Lastest news

Avoiding fraud during a period of uncertainty

Jun 05, 2020

With the current disruption to business processes, how can you manage risk and prevent cybercrime? Will O’Brien gives four key steps needed to protect your business from fraud.

With COVID-19 disrupting business as usual, fraud attempts are being made on existing processes that may not be functioning as designed due to remote working, employer distraction and operational or workforce disruption. These fraud patterns are continuing to evolve and need your ongoing attention.

Businesses should be asking:

  • Are these threats being sufficiently assessed, or are there gaps that leave the business exposed?
  • Has there been a re-evaluation of the new fraud risks due to new working arrangements?
  • Are current policies effective if/while the workforce is operating from remote locations?
  • Are the right actions being taken when an incident occurs?

When economic survival is threatened, the line separating acceptable and unacceptable behaviour can become blurred for some. Experience from previous recessions shows that criminal organisations and individuals will view the current environment as an opportunity to be taken advantage of.

COVID-19 has also introduced challenges which heighten the risk of fraud. Businesses should be taking practical anti-fraud measures, along with reviewing or establishing an anti-fraud programme.

Remote working arrangements are weakening the oversight provided by the three lines of defence that ensures the effective management of risk. This can impact internal controls in areas such as payroll, receivables and payables. Cyber-risks are also heightened with IT changes being rapidly deployed and network access being requested from multiple locations.

Opportunistic threats are increasing as criminal organisations seek to exploit the changing environment. Businesses must remain alert and respond appropriately. A big part of this will involve providing employees with specific guidance on how to spot suspicious activity.

What four key actions should businesses take now?

Unprecedented times like this call for innovative solutions to identify and tackle the increase in fraud. Businesses must ensure that their COVID-19 fraud management program minimises risk across all its operations. It is important to have the flexibility to adapt to changes and uncertainty.

1. Update your existing fraud risk assessment

During challenging times, fraud risk assessment involves a significant commitment by management and staff. It should be directed or managed by personnel with fraud risk expertise. The key steps include:

  • Establishing the context;
  • Identifying the new risks;
  • Analysing the risks;
  • Evaluating the risks; and
  • Treating those unacceptable risks.

Risk identification should not be confined to only financial risks. Some fraud, such as cybercrime and information theft, damage reputation as well as the bottom line.

2. Consider the impact of reducing headcount and cost-cutting measures

When businesses downsize, the remaining staff take on additional responsibilities outside of their scope and expertise due to work being realigned. This can result in weaknesses in the internal control structure such as:

  • Lack of segregation of duties;
  • Lack of the correct skill sets;
  • Staff are overworked and under-resourced;
  • Documentation of controls impacted;
  • Increase in fraud; and,
  • Increased pressure on governance structures.

Consider whether all updated processes and procedures are understood, including revised roles and responsibilities.

3. Consider risks attached to fast-tracking new suppliers and other business partners

Commercial pressure may arise to quickly deliver products or services to market. Existing suppliers and third parties who are fully vetted may not be able to meet this demand or are facing their own COVID-19-related challenges. While it may be desirable to "fast track" new suppliers or third parties, appropriate measures should be implemented to mitigate the risk of engaging unsuitable third parties. Have sufficient steps been undertaken to independently verify new and existing suppliers and business partners?

4. Internal audit considerations

During times of heightened fraud risk, internal audit should review management’s commitment to internal controls and report on any suspicions or allegations of fraud. COVID-19 has had implications on financial reporting. Companies and auditors need to work together to ensure quality is not compromised even in challenging circumstances. 

Internal audit should ensure that they:

  • review and expand or redirect internal audit coverage;
  • prioritise fraud risk in the internal audit plan;
  • assess the adequacy of the control environment with appropriate planning and management oversight;
  • assess adequacy of company’s whistle-blowing procedures;
  • increase in data monitoring and analysis; and
  • conduct, where appropriate, surprise audits.

Having a robust fraud management program and a culture where the tone at the top promotes integrity and holds employees accountable will go a long way to protecting critical assets and weathering times of uncertainty.

Will O'Brien is the Director of PwC’s Cyber Practice.