“I knew him for years. He was like family. How could he do this to me and my business?”

It’s an all-too-familiar question after a long-term or trusted employee is caught or suspected of stealing from a company. So, what happens that makes it all go so wrong?

Simply put, cash is the great attractor – while we all interpret that lure differently, its visceral, kindly promise of freedom occasionally becomes too irresistible for human nature to ignore. Many businesses are not aware of, or at least, are not able to consistently identify, hire, educate and train around this fact. In CIT and Security, the breakdown is most often in one or more of The Three P’s (Policy, Process, and Procedure), but it’s certainly not an isolated phenomenon. Retail establishments, financial institutions and more all struggle with it.

The Three P’s are designed to reduce and control both the likelihood (risk probability) and severity (risk impact) of loss relating to risk; in this example, employee theft. For context:

• Policy is a rule or set of guidelines;
• Process is a high-level set of criteria that must happen in order to ensure compliance with a policy; and
• Procedure is a specific, detailed series of actions that staff members must take in order to implement a process and comply with a policy.

With the recent COVID-19 pandemic, business transactions and revenues are down, and we have seen a surge in employee terminations, furloughs and the like. As a result, many businesses are operating with lean staffing, which can cause breakdowns in segregation of duties, intentional or not. Where two persons may have been required by policy pre-COVID to perform an action, e.g. accessing the safe or vault, conducting physical inventory audits or daily cash reconciliation and balancing, the reduction in staff has caused those policies to become lax in order to continue operations. In doing so, many dual control and custody procedures have led businesses to allocate more access control capabilities to those “long-term” or “trusted” employees. Which can lead to situations like the ‘Not him!’ referenced above.

So, what can be done with limited staffing during these times to protect people, brands, and profits? Below are a few best practices that can be applied across any business, large or small:

• Review your internal policies and processes and provide management oversight to ensure that procedures are being adhered to per company policy and that no one person has too much access to a particular asset or function, including:
  • Access device (key, card, combination, code) controls .
  • Dual control/custody system of checks and balances.
    • Ex: verification of deposit preparation, either 2^nd person or virtual (FaceTime, CCTV, Zoom, etc.), bank pick-ups and deposits in person (no night drops if only one person can perform) and confirm deposit or examine credibility of tamper proof deposit bag before leaving (bringing back deposit slip for verification and documentation).
  • Utilize both Employment Background Screening, regardless of the relationship or previous work history, and a true continuous court records monitoring solution to get the whole picture.
  • Require job-specific training that is documented and acknowledged via signature of the trainer and trainee to ensure adequacy, accuracy and completeness.
  • Incorporate random and unannounced internal and external audits, testing the aforementioned policy, process, and procedure with staff. Examples may include:
    • Cash drawer audits, to be performed by employee and management at the beginning and end of shift; cash drawers should be assigned to one user only.
    • Cash drawer documentation, in the event more cash is needed or removed a verifying document should be signed by two people, i.e. employee and management.

These best practices are intended to provide some potential resolutions to but a fraction of the challenges that businesses face in fighting theft. By improving potential vulnerabilities and understanding the importance of applying essential policies, processes, and procedures, businesses can – and do! – reduce the likelihood and severity of loss relating to employee theft.

Remember, cash may be king, but it’s still your kingdom.

The college admissions scandal has caused quite a stir in the media over the last few weeks. The stories have varied, the fraudsters are unique to each situation, but in the end it’s the same old tale; the rich use money and power to influence the morally weak and advance those closest to them to undeserved positions of grandeur. The key in this case is that schools across the US are being brought down to the same level as the criminals and fraudsters that perpetrated the crime in the first place.

Yale University, founded in 1701, has graduated five U.S. Presidents, and prides itself on its motto, ‘Lux et veritas’ or in English “Light and Truth.” However, a Yale soccer coach was able to pull off a scholarship-based fraud in which a student was accepted without merit. Is this Yale’s fault? Perhaps in part, but I would like to blame it on a much larger, systematic fraud scheme that can easily be discovered and rectified with appropriate planning and execution.

Other schools were involved in Title IX fraud, SAT proctoring schemes, and direct fraud from payoffs or bribes. Each school left a back door open for a fraudster to come barging through and in the end, will be sued for millions of dollars. These lawsuits, some frivolous and others merited, will need to be tried and tested. What can your institution do to avoid situations such as this?

In our experience, fraud is perpetrated in larger educational institutions and corporations when the controls breakdown or are antiquated. There are simple ways to enhance controls and become a much more aware organization.

Some important tips that we feel will mature your organizational fraud prevention controls are below.

