VOL. II ARTICLE NO. 120

Fraud and Embezzlement: The Insider Risk

Most Companies Don’t Get Serious About Fraud Prevention Until They Become Victim To It. What About Yours?

It’s an uncomfortable truth. But in the vast majority of cases, acts of fraud and embezzlement occur because – somewhere in the spectrum of countermeasures, from keeping track of physical assets to championing a culture of security awareness – companies failed to establish even basic prevention-oriented practices widely proven and acknowledged to be very effective at mitigating the “insider risk”.

Like what? Well, take monitoring and internal controls, for example. Like ensuring segregationof-duties and dual accountability. Like creating robust security controls that are specific to employee functions – and then testing them. Like avoiding dual reporting relationships – and removing the opportunity for an employee to tell different managers different stories.

Or take policies and principles. Like ensuring the company’s code of ethics requires the disclosure of actual, potential and perceivable conflicts of interest. And requiring the identification of material interests insiders have in the business of any customer, vendor or supplier.

Red Flags of Caution

Research has uncovered a great deal about fraud and embezzlement – clues that are crucial to defining the right countermeasures. In 2004, the National Threat Assessment Center of the U.S. Secret Service completed the Insider Threat Study in conjunction with the renowned Software Engineering Institute at Carnegie Mellon University. Here are a few interesting study highlights:

• Most insider events were triggered by a negative event in the workplace – and most perpetrators had prior disciplinary issues.
• Only 17% of the insider events studied involved individuals with administrator access.
• Three out of ten (30%) incidents took place at the home of the insider using remote access to the organization’s network.
• Financial gain was the dominant motive, driving 81%. Other common motives were revenge (23%), dissatisfaction (15%) and desire for respect (15%).
• Most incidents required little technical sophistication. Only 23% of perpetrators held technical positions and 87% of the incidents used only simple, legitimate user commands.
• Perpetrators planned their actions. In addition, in 85% of cases, someone else knew of the plans.
• Perpetrators do not share a common profile. Just 58% were male, 54% were single, their jobs were scattered throughout the organizations and few of them were known troublemakers. However, 27% did have arrest records.

A Smart First Step: Get Familiar With the Fraud Triangle

Most people who commit fraud against their employers are not career criminals. They are often trusted employees who have no criminal history and who do not consider themselves to be lawbreakers.

So what factors cause these otherwise normal, law-abiding persons, to commit fraud?

The best and most widely accepted model for explaining why “good people” commit fraud is the Fraud Triangle. This is a model developed by Dr. Donald Cressey, a criminologist whose research focused on embezzlers, people he called “trust violators.” According to Cressey, three factors must be present – at the same time – for an ordinary person to commit fraud:

1. Pressure or motive – i.e., the need to pay bills, a drug or gambling habit, the need to meet productivity targets at work.
2. Opportunity – i.e., the occasion and positioning to commit a fraud without being discovered.
3. Rationalization – i.e., the logic and mindset that allows fraudsters to believe that their fraudulent act is justifiable.

For More Information

To find out more about preventing fraud and embezzlement in your business, contact:

• Arnette Heintze, Chief Executive Officer, at (312) 869-8500 or via email
• Ken Bouche, Chief Operating Officer, at (312) 869-8500 or via email