Fraud: Dig deep

Crises bring out the best in people – and the worst. One reason is that the temptations and opportunities for fraud and corruption rise rapidly. The Covid pandemic, with its associated economic downturn, rapidly changing work norms and a slew of government financial initiatives, has been particularly fertile ground offering the seeds for fraudulent activity a fertile environment for growth and, often, shade from scrutiny and oversight.

Fear and chaos create situations that exacerbate our natural tendencies to make mistakes and override our usual levels of caution and scepticism. “Snake oil” merchants spring up in every plague, offering miracle cures and playing on people’s desire to take positive action to make themselves safer.

These cures can be financial as well as physical and news outlets have highlighted concerns that more people have turned to gambling and other desperate ways to restore tottering fortunes while stuck at home worrying about their jobs and their businesses. Governments around the world have offered financial back-up programmes, but these bring their own risks as new systems conceal hidden vulnerabilities that can be exploited by fraudsters, or mistakenly misused by people who may subsequently find themselves the subject of investigations, repayment charges or even prosecution.

At the same time, a crisis gives organisations and individuals incentives to take risks that they would never normally sanction. Some who would usually be sticklers for rules and procedures will have bypassed these, inadvertently exposing themselves to a range of legal, regulatory, financial and reputational risks, including fraudulent activity.

This was evident when organisations, including governments, entered the global fray to compete for personal protective equipment (PPE) in the first wave of the pandemic. Established due diligence practices were bypassed as employers panicked, prices rocketed and manufacturers around the world hastily marketed themselves as suppliers of new types of products. Some were honest. Some had honest intentions, but were unable to provide the quality required. Others deliberately exploited lax controls and a booming market. Many organisations took on new suppliers with minimal checks only to find they disappeared as quickly as they were set up and they had no recourse if goods were substandard or never arrived.

The government, normally subject to stringent procurement controls, was not immune. At the end of November, the National Audit Office (NAO) reported that UK government processes for procuring PPE and other urgent goods and services earlier in the year lacked transparency and were inadequately documented. Of the £17.3bn spent on new contracts to suppliers, £10.5bn had been awarded directly without a competitive tender process and often without any documentation explaining whether other suppliers were considered, or whether risks or potential conflicts of interest were discussed.

One in ten suppliers was processed through a “high-priority” channel, with little evidence about why they had been selected. Some contracts were back-dated to before the pandemic, which makes measuring their performance and assessing their value for money more difficult.

This demonstrates why all organisations, even those that have historically strong controls and see fraud as a low-likelihood, low-impact risk, should now review their policies and exposure to fraud. Payroll, for example, is often perceived as a dull, well-controlled element of finance, yet it is set to be one of the biggest areas of compliance and fraud reviews by the UK tax authorities in 2021 because of the risk that employers may have improperly, illegally or accidentally claimed billions of pounds in furlough payments and benefits.

Incidences of workplace fraud are also likely to have risen. Remote working has reduced management’s oversight of employees, economic pressures will make some staff more anxious to outperform their colleagues, potentially encouraging more risky behaviour and tempting people to “massage” sales records or “bury” complaints, while staff who have been furloughed, and/or feel they could lose their jobs may resort to helping themselves to stock, equipment or cash.

Assess, advise and monitor

Internal audit has a clear role to play in warning management about these risks and helping to review fraud prevention and detection strategies, but auditors need to set clear boundaries about the profession’s level of involvement. 

Liz Sandwith, chief professional practices adviser at the Chartered IIA, reiterates that it is not internal audit’s responsibility to identify or detect fraud: that job lies with management. However, she clarifies: “It is our job to make sure that the organisation has an enterprise-wide fraud risk assessment to find areas that might be exposed to incidences of fraud and to encourage managers to put sufficient controls in place to detect fraud.” In addition, internal audit should monitor how effective these controls are in practice.

While internal auditors must be careful that they are not made responsible for managing fraud risks, Sandwith believes that they could be “more vocal” about where these risks may occur and should flag up the areas of the business that are prone to them. Auditors could also urge managers to be more proactive about telling employees what will happen to them if they are caught committing fraud.

“Internal audit can help to raise fraud awareness as part of an effort to improve the organisation’s fraud risk culture by simply making it clear that fraud risks present themselves in areas where staff have direct control over money, such as accounts and procurement, and in less obvious areas – for example, in sales and marketing where employees have direct contact with clients,” Sandwith says. “Internal audit can also communicate the organisation’s tolerance for fraud and make employees aware of the presence of fraud monitoring processes so people think twice before attempting it.”

Prompt the right questions

Assurance functions – including internal audit – can help organisations to review their fraud risk assessment by encouraging management to ask simple, but probing, questions, such as how have risks changed? Where does money go out now? How has segregation changed? And where is the biggest lack of oversight?

Sven Probst, lead partner for professional services firm Deloitte’s forensic team in Switzerland, says internal audit needs to ensure that management asks key questions about whether a shift or reduction in resources increases the risk of physical misappropriation of assets; whether people dealing with government officials are trained about what they are allowed to do and not do; and whether “risk reminder” communications are sent regularly to staff so they know that zero tolerance to fraud still applies even in a crisis and that they should report any suspicious behaviour.

Research released in November by risk management consultancy Kroll found that two-thirds of nearly 200 internal audit professionals surveyed said fraud risk had increased since the shift to remote working, but serious challenges are hindering better management of these risks. Over a third of respondents said that lack of financial resources was the biggest barrier to effective fraud management, while over a quarter said a lack of internal education about the value of internal audit in fraud risk management was unhelpful.

Proactive fraud measures

Matthew Weitz, associate managing director at Kroll, emphasises that there are many ways in which internal audit can support management’s practices around fraud risk. For a start, the function can work with the HR function to check whether employee fraud policies and investigative and disciplinary processes are adequate, and auditors can assess how the organisation’s “anti-fraud” stance is being communicated and whether it is understood by employees.

Internal auditors can also feed into the organisation’s fraud risk framework by giving feedback and advice on controls and procedures. Weitz suggests that auditors work with second-line assurance functions including HR, IT and compliance and review whether they have appropriate measures in place to detect, report and mitigate fraud risks.

As in other areas, internal auditors could boost the company’s performance and the function’s reputation by being more proactive and suggesting areas where they can offer audit expertise. “Internal audit can look at getting areas of the business where fraud is most likely to occur to conduct more regular reviews,” Weitz suggests. “The function could act as a ‘trusted adviser’ and suggest controls that may make fraud detection easier and procedures to make fraud reporting simpler and quicker.”

He adds that, as part of a risk-based approach, internal audit can use its skills and knowledge of the organisation to support proactive data analysis in search of potential anomalies. “Our research made it clear that internal audit plays a vital, but often undervalued, role in fraud risk management,” Weitz says. “Empowering internal audit to feed into strategic fraud risk management has several benefits. Auditors’ input can help management to identify fraud more quickly, which then allows efficient investigation and remediation processes to be deployed more easily when issues occur. Empowering internal audit has always been important, but it is now vital to the continued fight against fraud.”

Fraud may not be at the forefront of many auditors’ minds. However, as we look back over a turbulent year – and expect more turbulence to follow – organisations where fraud has traditionally not been a high-risk priority must re-examine their assumptions about the way this risk is managed and communicated. Internal auditors can help to eradicate any fraudulent weeds before they become established. 

This article was first published in March 2021.