Online scammers and phishing attacks have become extremely sophisticated lately. Hence, it is understandable that we are constantly warned to be vigilant and on the lookout for the next attack. But as focus shifts to looking outside the organisation, an eye needs to be kept on what is going on within the organisation. Internal fraud is often subtler, harder to spot early and may occur on a regular basis.
How can you be at risk
Smaller family-run businesses can be more susceptible than large organisations because they operate in a ‘high trust’ manner by:
- Providing their employees with greater autonomy and authority
- Using fewer internal checks and process controls
- Not using third-party audit services
The classic example is where the owner is busy running their business so they let their finance manager set up suppliers, approve payments and reconcile the bank, and plan on ‘checking later’.
Red flags worth paying attention to include reluctance to share duties or take leave, unusual supplier or bank-detail changes, round-sum or duplicate invoices, late reconciliations and urgent payment requests that are outside the norm, e.g. during shutdown periods such as Christmas.
Simple checks
If you sense something is off, start with simple checks. Scan the supplier master list for fictitious vendors or unverified bank account changes. Review one-off payments to new payees. In payroll, look for “ghost” employees, duplicate bank accounts and payments to ex-staff. In expenses, test for inflated or split claims and identical descriptions posted after hours. Keep bank, GST and payroll reconciliations current and have someone independent review them.
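The checks above can be scripted against exports from the accounting and payroll systems. The following is an added example, not part of the original article; the CSV column names, the 1000 round-sum threshold and all sample records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal
# Constructed sample exports (hypothetical layout): supplier master, payroll, payments.
VENDORS = """vendor_id,name,bank_account
V1,Acme Supplies,ACCT-1111
V2,Northside Consulting,ACCT-9999
"""
EMPLOYEES = """emp_id,name,bank_account,end_date
E1,A. Manager,ACCT-9999,
E2,B. Clerk,ACCT-3333,
E3,C. Former,ACCT-4444,2024-03-31
E4,D. Newhire,ACCT-3333,
"""
PAYMENTS = """date,payee_id,reference,amount
2024-04-02,V1,INV-100,1843.27
2024-04-09,V1,INV-100,1843.27
2024-04-10,V2,INV-7,5000.00
2024-04-15,E3,PAY-0415,2100.50
"""

def run_checks(vendors_csv, employees_csv, payments_csv, round_unit=1000):
    """Return (finding_type, detail) tuples for an independent reviewer to follow up."""
    vendors, employees, payments = (
        list(csv.DictReader(io.StringIO(t))) for t in (vendors_csv, employees_csv, payments_csv))
    findings, seen, emp_by_acct = [], set(), defaultdict(list)
    for e in employees:
        emp_by_acct[e["bank_account"]].append(e["emp_id"])
    for acct, ids in emp_by_acct.items():  # payroll: possible ghost employee
        if len(ids) > 1:
            findings.append(("shared_payroll_account", tuple(sorted(ids))))
    for v in vendors:  # supplier master: vendor paid into a staff member's account
        if v["bank_account"] in emp_by_acct:
            findings.append(("vendor_uses_employee_account", v["vendor_id"]))
    ended = {e["emp_id"]: date.fromisoformat(e["end_date"]) for e in employees if e["end_date"]}
    for p in payments:
        key = (p["payee_id"], p["reference"], p["amount"])
        if key in seen:  # same payee, reference and amount paid twice
            findings.append(("duplicate_payment", key))
        seen.add(key)
        if Decimal(p["amount"]) % round_unit == 0:  # round-sum amount
            findings.append(("round_sum_payment", p["reference"]))
        if p["payee_id"] in ended and date.fromisoformat(p["date"]) > ended[p["payee_id"]]:
            findings.append(("paid_after_end_date", p["payee_id"]))  # payment to ex-staff
    return findings

if __name__ == "__main__":
    print(*run_checks(VENDORS, EMPLOYEES, PAYMENTS), sep="\n")
```

A finding is a prompt for review rather than proof of fraud: a shared account may be a legitimate joint account, and a round-sum payment may be a genuine retainer.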
Don’t assume ‘John’ or ‘Jane’ would never do it, as it can be the last person you would expect. The inevitable question is ‘why?’. Cressey’s fraud triangle is useful for putting it into context. It describes three factors that give rise to an increased risk of fraud if they exist simultaneously, as follows:
- Motivation: this can arise from personal financial stress, medical events or unrealistic targets
- Opportunity: this can be in the form of weak controls, autonomy or minimal oversight
- Rationalisation: this is the self-justification behind the behaviour. A person might rationalise their behaviour to the point they do not consider it wrong. They might tell themselves it’s “only a loan” or they’re “owed” it
After something ‘unusual’ is identified, it’s common to then realise all three existed.
To reduce the potential for internal fraud, try to do the basics right and implement procedures to balance the risk. Segregate duties so no one person can set up, approve and pay amounts. Where teams are small, use a maker–checker model with an external reviewer. Lock down supplier changes with call-backs to verified numbers and restrict who can edit vendor records. Use dual approval above modest limits and block changes to payee details after approval. Limit access with least-privilege permissions and multi-factor authentication.
Even when business ramps up, it’s important to stick to the clear policies and processes your organisation has in place.
How we can help
At Moore Markhams, our purpose is to help people thrive, and that includes protecting your business from the inside out. While trust is the cornerstone of any successful enterprise, robust controls are the foundation that keeps it secure. Our experienced advisors are here to provide the independent oversight that can make all the difference.
We can work with you to conduct a thorough fraud risk assessment, identifying potential weaknesses in your current processes before they can be exploited. Through our business advisory and audit services, we help you design and implement practical, effective internal controls, such as segregation of duties and payment verification protocols.
Strengthening your defences doesn’t have to be complicated. A proactive review of your internal environment is a small investment that provides significant peace of mind, safeguarding your assets and securing the future of your business. Let’s work together to build a more resilient organisation.