Many organizations have been affected by layoffs and workforce reductions in recent years. As responsibilities are distributed among fewer personnel, internal controls often suffer, as the segregation of duties that once was no longer exists.
As is consistent in its previous studies, the Association of Certified Fraud Examiners’ 2010 Report to the Nations revealed that inadequate internal controls are the number-one enabler of fraud. Further, the study noted that most of the banking/financial services frauds reported were committed by accounting personnel in schemes involving corruption, cash theft, payroll fraud, and billing schemes. That’s why it’s so important for management to consistently evaluate internal controls to make sure that the benefit of reducing staff won’t be outweighed by the costs associated with fraudulent activity.
Let’s look at a simple example in the lending process. The typical procedure of processing a new loan may look like this before a personnel decrease:
After a workforce reduction, this process may now be controlled by one person or by an overworked lending services employee who may not have the time to perform the normal background checks and verification procedures. This would allow someone the opportunity to create a fictitious loan customer or change information on a current customer. Funds then could be disbursed to either the ghost customer or funds could be disbursed from a legitimate loan and into a bank account which had been altered by either the lending services employee or the loan officer.
So how do you make sure you still have a level of control in your organization to help thwart fraudulent activity, despite smaller numbers of staff? There are analytical procedures that can and should be performed by management and/or internal auditors to help detect problematic activity. Reports can be run to identify:
- Loans with excessive renewals or extensions in quantity or duration
- Loans with excessive information changes (payment due dates, credit limit, address, ACH)
- Unusual loan terms (highest/lowest interest rate, longest/shortest duration)
- Loans missing information (interest rate, physical address, purpose code, officer number, appraised values, etc.)
- Loans coded outside bank policy (do not mail, exempt from credit reporting, exempt from past due reporting)
The results of these and other tests can be indicators that problematic activity may be occurring, resulting in financial losses that outweigh the purpose of the workforce reductions.
Let’s look at a second example, the payroll function. Before a staffing reduction, a company’s human resource/payroll department may have looked like this:
Afterward, the entire payroll function may be controlled by one or two people, creating opportunities for fraudulent activity to occur. Such schemes may include the addition of ghost employees to the payroll, unauthorized increases in wages or salary, and a claim of overtime hours not worked. Management can run reports to identify:
- Employees with matching information, such as duplicate social security numbers or direct deposit account numbers.
- Employees with missing information. Are there employees who have no residential address listed?
- Changes in wages/salary made to employee records. Were these changes authorized?
- Anomalies regarding total overtime, by hours, paid to employees. Are the overtime wages inflated?
- The number of payroll distributions for each employee. This ensures all employees are receiving the same number of checks.
As a final example, consider the department that processes wire transfers, arguably the riskiest activity at a bank. As the workforce is reduced across a bank the volume of activity generally does not decrease in a similar manner.
As the workload increases for the remaining employees, the normal process and challenges to individual transactions decreases. As a result, customer call-backs and other general controls do not occur as one would expect; this is especially true with customers who have recurring wires. Due to the nature of wires, reports after the fact are almost useless making it more important to focus on the preventive controls. Great care should be used in reducing the workforce in the risky and critical departments and ensuring preventative controls are in place and working as designed.
It’s worth noting that the perception of detection can be one of the best deterrents of occupational fraud and abuse. Asking questions regarding specific transactions sets the tone that management is closely watching employee activities. For example, requesting supporting documentation and asking about the specifics of changes to customer loans and employee pay alerts employees that management is taking an interest in what’s being disbursed. These inquiries should be performed randomly.
An internal control structure can never be completely effective, regardless of the care followed in its design and implementation. However, the system can be significantly hindered when the ability to segregate duties has been reduced. By applying some analytical procedures, management can help detect if problematic activity is being performed before the losses to the company outweigh the savings attempted through workforce reductions.