Enhance Internal Controls

When looking at sophisticated organizations such as a university, one might think that internal controls are deployed across the enterprise. However, this was not the case in athletics, where some of the fraud was perpetrated. Entities should implement enterprise wide systems of internal “dual control” whereby a minimum of two people are involved in the decision-making process/function. The purpose of dual control is to deter fraud, provide a properly documented audit trail, maintain quality assurance, and prevent extortion. This dual control process creates a system of “checks and balances” in which a single person (authorized person(s) within a department) does not have the sole authority to decide without the verification and approval conducted by a secondary and separate department (authorized person(s) within that department). This helps to mitigate the potential for collusion. These obvious changes can deter fraudulent actions and lead to much more effective fraud deterrence. Internal control is vital when trying to ensure that protocols and regulations are carried out according to policy.

Make your organizations aware, and force reporting

Create a fraud risk policy with demonstrative cases that establish consequences for perpetrators. It sounds simple, but this is a critical step in setting up the consequential deterrence that is sometimes needed to stop amateur fraudsters. If individuals in the organization are aware that management is looking for certain types of fraud, they might think twice before acting.

An additional aspect of organizational awareness is to implement reporting. In any instance where there is a violation of policies or an employee feels there is a violation by someone else, encourage reporting. Anonymous reporting/tip lines have historically been the number one means by which occupational fraud is discovered. These reports and tips need to be vetted and followed up to ensure there are consequences. As the fraud risk policy matures, there should be a noticeable difference that will help secure organizations from becoming victims of fraud.

Know Your People

Fraudsters tend to demonstrate behavioral traits that can indicate they have committed or are candidates to commit fraud. Comprehensive background screening can be the first step in ensuring that there are no concerns prior to offering employment. However, initial background checks are not enough.

Employers and leaders need to listen to what employees are saying. If there are divisional leaders, or in this case coaches and deans, that are deeply respected or far too entrenched in the internal control environment, they can create circumstances that could lead to fraud. For instance, USC, who saw their senior athletic director implicated, was victim to the college admissions scandal when the water polo coach recruited a student who didn’t even play water polo! Had USC screened each scholarship athlete and ensured there were controls and reporting in place, this could have been avoided. Now, USC is at the mercy of the judicial system.

In conclusion, it is amazing that these events transpired in today’s digital environment, but it clearly demonstrates a lack of understanding when it comes to the willingness of fraudsters to attain what they want. Legacies are now tarnished over the acts of bad actors and their accomplices.

Lowers Risk Group prides itself in delivering solutions to our clients that rectify these types of situations.

Contact us to learn more.

Occupational fraud awareness is the focus of Fraud Week but it’s also a rising concern of organizations year-round. At least that’s the message in the data from the Association of Certified Fraud Examiners: 2016 Report to the Nations on Occupational Fraud and Abuse.

The report compares the implementation of a wide range of anti-fraud controls across reported cases, and finds that every single type of control was more prevalent in 2016 than it was in 2010. This is true even for very widely used controls like more traditional types of financial audits and management review. An important example is the external review of financial statements, the single most common anti-fraud tool, whose implementation rate increased .08% to 81.7%.

Workforce Participation is Key

More interesting, is that the types of controls that have increased the most are those that leverage workforce participation and cultural restraints. The implementation rate for a hotline increased 8.9%, anti-fraud training for employees increased 7.6%, the establishment of an anti-fraud policy by 6.8%, and a code of ethics, already high, increased 6.3%.

It’s useful to think of the anti-fraud policy and code of ethics as part of the cultural framework, the stated intentions for acceptable behavior. These standards have to be demonstrated from the top down, and built into expectations for every employee. They have to be used when fraud is detected to devise an appropriate sanction in response, without equivocation.

Hotlines and Anti-Fraud Training are On the Rise

The largest rates of implementation increase for hotline and anti-fraud training for employees reflects actions taken to facilitate the cultural shift. Unlike the cultural standards that justify these tools, but which exist primarily in the beliefs of employees, hotline and training are concrete policies an organization can implement and measure. The connection between hotline and fraud detection is a fact: 39% of frauds detected come via a hotline. Training is less obvious, but it moves directly against the efforts of potential fraudsters to make up rationalizations for stealing. Training helps remove excuses, and clarifies the intentions of cultural policies.

Given the performance of hotlines, it is no wonder they are being adopted by many organizations. The key to this performance is availability, security, and privacy. The employee who reports suspicious behavior via a hotline has to feel secure, that it will be taken seriously and that it will not jeopardize his or her social standing in the enterprise.

Anti-fraud training helps employees interpret the code of ethics or anti-fraud policy in the context of their working lives. It may teach them how to recognize suspicious behavior or patterns of abuse, and how to report them. The ACFE report is full of “red-flag” behaviors that can indicate fraud or abuse, and employees who recognize these are better able to multiply the strength of the fraud prevention effort.

