Fraud - the threat from within

It used to be considered one of the great taboos of respectable society – the crime that dare not speak its name – but these days it is difficult to open a newspaper without reading a headline relating to employee fraud.

Whilst the real headline-grabbers tend to concern the directors of global conglomerates, even within the legal profession we can probably all think of some stories of partners and others who have absconded with client funds, a situation which is generally met with the reaction “It couldn’t happen here, not in this firm”. But could it?

According to the FBI, employee fraud is the fastest growing crime in the USA. As with so many things, trends from the USA tend to be followed in the UK and already the British Chamber of Commerce is reporting that an estimated 20% of small businesses in the UK fail due to internal theft and fraud. Other surveys show consistent findings, estimating that more than 50% of all businesses have suffered from some type of fraud within the last three years. It would be shortsighted not to consider that law firms are just as much at risk of employee fraud as other businesses.

Rising barometer

KPMG’s Fraud Barometer published in August 2006 – which draws purely on data from reported court cases – noted that in the first half of 2006 alone the value of larger fraud cases going through the Scottish court system totalled £47 million. This figure is greater than the full year figures for 2004 and 2005 combined. The same research noted that while larger organisations – principally government and the financial services – face the largest risk from fraud attacks, the threat of fraud impacts on all businesses, and from our experience that includes legal firms.

Some examples of the types of fraud we have been asked to investigate within legal practices have included areas such as:

• misappropriation of cash/client funds
• unauthorised investments
• diversion of payments/funds
• misuse of documents/client information
• theft of intellectual property
• misuse of the firm’s travel/expenses facilities
• staff managing their own clients at company expense (“moonlighting”).

“That is all very well”, I hear you say, “but what are the chances of one of my staff defrauding me?” Surprisingly higher than you might suppose.

A powerful equation

In fraud prevention circles we talk about the 10-80-10 principle. This principle, which has been consistently supported by research into criminology, holds that in any given population – take, for the sake of argument, the employees within a legal firm – 10% of people will never steal, 10% will steal at any given opportunity, and the remaining 80% can move in either direction depending on the pressures they are under and how they rationalise a particular opportunity.

In the 1950s, the criminologist and sociologist, Donald Cressey, carried out a study of 200 incarcerated inmates to understand the circumstances which had led embezzlers to commit their crimes. He theorised that there were three factors which, when found together, drew otherwise law-abiding citizens to commit fraud. The first of these is motive – generally an event or condition which produces financial pressure. The next step is perceived opportunity – for example, a loophole in controls. Finally, there is the rationalisation process – “they’ve never properly appreciated me”. To put it simply, Pressure + Opportunity + Rationalisation = Fraud.

Clearly, a system of strong internal controls and procedures is critical for reducing the opportunity for employees to defraud. However, in the real world, it is rare for procedures to be fully observed in practice and a recent KPMG fraud survey concluded that in nearly 50% of all frauds a weak control environment was the weakness which the fraudster had exploited. No control system is ever entirely foolproof, and no authorisation process is entirely free from the possibility of management, or other, override.

Danger signals

In my experience of investigating employee frauds there are certain potential warning signs, red flags if you like, to which management should be alert. Although some of these sound clichéd, in reality these occur with staggering regularity:

• The “model employee” who works long hours, particularly where there is no corresponding increase in billable time;
• The employee who regularly fails to take annual leave or who calls in to the office unexpectedly when on holiday;
• An individual who refuses, or does not seek, promotion;
• Missing documents or files;
• Changes in an employee’s lifestyle, for example particularly conspicuous spending patterns;
• A member of staff who is over-protective of duties and is reluctant or refuses to delegate certain tasks, particularly where these are below grade;
• Addictions, such as alcohol, gambling, drugs;
• Computer usage outwith normal office hours or access to systems using the passwords of absent or former employees;
• The copying of large amounts of data;
• Low employee morale.

The list is not exhaustive and should be treated with caution – clearly, not everyone who fails to take a holiday is a fraudster. I would suggest, however, that where you have a combination of two or more of these factors within your firm, you may need to consider whether things are going just as well as you had thought.

Zero tolerance

So what is the solution? As indicated already, a sound control system is a key step towards reducing opportunities for fraud, but the ideal is to create a culture in your firm where fraud is not tolerated. The following are some suggested actions which, depending on the size of your business, you may wish to consider:

• Set an ethical tone from the top;
• Carry out a periodic review of high risk areas to identify and measure fraud risks;
• Establish a fraud policy emphasising zero tolerance;
• Have a clear fraud reaction plan or strategy, specifying, amongst other matters, who has responsibility for investigating and reporting fraud;
• Demonstrate fair and balanced discipline for fraudulent behaviour;
• The use of a whistleblower hotline facility;
• Undertake regular fraud awareness training sessions for all staff;
• Perform effective vetting of new staff, check references and qualifications;
• Establish realistic performance goals and reward systems;
• Create a culture of honesty and openness.

A final thought. There is a tendency to think of the typical modern fraudster as a young, newly-appointed, whiz-kid who will hack into your computerised financial systems. Again, perception does not match reality. From an analysis of 100 fraud cases we have investigated over the past two years, the typical fraudster is a male, aged between 36 and 45, in a senior position with financial responsibilities, who has been with his employers for, on average, three years. It makes you think, doesn’t it?

David Buchanan-Cook is manager of the Edinburgh forensic practice of chartered accountants KPMG. In addition to undertaking a wide range of fraud investigations and fraud risk management consultancy, the unit also carries out expert witness and regulatory work. David is also a reporter with the Law Society of Scotland’s Client Relations Office and sits on one of the Client Relations Committees.