Creating an environment where fraud cannot thrive
* Please note this blog was first published on Humentum
In many conversations I’ve had over the years, I find there is still a common belief in the notion that ‘fraud is done by bad people’. This has an insidious result of blaming the individual(s) who committed fraud while reducing the sense of urgency and responsibility that all staff, especially managers, have for reducing the risk of fraud. Furthermore, the facile ‘bad person’ explanation can lead managers to focus all their fraud prevention efforts on recruitment (let’s keep them out) and controls (let’s frustrate their efforts). But such approaches over-simplify the question of why people commit fraud. I find Neil Gaiman’s take more compelling:
Most of the triumphs and tragedies of history are caused not by people being fundamentally good or fundamentally bad, but by people being fundamentally people.
Fraud is a complex human behaviour problem. Wherever people form organisations, there will be fraud, and there is good reason to think that the settings and nature of the work of most NGOs means that they are at significant risk. We must go beyond policies and procedures. We can’t prevent fraud, but we can create a culture and environment where it cannot thrive.
No blog about fraud could go far without mentioning the Fraud Triangle. Cressey’s 1950s presentation of ‘why good people do bad things’ has undergone various geometrical transformations, apparently upgrading to a hexagon last year (November 2021). I like the quadrilateral iteration because the increasingly technological nature of controls means the capability of the fraudster has a big impact. The Fraud Diamond shows that when these elements are present, the likelihood of fraud increases.
At Humentum, we used this model and other research to develop a holistic approach to fighting fraud in NGOs. There is no single magic bullet, but 40+ actions and ideas are explored in our practical, hands-on online workshop where we dive into discussing an environment where fraud cannot take hold.
Clearly explaining what is required and expected of staff and others de-normalizes fraudulent practice and makes it less likely that someone will cross the line by convincing themselves that their actions are okay. Believing you are likely to get caught and face consequences is a strong deterrent. The Kroll 2021 survey highlighted the need for organisations to think beyond their employees: fraud can be done in collusion with suppliers, consultants, donors, grantees, volunteers, board members, bankers, auditors, government officials, and even, rarely, community stakeholders or constituents.
- Key ‘standing’ documents with references to fraud such as a fraud policy, contracts with staff and suppliers, grant agreements, and a code of conduct,
- Clear articulation of the consequences of fraud (usually dismissal or contract termination), Statement of ‘zero tolerance’ on the website,
- A question about fraud in every job interview,
- Frequent touch points with statements on operational documents like expense claim forms, purchase orders, application forms (grantees, staff, and suppliers), annual declarations about conflicts of interest and zero tolerance; and
- Staff training
Even if a human being is under pressure (from need, want, addiction etc.) and has convinced themselves a fraudulent action is justified, prevention measures make it harder for them to succeed. Internal controls play an crucial part here, protecting individuals from themselves and others. Well-designed procedures in finance, procurement, HR, IT and stores are all important, setting out the relevant segregation of duties, limiting access, use of standard documents, approvals and authorizations, accounting controls, and reconciliations. They make it more difficult to commit fraud, squeezing the opportunity and capability sections of the fraud diamond. Robotic Process Automation is becoming increasingly attractive and common since we presume robots do not experience pressure or motive to commit fraud. But with artificial intelligence (AI) exceeding that of humans in power and complexity, I can’t help wondering when we will hear the first report of robot fraud!
The fear of getting caught is an important part of the psychological equation. Well-publicized whistleblowing hotlines are a vital mainstay but require trust and effective whistle-blower protection to build confidence for people to use them. Some internal controls, such as a review of cash and bank reconciliations, are designed to detect fraud and error. Larger organisations benefit from internal audit services, outsourced if needed. Organisations with large numbers of transactions are increasingly turning to AI to analyse anomalies in big data sets.
But there is a dilemma for NPOs investing heavily in resources for detecting fraud and other types of misconduct. Improving detection will inevitably lead to more reports of fraud and the need for more investigations. This requires a proactive communication strategy so that greater transparency in fraud cases and losses increases the trust that donors and other stakeholders have in an NGO’s ability to detect fraud.
Save the Children came under scrutiny in 2018 for a misconduct scandal but actually won a reporting award from PwC partly because of the upfront, open and honest way it addressed the issues, which built trust.
A fraud allegation, whether substantiated or not, whether brought to light in good faith or with malicious intent, is a massive administrative burden for management, fraught with risks. If not addressed carefully, whistleblowers may be harassed, or worse, trusted relationships with donors may be broken. Furthermore, evidence could be lost or rendered inadmissible, perpetrators may escape justice, and numerous other balls may get dropped as the process unfolds.
Many find the best approach is to convene a small internal fraud response team from a pool of trained individuals. This fraud response team can take the matter forward following clear guidance, withholding judgement, managing internal and external communications, commissioning an investigation, and taking actions as appropriate. Factual findings of fraud should then be passed to HR for fair and firm disciplinary actions that reflect zero tolerance, avoid scapegoating, account for coercion and collusion, and include due process for addressing complaints and appeals.
Written procedures will have limited real impact without a conducive tone at the top. Is fraud talked about at all, or is it an unmentionable ‘F Word’ to quote the title of Oliver May’s excellent book on the subject?
The tendency to create a culture of silence around fraud is a persistent problem that the sector needs to work on. Managers often worry that implementing procedures and asking questions related to fraud signals ‘distrust’ of their staff or of other stakeholders. I have met resistance to training on the subject because it might give people bad ideas! But failure to talk about fraud openly creates the ideal conditions for it to grow.
Culture and values are absolutely central. Is there top level buy-in to a zero-tolerance approach? Is there management override of controls or a strong sense of ‘them and us’ between senior leaders and other staff? Do managers know and connect on a personal level sufficiently well to know if someone was under particular financial or other pressure? Is there perceived unfairness in the provision of pay and benefits? These factors play a big part in the fraudster’s inner voice that rationalizes their actions, and can also keep people from speaking up, even if the hotlines are available
Using the holistic approach, it’s clear to see how any of the five elements could fail without the others. A fraud policy will not fight fraud for you, but it is an essential starting point. Developing policies from scratch is never fun, and the risk of ‘copy/paste’ syndrome is real.
Humentum has developed a free template fraud policy for NGOs, highlighting the sections that must be carefully discussed and tailored internally. With an appendix of useful forms and checklists, all fully editable, it is a fantastic tool for an organisation looking to develop its first fraud policy, or for ideas to update an existing one.
Samantha Musoke ACA is a UK Chartered Accountant who has lived and worked in Uganda for more than 20 years as an auditor, internal auditor, consultant, trainer, CFO, grant manager, fraud investigator, and board member. She developed Humentum’s ‘Fighting Fraud in NGOs’ training course and template fraud policy and is currently Humentum’s Project Director for the IFR4NPO initiative.