The effects of the COVID-19 pandemic on business operations have been devastating and far reaching. Companies have been forced to lay off thousands of employees, furlough others for an indefinite period of time, freeze compensation, and cut pay.
There is great uncertainty on when things will return to normal – and what that will even look like.
While the direct financial impact on organizations and the personal financial impact on employees is obvious, a large percentage of companies have had to adjust to a workforce that has migrated to a remote working environment. As the challenges of operating a remote workforce are great, companies must also ensure that assets are protected from fraudsters seeking to take advantage of potential weakened internal control structures caused by a remote workforce.
An Environment Ripe for Fraud
Significant economic turmoil is often the trigger for growth in financial fraud. No industry, including construction, is immune to this reality. Shortly after the COVID-19 crisis began, Bruce Dorris, President and CEO of the Association of Certified Fraud Examiners (ACFE), penned “Coronavirus Pandemic Is a Perfect Storm for Fraud,” where he predicts that economic disruption caused by COVID-19 will lead to an increase in fraud.1 History has shown that major economic disruption is generally followed by a rash of financial frauds coming to light (e.g., during the economic recovery following the Great Recession), as businesses emerge from the disorder and operations begin to return to a steady state.2
To understand why this occurs, it is helpful to be familiar with the environmental factors that cause an individual to commit fraud. The Fraud Triangle, developed by noted criminologist Donald Cressey several decades ago, explains these factors (Exhibit 1).
When an individual commits fraud, they are typically experiencing some type of pressure. That pressure – which is often real financial pressure – is the motivation. For example, an employee has personal debt, perhaps exacerbated by a pay reduction at work. Pressure can also be perceived, such as an employee concerned that if they do not help the company meet its earnings targets then their job will be in jeopardy. To address this pressure, the individual resorts to financial fraud.
For the fraud to occur, the individual must have the opportunity, or a path by which to commit the fraud. This can exist if the individual has identified a gap in a company’s internal control structure or if an individual colludes with another employee or an external third party to circumvent existing controls.
Even the most devious fraudsters find rationalization for their actions, justifying why they believe the fraud they committed is okay. “I’m underpaid, and I deserve this” or “I’ll pay it back later when things turn around for me” are common rationalizations for fraudsters.
Increased Fraud Risks
The pandemic is creating an environment of intensified pressure, and the movement to a largely remote workforce is increasing the opportunity for individuals to commit fraud. An organization safeguards its assets and attempts to limit the opportunity for fraud to occur by developing and implementing a solid system of internal controls.
However, most organizations were office-centric before the pandemic with internal control structures that often relied on the day-to-day interaction of employees to achieve and document their control processes, such as manually initialing invoices for approval, reviewing original source documents, and manually signing checks.
In general, the smaller an organization is, the more likely that manual controls require in-person activities. Additionally, some companies that have had to trim their workforce may be forced to consolidate duties into fewer or even a single employee. Without proper segregation of duties, the chance that a fraud will occur and go undetected increases significantly. A fraudster’s ability to circumvent existing controls is easier when existing policies cannot be followed.
It’s also important to remember that, in these situations, threats can come from inside or outside the organization. Regardless of industry, all companies should consider these heightened risks.
Cybersecurity & Data Theft
With e-mail becoming even more prevalent during the pandemic, phishing and social engineering schemes are increasing. Countless unwitting victims have fallen prey to e-mails appearing to come from within their company requesting an urgent payment be made at the direction of the CFO. These victims did not realize the request was coming from a cyberfraudster until it was too late.
Before the pandemic, perhaps your organization had a manual control that would require physical sign off on a check before such a payment would be made – but that control may not exist while everyone is remote.
Many organizations have also fallen victim to ransomware attacks that have completely locked down their systems, with the attacker requesting a ransom payment to reactivate those systems. Cyberattackers prey on the current environment to seek ways to harm companies that are already under unique pressures.
Employees also may be exposing their company to would-be fraudsters by working in a remote environment that is not protected by the company’s established network security protocols or firewalls. Working from outside of a company’s protected virtual private network (VPN) or using a personal device to perform work tasks can expose an organization to data leakage or theft.
Cyberattacks occur every day at companies with comprehensive IT controls, but that risk increases in an unprotected IT environment. Your company’s own employees could also take advantage of weakened IT controls by devising ways to steal confidential and proprietary data – or perhaps by keeping proprietary data after a job termination.