When It Comes To Fraud, As With Any Horror Movie, The Phone Call Is Coming From Inside The House

An internal actor is still far more likely to be behind a damaging fraud upon the company than a shadowy hacker.

Whenever a company official speaks on the subject of fraud security, they’ll talk a great game. They understand the “grave threat” posed by the “increasingly complex world” of fraud. But do they really understand what they’re facing out there? Or, more importantly, do they really understand what they’re facing “in here”?

Everyone understands, or thinks they understand, the growing risk of “foreign hackers.” The government and the media have trumpeted the growing number of cyberassaults coming from within countries like Russia and China targeting American and Western European businesses over the last few years. Even if these attacks rarely succeed in directly exploiting the target company financially, the reputational risks of becoming the next Panama Papers and the commercial risk of losing industrial secrets to an unknown and unpredictable attack have companies on alert and the SEC asking businesses to do more to disclose their risks to investors.

While cyberattacks launched from hostile foreign powers or exiled Nigerian princes draw the lion’s share of worry from companies and the jittery media, it’s worth keeping risk in perspective. There’s no denying that the pace of these attacks is on the rise, but when it comes down to it, an internal actor is still far more likely to be behind a damaging fraud upon the company than a shadowy remote hacker.

It’s a natural psychological reaction to overvalue threats that are both exotic and seemingly random. There’s a reason people are more afraid of flying in an airplane piloted by a professional than getting behind the wheel of their own car. And yet, just as we know intellectually that a person is at far more risk of injury on the road than in the air, we should also know the greatest fraud threat facing a company begins from within.

Like it or not, employees, up to and including senior management, still present a more significant fraud threat than a cybercriminal half a world away. Think less Swordfish and more Office Space. And just like in Office Space, the mere fact that the fraud is coming from within doesn’t mean it isn’t complex.

Assuming the criminals didn’t screw up a decimal point or some other mundane detail like Michael did in that movie.

RSM US Senior Director Scott Richter explains that one of the most significant risks a company faces is an employee who ends up exploiting the internal control environment that he or she is charged with overseeing, maintaining, or influencing.

A CFO, controller, or assistant controller, particularly if they are colluding with IT professionals with a high level of system access, may have the power to manipulate data in the system to effectively (a) conceal an embezzlement, or (b) manipulate the financial statements to achieve any number of goals from making a budget target, to meeting bank covenants or EPS expectations, to reaching a revenue/profit target that triggers their bonus.

So in a situation like this, who watches the watchers? That’s where data analytics tools can provide the company the critical insights they need. Technology allows companies to scour thousands and thousands of data points to seek out patterns that might never appear suspicious to an auditor performing a spot check of the material. Richter identified a number of red flags that can be sussed out by a proper application of data analytics, such as even dollar amount entries, reversed transactions, invalid Social Security Numbers, the presence of PO Boxes as addresses, and vendor addresses next door to, for example, the CFO.
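As an added illustration (not code from the article or from RSM), the red flags Richter lists can be written as simple rules run over vendor and payment records. The record layout, field names, the `near` address heuristic and all sample data are constructed assumptions.

```python
import re
from decimal import Decimal

# Constructed sample records; the layout and every value are assumptions.
EMPLOYEES = [{"name": "CFO (sample)", "address": "12 Elm St, Springfield"}]
VENDORS = [
    {"id": "V1", "address": "P.O. Box 441, Springfield", "ssn": "412-55-0198"},
    {"id": "V2", "address": "14 Elm St, Springfield", "ssn": "000-12-3456"},
    {"id": "V3", "address": "900 Market Ave, Shelbyville", "ssn": "530-41-7722"},
]
PAYMENTS = [("V1", Decimal("5000.00")), ("V2", Decimal("1834.17")),
            ("V2", Decimal("-1834.17")), ("V3", Decimal("742.55"))]

PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.I)
SSN = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
STREET = re.compile(r"^(\d+)\s+(.+)$")

def ssn_invalid(value):
    """Structural check only: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    m = SSN.match(value)
    if not m:
        return True
    area, group, serial = m.groups()
    return area in ("000", "666") or area >= "900" or group == "00" or serial == "0000"

def near(a, b, max_gap=2):
    """Crude 'next door' test: same street and city, house numbers within max_gap."""
    ma, mb = STREET.match(a), STREET.match(b)
    return bool(ma and mb and ma.group(2).lower() == mb.group(2).lower()
                and abs(int(ma.group(1)) - int(mb.group(1))) <= max_gap)

def red_flags(vendors, payments, employees):
    """Return {vendor_id: [flag, ...]} for vendors that trip at least one rule."""
    flags = {v["id"]: set() for v in vendors}
    for v in vendors:
        checks = {"po_box": PO_BOX.search(v["address"]),
                  "invalid_ssn": ssn_invalid(v["ssn"]),
                  "near_employee": any(near(v["address"], e["address"]) for e in employees)}
        flags[v["id"]].update(name for name, hit in checks.items() if hit)
    seen = set()
    for vid, amt in payments:
        if amt > 0 and amt % 1 == 0:      # no cents: an "even dollar" entry
            flags[vid].add("even_dollar")
        if (vid, -amt) in seen:           # exact offsetting entry to the same vendor
            flags[vid].add("reversed")
        seen.add((vid, amt))
    return {vid: sorted(f) for vid, f in flags.items() if f}
```

Each flag is a lead for review, not proof of fraud; a vendor that trips several rules at once is where an analyst would start.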

While undermining controls can be gravely dangerous for a company, there are a million and one other ways an employee can defraud a company. Setting up phony employees or bogus vendors to channel money to the fraudster or someone related to the fraudster is a classic fraud. Victor Padilla, a Director at RSM US, described another classic scenario he’d worked to uncover. The analytics showed “representation expenses” that appeared suspiciously high. After a little digging, it turned out that influential company officials had used the vagueness of that description to build a private slush fund.

But don’t let the risks posed by employees blind you to the closely allied third-party actor. These are the folks that combine all the familiarity and inside knowledge of an employee with the critical distance that keeps them outside the company’s immediate zone of control. Whether it’s a trusted foreign agent exposing the company to FCPA liability or a vendor inflating the bills, the faithless third party can do significant damage to the company.

Padilla described an engagement where an employee and a vendor were working on a scheme together and data analytics managed to identify a number of red flags suggesting collusion in an otherwise well-concealed scheme. The company’s phone records provided an overwhelming wall of contextless numbers, but the system started to identify longer phone calls to a specific vendor, calls outside of business hours to that specific vendor, all little details that don’t prove collusion but add to the tapestry of doubt.

Despite the nation’s chief executive actually telling officials that he wants companies to be able to bribe foreign officials, FCPA prosecutions haven’t really stopped, even if they’ve slowed from the breakneck pace of 2016. Third-party agents working overseas and collecting company funds in hefty one-time reimbursements with vague descriptors could be exposing the company to prosecution by executing illegal bribes on the company’s behalf.

It’s never comforting to hear this, but risk abounds. In this environment where technology has not only created new external risks but afforded bad actors more power to cover their tracks, the only thing companies can do is keep an honest, self-critical sense of the risks they face. Plan for an external attack, but keep it in the proper perspective. Build comprehensive internal controls, but never lose sight of the risk posed by the people minding those controls. Maintain vigilance when it comes to “trusted” vendors and agents. Most importantly, don’t put off comprehensive threat assessments.

In addition to establishing sound internal controls, proactively launching targeted testing of high-risk transactions, analyzing the supporting documentation and inquiring about the nature of such transactions, on an ongoing basis, can send a powerful message to all employees that company management is taking seriously the identification of improper activities.

It’s not enough to understand that there could be risks; expend the time and effort to get a checkup.


Joe Patrice is an editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news.