Fraud and Organisational Culture

Chartered accounting firm HLB Mann Judd offers advice on how organisations can minimise their exposure to fraud.

Many businesses have been affected by fraud, if they haven’t it is only a matter of time before it does happen. This poses the question; how does one protect themselves in today’s society?

Considering my opening statement, it is fair to say that it is very difficult to immune ourselves from it, but we can minimise our exposure.

Setting the tone at the top is the most effective way of preparing an organisation for attacks on the internal control environment whether they be from internal or external sources.

To steal a well-coined phrase from Lieutenant-General David Morrison (retired chief of army): “The standard you walk past is the standard you accept”. David didn’t use this in the context of fraud however, it can be applied equally to almost any situation in the workplace.

In developing a culture of fraud awareness and zero tolerance, leaders of organisations need to develop adequate policies and procedures to address such instances. More importantly, the policies and procedures need to be communicated, monitored and tested for effectiveness and reviewed regularly to ensure they are still relevant.

Organisations cannot afford to set and forget – we only need to reflect on how we operate in the workplace now compared to five years ago.

Threats from within the organisation are easier to control than those from outside. Each day we are inundated with bogus emails that appear to have been generated from legitimate sources or receive phone calls from “reputable” organisations seeking information. It is not always easy to determine the legitimacy of such communications and it is becoming increasingly sophisticated.

One basic control is to check the URL address on emails received but this is not completely fool proof.

Recently, there was an instance where a client had received an email from what appeared to be one of their major suppliers advising of a change in bank account for future payments.

Unbeknown to our client, the supplier’s server had been hacked so the email received (with invoice attached) appeared to be legitimate. The invoice was subsequently paid. The amount was significant. Fortunately, the bank detected that the account to which payment was to be made was related to other fraudulent activity and stopped payment.

The organisation affected by the fraud was not out of pocket in this instance but have since revised their internal control procedures to mitigate the risk in future. For example, they no longer accept letters (on company letterhead), emails or incoming phone calls as a means to make changes to the vendor master file. All requests are followed up with a phone call directly to the supplier’s nominated contact to verify the details before any changes are made.

For internal threats, it is imperative that basic internal controls are in place that not only prevent a potential fraud but also can detect it if it occurs. As in all cases, prevention is the best cure.

Some examples of preventative controls include having delegations of authority for expenditure and dual authorisation of bank transactions. Basic detection controls include independent review of bank reconciliations and regular review and monitoring of financial performance.

To further enhance the control environment, consideration should be given to regular review of master files for key business cycles (expenses, payroll and revenue).

For some organisations it can be more effective to outsource the finance function (eg Virtual CFO) to strengthen the control environment and give those charged with governance additional assurance.

For more information, contact Corey McGowan, partner, audit and assurance, HLB Mann Judd Adelaide at cmcgowan@hlbsa.com.au