When it comes to protecting themselves against business risks, most companies tend to focus their efforts on detecting and countering external threats. But just as important as watching out for outsider attacks is to guard against internal ones.
According to PwC’s Global Economic Crime and Fraud Survey 2022, more than half (57%) of reported fraud cases involved an internal perpetrator, including cases of collusion. Internal fraud, also known as insider fraud, is defined as any fraud committed by an employee against their employer organisation.
Corruption, theft or misuse of companies’ assets, and falsifying of payment or procurement documents are all examples of internal fraud. But be warned: in this modern age, fraud doesn’t just cover financial misappropriation-customer data theft is on the rise, especially in the healthcare, IT, and finance sectors.
And if you think only large corporations are vulnerable to internal fraud, think again. According to the Associate of Certified Fraud Examiners (ACFE), billing and payroll fraud occurs at twice the rate in small businesses compared to large ones.
For companies that fall victim, the costs aren’t just related to the loss of assets. There are also reputational damages and punitive fines to consider.
To mitigate the risk of internal fraud, here are 5 tips for business leaders.
1. Strengthen internal risk culture
According to the ‘fraud triangle’, most cases of fraud encompass one or all of the following:
- Pressure or motivation
- Opportunity
- Rationalisation
While motivation and rationalisation are highly personal and generally out of a company’s control, opportunity is something that organisations can tackle by building a strong internal risk culture and establishing proper processes for fraud detection.
Consistently educating employees about fraud is allows companies to build a strong first line of defence against internal attacks. Communicating a zero-tolerance policy and encouraging whistle-blowing allows internal fraud detection to become more deeply ingrained into the company culture.
More importantly, companies need to follow through. If you want employees to take fraud detection seriously, they need to trust that if they do report a potential issue or raise any concerns about suspicious activity, their concerns will be thoroughly investigated.
2. Establish an ethics hotline
In addition to having a clear and well-established internal whistle-blowing policy, companies can leverage an anonymous ethics hotline. An ethics hotline allows both employees and other stakeholders, including customers or third-party partners, to report any instances of fraud, abuse, or misconduct witnessed within your organisation.
Anonymity also adds a layer of safety to encourage staff who would otherwise be uncomfortable with whistle-blowing, because there’s less likelihood that they may be identified and receive retaliation for standing up.
3. Conduct regular internal audits
One of the best ways to detect mismanagement or misappropriation of assets is through internal audits. For companies serious about addressing the billions of dollars lost every year to fraud and corruption, investing in regular internal audits is key to assessing fraud risk exposure and strengthening anti-fraud controls.
Because these audits are done by internal staff, they’ll have sufficient understanding of the company’s operations and general data trends to help identify red flags, evaluate whether further investigative action is necessary, and evaluate the effectiveness of existing controls to prevent or detect fraud.
Once an internal audit has detected a fraud occurrence, however, it’s generally advised that the matter be handed over to an external investigator for follow up or evaluation. That’s because most internal auditors are unlikely to have the specific and proper skill sets required to carry out an in-depth fraud investigation.
4. Implement internal data controls
Segregate accounting duties and have clear data privacy processes in place so that situations where one person has full control over financial, accounting, and customer data is minimised. Ensure that staff only have access to the specific data and programs they need to perform their role.
Data privacy measures are paramount to preventing internal fraud, so take care to ensure that privileged information is exactly that— – privileged.
Verizon found that 61% of internal actors involved in a database breach were not in high-level positions, meaning that companies need to be stricter in implementing internal data controls.
While this may be easier for larger enterprises with more human resources, it’s understandable that smaller businesses may struggle due to leaner teams. At the very least have an extra pair of eyes to check and balance the accounts, and try to keep the handling of cash completely separate from the accounting function.
5. Know your employees
Because internal fraud is perpetrated by your own employees, having a robust employee monitoring process in place is essential to minimising risks. This process should span the entire employee life cycle, from the moment a candidate submits their CV to the moment they leave the company.
This means taking pre-employment screening and background checks seriously, and conducting regular re-screenings for existing employees— – especially if they’re in positions of significant power.
Because everyone’s personal circumstances change over time, re-screenings are crucial for identifying red flags related to pressures or motivations, such as credit card debt, gambling debt, sinking mortgages, or any other financial shocks that would make an employee vulnerable to committing fraud.
Don’t overlook the threat of internal fraud
All companies are vulnerable to internal fraud, whether a small business of only a few or a large corporation with hundreds of employees. Combatting internal fraud requires being on the lookout for signs that impact the three points of the fraud triangle, two of which can be mitigated by a strong internal risk culture and a robust employee screening process.
Fortunately, there are trusted third-party service providers that have the specific skill sets and expertise to advise on best practices. The more employees feel that the company is keeping a close eye on internal operations and flagging suspicious activity, the less they’ll think they can get away with fraudulent activity.