The Enemy Within: Stopping Employee Fraud

By John Verver

Fraudulent purchasing card use and travel and entertainment expenses (T&E) rank among the most commonly occurring types of employee fraud. With an estimated 5% of revenues typically lost to fraud around the world, T&E fraud alone accounts for 14.5% of all fraud uncovered.[i] In almost every organisation there are going to be employees who seek to benefit at the expense of their employer. In one case, a manager in a district branch of a telecommunications company was caught using his purchasing card to buy cattle at an auction for his hobby farm. Unfortunately, not all cases are this easy to catch.

If there is a risk that T&E or purchasing card fraud becomes widespread within an organisation, it is not difficult to imagine that total losses can represent a significant sum and can extend beyond monetary losses to reputational damage. In organisations where such fraud does become widespread, it is often symptomatic of a generally unethical attitude: “I know others are doing it—why shouldn’t I?” So what can you do to protect your organisation?

Two Key Defenses

John Verver

It’s always a good idea, of course, to start by ensuring that there are effective controls designed to prevent employee fraud. The reality, though, is that internal controls are never perfect and will inevitably be prone to failure or circumvention.  Fortunately, data analysis software can be particularly effective in identifying fraud indicators. By analysing millions of transactions and looking for a variety of indicators, data analysis can make up for control weaknesses and rapidly identify where fraud has occurred.

•  Look at the Entire Population:

One method is to analyse entire populations of transactional data for various anomalies and suspicious patterns. This does not necessarily prove fraud has occurred, but it can be a very effective way of highlighting a situation that warrants further investigation. For example, why would one employee with the same job responsibilities as many others claim 50% more in travel expenses?

•  Focus on the Transactions:

The second, and more specific approach, is to analyse transactions for indicators of known risks. For example, an employee may be authorised to use a card for purchases of specific business items, but if an analysis shows a purchase was made from a consumer store, this could be a strong indication of actual fraud.

Protected? Think Again!

Despite the reality that no control system is perfect, some organisations continue to believe they are protected from fraud by automated control mechanisms in their enterprise resource planning (ERP) systems. However, built-in controls in ERP systems often get turned off or can be circumnavigated. ERP systems are often unable to compare information from other business systems to look for red flags, so it is essential to test for suspicious transactions and patterns with software that is independent of operational systems through which transactions flow. And although spreadsheets do have the appeal of simplicity, beware of their shortcomings, including lack of data integrity, propensity for errors, incompatibility with standard IT regimes for critical applications, and inability to duplicate results.

Achieve Best Practices

Fraud detection analytics should be ongoing, starting with relatively simple tests and then adding tests that perform checks for more complex types of fraud. It’s also wise to move towards continuous fraud monitoring. The sooner a fraud can be identified, the quicker the fraud can be prevented from growing in size. Once a particular form of analysis has been produced to detect a specific fraud indicator, it will often make sense to repeat the process on a regular basis against the most recent transactions.

Once everything is in place to monitor transactions and all of the people and process activities are working on an ongoing basis, it may be tempting to think that the job is done. But fraud detection needs to be dynamic. Systems change, business processes change, and those tempted to commit fraud will always be thinking of new ways to “beat the system.” But if an organisation is openly and consistently evolving its transactional monitoring process, not only will preventative measures be taken to catch fraud as soon as it occurs, it will also communicate a zero-tolerance policy to deter individuals who may have been tempted to commit fraud.

About the author

John Verver, CA, CMC, CISA, is vice president, strategy, at ACL, an audit, compliance and risk management software solutions and consulting firm with a client base including more than 14,000 customers around the globe—including 89% of the Fortune 500, and hundreds of national, regional, and local governments. Prior to joining ACL, John spent 15 years with Deloitte in the UK and Canada. He is a Chartered Accountant, Certified Management Consultant, and Certified Information System Auditor, and has an honours degree from King’s College, University of London, England. www.acl.com