We often only associate fraud with human resources when we think of what happens after fraud is discovered. However, a solid human resource plan from entrance to exit can not only minimize the likelihood of fraud occurring, but it can also lessen the effects of fraud after it occurs.
Prevent Fraud Before It Happens with Better Hiring Practices
Hiring new employees can be a long and grueling process. However, there are steps that can be taken to make this process easier and more effective. Background checks allow businesses to make confident hiring decisions and avoid fraudulent candidates or negligent hiring. Placement services make the hiring process easier as well, as many businesses have positions to fill but do not have the time or skills necessary to focus on recruiting, reviewing resumes, and scheduling and conducting interviews. A deeper look into these human resources topics can provide insight on the many issues that may arise during the process of hiring.
- Background Checks
Background checks should be completed on new hires to avoid negligent hiring. Negligent hiring is a legal doctrine that states employers are responsible for the destructive actions of employees when due diligence—such as conducting background checks—would have revealed the employees’ propensity to commit such actions.
Background checks can do more than just protect you legally; they can also verify information presented on resumes and assure that the candidate is qualified for the position. Consumer reporting agencies obtain criminal information through means such as database searches and court researchers. When conducting employee background checks, it is important to keep in mind the Fair Credit Reporting Act (FCRA), which is a United States federal regulation on the collection, dissemination and use of consumer information, including consumer credit information.
- Placement Services
Placement services are useful for many different types of businesses, including small businesses that lack resources such as an HR department, any business that needs to run a blind ad, or any business that simply does not have the time to spend on the details of the hiring process. The placement process typically includes meeting with management, searching for qualified candidates, refining the search, screening candidates, and finally, recommending candidates. Placement services can help lessen the burden of hiring new employees.
The following are recommendations for vetting potential candidates during the pre-employment hiring process to avoid becoming the next victim of fraud or embezzlement:
- Verify education and professional credentials for misrepresentations.
- Perform background checks consisting of criminal and credit checks (if the individual will be entrusted with the organization’s assets) to identify past criminal history and potential financial pressures.
- Vet background for wage garnishments, liens and/or judgments that may be signs of prior embezzlement history.
- Search online for news articles that may shed light on prior employment activities.
Although these recommendations are essential in mitigating embezzlement and fraud risks, your organization should follow its hiring policy. If your hiring policy hasn’t been updated in several years, consider working with an employment attorney to review and update your policy manual to today’s standards.
The hiring process is an important step in fraud prevention because fraud doesn’t happen if people aren’t involved. The next step in preventing fraud is to ensure your organization has the proper checks and balances over its cash receipts, cash disbursements, payroll and all other assets. Your organization’s internal controls are only as good as its weakest link, so be sure to review and monitor your internal controls on a periodic basis.
Mitigate Risk by Having a Whistle-Blower Hotline
The Sarbanes-Oxley Act of 2002 requires publicly traded companies to provide a confidential way for employees to report fraudulent and wrongful behavior. The American Institute of Certified Public Accountants (AICPA) recommends that all organizations implement a whistleblower system for reporting wrongdoing, regardless of whether the organization is publicly traded or not. Why? Simply put, all businesses—large and small—are at risk from both intentional ethical and legal violations, as well as unintentional mistakes that may not be easy to report.
Utilizing a fraud hotline can be beneficial in many ways. Not only can fraud hotlines prevent fraudulent and illegal behavior, but they can also detect issues before they become serious, reduce losses that could hurt the company, and promote a healthy work environment. The anonymity of fraud hotlines is vital both for employers, who can receive important anonymous tips from their employees, and for employees, who can report wrongful behavior anonymously without fear of retaliation.
Financial fraud isn’t the only concern for businesses. Ethical violations of every sort imaginable can take place at any organization and within any department. According to a 2013 National Business Ethics Survey (NBES) conducted by the Ethics Resource Center, 41% of the respondents indicated they witnessed some form of workplace misconduct, including conflicts of interest, discrimination and violations of health and safety regulations.
With an anonymous whistleblower hotline in place for employees, tips can be submitted safely and securely for all manner of wrongdoing:
- Financial: Every business is at risk of financial abuses and errors. From inadequate accounting procedures to audit issues and simple billing errors, there are a plethora of opportunities for mistakes to be made or criminal activity to take place.
