Have you protected your business from the criminal within?

April 30, 1998

Employing (and continuing to employ) the right people

Before organisations open their doors to new joiners, they should stop and ask themselves “Do I really know this person well enough to trust them with my money, confidential information and above all my reputation?” Many companies believe that their recruitment procedures will deal with this question. However, they should bear in mind that a recent Mori poll revealed that:

· 30% admit to lying while applying for jobs

· 18% think it is necessary to exaggerate on their CV

· 34% of managers do not check the background of applicants

· 36% of organisations state that untruths on CVs cost them significant time and money.

The news that Alfred Dunlap, the fired chairman and chief executive of Sunbeam Corp in the USA, had also been axed from two previous jobs – and that the two major search firms checking his employment history never uncovered those dismissals – therefore comes as no surprise. Closer to home, in the case of Barings, Nick Leeson failed to declare County Court Judgements against him and the Securities and Futures Authority turned him down for accreditation. His employer, Barings, failed to detect this and sent him to Singapore where he successfully applied to operate as a trader.

Given the disturbing stories that regularly make the news, such as those illustrated above, organisations should be asking themselves: “What can we do?” The following list represents a starting point for an answer to this question, but what an organisation should actually do depends on a number of factors. These include the industry it is in, the position that is being applied for and the level of risk the organisation faces if an incorrect decision is made.

1. Confirm name and address – to guard against false details and identity theft to conceal a chequered past.

2. Confirm educational qualifications – it is only too easy these days to produce a ‘cut and paste’ certificate from some obscure and largely unknown college.

3. Check membership of professional bodies – Manchester United Football Club once had to release their director of communications before she had even taken up her role. She had neglected to tell her prospective employers that she had been barred from practising law. She had also claimed falsely that she had previously advised Tony Blair on PR.

4. Confirm employment history – at least the last three employers; review positions held and dates of leaving. Ask for explanations for any ‘gaps’.

5. Check financial status – search the Electoral Roll, check for County Court Judgements and the Insolvency Service for bankruptcy.

6. Confirm directorships held and any disqualifications – a simple check with Companies House will confirm current and previous directorships together with disqualification dates.

7. Media and Internet search – this can identify individuals in the news and associations with third parties.

It is also important that these checks are applied not only to new recruits but as an on-going process across the whole workforce. When staff with more than ten years’ service are responsible for one third of all frauds, you can easily see why it is important to adopt continual vetting procedures.

Policies and procedures

Once you have employed the correct people, it is important to ensure that you have identified all the risks that your IT systems are exposed to and that there are appropriate policies and procedures implemented to minimise the risk of inappropriate activity occurring. Two of the most important of these are a “Code of Conduct” and a “Whistleblower Policy”.

Code of conduct

It is important that organisations have a formal, structured code of conduct in place. This must be communicated to all employees. The document should include a strong statement emphasising that fraud and any other inappropriate behaviour is totally unacceptable. It should also lay out that any such behaviour will be treated very seriously with strong measures taken, including reporting the matter to the Police, against any perpetrators.

The code of conduct should also include examples of ‘good’ and ‘bad’ behaviour so that employees are aware of what is and is not allowed and the consequences of their actions. It should also include procedures that employees should follow if they have suspicions of fraud, including a whistleblower policy.

Whistleblower policy

When carrying out investigations, the first port of call is members of staff. They are the ‘eyes and ears’ of a company. They can know exactly what frauds and other inappropriate behaviour are going on and who is responsible. An even better source of information for the investigator is the ex-member of staff as he or she has less to lose by blowing the whistle.

For those members of staff that do blow the whistle, the consequences can be disastrous. Far from being hailed as corporate heroes and saving the business from potential financial ruin, our recent experience is that three in four whistleblowers are sidelined or have their careers blighted by their honest actions.

It is imperative that all organisations should set up a whistleblower policy to ensure that all complaints are seriously investigated and consider ways for whistleblowers to be rewarded.

Next steps – identifying the loopholes

Ghost suppliers

The most common method of abstracting monies is through ghost employees or suppliers. Imagine a scenario where the purchase ledger clerk, Ms Ann Sarah Jones, has been given access to create new suppliers on the master-file and then authorise payments to avoid any unnecessary delays.

A detailed review identifies the fact that a new supplier has been set up on the system called ‘ASJ Consulting’, the bank details for Ms Jones and ASJ Consulting are identical and ASJ Consulting seems to be a frequently used supplier. This of course is a rather straightforward scheme, but one that my colleagues and I have seen many times without management being aware of it. A further, possibly more damaging scenario would be where an employee of the IT department has manipulated one of the organisation’s customer accounts so that instead of the customer receiving the profit from a trade, the funds are diverted to the employee’s bank account. Not only do you then face a financial loss, but damage to your reputation.

How do you manage such risks?

Access rights of users should be regularly reviewed to ensure that they are appropriate, that job segregation is maintained and that unauthorised persons do not have access to sensitive information (eg employees’ salary and bonus schemes). Data mining techniques should also be regularly applied to raw system data in an attempt to identify fraudulent or unusual transactions. This will also enhance your ability to detect potential money laundering transactions.
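The two checks described above, applied to the ASJ Consulting scenario, as an added example that is not part of the original article. The table layouts, field names, bank details, amounts and the extra suppliers are constructed for illustration; a real extract would come from the purchase ledger and payroll master-files.

```python
from collections import defaultdict

# Constructed sample extracts (assumed layout, not real data).
EMPLOYEES = [
    {"id": "E001", "name": "Ann Sarah Jones", "sort_code": "20-00-01", "account": "12345678"},
    {"id": "E002", "name": "Bob Smith", "sort_code": "30-00-02", "account": "87654321"},
]
SUPPLIERS = [
    {"id": "S100", "name": "ASJ Consulting", "sort_code": "200001",
     "account": "1234 5678", "created_by": "E001"},
    {"id": "S101", "name": "Office Paper Ltd", "sort_code": "40-00-03",
     "account": "11112222", "created_by": "E002"},
    {"id": "S102", "name": "Northside Couriers", "sort_code": "50-00-04",
     "account": "33334444", "created_by": "E002"},
]
PAYMENTS = [
    {"supplier": "S100", "amount": 4800.0, "authorised_by": "E001"},
    {"supplier": "S100", "amount": 5200.0, "authorised_by": "E001"},
    {"supplier": "S100", "amount": 4950.0, "authorised_by": "E001"},
    {"supplier": "S101", "amount": 310.0, "authorised_by": "E003"},
    {"supplier": "S102", "amount": 120.0, "authorised_by": "E002"},
]

def bank_key(rec):
    """Strip spaces and hyphens so formatting differences cannot hide a match."""
    digits = lambda s: "".join(ch for ch in s if ch.isdigit())
    return digits(rec["sort_code"]), digits(rec["account"])

def ghost_supplier_findings(employees, suppliers, payments):
    """Flag suppliers sharing an employee's bank account, and suppliers
    created and paid by the same user (a job segregation failure)."""
    staff_accounts = {bank_key(e): e["id"] for e in employees}
    paid = defaultdict(lambda: {"count": 0, "total": 0.0, "authorisers": set()})
    for p in payments:
        entry = paid[p["supplier"]]
        entry["count"] += 1
        entry["total"] += p["amount"]
        entry["authorisers"].add(p["authorised_by"])
    findings = []
    for s in suppliers:
        reasons = []
        owner = staff_accounts.get(bank_key(s))
        if owner:
            reasons.append(f"bank details match employee {owner}")
        if s["created_by"] in paid[s["id"]]["authorisers"]:
            reasons.append(f"created and paid by the same user {s['created_by']}")
        if reasons:
            findings.append({"supplier": s["id"], "name": s["name"], "reasons": reasons,
                             "payments": paid[s["id"]]["count"], "total": paid[s["id"]]["total"]})
    return findings
```

A supplier flagged only for the second reason is not necessarily fraudulent, but it shows where one user holds both the create and the authorise rights that the access review should separate.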

Sabotage

Often employees find they can gain access to confidential electronic information due to ineffective controls on the network. If they are looking to cause trouble or defraud the company, the consequences can be disastrous.

Damage can be a one-off sabotage where relevant data is destroyed or corrupted, but this is relatively easy to identify and rectify. The subtler and more damaging threat is where critical data is altered slightly; for example, where customer address data is modified so that it is incorrect and, therefore, meaningless. The customer still exists so the organisation will not easily spot the modification, but their details are now incorrect. When would the organisation realise? Through a customer complaint, or more drastically when the customer stops carrying out business with the organisation?

There are many controls that could be implemented to avoid the above scenarios. As a start, an organisation must have an adequate, documented, tested and regular back-up strategy to enable it to recover from any data destruction, be it deliberate, accidental or system based.

Culture – the key to reducing IT threats

In summary, no matter how good your IT security is, it is only as good as the weakest link. That could easily be a member of staff who has legitimate access to parts of the system. Therefore, not only must you have the right IT security in place, you must also ensure that:

· the organisation employs the right people

· those people have policies and procedures in place to guide them

· there is a strong organisational culture for them to rely on.

Andrew Durant is head of the fraud investigation and recovery services team at accountancy firm BDO Stoy Hayward