POV provided by Simon Longden, Partner, Armstrong Wolfe Partners
Fraud – To What Extent Has This Internal Threat Increased?
The scale and disruption caused by Covid-19 has tested the rehearsed and documented contingency plans of most organisations. Established models of reliance on nearshore, x-border and offshore BCP arrangements will have been put under strain as Covid-19 did not respect geographic boundaries and would have impacted many of those markets also.
While economies and businesses slowed, the wheels across Financial Services continued to turn, adapting to the challenges that had been presented. Organisations will no doubt have their own stories to tell on where things have gone wrong and the lessons that have been learnt, though on the face of it, the sector appears to have been resilient and to have met this unique challenge well.
This is correct, perhaps, on the face of it, but there is one question that must be asked:
“What might be lying in wait that is currently undetected?”
One should not put a dampener on things or be seen as having a glass half empty – but all recognise most organisational models and control environments weren’t designed to support a largely dislocated workforce in the short term let alone an extended period of time.
Through many of the industry discussions and the forums that have been run since the pandemic began, I have an appreciation of some of the great work that has been done and the challenges that have been overcome. All to the good but one aspect I keep reflecting upon is the unique and very different set of pressures that will have been exerted on the workforce, impacting both their personal and professional life, as they have had to adapt during the crisis.
The risk, compliance and fraud practitioners of the industry might recognise pressure as one of the cornerstones of the Fraud Theory developed by Donald Cressey, in the 1950s, the others being Opportunity and Rationalisation:
Cressey developed this theory based on multiple, in-depth interviews with people that had been convicted of trust violations. His research suggested that individuals are motivated to commit a violation when three elements converge:
• some form of perceived pressure
• a perceived opportunity
• a way to justify in their own mind that the act is appropriate given the situation.
Cressey claimed that all the cases he studied conformed to this process and that none of these elements alone would be sufficient to result in fraud; all three must be present. Let us consider each of these elements through the lens of the Covid-19 crisis:
Pressure
I read many posts on LinkedIn extolling the benefits of being able to work from home. The benefit of being able to spend more time with family, of not having to endure a long and often crowded and costly commute, nor having to pay exorbitant city fees for a coffee or lunch, but has it all been plain sailing?
You see posts of people working from a comfortable home office or study, yet not everyone will have had such luxuries. For every well-equipped home office, how many people have been working at the kitchen table, huddled over a laptop, perhaps with other family members, or their partner, also working from home?
Initially that might have been a novelty, but at what point did the lack of personal private space to think or take calls become an issue?
You consider other obligations that might have been imposed on people working from home, perhaps having to attend to the needs of family members, children that have required home schooling or elderly parents they might still live with.
In the West we take the provision of electricity and WiFi for granted, yet in many markets this may have been a problem and presented an additional challenge for people to complete their work and meet performance targets or deadlines.
While in the early part of the crisis we saw governments step up and offer support to companies that were struggling and some commitments from organisations not to lay people off, these schemes are coming to an end, and some of the commitments not to lay off staff appear to be unwinding. Job security will have been a concern for a lot of people during the crisis, and unfortunately for some, or members of their family, that risk is now materialising.
The easing of lockdown in many markets, countered by a sudden reintroduction of localised lockdowns or quarantine restrictions being imposed on previously noted safe travel corridors, adds to the uncertainty. At the sharpest end of this crisis is the human tragedy of loss that many would have experienced, be this a loved one or friend.
In 30 years of international banking, I worked through multiple difficult situations, including the SARS outbreak in Hong Kong in 2003, the collapse of the markets in 2008, and many more, but I cannot recall anything of the scale and impact on people and the banking industry that the present crisis and the unique set of challenges and pressures has imposed.
Opportunity
Even the best prepared organisations will have been surprised by the speed with which they had to implement a work from home model; in many markets it felt more like an evacuation than a smooth, disciplined process.
