Companies are arming themselves with forensic accountants to alert them to patterns of internal fraud, writes John Collins
With all the recent media coverage about debit card skimming devices at ATM machines and letters being stolen from communal mailboxes to support identity theft, it would be easy to think that financial fraud is being perpetrated solely by organised crime gangs.
However, according to Peter Dorrington, principal strategy manager and head of fraud solutions with software company SAS, the biggest threat to organisations is often internal; employees who either through greed or coercion are defrauding or helping to defraud the company.
While fraud perpetrated from outside an organisation can be tackled by making changes to internal processes and IT systems, the same approach is of limited value for dealing with insiders. "Internal fraud is much more difficult to tackle because the people doing it know how to manipulate the systems and the organisation's trust," says Dorrington.
"They know how the auditors work and they know what they are looking for and, what starts off as a small fraud can escalate rapidly into something major."
Traditionally, fraud-detection computer programs analysed monetary movements but the advent of identity theft means that fraudsters are now looking to steal information rather than cash. Dorrington came across an example in Abbey, the UK financial institution, where a staff member was using a camera phone to take pictures of customers' account information on screen.
This information was then used to open new accounts using the customers' details and taking out loans which were paid into the account controlled by the criminal.
Dorrington was speaking at a SAS seminar in Dublin this week, attended largely by executives from the financial services and public sector, who heard him describe some of the tell-tale signs of internal fraud. These include:
staff members who are under stress without having a high workload or who display marked personality changes;
staff who are always working late or reluctant to take leave;
customer complaints of missing statements or unrecognised transactions;
new staff resigning quickly;
rising business costs with no explanation;
suppliers or contractors who insist on dealing with just one individual;
employees with external business interests.
"The communications revolution in recent years means that there is almost an academy of fraud available on the net," says Dorrington. "Every organisation I've talked to has had some level of fraud."
From a situation where fraud was what Dorrington calls a "four o'clock Friday" item on most board of directors agenda, it has become a hot issue in the wake of scandals such as Enron which have put risk management and compliance on the agenda.
"Previously it was seen as a natural cost of business and you couldn't do anything about it," he says. Now, by contrast, many financial services companies in particular are using their anti-fraud measures as a competitive differentiator. For example, British bank Capital One talks up its protections against fraudulent use of customer credit cards on the internet.
While SAS believes mandatory ID cards will reduce fraud in many situations, Dorrington admits they will not be the silver bullet for identity theft that some proponents are making them out to be. "Rather than being socially inclusive, they are potentially socially exclusive because if you are not in the system, you will have no access to banking, social services or the other things we take for granted," he explains.
"As a result you have to have manual processes to allow for exceptions and, once you do that, you have an opening for fraud and coercion of the humans who are operating it."
He makes the point that fraud has been around for as long as we've had money. There are ancient Egyptian records which show that scribes carried out audits of homes to ensure that taxes on cooking oil had been paid.
Ironically it is the digital nature of most modern fraud that makes it easier to detect, as fraudsters leave tell-tale digital fingerprints on the systems that they use to commit their crimes. While SAS offers tools and services to help uncover fraud that might otherwise go undetected, Dorrington says a simple first step is for companies to switch on the logs in their IT systems which track what employees are doing with their PCs.
"Most logs are turned off or the information from them is not gathered," he says. "The logs are usually only turned on when a new system is being implemented so that errors can be caught."
He suggests that there is a 10-80- 10 principle at play when it comes to employee dishonesty - 10 per cent of staff are totally honest, 80 per cent are honest most of the time but could be pushed in the direction of fraud, depending on the circumstances, and the final 10 per cent will steal at any given opportunity.
Those figures suggest the problem is far worse than people imagine or is admitted. In the past auditors typically sampled one in 1,000 transactions to check if they were suspicious. As Dorrington points out, though, if one in 1,000 transactions is fraudulent, this model only has a one in a million chance of discovering fraud.
With the new software available, he says forensic accountants are now armed with tools that are able to alert them to patterns and behaviours that look suspicious.
"In large companies it goes to the heart of their reputation for probity and trust," explains Dorrington.
"If that's diluted, it affects their bottom line so they want to deal with it quickly and quietly. But I always make the argument that if it is to have a deterrent effect, you have to publicise that people have been caught and dealt with in the courts."
