Uncertainty and financial necessity are a breeding ground for fraud, so was the pandemic a fraudster’s perfect storm? There are several red flags directors should be aware of to mitigate the risk posed by workplace deception, write Sara Deady and Matt Fehon AM GAICD.
There are two main reasons we’ve seen the threat of workplace fraud increase over the past two years and directors must be alert to these. Firstly, the conditions brought by COVID-19 shifted board and management focus to managing the business changes necessitated by ongoing lockdowns. As a result, we have seen a significant lag in changes to controls. This presents a raft of challenges to boards, which may be operating in an environment where the usual governance and controls are missing — unbeknown to them.
Secondly, employees have encountered motivations and opportunities that didn’t exist in a pre-pandemic world. Financial pressure on families and businesses can lead good people to take risks and make decisions they wouldn’t otherwise. This presents a risk to business where the opportunity to commit workplace fraud has been rationalised as an attractive and necessary option.
Since the onset of COVID-19, a number of high-profile financial crime investigations have hit the media, including the alleged fraud perpetrated by an equipment leasing company to undertake what has been described as one of the largest frauds in Australia. While no two frauds are the same, and different industries will be targeted in various schemes, it’s important for all directors to know that at the centre of all frauds are people and technology. Whether you’re a director of a major bank or of a small charity, there are some basic lessons, red flags and indicators that directors can take from such matters.
In the past year, significant custodial sentences have been handed down to former NAB executive Rosemary Rogers and former Moriah College finance manager Gus Nosti. Both cases serve as important reminders to directors of the threat and impact of fraud, should red flags be ignored. In each of these long-standing matters, suspicions had been raised and denials provided. While the investigations were very different, the warning signs were nothing new (see the red flags listed at the end of this article).
In the case of Rogers, her sentence for defrauding NAB highlighted the obfuscation of controls to collude with an outside supplier and receive significant kickbacks, which also resulted in unwanted media attention. With Nosti, a financial controller worked alone to override segregation of duties to steal $7.4m across many areas of the business during a 15-year period, severely impacting the close-knit school community.
Has oversight waned?
McGrathNicol has also noted a significant spike in the number of fraud investigations into the behaviour of senior executives in the past 12 months. These range from not declaring a conflict of interest in procuring services and providing kickbacks to secure work, to the abuse of credit cards and submitting false invoices for personal expenses.
These may seem like small misdemeanours, but they expose a company to significant legal and reputational risks as well as having a protracted organisational impact and causing the diversion of key resources.
Fertile ground for fraud
With a booming mergers and acquisitions market, and businesses keen to build momentum after the pandemic, directors might be forgiven for focusing on growth and not scrutinising the heightened environment for fraud. In fact, the uncertainty driven by the impact of COVID-19 has stimulated the conditions that enable fraud. This presents internal and external threats to organisations.
So where should financial crime risk sit on the board agenda? AON’s 2021 Global Risk Management Survey reported cyber attacks or data breaches as the number-one risk across all sectors. But what about other types of financial crime? Is this something directors should be more alert to — and what questions should they be asking?
An Australian Institute of Criminology report — Fraud and its relationship to pandemics and economic crises — released in May 2021, highlighted that while long-standing frauds are often revealed in times of economic crisis and pandemic, such events also tend to lend to the emergence of new fraud types, and a different kind of perpetrator. From a board perspective, this presents new risk exposures that need to be identified and mitigated.
In considering how to manage these threats and identify important red flags, directors need to consider the following questions:
1 Are you being told the full story?
A time of crisis puts exponential pressure on the bottom line. We saw this play out post-GFC. As government stimulus is wound back, what will the future look like? The pressure to weather the storm can lead executives faced with tough decisions to make the wrong move — to “delay” bad news, cut corners and misrepresent reality in the hope of brighter days ahead. Financial misstatement risk has increased. Key questions are:
- Who knew what and when?
- What projects or segments of the business are most at risk?
- Have complaints or issues been raised within particular segments of the business?
- What do the forecasts indicate? Do the figures match the story?
- Are you receiving mixed messages? Does what you are told align with competitors or the broader market?
2 Do we know what risks lie in our new products and technologies?
The speed with which business has adapted to a new way of doing things has often meant that the usual rigour around new products, distribution channels and technology solutions is lacking — creating gaps in both people-based and technology-based controls. Companies have admitted they have had to accept a level of risk in order to function, but what does that look like and how can it be measured? Key questions are:
- What will the internal audit function be considering in 2022?
- Can the data tell us more?
- How can we improve transparency and tighten controls as a new “business as usual” returns?
3 When your staff/executives walk, what might they take with them?
In 2021, organisations saw higher levels of attrition and substantial movements at management and executive levels. Key questions are:
- How is your IP protected when a member of the executive resigns?
- What data security protocols are in place?
- How do we deal with breaches of security protocols with departing executives?
- How are protocols working in a workplace that can now operate completely remotely?
- Do we know what IP, devices and information our executives have access to?
- What contractual restraints are in place?
4 Who are we doing business with?
There is no question that the way in which organisations manage their workforces has changed. It is expected that organisations will continue to expand their use of subcontractors and consultants to maintain more flexibility in workforce management post-pandemic. The vetting of counterparties and suppliers requires in-depth due diligence. Key questions are:
- How are we managing associated risks and implementing controls in this process?
- What procurement processes are in place to manage this uptick?
- Have we carefully considered the insider threat risk? How do we identify or detect potential collusion?
- How are conflicts of interest managed and reported?
5 What are your staff discussing at the digital water cooler?
As entire workforces were forced to work from home, our kitchen gossip and desk banter have moved to Teams, Slack, BlueJeans, Google Chat and Skype. Key questions are:
- As owners of this messaging service data, do we monitor it? How should we monitor it? What insights could it give us about our employees?
- Do we know how it is stored and managed? In the event of an investigation, are we able to interrogate it?
- Is confidential information being released?
6 What are your employees saying?
Employees are the best source for identifying wrongdoing. After sustained disruption to how employees can communicate, employees, customers and suppliers may feel that now is the time to report questionable conduct they may have observed or suspect. Key questions are:
- How robust are our whistleblower programs and protection mechanisms?
- What insights do whistleblower reports made throughout the pandemic provide?
- How are current reports being managed?
- Are there reports coming from certain areas of the business or a particular employee?
There is significant additional cost and diversion of resources following the discovery of a long-standing fraud, large and unexpected write-downs, or a whistleblower alleging a cover-up. All of these events often lead to significant damage to a company’s brand and reputation.
7 Are we learning from our mistakes?
The past two years have seen an exponential increase in reported cyber attacks, ransomware and data breaches from outsiders. Competitive advantage is key. Boards have a responsibility to shareholders to ensure that they are across industry events to mitigate the risk of external threats. Key questions are:
- What are our competitors seeing?
- Are we learning from our own and our competitors’ mistakes?
- Do we know why we’re being targeted?
- Are we taking those learnings to our own data and systems?
Red flags that were ignored
- An employee that appears to “manage it all” and has a response for all the questions asked, even when suspicions were raised. This extends from oversight of financial transactions and procurement, to ongoing supplier and client relationships.
- Changes in the demeanour of staff and executives – clear warning signs that shouldn’t have been ignored or dismissed. It seems obvious, but new cars, boats or homes, expensive holidays or gambling habits can be key indicators. Extramarital affairs or a marriage break-up can also be important warning signs that all is not as it seems.
- Data — there was information in the systems that could have uncovered the truth. The data held in your business holds much of the information needed to identify the red flags that could lead to the discovery of a fraud. This includes invoices and journals processed outside of work hours, supplier invoices approved by staff that appear unusual, duplicate invoice payments, changes to vendor master files, deletion of audit logs or simply the contents of email correspondence with suppliers.
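Several of the data indicators above can be checked mechanically from accounts-payable records. The following is an added example, not code from the article or from McGrathNicol, that runs three of those checks (out-of-hours postings, repeated payments of the same amount to one vendor, and a vendor bank-detail change shortly before a payment approved by the same person) over a constructed set of invoice and vendor-master records; the record layout, business hours and time windows are assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample data (not real records): invoice postings and vendor master change log.
INVOICES = [
    {"id": "INV-1001", "vendor": "V100", "amount": 4200.00, "posted": "2021-03-02T10:15", "approver": "alice"},
    {"id": "INV-1002", "vendor": "V200", "amount": 9800.00, "posted": "2021-03-06T23:40", "approver": "bob"},
    {"id": "INV-1003", "vendor": "V100", "amount": 4200.00, "posted": "2021-03-09T09:05", "approver": "alice"},
    {"id": "INV-1004", "vendor": "V300", "amount": 15000.00, "posted": "2021-03-12T14:30", "approver": "bob"},
]
VENDOR_CHANGES = [
    {"vendor": "V300", "field": "bank_account", "changed": "2021-03-10T17:55", "by": "bob"},
    {"vendor": "V100", "field": "address", "changed": "2021-01-20T11:00", "by": "alice"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def out_of_hours(invoices, start=8, end=18):
    """Invoices posted on a weekend or outside the assumed start..end business hours."""
    flagged = []
    for inv in invoices:
        t = _ts(inv["posted"])
        if t.weekday() >= 5 or not (start <= t.hour < end):
            flagged.append(inv["id"])
    return flagged

def duplicate_payments(invoices, window_days=30):
    """Same vendor and amount posted again within window_days: possible duplicate payment."""
    seen = defaultdict(list)
    flagged = []
    for inv in sorted(invoices, key=lambda i: i["posted"]):
        key = (inv["vendor"], round(inv["amount"], 2))
        t = _ts(inv["posted"])
        if any(t - prev <= timedelta(days=window_days) for prev in seen[key]):
            flagged.append(inv["id"])
        seen[key].append(t)
    return flagged

def bank_change_then_payment(invoices, changes, window_days=7):
    """Vendor bank details changed shortly before a payment; True if the same user changed and approved."""
    flagged = []
    for ch in changes:
        if ch["field"] != "bank_account":
            continue
        for inv in invoices:
            gap = _ts(inv["posted"]) - _ts(ch["changed"])
            if inv["vendor"] == ch["vendor"] and timedelta(0) <= gap <= timedelta(days=window_days):
                flagged.append((inv["id"], ch["by"] == inv["approver"]))
    return flagged
```

Each function returns only the invoice ids worth a second look; in practice these are leads for the finance or forensic team to investigate, not findings in themselves.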
Sara Deady and Matt Fehon AM GAICD are partners at McGrathNicol Forensic.