by Alex Movchan
We recently conducted an interview together with Magali Logossou who is a Global Audit Manager Forensics by the Heineken company. We focused on the topic of conducting fraud investigations within organisations during the Covid-19 pandemic, which Magali Logossou gave her insights on given her expert opinion in the fields of internal auditing and forensic practices. Hello Magali, you have an impressive international career in France, UK, Switzerland and the Netherlands with in depth knowledge of internal audit and forensic practices. Based on your experience, on which 2-3 main points would you advise organisations to focus on to prevent or significantly minimise the probability of fraud occurring within an organisation?
Magali Logossou : “For all organisations, irrespective of the size, industry, or geographical location it becomes more and more critical to have an effective fraud risk management framework. There are many ways to commit fraud and for a long time, the radar was on occupational fraud rightfully so. The consequences of workplace fraud could be damaging for any company, considering financial losses, legal costs, and reputational risks at stake. Over the years, with the emergence of new technologies, external fraud and online fraud are growing exponentially.
Two examples of the common frauds reported by organisations are:
Third-party vendor scheme: Fraudulent invoices submitted to circumvent weak procurement and account payable controls; and
Cyber-related fraud: Phishing or social engineering attacks whereby the fraudster impersonates a trusted party or an internal employee and dupes the victim to obtain sensitive data, change of banking, or payment data.
Prevention remains one of the most effective ways to manage fraud. Corporations quite frequently overlook access control management whilst it should be one of the priorities in setting up effective internal controls.
Three measures that could be considered when implementing a fraud risk management framework are:
(1) Ensuring that adequate policies and controls around procurement, vendor account creation, banking, and treasury functions are designed and effective;
(2) Implementing an anonymous whistleblower reporting mechanism; and
(3) Communicating continuously on the importance of compliance with the company’s code of business conduct and foster an ethical working environment.”
This year is very unusual in terms of the Covid-19 related situation, and while many internal audit functions switched to conducting internal audit engagements online, in case of fraud investigations however, this is not so easy. Based on your experience and the successful practices you’re aware of, please share some solutions and insights that might help fraud investigators to still continue doing their job within the limits of the pandemic.
Magali Logossou : “The Covid-19 pandemic is imposing a profound shift in the management of business processes and forcing organisation to make strategic decisions to face significant operational and financial challenges. With the introduction of new ways of working, headcount reduction, and remote working conditions, critical controls such as segregation of duties might have been weakened.
This crisis has created an environment where not only internal fraud risks are on the rise, but also opportunities for external fraudsters to take advantage of disruptions in normal business operations. It is quite common for fraudsters to exploit crises such as market crashes and natural disasters to expand their misdeeds. The Covid-19 pandemic is no exception.
In such circumstances, conducting a fraud investigation might become a big challenge for auditors and CFEs. The following actions could be considered:
- Set the right priorities: Assess the internal investigations that can be delayed and those which need immediate attention given the nature and sensitivity of the allegations (e.g. allegations with material financial impact, the integrity of senior management is in question, cases subject to regulatory or law enforcement actions). It is important to carefully consider limitations that might result from remote investigation.
- Make use of technology: Due to social distancing rules which allow for less physical interactions, it becomes critical to resort to technology to support fraud investigations. Data and information gathering can be facilitated by secure data exchange via a central repository or SharePoint (single source repository), and virtual connectivity could be used for interviews and collaborations. Forensics data imaging and data search tool such as e-discovery could be handy to support email box search and document reviews, for instance. Invest in video conference software, which offers system capabilities to share documents, face to face communication to allow interviewers to observe interviewees’ reactions, and assess credibility.
- Increase proactivity: Most of the organisations nowadays rely largely or solely on whistleblowing tools to trigger a fraud investigation. Besides fraud reporting means, there is a necessity to develop and deploy data analytics for fraud risk analysis. The aim is to identify unusual transactions and especially new fraud methods and trigger an investigation where red flags are raised.”
I’ve recently read a PwC report on fraud in Eastern Europe and compared it with the global ACFE Report to the Nations on Occupational Fraud. I’ve noted that in Eastern Europe, around 40% of all fraud cases were discovered while performing certain controls and monitoring mechanisms while whistleblowing formed around 20% of the cases that were detected. Globally, the picture looks different with whistleblowing and tips having the 1st place among all sources of fraud detection with around 43%, followed by internal audit (15%) and management reviews (12%).
Based on your experience in multiple regions in Western Europe, but also on emerging markets, what solution would you consider more appropriate for organisations that work in multiple regions: having one global approach to tackle fraud risks or implementing tailored regional fraud risk strategies. And what are the pros and cons of each of those approaches?
Magali Logossou : “Firstly, it is important to acknowledge that there is no single approach to fraud risk management. For organisations with a global footprint and operating in a multicultural environment, understanding how the cultural difference influences ethical decision making, reporting fraud or misconduct is paramount to implement an effective fraud management framework.
In essence, depending on the region or country you are based in, whistleblowing can be seen as a positive or negative action. Denunciation and fear of retaliation are concepts differently perceived across the globe. From my experience, anti-fraud measures should be tailored to the unique risks of the organisation, the specific conditions that give rise to those risks. This entails a wide spectrum of elements such as the propensity to commit fraud, level of fraud acceptance, the regulatory landscape, etc.
Global corporations should perform a regional fraud risk self-assessment to gain sufficient insight into the fraud awareness in the countries they operate, but also to evaluate the specific risks based on probability and impact. Gaining such insight is valuable in designing preventive and detective controls, meeting the needs of certain specific organisation, as well as providing an appropriate response in managing fraud risk.”
The author, Alex Movchan CIA CICA CFE is the President of the Institute for Internal Controls (Ukraine and Belarus chapter). He is also currently Head of Internal Controls in a global medical company.