Today’s guest post is from Tony Bridger of Assymetrix Consulting. Got a spending, process, or change management problem? Tony has a solution.
There is an old Nigerian Proverb that runs a little like: “One cry of “Thief!” and the whole marketplace is on the lookout.
However, crying “thief” has serious implications for many business, particularly those public organisations with shareholders who would quickly perceive financial crime as a systemic business process failure. It is easier for management teams to internally manage fraud than to prosecute. Detection of large fraud is also an admission that both controls and deterrence are failing. In a recent article, It’s Hard to Find Fraud in Big Spend Stacks … the advent of AI could provide that vital detection of internal fraud. It’s a sophisticated solution.
Whilst we are on the subject of proverbs, a key element in fraud management is “prevention is better than cure”. Companies that detect fraud have clearly not created the cultural norms that others take for granted that deter staff from committing fraud. There are many cultural and technological capabilities that can reduce the incidence of fraudulent activity that are well within the grasp of many businesses. Deterrence – or risk of detection is a critical cultural message.
With some careful risk analysis, it is quite easy to map out where company fraud is likely to originate. Finance, Procurement and staff expenses are usually the key internal risk areas. Culturally, one of the first steps is to ensure that there is adequate separation of duties. In finance, this is simply ensuring that a finance staff member does not have the capacity to both create a supplier vendor master entry – and pay an invoice. This is a system administration role setting. The creation of “dummy vendors” and subsequent payments is often down to this simple failure. Making all data elements (Business Number, address, contact details) as mandatory data items also reinforces the message on data integrity. Many mid to high end systems will also allow user audit trail analysis if required. This simply captures the user-id of the employee accessing the key finance system forms.
For smaller companies, separation of duties can be an issue – but keeping a register of new supplier entries and reviewing this regularly is a key move. In the procurement space, the person who creates the contract and then manages the winning vendor should also not be one and the same person if possible. Again, hard to mobilize with limited staff and expertise – but a very clear signal around why is a powerful deterrent. The idea is not to create a draconian working environment – it is simply ensuring that employees understand that this is designed to protect them – as well as the company.
Where possible, organizations should also use the power of their accounting system to the full. Many of the low-end accounting systems have decent quality automation for transactions like staff expenses. From experience, there are some subtle employee mindset changes generated with increased automation. Almost all of us realize that entering data in to a system creates a record. Once submitted, unless a request is made to vary the claim – the electronic evidence exists. Paper can be lost, shredded or misinterpreted.
Almost all staff will recognize that these transactions can be retrieved many years later. A very good business practice is to engage a vendor that provides duplicate invoice analysis services periodically. This service can also detect anomalies and “odd” transactions. A multiple repeated “same value” claim by an employee will almost certainly be found and analyzed. As many of these services are contingent based, they are quite affordable. Regular auditing can also send clear signals on fraud risk assurance.
However, the combination of separation of duties, increased electronic transaction processing and periodic data analysis should send very clear cultural signals about what is acceptable. Staff will work out the “why?” comparatively quickly.
Organizations cannot effectively function if trust is lacking. The notion of the cry of thief! Is far more acceptable if good management controls are in place and any subsequent fraud is detected. In effect, it’s a best effort approach to fraud prevention.
Thanks, Tony.