The Threat from Within - Internal Fraud

There have been a number of news reports this month in the UK around incidents of internal fraud within banks and other corporations. Coincidently, a number of research establishments and industry bodies have produced reports this year detailing the level of internal fraud that occurs.

So where is the impact seen? From the news items seen this month, internal fraud has been instigated within various types of business; from financial institutions to charities, Travel companies to entertainment venues.

The most high profile of recent weeks (as reported by the DCPCU – link to the press release is here) is the jailing of a former member of staff at a Santander Branch, who on his final day following his resignation had transferred £31,000 into an account he had set up some months earlier in a friends name. As the DCPCU report, Santander were able to detect the high value transfer and identify the fraud, and once referenced to the DCPCU a successful conviction was obtained.

It should be noted however that Financial Institutions have (or should have) well defined policies and procedures that dictate how their staff access accounts, manage funds and perform tasks. Outside of the finance industry, best practice is not as readily available to follow.

The Stage (a weekly paper for the performing arts in the UK) recently reported that The Edinburgh Fringe festival society had uncovered an internal fraud where a former employee had stolen £220,000 over an eight year period (link to the article is here). The society's chief executive described the activity as a "sophisticated fraud campaign conducted by one individual in a position of responsibility over an extended period of time".

This is where policies and procedures become vitally important. In PWCs' Global Economic Crime Survey in 2014, the respondents were asked to profile the main perpetrator of the most serious fraud they had seen. Of the respondents, 56% of the perpetrators of those frauds were their own staff (link to the report is here). Kroll stated that of those companies that participated in their 2013-14 Global Fraud Report (link to the report is here), 72% of those surveyed say that their company has been hit by a fraud involving at least one insider in a leading role. Indeed, more locally, the Scottish Business Resilience Centre reported that they were forecasting up 85% of frauds at companies being committed by dishonest staff (reported by the Scottish Herald – link is here).

In fact, the SBRC stated that 88% of insider fraud was committed by permanent staff. When CIFAS published their Employee Fraudscape 2015 report (link to report here); it was reported that in the 45 cases analysed for the report, over half of those persons found to have committed internal fraud were employed for less than 3 years. However, where fraud was committed on accounts, on average the staff member would have been employed for 5.4 years.

So what steps can be taken to reduce the risk of internal fraud occurring? First step has to be the best practice of developing robust Risk policies and procedures; that are routinely reviewed, amended where necessary and signed off. These policies must include an audit function (internal at the very least, and where possible external audit). The risk policy will then govern the second step of developing Staff policies and procedures – that reference the risk policies and procedures. Again these should be routinely reviewed, amended where necessary and signed off. If possible, software should be employed to monitor staff activity on systems, with pre-defined criteria on what the staff can and cannot access or perform – but dependent on the business this may not be feasible.

Should any internal fraud occur, a full review must take place of how the fraud was perpetrated and which aspects of internal policies failed to prevent the fraud occurring. These findings must then be fed back into the Risk policies and procedures to prevent such an event occurring again.

Finally, there must be an environment that facilitates the capability of "whistleblowing" in the event of discovering an internal fraud event. Especially given that the members of staff performing the fraud could be senior personnel, the chain of command may prevent the flagging of abnormal activity.

Without robust policies and procedures in place, it makes it very difficult to detect internal fraud until it is too late; and could ultimately bring down the company that has been defrauded.