The fraud triangle, fraud risks and anti-fraud measures during COVID-19
October 05, 2020
It is clear that opportunities to commit fraud are higher now than ever, as new ways of working combined with unprecedented global financial challenges have put the control environment in our institutions to the test. We now have to contend with changing dynamics from a fraud perspective in the current operating environment. Below are some of the reasons that make organisations vulnerable during these times:
- Organizations have had to quickly adapt to working remotely and virtually in socially distanced environments, presenting a heightened risk of identity theft, social engineering schemes, hacking and phishing schemes.
- Companies are cutting back on costs to keep their businesses afloat. This involves downsizing staff, contractors and third parties that form controls around the business, weakening the control environment and providing opportunities for fraud.
- Funds in the form of advances, loans and subsidies are being injected into economies, in governments and the private sector, to fight the pandemic and cushion against its economic effects, raising the risk of corruption and misappropriation of those funds.
The fraud triangle is a model for explaining the factors that cause someone to commit fraud. Its elements are pressure, opportunity and rationalization. The increase in incidences of fraud, corruption and other unethical practices that is our current reality can be explained in the context of the fraud triangle as follows:
Pressure is a catalyst, incentive or need, real or perceived, that exerts a financial or non-financial push for one to commit fraud. Some of the factors creating pressure as a result of the COVID-19 pandemic are:
- Monetary pressure: Job losses, pay cuts and staff being sent on unpaid leave have put pressure on employees’ personal finances. Employees risk losing their jobs at any time, and this may create pressure on them to “take care of themselves” before the “axe falls”.
- Performance pressure: COVID-19 has made it difficult for some to meet agreed performance targets, which may lead to increased risk-taking, manipulation of results and performance metrics and/or compromised quality standards.
- Workforce pressure: Job losses and reduced workforce mean that employees have more work to do but with fewer resources.
- Psychological pressure: The pandemic presents a threat to life, personal health and safety, leading to a sense of fear among employees as they live with the new reality that they could lose their lives at any time and leave loved ones in financial distress. Some reports have shown increased cases of insomnia and stress since the pandemic began.
Opportunity is the ability or circumstances that provide the possibility for one to commit fraud. The following are some of the factors creating opportunities for fraud under COVID-19:
- Lack of processes and controls: Organizations lack proper controls and processes to deal with working remotely and virtually, for instance proper authentication to prevent identity theft, phishing and social engineering schemes.
- Reduced vigilance: Working remotely, virtually and in social isolation from home has led to boredom, lethargy and reduced productivity. This leads to reduced alertness and vigilance to prevent and detect fraud.
- Lack of technical capacity: Limited technical capacity and expertise in digital platforms and technology creates opportunities for fraud, particularly perpetrated by those with expertise in the area.
- Reduced manpower: Companies are using a skeleton workforce due to layoffs, cost-cutting and need to only maintain essential services to reduce exposure. This has led to a lack of segregation of duties and effective monitoring and supervision of business activities.
- Emergency situation and mindset: The current environment has created a sense of fear and rechannelled management focus to employee wellness, leading to relaxed controls, eased compliance measures and the override of controls by those in authority. For instance, some financial services providers increased transaction limits to allow for easy access to funds. However, transaction limits, by frequency and amount, were a control to reduce losses due to fraud.
- COVID-19 themed frauds: Fraudsters have been presented with the perfect lure for all manner of COVID-19 themed attacks including emergency purchases, phishing schemes, Business Email Compromise (BEC), watering holes and other fraud scams.
Rationalization is the self-justification that one is doing the right thing in committing a dishonest action. The following are some of the factors being used to justify fraud under COVID-19:
- Desperation, anxiety and uncertainty: Layoffs, pay cuts and adverse news on COVID-19 in the media may create a sense of anger, anxiety, desperation and uncertainty among some employees who have been working faithfully for their employers and now face a bleak future.
- “I will pay myself” and “deserved reward” excuse: One may justify misappropriating money on the grounds that one has unjustly been given a pay cut or unpaid leave, imagining that he/she deserves to be paid the pre-COVID amount.
- “Others are doing it” justification: Some may read news of COVID-19 scams and corruption scandals and use this to self-justify that it is okay to do it as well because others are doing it.
- “I will pay it back”/loan schemes: In this case, one justifies stealing in order to survive the pandemic, reasoning that they will pay it back, mostly in kind, by for instance “working harder” to repay the organization. However, as seen in fraud cases, this rarely happens.
How can you manage fraud risks during the pandemic?
Although there are many factors creating pressure, opportunity and rationalization during COVID-19, there are a number of measures that organizations with limited resources can apply to mitigate and minimize fraud risks, exposures and vulnerabilities. Some of these measures include:
a. Fraud Risk Assessment and Anti-Fraud Diagnostics
It is important for organizations to have a well-coordinated, organization-wide strategy for dealing with the fraud risks that have been amplified by COVID-19. As a starting point, there is a need to conduct a risk assessment and a diagnostic of all IT platforms, servers/databases, interfaces, access points and configurations to determine the right anti-fraud controls that should be deployed.
b. Fraud Risk Management Framework
Subsequently, organizations need to implement or, if one is in place, update a fit-for-purpose anti-fraud framework/policy that informs a systematic and holistic approach to respond to the risks and threats identified in the risk assessment and diagnostic. The fraud risk management framework needs to be built in line with the three lines of defence in the organization, with written policies and procedures that are communicated to and understood by staff so that they know what is expected of them as far as fraud is concerned. Please see our Internal Control Framework as an example of a framework/model organizations can adopt.
c. System-Enforced Anti-Fraud Controls
Organizations should consider automating controls as opposed to relying on “human” control measures. It is not possible for organizations to fully predict or even control human behaviour and their propensity to commit fraud.
With increased job losses, human controls such as “maker-checker” may not be practical for all processes. It is, therefore, imperative that organizations look at system-enforced controls that ensure the integrity and authenticity of transactions. Transaction limits, multi-factor authentication such as 2FA, Role-Based Access Controls (RBAC), system-enforced password management among other controls will help reduce the opportunity for fraud.
d. Technology-Driven Transaction Monitoring
Teams that provide assurance, monitoring and oversight in organizations, such as IT security, fraud/forensic investigations, risk management, business monitoring, compliance and internal audit, have to leverage technology now more than ever to monitor transactions for fraud red flags and suspicious activities. With current and imminent staff layoffs and an increase in digital transactions, organizations will benefit from automated detective controls and the use of continuous monitoring tools. The ACFE 2020 Report to the Nations highlights a gap in sub-Saharan Africa: proactive data monitoring and analysis is reported to be less common among anti-fraud controls, with only 31% of respondents/organizations reporting using it.
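The transaction limits "by frequency and amount" and the maker-checker rule discussed above can be run as an automated detective check over a transaction log. The following is an added example, not part of the original article; the limit values, record layout and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values for illustration; real limits come from the risk assessment.
MAX_AMOUNT_PER_TXN = 1_000.00
MAX_AMOUNT_PER_DAY = 2_500.00
MAX_TXNS_PER_DAY = 2

# Constructed sample log: (txn id, account, amount, ISO timestamp, maker, checker)
SAMPLE_LOG = [
    ("T1", "ACC-1", 900.00, "2020-10-01T09:00:00", "alice", "bob"),
    ("T2", "ACC-1", 950.00, "2020-10-01T11:30:00", "alice", "bob"),
    ("T3", "ACC-1", 800.00, "2020-10-01T15:45:00", "alice", "carol"),
    ("T4", "ACC-2", 1500.00, "2020-10-01T10:00:00", "dave", "erin"),
    ("T5", "ACC-3", 200.00, "2020-10-02T08:15:00", "frank", "frank"),
    ("T6", "ACC-3", 100.00, "2020-10-02T08:20:00", "frank", None),
    ("T7", "ACC-1", 50.00, "2020-10-02T09:00:00", "alice", "bob"),
]


def red_flags(log):
    """Return {txn_id: [flag, ...]} for every transaction that breaks a rule."""
    flags = defaultdict(list)
    day_total = defaultdict(float)  # (account, date) -> running amount
    day_count = defaultdict(int)    # (account, date) -> running count
    for txn_id, account, amount, ts, maker, checker in sorted(log, key=lambda r: r[3]):
        key = (account, datetime.fromisoformat(ts).date())
        day_total[key] += amount
        day_count[key] += 1
        if amount > MAX_AMOUNT_PER_TXN:
            flags[txn_id].append("amount_limit")
        if day_total[key] > MAX_AMOUNT_PER_DAY:
            flags[txn_id].append("daily_amount_limit")
        if day_count[key] > MAX_TXNS_PER_DAY:
            flags[txn_id].append("daily_frequency_limit")
        # Maker-checker: approval must exist and come from a different person.
        if checker is None:
            flags[txn_id].append("no_checker")
        elif checker == maker:
            flags[txn_id].append("self_approved")
    return dict(flags)


if __name__ == "__main__":
    for txn, reasons in red_flags(SAMPLE_LOG).items():
        print(txn, ", ".join(reasons))
```

Flagged transactions are candidates for review by the fraud or risk team, not proof of fraud; the same rules can also be enforced preventively at the point of transaction.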
e. Training and Awareness
There is a need for adequate capacity building and training for those in assurance roles such as IT security, cybersecurity, IS audit and forensic investigations to be able to adequately respond to incidences of fraud. These functions would be organised in line with the lines of defence in the organisation to ensure layers of protection to the business.
Organisations should also raise awareness to customers, staff and third parties on risks, exposures and suspicious activities so that they do not fall prey to, for instance, social engineering schemes and phishing scams. Additionally, customers, staff and other stakeholders should also be encouraged to report fraud and other suspicious activities through safe and secure whistleblowing channels to enable the risk and fraud teams to pre-empt fraud attempts in good time.
f. Open Communication Channels
Companies need to set up effective communication channels for customers, staff and third parties to avoid misinformation, anxiety and fear. For instance, communicating to staff about measures to protect employees from adverse economic effects of the pandemic and recovery plans may reduce anxiety and create a renewed sense of purpose. Offering workplace counselling may also help address the psychological pressure that individuals are dealing with during these difficult times.
g. Building Fraud Deterrence Mechanisms
Fraud deterrence is the proactive identification and removal of the causal and enabling factors related to fraud and sending a strong message that the organization has robust controls and capabilities to identify and respond to fraud by internal or external parties.
Deterrence also involves breaking the fraud triangle by removing one or more of the elements in the fraud triangle in order to reduce the likelihood of fraudulent activities. Organisations should continuously review and monitor their internal control environment to identify and address fraud triangle factors.
About the Author
Anthony K. Ngige is the Founder and CEO of Stealth Africa Consulting LLP. He has close to 15 years’ experience in risk management and compliance, audit and forensic services. He worked for Standard Chartered Bank Finance Hub for East, Central and Southern Africa, where he conducted risk assessments and IT reviews of finance systems and processes. After that, he joined KPMG and conducted audit, advisory and forensic assignments in Eastern Africa before joining Safaricom Limited, a telco that is a global leader in Digital Financial Services (DFS). At Safaricom, he led the forensic and fraud detection and analysis team and developed early warning systems, processes and anti-fraud controls, saving the company millions of dollars.
Anthony has conducted risk and forensic engagements in over 25 countries in Africa, Asia and Latin America, cutting across all industries.
He holds a Bachelor of Commerce degree from the University of Nairobi and an MBA (Finance) from the University of Cambridge, UK. Anthony is also a Certified Public Accountant (Kenya), Certified Information Systems Auditor (USA) and a Certified Fraud Examiner (USA), among other global certifications.
About Stealth Africa Consulting LLP
Stealth Africa Consulting LLP is an ISO certified risk, forensic and compliance firm that provides world-class consulting and advisory services with deep local knowledge. Some of the clients it has served include Safaricom PLC, IFC World Bank, VF Corporation (a Fortune 500 company), EABL (Diageo), Tullow PLC, NCBA Bank Kenya, CIPE (an affiliate of the US Chamber of Commerce), UN Global Compact, IFAD (an agency of the United Nations), Oxfam, Red Cross, BRITAM and VIVO Energy, to name but a few. You too can trust us to support you in building an effective approach to managing fraud and other risks in your organisation.