By Michele L. Creek-Tatom, CFE, CIA, Internal Audit Manager, J.R. Simplot Company
“That could never happen here! Why would someone ever steal from our company? The internal audit people will catch it if someone tries anything. My co-workers are like family! I just can’t imagine someone doing that!”
Does this sound familiar? As anti-fraud professionals, we are trained to find and fix the opportunities for fraudulent activity within our organizations. But there are usually only a few of us and many employees. How is a small team, or single fraud professional, supposed to deter and detect all fraud? The answer is we can’t. We rely, in part, on the honesty of the average employee. For dishonest employees, we rely on controls and consequences to deter bad behavior. But what if there were a way to enlist and educate the honest, frontline employee to be the eyes and ears of everyday fraud detection? What if fraud awareness became every employee’s responsibility — not just the fraud professionals’?
The ACFE’s 2020 Report to the Nations shows that 43% of fraud cases are identified through tips, and just 50% of those tips come from employees. These employees work in the business, follow processes, and possibly work side-by-side with potential fraudsters, so why is this number so low? Fellow employees should recognize anomalies and irregularities first, but how do they know what to look for? What if they don’t understand the risk of fraud in a process so they can’t watch for wrongdoings? There is a tremendous opportunity to harness the collective power of the workforce by increasing fraud awareness and training each employee to be a fraud detector.
Fraud risk in daily operations
Several years ago, I was talking with an employee who worked in our cash application department (I’ll call her Sally). At the time, customers liked to come into a location and pay their invoice in person. The location would mail the checks to the cash application department at headquarters for posting and depositing. Sally was a longtime employee who valued the in-person nature of our business and was happy to take the checks received in her department to the bank for deposit. What Sally didn’t understand was the risk of check fraud involved in that scenario, and because she didn’t understand that, she didn’t know where the process had vulnerabilities.
Through our conversation, I outlined all the different hands the check traveled through — a minimum of six pairs — before the check was safely deposited into the bank account and the funds received. I described the various points at which the check could be lost, or stolen, and deposited into someone else’s account. Sally refuted my description, saying the check was safe because it was written to the company. That is when the discussion turned to all the ways checks are altered and deposited into accounts that don’t belong to the intended recipient.
Sally was floored! She had no idea that checks written to specific companies could be deposited or presented for payment elsewhere. Because this was not a possibility to her, she had no way to ensure appropriate controls were in place and had no perspective about the risk involved in her current process. While all checks now go directly to a lock box, the conversation highlighted something important — fraudulent activity can be right in front of us, and if we are untrained, we can’t see it for what it is. Additionally, those who understand fraud might not know where the risks lie or what controls should be in place. If they don’t know what they don’t know, how can we rely on our employees for tips?
This is where we, as fraud professionals, come in. We must teach our fellow employees where the company is vulnerable, and help them understand what activities, behaviors and transactions might be questionable. We must provide safe, confidential methods for employees to report fraud or questionable activity. We must ensure employees know how and where to report these activities. But where do we start?
Components of effective fraud awareness trainings
A comprehensive fraud awareness training should include basic information to help your employees identify when something isn’t right. That basic information is the what/how, the who, and the why people commit fraud. Also consider relevant case studies, graphics that tell the story, and the effect fraud has on the employee directly and the organization. Include details on when, how and who to report to if an employee sees something questionable.
What and How
Provide enough detail about the kinds of frauds employees could see at the company, including examples that tie directly back to the employee’s work. Rather than stating they might be vulnerable to vendor fraud, help employees understand exactly what vendor fraud looks like. Make sure they know what they can do in their daily job to prevent it. We help employees see that checking inventory deliveries against a packing slip or bill-of-lading, as well as against the purchase order, helps prevent a vendor from sending subpar or a shortage of inventory, and/or at a price different than agreed upon. This discussion helps employees see that what they thought might be mundane tasks have a purpose that protects the company, and ultimately their livelihoods.
As you describe the what and how, don’t rely too heavily on “fraud speak.” The goal is to help employees understand categories of fraud and provide examples of what those categories can mean. It’s important to use relatable language that connects with employees in a way that is engaging and encourages participation. Specific examples help employees connect the theoretical idea of fraud, to the realization, “Wow, this can actually happen (or has happened) at my workplace.”
