In our previous article, Internal Fraud – The Threat from Within (April 2017), we gave a broad outline of the basic steps that can be taken to help reduce the chances of internal fraud and increase the chances of fraud being identified if it is happening.
This article sets out in a bit more detail some of the policies and procedures you should consider implementing in your business, if they are not already in place. The size of your business, and the number of employees involved, will have a bearing on what can be done.
The employees of a company can be its greatest asset or its greatest liability. Employing the wrong person can have a devastating effect on the well-being of the company if they are able to cause financial or reputational damage.
There are no employment policies or procedures that will guarantee that an employee will not cause problems but having a good, robust process in place when employing a new person will give you the best chance of identifying issues before the candidate starts work.
• Do due diligence and make a proper assessment of the applicants who are applying for the position. Are there any gaps in their CV that need explanation?
• Establish the relationship between the applicant and the named referees and make personal contact with each referee. Are they independent enough that you can rely on their assessment of the applicant?
• Make any offer of employment conditional on getting a clear reference from the applicant’s current employer if they have asked you not to contact them until a position is offered. If the applicant won’t accept that condition you would want to know why.
• Take your time to assess the trustworthiness of the new employee before handing over access to bank accounts etc.
As with the employment process, there are no accounting policies and procedures, other than doing everything yourself, that will absolutely prevent any form of fraud being committed by an employee but having the right ones in place should lessen the chances of it happening and increase the chances of you finding it quickly if it does.
• As far as possible, separate the duties of staff so that no individual can control all aspects of a transaction – from ordering of stock or issuing purchase orders, to receiving the supplier’s invoice, to making payment of that invoice and reconciling the bank accounts;
• If your business is a small one and there is only one person responsible for the office administration, then you personally should be the one who clears and checks the mail and the one who carries out final checks on creditor batch payments and authorises the payments to be made.
• Have set systems and procedures in place for making payments that all staff are aware of and follow;
• Conduct stock reconciliations;
• Carry out spot checks, at irregular times, to ensure policies and procedures are being followed. Remember that the higher up the management hierarchy an employee is the greater the damage they can do to the business.
• Have a “whistle blower” policy in place and ensure that all staff have the confidence to report any activity by other employees that is in breach of the systems and procedures.
• As director, ensure that you understand the company’s financial performance and position, by monitoring transactions through the company’s bank accounts and regularly obtaining and reviewing profit and loss and cashflow information for the business;
• If there is any change in the financial performance or position that is not able to be explained by the trading conditions, investigate.
When you, as director of the company, are heavily involved in doing the work of your business, it is very easy to allow staff to look after the administration with little or no oversight, but the risks of doing so are high and the consequences, if an employee is defrauding your company, can be catastrophic.
If, from the beginning, all staff are aware of the policies and procedures that are in place and know that you will be checking on what they are doing, for their protection as much as for the business, this should reduce the chances of fraud occurring and increase the chances of identifying the fraud if it is.
If you would like more information or advice on your business systems and procedures, please contact McDonald Vague.
In our article published in April 2017, Internal Fraud – The Threat from Within, we discussed the issue of fraud committed on an organisation by its own officers and staff, the types of offending and some basic steps that can be undertaken to reduce the risk of internal fraud.
These steps included the need to have robust and durable systems and procedures in place to lessen the opportunities for fraud to be committed or, if they are committed, increase the chances that they will be discovered before they can cause irreparable damage to the business.
A case that our firm was involved in highlights what fraud can cost a director of a company personally if another member of the business, in this case a fellow director, defrauds clients of the company through the company’s business and the director has not been vigilant in exercising their duty to ensure that the company’s activities are being properly conducted and managed.
Another case mentioned later in this article discusses the reliance on advice from certain persons including professional advisers and other directors and further enforces the liability of non-executive directors with knowledge.
FXHT was incorporated in June 2005. Peter Justin Hitchinson was one of three directors on incorporation.
