Fraud risk is the chameleon of threats, changing with its environment.

People commit fraud. Being alert to changes that affect people’s behaviour enables internal audit to deliver meaningful assurance with foresight. Reports and trends have value but look backwards not forwards. Fraudsters operate in the present, amid the cost-of-living crisis, not the past.

Employees are an organisations greatest asset. They are also one of the weakest links in the control armoury that organisations create to protect themselves from fraud.

This article looks at the internal environment and the risk of employee fraud.

Asset or threat

Think for a moment about some of your colleagues that are great assets to the organisation; long-service, understand legacy systems, dependable at key times, always there when needed etc. These qualities are also warning signs.

Findings from a 2020 NatWest survey found that employees were responsible for about 40% of all business fraud. Estimates suggest two thirds of employee fraud is committed by workers with at least 5 years’ service with one in five fraudsters having over 10 years' service. A similar CIFAS report found most fraudsters have been employed between one and five years.

The fraud triangle is commonly used to think about three elements that enable fraud risk. Internal auditors do not require the same level of knowledge, skills and abilities as a risk owner but should have reasonable competence in recognising relevant factors as it is a pervasive risk.

The fraud diamond build on the triangle, suggesting that capability, a fourth element, is critical for shifting a fraudster from theorising into action. Understanding behaviour is critical to managing fraud risk. We will come back to this.

Sphere of control

There are many factors within the three elements of the triangle. Some of which will be outside the control of the organisation.…