'In some cases, an individual may be a bully, or they might use intimidation so that people are less likely to question them'
An IT director was in the spotlight recently, for all the wrong reasons.
Having worked for the Ontario government for over 10 years, he pleaded guilty to multiple charges of fraud, breach of trust and money laundering.
The illegal activities add up to $47 million, according to a Global News report.
And while the employee has since expressed remorse for his misbehaviour, the case serves as a reminder to HR about the huge costs of employee fraud, in more ways than one.
In part 1, we looked at the ways employers can better prevent this unwelcome activity; in part 2, we look at best practices in confronting the fraud.
Red flags that shouldn’t be ignored
While it’s tempting to oversimplify when it comes to warning signs of employee fraud, there are common patterns to watch out for.
For example, often an organization is having cashflow issues that are inexplicable, though that can be difficult to assess when there’s boom times or down times, says Bailey Rivard, a partner in the valuations, forensics and litigation support services group at MNP in Calgary.
“But a lot of times you'll be seeing financial pressures, issues meeting vendor payments, issues with collections, that kind of thing, [where it’s] difficult to put your finger on what is happening and why the company's in the financial position that they're in.”
On the individual level, employers should be careful about behavioural red flags because we never know about an individual's personal circumstances, she says. But they could include employees living beyond their means, so living a lifestyle that's really not supported by their employee status or their pay.
And often fraudsters will commit the breaches because they’re facing financial difficulties, such as an illness in the family, divorce, a drug or gambling addictions, says Rivard.
“Sometimes the financial difficulties is really the need of greed, that financial pressure to live a lifestyle that they can't necessarily afford and sometimes we see that with extramarital affairs as well.”
Also, watch for people who are irritable, anxious or defensive, especially if they're questioned about their work, she says.
“In some cases, an individual may be a bully, or they might use intimidation so that people are less likely to question them.”
On the other hand, you might be concerned about a long-time employee who is unwilling to take vacations, or they're at work earlier than everyone else, and stay late, says Rivard.
“They're wanting to hoard their work, they don't want to share their duties or let anyone help. And they want to limit access to their information that they're working with [because] if somebody steps into that individual's role, then they might be able to uncover the fraud.”
Employees who never take vacation are notable in showing a resistance to hand off their work to anybody else, says Alan Mak, partner and national practice leader, forensic disputes and investigations, at BDO Canada in Toronto.
“The concern would be that they're cooking the books, they have things going on, and they don't want anyone else to know or have access to their files.”
Also of note: procurement processes, he says.
“Anyone in a position of authority, who has the ability to award contracts or to pay vendors, you want to be watching out for red flags in relation to tendering processes, related party transactions, which is very common, but also a difficult one to be on the lookout for.”
It's a matter of recognizing discrepancies and anomalies “when they hit you in the face,” says Mak, referring to blind spots to the risks.
First steps after fraud is suspected
While there’s an urgency when fraud is suspected, because this person could be taking advantage of the organization, it is really important — whether you're talking about $2,000, or $100,000 — to pause and actually develop an investigation plan to guide management, says Rivard.
It may be prudent right at the beginning to hire an independent party to come in and investigate the allegation, to avoid any perception of bias.
“Typically, HR is going to have some involvement. And really, you're trying to limit the team that has knowledge of the issue to just key individuals that are on a need-to-know basis. So it may be somebody in the executive of the organization or on the board of directors… it may be somebody that's in charge of the financial reporting — it really depends on the level of the individual, the role of the individual that is suspected,” she says.
“You do not want to have anybody involved that does not need to know, or if they are involved, maybe with limited information.”
For example, the IT group may need to be involved dealing with cutting off access, pooling data or preserving evidence, “but they don't necessarily need to know the details of what it is that’s being dealt with, so it's just limiting that information flow,” says Rivard.
There’s a great amount of delicacy involved with maintaining secrecy, she says, “because you don't want to inadvertently… paint somebody with a brush that turns out not to be true. And then you're dealing with the repercussions on an employment claim, coming back where there's been a false allegation or an allegation there's been defamation or something like that. And then you're dealing with an employee lawsuit.”
Getting lawyers involved
If you suspect wrongdoing, then assume that there is wrongdoing, says Mak.
