Internal fraud is the biggest fraud risk of all, but who really manages it?

In the past couple weeks we have seen Patisserie Valerie in the news, but unfortunately the news was anything but sweet…

At this stage, five Patisserie Valerie employees have been arrested in connection with a substantial case of internal fraud. With internal fraud, the loss an organisation will suffer is never just money. The shareholders and the company’s bottom line might be victims, but more particularly it’s the staff. As a result of the dishonest actions of a few, 900 staff were laid off, the share price plummeted and the business, which was once valued at £450 million, was purchased for just £5 million.

Patisserie Valerie may well recover, as its brand strength could see it through and the new owners could turn it around. But this type of business risk is nothing new. It has happened before and will happen again. In fact, it is happening now in other business across the UK. What is most surprising though is that so few businesses adequately seek to manage this risk effectively. The key question is, who owns internal fraud risk in a business? Ask that question at a typical board meeting and see how the fingers point around the room at different functions: security, HR, IT are all involved, as are internal audit and line managers. No organisation is immune to internal fraud and yet so few have a clear risk management policy in place.   

Clear ownership is just part of the issue. Fundamentally, businesses rely on their staff and seek a high level of trust in them to do their jobs well and diligently. However, this level of trust is what ends up being broken. In a fast moving business world where people have access to systems or assets, and are under pressure to perform quickly, can lead to open gaps in defences. People change, their circumstances change, and things happen that effect their lives outside of work: a death in the family, or growing addiction, for example. Equally, disgruntled employees who feel aggrieved could turn against their employers. Finally, it is possible that employees are pressurised or incentivised by organised criminal gangs to infiltrate your business for criminal purposes.

There may be one reason someone commits fraud, or there may be multiple, but there is always one common factor: they all believe they can defraud their employer and not get caught. The telltale signs will be there: fancy clothes, exotic holidays and other expensive purchases that may indicate someone is living above their obvious means. Or you may have a quiet employee that comes and goes, and doesn’t interact or engage. Or instead you may work with a person who seems to be a workaholic, not taking a holiday as they are too frightened that someone will spot what they have been up to while they are away. Critically, where there are weak management controls in place there will be much larger windows of opportunity. The employee might have tried something and gotten away with it once – on purpose, or sometimes by accident – and it snowballs from there.

If internal fraud happens, something is broken

This is part of a wider discussion we have quite a lot at Cifas. At what stage does dishonesty become acceptable? Is grabbing an apple at the office canteen without paying justified? Does not punishing that action lead to a culture of where taking from your employer is okay? It may be a low-level example but it challenges our thinking. Where does it end? An apple, some stationary, a laptop, some cash, staff property, false expenses claims, customer data, false invoices, major data download, falsifying accounts?

The answer: nurturing trust and applying best practice

Thankfully, we live in a world where most people we employ are trustworthy and hard-working—it is the few who are the issue.

To counter that issue you have to start at the beginning. Vetting new staff is vital and employers don’t always do this effectively enough. CVs can be ‘creatively' written and, while previous employers are not legally required to give a reference, if they do it’s pretty worthless. This is where Cifas’ Internal Fraud Database can help as a place for employers to record and share sensitive information about dishonest people. Being a member of the Internal Fraud Database creates a strong anti-fraud culture in the workplace, which is in turn protecting your business, staff and customers from fraud threats.

Stopping repeat offenders is vital. Typically, if someone gets away with fraud once, they resign, and do it again at the next organisation, over and over. This is why collaboration and sharing information within the legal framework of Cifas’ Internal Fraud Database is the best way we can prevent fraud reoccurring.

There is some straightforward best practice your organisation can apply to limit opportunities of internal fraud:

• Screening new employees:
  • Don’t just screen for capability, but also for levels of integrity;
• Tighter controls – monitoring key staff activities:
  • Make transparency part of your organisation’s culture;
  • Avoid seeming like ‘big brother’: balance trust vs. monitoring;
  • Communicate the importance in protecting the business and jobs by being able to spot issues quicker;
  • Paint it as the new norm and not personal.
• Engaging with staff:
  • Raise awareness in the office of the consequences of taking part in these activities;
  • Put engagement plans in place that encourage staff with issues to come forward;
  • It’s easier to offer help to people who need it if they feel they can discuss their issues with impunity.
  • Have open conversations with employees about what red flags they can look out for. Managers and directors can’t be everywhere all the time, so it’s important all employees can recognise when something isn’t right;
  • Remind employees of their importance to the organisation. These controls are to protect them and their jobs at the end of the day.
• Whistleblowing and anonymous reporting:
  • Ensure staff can report issues with anonymity and no recourse;
  • Ensure appropriate actions can be taken quicker and dealt with before issues escalate;
  • Enlist outsourced providers who can offer this.

Fighting internal fraud is something all members of staff and all departments should have an interest in. Shifting the responsibility or looking at management only to act isn’t enough. Clear management and procedures should be in place that work effectively - don’t simply pay lip service to it. The particular risk of internal fraud and the potential damage it could do to your business if left unchallenged is not something that can be swept under the rug.