Since late 2021, the UK has been experiencing a significant rise in day-to-day costs as a result of a combination of factors including Brexit, the COVID-19 pandemic and most recently the war in Ukraine. Such is the extent of this rise in costs that the BBC has created a dedicated cost of living page on its website. Consequently, many lower and middle income households are struggling to make ends meet, and are therefore looking for ways to supplement their income. In short, this type of financial pressure increases the risk of employee fraud within organisations.
The fraud triangle
The ‘Fraud Triangle’ is an accepted theory that outlines the three main elements that are likely to be present in most instances when somebody commits a fraud.
The three elements are:
• Financial pressure/motivation
The pressure to commit fraud often arises from financial pressures being experienced by the perpetrator of the fraud. For instance, the Bank of England raising the base rate of interest from 0.75% in March 2020 (pre-COVID) to 5.25% at the time of writing may have increased a perpetrator’s mortgage payments to unaffordable levels. As a result, that person may resort to fraudulent means to make up the difference between their monthly income and expenditure.
• Opportunity
If the perpetrator identifies a way of defrauding an organisation and thinks they won’t get caught, the likelihood of that person carrying out the fraud increases. For instance, an organisation with little oversight over employee expenses is much more susceptible to employee fraud than one which requires line management to perform a detailed review of expense claims with a member of finance performing a second level review.
• Rationalisation
As the name suggests, this is the perpetrator’s way of justifying the fraud to themselves. An employee for instance may rationalise committing the fraud by saying to themselves, “I did not receive a pay rise that has kept pace with inflation whilst my employer made record profits, and therefore my employer owes me”.
When all three elements of the fraud triangle exist, the risk of fraud increases significantly.
The importance of a robust internal control framework
Removing the opportunity neutralises a key element of the fraud triangle
An organisation is only able to control one of the three elements of the fraud triangle: the opportunity to commit a fraud. If the organisation’s processes and security are sound, then there is simply no opportunity to commit fraud. In real life this is rarely the case, but the key to minimising the opportunity is ensuring that an organisation’s internal control framework is robust.
The following areas are key aspects of a control framework.
Fraud risk assessment
The first step in mitigating the risk of fraud is to perform a fraud risk assessment. A fraud risk assessment, simply put, is when an organisation carries out a cold review of its processes and procedures with a mindset of ‘what could go wrong’ in order to identify where a fraud could occur. As forensic accountants, when we carry out a fraud risk assessment for an organisation, we approach it not just with a mindset of ‘what could go wrong’ but also ‘how can someone commit a fraud here’. We have to remember that it can be a fraud from within the organisation, or from outside the organisation. Our next step is to attribute a risk rating to each ‘what could go wrong’, being a combination of the likelihood of occurrence and the impact on the organisation should it occur. The higher the risk rating, the greater the threat the risk poses to the organisation.
It's important for all departments and operations of the organisation to be covered in a risk assessment. Employees from outside of the department being assessed should also be involved in the review as they can bring a fresh and potentially more objective perspective to the processes and procedures within the department.
On completion of a fraud risk assessment, an organisation should then have visibility over the identified risks within each area of the organisation and the likely impact should a fraud occur.
What controls exist?
Against each identified risk, there needs to be a control that covers that risk. Even where an organisation has controls in place that should prevent a fraud being committed, it is important to review and test how these controls operate in reality. For example, a listed multinational organisation may have seemingly robust and extensive controls in place that should prevent fraud. However, in one of its smaller subsidiaries with fewer employees, the segregation of duties that should be in place according to group policy may not be practical and therefore the controls may not be implemented as intended. The review and testing of controls is crucial in mitigating the risk of fraud within an organisation.
The right combination of controls
When considering the controls in place, thought should be given to the types of controls in place: preventative or detective. A preventative control, by its very nature, should act to prevent a fraud occurring in the first place, whereas a detective control should identify a fraud/irregularity after the fact. Having only preventative controls would mean that should a preventative control fail, the fraud would likely go unnoticed and the perpetrator may get away with it. Similarly, whilst a detective control should identify the occurrence of a fraud after the fact, it is clearly more beneficial to an organisation that the fraud was not able to occur in the first place. Therefore, a mixture of preventative and detective controls is crucial.
Revisiting the fraud risk assessment regularly
Carrying out a fraud risk assessment is not a one-off task; it needs to be revisited and updated regularly. Fraud evolves over time – operations within an organisation change, systems change, legislation changes, suppliers and customers change. So a fraud risk assessment also needs to keep up to date with change.
The current economic environment increases the risk of connecting all sides of the fraud triangle. To combat this, an organisation should ensure its controls and systems are as robust as possible, thereby reducing the risk of fraud by removing the opportunity.
Ask yourself the following questions:
- When was the last time your organisation undertook a fraud risk assessment?
- Does your existing control framework sufficiently address all risks identified in the fraud risk assessment?
- Are your controls operating as intended?