Internal fraud should be a serious concern for every company. Ros Prince, senior associate at Stephenson Harwood and Peter Binning, partner at Corker Binning, explain how its origins can be misunderstood and that a good anti-fraud and whistleblower policies are key.
What is internal fraud?
Ros Prince (RP): To a layman, the words usually equate to theft - an employee stealing company property or diverting company funds to a personal account. It is a common misconception that fraud is generally committed for personal gain.
In our experience, fraud is just as often perpetrated so as to hide losses or artificially inflate a company’s balance sheet or performance.
While the perpetrator usually obtains some benefit (for example salary or bonus payments), the primary driver is not always personal enrichment. Indeed, in some cases a fraudster may actually convince themselves that they are acting in an employer's best interest - for example, by securing a major contract through the use of bribes. Companies' internal policies, as well as their culture, need to be robust enough to prevent a wide variety of frauds in an ever more global economy.
How can internal fraud affect the wider company?
RP: The most obvious impact that fraud has on a company is financial loss. In the simplest terms, this occurs where company property has been misappropriated. However, fraud other than misappropriation also causes loss - for example, an overstatement of profits may result in the company paying greater bonuses than those that are due, and expose it to the risk of claims being brought against it by investors.
Any significant internal fraud is also likely to result in investigation costs (such as legal expenses) and take up valuable management time. If legal proceedings ensue (whether by or against the company) these will involve further costs, as well as requiring a significant time commitment from relevant witnesses and those responsible for the company's legal affairs.
Large scale frauds severely damage staff morale, and are likely to attract media attention, with consequent harm to trust and reputation. This is of acute concern where a business has the responsibility of safeguarding other people's money.
For regulated entities, the risk is even greater—a fraud that may only have caused limited direct financial loss, can result in regulatory penalties. Companies operating internationally may be exposed to regulatory consequences in more than one jurisdiction.
How can an organisation develop a robust program to prevent internal fraud?
RP: Fraud-prevention policies must be tailored to the company's business and sphere of operation. For example, while all companies should have clear anti-bribery policies, these will usually need to be enhanced for companies operating in sectors or countries at higher risk of fraud. Regulated companies will also need to ensure that fraud prevention programmes satisfy any relevant regulatory obligations.
Most employees will understand that their employer would not endorse stealing from the company. A key message which needs to be conveyed is that other forms of fraud, which may on the face of them appear to benefit the company in the short term (for example falsely inflating the company's profits) are equally unacceptable. It is particularly important that senior management are seen to fully endorse and take responsibility for such policies.
Peter Binning (PB): Any anti-fraud programme depends on a thorough risk assessment. Without this a company will not be able to design an anti-fraud programme which has a realistic prospect of being effective. There is no point in introducing a standard "tick box" process which does not address the kind of risks a company actually faces. Any programme needs high level commitment from the board and a regular process of review and continuing training at all levels.
Are there any practical tips on how to create a strong whistleblowing process to identify internal fraud?
RP: There are some basic principles which should apply to all whistleblowing policies. They must be clear and intelligible - although often drafted by lawyers or compliance officers, policies must be written in terms easily understood by employees who are not used to reading legal documentation.
Policies should set out the whistleblowing procedure, and whom employees should approach if they wish to raise concerns. Whistleblowers are often closely connected to those accused of wrongdoing, and in many cases are their subordinates. It is therefore important that any whistleblowing policy allows employees to approach a party not connected to the relevant individual or business area.
As with fraud prevention policies, the written policies are only half the story—it is effective implementation and company culture that make the policies truly effective.
PB: Employees at all levels must be engaged by a training scheme that fosters a personal responsibility to safeguard the company interests for the benefit of all stakeholders—whether directors, shareholders, customers or the general public.
There must be a clear route by which reports of suspicion can be made and there must be evidence that such reports are acted on and not ignored or swept under the carpet. There must be anonymity available for those who want it and the whole whistleblowing procedure should be subject to regular review and supervision by an independent body answerable to the board or a committee of the board. Employees should be kept informed of the company’s whistleblowing policy and should see reports about it from time to time to remind them about its existence and effectiveness.
How should an organisation react to suspected fraud from within the company?
RP: Any reaction to a suspected fraud must be tailored to the company’s circumstances and the nature of the suspected fraud. When fraud is discovered—generally speaking—a number of decisions will need to be taken very quickly. These include:
It will often be necessary to instruct external professional advisers quickly. These may include lawyers, forensic accountants, IT specialists or press advisers. Decisions to instruct advisers should be made quickly so that the advisers can familiarise themselves with the facts, as fraud investigations often move quickly.
Which officers and employees of the company to tell about the suspected fraud
It is advisable in the first instance to ensure only a limited number of individuals are involved (such as senior management, legal and compliance staff).
How to deal with the employees involved
A knee-jerk reaction may be to dismiss or suspend them. However, this issue needs to be considered carefully, with the benefit of legal advice, both in relation to employment law and in relation to possible future civil litigation (as well as regulatory advice where a company is regulated).
How to secure documents
Once a fraudster becomes aware that the fraud has been discovered, their first step is often to destroy evidence. Although a company may have back-up servers, it is important to secure hard copy documents and portable devices belonging to the company, as these can also contain important information.
The company will need to consider whether the suspected fraud needs to be notified to any regulator or other authority. This question is particularly complex where a company operates in more than one jurisdiction. It is also necessary to consider urgently whether the company's insurers, customers, clients or counterparties need to be alerted to the suspected fraud. This very much depends on the nature of the suspected fraud, and what impact it has had (or may have going forward) on third parties.
How to deal with the press
Although most companies prefer to deal with suspected fraud without publicity, it is best to be prepared for press enquiries.
The most effective fraud investigations are usually led from the outset by an individual experienced at such investigations, usually a lawyer, who is able to ensure that all of the above decisions are made in accordance with an overall strategy. Any investigation that is not strategically co-ordinated risks creating problems for the company in the future, particularly if they are later sued by third parties.
PB: An immediate reaction should be an internal investigation properly and fairly conducted in a proportionate way. Action must be taken promptly, but with a demonstrably fair process to ensure confidence in the outcome and to guard against false accusations which can compound the original problem.
Have there been any examples of notable internal frauds from which lessons can be learnt?
PB: Yes, fraud occurs at all levels of seniority and some of the most notable frauds have been those committed by professional people on the firms in which they work. Examples include a number of partners in law firms and a senior executive at a hedge fund. Other examples are:
- a well-publicised case of a secretary who stole very large sums of over £4m from her boss, a senior banker at Goldman Sachs
- another case saw Nigella Lawson give evidence about the alleged dishonesty of her former domestic staff
RP: A key lesson is that companies should not only look to detect fraud where money is "missing", but ensure that they are equally careful to ensure that apparently profitable business is carried out ethically and monitored as carefully as loss making areas.
Interviewed by Julian Sayarer. As published by Lexis Nexis.