
The Internal Betrayal

A CIFAS report on beating the growing threat of Staff Fraud

CIFAS: The UK’s Fraud Prevention Service

www.cifas.org.uk | August 2010

In this Report

• Staff Fraudsters - the Link to Organised Crime
• Examining Motivations for Internal Attack
• Protection from the Risk of Employee Fraud
• Joining the Dots on Insider Fraud
• Whistleblowing: Following a Procedure
• Expenses Fraud: a Change in Attitude?
• Anatomy of an Inside Job
• Defining and Dealing with Corruption
• HR and the Philosophy of Tackling Staff Fraud

The Internal Betrayal: A CIFAS report on beating the growing threat of Staff Fraud

While attention has traditionally been focused upon external attempts to defraud, increasingly the fraud threat is being mirrored internally.

In 2009, CIFAS Staff Fraud Members noted a 45% increase in the number of cases of fraud committed by employees, compared with 2008. This included theft of cash from the organisation or a customer account, or lies on an application form, through to the theft or disclosure of commercial or personal data. The opportunities to commit fraud from the inside are numerous.

In The Internal Betrayal, CIFAS and a wide range of fraud prevention bodies and experts have combined to examine the facts about staff fraud. This report looks at the steps that organisations can take in order to combat the threat successfully.

From the recruitment process, expenses claims, whistleblowing and corruption, to ensuring that the right anti-fraud philosophy is present at all organisational levels, you will find in this report all that you need to know about combating the threat of staff fraud.

Peter Hurst
Chief Executive
CIFAS – the UK’s Fraud Prevention Service

CIFAS is a not-for-profit organisation, concerned solely with the prevention of fraud and is funded by subscription.

For further details about any of the articles in this report, please contact CIFAS at memberservices@cifas.org.uk

Website: www.cifas.org.uk www.identityfraud.org.uk

Staff Fraudsters - the Link to Organised Crime

CIFAS Reports

CIFAS Member organisations are facing an alarming rise in the volume of identity fraud. These frauds are being carried out by a number of different types of criminal; from the opportunist stealing the identity and good name of their friends and family, to the serious organised criminals indiscriminately tarnishing the financial reputation of anyone whose details they can find. This rather begs the question: how are these criminals getting their hands on other people’s identities?

The finger of blame is pointed pretty squarely at the internet. The digital age has provided myriad different options for fraudsters of any level of expertise: from social engineering facilitated by social networking sites, to the deployment of complex malware designed to rip personal information from the hard drives of the defenceless. It should be noted, however, that the finger of blame is not unwavering in its accusations as it is also wagging sternly at those staff fraudsters who disclose personal data to third parties. Yes, there are those who willingly disclose their employer’s client information to those who would use it to commit further fraud – possibly against that same employer. It could be that these individuals have been approached by the criminals and offered money in exchange for personal and account information. Another possibility is that these people have been specifically planted within the organisations with the express aim of farming off the data.

The recorded number of these individuals is increasing. In 2008, there were 15 individuals recorded on the CIFAS Staff Fraud Database for unlawfully obtaining or disclosing personal data. This increased to 32 individuals in 2009, and the first half of 2010 has already seen a further 26. A straight line extrapolation would see the total for 2010 reach 52 – so, the recorded instances of this offence increased 113% in 2009 compared with 2008, and a further 62% increase is expected in 2010. It’s true that the numbers themselves do not seem that scary, but there are particular factors that make this threat somewhat more severe:

• How many people’s identities is one staff fraudster capable of compromising? Depending on the position of the individual concerned, it could range from a handful of specially selected identities through to thousands (or even tens of thousands) of potential victims of identity fraud.

• These figures merely count the number of proven cases across the CIFAS Staff Fraud Database. There are currently over 130 Staff Fraud Members, so there are clearly a large number of organisations outside membership who are likely to be suffering the same kind of internal attack. It is not unreasonable to assume that these organisations, too, are seeing similar increases in this type of fraud to those inside the membership – it’s just that these frauds go unrecorded. More concerning is the number of such frauds that not only go unrecorded, but entirely unidentified, thus leaving the perpetrator free to carry on compromising the identities of their employer’s customers.

• These figures do not take into account those individuals who have been threatened and coerced into passing on client information to criminals. For a case to be recorded on the CIFAS Staff Fraud Database, a criminal offence must have occurred; and if the individual was acting under duress, then they are not considered to have committed a criminal offence.

Fig. 1 paints a picture of staff fraud as a facilitator for further criminal attacks and, while identity fraud is the present ‘flavour of the month’, it seems unlikely that the organised criminals will stop looking for people to bribe, place or coerce into revealing customer data.

These criminals may keep looking, but will they still be able to find their men or women (but mostly men – two thirds of recorded cases are men) on the inside? The answer is probably yes - they will. It could be argued that if the country continues to climb out of recession, some confidence will return, and there may be fewer people willing to accept money from criminals to disclose personal data. That said, there is the small matter of a budget deficit to be addressed – through measures like a proposed increase in VAT, which means that people’s pay won’t go as far. This could lead to those of a more susceptible disposition feeling the urge to augment their spending power by selling a bit of data on the side. This, of course, assumes that these people are being motivated by feelings of financial desperation, which may be true in some cases – but it could just be plain greed. And let’s be honest, your personal spending power is neither here nor there if someone is threatening the safety of you or your family. It should also be remembered that it’s not always a case of seemingly honest people going rogue. There will also be those career criminals happy to take up employment with the sole aim of compromising data for their criminal colleagues. So yes, it seems fair to say that there will always be a supply of people whom organised criminals can use to obtain data – willingly or otherwise.

The upshot of this is that the problem and harm caused by staff fraudsters who compromise customer data is unlikely to go away any time soon. This means that unless organisations can effectively prevent these frauds from occurring, they will have to cope with the risk of the reputational damage caused by corrupt staff, and the financial fallout caused by the fraudulent attacks made by the criminals who receive the data. Neither should those whose details have been compromised be forgotten. The innocent victims of these identity crimes will be forced to spend time and money unravelling the mess that the criminals have made of their financial identity as well as suffering the emotional trauma of having their good name abused.

Fig. 1 - Disclosure of Personal Details against cases of Identity Fraud (chart; series: Identity Fraud, Disclosure of Personal Details; years: 2007, 2008, 2009, 2010 (expected))


Examining Motivations for Internal Attack

Introduction

In the mid 1940s, Donald Cressey, an eminent criminologist, introduced the ‘Employee Fraud Triangle’ – showing the three constituent parts of an employee fraud: Rationalisation, Opportunity and Motivation.

It can be difficult to predict an individual’s self justification, and opportunities for attack are already the focus of most anti-fraud controls - but motivation is never really considered. This may be a mistake as there are certainly areas where understanding the reasons behind a major attack could enhance prevention and detection, and help to identify an individual’s predisposition to attack.

Studies and Comment on Motivation

A 20 year study (Hollinger & Clark) of 12,000 employees concluded that the most common reason for employees committing fraud had little to do with Opportunity but more with Motivation. The KPMG Profile of a Fraudster Survey (2007), meanwhile, showed the main motivations to be financial pressure, often from an excessive lifestyle. No studies, however, have examined the breadth or depth of motivations, nor their potential relevance in internal fraud/crime management.

Types of Motivation

Another American criminology commentator (Nettler) succinctly summed up the types of motivation as: “Babes, Booze and Bets”. While tongue in cheek, this does cover a large proportion of motivations, but by no means all: so a closer, more exhaustive, examination is worthwhile.

There are probably three major fields of motivation (all with some cross-over) which are outlined in Fig. 2:

1. Greed

2. Need
   a) Debts (self inflicted)
   b) Debts (true necessity)
   c) Targets/Survival/Concealment of Error/Deficit
   d) Coercion/Threat/Blackmail
   e) Addiction: alcohol, drugs, sex, gambling

3. Miscellaneous
   a) Malice/Revenge (Existing)
   b) Malice/Revenge (Responsive)
   c) Competitive Sabotage
   d) Peer (or Family) Pressure/Loyalty
   e) Psychological Problems
   f) Excitement/Entertainment/Self-Aggrandisement/Ego
   g) Idealism/Terrorism
   h) Stupid/Naive (i.e. no deliberate motive)
   i) Mole/Cell (i.e. only purpose to employment)
   j) Industrial Espionage

Fig. 2 - The three major fields of motivation

How to identify potential for enhancement of controls.

by Nick Mann, Principal, Nick Mann Associates

A lot of these are known to us, and we will commonly see cases exhibiting some of the features. It is worth recording, however, some examples of the less obvious ones to illustrate that all can be dangerous if ignored.

2d (as described in Fig. 2): there has been a very recent manifestation (trial June 2010) where a bank cashier helped thieves steal £150,000 after they threatened to uncover her as a bigamist.

3a, 3g, and 3i are exemplified by a case in 2006, where alleged terrorists were taped discussing ‘targeting utility companies by using recruits with inside knowledge to cut off electricity, water and gas power supplies across the country’.

An unusual example of 2a (and possibly 2e) is the case this year of the NHS Trust employee who stole £200,000 from various Trusts to fund her purchase of 18 show-jumping horses.

In 2006, a Loans Manager for a major bank defrauded £21 million and at least part of his motivation was thought to be self-aggrandisement (3f); looking good to his friends and rugby club associates, as well as some element of 2c. Probably the most famous example of 2c is Nick Leeson (Barings), as well as the recent allegations against a French trader.

Motivation Linkage

It is possible to link most motivations under four main Risk Factor Indicators (RFIs):

• Financial – 1, 2a, 2b, 2e, 3c, 3j
• Compulsion – 2c, 2e, 3a, 3b, 3e, 3g, 3h
• Secret/Embarrassment – 2d
• Illogical – 3f, 3i

There are opportunities to detect these RFIs in both subjective and objective controls before and after employment. It is worth looking at the most difficult of these first.

Vetting (Pre-employment Screening) Control

To spot RFIs will necessitate detailed ‘checks’ and realistically we can only conduct that level on approximately 10-15% of roles. It is necessary, therefore, to decide which posts have a high risk. There are processes whereby one can measure attack opportunity, ease and impact for each role (or role family). This not only enables proportional (most common legal test for ‘intrusive’ vetting) and targeted vetting controls but also allows the same resource focus for many of the other controls (see below).

In order to detect RFIs it is important to ensure that the following points are covered in a vetting exercise:

• Is their application real?
• Are their qualifications (if true?) consistent with their career path to date?
• Is what the subject does, or has done:
  • A secret (e.g. criminal record, a habit or extra-marital affair)?
  • Expensive for them?
  • A risk because of how often or how much they do it?
  • Embarrassing if revealed/discovered?
  • A risk to them or anyone else?

Vetting, of course, is a huge subject in itself, but it is important to understand the legalities within your particular jurisdiction.

It is not only possible to screen for motive presence but also feasible to discover any propensity or capability for fraudulent/criminal activity. The key is to look for the unusual or the inexplicable. The analysis for RFIs must take into account all subjective as well as objective factors, e.g. too much money can be as much an RFI as too little and one man’s gambling addiction is another’s hobby. For example: a £100 a week gambling habit may well pose a risk for a clerk who is only able to earn £20k pa (possible addiction), but it is not a risk for a Director who is to earn £100k pa (probably more a hobby) – unless … he has kept it a secret from his wife?!! (NB. Such detailed (Gold Standard) screenings must be conducted by experienced investigators. This is particularly important in the interviews and analysis of data, e.g. bank accounts.)

A Case Study

Candidate supplied CV, references, bank and financial outgoing statements. Examination of the documents and the candidate revealed RFIs of a predisposition to fraud/crime, namely a drug habit (uncovered by spotting inexplicable cash withdrawals every second Thursday) and forged references (same misspellings as in CV) to cover a dismissal for alleged bribery.

It is not always feasible to spot some motivations prior to employment, e.g. when it is a first time offence and the employment is itself causal to the Motivation (3a) and presents the Opportunity and, if necessary to the miscreant, the Rationalisation. Almost all motivations would become ‘vettable’ if we applied repeat vetting (on High Risk posts). Repeat vetting would be particularly successful if linked with Fraud Monitoring/Detection and other objective post employment controls.

General Controls

Whether the motivation or RFI is ‘vettable’ or not – all motivations and the resultant product, are controllable:

1. Education and Training – Security Awareness Programme
2. Professional Investigative Capability and Well Publicised Deterrent
3. Fraud and Theft Detection
4. Communication and Intelligence
5. Audit Trails, Logs and Reconciliations
6. Monitoring and Exiting of High Risk Posts
7. Segregation and Compartmentalisation
8. Access (Logical and Physical) Controls – particularly for High Risk
9. Information (not just IT) Classification and Protection
10. Foster Good Industrial Relations
11. Realistic Target Programmes
12. Duty to Report – not just whistleblowing, but a mandatory duty

Moreover, it should now be obvious that each of the above controls is better applied with knowledge of the range of Motivations and their RFIs.

Conclusion

Making the connection between why employees commit employee fraud and applying controls respectively has to be more effective than simply having controls based on how attacks are perpetrated. That said, I don’t believe this is something that will provide easy wins in the short term - but what is certainly evident from the above is that it warrants further study.

www.nickmannassociates.com


Protection from the Risk of Employee Fraud

by Fiona Dawson, Product Manager, Experian Background Checking

As the economy starts to show signs of improvement, employers will want to position themselves to take full advantage of the recovery. The demand to find good people quickly will become a top priority. In the face of this pressure, it is crucial that organisations remain diligent in checking backgrounds and references or they run the risk of recruiting unqualified candidates or worse, people who are focused on depleting company resource through fraud or identity theft.

The implications for an organisation of recruiting the wrong person can be severe and have potentially high financial, legal and reputational consequences. It’s not surprising, therefore, that employers are increasingly implementing more stringent employee screening procedures. Indeed, the volume of background checks carried out by Experian in 2009 increased by 4%, despite a period of depressed recruitment activity; demonstrating a tightening of vetting practices across all sectors and company sizes. 7% of criminal record checks undertaken in 2009 highlighted convictions not disclosed in the application, a fact that clearly demonstrates the importance of these additional checks.

Getting recruitment decisions right is essential at the best of times, but in this post-recession environment, the task of recruiting the best talent certainly presents some challenges, and finding ways to limit uncertainty in the hiring process has never been more important.

CV cloning

Improvements in anti-fraud measures over recent years have pushed organised criminals to look at new options and approaches. This means that fraudsters will increasingly look to take on the identities and career histories of third parties as an easier way of getting into an organisation. The rise of social networking sites such as Facebook and LinkedIn, where people post detailed information about their educational and career histories, further increases this risk and means that CVs can no longer be accepted at face value.

Increase in insider fraud

While pre-employment screening can certainly deter rogue candidates and ensure that new recruits have a clean background prior to starting employment, there is no guarantee that this will remain the case.

Employee screening to minimise risk in the recruitment process is key to combating insider fraud, but organisations should also be aware of the increasing threat posed by existing employees.

BDO Stoy Hayward’s 2009 Fraudtrack report found that 29% of fraud was committed by senior management (equating to a cost of £358m to UK organisations) and 8% was attributed to employees - equating to £95m. The fact that the value of reported fraud in the UK has increased by 153% since 2003 reminds us just how serious a threat this is to UK businesses.

The raft of recent fraud reports and reviews suggest that the UK is heading for an unprecedented surge in fraud over the next two years, as businesses and individuals struggle to survive the economic downturn. According to KPMG’s annual fraud barometer, the value of criminal frauds prosecuted in the courts reached a 13-year high of £1.1 billion last year but it’s feared that the worst is yet to come.

Developing a continuing employee screening strategy

During times of recession (as debts mount, habits form, pressures rise and circumstances change) employee fraud presents an ever greater risk to organisations. Extreme financial pressure can make some people, often with no previous history of criminal activity, more vulnerable to coercion or open to insider fraud as a way of improving their situation. Developing a continuing screening strategy can help employers to minimise this risk over the longer term. Financial checks and criminal record checks can provide vital warning signs by enabling organisations to identify changes in an employee’s circumstances. This, in turn, allows them to make a better assessment of the risk they may pose. Dealing with this information appropriately and carrying out a thorough investigation prior to taking formal action is critical to an effective, continuing vetting strategy.

By regularly screening existing employees, organisations can gain an insight into the background of their workforce, ensuring that they fulfil their contractual obligations and, in the case of financial organisations, ensuring that they meet compliance requirements while mitigating risk.

Don’t just check senior positions

It is also a common misconception that the more senior a position, the more checks are required, as senior staff are perceived as holding the most power and responsibility. Junior and temporary staff, however, often have less to lose and, subsequently, can have little or no loyalty to the company. These employees are also likely to have the widest access to sensitive information.

To be truly effective, employee screening should be applied to all staff at all levels and should be undertaken regularly in order to protect organisations over the longer term. It is also important to measure the cost of implementing this against the risk facing the company in terms of data loss, financial crime and reputational damage, should it become a victim of insider fraud.

For more information, advice and practical tips on background checking, visit www.backgroundchecking.com.


Joining the Dots on Insider Fraud

How can organisations detect employees disclosing customer data or using it for their own personal gain without restricting them from doing their day-to-day jobs?

Matthew O’Kane, Head of Financial Services Analytics, Detica NetReveal®

2009 saw a large increase in two particular areas of fraud; disclosure of customer data to a third party — which almost doubled according to data from CIFAS Staff Fraud Database Members — and an escalation in the number of victims of identity fraud where CIFAS Members saw a 31% increase.

It can be no surprise that these two fraud types may be linked — and the recession has the potential to exacerbate the problem.

Financial institutions could certainly be forgiven for looking outside their organisation when attempting to detect and prevent the compromise of customer data; particularly as we see more and more database compromise events hit the press such as Heartlands¹ and the recent compromise in Spain². Experience, however, suggests that financial organisations should also be ensuring that they are well-defended against internal compromises.

This can be difficult: effort is frequently focused on preventing employees from stealing personal information (e.g. restrictions on emailing, printing and photography) but such restrictions pose little threat to the most determined fraudsters or employees with little regard for correct procedures and behaviours.

So how can organisations detect employees disclosing customer data or using it for their own personal gain without restricting them from doing their day-to-day jobs?

Every action leaves a fingerprint

The first step in detecting this type of fraud is ensuring that fraud analysts have access to account maintenance log data from across the organisation. This data should include logs of every time a staff member touches or accesses a customer account. Particular care must be given to ensuring that all account activity, including changes and account views, are captured by the logging system. A fraudster only needs to write down pertinent account information to commit identity fraud. In addition, it is worth adding descriptors of the overall net worth of the account owner to the analysis data — fraudsters will frequently target high-worth individuals.

The next steps are to identify the patterns of activity of employees opening customer accounts, and look for anomalies. In addition, one should try to detect when a customer’s details have been potentially used in a fraudulent manner. For credit and debit card information, for example, there are two key touch points to detect — the testing and, then, the actual fraudulent use of the card details.

Test point identification

Card details are usually ‘tested’ by the fraudster to ensure the card’s validity before either selling the details or using them directly for fraud (particularly if the intent is to use the details in a card-not-present environment). As internal fraudsters become more organised and create ever larger data thefts, they are faced with the prospect of needing to test large volumes of cards at once. As a result, they often use technology and automated processes to check the cards’ validity and record the outcome.

This modus operandi can be spotted using anomaly detection — such technology can watch merchants for odd, repeated, authorisations or spikes of activity to detect potential card testing.

Fraudulent card usage

Whether it is through direct notification from the customer or detection by a third party fraud detection system, fraudulent card usage gives the strongest indication that a customer’s card details could have been compromised. It is important, though, to remove or ‘de-prioritise’ events where the customer believes the loss is due to loss of the physical card.

1 Heartlands data breach 26/1/09 – Computer Weekly
2 Spanish data compromise – Daily Mail 19/11/09

Identity theft notifications

Discovering theft of customers’ information which doesn’t relate to card details can be more complex, as stolen personal information is typically used in order to gain credit with other financial institutions. There are some warning signs that should be included in fraud analysis. For example, a sudden drop in a customer’s credit reference agency score, particularly due to a recent successful application for credit, could indicate that a fraudster has successfully committed identity fraud.

Joining the dots

By using advanced social network analysis platforms, disparate data sets (e.g. logs of account views and changes, potential card testing events, third party and identity fraud events) can be combined and each event networked: allowing a holistic view of all interactions to be created. If potential compromises are found, not only should an investigation be started, but any other customers viewed by the employee (particularly ones who have potentially been tested) should be placed on a watch list or a ‘contact and replace’ strategy.
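The linkage described above, as an added example that is not part of the original report: staff access logs (views as well as changes) are joined to later fraud events, each employee is scored by how many accounts they touched shortly before a fraud event compared with the base rate, and the untouched remainder of a flagged employee's accounts forms the watch list. The record layout, the 90-day lookback and every sample record are assumptions constructed for illustration.

```python
"""Join staff account-access logs to later fraud events (constructed data)."""
from collections import defaultdict
from datetime import date, timedelta
from math import comb

# Constructed sample log: (employee, account, day, action).
# Views are logged as well as changes, as the text requires.
ACCESS_LOG = [
    ("E1", "A01", date(2010, 3, 1), "view"),
    ("E1", "A02", date(2010, 3, 2), "change"),
    ("E1", "A03", date(2010, 3, 3), "view"),
    ("E1", "A04", date(2010, 3, 4), "view"),
    ("E1", "A07", date(2010, 3, 5), "view"),
    ("E2", "A05", date(2010, 3, 1), "view"),
    ("E2", "A06", date(2010, 3, 1), "view"),
    ("E2", "A07", date(2010, 3, 2), "view"),
    ("E2", "A08", date(2010, 3, 2), "view"),
    ("E2", "A09", date(2010, 3, 3), "view"),
    ("E2", "A10", date(2010, 3, 3), "view"),
    ("E3", "A02", date(2010, 3, 8), "view"),     # after the fraud on A02
    ("E3", "A07", date(2010, 4, 20), "change"),  # after the fraud on A07
    ("E3", "A10", date(2010, 3, 9), "change"),
    ("E3", "A11", date(2010, 3, 10), "view"),
    ("E3", "A12", date(2010, 3, 11), "view"),
]

# Constructed fraud feed: (account, day detected, event type).
FRAUD_EVENTS = [
    ("A02", date(2010, 3, 5), "fraudulent_use"),
    ("A05", date(2010, 3, 20), "card_testing"),
    ("A05", date(2010, 3, 25), "fraudulent_use"),
    ("A06", date(2010, 3, 20), "card_testing"),
    ("A07", date(2010, 4, 2), "fraudulent_use"),
    ("A08", date(2010, 4, 15), "identity_theft"),
]

LOOKBACK = timedelta(days=90)  # assumed window between access and fraud event


def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): chance of k or more hits by luck."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def score_employees(access_log, fraud_events, lookback=LOOKBACK):
    """Rank employees by how unlikely their count of linked accounts is."""
    first_event = {}
    for account, day, _kind in fraud_events:
        if account not in first_event or day < first_event[account]:
            first_event[account] = day

    accounts = {account for _e, account, _d, _a in access_log}
    base_rate = len(accounts & first_event.keys()) / len(accounts)

    touched, linked = defaultdict(set), defaultdict(set)
    for employee, account, day, _action in access_log:
        touched[employee].add(account)
        hit = first_event.get(account)
        # Only an access that precedes the first fraud event can explain it.
        if hit is not None and timedelta(0) <= hit - day <= lookback:
            linked[employee].add(account)

    scores = [
        {
            "employee": employee,
            "touched": len(accts),
            "linked": len(linked[employee]),
            "p_value": binom_tail(len(linked[employee]), len(accts), base_rate),
        }
        for employee, accts in touched.items()
    ]
    return sorted(scores, key=lambda s: s["p_value"])


def watch_list(access_log, fraud_events, employee):
    """Accounts the employee accessed that show no fraud event so far."""
    hit = {account for account, _d, _k in fraud_events}
    seen = {a for e, a, _d, _act in access_log if e == employee}
    return sorted(seen - hit)


if __name__ == "__main__":
    for row in score_employees(ACCESS_LOG, FRAUD_EVENTS):
        print(row)
    print("watch list for E2:", watch_list(ACCESS_LOG, FRAUD_EVENTS, "E2"))
```

With only twelve accounts the tail probabilities stay large; the ranking is what carries over to real log volumes, where the same test separates a common point of access far more sharply.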

Conclusion

Too often it is assumed that effective insider detection requires all possible data about every activity of the employee — no matter how removed from their business role — aligned with complex analytics. However, only targeted information relating to the organisation’s particular business processes and systems is required. An example would be call centre staff having access to customer data: the risk which needs identification and management is this interaction point. A tailored solution to the organisation’s processes yields far better results with more manageable scales of technical solution. After all, the ‘insiders’ tailor their attacks to the environment within which they operate.

Sophisticated database compromises may grab the headlines when it comes to identity theft but, as CIFAS research³ shows, financial institutions also need to look internally. The right tools and access to the right data can provide your organisation with the ability to detect more internal fraud before significant loss and reputational damage occur.

www.deticanetreveal.com

3 CIFAS Staff Fraudscape Research - www.cifas.org.uk

Linking and analysing data provides the basis for detection of insider fraud.


Whistleblowing: Following a Procedure

What is Whistleblowing?

Whistleblowing is when an employee discloses information about a fraud to his or her employer, a recognised regulator or (in some cases) the media . This information will be about some danger, or illegal practice, generally at the company they are employed by .

Many public and private sector organisations now have a whistle-blowing policy (e .g . the financial and banking sector, oil/petroleum and health) but it is questionable whether these procedures work . Those who have something to hide because their behaviour is illegal will do all they can to keep it this way – while the legal protection in place is open to abuse from disgruntled, sometimes corrupt, employees who suddenly discover that they have a conscience .

The Law

The Public Interest Disclosure Act 1998 (PIDA) for the UK provides protection for ‘whistleblowers’ if they meet set criteria. These are referred to as ‘qualifying disclosures’ and are where an employee discloses information that can cover: criminal offences, failure to comply with (or breach of) legal obligations, miscarriages of justice, health and safety matters and environmental risks.

A key point about the disclosure is that it need not be correct. While it might, later, be discovered that the employee was wrong to disclose information, he or she only has to show that he/she held a ‘reasonable belief’ at the time of disclosure. The revelation, however, is not a qualifying disclosure if (by making the disclosure) he or she has committed an offence; e.g. the disclosure was made by a legal adviser who acquired the information in the course of providing legal counsel.

What should an organisation’s whistleblowing policy contain?

A whistleblowing procedure is useful only if it has the support – rather than lip service – of company directors and managers. Without this commitment, it could merely be seen as an attempt to deter or obstruct the potential whistleblower from exhausting all avenues to disclose relevant information (see case study – page 14).

A real problem, however, is the reluctance of many employees to ‘snitch’ on colleagues. After all, even if they become aware of criminal acts at work, their disclosure could threaten their colleagues’ jobs and, therefore, perhaps understandably, they might become highly unpopular at work.

With this in mind, it is important that a whistleblowing procedure is followed and offers the whistleblower protection. Managers notified of a concern (unless they are involved) should:

• have responsibility to ensure that all matters raised are taken seriously

• where appropriate, investigate properly

• where appropriate, make an objective assessment of the concern(s)

• keep the employee advised of any progress

• ensure that any action necessary to resolve the concern(s) is taken

• set out penalties for making unfounded or malicious disclosures.

It is in the interests of a company to have a clear whistleblowing procedure and deal with issues effectively. No company would want to disclose information that exposed a breach of codes, illegal malpractice, corruption etc. but if it fails to deal with a matter ‘in-house’, and is eventually exposed, its public reputation could be damaged: a far more unquantifiable damage.


by Graham Brooks, Senior Lecturer, Institute of Criminal Justice Studies, Centre for Counter Fraud, University of Portsmouth


Internal qualifying disclosures

A ‘worker’ is defined as having a contract of employment, working for a company as a casual employee or under contract to provide a service and all are protected if they make a qualifying disclosure. Disclosures, however, must be made to their employer using a procedure authorised by the employer such as a whistleblowing scheme. But employees have a lot at stake: they may fear bullying, abuse, and/or attempts to discredit their personal and professional life. Evidence supports this, as whistleblowers are marginalised and abused. This is perhaps why some people choose to disclose information to an external body.

External qualifying disclosures

An employee is protected if he/she makes a qualifying disclosure to an appropriate ‘prescribed person’. These are certain statutory bodies – or people within them – that are authorised to receive the disclosure: e.g. breaches in health and safety can be brought to the attention of the Health and Safety Executive. For the person to be protected he/she must:

• make the disclosure in good faith;

• ‘reasonably’ believe the information and allegation is substantially ‘true’ and not be driven by personal gain

• ‘reasonably’ believe they are making the disclosure to the relevant body or person.

The person wishing to disclose information externally must have previously disclosed the same information either to his or her employer or prescribed person. If not, he or she needs to believe the employer would subject them to a detriment e.g. promotion prospects blocked, and/or the disclosure to the employer would result in the destruction or concealment of information about the wrongdoing.

Once external, and the case has reached an employment tribunal, the tribunal must decide if the worker acted ‘reasonably’ in all the circumstances. Even if the person raises an issue that is of public interest, if he or she fails to meet the set criteria they might not be protected by the PIDA (see case study – page 14).

Compensation

If successful in bringing an action under PIDA the person in question might be reinstated, seek re-engagement and/or compensation. Many might not want to return to a place of work that unfairly dismissed them, though. There is no limit to the amount of compensation that can be awarded in an unfair dismissal claim that is related to whistleblowing. Unlike ordinary unfair dismissal claims, compensation is also awarded for injury to ‘feelings’.

Recent changes

Although the name ‘public interest disclosure’ appears to be in the ‘public interest’ many are private disputes between an employee and employer leading to employment tribunals. From 6 April 2010 however, an employee, before going to a tribunal, can consent to having ‘sensitive’ information passed on to the appropriate regulator.

The employment tribunal secretary, however, will make the final decision to forward the whistleblowing claim. The increased likelihood of regulatory involvement might make employers settle disputes rather than face a tribunal and regulatory investigation. If the internal whistleblowing procedure is sound and followed, it is possible to avoid litigation, adverse publicity and regulatory intervention; however, this is if the company has nothing to hide.

A note on the USA and whistleblowing

The approach in the USA is somewhat different from the UK, but is worth considering. One notable difference is that whistleblowers can be rewarded for their actions in any case where money is recovered as a result. A private fraud case from the USA eight years ago, however, demonstrates that whistleblowing can work.

In 2002, Ms Cooper was vice-president of internal audit in WorldCom (a large telecommunication company in the US). A co-worker complained to her that WorldCom used a requested $400 million to boost its income instead of covering billing shortfalls. Under pressure to stand down, her team discovered that WorldCom inflated its profits by labelling operating costs as capital expenditures. Ms Cooper and her team uncovered $3.8 billion in fraud, a figure that rose to $11 billion by the end of the investigation. WorldCom filed for bankruptcy and its former chief executive was sentenced to 25 years in prison.

The problem here is that, once fraud is uncovered, many people lose their jobs: and yet, if we discover such fraud, do we allow it to continue because of the potential ‘consequences’?

Conclusion

There is much to consider before becoming a whistleblower: your reputation, health (because of work stress), lack of popularity at work, and the future consequences of your action(s). In the US however, a substantial reward for whistleblowing, if successful, might encourage those to ‘blow the whistle’ and consider victimisation at work as an acceptable and worthwhile risk.

Case study

In 2005 Margaret Haywood, a NHS nurse, secretly filmed horrific practices and treatment of elderly people at the Royal Sussex Hospital in Brighton for BBC Panorama. Even though Haywood had spoken to her line and ward manager, neither listened to her about poor patient care. Feeling she had no option, Haywood made the programme for Panorama. Haywood was found guilty of misconduct. The disciplinary panel felt that she had failed to carry out her duties as a nurse whilst working for Panorama. It was also found that she had compromised patient confidentiality because she filmed them without their knowledge or consent. Although Haywood admitted this, she felt that because of the poor patient care and lack of response from her managers this was the only way to expose and deal with the problem. However, because she did not exhaust all avenues (e.g. a written complaint to someone higher in the NHS) Haywood was found guilty of misconduct and thus not covered by PIDA.

Margaret Haywood made the programme in good faith and her allegations are seen as ‘true’ due to the documentary evidence. She did not, however, exhaust all avenues (e.g. the relevant body or person) before going to the BBC. Originally struck off by the Nursing and Midwifery Council for this whistleblowing, her punishment has since been replaced with a one-year caution allowing her to return to work in due course.

In light of this case, the Conservative Party recently called for a review of the PIDA. However, in this case, the Department of Health defended its position claiming that its new constitution protects employees that report ‘wrongdoing’, and have set up a special help-line, which treats calls in confidence. However, would you use the help-line if you had no confidence in your employer? Would you approach the person(s) you thought were responsible for a criminal act? Furthermore, would you have confidence in a scheme if you thought criminal offences were being committed or covered up?


Expenses Fraud: a Change in Attitude?

by David Vine, CEO, Global Expenses

British companies and organisations paid out an estimated £8.8 billion to reimburse their employees for expenses incurred in the course of business in 2009; around £2.1 billion of which would have been for out-of-policy and fiddled employee expense claims.

This figure is a conservative estimate: based on 4.8 million expense claims made by GlobalExpense’s clients. It doesn’t take into account expense claims made at companies that reimburse employees direct from the petty cash, or where employees complete paper expense forms and management has no effective way of monitoring how many claims are accepted or rejected per month.

The good news is that the attitude of the general public towards expenses fraud has changed considerably over the past couple of years. In 2007, before the start of the recession, a third of Britons questioned in a YouGov survey (34%) said they thought it was acceptable to exaggerate their work expenses. In 2009, this figure had fallen to just 14%.

The percentage of employees that admit to exaggerating their expenses has also dropped: in 2007, 30% of all employees who claim, or have claimed, employee expenses in the past, admitted to exaggerating their expenses compared with 15% in 2009.

No doubt, the MPs’ expenses scandal has gone a long way to changing the public’s tolerance of expense fiddling – both at work and at Westminster. Nobody would be caught appearing to condone such behaviour, following the national outrage which followed revelations about moat cleaning and duck house claims.

The effect has spilt over to the workplace. Three-quarters of people now say that they would not trust someone who fiddles their work expenses with other areas of business such as signing contracts with suppliers, putting together sales figures or making budget requests.

Surprisingly, the recession doesn’t seem to have increased people’s propensity to fiddle their expenses: in 2009 only 2% said they saw the recession as an excuse to exaggerate their expenses compared with 13% who said that it was likely they would exaggerate their expenses if they found themselves in economic difficulties as a result of the recession in 2008.

What the recession has done is to increase the risk of fraud occurring by providing more opportunities for people to feel hard-done-by and disgruntled and, therefore, tempted to right perceived wrongs via the expenses system.

In last year’s survey, 71% thought it was acceptable for people to exaggerate their expense claims if their employer didn’t reimburse all the costs they incurred; when an employee did a lot of unpaid overtime (68%); when an employer took a long time to reimburse the employee (36%); and when an employee felt they were not paid a fair salary (24%).

One of the key things that employers can do to clamp down on fraudulent expense claims is to educate staff about the expenses policy so that they understand the rules. It is particularly important to train and support expense authorisers whose job it is to spot fraudulent and out-of-policy claims. Most ‘fiddled’ claims are the result of error rather than deliberate fraud, especially when it comes to mileage claims which are the most likely to be exaggerated.

A client that contacted GlobalExpense because it was concerned about fraudulent expense claims saw a natural reduction in expense claim value of 20% as soon as it announced that it was changing to an automatic, independently monitored system – even before implementation had started. The message had been received by staff that their expense claims would be scrutinised. According to the 2009 YouGov survey, 77% of people said that their employer never queried or rejected their expense claims, and 13% said that claims were queried or rejected, but rarely. This is an open door to fraudsters.

There has never been a better time than now, while employees are ready, willing and supportive, for employers to get to grips with their employee expenses. Exposed to the detail of the expenses rule changes at Westminster, discussion about spending limits for types of expenses and newspaper scrutiny of individuals’ spending, employees are probably beginning to question why their own employer isn’t doing something to change the way expenses are claimed.

As the MPs’ expenses scandal fades in people’s memories, there is a chance that employees will return to their old ways. This is a particular risk if employers do not act quickly to raise salaries and give bonuses as soon as the boom times return, in order to compensate staff who have scrimped and saved.


Anatomy of an Inside Job

CIFAS looks at an example of a known internal fraud, and diagnoses what was not done to prevent it!

The basics of the case

A major fraud in the social housing sector was driven by a temporary employee who set up a company, awarded a contract to it and, during a three week period, submitted invoices for the installation of kitchens that never took place. A total of 15 invoices were submitted, relating to over 300 properties, and at a cost of over £2 million.

The diagnosis

When the fraud was uncovered and investigated, a number of key points emerged which demonstrate the mistakes and oversights that a business can make which aid the potential fraudster. In particular:

1 Recruitment

The contractor at the centre of the fraud was connected to a former agency worker who was employed by the social housing body as a Project Manager. In addition, the contract for provision of temporary staff from the agency was unclear about the precise nature and scope of background checks that should have been performed. As it transpired, basic checks of references would have revealed problems at a previous employer – which would have given the agency grounds for not referring the candidate for this position.

The problem here is that of ‘knowing your staff’. While the interpersonal relationships of employees may not be something that any organisation would choose to delve into, the initial contract between the social housing organisation and employment agency was obviously not clear: how can an organisation have confidence in the agency staff provided if they have never made clear their requirements? In addition – a question of ownership arises: accepting candidates or references at face value. Is it always the agency’s job to verify references or should an organisation verify what it receives too? In all cases, preventative steps were missed that could have prevented the Project Manager’s employment from ever commencing.


2 Internal procedures

The contract awarded to this particular contractor had been made by the agency employee but not reviewed by his manager. It turned out that the contractor did not appear on an ‘Approved List’ of contractors. Furthermore, the procedures manual for commissioning works of this kind had not been followed, and there was evidence that a contract had been signed and sealed before any senior authorisation had been granted.

It was not only in these, requirement driven, procedures that fault was to be found, however: insufficient diligence also featured on the payments side. Invoices were approved by staff who had no first-hand knowledge of the installations, or recourse to the project file. Invoices were also processed where the total value exceeded the value of the purchase order. To compound all of this, there was a lack of information and documentation kept in the project files, together with a lack of documentation on day-to-day supervision of the installations project and the people involved.

This is a catalogue of errors – all surrounding processes not being followed. A user manual, after all, is only useful if it is used: and if a process is considered to be obstructive or cumbersome, what steps can reasonably be taken by an organisation to address this? The Chartered Institute of Management Accountants (CIMA) states that the aim of internal controls is to “reduce the opportunity and remove temptation” for employees to steal. However, as internal controls were inadequate or ignored, the opportunity for someone to exploit its frailties and commit fraud increased. In addition, what this demonstrates is that training should be continuous: instructing new staff to keep information and documentation in a structured way is one thing, but if existing staff are not doing so then this becomes the established standard in the organisation. Encourage staff to follow procedures - not to indicate a lack of trust, but to empower them to question something when it does not make sense.

3 Management processes

Finally, the management process of staff, procedures and budgets failed on several fronts. A lack of oversight (at all management levels) to monitor, review and compare apparent or actual activity levels against financial spend was key. In addition, the perceived ‘pressure’ felt by staff to approve invoices and make payments before the end of the financial year, played a part. Finally, the agency worker directly involved in the fraud was found to have put payments through the system during the three week period during which his line manager was on annual leave!

Whether it is unreasonable pressure upon employees to place more value upon speed and deadlines at the expense of quality, or failing to implement useful processes for management (e.g. cover during periods of annual leave) what this proves is that the quality of a workforce or organisation means nothing if the quality of management is lacking. Procedure manuals are not just for employees – but for employers and managers too.
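The control failures diagnosed in this case (a contractor missing from the Approved List, a contract signed before senior authorisation, invoices exceeding the purchase order, no project-file evidence, and payments processed while the line manager was on leave) can each be expressed as an automated exception check. The sketch below is an added example, not part of the CIFAS report; the record layout, rule names and all sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    contractor: str
    value: int                         # agreed contract value, in pounds
    raised_by: str                     # employee who awarded the contract
    contract_signed: date
    senior_authorised: Optional[date]  # None = authorisation never recorded


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    amount: int
    processed: date
    completion_evidence: bool  # project file holds sign-off from someone who saw the work


def exception_report(orders, invoices, approved_contractors, manager_of, leave):
    """Return sorted (rule, reference) pairs, one per control breach found."""
    findings = set()
    by_po = {po.po_id: po for po in orders}

    for po in orders:
        if po.contractor not in approved_contractors:
            findings.add(("NOT_ON_APPROVED_LIST", po.po_id))
        # A contract must not be signed before senior authorisation is granted.
        if po.senior_authorised is None or po.contract_signed < po.senior_authorised:
            findings.add(("SIGNED_BEFORE_AUTHORISATION", po.po_id))

    invoiced = defaultdict(int)  # running total per purchase order
    for inv in sorted(invoices, key=lambda i: (i.processed, i.invoice_id)):
        po = by_po.get(inv.po_id)
        if po is None:
            findings.add(("NO_PURCHASE_ORDER", inv.invoice_id))
            continue
        invoiced[po.po_id] += inv.amount
        if invoiced[po.po_id] > po.value:
            findings.add(("EXCEEDS_PO_VALUE", inv.invoice_id))
        if not inv.completion_evidence:
            findings.add(("NO_COMPLETION_EVIDENCE", inv.invoice_id))
        # Payments pushed through while the awarder's line manager is absent.
        manager = manager_of.get(po.raised_by)
        if any(start <= inv.processed <= end for start, end in leave.get(manager, [])):
            findings.add(("MANAGER_ON_LEAVE", inv.invoice_id))

    return sorted(findings)


# --- Constructed sample data (no real organisation, person or contractor) ---
APPROVED = {"Example Joinery Ltd"}
MANAGER_OF = {"pm_temp": "mgr_a", "pm_perm": "mgr_b"}
LEAVE = {"mgr_a": [(date(2010, 3, 8), date(2010, 3, 26))]}
ORDERS = [
    PurchaseOrder("PO-1", "Example Joinery Ltd", 50_000, "pm_perm",
                  date(2010, 2, 10), date(2010, 2, 1)),
    PurchaseOrder("PO-2", "Example Kitchens Ltd", 100_000, "pm_temp",
                  date(2010, 3, 1), None),
]
INVOICES = [
    Invoice("INV-1", "PO-1", 20_000, date(2010, 3, 10), True),
    Invoice("INV-2", "PO-2", 60_000, date(2010, 3, 9), False),
    Invoice("INV-3", "PO-2", 70_000, date(2010, 3, 15), False),
    Invoice("INV-4", "PO-1", 25_000, date(2010, 4, 2), True),
]


def run_sample():
    return exception_report(ORDERS, INVOICES, APPROVED, MANAGER_OF, LEAVE)


if __name__ == "__main__":
    for rule, ref in run_sample():
        print(f"{ref}: {rule}")
```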


by Sterl Greenhalgh, Partner, Grant Thornton UK LLP

The Bribery Act 2010

You might be forgiven if you are one of the many senior managers who remain blissfully unaware that, in April, one of the final acts of the outgoing government was to ensure that the Bribery Act received Royal Assent. The Act has been described as the “gold-standard” of anti-corruption legislation, but will not come into force until April 2011. Ken Clarke MP – the UK’s recently appointed “International Anti-Corruption Champion” and Secretary of State for Justice – is on record as saying that “his first priority was to ensure the effective implementation of the [Act]”. It is clearly an Act that senior management needs to take seriously.

But just what is corruption and why is so much UK and US regulatory and law enforcement activity devoted to it? The answers to these questions, according to Transparency International (TI), a leading non-governmental organisation (NGO) in this area, are that corruption involves, “the misuse of entrusted power for personal gain” and that it has “dire global consequences, trapping millions in poverty and misery, while breeding social, economic and political unrest. Corruption is both a cause of poverty and a barrier to overcoming it¹”.

Corruption is not just about bribing public officials; it is also a private sector issue and in terms of establishing the “gold-standard”, it is no coincidence that the Bribery Act, unlike its US cousin the Foreign Corrupt Practices Act 1977, also captures business-to-business corruption.

In terms of detail, the Act consolidates existing legislation that dates back to the 19th century, and introduces four offences. These are in essence:

• offering, promising or giving a bribe

• requesting, accepting or agreeing to accept a bribe

• bribing a foreign public official; and

• failure of a commercial organisation to prevent bribery.

As might be expected, there are nuances to each offence (which will be subject to animated legal debate or ultimately left to a jury to decide), but it is safer to work on the premise that the Act is widely drawn to catch as many incidents of domestic and foreign bribery as possible.

It is, perhaps, inevitable that a far-reaching act of this nature will run headlong into the commercial realities of doing business, especially overseas. Already, two particular areas of unease are being expressed by some companies². First, a concern at what point “lavish corporate hospitality” might constitute payment of a bribe and, second, why small so-called ‘facilitation payments’³ remain prohibited.

1 http://www.transparency.org/news_room/faq/corruption_faq

2 See “Decision Time”, an anti-corruption survey published in June 2010 by Grant Thornton.

3 A facilitation payment is made to a foreign official, political party or party official for ‘routine governmental action’, such as processing papers, issuing permits, and other actions of an official, in order to expedite performance of duties of non-discretionary nature, i.e., which they are already bound to perform. The payment is not intended to influence the outcome of the official’s action, only its timing. They are legal under the FCPA, and recognised as such by the OECD, but are considered as bribes under existing UK law and under the Bribery Act.


Defining and Dealing with Corruption


So how should business respond?

It would be a mistake to assume that it will be business as usual. Both the Serious Fraud Office and the City of London Police’s Overseas Anti-Corruption Unit have increased their enforcement activity and co-operation with other countries in recent months. As the new Act should make it easier to prosecute corruption offences, both agencies will be keen to make as much use of it as their (albeit limited) resources permit. It will be no surprise if they seek to maximise the deterrent value of their activities across a wide variety of industry sectors and through imprisonment of senior management in order to drive the message home. In this latter regard, they are assisted by the new Act which provides that, if any of the first three offences (described on page 19) are “committed with the consent or connivance” of a “senior officer” (also broadly defined and includes a manager), they will also be guilty of the offence. Connivance has interesting connotations which may well include secretly allowing such payments or (worse still) closing one’s eyes to the obvious.

Investigations will, no doubt, also focus on the new corporate offence of failing to prevent bribery, which will result in some companies being subject to large fines, especially as Lord Justice Thomas recently opined⁴ that “corruption of foreign government officials … is at the top end of serious corporate offending”. There will, however, be a defence to this charge if the commercial organisation can demonstrate that it had in place “adequate procedures” to prevent bribery. In this regard, companies are encouraged to review their existing strategy, policies and procedures ahead of the Bribery Act coming into force.

It is fair to say that for many businesses, especially those with overseas operations who use agents and other third parties, corruption poses a significant but difficult risk to quantify. A first step in any review should be to undertake a business-wide corruption risk assessment and then align policies and procedures to mitigate the risks identified.

4 Regina (SFO) v Innospec Limited

[Fig. 3: “The Ethical Triangle: Adequate Procedures?” A diagram with the tiers “What we say we do”, “How we do it” and “Ensuring we do it”, and the labels Control activities, Risk Assessment, Information & Communication and Monitoring. ©2010 Grant Thornton UK LLP. All rights reserved]

What are “adequate procedures” likely to mean for companies?

The Secretary of State is required to provide guidance as to what constitutes “adequate procedures”, but it is not anticipated that any radical recommendations will emerge and there is already information available from a number of sources. There does seem to be an over-emphasis in some quarters on the role played by a compliance programme, probably as a consequence of the role this plays in the Federal Sentencing Guidelines – following interventions by the US Department of Justice.

An adequate procedures framework goes far beyond a compliance programme and should be viewed as an essential component of good corporate governance. It should have its foundation in the internal control environment established through sound policies and procedures. Many companies are now aware of the importance of setting the right “tone at the top” but setting the right “tone in the middle” management tiers (as shown in Fig. 3) is increasingly seen as key.

To work best, and to avoid causing confusion among managers and staff, awareness of corruption risks through training should be aligned to inter-related aspects including fraud, anti-money laundering, competition risks and even health and safety.

Companies should also consider using tools to assess the effectiveness of their training programmes. The aim should be engendering an ethical culture across the business, so that employees know not only what is expected of them but attain a level of awareness to gain the confidence to raise issues or suspicions with line management or, preferably, the company’s hotline.

In short, the Bribery Act and in particular the new corporate offence heighten the risk for senior management who can no longer abrogate the responsibility by delegating to others or, worse still, turning a Nelsonian blind eye to certain activities. As Vivian Robinson QC, the SFO’s general counsel said “the subject of anti-corruption procedures should be a standing item on any board’s agenda these days”.


HR and the Philosophy of Tackling Staff Fraud

Arjun Medhi, Staff Fraud Adviser, CIFAS – The UK’s Fraud Prevention Service

It goes without saying that the vast majority of people working in any organisation are trustworthy and honest. Most organisations also acknowledge the problem posed by staff fraud and address it proactively. However, some don’t: preferring to sweep the problem under the corporate carpet and operate in a reactive fashion. These organisations are an attractive target for staff fraudsters, who see them as the most likely organisations in which to get away with committing fraud. Most obviously, this is due to the organisation not having adequate controls in place to counter the problem by instilling an anti-fraud philosophy.

While the involvement of the fraud investigation team is to be expected, the Human Resources (HR) function is equally crucial to combating staff fraud. With the increasing trend for organisations to outsource services (which potentially increases the staff fraud risk), HR becomes even more fundamental. Promoting an anti-fraud philosophy requires collaboration between HR, fraud prevention, compliance, risk management and legal teams, together with trade unions, staff at the ‘coal face’ and others: collectively addressing the fraud risks in their organisation. Some public sector organisations are known to “fraud proof” new and existing policy and operations¹. This will improve current internal controls and help to detect fraud in a proactive manner.

Most organisations underpin their anti-fraud philosophy with a code of ethics or an ethical behaviours statement which is freely available for all staff, and is legally bound into their employment contracts. This will outline the code of conduct that should be communicated by senior management to show that fraud is not only taken seriously, but that fraudsters – when found – will be punished. This may not sound like anything new, but in their UK study on global economic crime, PriceWaterhouse Coopers (PWC) reported that organisations are not properly implementing such codes and not communicating them regularly². After all, what use is a code, if it does not appear to be taken seriously?

Regular education and awareness of fraud at all levels is the cornerstone of an anti-fraud philosophy. Staff must be trained to identify fraud risks and signals from staff that may indicate fraud (for example, a member of staff living way beyond his or her means). However, it will be hard to identify fraud that involves collusion because, for example, loyalties within a team may make it difficult to report. The Chartered Institute of Management Accountants (CIMA), in its good practice guide, also argues that making staff aware of the techniques used by fraudsters (e.g. training on how key logging software is used in data theft) could potentially arm employees with the skills to commit fraud themselves³. This is a difficult but essential balance for responsible employers to achieve.

Whistleblowing, of course, is consistently a key feature of an anti-fraud philosophy and is integral to an organisation’s code of ethics. As highlighted in CIFAS’ Staff Fraudscape report, however, whistleblowing is the least common form of discovery of staff fraud. When employees see corruption or fraud in their organisation, they do not seem to want to report it. Staff have been surveyed about whistleblowing: some are not interested, and some fear being ostracised by their peers or losing their job. As a result of these surveys, businesses have enhanced their whistleblowing policies (e.g. by having a direct phone line to the Board to report unethical incidents – not just fraud or corruption) or have tried to re-brand the image of whistleblowing. Either way, whistleblowing must be an essential part of any thinking about how to tackle staff fraud, as – once again – merely having a weapon in the armoury is no use, if the weapon is never used.

[1] National Audit Office, Tackling External Fraud, 2008.

[2] PWC, Global Economic Crime Survey, UK Report, 2009.

[3] Chartered Institute of Management Accountants, Fraud risk management: a guide to good practice, 2008.

Prevent Staff Fraud before it happens

If you would like more information about Staff Fraud membership, please contact staff.fraud@cifas.org.uk.

Join the 134 existing organisations already using the Staff Fraud Database.

Finally, while recruitment levels are low, it still takes place and will – eventually – increase. Some staff, of course, may be outsourced and, as such, technically employed by another company. They still carry out services for your organisation, however: so, who takes ‘ownership’ of the vetting of these outsourced staff? If a fraud is committed by an outsourced member of staff, then it is your organisation that will face losses, reputational damage and regulatory consequences. This risk is heightened, especially when research of employment screenings in Europe, Middle-East and Asia undertaken by Kroll has seen a 71% increase in fraudulent applications for employment. How do you ensure that your outsourcer has screened their staff to the same degree as your organisation would? Ownership is your organisation’s responsibility, always: nobody else’s.

Like all crimes, fraud will affect you and your organisation, your competitors, your industry – in essence your community. The best way to fight crime is to have the entire community not tolerate crime. It is up to every organisation therefore to help make this a reality.

CIFAS - The UK’s Fraud Prevention Service, 6th Floor, Lynton House, 7-12 Tavistock Square, London WC1H 9LT

www.cifas.org.uk


For further information, please contact our Communications Team, or our Staff Fraud Adviser.
