The ACFE recently published its Occupational Fraud 2022: A Report to the Nations, which presents results of annual research around occupational fraud. It’s a lengthy document full of stats and information relevant to business owners who take a zero-tolerance approach to fraud. Forewarned is forearmed, after all.
Background screening also features in the report, with almost half (43%) of victim organisations reporting that they did not run a background check on the perpetrator prior to employment. Of the background checks that were run on the perpetrators, 21% revealed previous instances of misconduct.
The report goes on to explore the topic of internal controls in victim organisations.
What are internal controls?
Internal controls refer to policies, procedures and safeguards designed to provide reasonable assurance against errors and, in this case, actions which may harm an organisation. Where such potentially harmful errors or actions have been committed, internal controls can also be used to detect these errors, and to correct or mitigate their impact. Where internal controls are weak, they create the opportunity for fraud to be committed.
Background screening as a preventative control
Pre-employment background screening is itself an internal control designed to protect the organisation from individuals whose previous conduct is not in line with organisational values. These background checks can be broad, and may include identity verification, qualification and reference verification, criminal record checks, credit checks, and so on.
Background screening can also be employed as a continuous internal control in the form of periodic background checks, where pre-determined statuses can be monitored on an ongoing basis (e.g. credit status, criminal record status, driver’s license validity, and so on).
But, as an internal control, pre-employment background screening cannot monitor or predict the actions of existing employees. To assume that some existing employees won’t be tempted to reach into the proverbial cookie jar would be a mistake.
According to the report, 29% of victim organisations admitted to inadequate internal controls. A further 20% of victim organisations had adequate internal controls in place which were overridden by the perpetrator. This becomes possible when there is a lack of management review (16%), or a lack of competency in oversight roles (8%).
To combat these internal control failures, other preventative internal controls can be enforced. The good news is that they are fairly easy and inexpensive to implement.
Separation of duties
The purpose of a separation of duties is to act as a failsafe when other controls fail. Here the objective is to ensure that no one employee has the means to perpetrate and hide instances of fraud. For example, assigning one person to verify invoices received, one person to set up payment, and another to approve payment would be a more secure internal control than having one person perform all three tasks.
This separation of duties creates a little more freedom during the hiring process; a specific red flag in the background screening process might make an individual unsuitable for one type of duty, but may not have any bearing on another type of duty. Or, in a real-world context, having someone with a history of gambling addiction verify invoices would pose less risk to an organisation than, say, having that person in charge of the organisation’s bank accounts.
Access controls provide another barrier that can protect against fraud, even when background checks throw up no red flags. At their core, access controls determine who has access to which organisational locations, resources, assets, and systems.
Access controls can be divided into two categories:
Physical access control
As the name suggests, physical access controls determine physical access to specific locations or assets. This can be enforced by key cards, biometric fingerprint scanners, or by simply keeping a specific area under lock and key at all times.
Logical access control
Logical access controls, on the other hand, control access to digital locations or resources like specific files, folders, or systems. These can be enforced by digital permissions, usernames and passwords, as well as biometric systems.
Implementing these internal controls where previously there were none can significantly reduce the potential for fraud. But it is also essential that there is competent oversight which, almost needless to say, starts at the top.
Note: The ACFE report surveyed 2,110 cases of fraud from 133 countries across 23 industries. But despite this global focus on incidences of fraud, South African businesses should take its findings to heart – SAPS’s Q3 ‘21 stats indicate that commercial crimes were up almost 16%.