Raina Verma, CFE
If you are familiar with fraud, you may be acquainted with The Fraud Triangle, which is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, when brought together, can lead to fraudulent behavior: opportunity, pressure and rationalization.
There’s an extension of this fraud theory, known as the fraud diamond, which includes a fourth element: capability.
Capability refers to someone having the necessary traits, skills and abilities to commit fraud. It’s how the fraudster not only recognizes a particular fraud opportunity but turns it into reality.
With experience in fraud risk management, and specifically investigations, fraud examiners can see the fraud diamond capability in a new light. Capability, as described above, can be exploited by anyone with authority over another employee to mobilize a fraudulent scheme or agenda. This is when the fraudster — often someone powerful or intimidating — takes advantage of the access, skills and abilities of other employees due to their position of authority in an organization. In a contract model, the pressure an employee has for continuity of the role is immense, so it is critical that organizations factor in this aspect of employee capability while performing ongoing monitoring.
As a typical example, a large financial organization hires two types of employees:
Full-Time Employees (FTEs): Employees that are sponsored and on the payroll of the company with extended perks, benefits and annual gratuity.
Contract Employees: Employees that are on the sponsorship of third party, either as a freelancer or by an external company that provides human resources services to the organization. Organizations often use contract employees because there are limited benefits and gratuity. Because of this, contract employees are often more financially viable. The contract period can last anywhere from three months to one year, usually with a potential for renewal.
While the employment pattern is different for both the above types of employees, these individuals often work within the same office environment and have access to same privileges, systems and physical spaces.
A contract employee may go on to work for an organization for years, but this arrangement could potentially lead to having their voices silenced. Often, the continuity of their job depends on the immediate line manager, who can mark them as:
And they can do this with little or no clarification!
What’s the point?
It often comes to light during fraud investigations involving contract employees that due to the nature of their employment contract, they are under immense pressure to please their superior. The contract employees have capabilities that are often capitalized and exploited. Their capabilities to access the system, create transactions and approve transactions can be influenced. Often these types of schemes go undetected for a long period of time because the manager, who reviews and approves transactions, has no interest in bringing the fraudulent transactions to light.
In the event that these schemes do surface, the contract employees are usually dismissed as an outcome of the investigation. Yet they may not be the main culprit behind the fraud, merely the pawn whose capabilities were being exploited.
Looking more deeply at the data, logs and records, the outcome of such reviews can reveal that the fraudster will control their contract employees by dictating:
Who they can speak with during coffee breaks
Who they can or cannot socialize with depending on the interest of the other parties
Whether their contract will be renewed
The larger the organization is, the more this concept gets lost in the mix. Organizations often have a blind spot to this aspect of contract work, and hence such schemes and arrangements could potentially give rise to creating an elevated or long-lasting fraud situation.
In my own training, I often unapologetically talk about this dimension during employee inductions as well as fraud awareness sessions. The advice I give to contract employees is, “Be wary that while we may be on different contractual terms, our accountabilities to perform and initiate transactions in the interest of the organization cannot be over-stated.”
I also illustrate to them, through the fraud diamond, how their capabilities could be seen by other internal and external parties. Their access rights to people, processes and systems should be limited to the realm of ethical work and not by the request of senior or powerful individuals.
I remind them of the guidelines around Persona Non Grata that restricts persons with questionable professional integrity from joining the financial sector. It’s something that all employees should bear in mind at all times and work in the interest of the organization.
I also encourage each employee, regardless of the contract type, to reach out to the hotline for matters requiring attention. And most importantly, an organization cannot be too prescriptive about their requirements to be compliant.
It is crucial that we speak about the elephant in the room. Sometimes it’s the only way to address a problem.
What can organizations do?
A departure from the contract employee model is not a choice that employers may have in the short term, but the tips shared below are a few things might help.
Empower employees to speak up and increase accountability.
Engage in skip-level meetings, and do not exclude contract staff.
Assemble trend analysis reports to identify any significant patterns, not just for external transactions but for internal users as well.
Fraud investigations should be conducted to the fullest extent possible by experienced individuals.
Empower your risk management, financial crimes, compliance and operational risk teams to review processes and question trends, not just when problems arise but to catch them early on.
Develop a model to increase testing in high-risk areas and employee digital behavior. Organizational training and code of conduct awareness must specify that each user should create transactions that are authorized and in the interest of the organization. Contract employees are just as responsible for using their access and privileges with due care. This cannot be downplayed. However, organizations should also consider the risk they carry in the contract employee model. The challenge they have now is how to limit the exploitation of that model.
SOURCE: ACFE Insights – A Publication of the Association of Certified Fraud Examiners