How to stop fraud

The Madoff and Stanford cases may grab the headlines, but the temptation of fraud appears at every corporate level

Around the Office. Physical protections in the building and its perimeter can also curb fraud. Do you have someone at the front door? Are you locking cabinets with sensitive data in them? Do you have a policy on transporting removable media like laptops and BlackBerrys? Where is the company trash going? Sotto recalls one multibillion-dollar, family-owned company that 20 years earlier donated reams of used paper to a preschool for a recycling drive. Recently, one of the preschool's parents called to report that one of her son's preschool art projects included names and social security numbers on the backside.

Any sensitive documents should be shredded or designated for burning.

Employees should have access to confidential data on a need-to-know basis. Review access rights weekly or quarterly, and terminate access immediately for any employee leaving the company. Make sure everyone has the right levels of access, and mask some of the data for some levels of access. Audit log software can also document who logged into which documents and systems, when, and whether they made changes or exported files.

In the Call Center. Fraud prevention in the call center begins with background checks for all employees before hiring them. Once they're on the job, monitor their computer activity. "See what they're looking at and why," Sotto says. Deactivate CD drives or USB ports so information can't be copied. Adopt a paperless work environment so information can't be written down and documents can't be removed. Keep purses and backpacks outside of the call-center room.

At Home. Employees who work from home can be difficult to monitor. Sotto suggests occasional surprise visits from a supervisor. "Have policies in place where the PC is in a segregated area away from family, use strong encryption and password protection" for PC access, she adds. (Also see Seven Deadly Sins of Home Office Security.)

Hotlines. Occupational frauds are much more likely to be detected by an anonymous tip than by audits, controls or any other means, according to the ACFE. Hotlines are one of the easiest ways of allowing those tips to come in. Sarbanes-Oxley requires public companies to establish whistle-blower hotlines, and many private companies are following suit. Other companies have set up anonymous e-mail programs "or a locked box in the coffee room for notes," Dorris says.

Employee Education. One of the easiest and most inexpensive ways to reduce fraud is through employee awareness and training about fraud protection and security.

Employees can be trained on how to handle sensitive documents left near printers, for instance. "They may be unknowingly printing important information that can be used in a fraud or theft context and leaving it near the printer," Safir says. "Most importantly, let employees know from their first day of employment of the company's rules and expectations regarding fraudulent activity--not after fraud surfaces."

Connecting Fraud and Security Programs

Antifraud policies and procedures should be part of an overall security program, with input from the general counsel.

"Some CSOs work very closely with their general counsels, and some who are very skilled become relied upon as the 'finders of fact' for these very sensitive issues," Safir says. "A good CSO doing the job proactively and doing it well ends up speaking the language of and servicing the general counsel whose basic duty it is to ensure on behalf of the board that upper management isn't doing anything [fraudulent]."

In rare cases, CSOs can find themselves at odds with executives, who might be engaging in rogue behavior themselves, over certain control environments or over the CSO's responsibilities to the general counsel reporting to the board. A series of checks and balances can clear that impasse.

"You have a board of directors, an audit committee and control procedures that public companies need to comply with, and a lot of private companies have adopted this as a best practice," Safir says.
