The increased risk of employee fraud

23 July 2010

The current economic climate has presented many major headaches for employers. One that is discussed less often than reduced sales and higher operating costs is the increased risk of employee fraud.

Last year, fraud prevention service CIFAS revealed that the rate of dishonest employee actions had increased by 69.5 percent between the latter half of 2008 and the first half of 2009. KPMG's Fraud Barometer estimated a total of £1.3bn worth of fraudulent activity was committed in 2009.
The elevated risk of being made redundant, or the frustration of having salaries frozen (or even reduced) for the foreseeable future, can make previously loyal staff search for control gaps in a business process to be exploited for their financial gain.
From a practical perspective, a reduced workforce can create potential conflicts in an employee's responsibilities. For example, rather than one individual ordering goods and another being in charge of paying for them, the two tasks may fall to one person, which removes the Segregation of Duties (SoD). This immediately creates risk for the organisation because it is an easy step for this person to process payments for goods they might have ordered for themselves.
The most effective way for organisations to ensure they are not putting temptation in the way of staff is to introduce robust internal controls. Limiting IT system access to be free of conflicting responsibilities will remove the risk of an employee committing fraud without collusion. For example, access involving payment processing should be carefully separated from purchase ordering activities wherever possible.
Such compliance activities can be supported by risk management tools such as the SAP Governance, Risk and Compliance (GRC) suite, which enables sophisticated monitoring and control of all business risks. A number of similar, non-SAP products are also available, performing similar functions. Such tools allow the effective monitoring of SoDs and enable organisations to embed SoD compliance into their access request processes.
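
The ordering-versus-paying conflict described above can be checked mechanically, both across existing access and at the point a new role is requested. The Python below is an added example, not code from this article or from SAP GRC; the role names, permission names, rules and users are constructed for illustration.

```python
# Added illustration: roles, permissions, rules and users are all constructed.
ROLE_PERMISSIONS = {
    "buyer": {"create_purchase_order"},
    "ap_clerk": {"process_payment"},
    "vendor_admin": {"maintain_vendor_bank_details"},
    "ap_viewer": {"view_payment_run"},
}

# Pairs of permissions that one person must not hold together.
SOD_RULES = [
    ("create_purchase_order", "process_payment"),
    ("maintain_vendor_bank_details", "process_payment"),
]

# Constructed sample of current user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"buyer"},
    "bob": {"buyer", "ap_clerk"},
    "carol": {"ap_viewer", "vendor_admin"},
}


def effective_permissions(roles):
    """Expand roles into permissions; an unknown role is an error, not 'no access'."""
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def sod_conflicts(roles):
    """Return the SoD rules violated by holding all of `roles` at once."""
    perms = effective_permissions(roles)
    return [rule for rule in SOD_RULES if perms.issuperset(rule)]


def audit_assignments(assignments):
    """Monitoring: map each user with at least one conflict to the rules violated."""
    report = {user: sod_conflicts(roles) for user, roles in assignments.items()}
    return {user: found for user, found in report.items() if found}


def evaluate_access_request(current_roles, requested_role):
    """Access request gate: reject a role that would add a new SoD conflict."""
    before = sod_conflicts(current_roles)
    after = sod_conflicts(set(current_roles) | {requested_role})
    new = [rule for rule in after if rule not in before]
    return {"approved": not new, "new_conflicts": new}
```

The request gate only reports conflicts the new role would introduce; conflicts a user already holds are surfaced by the audit function.
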
Most internal controls are performed manually and therefore need to be proactively operated. Manual checks also need to be performed to verify that the controls themselves are working. This makes it difficult and time-consuming to confirm compliance and protect an organisation against fraud.
Introducing continuous controls monitoring (CCM) tackles this issue. Essentially a technology solution, CCM provides real-time status assurances for all compliance control points. For example, an automatic review of the payment run output can be set up to send results to the manager responsible for monitoring duplicate payments. Exceptions are flagged automatically, so the manager is alerted only when required and manual checks are unnecessary.
Introducing improvements such as those outlined above will require a commitment to security throughout the organisation. Turnkey Consulting's recent GRC Benchmark research report found that 68 percent of organisations defined and documented their IT security authorisation procedures based on processes agreed with the business function. However, only just over a third of IT security experts believed that the business understands security.
It is tempting for the business to view the technologies behind the prevention of employee fraud as overly complex. This ignores the fact that much of what they introduce revolves around better business practice. Automating the internal control environment represents a significant milestone in the risk, security and compliance landscape, offering organisations the opportunity to achieve a new level of protection against fraud.
Richard Hunt, Managing Director, Turnkey Consulting