In December 2005, Dirk Oberholster became a director of FXHT and invested some funds in the business. FXHT’s business was the management of clients’ investments in foreign exchange markets. Mr Oberholster was a medical doctor and, although he had other company interests, he had no expertise in fund management.
The other two original directors ceased in July 2005 and March 2006 leaving Mr Hitchinson and Mr Oberholster as directors.
About 1 year after accepting appointment as director, Mr Oberholster discovered that Mr Hitchinson had been defrauding clients of the company. Mr Hitchinson resigned and the matter was reported to the Police. Mr Hitchinson was subsequently convicted of criminal fraud and sentenced to imprisonment.
The company was subsequently liquidated and Peri Finnigan and Boris van Delden were appointed as liquidators. The liquidators’ investigations confirmed that Mr Hitchinson had misapplied client funds to pay out other prior investors and to keep the business operating.
The liquidators took proceedings, through the High Court, seeking orders that Mr Oberholster contribute funds to the liquidation so that the clients could be reimbursed for the losses caused by Mr Hitchinson. The claim was on the basis that Mr Oberholster had failed in his duties as a director and thereby contributed to the losses suffered by the clients.
The High Court found that Mr Oberholster breached section 135 of the Companies Act 1993 (“the Act”) in that he allowed the business of FXHT to be carried on in a manner likely to cause a substantial risk of serious loss to the company’s creditors by allowing Mr Hitchinson free rein to run the company without requiring any formal reporting.
The Court also found Mr Oberholster was in breach of his duty of care under section 137 for failing to put in place adequate systems of control and reporting.
Mr Oberholster was ordered to contribute funds to the liquidation to reimburse clients.
This case highlights the problems that can be caused to a company, and its officers, by fraud committed by someone within its organisation.
It also highlights the risks faced by a director by becoming involved in a company whose business is outside their expertise and who fails to comply with the statutory requirements of being a director.
Mr Oberholster was not involved in any way with the fraud committed against clients by his fellow director but, because the Court held that he had not properly carried out his duties as a director, he became personally liable to reimburse, at least in part, the clients who had suffered losses.
We have included the link to the High Court decision. The High Court's decision was appealed to the Court of Appeal who upheld the findings of the High Court.
Section 138 of the Act can provide some relief from personal liability to directors who rely on advice given to them by certain classes of people, including professional advisers and other directors.
This is dependent on the individual director's situation, knowledge and responses, and may be particularly relevant where the director concerned is a non-executive director and not involved in the day to day operation of the business, who makes reasonable enquiries and receives misleading information from the other director.
However, once the non-executive director is in possession of information or could be reasonably expected to have acquired sufficient knowledge of the company’s business and how that business is being managed, they may be found liable from that point onwards.
This is set out in the High Court and Court of Appeal decisions in the case Grant & Ors v Johnston & Ors. We have included the link to the High Court decision in this case.
In this case it was decided that a non executive director who was mislead for a period of time, and who took affirmative action to identify and correct company deficiencies including lending the company significant sums of money to fund trading losses was not required to pay a contribution to creditors despite having been found negligent as a director from the time that the Court determined he should reasonably have paid attention to the mounting evidence of his fellow director’s ill disciplined and incompetent management and the adverse results that followed.
These cases remind us that directors in any role must be active and vigilant, and that while a non-executive director may be given some time to learn and then remedy poor company trading, there comes a time when continuing a company trading will not be considered to be a reasonable course of action.
If you are a director and are concerned about your company's financial performance, you have reservations about the information you are being provided, you would like more information about your duties as a director, or you want advice on restructuring, business systems and procedures, please contact McDonald Vague.
As a business owner, have you been kept awake at night trying to work out why your business is struggling to pay its bills on time when you know that you are doing more work and earning more income.
The answer could be that someone within your organisation is taking advantage of their position and is defrauding your business.
