By: Richard Keegan | From the Adjusting Matters Blog Series – From Subsidence to BI and Beyond | Part 2 – The Trouble with Employees…
Other than the matters that our HR Colleagues have to concern themselves with on a daily basis, what if your employees start costing your business significantly more than expected? Perhaps they are interacting with the assets in unintended ways? Perhaps there is some theft or fraud, maybe with some collusion, and a scenario develops which is not just morally reprehensible but can impact on the balance sheet and profits of the business.
Employee Risk
When Employees go bad, the risks are higher than for external threats due to the level of trust extended to them to perform their role. These individuals not only have physical access to the premises and assets but are also inside the IT firewall.
Left to their own devices, certain Employees with fraud on their mind can spend their working day familiarising themselves with the controls within the business looking for weaknesses, whilst often portraying themselves as a model employee taking on additional duties and gaining additional access rights.
Underwriters of Crime policies recognise the additional risk by separating the Employee cover from that provided for external threats and control the risk by restricting the scope of covered events often from “All Risks” to a “Perils”-style wording with the addition of more stringent conditions.
The overall risk that a business will suffer a material fraud is the combination of Selection Risk, Control Risk, and Detection Risk.
Selection Risk
Can we manage the risk of employing someone who may be a high fraud risk?
It seems like common sense that employees should be screened before they are given access to the premises and the IT systems.
Referencing is the key screening check used in the UK; it was a specific condition of UK FG wordings but has been dropped by a lot of current Crime covers.
Over the years, I have seen a number of shortcomings in this respect which have led to losses including:
- Assuming that Employment Agencies have been diligent in obtaining references for temporary staff, and then allowing them to work unsupervised in finance or IT departments,
- Not using independently sourced contact details for current or past employers, allowing serial fraudsters to provide a false email address and submit their own fake references,
- Not independently verifying relevant academic and professional qualifications, allowing unqualified candidates employment and access to the business assets.
The removal of unsuitable candidates during the screening process definitely contributes to reducing the fraud risk, and the screening needs to be proportionate to the position applied for.
Control Risk
The use of procedures to define how money and assets belonging to the business should be cared for, combined with segregation of duties between staff members—preferably across different departments—significantly reduces the opportunity for fraud.
Because Employees need the freedom to perform their duties to the best of their ability, there will be occasions when trust is required and this creates additional risk. It is for this reason that the detection of the fraudulent act after the event increases in importance.
Detection Risk
Detection Risk is the risk of failing to detect ongoing fraud and is reliant on putting in place the correct controls, creating the right culture within the business, and promoting the diligence of employees.
With the knowledge or expectation that the business operates systems likely to restrict or detect some activities/transactions, a fraudulent employee may explore avenues of deception by putting through individual transactions at first to see what response is generated from the business.
There are some basic accounting controls where any variances identified should immediately trigger investigations, including: i) monthly bank reconciliations, ii) unannounced cash counts, iii) periodic or rolling stock counts, and iv) comparison of actual to budgeted financial performance.
Also, whistleblower notifications, unusual external enquiries, unrecognised suppliers or staff members, and material aggregation of payments to unrecognised bank accounts should not be ignored. Disregarding warning signs only causes more embarrassment in the long term.
To avoid raising any red flags, the fraudster primarily needs to create an accounting surplus sufficient to match the value of assets they are removing. If they are successful in doing so, the business becomes reliant for detection on the issue being tested through an audit, a change of circumstances, or simply luck.
An unexpected absence from work has led to a number of frauds being discovered. I can think of car accidents and heart attacks as instances which forced fraudsters to be absent from work and resulted in their activities being uncovered. Others have been undone whilst on holiday, when a whiff of impropriety has led to HR/IT taking the opportunity to perform an uninterrupted search of their workstation and IT accounts.
Fraud Scenarios
What are the most difficult frauds to spot?
Even in well-managed organisations it can be difficult to detect fraud when the financials are not signalling that there is a problem.
Give some thought to these examples.
Scenario 1 – Nothing to see in these accounts
- A Police investigation reviews the bank statements of a boiler room fraud victim and discovers that he received a large number of payments from a London Borough Council, alerting the Borough,
- The Borough confirms the person is their retired Chief Accounting Officer, and a review of payments made confirms his bank account received £450,000 in addition to his wages,
- The fraud opportunity arose from the Borough falling into dispute over £1m of invoices from a supplier, which, in resolution, were superseded with a single new invoice,
- The fraudster had full access rights for the finance system, used them to update the ex-supplier’s bank account details to his own, and slowly released and approved for payment the disputed invoices, triggering payments to his account,
- After submission of the payment request to the bank, he deleted the transaction from the accounting system,
- The Borough’s clerks performed the bank reconciliations, detected the rogue payments, but only viewed them individually and, being small, wrote them off.
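The check that Scenario 1 shows was missing, as an added example (not from the original article or the Borough's systems): bank payments with no ledger entry are grouped by beneficiary account, so small items are judged on their aggregate rather than written off one at a time. The account numbers, amounts and both thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample data (not from the case): (date, beneficiary account, amount)
BANK_LINES = [
    ("2024-01-08", "20-00-01 11111111", "1200.00"),
    ("2024-01-15", "40-00-09 99999999", "480.00"),
    ("2024-02-02", "40-00-09 99999999", "495.00"),
    ("2024-02-20", "20-00-02 22222222", "310.00"),
    ("2024-03-04", "40-00-09 99999999", "470.00"),
    ("2024-03-18", "40-00-09 99999999", "490.00"),
]
# Ledger after the deletions: only the genuine payment remains posted.
LEDGER = [("2024-01-08", "20-00-01 11111111", "1200.00")]
# Accounts taken from an independently maintained supplier master file.
APPROVED = {"20-00-01 11111111", "20-00-02 22222222"}

def aggregate_unmatched(bank_lines, ledger, approved, write_off_limit, materiality):
    """Group bank payments that have no ledger entry by beneficiary account."""
    posted = Counter(ledger)        # multiset, so duplicate payments match once each
    groups = defaultdict(list)
    for line in bank_lines:
        if posted[line] > 0:
            posted[line] -= 1       # reconciled against the ledger
        else:
            groups[line[1]].append(Decimal(line[2]))
    findings = []
    for account, amounts in sorted(groups.items()):
        total = sum(amounts)
        findings.append({
            "account": account,
            "count": len(amounts),
            "total": total,
            "recognised": account in approved,
            # True when every item would pass a per-item write-off review.
            "all_below_write_off": max(amounts) <= write_off_limit,
            # Escalation is decided on the aggregate, not the single item.
            "escalate": total >= materiality,
        })
    return findings

if __name__ == "__main__":
    for finding in aggregate_unmatched(BANK_LINES, LEDGER, APPROVED,
                                       Decimal("500"), Decimal("1500")):
        print(finding)
```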
Scenario 2 – Nothing missing here
- Payments to an unidentified planning agent were detected for services relating to the sale of council assets, but neither the assets nor the agent’s services reconciled with the business records,
- Ingeniously, a borough surveyor realised that rights of way required to perform construction works represent the creation of a new asset for which there is no prior or subsequent record,
- By creating the legal easement and selling it, the council received the funds to which the surveyor was able to attach the false agent’s charges, transferring the funds to his own bank account,
- By doing this within a single accounting period, the transactions netted off and the balance sheet showed no evidence of any asset movement.
Scenario 3 – No overspend here
- New accounting software listed the annual building maintenance expenditure by contractor, but the budget holders did not recognise the highest-paid contractor,
- Investigation identified the unknown contractor as the son of their regional maintenance surveyor who had received £1.5m over a period of nearly 10 years,
- When challenged, the surveyor insisted that he had not failed to declare his interest and all the work invoiced had been done for the right price, so there was no loss,
- Expert visual inspections of recently invoiced works could not confirm if they had been performed. Additional doubt was sown by the existence of other contractors’ work,
- Tenants’ witness statements were sought, but due to the time passed, they were not reliable,
- Business records for the contractor were reviewed, suggesting insufficient expenditure on skilled labour and materials to have been capable of performing the works,
- In the end, it took a jury 13 weeks to listen to the evidence and decide that the contractor was a sham.
Scenario 4 – No short deliveries here
- Following an increase in machinery breakdowns, a rapeseed crushing plant concluded there were excessive impurities in the rapeseed being processed,
- The plant received rapeseed crops from local farmers, which were sample tested for quality and then received into stock, where it would be mixed in silos with crops from other suppliers,
- Covert CCTV was installed, capturing footage that suggested deliveries from three suppliers were not being tested correctly. A sting operation witnessed incorrect sampling, then repeated the testing and found that 90% of the delivery was impurities,
- Records confirmed the volumes received from the suppliers for over 5 years (invoiced EUR4m), but this was under 1% of the total rapeseed received. The variances in the production results were beyond those that could have resulted from the deliveries from the suppliers,
- It was agreed that the aggregate volume of impurities could not be established from the empirical data, and the volume was estimated on the basis of witness statements.
In these examples, the fraudsters used the presentation of fraudulent submissions to delay the detection of their thefts. In all the scenarios except No. 4, where the controls were overcome by widespread collusion, there were control weaknesses which were exploited.
Of course, all the scenarios were detected, some by luck, and it does make you wonder how much fraud passes completely undetected and what the cost to business is.
Current Fraud Landscape
In times of economic strife, such as now in the UK, there is always a tendency to expect that the level of insurance claims for theft by Employee events will increase, with the logic being that fraud levels will increase as Employees find it more difficult to cover their monthly outgoings.
However, from my experience, which is limited to loss events that are both insured and considered by Insurers to require the instruction of a Loss Adjuster, these frauds tend to be driven by the aspiration / lifestyle of the fraudster rather than general economic conditions. In addition, the frequency of claims is dependent on the level of detection rather than the fraudulent activity itself.
Hence, while fraud / theft by employees can be expected to increase during periods of economic hardship, this does not always equate to additional insurance claims.
Looking forward, the fear is that technology is becoming a facilitator of fraud, and AI clearly provides new tools to fraudsters to produce false documents, certificates, and witness statements to evidence their narrative of events and disguise an ongoing fraud.
Conversely, AI tools can also be used to scrutinise documents for tell-tale traits of being AI-generated, and to analyse big data sets for unusual transaction patterns, in the same way the Cyber industry uses them to detect suspicious network activity.
With regards to the scale of significant fraud ongoing in the UK, there are many uncertainties as to the proportion of fraud which is detected. Few of the fraudsters I have investigated appear to plan their exit, but there is potential that a raft of fraudsters do and are passing wholly undetected. For this reason, the scale of actual fraud by employees suffered remains something for speculation.
To conclude, good controls, employee screening, and staff diligence are the best protections against a fraud getting started and can improve early detection. Together, these can reduce the need to call on Insurers, improve profitability, and hopefully enhance job security.