- Ethical: Some business practices may not necessarily break any laws, but they would still be considered unethical if utilized improperly. Ethical breaches can include anything from code of conduct violations to outright theft, including intellectual property theft.
- Privacy: In today’s digital world where everyone and everything is connected and online, privacy concerns have never been more pronounced. Identity theft can happen to anyone, and breaches can occur anywhere personal information is stored. The healthcare industry is particularly at risk for inadvertent confidentiality breaches.
- Security: Security goes hand-in-hand with privacy. Securing both physical and digital property is becoming harder and harder with the advancement of technology. Hackers target everything from electronic door locks to customer databases.
- Safety: Businesses that don’t take safety seriously put their workers—as well as their customers—in jeopardy. OSHA violations aside, an unsafe work environment is neither efficient nor profitable.
- HR Violations: No department benefits more directly from the implementation of a reporting hotline than human resources. HR professionals constantly deal with ethical and workplace safety issues, from employee handbook violations to harassment and discrimination.
According to ACFE’s 2018 Report to the Nations, anonymous tips were the most common fraud detection method, regardless of whether the organization had a hotline system in place. However, tips were submitted at a much higher rate when the company had a hotline, as illustrated by the below chart.
With an anonymous, easy-to-use reporting system, employees feel much more comfortable reporting wrongdoing. They know their name won’t be attached to the tip. They won’t fear retaliation. But they will report the issue that could end up saving the organization money and even lives, thanks to early detection and correction. Having adequate controls that seek out fraud, rather than relying on external or passive detection methods, can dramatically reduce the cost and duration of illicit activity.
The Risks of Employee Emails and Social Media
There is great risk in intermingling personal accounts with work-administered systems. Management can reduce risk to the organization by encouraging employees to keep personal accounts separate from their work-related digital profiles.
- Risk to the organization is increased when an employee uses their work email address for personal/non-company managed application accounts.
- External accounts are often the basis for a phishing campaign, and if the account is tied to the employee’s email address through the organization’s domain, the incoming phishing email may look more legitimate. If an employee clicks the link and logs in, the hacker can intercept login credentials or trigger malware installation on the employee’s work computer.
- Passwords to external accounts often go unchanged and might be used across multiple systems. If LinkedIn gets breached (again), the password for that account, along with the work email (used as the username for that account), will provide access to any other account where the employee has used the same credentials.
Best practice is to prohibit combining personal account use with work email addresses, and to also disable use of personal email accounts through email filtering.
Other tips for online web-browsing and social media activities include:
- Personal social media accounts (Facebook, Google, Twitter) should be locked down with maximum privacy settings applied to prevent open access to personally identifiable information such as birthdates, location, activities, etc.
- Check with the sender before opening an attachment, even if the email appears to be from another employee or trusted source.
- Do not send confidential data, such as credit card data, customer names, email addresses and Social Security Numbers through non-encrypted transfer methods. For example, don’t perform online mobile banking over public Wi-Fi networks.
Digital Forensics in Your Human Resource Plan
What happens to your employee’s computer and other issued devices when they leave the company? Typically, the equipment is taken to IT and wiped clean and made available to the next employee. But you should also be asking why the employee is leaving. Are they being fired for cause? Are they a disgruntled employee? Or are they leaving for another opportunity? Are they going to a competitor, and did they have access to key files or client lists that could bring harm to the company if in the wrong hands?
More and more companies are sending their former employees’ devices to a digital forensic investigator for digital forensics services to protect themselves against possible litigation. These investigators act as an independent third party and create a forensic image of each device for HR and legal to hold if a suit is filed against the company, or if they feel the former employee might have conducted themselves in a manner that hurts the company and need to open an internal investigation.
Why not have your own IT department do this? Internal IT teams should not investigate employees for the same reason that it is never a good idea to self-collect data in a litigation proceeding or represent yourself in court: it is less defensible, and it is a standard best practice to show that an independent third party imaged the data. This takes away the possibility of questions like, “How do we know that data wasn’t erased or added to make my client look guilty?” This can certainly be proven, but at a much greater expense than outsourcing to a third party.
The Importance of Human Resources in Your Fraud Prevention Plan
By ensuring you have adequate hiring protocols, a fraud hotline, an acceptable use policy and a digital forensics policy for employee exits, your human resource department can greatly lessen the chances that your company will experience fraud.