In March 2018, the Accounts Commission published its ‘Report on significant fraud’ on the audit carried out in 2016/17 within Dundee City Council. The case in question concerned an employee of the Council who was able to embezzle more than £1 million over a seven-year period, despite annual audits taking place. The report cites ‘failures in fundamental controls within the council allowed this fraud to continue over a prolonged period’ and goes on to indicate that ‘the extent of the fraud, between August 2009 and May 2016, could have been limited if the local authority had addressed significant weaknesses in its invoicing systems’.
Whilst this particular case is one of the most recent and has a high value attached to the fraud, it is not isolated. A search on the internet can reveal several cases of differing value involving public, private, and third sector organisations.
What do we mean by Fraud?
Section 1 of the Fraud Act 2006 broadly defines three main types of fraud:
- Fraud by false representation
- Fraud by wrongfully failing to disclose information
- Fraud by abuse of position.
Fraud can be perpetrated by a customer, an employee, or a supplier and can take many forms including Procurement Fraud, Travel and Subsistence Fraud, Exploiting Assets and Information, Payment Fraud, Receipt Fraud, and False Accounting. According to UK Finance, in 2017 the financial industry stopped an average of almost £4 million in unauthorised fraud every day.
The management of fraud risk must form part of an organisation’s Corporate Governance arrangements, which include effective systems of internal control (financial, operational and compliance) with a view to the achievement of the Council’s priorities/objectives.
Risk taking is an essential part of business in order to progress, grow, produce innovative products and efficient services etc. and the management of that risk is critical to success.
Therefore, risk assessment is a keystone of Corporate Governance that helps you identify where you may be at risk from fraud, assess the level of risk, implement controls to reduce those risks where possible, and stay in control.
Fraud is a threat to an organisation’s ability to ensure it manages its financial affairs. During the risk assessment, you will identify proactive controls to prevent and detect it, and reactive controls to respond to suspicions or allegations of fraud.
Note: Later this year (2018) we plan to launch an online self-assessment tool for clients to use when carrying out a risk assessment for fraud.
The first step to carrying out a fraud risk assessment is to identify your vulnerable assets. These include, but are not limited to, buildings, money, and customer data. They are valuable to your organisation. Also consider the potential scale of fraud.
Once you’ve identified them, you’ll need to think about how to reduce the chances of those assets being defrauded or stolen. One strategy would be to identify why they would be of value to someone and how that person may commit fraud.
Internal threats can come in many forms and may include an employee unintentionally allowing others to commit fraud through a lack of information security procedures.
Alternatively, it may be an opportunist employee targeting the employer’s assets.
In some cases ‘unrestricted access’, as in the Dundee City Council case, will provide the opportunity to commit fraud.
1. Do you have any employees with unrestricted access to financial systems?
There was an ability to exploit a loophole, sending money to a personal account while pretending it was going to genuine suppliers.
2. Have you made proactive attempts to identify any potential loopholes in your system?
There was a lack of segregation of duties which allowed access to a number of systems, enabling the fraud to be perpetrated.
3. Is there a lack of segregation of duties for any employee who has access to financial systems?
Internal controls such as system reconciliations were not carried out, or were ineffective, resulting in failure to identify payments as anomalies for further investigation at an early stage.
4. Do you have an effective system of reconciliation which would identify anomalies?
Next, build controls into your routine business processes. Ways of doing this will vary depending on the business and asset, but will include things like managerial oversight of finance processes, ensuring that one person cannot transfer high value assets by themselves or without sign-off, regular checks and audits of your assets, and restricting access to key assets to only those who need to use them. To prevent fraud there must be an understanding of the causes that allow fraud to occur, and the means by which to carry it out.
There are simple things you can do to begin to protect yourself from threats within your business.
Anti-fraud policy statements
Adopting an anti-fraud policy statement is one way of communicating a strong fraud prevention message to your staff.
Such a statement, endorsed by the head of the organisation, provides a clear understanding that the organisation promotes a zero-tolerance culture to fraud.
Most employers now engage in pre-employment checks and this can be useful in reducing the chances of internal fraud. Always ask for at least two independent references when taking on new staff and verify their personal information and background wherever possible.
Monitoring of employees’ performance is standard practice these days and helps understand what makes a person the type of employee they are. It can also unearth internal threats to your organisation. Identifiable behaviours can include a sudden change of lifestyle, unexplained wealth, a reluctance to take a holiday or promotion, or being scornful of systems and controls.
In almost all cases there are simple explanations for these behaviours, but it is sensible managerial practice to be alert to the possibility that those acting out of character could be up to no good. Remember, even long-serving employees could be tempted to commit fraud under certain circumstances, so it is equally important to watch out for any strange behaviour in those you think you know well.
Detection is about having a system of checks and balances to ensure things are working as expected.
Many public sector organisations are now employing dedicated Fraud Officers to develop and implement proactive preventative systems, and react to allegations.
All public sector organisations, charities etc. are subject to an external auditing programme, and this is one system which may pick up some anomalies in accounting and financial management. However, this can be a general overview rather than an in-depth audit. The internal auditing system should be more effective, as those carrying out the audit should be aware of the internal working of the financial systems, and other systems which link in to this, and may not be constrained by timescales.
However, as was the case with Dundee City Council, auditing systems were ineffective at identifying the perpetration of fraud.
Where the results of the risk assessment indicate that there is a potential for fraud on a large scale, there is an option to take out insurance as protection against loss of funds.
Fidelity Guarantee insurance is an insurance policy designed to indemnify the insured (the employer) for the loss of money or property sustained as a direct result of acts of fraud, theft or dishonesty by an employee in the course of employment.
The policy pays the actual financial loss sustained as a result of the dishonest or fraudulent act of the employee.
Fraud has the ability to impact upon the organisation’s reputation and financial stability and will ultimately affect the achievement of objectives. All Councils should have identified fraud as a risk on their Operational Risk Register, if not their Strategic.
How can we help you?
For more advice on how we can help lower the cost of your risk, please email UK.London.RMPartners.firstname.lastname@example.org