Many companies might not have materially adjusted process flows during this rapid evacuation; rather, staff would have executed existing tasks on pre-Covid processes, albeit now remotely. I would expect, therefore, that control testing would still provide basic assurance that tasks were being executed effectively, but what about the situation where the process has become more fractured or where new tasks have been introduced, or where there has been an emergency relaxation of BAU standards, e.g. dispensing with wet signatures in favour of digital, where printer access has been granted for remote working, where access rights, privileges and approval levels have been changed?
In times of stress, identifying, documenting, and testing controls around such matters may not have been a primary consideration and may have been completed later, when time permitted. The question arises, has a master log been maintained of all changes that may have been introduced so back testing can be conducted?
When I reflect on the findings coming out of the most recent Report To The Nations on occupational fraud, produced by the Association of Certified Fraud Examiners (ACFE), it’s striking to look at the primary internal control weaknesses that contributed to fraud that were identified from this research.
While the ACFE reviews several thousand cases, cutting across a diverse set of industries and geographies, approximately 19% of the cases that formed this research were from Banking and Insurance.
The three primary control weaknesses that the research identified as contributing to an internal fraud were:
• the lack of an internal control (32%)
• override of an existing internal control (18%)
• lack of management review (18%)
When you further consider the ACFE findings on the top 4 deceits used to conceal fraud, they revolve around:
• the creation of false physical or electronic documents / files
• the amendment of existing ones
Therefore, how robust are the industry’s processes and tests to be able to detect such instances?
The lack of management review as a control weakness is also worth reflection and is important when you consider the supervisory challenges that the Covid-19 crisis has presented in terms of the dislocated workforce, and staying current on how effectively people are working, and more importantly how they are feeling.
When considering how best to have dealt with this situation, one of the most impressive traits of some I have worked with over the years was the way that they were able to filter the noise around them, connect signals across the key functions that they regularly networked with, and sense where there might be a potential problem. Conversely, the current environment inhibits the ability for such a dialogue, or an informal chat at the water-cooler, and presents a challenge for those on top of all the potential internal risks: can we rely on all the normal MI for this qualitative insight?
Rationalisation
This is the cognitive part of the fraud equation, and one where an individual will make the decision, in their own mind, that they can justify the potential benefit that could be gained from committing a violation of trust, outweighing the risk of detection.
I suspect for most people this is a very high bar, but it will be depleted to an extent by the pressure that might have built up and could be more pronounced in the event they believe they have a perceived injustice that needs correcting.
In the present scenario, I look at the continuation of the engagement with staff still working from home and the upcoming performance assessment cycle that will commence for the industry in the next couple of months.
There are potentially several factors to consider:
• the extent to which employees retain job satisfaction
• perceived pressure to return to the office
• concerns they might have with line managers
• whether they feel they might have been ignored or ill-treated during the crisis
• perhaps a feeling of there not having been enough focus on the individual but too much on productivity
• line managers with a preference for presenteeism and favouritism of others
• a perceived entitlement to a bonus or promotion in the next performance round
Companies will of course have been planning the year end performance cycle and whilst it does not need to be that different, difficult or complex, it is probably the most important one in a generation in terms of communication to the whole workforce. A workforce that has supported them during an unprecedented time.
Closing Remarks
The extent to which the internal threat of fraud poses an increased risk in your own organisation, over and above what it would normally represent, is a point of individual reflection.
To what extent could the internal control weaknesses identified by the ACFE be exploited in the current environment? Even with subtle changes to workflow process, policy, or rules, it is easy to argue the opportunity to do so has increased.
Clearly the pressure point has been enhanced, increased, and dialled up during the crisis. It could all boil down to the extent to which an individual rationalises in their own mind that committing a violation of trust is a risk worth taking, weighed against the chances of detection.
ACFE’s research suggests that the typical time for a fraud to be detected from when it began is 14 months, which allows a return to the question proposed: