[author: Matt Kelly]
Compliance professionals know that COVID-19 has unleashed a host of new challenges on corporate enterprise. Fraud risk isn’t one of them.
Don’t get me wrong; COVID-19 has changed how fraudsters might approach your company. It’s also created many more tempting targets, with trillions in federal funds gushing around the economy and previously mundane items like toilet paper and nasal swabs now worth much more. Your fraud risk has gone up, rest assured.
But fraud risk itself — the principles of how it works, and the basic scams that fraudsters try — is nothing new to corporate enterprise. That’s a crucial point to remember as you evaluate what your fraud risks truly are these days, and how to modify your policies, procedures, and internal controls in response.
Understand What’s Changed
Fraud has always been about using deception to achieve improper financial or personal gain. The fraudster works by exploiting confusion, urgency or unfamiliarity with some situation.
So when performing a fraud risk assessment, ask yourself: How has COVID-19 changed the operations at our enterprise? Where might we be more vulnerable to that confusion, urgency, or unfamiliarity?
Potentially, in lots of ways. COVID-19 undermines anti-fraud controls and procedures by keeping people physically apart from each other — which means controls that previously relied on trust and interpersonal contact no longer work. That’s a change to fraud risk that compliance and audit executives need to consider.
Take business email exploits as an example. Someone poses as a senior executive, sends a spoof email to the finance team saying, “We have a deal to close; wire money to this account immediately,” and hopes that the employee falls for it. Prior to COVID-19, one possible control was the employee turning to a coworker or peeking into the CFO’s office to ask, “Is this legit? Were we working on a deal?” Now there is no coworker next to you. The CFO and the finance team, like most other workers, are all working remotely.
Sure, you could still confirm the wire transfer with someone else via a quick chat on Zoom or some other technology, but that’s a less natural response for people — especially when they’re also managing at-home school lessons, fighting their spouse for work space, or wondering whether that’s a fever they feel coming on.
So companies will need to require that confirmation, and put structure around how employees obtain it. That means having a written policy, training employees, and possibly even inserting new controls in the payments process so no wire transfer happens without confirming documentation.
A fraud risk previously mitigated by trust and teamwork now must be managed by policy and stronger internal control because COVID-19 has made close communication and teamwork more difficult.
Audit executives would say we’re introducing compensating controls to anti-fraud processes that have been weakened by our response to COVID-19. That’s exactly right. Risk assurance teams need to review and retrofit their anti-fraud programs, because the steps companies have taken to keep employees safe from COVID-19 also left those companies exposed to fraud in all sorts of new ways.
Keep Employees Attuned to Risk
Remember what we said before: Fraudsters work by exploiting confusion, urgency, or unfamiliarity with some situation. An anti-fraud program counters those things by slowing down transactions and demanding clarity.
For example, as we conduct more transactions virtually, that might mean more effort to confirm the identities of supposed business partners, vendors or customers. Fraudsters will always be happy to provide that documentation — except it will be fake, of course. So you’ll also need policies about when to get independent verification, and you’ll need to provide the means to do that.
Note the broader trend here: internal audit or risk management functions might be able to identify heightened fraud risks in the age of COVID-19, but compliance may well end up implementing many of the responses to those risks.
That’s because those responses will depend more on people following policy, while they’re stuck in home offices or following ad hoc business processes cooked up during the early weeks of the crisis. Employees will need to be more attuned to fraud risk, and understand what steps they’ll need to take to reduce that risk — and creating that state of affairs typically falls to the compliance function.
Don’t Forget Leadership
Somebody in the enterprise will need to lead the anti-fraud program. For example, large companies might have a VP of internal audit, and retailers usually have a VP of loss prevention. Those executives would be obvious candidates for the role.
Many other companies will struggle to find the right person. An external audit firm will be happy to help with a fraud risk assessment, but that’s not the same as “owning” the anti-fraud program quarter after quarter.
Procurement could try to do it, assuming your company has a procurement function. Compliance officers could try, too — although many CCOs would be quick to say they aren’t experts in fraud risk and internal controls. They would be right.
Regardless, these are the ways that COVID-19 is putting an old issue — fraud — into a stark new spotlight. Companies will need to give fraud careful attention and develop a new, multi-pronged approach to reducing it.