Managing internal fraud – what should businesses consider?
White-Collar Crime Series
The perpetration of internal fraud – that is, a fraud committed against a business by one of its employees or officers – can have significant ramifications for a business and its stakeholders that extend far beyond its immediate bottom line. Legal obligations on a company and its remaining directors may arise, workplace morale may be impacted, and long-term reputational damage may occur – just to name a few possible consequences.
Internal fraud most commonly involves theft or misuse of assets, through stealing, fraudulent payments or embezzlement. However, it can also involve the misuse of confidential information and intellectual property. In carrying out such fraud, employees or officers may have also engaged in acts of bribery, conflict of interest or extortion.
In light of these risks, it is imperative that businesses not only minimise the opportunities for internal fraud, but have a well-researched and proactive response plan in place to manage suspicions or allegations of fraud.
1. Establish and maintain a fraud policy
A formal fraud policy is the first step in communicating a company’s attitude to fraud and specifying how fraud will be dealt with. While leaders of a business might fairly think that zero tolerance for fraud ‘goes without saying’, expressly setting the tone is critical not only to reduce the risk of fraudulent activity, but also in assisting the business in coordinating its actions in response.
A well-drafted fraud policy should:
- state clearly that any event of fraudulent behaviour will not be tolerated;
- identify who will be responsible for managing any investigation (e.g. a fraud committee), and who else may need to be engaged in the process;
- set out what should be reported, and to whom;
- identify relevant considerations to be taken into account in any investigation, including how the investigation will be communicated to stakeholders; and
- be regularly updated.
A range of independent, expert advisers should be identified in the policy. This is necessary because it is not always possible, or best practice, to turn to a company’s usual accountants or lawyers, particularly when discretion is paramount or multiple employees are being investigated. This is because the company’s regular service providers may have working relationships with the employees or officers who are suspected or alleged to have committed the fraud.
It is also prudent to have policies and procedures in place that enable a business to undertake any necessary investigations, including surveillance and examination of an employee or officer’s electronic devices.
2. Tips for investigating fraud
We have identified some practical considerations when investigating fraud in the workplace:
- Do maintain confidentiality – that is, only inform those who need to know. Unnecessary disclosure may tip the employee or officer off and hinder the investigation efforts, disrupt usual business and lower employee morale. Further, an external leak of a suspected fraud may cause unnecessary reputational issues.
- Do not look at electronic devices without checking internal policies and relevant legislation – it is often necessary to obtain access to electronic devices and other property of an employee or officer. Before doing so, businesses should ensure they have the relevant policies in place that entitles them to undertake such a review. Depending on the type of business it is, and the state or territory that it is operating in, there may be privacy and/or workplace surveillance legislation that must also be complied with.
- Do engage lawyers early – internal and/or external lawyers should play an integral role in the investigation and fraud response. It is important to engage lawyers early to provide advice as to how the investigation should be conducted, and what steps can or must legally be undertaken, as this will minimise the risk of any legal action being taken against the business itself. Experienced lawyers will also be able to advise on, manage and oversee the broader team of experts who may need to become involved in the investigation.
- Do consider using experts – consider the utility in engaging a range of experts, including forensic accountants, data security and IT specialists, or communication strategists. Those experts may provide valuable advice and assistance in collecting, recovering or preserving evidence, or containing reputational damage. Engaging experts through lawyers may assist in maintaining privilege over communications with, and subsequent investigations by, the expert.
- Do seek urgent advice if it is likely that evidence may be destroyed – in some cases, a business may have a suspicion that an employee or officer has, or will, destroy evidence. If this occurs, steps should be urgently taken to obtain legal advice on available remedies such as applying to the court for urgent injunctive relief such as search and seizure orders which aim to preserve evidence.
- Do act quickly and deliberately.
3. Legal requirements to report fraud
Where a company is subject to fraud, there may be a legal obligation on the company to report the fraud to a regulatory body or to the police.
Companies that hold an Australian financial services licence are, more often than not, obligated to notify the Australian Securities and Investments Commission (ASIC) of internal fraud. Of course, there are exceptions that apply, but knowing those exemptions and the time frames for reporting, are essential.
Similarly, companies listed on stock exchanges in Australia may well be obligated to report fraud events to their governing bodies. This includes, for example, companies listed on the ASX which are subject to continuous disclosure obligations under the ASX Listing Rules. That is because fraud may fall within the definition of ‘market sensitive information’ – that is, information that a reasonable person would expect to materially affect the value of the entity’s securities.
It is also important to remember that directors of companies who are involved in contraventions of these disclosure requirements may be subject to personal liability under the Corporations Act 2001.
In some Australian jurisdictions, it is an offence to conceal a serious indictable offence, and the fraud must be reported to the police accordingly.
However, where the company does not have an obligation to report the fraudulent conduct to police or regulatory bodies, consideration should be given to whether doing so is in the company’s interests, or whether dealing directly with the offender is preferable particularly having regard to:
- what scenario will best facilitate recovery of stolen information, funds or other assets (as we discuss further below); and
- whether publicity is undesirable or indeed whether the leaders of the business consider that reporting the conduct is simply the right thing to do.
4. Recovering loss and retribution
Once the investigation is complete, there may be sufficient evidence to commence civil court proceedings against the employee or officer to recover the loss suffered by the business, or alternatively to report their actions to the police or ASIC.
As the allegations of fraud (and details of any related weaknesses in processes or systems that allowed the fraud to occur) may enter the public domain, it is very important to consider the impact of potential reputational damage against the prospects of success in the proceedings and the likelihood of any judgment being successfully enforced against that individual.
If there are any suspicions that the employee or officer is taking steps to dissipate assets or remove assets from the jurisdiction to avoid liability, urgent legal advice should be obtained to consider applying to the court for urgent injunctive relief, including search and freezing orders.
A business may also be able to recover some of its losses through its insurance program. Prudent companies should ensure that they have appropriate fidelity or business disruption insurance cover in place and that they understand when, and how, they need to notify their insurer in accordance with the policy obligations. The company’s insurance brokers and lawyers should be asked to consider this aspect at a very early stage.
For further information, please contact our authors below.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.