It is a sad fact of life that some people will abuse the trust placed in them by their business associates or employer and use their position to obtain personal profit. This can have a devastating impact on a business, putting its ability to continue to operate in jeopardy, and also putting its creditors and directors at risk because of the company’s inability to meet its obligations.
The types of dishonesty are many and varied.
Some of the more common types are –
Research has shown that, generally speaking, three things have to exist for a person to commit fraud against an employer. Those three things are pressure, opportunity, and justification, and are known as the “fraud triangle”.
“Pressure” is usually financial and could be funding a drug or gambling addiction, the threat of mortgagee sale of a property, or just the desire to have more money to spend on a grand lifestyle. Time pressure in the business provides an opportunity for systems to be overlooked.
“Opportunity” is the ability to commit the fraud. The knowledge of how to manipulate the company’s processes, the belief that they won’t get caught, and weak internal controls that allow the actions to happen.
“Rationalisation” is the justification by the offender for the fraud they commit. Some of the common ones are fear of losing everything if they don’t have the money (mortgagee sale), labelling the theft as “borrowing” as they fully intend to pay it back, or job dissatisfaction as they believe that they should have received a promotion or are worth more than the company is paying them.
The people who can cause the greatest harm are generally those that you trust the most.
Often, they are the employee who is always there. They are never off sick, even when they should be, and they don’t take annual leave outside of the normal shutdown periods. They look after everything for you, from collecting the mail to ordering stock, invoicing customers, dealing with creditors and generally sorting out any issues as they arise.
They have online access to all the company’s bank accounts and may have signing authority. There is a chance they are living beyond their means.
We do not suggest, of course, that all staff who fit within this description are defrauding their employers. Far from it, as staff can be the glue that holds the business together and allows it to operate to its potential.
What has been shown by experience though is that if they fit this description and the factors involved in the fraud triangle described above exist, there is the potential for fraud to occur.
The director of an electrical services company employed an accounts person, on a part time basis, to replace a long-term employee who was leaving. The new employee was immediately given online access to company accounts and was responsible for all dealings with creditors and debtors and reconciling of bank accounts.
The business was growing, employing more staff, and picking up new work but was still struggling to pay its creditors on time.
The director was alerted to possible issues by his bankers, who noted some unusual transactions. A subsequent investigation identified that the part time accounts person had taken over $300,000 from the company in 18 months, simply by paying personal expenses directly from company accounts and by directing payments intended for creditors to the employee’s personal account.
The offender was convicted of criminal charges but reparation was not ordered. The funds were all used to finance an extravagant life style.
The electrical services company had to cease trading and the director now works for wages.
This fraud was able to continue for as long as it did, and to the level it reached, because the director placed too much trust in the new accounts person. He concentrated on the electrical services work and left all financial details to the accounts person and had no oversight of what was happening with the company’s account systems.
There are a number of measures that can be taken to reduce the risk of internal fraud. These will vary, depending on the size and nature of the business. Some basic steps that could apply to any business that employs staff include:
It is unrealistic to think that by putting correct procedures in place you can absolutely prevent any form of fraud being committed. The reality is that if someone has the skills and is prepared to take advantage of their position within a business they will be able to find a way around the procedures and systems that you have in place.
A person was engaged by a public sector organisation in a management position. The position gave the manager authority over the administration and accounts staff.
The organisation had systems and procedures in place to ensure separation of duties and to provide a reasonable level of oversight and review by personnel who authorised payments, which were mostly made through online banking batches.
The manager was employed by the organisation for about 14 months and, during that period, the manager defrauded the organisation of approximately $800,000. This was achieved predominantly by creating fraudulent batch payments using fake invoices.
Some payments were authorised without the proper process being followed by the manager instructing staff to take certain actions for supposedly urgent payments, and by getting payments processed when staff who were likely to question the payments weren’t present.
Other payments were made by following the correct procedures but the manager had used their technical ability to create false payment batches that disguised the fact that payment was being made to the manager’s personal account and not to the account recorded on the supplier’s invoice.
