Recent case involving $47 million puts spotlight on best practices

$47 million.
That’s how much a government worker in Ontario pleaded guilty to when it came to charges of fraud, breach of trust and money laundering.
The IT director has apparently agreed to pay back all the money, which he amassed over 10 years of illegal activities.
“He’s taking responsibility for everything,” the worker’s lawyer said. “He feels sorry for his crimes.”
That may well be, but it’s a scenario no employer wants to face. So how can HR work to prevent employee fraud? Canadian HR Reporter spoke to two experts for advice on how to justify an investment in fraud prevention, along with the importance of policies, culture and whistleblowing (Part 2 of our focus on employee fraud will look at how employers should respond when fraud is alleged and confirmed.).
Opportunity, motive, rationalization
When we think about fraud, there’s the fraud “triangle” of opportunity, motive and rationalization, with at least one usually required for someone to do something bad, says Alan Mak, partner and national practice leader, forensic disputes and investigations, at BDO Canada in Toronto.
And in the past year, the motive or rationalization for people to commit fraud “is certainly on the uptick,” he says, “simply in terms of pressure from inflation.”
“There's certainly more pressure to find more money. And that's a big factor to what we've seen in our practice when we have been asked to investigate. People are saying, ‘I’ve got to put food on the table.’ That's not an excuse, of course, but it's a factor. And that's something we're seeing more of.”
Also a big factor? The rise of remote work with the pandemic. That created gaps in internal controls, such as physical signatures on cheques, which “went out the window pretty quickly,” he says. “But then again, we adapted — many companies just did away with physical cheques altogether and just started doing wire transfers.”
Employers can’t necessarily rely on “This is the way it's always been done” because so much has changed, according to Bailey Rivard, a partner in the valuations, forensics and litigation support services group at MNP in Calgary.
“In the past, your controls have been very much [about] people reviewing things in person — signing off on a cheque, making sure that everything's authorized, that goods are received — and now people aren't physically present,” she says.
“You’re adapting as needed to keep the business going without keeping up with the control side of things. So, we've seen a lot of that.”
Being proactive with policies and procedures
But there's a need to shift in the way things are done, says Rivard, as many mid-sized companies lack formal policies or procedures.
For example, companies that have grown from a family business to a larger entity may have key employees who have been around forever.
“They're managed based on trust, as opposed to formal processes and agreements and things like that… [but] it’s very important to verify that that trust is warranted.”
If an employee has been around forever, with access to many key areas within a business — such as bank accounts or journal or accounting entries — they know the inner workings and who looks at what, she says.
“They're in a position to be able to circumvent any controls, they may be trusted to the extent that nobody's really looking at what they're doing, and the organization is vulnerable to fraud. And that is a lot more common than you would think.”
It’s also important to have preventative measures such as a code of conduct or code of ethics — but the company also has to “live those values,” says Rivard.
It can also be “more compelling, more powerful” if an employer celebrates people doing the right thing, such as coming forward with a concern, and living by “a higher ethical standard,” she says.
Doing your due diligence
When it comes to fraud, the proactive is very important, and that includes things like education and policies, which go hand in hand, says Mak.
“Surprisingly, sometimes you'll come across situations where there's no policy; for example, on gifts from suppliers and vendors… on meal expenses.”
As an example, does a “per diem allowance” include a part-day allowance or just a full-day allowance? If there's no explicit policy, employees might claim ignorance, he says, so it’s about having a clear policy of what is and is not permitted.
The fact that an employer is looking will also be a significant deterrent, says Mak, citing activities such as reviewing expense reports or internal audits, “looking at their accounts, their buying, their purchasing procurement processes.”
Another area that is sometimes neglected by employer is vendor due diligence, he says, which means looking into the background of the owners, shareholders and management. It’s a practice that's less common in Canada but worth the effort, says Mak, “because there's all kinds of schemes and scams that can happen.”
Also on a risk basis, there’s often a deficiency when it comes to developing internal controls, he says.
“Everyone's got limited resources, everyone's got priorities, and a lot of times organizations look at internal controls and say, ‘You know what, we're too small, we want to be lean, we don’t have reasons for this.’ But you don't have to have Fort Knox-level security for every company; you should be looking at… where are the greatest risks — asset diversion, defalcation — where do those risks lie and develop controls for those areas only as a priority.”
Cultural problems and employee fraud
The biggest dollar-value fraud tends to involve employees who have been with an employer for a long time, he says, citing two recent cases involving people who had been with the company for at least 10 or 20 years.
“[The one] gentleman was treated like a member of the family, attended family weddings, the whole thing. He was the guy who was taking advantage of the owners like nobody's business. So the owners, when they found out, they were devastated because they didn't think this would ever happen.”
It’s about identifying and being cognizant of the risks, says Mak, and training everyone to know what is expected of them.
“It’s not just a day one onboarding session — it needs to be reinforced continuously each year, or depending on the risk, like cybersecurity, maybe every quarter.”
We often hear the expression “tone at the top,” but when it comes to organizational culture and vulnerability to fraud, that’s definitely true, according to Rivard.
“We see situations where either the organizational culture or the culture within a department is problematic, and then it leaves the company more susceptible.”
There are three big areas that are common, she says. One is organizations that tend to operate in the grey, so people feel the rules don't necessarily apply to them, or the employer is willing to look for ways to get around the rules, or meet its objectives at any cost.
“That kind of mentality really filters down through the organization, and people are willing to bend rules to get what they want,” says Rivard.
Then there are situations where organizations operate by exceptions, so the rules apply in some cases and not others. For example, management gets special treatment.
“It provides a powerful rationalization to an employee to be able to commit a fraud. They say, ‘Well, everyone else is doing it, so why can't I?’” she says.
Thirdly, there are organizations or departments where staff are unable to come forward with questions or concerns.
“It's not necessarily going to make an organization more susceptible to fraud in the first instance, but it oftentimes will allow a fraud to go undetected for a longer period and be more costly,” says Rivard.
“I've seen that a lot, where you go in after a fraud is detected or suspected, and employees knew that there was something wrong, and they would have been in a position to come forward and stop the bleeding from that fraud, but they don't because of the culture — it doesn't have that openness to people coming forward.”
Whistleblowing catches the worm
The number one way to catch fraud is whistleblower programs, says Mak.
“If you have a good whistleblower program, that allows people to report suspected wrongdoing by colleagues or by vendors or strategic partners. That is statistically the most effective way to catch bad stuff happening. And besides, if employees know that you have a strong program of whistleblowing, that's quite a deterrent.”
If individuals do not have a mechanism to bring their concerns forward, they'll stay silent — especially when the misbehaviour involves somebody at a high level of an organization, says Rivard, citing a recent case as an example.
“Many people knew that it was happening and were in fear because it was the president and CFO that was committing the fraud,” she says. “It was a barrier — they never came forward and the fraud continued a lot longer than it should have.”
And a whistleblower program can cover other issues such as misconduct, harassment, discrimination or environmental breaches, says Rivard.
“The trick is to actually have any allegations or issues that are brought forward appropriately addressed… reviewed and taken seriously,” she says.
“People do need to trust that when a concern is raised, that it will be taken seriously, and that management will carry it out until the end, and that there won't be any consequences.”
Canadian HR Reporter will cover best practices for how to respond to employee fraud in part two.