Some organisations fractured their risk mitigation systems in their rush to make it possible for employees to work from home during a pandemic. The pandemic made rapid change essential, but changing things fast makes breaking them more likely.
Many organisations don’t realise they’re still racing. The race today is to locate any gaps in control systems before those gaps are exploited. Exploiting gaps to perpetrate expensive and ongoing payroll fraud is more likely every day as employees come under pressure from rising interest rates, inflation and employment uncertainty.
The first step in mapping the deficiencies is to ask the right questions about prevention, detection and response under flexible working arrangements.
The right questions include:
- Which activities or processes were we forced to bypass to respond fast enough to ride out the pandemic and allow our workforce to be mobilised remotely?
- Could those necessary omissions have opened gaps in our policies, processes and procedures?
- What can we do to close those gaps now?
In the meantime:
- What might it cost us if those gaps are not filled?
- How would we know if we were being defrauded, and how long would it take us to learn this?
- How would we respond if we suspected payroll fraud?
1. Prevention of payroll fraud
Flexible working affects how employees work, not just where they work. That’s why you need a formal assessment of:
- How flexible working has changed work practices
- How that affects the checks and balances you had in place before
You’ll know whether a formal assessment is worth the investment if you’ve calculated the possible cost of time fraudulently billed and the accompanying drop in productivity. Also, you’d want to consider the potential costs if deficiencies in your systems have opened opportunities for employees to inflate expenses and reimbursement claims, which are amplified when detection is low.
Questions to ask when looking for deficiencies that might lead to payroll fraud
Preventing fraud starts with:
- The right policies: Setting out in clear, enforceable terms what is allowed and what is expected. The policies you had before might not be suitable or comprehensive enough for your new ways of working. Not only do you need the right policies, but you also need to communicate them effectively. Without effective communication, policies are useful to you only at the response stage, after the fraud has happened and when losses might not be recoverable.
- The right processes: Do the right people know the processes they should follow to verify that employees are complying with your policies? Perhaps some employees took on new responsibilities in haste, so you need to go through the processes with them now that you have more time. Additionally, many HR departments and hiring managers had to recruit rapidly and rely on virtual onboarding, which sometimes meant reduced due diligence and background checking.
- The right procedures: Is everyone competent in each task within your processes? You might have excellent processes, but someone in the chain could introduce an exploitable gap if they aren’t following procedures.
External advice can be useful in reinforcing your control architecture. An external advisor will likely have come across more gaps, so they’ll see things you might not. Also, an external advisor will have seen a wide variety of control models that could work in your business.
2. Detection of payroll fraud
Everybody wants to trust their employees, and most of the time they can. However, a single employee’s undetected payroll fraud can lead to significant losses. For that reason, every business should have mechanisms to detect misuse or abuse.
Early detection is especially important in payroll fraud because some losses can’t be recovered. How do you quantify, let alone recover, all that’s lost when a project takes months longer to complete because someone was working on it less than they claimed?
New ways of working create blind spots in detection
You might already have mechanisms to detect payroll fraud, but those mechanisms could have blind spots if they were designed before you shifted largely to working from home.
Data analytics to detect payroll fraud
To design detection mechanisms to fit your new ways of working, you should consider the right technology for your circumstances. This should include a data analytics capability. Expertly configured data analytics creates a tripwire. Misconduct will trip that wire sooner than is likely with more manual detection mechanisms. This is especially true considering how much electronic data flows through the average business now that so little is left on paper.
The insights to design detection mechanisms
Because most people are trustworthy, you might not have seen many (or any) cases of payroll fraud so far. As you’d expect, at Clayton Utz we do see many client organisations experiencing payroll fraud.
A significant advantage of seeing many (sometimes ingenious) examples in multiple sectors is being able to reverse engineer those insights into comprehensive detection mechanisms, stopping fraud before it leads to losses.
Now is the time to decide what you’ll do if you suspect payroll fraud. Putting everything in place now will increase your chances of:
- A fast and accurate response. You want to be certain quickly whether fraud is happening.
- Successful and effective resolution. The stronger your evidence, the more likely you are to get the best resolution possible in the circumstances.
- A human-centred approach. COVID taught us to balance business needs with the wellbeing of employees – mentally and physically. Flexibility remains an important consideration when reassessing your control environment, but it requires rigorous controls to manage abuse.
A professional investigation — one that holds up to scrutiny — will put you in the strongest position for what comes next. An effective investigation combines experience with an eDiscovery capability. Your eDiscovery capability enables you to extract information from systems to rule out fraud or corroborate your suspicions.
The time to ensure your systems will support effective eDiscovery and that you have investigative resources on call is now. You want to be certain you can pull evidence from email, phone records and computer logs before you need the capability and find you don’t have it.
If you are right in having detected fraud, you’ll give your response an additional advantage if you can call on forensic and investigative know-how that comes with the protection of legal professional privilege. That way, you’ll be in the strongest position to take the next steps.