should continually strive to make better use of performance appraisals and one-on-one catch-ups. Such discussions could highlight issues that may account for changes in the performance or behaviour of an individual, which may otherwise go undetected. An appraisal should also be undertaken as part of the organisation’s exit programme.

Password innovation

Does your company take a proactive approach to protecting IT systems and the data contained therein? Previous investigations have highlighted cases of employees sharing passwords and retaining staff members’ information after they have left the organisation, which in turn acted as a catalyst for abuse and theft. Given the corporate world’s ever-increasing reliance on computers, mobile devices and cloud computing, organisations should consider replacing the traditional password with biometrics in an effort to minimise the risk to the company.

Michael Fitzgerald is Founder of Fraud Business Solutions, which provides investigation, consultancy and training services.