There is no absolute protection from staff theft or fraud but having robust and durable systems and procedures in place will lessen the opportunities for fraud to be committed or, if they are committed, increase the chances that they will be discovered before they can cause irreparable damage to your business.
If you think you may have been the victim of a fraud, or you would like more information or advice on your business systems and procedures, please contact McDonald Vague.
Workplace investigations can detect the source of lost funds, identify employee misconduct and possible culprits, as well as help recover losses. They are usually undertaken when there is alleged employee misconduct, or a rumor of something amiss comes to the attention of the employer which requires action. Investigations must be undertaken in a fair and reasonable manner without bias.
Investigations into employee misconduct can cause significant problems. They can also be expensive, time-consuming and disruptive to organisational morale. Investigations which are not conducted in an ethical and transparent manner, with the utmost care and confidentiality, can lead to a number of legal issues and other unexpected complications. Well-done workplace investigations can provide a solid defence to legal challenges raised by dismissed or disgruntled employees.
In most workplaces serious misconduct such as fraud, harassment, violations of company policy, theft of intellectual property and the use of proprietary information for personal gain incorporates the use of electronic devices.
Collecting digital evidence
The collection of digital evidence is one of the most important initial steps in an investigation and it is important for employers to understand at least the basics of securing data. Having a reputable computer forensic investigator involved in the early stages of an investigation can avoid jeopardising data, the outcome and reduce problems further on down the track.
As electronic data within a business is forever changing it is imperative that steps to secure the data are taken in a timely manner as soon as a situation becomes apparent. While data is often recoverable there are no guarantees that it won't be overwritten as time goes on.
The use of computer forensics which includes identifying, preserving, validating and analysing of electronic data is commonly used in these investigations.
Once the devices relevant to the investigation are identified the data is preserved by creating a read-only forensic image, or 'clone', of electronic media to a standard that any evidence obtained from them would be admissible in Court. Possible devices incude servers, cloud storage, computers, phones, tablets, iPads, portable hard drives, thumb drives and DVDs.
A forensic image is an exact 'bit-by-bit' copy of the entire contents of the original storage media performed with write-blocking equipment to ensure the data is not altered in any way. It copies the contents of all of the unused areas on the hard disk as well as the areas that currently contain data. The unused data often contains data that has been deleted by a user but still resides on the device and is important to capture.
As part of a correct forensic process a hash algorithm, or 'digital fingerprint', of the acquired media is generated. Both the original device and resulting digital image are analysed to generate matching source and target hash values. With the use of the digital fingerprints, any tampering or manipulation of the cloned data is readily detectable.
Backup copies or ghost images, as often generated by an IT person, are not a true forensic image. While these backups are critically important to perform for the purpose of data recovery, they only contain current data that the user can 'see'.
Email correspondence is a major tool in the workplace and is an important part of electronic evidence. When an individual sends an email, a retrievable copy is most likely stored in more than one device or location. These include computers/laptops (work and/or home), tablets, mobile phones, workplace servers and the emailer's hosting server such as Gmail and Hotmail. Computer forensics can be utilised to extract existing emails as well as potentially retrieving deleted emails.
Collection of data
Once data is secured a computer forensic investigator utilises software tools to analyse and extract data relevant to the investigation. The recovery of data includes the retrieval of documents, images, emails, chat logs, social media and internet usage history, call logs, text messages and contacts. Data can be collected about when documents were created, altered or deleted as well as any devices which have been connected to a computer/laptop.
The information that is retrieved by the use of computer forensics could make the difference between a successful and unsuccessful workplace investigation.
Beyond the financial damage and risk to a business' reputation, responding to instances of workplace misconducts draws on critical resources, particularly management, and impacts the business' culture so it is imperative that a prompt and professional investigation is performed.
McDonald Vague works closely with Tina Payne, Computer Forensic Investigator. Tina authored this article.