Article 4 of 4: Employee Fraud Series
Whether or not a company has experienced an employee fraud, it is important that management and those charged with governance consider the risk of fraud for the organization and the appropriate measures to put in place to mitigate those risks. These measures will address both prevention and the timely detection of fraud to minimize any losses.
Companies that have endured employee fraud and experienced all of the steps outlined in our previous articles will have a greater appreciation for the importance of an internal assessment. In those cases, management should consider how the fraud was perpetrated, the lapses in control that likely allowed it to happen, any red flags that would have allowed the fraud to be detected sooner, any other gaps in the control framework or culture of the organization that need to be addressed, and the steps required to reduce the risk of a similar situation happening again.
A recent report¹ shows the median duration of a fraud scheme is 14 months. Early detection is therefore critical, as the speed of detection can have a significant impact on the overall fraud loss.
The following are some key areas to consider in evaluating your company's fraud prevention and detection strategy.
Internal Controls and Risk Assessment – As resources are often limited, management must decide where to focus its internal control efforts. The first step is to conduct a risk assessment to determine where the company is most vulnerable to fraud losses. The risk assessment should identify specific fraud schemes that present a risk in the company's industry, assess the likelihood and possible impact on the business if the fraud occurred, evaluate the current systems in place to mitigate that risk, and implement further controls to reduce any residual risk to an acceptable level. Common areas of focus are cash (the receipt and payment of funds) and other valuable assets such as inventory and intellectual property. While this assessment and internal control resources are specific to each organization, the following are some key areas to consider:
- Ensure there is an appropriate segregation of duties for the core finance functions. Companies should ensure no one person can initiate and complete a financial transaction or has responsibility for more than one of the core finance duties, which include:
  - Custody of assets (access to cash, cheques or the bank account, or responsibility for collecting payment from customers or sending payment to vendors or employees);
  - Authorization or approval (signing authority on bank accounts, approval of expense reports);
  - Recording transactions in the accounting system; and,
  - Reconciliation of accounting or other control activities (bank reconciliations or other review functions).
- Where these core duties are not appropriately segregated, there is an opportunity for employees to commit fraud (custody of assets and authorization) and conceal it (recording transactions and performing reconciliations). In smaller companies where segregation of duties is not practical, management review becomes more critical.
- Review the information technology controls available for the company's key systems, including payroll, banking, and the accounting system. Set appropriate authorization and access levels within the software so only employees who require access have it, and limit administrator rights so only key individuals can make changes to the access levels. To the extent available, use exception reporting options that alert when changes to access are made and review audit reports regularly to ensure any changes to the systems were appropriate and authorized.
- Restrict the ability to make cash payments, including transfers or wires from bank accounts or signing cheques, and ensure that authorization from two key individuals is required for all payments. Cash and bank accounts should be safeguarded, and cheques should be locked up and never pre-signed. Particular attention should be paid to remote money transfers requested or authorized through email, other e-transfer or shortcut processes.
- If the company has an internal audit group, or if internal audit services are provided by a third party, ensure they are part of the fraud risk assessment and that internal audit reviews are conducted for high-risk areas as well as periodically for lower-risk areas. The internal audit group should communicate all findings and control recommendations to those charged with governance.
- In most smaller companies, there will not be an internal audit function. Management review of the banking, accounting, and other risk areas then becomes more critical, especially where there is not appropriate segregation of duties. The review should not be performed by individuals responsible for recording and reconciling the bank and accounting systems. Management should carefully review the financial reporting and reconciliations at least on a monthly basis, ensuring this is not a "rubber stamp" exercise but rather a thorough review to identify potential concerns.
- Assess the internal control framework periodically to ensure the processes are working as intended and identify any gaps that need to be addressed.
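The segregation-of-duties rule and the access-change exception reporting described in the list above can be checked mechanically once system entitlements are mapped to the four core finance duties. The following Python script is an added illustration, not code from the article or from the firm that published it. The entitlement names, the user-to-entitlement assignments, the `key=value` audit-log format and the list of approved administrators are all constructed sample data; the four duty categories and the commit/conceal grouping follow the article's own description.

```python
"""Segregation-of-duties (SoD) conflict check and access-change exception report.

Added illustration; the entitlement names, assignments, log lines and the
approved-administrator list are constructed sample data, not a real system.
"""
from collections import defaultdict

# The four core finance duties named in the article.
CUSTODY = "custody"                # access to cash, cheques or bank accounts
AUTHORIZATION = "authorization"    # signing authority, expense approval
RECORDING = "recording"            # posting transactions in the accounting system
RECONCILIATION = "reconciliation"  # bank reconciliations and other review work

# Holding a duty from each group lets one person both commit and conceal a fraud.
COMMIT_DUTIES = {CUSTODY, AUTHORIZATION}
CONCEAL_DUTIES = {RECORDING, RECONCILIATION}

# Constructed mapping from system entitlements to the duty they confer.
ENTITLEMENT_TO_DUTY = {
    "bank.wire.create": CUSTODY,
    "bank.wire.approve": AUTHORIZATION,
    "expense.approve": AUTHORIZATION,
    "gl.journal.post": RECORDING,
    "bank.reconcile": RECONCILIATION,
}

# Constructed (user, entitlement) assignments, as an IAM export might list them.
SAMPLE_ASSIGNMENTS = [
    ("alice", "bank.wire.create"),
    ("alice", "bank.reconcile"),    # custody + reconciliation: can commit and conceal
    ("bob", "bank.wire.approve"),
    ("bob", "expense.approve"),     # two entitlements but one duty: no conflict
    ("carol", "gl.journal.post"),
    ("carol", "bank.reconcile"),    # recording + reconciliation: two duties, conceal side only
]

# Constructed audit-log lines in a simple key=value format.
SAMPLE_LOG = [
    "ts=2024-03-01T09:00:00Z event=grant actor=itadmin target=bob entitlement=expense.approve",
    "ts=2024-03-01T09:05:00Z event=login actor=alice",
    "ts=2024-03-01T09:07:00Z event=grant actor=alice target=alice entitlement=bank.reconcile",
]
APPROVED_ADMINS = {"itadmin"}


def duties_by_user(assignments):
    """Map each user to the set of core duties their entitlements confer."""
    duties = defaultdict(set)
    for user, entitlement in assignments:
        duty = ENTITLEMENT_TO_DUTY.get(entitlement)
        if duty is not None:
            duties[user].add(duty)
    return dict(duties)


def sod_conflicts(assignments):
    """Return users holding more than one core duty, noting whether the
    combination spans both the commit and the conceal side."""
    conflicts = {}
    for user, duties in duties_by_user(assignments).items():
        if len(duties) > 1:
            conflicts[user] = {
                "duties": sorted(duties),
                "can_commit_and_conceal": bool(duties & COMMIT_DUTIES)
                and bool(duties & CONCEAL_DUTIES),
            }
    return conflicts


def access_change_exceptions(log_lines, approved_admins):
    """Flag access-level changes made by anyone other than an approved administrator.
    This is the 'exception report' the article suggests reviewing regularly."""
    exceptions = []
    for line in log_lines:
        fields = dict(token.split("=", 1) for token in line.split())
        if fields.get("event") not in {"grant", "revoke", "role_change"}:
            continue
        if fields.get("actor") not in approved_admins:
            exceptions.append(fields)
    return exceptions


if __name__ == "__main__":
    for user, detail in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {detail['duties']}"
              f" (commit and conceal: {detail['can_commit_and_conceal']})")
    for entry in access_change_exceptions(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"Unapproved access change: {entry}")
```

Run against the sample data, the script reports alice (custody plus reconciliation, so able both to move funds and to hide the movement), carol (two review-side duties, a conflict but without custody or authorization) and the self-grant by alice that no approved administrator performed; bob holds two entitlements that both fall under authorization and is not flagged. In a real review the mapping of entitlements to duties is the piece that takes the most care, and it should be agreed with management rather than inferred from entitlement names.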
Code of Ethics and Policies – Companies typically document the expectations for their employees in a Code of Conduct or Code of Ethics and create specific policies, which usually set out the company's financial rules. The Code of Conduct provides the ethical framework that applies to all areas of the employment relationship, while policies tend to be more prescriptive. These are both important tools to ensure employees know what is expected and may serve to prevent inappropriate behaviour. In cases where an employee commits a fraud, these policies are also important to demonstrate that the company's expectations were communicated to the employee and subsequently violated. Where a company does not have a Code of Conduct or finance policies in place, there is an increased risk the employee may claim they were not aware of the expectations in order to justify their actions. Companies should consider the following best practices to minimize this risk:
- Ensure a Code of Conduct is in place that clearly states the expectations of employees;
- Review the Code of Conduct with all employees when they are hired and on an annual basis, having them sign the document to acknowledge it was read and understood;
- Ensure finance policies are in place with rules around what constitutes an appropriate business expense, the level of authorization required for expenditures, use of expense reports or corporate credit cards, and other areas specific to the company. Policies should be prescriptive for key risk areas but broad enough to ensure all non-business transactions are captured;
- Review policies regularly to ensure they keep pace with the changes in business practices and communicate all changes to employees;
- Ensure policies are applied consistently for all employees, except to the extent that differing authority levels are set out in those policies; and,
- In the event of a policy violation, ensure the issue is addressed with the employee, expectations are reiterated, and remediation takes place as set out in the Code of Conduct or policy. Keep in mind, however, that if an initial fraud is discovered, and only reprimanded, there may not be any insurance coverage should a larger fraud be discovered in the future due to this same employee's misconduct. Coverage for the employee fraud typically ceases on the date the issue was discovered. A fine balance must be struck between the competing employment and insurance considerations.
Ethical Culture and Tone in the Company – For an employee fraud to occur, the employee must be able to rationalize their actions. This rationalization may be that "everybody is doing it" or that the employee's actions are justified because of their negative perception of management or others in the company. Policies and codes of conduct are only effective in preventing fraud to the extent that employees believe they apply to everyone in the organization. When an employee observes policy violations or exceptions, or inappropriate conduct that is tolerated without recourse, this sends a message that management does not take these expectations seriously and opens the door for rationalization of further wrongdoing. This is often referred to as the "tone at the top": companies should ensure that ethical conduct is core to their business character, is a priority for the leadership team, and that swift action is taken in response to any allegation of fraud.
Whistleblower Program – A whistleblower program or other hotline that allows individuals to report suspicions of fraud may be an important part of a company's fraud detection strategy. A recent report shows tips were the most common way employee fraud was discovered, with more than 40 percent of the fraud cases in the study identified through tips, almost three times as many cases as other detection methods. Specifically, the report indicates:
- Companies with a hotline detected frauds more quickly, with the issue identified in a median 12 months compared to 18 months for companies without a hotline;
- Early detection meant the fraud losses were cut in half for those companies in the study with hotlines in place; and,
- Companies with a hotline received tips identifying a fraud more often, with 49 percent of those companies receiving a tip compared to only 31 percent of cases where a hotline was not in place.
As early detection is one of the most effective means of reducing fraud losses, and with tips being the top means of identifying an issue, a whistleblower (confidential reporting) program is a good investment for most companies. The program should allow individuals to provide information anonymously, if they choose to do so, as the fear of retaliation or reprisal may cause an individual with valuable information not to come forward.
Employees also need to trust that any allegations made will be taken seriously and investigated, as a lack of trust in the process undermines the effectiveness of the program. For some larger companies, a whistleblower program is administered internally where an individual or group is designated to receive and investigate tips; however, for most companies a hotline is administered by an external organization with specialized expertise that can provide the service independently and more cost effectively.
Fraud Awareness Training – While it is important to have a confidential reporting program in place, this will only be effective to the extent that employees know what financial irregularities or other red flags are suspicious and should be brought forward. A recent report shows companies with fraud awareness training had more tips that identified a fraud, increasing from 37 percent without training to 56 percent for companies that trained their employees.
Companies may provide fraud awareness training in a workshop format, which gives employees the opportunity to identify risk areas in their day-to-day operations that management may not have otherwise identified. If a hotline is in place, employees should be trained, not only on what fraud is and some of the red flags, but also on the whistleblower program and how it should be used. This is also a good time to talk about the importance of business ethics and the relevance of the company's policies and codes of conduct. Companies may require employees to take this training periodically and sign off on their understanding of the company's expectations.
Insurance – Even companies with the most robust fraud prevention strategy and internal controls cannot eliminate the risk of a fraud occurring. Companies should know that employee fraud is often an ongoing scheme, not a one-off event. The average duration of an employee fraud is 14 months and, as a result, companies may underestimate the extent of the damage that can arise due to an employee fraud.
To mitigate the risk of financial loss, companies should review their insurance policies. While the company may already have an insert to its insurance package for employee dishonesty, it might be better to obtain a standalone fidelity or crime policy. These policies typically have larger limits and can be tailored for the company's specific needs. As discussed in our previous articles, insurance may cover all or part of a fraud loss and may also pay for costs associated with the investigation of the fraud. Following a fraud risk and internal controls assessment, companies should speak to their insurance broker about the coverage available and determine whether a fidelity or crime policy should be added to their portfolio.
1. References to a "recent report" are based on the Association of Fraud Examiners (ACFE) 2020 Report to the Nations.
Bailey Rivard, CPA, CA·IFA, CBV, CFE
About Mackrell International - Canada - Scott Venturo LLP is a full service business law firm in Calgary, AB and a member of Mackrell International. Mackrell International - Canada is comprised of four independent law firms in Alberta, British Columbia, Ontario and Quebec. Each firm is regionally based and well-connected in our communities, an advantage shared with our clients. With close relations amongst our Canadian member firms, we are committed to working with clients who have legal needs in multiple jurisdictions within Canada.
This article is intended to be an overview and is for informational purposes only.