Organizations need to be wary not only of external threats, such as invoice fraud and social engineering, but also mindful that threats can come from within. An employee’s intentional misuse, theft or misappropriation of a company’s assets can be considered fraud. Organizations that lack fraud prevention controls often suffer double the losses compared with their counterparts with controls in place.[1] Having proper controls can help detect, deter and prevent internal fraud.

To help reduce the risk of internal fraud, consider the best practices below:

Establish a key internal fraud control framework

A formal framework can help you identify controls and gaps and address risks, and should:

  • Define persons, roles and responsibilities for detecting and monitoring internal fraud
  • Identify the appropriate systems and reports required to help manage the processes
  • Establish proper access controls, particularly for sensitive data, as well as escalation and investigation processes
  • Schedule periodic reviews of banking and financial accounts, as well as independent audits
  • Communicate to employees the consequences of internal fraud, such as escalation to law enforcement

Implement internal controls

The implementation of controls is a critical step in developing the foundation of a strong fraud prevention posture. Not only can controls help safeguard your assets, they can also help deter and detect internal fraud. Consider implementing the following controls:

  • Provide each employee with a unique user ID and require strong passwords as standard practice. Employees should never share user IDs or passwords for any system access
  • Segregate duties to deter a single individual from exploiting their system access to commit fraud. Segregation can also provide visibility and accountability throughout the payment process
    • Clear and distinct separation is needed for individuals responsible for accounting processes, such as accounts payable, accounts receivable and reconciliations
    • Once internal functions are isolated, ensure all accounting personnel are cross-trained in each function. No individual should become a single point of failure in the process
    • Audit each employee's system access periodically at a granular level to prevent toxic combinations (e.g., a payment processor should not have reconciliation responsibilities). Access should be aligned to an individual's role and responsibilities, and unneeded access should be removed
    • Implement independent oversight of those individuals with privileged access and money movement capabilities
  • Require dual approval to ensure that payments are not misappropriated to an incorrect or fraudulent account. Require senior-level approval for high-value and/or urgent wire transfer requests
  • Reconcile accounts on a monthly basis and ensure the reconciliation process is conducted by an independent party. Periodically rotate the individual performing the task
  • Conduct journal entry and general ledger reclassification reviews to identify individuals who may be doctoring financial records in order to cover their fraudulent activity. Examine your books and records for any discrepancies
  • Perform annual audits on third-party service providers to deter individuals from creating false business identities or paying themselves. Conduct a thorough review of all vendors and ensure payments match terms
  • Store checks in a secure location to prevent physical theft
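
The granular access audit for toxic combinations described above can be automated. The following is an added example, not part of the original guidance: it resolves each employee's role-based and direct grants into duties and reports any conflicting pair along with the grants to review. All role, entitlement and user names are constructed, and the second toxic pair (payment processing with vendor maintenance) is an assumption beyond the payment/reconciliation example given above.

```python
from itertools import combinations

# Constructed sample data: every role, entitlement and user name is hypothetical.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"payment.create", "vendor.view"},
    "treasury_ops": {"payment.release"},
    "gl_accountant": {"recon.perform", "journal.post"},
    "vendor_admin": {"vendor.create", "vendor.edit"},
}
# Entitlement -> business duty it confers (read-only entitlements are omitted).
DUTY_OF = {
    "payment.create": "payment_processing", "payment.release": "payment_processing",
    "recon.perform": "reconciliation", "journal.post": "ledger_entry",
    "vendor.create": "vendor_maintenance", "vendor.edit": "vendor_maintenance",
}
# Duty pairs one person must not hold together. The first is the page's example;
# the second is an assumed addition for illustration.
TOXIC_PAIRS = {
    frozenset({"payment_processing", "reconciliation"}),
    frozenset({"payment_processing", "vendor_maintenance"}),
}
USERS = {
    "alice": {"roles": ["ap_clerk"], "direct": set()},
    "bob": {"roles": ["ap_clerk"], "direct": {"recon.perform"}},  # leftover direct grant
    "carol": {"roles": ["treasury_ops", "vendor_admin"], "direct": set()},
    "dave": {"roles": ["gl_accountant"], "direct": set()},
}

def effective_duties(user):
    """Map each duty a user holds to the grants (role or direct) that confer it."""
    grants = [(f"role:{r}", e) for r in user["roles"] for e in ROLE_ENTITLEMENTS.get(r, ())]
    grants += [("direct", e) for e in user["direct"]]
    duties = {}
    for source, ent in grants:
        duty = DUTY_OF.get(ent)
        if duty:
            duties.setdefault(duty, set()).add(f"{source}/{ent}")
    return duties

def audit(users):
    """Return {user: [(duty_a, duty_b, grants_to_review), ...]} for toxic combinations."""
    findings = {}
    for name, user in sorted(users.items()):
        duties = effective_duties(user)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in TOXIC_PAIRS:
                findings.setdefault(name, []).append((a, b, sorted(duties[a] | duties[b])))
    return findings

if __name__ == "__main__":
    for name, hits in audit(USERS).items():
        for a, b, grants in hits:
            print(f"{name}: {a} + {b} via {', '.join(grants)}")
```

Checking effective access rather than job titles is what surfaces cases like the constructed user "bob", whose role is clean but who retains a direct reconciliation grant.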

Know your employees

Individuals suffering from a personal hardship or engaging in risky financial activities may have an increased propensity to commit internal fraud. Consider conducting background checks on new and existing employees. To help identify potential risks, look for behavioral red flags among staff such as:

  • Living beyond means
  • Refusal to take vacation
  • Unwillingness to share duties
  • Unusually close association with vendor/customer
  • Financial difficulties
  • Gambling and addiction issues

Welcome and encourage whistleblowers

Employees who suspect or witness fraud often keep their suspicions or knowledge to themselves for fear of retribution. Assure individuals that confidentiality will be maintained when they report incidents.

We can help

If you believe your organization has been a victim of internal fraud, speak with your J.P. Morgan team member immediately.