Spotting fraud before it`s too late Recent high-profile cases of corporate wrongdoing demonstrate just how easily white collar crime can go undetected for extended periods if the checks aren`t in place. Good corporate governance, individual risk mitigation and technology all contribute to businesses taking a proactive approach to identifying and preventing fraud. THE NUMBER OF incidents unearthing commercial crime has risen dramatically over the past few years, and South Africa has its fair share of high-profile cases. From former Deputy President Jacob Zuma" rel=tag>Jacob Zuma`s corruption charges through to the more recent exposé of Brett Kebble`s financial mischievousness, local organisations would do well to ask themselves just how secure their operations are from those who work for them. In its Global Economic Crime Survey 2005 for South Africa, PricewaterhouseCoopers (PWC) revealed that 83% of the 100 organisations that it had surveyed had been subjected to economic crime in the two years before the survey. Of the companies surveyed, 69% were listed.

Additionally, PWC noted that the companies that had suffered fraud had reported an average of 11 incidents in the two years leading up to the survey, with the highest numbers reported in asset misappropriation (72%) and `false pretences` (61%). Nevertheless, it does warn that these categories are the easiest to detect. Alarmingly, the report suggests that one third of cases were detected by `chance`.

And detection is often too late, and very costly. According to Amir Lubashevsky, director of Magix Integration, "Detection is generally too late as fraud not only costs organisations in terms of money and weakened customer relationships, but, if publicised, can lead to acute embarrassment for the company as well."

WHAT`S BEING DONE?

Unfortunately, most of the commonly deployed risk management strategies leave much to be desired. For many companies, risk management revolves around an annual or biannual audit. The objective of these audits oth internal and independent - is to identify and address vulnerability and irregularities.

However, Pieter Muller, forensic director of Grant Thornton`s business risk services, says many things could go wrong in the periods between audits. "Companies shouldn`t be waiting for audits; instead, they should have controls and measures in place to identify fraud earlier. Of course, having all possible measures in place will not necessarily completely prevent fraud; the only way to do that is to not have any employees."

Jonathan le Roux, manager of Ernst & Young`s forensic investigation and dispute services, concurs: "Companies are often very reactive [in dealing with] internal fraud, and have an almost `laissez faire` approach, as opposed to a holistic strategy. Prevention will always be better than cure."

GET (PRO)ACTIVE

Which is why Lubashevsky says that the best way to prevent fraud is to use technology, especially when technology is used in its perpetration. Technology can automatically detect and raise the alarm in real time, as the fraudsters act.

"Tools that function independently of the company`s applications and platforms can be installed on its servers. These solutions can monitor specified people, applications and business processes in real time without alerting users of the surveillance, or adversely affecting the performance of applications," he explains.

And instead of waiting for a dated fraud report, companies can use technology to monitor their business practices and catch any anomalies in productivity, data movement, file access, real-time work, broken procedures, uptime of systems and illegal activities. For example, should an insurance claim be logged, investigated and authorised by the same person, the system will immediately notify the audit department, allowing them to investigate and nip the problem in the bud in real time.

The concept is very similar to that employed by banks to identify fraudulent use of credit cards and cheques. Having built a profile of the customer, the system highlights when the person has gone outside the norms and asks someone to confirm the transaction with the customer. The result? Fraud identified and financial losses avoided.

Nevertheless, the founder of the Information Security Group of Africa, Craig Rosewarne, cautions that this kind of strategy can only be implemented if staff formally agree to having their privacy compromised in this manner.

BLOWING THE WHISTLE

Then, of course, there is the tactic of encouraging employees to blow the whistle on wrongdoers within the organisation. However, many people are too scared of the repercussions to seriously consider standing up to criminal activity around them.

According to Le Roux, this is due to a lack of understanding around whistleblower rights and requirements: "In South Africa whistleblowers are protected by the Protected Disclosures Act of 2000, which protects employees or whistleblowers from being punished by the company in question. However, people need to understand that there are conditions to this Act - the person must tell the whole truth as they know it; must follow company policy and must not be reporting only because there is a reward involved."

There is a groundswell of support for whistle-blowing. Following widespread media focus on high-profile fraud cases, both the private and public sector have launched independent call centres to solicit reporting of anonymous tips.

Grant Thornton`s ScamStop operates 24/7 and provides companies and individuals with security and confidence. But Muller says these call centres require highly skilled people to man the lines, as often the centre only gets one chance to get the information.

"We have outsourced our call centre to a contact centre specialist, but have also ensured that there are qualified legal professionals on the lines to ask the right questions and get the best information for follow-up action. This information is then passed onto the company, and if they are a client, they will receive recommendations on how best to address the particular incidence and the larger problem," he says.

ON THE RECORD

Once an infraction has been identified within the business, the company`s IT systems provide advantageous avenues for the discovery of evidence of the crime for use in prosecution. In most cases, the relevant prosecuting authority will do this to build a strong case against the perpetrator.

But what of companies that choose not to notify the authorities in the interests of damage control? The experts say certain processes should still be followed to protect themselves, provide an example to the workforce and warn potential employers.

Lubashevsky says companies often have different ideas on what types of fraud are serious enough to warrant court action; nevertheless these same companies may change their mind once they complete a full investigation and discover the full extent of the actions.

It is also important to follow the rules of the organisation, as not adhering to the stated consequences in one case may successfully be used as a precedent in the case of another employee, regardless of differing amounts. And failing to set down rules and consequences could ultimately prevent the company from taking decisive action in the future.

Finally, companies have to start sharing their experiences with shareholders and the market at large. To deny the problem exists makes the organisation look worse in the long run, exposes it to shareholder action and allows the person to continue his or her criminal activities without punishment.