Create the profile of a common fraudster and use statistics and any relevant information to bring your profile to life. Effective types of information include gender (global and regional counts), average age, position in the company, the department in which the employee worked, median dollar loss, and education level. Using data from the ACFE’s Report to the Nations, highlight the “never charged or convicted” and “never punished or terminated” numbers to illustrate that most fraudsters don’t start out as hardened criminals. We hear from employees that they cannot believe the person in the cube next to them could possibly commit fraud because, “They don’t look or act like a criminal.” In order to break these biases, provide data-supported information in your training to speak to the fact that it really can be, and often is, the person you least expect.
Understanding why a person would resort to committing fraud is critical in opening employees’ minds to the possibility of it occurring. Without acceptance of a fraudster’s reasonings, recognition of the activity as fraudulent is nearly impossible. Why would a normally good, honest, hardworking person do such a thing? What could cause them to change their behavior? Enter the Fraud Triangle. Fraud professionals are aware of the Fraud Triangle, but are your employees? And even if they are, would they understand what is meant by “opportunity, pressure and rationalization?”
To demonstrate why, we created a graphic that breaks down the three legs of the Fraud Triangle. When people hear opportunity, they might not think about lack of monitoring, weak controls or lack of discipline for offenders. They might not realize that rationalization can start out as innocently as, “I am just borrowing it for a brief period and plan to pay it back right away.” They also might not understand that sales targets or a newly developed gambling addiction can send someone right over the edge with pressure. Displaying these items in the training has helped our employees grasp the theory and start to develop awareness.
Developing the training
Building meaningful training within your organization means first understanding the most common fraud risks affecting your unique company. Ensure the types of fraud risk, example cases and information presented are relevant to the business. While the Report to the Nations is full of helpful information and fraud examples are endless, due to training time constraints, it is important to limit the statistics and case examples to those which are high risk in your organization. For example, if you have a domestic organization who does no work internationally, foreign corruption information might be a smaller portion of the training. However, a global organization which does business in countries with high levels of known corruption should emphasize corruption risks and should include specific examples of corrupt activity.
One of the most powerful elements of training is describing how fraud impacts the employee directly. We connect the fraud directly to the risk of compensation or benefit loss, job loss and company closure. We highlight reputational risks that can arise from fraud, either from the act itself, or that a fraud was discovered. During this phase we provide specific examples of cases that caused the demise of an organization and the subsequent job losses. Sadly, examples abound, and stories such as Clive Peters, the Australian big box electronic store that was taken down by a lone payroll clerk, are highly effective.
Include case studies
Real-world examples and cases make the biggest impact on employees. Cases external to the company that may align with the business are helpful, but we have found the most powerful message comes from sharing actual cases from within the organization. We are careful to generalize the details of the fraud in a summary document, describing:
- Type of fraud
- High level details of fraud
- What happened
- How did it happen
- Who (generally) committed it (i.e. plant manager, purchasing manager, etc.)
- The length of time and the approximate or known loss
- How the fraud was identified (employee tip, data analytics, manager review, etc.)
- The outcome (termination, prosecution and conviction, XX years in prison, etc.)
Anonymizing the cases is critical so trainees focus on risks and not specific details which might lead to guessing the name of the offender or the exact location of the incident. Internal case studies drive home the reality of fraud in ways that statistics and data models simply cannot. This is the time during training where we start hearing gasps and whispers of, “Did she just say that happened here?”
Empowering employees with the knowledge and awareness of fraud in the workplace is key to increasing employee tips. When employees understand what fraud looks like in their world, and that they have a path to confidential reporting, fraudulent behavior is confronted, which can reduce losses. It is critical to give employees permission to question the questionable. The information should be presented in everyday language that is relevant to their work environment. Make use of the multitude of helpful resources provided by the ACFE. By making your training fun, localized and meaningful, you will cultivate awareness and develop fraud fighters across your entire organization.
Edited by Ellen Tillotson, CFE, CIA, J.R. Simplot Company