Wednesday 16 January 2013 by Stephen Peters
Lawyers should be aware of the dangers of insider fraud when advising their clients, as the damage can be catastrophic for a business - no business is immune from the danger, not even law firms themselves.
The reality of corporate fraud is that it is an all too common occurrence. Fraud levels remain high - seemingly regardless of market conditions - and the sad truth is that the guilty parties are often found at the very heart of a business, frequently key staff and trusted suppliers. Economic losses are usually the first visible effects, however the reputational damage of a public case can be worse, hurting an organisation's future earnings significantly more. As management teams start to reflect on the year and commence planning for 2013 the top priority should be to safeguard against sophisticated fraudsters - they may be closer than you think.
Although it is dangerous to try to portray a "typical" fraudster - anyone can be one and there is no formula that can be applied to identify them - there is various anecdotal evidence that suggests employees are often involved, be that directly or indirectly.
I have seen growing evidence of fraud that uses confidential information, apparently sourced from the victim company. The perpetrator uses this information to establish a degree of credibility as to his or her authenticity, thereby, for example, facilitating the erroneous transfer of funds. There can be little doubt that, in such cases, this information was possibly supplied by an employee of the victim. Moreover, it is often very mundane information, such as bank account details and other customer-related information, which can be used to establish credibility and facilitate fraud.
However, it is not simply this superficial legitimacy that determines the success of the fraud. In order for fraud to be perpetrated, there must be either a fundamental lack of basic internal controls in safeguarding payments or a simple failure to observe them. It is critical to ensure that all employees understand the importance of protecting information available to them, regardless of its apparent trivial nature.
It is virtually impossible to be 100% secure against an attack from a determined, sophisticated and knowledgeable fraudster. Yet barriers can be put in the way which will deflect fraudulent intent. Having effective internal controls in place, ensuring that these procedures are followed and, critically, that the existence and application of procedures is well known should mean that the fraudster will tend to look for softer targets.
It is also important to recognise that fraud does not only impact victims through the actual crime; it can and does have a longer lasting adverse effect on trust. One of the characteristics of information theft is that it is often difficult to be able to prove where or who it came from - even after detailed forensic investigation. Thus, an organisation that becomes a victim of information theft can find itself in a situation where there is an internal breakdown of trust and working relationships. Members of staff can become suspicious of one another and protective of their own areas of responsibility. This can soon escalate into an unpleasant and insular working environment.
So how can you prevent you or your organisation from becoming a victim? In relation to information theft there are two areas that should be considered: (i) the HR process which ensures that all new staff are vetted appropriately; and (ii) ensuring internal controls are respected, applied and reviewed regularly.
In relation to the HR process, the key to effective vetting is "knowing your employee". It is self-evident that this starts at the recruitment stage where potential employers should request, follow up and obtain references from previous employers as a matter of course. In addition, employers should also obtain evidence of identity - passport, driving licence, proof of address - and in certain circumstances perform enhanced due diligence checks. This will highlight issues such as previous convictions, potential indications of financial problems and any adverse press reports which may impact employment. Such checks should not be limited to new employees. Employers should consider a rolling programme to undertake background checks on existing employees in the same manner.
With regard to internal controls which seek to minimise the improper dissemination of information outside of the organisation, we would recommend that companies ensure that:
Most of these points are common sense, and may already be in place. However, it is one thing to have procedures and operational instructions, it is quite another to ensure that they are consistently applied and, when they are not, that adequate and timely warning is made to the appropriate personnel. To the last point, if an issue becomes apparent, it is also important that external advice is sought and a detailed investigation undertaken.
Stephen Peters is director of BDO Forensic Services