“I don't mean a single person is guilty, necessarily, but assume that the investigation will lead you to a problem. And the reason why that's important is because you want to make sure that the process is defensible.”
So if an employer has in-house counsel, obviously they should be involved, he says, but if not, the employer should probably consult a labor or employment lawyer quickly to identify any contractual obligations.
“That could vary from employee to employee, but also, in terms of guiding the investigation, [it’s about] making sure that you have someone who knows what they're doing. So that you are protecting the chain of custody for the evidence, making sure that it's not compromised.”
Of course, a big challenge is figuring out what to do with the employee during this preliminary phase, and it’s a good idea to get lawyers involved, says Rivard.
“Early on, they may continue on as long as there's no imminent risk to them being there and continuing in their role. But if there's any risk of the fraud continuing, evidence being destroyed, anything like that, typically, what we see is an employee being suspended with pay pending an investigation, or being asked to take accumulated vacation time,” she says.
“We just caution about having a very emotional response and terminating an employee without actually having done the due diligence.”
And if you're going to be removing an employee, even temporarily pending an investigation, says Rivard, “it’s important to look at what access they have to physical premises, what electronic or remote access they have to systems, so cutting off bank access, accounting access, remote access — anything like that would have to be paused or blocked.”
It’s important to have policies, not only for prevention, but the aftermath, she says.
“After a fraud is detected and you're trying to deal with it, the HR implications, or if there's any kind of lawsuit or criminal complaint, if there aren't policies and documented expectations, a code of conduct, that kind of thing that sets out… what the expectations are, and defines what the employee's role is — for example, with expenses being reimbursed, uses of corporate credit cards, that kind of thing… it creates this gray area that is unnecessary, gives the employee a bit of an out to say, ‘Well, I didn't actually know, that's not what I was told in practice, there was no policy.’ So it is problematic.”
Preserving the evidence
It’s also really important to preserve the evidence, such as information in banking systems or accounting systems, or electronic communications, says Rivard, “so really identifying whether there is information that may be relevant to an investigation on hard drives or devices is important early on, so that any information can be preserved. That's a big one.”
And of course it means taking any devices — “including any documentation or evidence at their home that's gathered for the investigation phase,” she says.
Anyone who is involved needs to be very conscientious and cautious about preserving evidence.
“What I always say to people when they call in, and they're not really sure what they're dealing with: ‘Treat it like this could be a large-scale fraud, and it could be criminal,” says Rivard, so that means if you are gathering information, that you are identifying where you're finding documentation, and not altering the evidence, such as drawing arrows or circling items on documents.
In addition, before you go diving into the employee's computer or laptop, check if you have taken a forensically sound image of the hard drive, so that there's no concern later on about someone having altered the information, altering the data, says Mak.
But make sure that you respect the individual's privacy, he says.
“We see it all the time, personal information on work devices or laptops, so you want to be careful about what you're accessing, and making sure that you're not going offside and that would jeopardize the prosecution later on.”
Employers also need to decide whether and how to engage law enforcement, “because once that door’s open, there's other factors or obligations that come into play,” says Mak.
For example, if a business engages the police, who then seize the employee’s computer, the employer no longer has access to the device, he says, “which would be a problem from a business operations perspective, but also from a civil recovery perspective. So now our hands are tied or the clients’ hands are tied waiting for the police to do their thing.”
Communicating the fraud
A final consideration? How should the events be communicated to employees?
Employers have to be very careful about what is told to employees for privacy reasons, says Mak.
“If things don't work out, like if the investigation proves that nothing happened, you wouldn't want a situation where you've told the whole company that you thought this employee was a crook. So the idea is that you tell basically nothing… And the only people who need to know should be very limited and controlled as much as possible. So you are conducting the investigation quickly and quietly, as much as possible.”
Any messaging that goes out should indicate that these types of actions or misconduct “are not tolerated by the organization and will be taken seriously,” says Rivard.
Depending on the industry, there may also be reporting obligations to licensing bodies or professional bodies, she says, “and then there's also potentially union considerations as well, as far as how the communication flows, because a lot of times you have to do that inside the parameters of what is acceptable.”
