The corona crisis has created a new dynamic within organisations. Many people are working from home, new digital tools are being used and processes are running slightly differently than usual. It is the perfect breeding ground for fraud. What can organisations do to prevent fraud? And how can supervisory directors monitor fraud prevention practices?
Dirk de Hen is a Partner in BDO’s Forensics & Technology Group. In this capacity, he is involved in fraud investigations at clients and provides support to trustees in bankruptcy proceedings. In this article, he explains why, now more than ever, it is important for supervisory directors to remind their executive colleagues of the need to pause and take a close look at their internal fraud controls.
Corona crisis: a breeding ground for fraud?
Because of the current public health crisis, many organisations have adopted alternative working methods. Dirk de Hen believes that these might well increase the risk of fraud: ‘People engage in remote and online teamwork. In some cases, the standard procedures they used to follow are no longer tenable. What’s more, the soft controls of many organisations, which tend to play an important role, are now less effective. This impacts the management of fraud risks because of the related increase in the opportunity to commit fraud. The fact that we live in uncertain times is also contributing. Employees are concerned about their company’s financial performance and worry whether or not their employer can rely on economic support measures if need be. This may lead to pressure to manipulate a company’s financial reporting.’
Roughly speaking, there are a number of types of fraud, all of which are more likely to occur during this public health crisis. ‘There’s the classic type of fraud, which entails an employee stealing money or goods from their employer. Another type is reporting fraud: figures are doctored to make them look better or worse than they actually are. And then there are fraud risks that are prevalent now that people are working from home, such as phishing emails. The Dutch National Cyber Security Centre (NCSC) has already issued warnings about this type of fraud. Finally, organisations need to be alert to CEO fraud, particularly now that their employees are interacting less. This is a type of fraud where a fraudster pretends to be an employee or customer and makes an urgent payment request,’ explains Dirk de Hen.
The fraud triangle: opportunity, pressure and rationalization
Using the fraud triangle, Dirk de Hen shows us how the current crisis might increase the risk of fraud. ‘The three elements in the fraud triangle are ‘opportunity’, ‘pressure’ and ‘rationalisation’. If these elements come together, individuals are incentivised to commit fraud. A person must obviously see an opportunity to commit fraud. The risk of fraud is enhanced as the pressure on an organisation or employee increases, whether it be pressure on the company to achieve certain financial results or personal financial pressure. The third element is rationalisation, i.e. how fraudsters try to justify their actions to themselves. You can clearly see these three elements popping up in the corona crisis.’
What do you mean exactly?
‘Well, a fraudster sees opportunity because people are working from home and are interacting less. Take, for example, invoices that need to be signed off before they’re paid. Because people are not in the office as much, it can be difficult to determine whether goods or services have actually been delivered. The organisation may put pressure on employees to present certain financial ratios and to make the figures look better than they actually are. Or worse, so that the company can avail itself of the economic support measures the government has made available. Employees may also experience pressure if they fear that they’ll be made redundant and feel the need to create an emergency fund.’
Fraudsters basically come up with all sorts of arguments to rationalise what they did. Dirk de Hen explains: ‘People may believe it’s unfair that they’re in danger of losing their job if they’ve been with an organisation for years. We’ve seen enough examples in the past of employees appropriating company property for this very reason. There may also be business reasons. A business owner may think that they can avoid problems with financiers by sugar-coating the figures now, fully expecting to make up for a deficit in the next quarter. What we’re seeing is that the breeding ground for fraud in these exceptional times of corona is becoming more fertile.’
Internal control infringements
So, how do you manage this increasing risk of fraud as an organisation and how do you ensure that the chance of fraud is minimised?
‘In my view, it’s crucial that an organisation evaluate its internal controls. In the current situation, duties aren’t being segregated and processes aren’t routed as usual, which is why a company should review whether additional controls need to be put in place. Depending on the size of the organisation, this would be the responsibility of the CFO or the internal audit department. Risk managers should obviously focus on this as well.’
‘In these turbulent times, organisations don’t always have the time to look into the nitty-gritty of their internal controls right away. But they’d be well-advised to at least check their back-up and retention procedures. If details, such as financial information or email and systems logs, are retained properly, incidents can be investigated adequately after the fact should the worst-case scenario have materialised. If these details aren’t retained properly now, they can’t be retrieved later. That not only makes it more difficult to follow up on an incident, but also complicates the bolstering of the internal control structure that’s required to prevent similar incidents from happening in the future.’
The fact that effective internal controls are not just nice-to-have is reflected in the increase in the number of incidents. Dirk de Hen explains: ‘We’re already seeing an increase in the number of incidents, for instance in the frequency of phishing emails, which were recently in the news again, but also in instances of CEO fraud. Employees used to be able to drop by the CFO’s office to check whether an invoice was correct and could be processed for payment. They can’t do that now. What’s more, many executives are in calls all day, making them more difficult to contact. This infringes upon an organisation’s internal controls.’
So, what can supervisory directors do to deal with the increased risk of fraud in organisations?
In Dirk de Hen’s view, they should constantly draw attention to this risk: ‘Obviously they should ask their executive colleagues whether they’re paying mind to the increasing risk of fraud, what controls are in place and how the Executive Board is trying to mitigate this risk. Supervisory directors can also ask to be kept in the loop by the organisation’s crisis team or incident response team.’
Please do not hesitate to contact Dirk de Hen, Partner at BDO Forensics & Technology, if you have any questions about this article or require more information. Just send an email to [email protected] or call +31 (0)30 6336 271.
Read More Insights