It is clear that opportunities to commit fraud are higher now than ever, as new ways of working combined with unprecedented global financial challenges have put the control environment in our institutions to the test. We now have to contend with changing dynamics from a fraud perspective in the current operating environment. Below are some of the reasons that make organisations vulnerable during these times:
The fraud triangle is a model for explaining the factors that cause someone to commit fraud. Its elements are pressure, opportunity and rationalization. The increase in incidences of fraud, corruption and other unethical practices that is our current reality can be explained in the context of the fraud triangle as set out below:
Pressure is a catalyst, incentive or need, real or perceived, that exerts a financial or non-financial push on one to commit fraud. Some of the factors creating pressure as a result of the COVID-19 pandemic are:
Opportunity is the ability or circumstances that provide the possibility for one to commit fraud. The following are some of the factors creating opportunities for fraud under COVID-19:
Rationalization is the self-justification that one is doing the right thing in committing a dishonest action. The following are some of the factors being used to justify fraud under COVID-19:
Although there are many factors creating pressure, opportunity and rationalization during COVID-19, there are a number of measures that organizations with limited resources can apply to mitigate and minimize fraud risks, exposures and vulnerabilities. Some of these measures include:
It is important for organizations to have a well co-ordinated organization-wide strategy in dealing with the fraud risks that have been amplified by COVID-19. As a starting point, there is a need to conduct a risk assessment and a diagnostic of all IT platforms, servers/databases, interfaces, access points and configurations to determine the right anti-fraud controls that should be deployed.
Subsequently, organizations need to implement or, if one is in place, update a fit-for-purpose anti-fraud framework/policy that informs a systematic and holistic approach to respond to the risks and threats identified in the risk assessment and diagnostic. The fraud risk management framework needs to be built in line with the three lines of defence in the organization, with written policies and procedures that are communicated to and understood by staff so that they know what is expected of them as far as fraud is concerned. Please see our Internal Control Framework as an example of a framework/model organizations can adopt.
Organizations should consider automating controls as opposed to relying on “human” control measures. It is not possible for organizations to fully predict or even control human behaviour and their propensity to commit fraud.
With increased job losses, human controls such as “maker-checker” may not be practical for all processes. It is, therefore, imperative that organizations look at system-enforced controls that ensure the integrity and authenticity of transactions. Transaction limits, multi-factor authentication such as 2FA, Role-Based Access Controls (RBAC) and system-enforced password management, among other controls, will help reduce the opportunity for fraud.
Teams that provide assurance, monitoring and oversight in organizations, such as IT security, fraud/forensic investigations, risk management, business monitoring, compliance and internal audit, have to leverage technology now more than ever to monitor transactions for fraud red flags and suspicious activities. With current and imminent staff layoffs and an increase in digital transactions, organizations will benefit from automated detective controls and the use of continuous monitoring tools. The ACFE 2020 Report to the Nations highlights a gap in proactive data monitoring and analysis in sub-Saharan Africa, where it is reported to be less common among anti-fraud controls, with only 31% of respondents/organizations reporting using it.
There is a need for adequate capacity building and training for those in assurance roles such as IT security, cybersecurity, IS audit and forensic investigations to be able to adequately respond to incidences of fraud. These functions would be organised in line with the lines of defence in the organisation to ensure layers of protection to the business.
Organisations should also raise awareness among customers, staff and third parties of risks, exposures and suspicious activities so that they do not fall prey to, for instance, social engineering schemes and phishing scams. Additionally, customers, staff and other stakeholders should be encouraged to report fraud and other suspicious activities through safe and secure whistleblowing channels to enable the risk and fraud teams to pre-empt fraud attempts in good time.
Companies need to set up effective communication channels for customers, staff and third parties to avoid misinformation, anxiety and fear. For instance, communicating to staff about measures to protect employees from adverse economic effects of the pandemic and recovery plans may reduce anxiety and create a renewed sense of purpose. Offering workplace counselling may also help address the psychological pressure that individuals are dealing with during these difficult times.
Fraud deterrence is the proactive identification and removal of the causal and enabling factors related to fraud and sending a strong message that the organization has robust controls and capabilities to identify and respond to fraud by internal or external parties.
Deterrence also involves breaking the fraud triangle by removing one or more of the elements in the fraud triangle in order to reduce the likelihood of fraudulent activities. Organisations should continuously review and monitor their internal control environment to identify and address fraud triangle factors.
Anthony K. Ngige is the Founder and CEO of Stealth Africa Consulting LLP. He has close to 15 years' experience in risk management and compliance, audit and forensic services. He worked for Standard Chartered Bank Finance Hub for East, Central and Southern Africa, where he conducted risk assessments and IT reviews of finance systems and processes. After that, he joined KPMG and conducted audit, advisory and forensic assignments in Eastern Africa before joining Safaricom Limited, a telco that is a global leader in Digital Financial Services (DFS). At Safaricom, he led the forensic and fraud detection and analysis team and developed early warning systems, processes and anti-fraud controls, saving the company millions of dollars.
Anthony has conducted risk and forensic engagements in over 25 countries in Africa, Asia and Latin America, cutting across all industries.
He holds a Bachelor of Commerce degree from the University of Nairobi and an MBA (Finance) from the University of Cambridge, UK. Anthony is also a Certified Public Accountant (Kenya), a Certified Information Systems Auditor (USA) and a Certified Fraud Examiner (USA), among other global certifications.
Stealth Africa Consulting LLP is an ISO certified risk, forensic and compliance firm that provides world-class consulting and advisory services with deep local knowledge. Some of the clients it has served include Safaricom PLC, IFC World Bank, VF Corporation (a Fortune 500 company), EABL (Diageo), Tullow PLC, NCBA Bank Kenya, CIPE (an affiliate of the US Chamber of Commerce), UN Global Compact, IFAD (an agency of the United Nations), Oxfam, Red Cross, BRITAM and VIVO Energy, to name but a few. You too can trust us to support you in building an effective approach to manage fraud and other risks in your organisation.