Should I worry about fraud risk in my business?
Fraud is all around
There's a saying that all businesses contain at least one fraud; I once heard of an employee who went to Hungary on business and came back with a bunch of receipts that he duly claimed for. Fortunately for the organisation, if not the employee, the person checking his claim happened to speak Hungarian and spotted that the receipts were not subsistence, but actually for jewellery and CDs.
Internal fraud risk can be subtly different at each size of business; smaller businesses do not have the policies, procedures and scope to check up on everything everyone does all the time, so have to rely on culture, force of personality and a risk-based approach.
At the other end, larger and more complex organisations can afford more rigorous procedures but have greater scope for dubious transactions and shady side-deals.
The Big Issue
Of greater concern is outside fraud - this is where you really do need to be on your guard, as fraudsters are getting cleverer all the time.
Tactics will inevitably vary over time, but there are certain themes.
- Spoofed and / or hacked business email accounts
Business emails from supposedly private accounts should immediately raise suspicion, but in this example the CEO's or other senior manager's account is spoofed and a very plausible message arrives requesting an urgent funds transfer for a "highly confidential M&A deal we are working on".
Finance receives a call from a supposed supplier needing immediate transfer of funds so that a production job can go ahead. The urgency is used to pressurise staff into acting before they realise what is really going on.
The starting point for many of these frauds is asking for business-confidential details, such as business email details, names, email formats, bank account or details of travel or other suppliers.
Stop. Think. Check.
The best defence against fraud is awareness - and taking the time to think about what is really going on; "Stop. Think. Check" is one company's motto.
Stopping and thinking is the easy bit. All non-routine requests for business-confidential information or funds should be considered for 10 minutes or so before actioning.
Checking involves first raising the issue with a more senior person and, where appropriate, speaking with a known contact at the client or supplier organisation involved to confirm the request.
Basic financial controls like dual authority for banking and sign-off levels are a minimum. There also need to be controls over changing sensitive supplier data, such as bank account details.
Chartered Accountants and internal auditors are trained to consider fraud risks, known as "red flag" issues; verbal-only requests, urgency and large, non-routine funds transfers are all red flags to consider.
Top FD Tips
- The best defence is awareness - be on the lookout for "red flags".
- Be alert to "phishing" activity - is the receptionist being asked for the CEO's email address, the FD's name, the travel provider?
- Do you really know the identity of the person calling / emailing - how can you be certain they are who they say they are?
- Stop. Think. Check.
- Independently verify any unusual requests via a known contact.
- Complex supply chains with high transaction values present the highest risk.