This is part 4 of the five-part series “Business and Financial Fraud: Yesterday, Today, and Tomorrow” with Tom Fox and the FCPA Compliance Report. During the series, Tom was joined by K2 Integrity experts Joanne Taylor and Ray Dookhie for a discussion of how organizations can identify and mitigate fraud risk.
Organizations are often surprised to learn that the most effective and straightforward tool available to help detect fraud is a properly operating whistleblower hotline. Case in point, a recent Association of Certified Fraud Examiners (ACFE) survey noted that whistleblowing tips are the most common way to discover fraud, with more than 40% of survey participants indicating their cases came from a whistleblowing tip—nearly three times as many cases as the next most common detection method. Bottom line: Firms that have a whistleblower hotline in place detect fraud more quickly and minimize losses more effectively than those organizations that do not have a whistleblowing hotline.
Whatever channels an organization uses for whistleblower reports—a hotline with a phone number, an email address, an electronic platform, or some combination thereof—it is important to test all of those channels regularly. Such testing will identify problems such as a hotline email address that is managed by one person who then retires, leaving notifications to go unread. A recent UK case, in which a major insurance company failed to test its line for a period of several months and employees could not make an anonymous report, highlights the point. Having an inaccessible hotline is a violation of regulations under the UK Financial Conduct Authority; the firm landed itself in hot water when a simple periodic test could have identified the issue very quickly.
Another important part of a fraud detection program is approaching it from a holistic standpoint, rather than simply using a snapshot view. Waiting for an internal or external audit in order to detect fraud will limit the program’s effectiveness. Audits are focused on particular ways of looking at the control environment, but they are not necessarily geared to detect fraud that is happening right now. The solution? The fraud health check. This interim tool takes the combination of data analytics and the organization’s data sets, together with an investigative mindset and approach, and runs the data against fraud scenarios that apply to an organization.
The wide variety of fraud types found in organizations—ranging from the traditional pilfering of money, to insider stock trading, to paying ghost employees, to the theft of company products, equipment, and services—calls for a variety of detection protocols and skill sets. There needs to be alignment and cooperation between an organization’s fraud team and its cybersecurity incident management team to counter the crossover between classic and newer fraud scenarios.
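The fraud health check described above runs an organization’s own data sets against the fraud scenarios that apply to it. The following is an added example, not code from the article or from K2 Integrity, that does this for two scenarios the series names: ghost employees on payroll and a payee bank account shared by several employee records. The HR master, payroll run and field names are constructed for illustration.

```python
"""Minimal fraud health check: run constructed payroll and HR data against
two fraud scenarios (ghost employees and shared payee bank accounts)."""
from collections import defaultdict

# Constructed HR master: employee id -> (name, status). A ghost employee is
# one who is paid but is unknown to HR or is recorded as terminated.
HR_MASTER = {
    "E100": ("Ana Ruiz", "active"),
    "E101": ("Ben Okafor", "active"),
    "E102": ("Chloe Marsh", "terminated"),
}

# Constructed payroll run: (employee id, payee bank account, net amount).
PAYROLL = [
    ("E100", "ACC-1111", 4200.00),
    ("E101", "ACC-2222", 3900.00),
    ("E102", "ACC-3333", 3900.00),   # terminated in HR but still paid
    ("E999", "ACC-2222", 4100.00),   # unknown id, paid into E101's account
]


def ghost_employee_check(payroll, hr_master):
    """Return (employee id, HR status) for payroll ids not active in HR."""
    flagged = []
    for emp_id, _account, _amount in payroll:
        status = hr_master.get(emp_id, (None, "missing"))[1]
        if status != "active":
            flagged.append((emp_id, status))
    return flagged


def shared_account_check(payroll):
    """Return bank accounts that receive pay for more than one employee id."""
    by_account = defaultdict(set)
    for emp_id, account, _amount in payroll:
        by_account[account].add(emp_id)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def run_health_check(payroll=PAYROLL, hr_master=HR_MASTER):
    """Run every scenario and return the combined findings for review."""
    return {
        "ghost_employees": ghost_employee_check(payroll, hr_master),
        "shared_accounts": shared_account_check(payroll),
    }


if __name__ == "__main__":
    for scenario, hits in run_health_check().items():
        print(scenario, hits)
```

Each finding is a lead for an investigator to follow up, not a conclusion; a terminated employee receiving a final paycheque is a legitimate explanation the analyst must rule out.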
One type of fraud that all organizations should be on the alert for as the world moves into year two of the pandemic is business email compromise fraud. Often the fraudster poses as a vendor to the organization, or as the CFO or CEO. To counter this prevalent type of fraud, continue to train the organization’s treasury team, and make sure that staff are trained to recognize malware and phishing attempts.