Usually when one thinks about fraud at a company, the first thing pictured is an outside intruder. Or it might be some kid in a dark basement hacking into the company servers. However, one of the greatest threats to any business might be sitting in a cubicle at the business’ shop or office.
For governance to be a real deterrent at companies, it is not sufficient for their internal controls to simply ‘be in place’, but for those controls to be rigorously enforced and that they be clearly seen by staff as being enforced from the highest echelon of management. Internal fraud is facilitated by two things: technology; and internal controls in businesses not at a level they should be to cope with new forms of threats – whether that business is a large corporate, a privately-owned business or an SME.
The reason lies with one of the unintentional side effects of technology. It has evolved in such a manner over the past ten years as to make it so much easier for employees to perpetrate internal fraud against their employers. It is feasible today for a company to receive a fake invoice or bank statement that to the unsuspecting eye can pass every test of legitimacy.
Pre-Covid, most companies had strong controls over what was invariably office-bound personnel. These required paper-based or online requests before permitting anything. While employees may have occasionally bridled against it – they were there for a reason. Then the suddenness of the 27 March 2020 lockdown left no time for companies to alter their controls to a remote working environment. As best they could, in order to simply survive companies had to re-engineer their procedures and processes to cover staff working at home. In the meantime, staff had every excuse for overriding controls ‘because they’re not in the office’ when for example loading payments.
Internal controls have consequently been in many instances seriously compromised under conditions of hybrid working. Even outside Covid, on top of its more positive attributes digitalisation has dramatically ratcheted up the speed of action to the extent that businesses can all too easily lose their security filter under this veritable bombardment of data.
Auditors are trained to exercise scepticism, while management’s focus is often the empowerment of its people. This latter attitude can hide from view a more discerning analysis of the true ethical and moral nature of an employee.
Theft typically starts off gradually in petty form such as stealing company time by spending an inordinate number of hours on social media during worktime. Consistently getting away with it may encourage a morally weak individual to start pinching stationery and finally emboldening them to bigger items, even the cash box. Through its lax controls, a business enables this behaviour and unbeknownst to management a seemingly mild person has become moulded into a fraudster within its ranks. The company has become a victim of fraud from what initially appeared a normal individual, and in some cases even the perfect employee.
This is because breakdowns in control stimulate the worst in people. It stimulates temptation: we have seen a rapid rise in poverty in South Africa as cost-of-living increases and unemployment have shrunk the traditional middle class. An employee may suddenly be drawing the only income in a household. In such an environment, a computer-savvy individual with inside knowledge has the wherewithal to rather easily think up a plan to commit fraud. With weak controls and unsuspecting management that person is likely get away with it.
The answer is for management to change the culture of the organisation. Staff need to see management overtly performing daily checks, balances and reviews throughout every level of the organisation. Staff need to be left in no uncertainty that their work will be doublechecked and consequently that even the smallest misdemeanour they have committed will be unearthed sooner rather than later.
One of the easiest forms of fraud to perpetrate is to load a beneficiary with one’s own bank account details. Bank systems do not verify those details against their own records, so this has to be done through the company’s controls.
Companies must begin to tighten controls with an attitude of zero tolerance towards any form of unethical behaviour – instilled from the top of company management. Owners or executives have to lead by example. This implies that the concept of ‘unethical behaviour’ not be limited to actual crimes but to embrace any inappropriate behaviour between employees.
In fact, it should even include behaviour outside the workplace or on social media that is out of sync with the ethos of the business. A company can become tainted by its employees’ personal behaviour.
- Marc Edelberg partner at Mazars in South Africa