Don’t forget the risk from within

Online scammers and phishing attacks have become extremely sophisticated lately. Hence, it is understandable that we are constantly warned to be vigilant and on the lookout for the next attack. But as focus shifts to looking outside the organisation, an eye needs to be kept on what is going on within the organisation. Internal fraud is often subtler, harder to spot early and may occur on a regular basis.

Smaller family-run businesses can be more susceptible than large organisations because they operate in a ‘high trust’ manner by:

  • providing their employees with greater autonomy and authority,

  • using fewer internal checks and process controls, and

  • not using third party audit services.

The classic example is where the owner is busy running their business so they let their finance manager set up suppliers, approve payments and reconcile the bank, and plan on ‘checking later’. Red flags worth paying attention to include reluctance to share duties or take leave, unusual supplier or bank-detail changes, round-sum or duplicate invoices, late reconciliations and urgent payment requests that are outside the norm, e.g. during shutdown periods such as Christmas.

If you sense something is off, start with simple checks. Scan the supplier master list for fictitious vendors or unverified bank account changes. Review one-off payments to new payees. In payroll, look for “ghost” employees, duplicate bank accounts and payments to ex-staff. In expenses, test for inflated or split claims and identical descriptions posted after hours. Keep bank, GST and payroll reconciliations current and have someone independent review them.
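The checks listed above can be run as simple rules over exported supplier, payment, payroll and expense data. The script below is an added example, not part of the original article and not any accounting package's code; the records, field names, the 14-day new-payee window, the 500 single-approval limit and the 8 to 18 business hours are all constructed assumptions.

```python
"""Fraud-indicator checks over constructed sample data (added example)."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed sample records; no real supplier, employee or bank details.
SUPPLIERS = [
    {"id": "S1", "created": date(2023, 1, 5), "bank_changed": None, "change_verified": True},
    {"id": "S2", "created": date(2024, 12, 18), "bank_changed": None, "change_verified": True},
    {"id": "S3", "created": date(2022, 6, 1), "bank_changed": date(2024, 12, 20), "change_verified": False},
]
PAYMENTS = [
    {"supplier": "S1", "amount": 120.0, "paid": date(2024, 12, 10)},
    {"supplier": "S1", "amount": 95.5, "paid": date(2024, 11, 10)},
    {"supplier": "S2", "amount": 4800.0, "paid": date(2024, 12, 23)},  # new vendor, one urgent payment
    {"supplier": "S3", "amount": 650.0, "paid": date(2024, 12, 22)},
]
HR_ROSTER = {"E1": None, "E2": date(2024, 9, 30)}  # employee id -> end date (None = current staff)
PAYROLL = [
    {"employee": "E1", "bank": "10-100", "paid": date(2024, 12, 20)},
    {"employee": "E2", "bank": "10-200", "paid": date(2024, 12, 20)},  # left in September
    {"employee": "E9", "bank": "10-100", "paid": date(2024, 12, 20)},  # not on roster, shares E1's account
]
EXPENSES = [
    {"claimant": "E1", "amount": 480.0, "desc": "client dinner", "posted": datetime(2024, 12, 19, 22, 15)},
    {"claimant": "E1", "amount": 470.0, "desc": "client dinner", "posted": datetime(2024, 12, 19, 22, 17)},
    {"claimant": "E1", "amount": 35.0, "desc": "parking", "posted": datetime(2024, 12, 12, 9, 30)},
]

SINGLE_APPROVAL_LIMIT = 500.0          # hypothetical: claims above this need a second approver
NEW_PAYEE_WINDOW = timedelta(days=14)  # hypothetical: "new" means set up within this window


def unverified_bank_changes(suppliers):
    """Supplier bank-detail changes never confirmed by a call-back to a known number."""
    return [s["id"] for s in suppliers if s["bank_changed"] and not s["change_verified"]]


def one_off_payments_to_new_payees(suppliers, payments):
    """Payees with exactly one payment, made shortly after the vendor was created."""
    created = {s["id"]: s["created"] for s in suppliers}
    by_payee = defaultdict(list)
    for p in payments:
        by_payee[p["supplier"]].append(p)
    return [pid for pid, ps in by_payee.items()
            if len(ps) == 1 and ps[0]["paid"] - created[pid] <= NEW_PAYEE_WINDOW]


def payroll_anomalies(roster, payroll):
    """Ghost employees, bank accounts shared by several staff, and pay after an end date."""
    ghosts = [r["employee"] for r in payroll if r["employee"] not in roster]
    owners = defaultdict(set)
    for r in payroll:
        owners[r["bank"]].add(r["employee"])
    shared = {bank: sorted(emps) for bank, emps in owners.items() if len(emps) > 1}
    ex_staff = [r["employee"] for r in payroll
                if roster.get(r["employee"]) and r["paid"] > roster[r["employee"]]]
    return {"ghosts": ghosts, "shared_bank": shared, "ex_staff_paid": ex_staff}


def split_claims(expenses, limit=SINGLE_APPROVAL_LIMIT):
    """Same claimant, same day: each claim under the limit but the total over it."""
    groups = defaultdict(list)
    for e in expenses:
        groups[(e["claimant"], e["posted"].date())].append(e["amount"])
    return [key for key, amts in groups.items()
            if len(amts) > 1 and all(a < limit for a in amts) and sum(amts) > limit]


def after_hours_duplicates(expenses, start=8, end=18):
    """Identical descriptions posted outside business hours by the same claimant."""
    seen = Counter((e["claimant"], e["desc"]) for e in expenses
                   if not start <= e["posted"].hour < end)
    return [key for key, n in seen.items() if n > 1]


def run_all():
    """Run every check over the sample data and return the flagged items."""
    return {
        "unverified_bank_changes": unverified_bank_changes(SUPPLIERS),
        "one_off_new_payees": one_off_payments_to_new_payees(SUPPLIERS, PAYMENTS),
        "payroll": payroll_anomalies(HR_ROSTER, PAYROLL),
        "split_claims": split_claims(EXPENSES),
        "after_hours_duplicates": after_hours_duplicates(EXPENSES),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {hits}")
```

Each rule is deliberately crude; the point is that the flags come out of data the business already holds, and that someone other than the person who keeps the ledger runs them and reviews the results.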

Don’t assume ‘John’ or ‘Jane’ would never do it; it can be the last person you would expect. The inevitable question is ‘why?’. Cressey’s fraud triangle is useful for putting it into context. It describes three factors that give rise to an increased risk of fraud if they exist simultaneously, as follows.

  • Motivation – this can arise from personal financial stress, medical events or unrealistic targets.

  • Opportunity – this can be in the form of weak controls, autonomy or minimal oversight.

  • Rationalisation – this is the self-justification behind the behaviour. A person might rationalise their behaviour to the point they do not consider it wrong. They might tell themselves it’s “only a loan” or they’re “owed” it.

After something ‘unusual’ is identified, it’s common to then realise all three existed.

To reduce the potential for internal fraud, try to do the basics right and implement procedures to balance the risk. Segregate duties so no one person can set up, approve and pay amounts. Where teams are small, use a maker–checker model with an external reviewer. Lock down supplier changes with call-backs to verified numbers and restrict who can edit vendor records. Use dual approval above modest limits and block changes to payee details after approval. Limit access with least-privilege permissions and multi-factor authentication.
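The controls in the paragraph above can be expressed as a small payment workflow in which the software, not the person, refuses the disallowed step. The model below is an added example, not from the article and not any accounting package's implementation; the role names, permission strings, the 1000 dual-approval limit and the users in the walkthrough are hypothetical.

```python
"""Payment workflow enforcing segregation of duties, dual approval, call-back
verification of bank changes and a payee-detail freeze (added example)."""
from dataclasses import dataclass, field

DUAL_APPROVAL_LIMIT = 1000.0  # hypothetical: above this, two different approvers are required


class ControlViolation(Exception):
    """Raised whenever an action would breach one of the controls."""


@dataclass
class Supplier:
    name: str
    bank: str
    created_by: str
    bank_verified: bool = True  # call-back to a known number done for the current details


@dataclass
class Payment:
    supplier: Supplier
    amount: float
    created_by: str
    approvals: list = field(default_factory=list)
    released: bool = False


class Ledger:
    def __init__(self, roles):
        self.roles = roles  # user -> set of permissions, granted on a least-privilege basis
        self.payments = []

    def _require(self, user, perm):
        if perm not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks permission {perm}")

    def create_supplier(self, user, name, bank):
        self._require(user, "vendor.edit")
        return Supplier(name, bank, created_by=user)

    def change_bank(self, user, supplier, new_bank):
        self._require(user, "vendor.edit")
        # payee details are locked while an approved payment is awaiting release
        if any(p.supplier is supplier and p.approvals and not p.released for p in self.payments):
            raise ControlViolation("payee details locked: approved payment pending")
        supplier.bank = new_bank
        supplier.bank_verified = False  # unusable until someone else confirms by call-back

    def verify_bank(self, user, supplier):
        self._require(user, "vendor.verify")
        supplier.bank_verified = True

    def create_payment(self, user, supplier, amount):
        self._require(user, "payment.create")
        if not supplier.bank_verified:
            raise ControlViolation("bank details changed but not verified by call-back")
        payment = Payment(supplier, amount, created_by=user)
        self.payments.append(payment)
        return payment

    def approve(self, user, payment):
        self._require(user, "payment.approve")
        # segregation of duties: whoever set up the vendor or raised the payment cannot approve it
        if user in (payment.created_by, payment.supplier.created_by):
            raise ControlViolation("segregation of duties: maker cannot be checker")
        if user in payment.approvals:
            raise ControlViolation("same approver counted twice")
        payment.approvals.append(user)

    def release(self, user, payment):
        self._require(user, "payment.release")
        if user == payment.created_by:
            raise ControlViolation("segregation of duties: maker cannot release")
        needed = 2 if payment.amount > DUAL_APPROVAL_LIMIT else 1
        if len(payment.approvals) < needed:
            raise ControlViolation(f"needs {needed} approval(s), has {len(payment.approvals)}")
        payment.released = True


def _blocked(action):
    """True if a control stopped the action, False if it went through."""
    try:
        action()
        return False
    except ControlViolation:
        return True


def demo():
    """Walk the controls with constructed users; returns what each check did."""
    roles = {  # fin_mgr is deliberately over-permissioned so the SoD rule, not the role, does the blocking
        "fin_mgr": {"vendor.edit", "payment.create", "payment.approve"},
        "owner": {"payment.approve", "payment.release"},
        "accountant": {"payment.approve", "vendor.verify"},
    }
    ledger = Ledger(roles)
    sup = ledger.create_supplier("fin_mgr", "Blue Cleaning", "03-333")
    small = ledger.create_payment("fin_mgr", sup, 650.0)
    big = ledger.create_payment("fin_mgr", sup, 4800.0)
    out = {"maker_cannot_approve": _blocked(lambda: ledger.approve("fin_mgr", small))}
    ledger.approve("owner", small)
    ledger.release("owner", small)
    out["small_released"] = small.released
    ledger.approve("owner", big)
    out["big_needs_second_approver"] = _blocked(lambda: ledger.release("owner", big))
    ledger.approve("accountant", big)
    out["payee_locked_after_approval"] = _blocked(lambda: ledger.change_bank("fin_mgr", sup, "09-999"))
    ledger.release("owner", big)
    out["big_released"] = big.released
    ledger.change_bank("fin_mgr", sup, "09-999")  # allowed now: no approved payment is pending
    out["unverified_bank_blocks_payment"] = _blocked(lambda: ledger.create_payment("fin_mgr", sup, 100.0))
    ledger.verify_bank("accountant", sup)
    out["verified_bank_allows_payment"] = not _blocked(lambda: ledger.create_payment("fin_mgr", sup, 100.0))
    return out


if __name__ == "__main__":
    for control, held in demo().items():
        print(f"{control}: {held}")
```

The walkthrough reproduces the classic scenario in the article: a finance manager who can set up suppliers and raise payments still cannot approve or release them, a payment above the limit waits for a second approver, and a bank-detail change is refused while an approved payment is pending and is unusable afterwards until an independent call-back has confirmed it.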

Even when business ramps up, it’s important to stick to the clear policies and processes your organisation has in place.