One of the key lessons to be learnt from the recession is that few if any companies can ignore the threat of fraud. David Alexander, the president of the UK Chapter of the Association for Certified Fraud Examiners and director of Forensics at Smith & Williamson, offers advice.
The incidence of fraud is increasing and, when it does occur, shareholders, bankers and other investors want to know what precautions the company directors had taken to prevent or limit the damage. Ignorance of fraud is no longer a defence. The ostrich-type attitude of ‘it won’t happen to me’ is no longer acceptable. Fraud is now recognised as a business risk to be managed in the same way as any other business or financial risk.
So what practical steps can we take to reduce the threat of fraud in our organisations? When fraud happens, how can we mitigate the loss and bolster the confidence of the shareholders and bankers that the directors are still in control?
The guiding principles for an effective fraud risk strategy are prevention, detection and investigation. The strategy must address all three principles in equal measure. In an ideal business world, prevention controls would be strong enough to stop all fraud, but this would also grind the company into the ground due to the sheer bureaucratic burden. Also, past experience has taught us that if a fraudster is sufficiently motivated and can justify his action, fraud will happen despite the tightest controls. We therefore need the other two principles to be able to detect fraud as it is happening and then investigate it once we have detected it or, as is more likely, someone blows the whistle.
These three principles should be linked in a virtual circle where lessons learnt from investigation are used to improve controls, where weaknesses in controls identified during prevention activities lead on to selected detection procedures, which in turn instigate investigations.
The following suggested strategy seeks to combine elements that address all three of these cornerstone principles. Many of these elements may already exist within your organisation; some may not. However, by developing a written strategy you can marshal these elements and obtain support from senior management for implementing those elements you do not have.
Explanatory foreword
Firstly, the strategy needs to be put into context. The introduction should explain the purpose of the strategy and why it is important to the company. An explanation of what fraud is, using simple examples relevant to the industry and sector, is useful here to grab the reader’s attention and make it relevant.
Relevance and responsibilities
Next the strategy should set out the general responsibilities of every employee and the specific responsibilities of particular employees. These include the Directors, both individually and collectively, Internal Audit and Human Resources. Many companies set out responsibilities for customers and suppliers. They may also publish the standards by which the company wishes to be measured. A type of ‘how is my driving?’ test.
Responsibilities for implementing the fraud risk strategy itself should also be spelled out together with a process for implementation.
Fraud Prevention
I am a strong believer that you should base any prevention strategy around the Fraud Triangle model. This model suggests that an individual will only commit fraud if they have the opportunity, are sufficiently motivated and can rationalise their behaviour. Therefore, to prevent fraud you not only need effective controls but you also need to address people’s motivation to commit fraud and their ability to rationalise their action. For example, a code of conduct, which includes disciplinary procedures, attacks the would-be fraudster’s ability to rationalise their potential action by spelling out the consequences if caught. Like the warning signs displayed in shops to shoplifters, it seeks to prick the conscience of a few, thus reducing the level of crime.
The fraud risk strategy itself is an aid to prevention as it gives a detailed indication of the company’s attitude to fraud and its level of readiness. Someone is less likely to commit fraud if they perceive they are likely to be caught. Prevention is increased therefore if you have effective detection and investigation elements to support it.
An important but sometimes controversial element of any strategy is that of communication. Clearly any strategy will be next to useless if as a document it sits in a desk drawer and is never communicated to employees. Conversely, some companies are understandably nervous about publishing what seems like a ‘how to commit fraud’ brochure or being seen to wash their dirty laundry in public. There is no simple answer to this. My personal opinion is that companies should err on the side of disclosure. As we shall see later, increasing employee awareness is fundamental to detecting fraud. Publicising detected fraud also has a powerful deterrent effect on potential fraudsters, increasing their perception of the likelihood of being caught.
Fraud risk assessment is a critical part of any prevention strategy. The assessment process in principle is the same as for any other business risk assessment but with one important difference. It is an unfortunate fact that fraudsters do not necessarily play by the rules. They lie, steal and cheat. The net result is that controls which would otherwise be effective in preventing other business risks are inadequate when it comes to fraud. Collusion between two employees or between an employee and a supplier is a classic situation with which otherwise robust controls may not be able to cope. This is another reason why a balance between all three elements of the fraud triangle (opportunity, motivation and rationalisation) is vital to any effective prevention strategy.
Pre-employment screening, if carried out diligently, can provide an effective barrier to fraudsters joining your company. A basic level of screening should be carried out on all new employees. More detailed screening should be carried out on candidates applying for sensitive roles. This should include screening not just new employees but existing employees moving into sensitive areas.
Fraud detection
To detect fraud you need to understand what the symptoms are in your company or industry. Once detected you then need to know what to do about it. Fraud awareness training and whistleblowing are therefore key parts of a successful detection strategy. All employees need a basic awareness of fraud. This can be communicated as part of the fraud risk strategy itself through the company’s existing communication channels. Certain staff, such as Internal Audit, will require more detailed awareness training. The most likely person to detect fraud within any organisation is a fellow employee. A whistleblowing procedure is therefore vital to collect and filter reports for evaluation and investigation as appropriate.
Again, the mere fact you have written and communicated a fraud risk strategy will promote the likelihood of whistleblower reports, as the would-be witness will have a detailed understanding of what will happen with their report and how the whistleblowing procedure fits into the overall strategy.
Data mining to detect fraud can be a useful addition to your armoury. Whether predicated by an identified risk or as a regular embedded test, data mining can be a quick and focused way of evaluating a suspicion prior to instigating an expensive investigation.
Exit interviews can be a valuable source of information about fraud risks. Human Resources probably already carry out exit interviews but do the results get fed into Internal Audit as part of the risk assessment process?
Fraud Investigation
With the best prevention and detection controls in place any company still has to prepare for being the victim of fraud. A well prepared company will save considerable time and effort when it happens and dramatically increase the chances of recoverability of the company’s assets. A robust and coherent response will also give confidence to customers, suppliers and investors that the company is in control of the situation.
The fraud risk strategy should detail the company’s response to a suspicion of fraud. From receiving a report through evaluating the suspicion, investigation and recovery, all elements should be detailed and responsibilities assigned. The chances of recovery diminish with every day after a fraud has been detected. It is therefore imperative that the employees affected understand the protocol for investigating the fraud, who to involve in that investigation and, as importantly, who not to involve.
Communication is again an important element within this part of the fraud risk strategy. Who to communicate with, when and what can be said are all important considerations. Calls from the media should be anticipated and pre-approved statements prepared. Communication with third parties such as suppliers and customers should also be considered where commercial relationships could be damaged by rumours circulating on the grapevine.
Conclusions
Your company may already have many of the elements suggested as part of this strategy. Also, many of these elements will contribute to more than one of the overall objectives of prevention, detection and investigation. By co-ordinating these elements into a single strategy it becomes easier to identify and plug the potential gaps in your approach as well as demonstrating to all interested parties, including the fraudsters, that you are taking fraud seriously.