While organizations are increasingly aware of the threat of fraud from outsiders, the risk from within their own ranks is often overlooked. Senior academic and fraud examiner Dr Rasha Kassem offers advice on how to sensitively but effectively deal with the potential enemy within.
Despite the increasing focus on countering the growing threat from malicious actors, ‘insider’ fraud, that is, fraud committed by the members of an organization, still tends to fly under the radar.
A respected academic, educator and fraud expert, Dr Rasha Kassem holds a PhD from Loughborough University in Audit, Governance and Fraud and is a Certified Fraud Examiner. She first became interested in insider fraud as an accounting undergraduate in 2002, when the Enron affair was making international headlines. In Enron’s case, the company was essentially taking out bank loans and recording them as cash from operations, a deceit that was countenanced at the highest levels.
“The directors were accomplices; the external auditors were accomplices. So, it was really fascinating,” says Rasha.
However, what most affected her was the impact of this fraud on innocent employees of both Enron and Arthur Andersen, the international accounting firm responsible for auditing Enron’s accounts. Both companies went out of business largely as a result of the scandal, with tens of thousands of employees losing their jobs – and many losing their pensions as well.
Rasha went on to study financial fraud for her master’s degree, before focusing on the motivational aspect of high-level fraud for her PhD. She finds the sort of insider fraud committed by executives particularly intriguing.
“These people are white collar criminals,” comments Rasha. “They are somehow seen by society as reputable people, sometimes highly educated, holding high positions in their organizations with lots of power. And they are not necessarily in need of money. So, it was really fascinating to understand what drove all that.”
As Rasha points out, even at the level of individuals, insider fraud is by no means a victimless crime.
“Fraud is committed by human beings, this human being could be your colleague, someone you talk to at a personal level every day. So that trust violation really has a massive psychological impact.”
Rasha believes companies and society at large need to place greater importance on the threat from insider fraud, the impact of which can be fatal for companies – as high-profile examples like Enron attest. Fortunately, there are a number of relatively simple steps organizations can take to limit the risk.
1. Establish robust controls
A proactive approach to minimizing insider fraud starts at the point of recruitment, with a robust vetting process for applicants that aims to ensure the appointment of honest individuals. However, vetting cannot 100% guarantee the integrity of staff, so ongoing monitoring is also essential. A good understanding of motive and opportunity is important in this respect.
2. Encourage loyalty
People don’t always commit fraud for financial reasons; revenge is another key motivator. Staff who feel part of a community are far less likely to commit acts that could damage that environment. Encouraging loyalty by treating staff well and having a healthy internal culture is therefore an important anti-fraud strategy. This should include fair pay and conditions, as well as an open-door policy for issues and complaints. Ironically, excessive micromanagement can act as an incitement to ‘revenge fraud’, as it make employees feel they aren’t trusted,. Monitoring must therefore be done with tact and sensitivity,
3. Provide education
Often people rationalize their own fraudulent behavior, particularly when they feel slighted or mistreated. For example, an employee who feels they are underpaid may justify embezzlement as a kind of ‘bonus’ or salary adjustment. Education limits the potential for this kind of rationalization, since the perpetrator is less able to pretend they were unaware of the wrongness of their actions. At the same time, understanding the potential consequences of fraud can act as a strong deterrent – not just in terms of the risk of being sacked, but the damage to an individual’s reputation and future job prospects.
4. Enable whistleblowers
Ticking the box by creating a whistleblowing procedure isn’t enough on its own; employees need to have faith in the integrity and effectiveness of the process. A lot of internal fraud goes unreported because people feel discouraged from speaking out, often because there are too many hoops to jump through, or because they are wary of exposing themselves as a whistleblower to the person who is committing the fraud. Your process therefore needs to be well-publicized, simple, anonymous, transparent and efficient.
5. Set an example
The impact of leaders’ actions on an organization’s culture can be both positive and negative. Senior management need to act as role models for every employee, not just talking the talk about honesty but walking the walk by demonstrating real integrity in the way they run the organization. They also need to listen to their staff, dealing proactively with their issues and concerns around appropriate behavior by the company.
6. Make use of technology
Technologies including AI, data analytics and natural language processing can be invaluable in combatting insider fraud. For example, auditors can use data analytics to identify those trends or individual transactions that don't make sense, such as revenues that have been too low or too high over a period of time, or suspicious withdrawals from company accounts. Similarly, AI can be used to scan company documents to identify forgeries. This sort of use of technology can be incredibly powerful when combined with the professional judgement of a human expert.
7. Monitor and revisit procedures
Fraud is constantly evolving and taking on new forms, so it’s not just about putting in one training course or procedure and thinking the job is done. Instead, anti-fraud measures need to be continually reviewed and updated. Similarly, ongoing investment, whether in fraud and security professionals or in software and processes, is essential.