CBA - Investigating ‘On-the-Job’ Crimes

The issue of ‘on-the-job crime’ (crimes committed by corporate employees or stakeholders such as clients or suppliers) is a highly sensitive issue that is usually left outside of the scope of a comprehensive business analysis. Which is not a good idea at all.

Why? Because these crimes have a significant and obviously very negative impact on corporate profits, cash flows and financial value.

The most recent edition of The Association of Certified Fraud Examiners (ACFE) “Report to the Nations on Occupational Fraud and Abuse,” issued in 2012, states that the median loss of each instance of employee fraud in their study was $140,000. More than one-fifth of these cases caused losses of at least $1 million. Even in a large, multi-billion dollar organization, that amount is significant.

In addition to purely financial losses, there is usually another negative impact, potentially even more serious, resulting from both internal and external awareness of repeated instances of fraud. Internally, this can lead to low morale and a “me-too, as everyone else is doing it” mindset. Which results in escalating fraud, theft and, therefore, in higher and higher financial losses. Externally, it can significantly damage an organization’s brand and reputation.

Even in a generally well-run company, fraud still takes place. According to the abovementioned 2012 ACFE report, an average organization loses 5% of its revenues to fraud — a staggering sum.

Unfortunately, few companies take the problem of on-the-job fraud seriously enough. Some simply ignore this issue, pretending that these crimes only happen elsewhere. Others rely solely on ethical policies (code of conduct), employee background checks and seemingly well-designed corporate financial and operational controls.

However, these safeguards (which must be an integral part of every corporate risk management and loss optimization system), is usually not enough. The reality is that people are fallible and there is always going to be at least one bad apple. Policies and codes of conduct will be ignored, and controls are never perfectly effective.

Therefore, you will simply have to include on-the-job crime investigation (activities that look specifically for on-the-job crime) into your CBA project. Which, obviously, requires bringing to the CBA team outside professionals highly competent and experienced in such investigations (usually they have some law enforcement background).

Where to look? Within the company, on-the-job crime tends to concentrate in the procurement, payment and expense areas. Externally, a going threat is an online crime (which can be external as well) – theft of money and valuable information, identity theft and so one. Investigating for these will obviously require services of experts in online crime investigation.

Top five areas of employee theft (according to John Verver - vice president at ACL, an audit and risk management technology solutions firm):

1.      Purchase-to-Pay. Potential fraud risks include (a) an employee initiating purchase orders (P.O.) for goods and services that are diverted for personal use and (b) an employee setting up a ‘phantom’ vendor account, through which fraudulent invoices are processed and payments are made to the employee.

2.      Corporate Credit Cards. A common fraud risk occurs when an employee uses a corporate credit card for personal gain instead of legitimate corporate purchases or travel and entertainment expenses.

3.      Payroll. Payroll fraud can consist of (a) ‘phantom’ employees being set up on payroll systems; (b) excessive overtime payments; and (c) employees remaining on the payroll after death or termination.

4.      Sales and receivables. Most common thefts include (a) employee collusion with vendors and (b) sales representatives inflating sales to achieve higher commissions and bonuses.

5.      Information systems and critical data. This kind of fraud includes (a) internal or external theft of money from corporate bank accounts using computer software and online tools; (b) employee theft of critical data and (c) employees providing corporate data to external individuals – competitors, hackers, etc. - or criminal organizations.