It is encouraging that so many organizations both recognize the threat of occupational fraud and take steps to prevent it., The fact is, that organizations of all types worldwide lose about 5% of topline revenue to fraud means the fight is far from over. In fact, given that fraud is an individualized crime, the effort to prevent it can never succeed completely. But it can win many battles, perhaps one that saves your organization.

Almost every organization is vulnerable to occupational fraud and abuse, and the impact of fraud can be costly. The 2016 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), indicates that the worldwide loss to fraud across all organizations is 5% of topline revenue. Based on reported cases of fraud, the median cost per case was $145,000, and some others were much more.

As part of the International Fraud Awareness Week for 2016, ACFE published 5 Fraud Tips, a one-page summary of steps an organization can take to reduce its vulnerability. Implementing these steps cannot guarantee your organization won’t suffer occupational fraud, but it will certainly improve the odds.

1. Be Proactive

Top management needs to put in place policies and procedures that set a tone from the top against fraud. This may include a code of ethics taught to every employee, with on-going follow up training that emphasizes the danger and unacceptability of fraud. Traditional financial controls should be in place and reviewed on a regular basis, possibly with an independent internal audit function. Fraud prevention will be enhanced through organizational structures like effective separation of duties.

2. Establish Hiring Procedures

The person you hire may be a future fraudster. The hiring process is an opportunity to look into the background of an applicant to look for factors that may indicate risk. Where it is legal, and following best practice guidelines strictly, employers can run a variety of background checks to get a fuller picture of an applicant’s character.

3. Train Employees in Fraud Prevention

Employee training can go beyond the code of ethics. Employees are on the frontline of fraud, working with others every day and working with the systems and controls that are potentially vulnerable to fraud. These employees need to be aware of the signs of fraud both in evidence (such as breeches of a control), and in the behavior of their colleagues. One of the most difficult factors of fraud to combat is the pressure employees may feel to look for ways to commit fraud.

4. Implement a Fraud Hotline

A straightforward way to improve fraud detection is a fair and anonymous hotline for reporting potential frauds. A tip has long been the most important source for fraud reporting, and the hotline can facilitate it.

5. Increase the Perception of Detection

Fraudsters’ number one concern is getting caught. An anti-fraud culture in which there is regular training, communication, and discussion about fraud makes it clear to the potential thief that he or she will be under surveillance. When fraud does occur, the organization has to act decisively to prosecute, sending the message that the crime will have consequences.

Taking these steps can reduce the risk of occupational fraud. In the long term, the improved channels of communication up and down the organization may also help establish a happier workplace, which is a further barrier to fraud.

Teamwork is usually a good thing. Many organizations work hard to increase its effectiveness because well-coordinated activity can boost productivity and improve outcomes. Unfortunately, the effect of multiple people colluding to commit occupational fraud and abuse has the same kind of effect as good teamwork by increasing the impact of the crime.

Greater Collusion = Greater Loss

The Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse shows that the greater the number of people colluding in a fraud, the greater the loss. The median loss for a lone fraudster was $85,000, while losses where 5 or more colluded was $833,000.

It’s important to note that about 48% of the cases covered by the 2016 report involve collusion between two or more people. However, fraud by collusion was detected in about 18 months as compared to 16 months for the lone fraudster, so the duration of the fraud was not the prime source of the higher cost of collusion. In any event, the frequency and higher cost of collusion means that this form of fraud is a serious threat.

Working Together to Defeat Controls

Collusion may enable fraudsters to defeat controls based on separation of duties, independent verification procedures, or other procedural methods intended to reduce fraud or failure. Certainly, employees are expert in the application of controls where they work every day. When two or more of them coordinate activity meant to defraud the organization, they can defeat the controls at least for a time.

How to Detect Collusion

Detection of clever collusion schemes may be improved by setting up automated tracking or standardized analytical systems that flag unusual behaviors. For example, numerous transactions on a dormant or very low volume account or transaction amounts outside normal limits may indicate fraud. The system might flag changes in employee behavior, such as failure to take a vacation for a lengthy period of time or a significant change in working hours. The system might be designed to create norms for behavior in a given type of job and compare each person in that role to the norm. Outliers’ of behaviors could be scrutinized more closely.

Prevention is the Best Medicine

Of course, prevention is better than detection because detection means that fraudulent losses have already occurred. Potential fraudsters may leave a trail based on internal searches, such as searches for accounts whose inactivity means that they would not be regularly monitored, helping them to escape detection.

More straightforward, a well-designed hiring process with effective background checks, plus regular training in fraud prevention can help to create a workplace culture where fraud is not tolerated. Multiplying the number of people who would report suspicious behavior is probably the most effective means of fraud prevention, including collusion to commit fraud.