In the second article of this series I discussed the fraud response plan and how it is vital to have agreed procedures to follow in the event of a suspected fraud. One important element of any fraud response plan, and one which is often forgotten once the dust of an investigation has settled, is that an organisation should review how the fraud occurred and what it can learn to prevent it happening again. This is known as creating a "forensic memory".

A forensic memory enables an organisation to learn from past mistakes. In order to do this, the management must first ensure they have a thorough understanding of what went wrong. It is vital, therefore, that any investigation also considers these factors and reports on any controls that may have been breached or circumvented by the fraudster.

Once these controls have been identified, the management should consider whether there is evidence of a more widespread or structural failing in their controls, which could leave the organisation exposed to similar frauds in different divisions or business areas - does the fraud suggest a systematic weakness?

The final step is to consider how these weaknesses can be addressed, and whether additional or alternative controls are required. Any such changes will, of course, need to be balanced against commercial considerations - management must assess their fraud risk and decide their risk appetite before implementing additional controls.

In addition to an organisation's own forensic memory, one can also learn lessons from some of the more famous corporate frauds that have occurred through the years. When we see frauds repeating themselves, it can sometimes appear that lessons from the past have been ignored.

While it would be fair to say that many of the investigations into the Jérôme Kerviel case at Société Générale are still ongoing, one factor appears to be that his experience of working in the middle office compliance function earlier in his career gave him insight into how certain processes worked, making it easier to circumvent them.

Similarly, in the case of Barings Bank, Nick Leeson had spent a number of years processing trades in a back office role before moving onto the trading floor himself. As with Kerviel, this gave him a detailed understanding of the control processes. In addition, Mr Leeson was both the trading floor manager and the head of settlement operations - two roles that should ordinarily be segregated. This dual role allowed him to evade internal controls and, effectively, operate with minimal supervision.

Segregation of duties is now a widely accepted and basic anti-fraud control, but in a difficult economic environment, where cutbacks and redundancies can result in too few people covering too much work, the resources required to segregate duties may be lacking. Indeed, last year's Ernst & Young European Fraud Survey (entitled "Is integrity a casualty of the downturn?") found that 36 per cent of respondents believed that normal policies and procedures are likely to be overlooked as staff redundancies are made.

John Rusnak was imprisoned for hiding losses of almost US$700 million at the AIB subsidiary Allfirst Bank. One of the ways he kept his fraud hidden was by manipulating spreadsheets used by the risk-control group.

Organisations often use spreadsheets to carry out certain checks and balances and some even protect cells within those spreadsheets, in the belief this will prevent anyone from manipulating them.

However, it can be fairly simple to break this protection and change formulae and numbers within a spreadsheet, potentially to hide fraudulent transactions and avoid controls.

If an organisation relies on a spreadsheet for a key control, it should have certain standards or protocols in place to regularly review it. Alternatively the management should challenge whether a robust application should be developed to replace the spreadsheet.

The Bernard Madoff investigation reminds us of a fundamental truth in fraud investigation: if it seems too good to be true, it probably is. Mr Madoff promised investors returns that consistently outperformed the market, but it then transpired that he was operating a massive Ponzi scheme, using new investors' capital to pay returns to earlier investors. The Ponzi scheme was named after Charles Ponzi who, in the 1920s, offered investors returns of up to 40 per cent within 90 days on postage stamp speculation. However, no legitimate investment existed and Ponzi used new investors' capital to pay out returns, essentially "robbing Peter to pay Paul".

It is ever more important that management focus on fraud and the protection of their organisation's assets.

Organisations should have a robust anti-fraud programme in place to help them detect any indications of employee fraud. When fraud is suspected, it is vital that they have a fraud response plan in place to allow them to respond rapidly and decisively. Finally, that plan must ensure that the organisation develops a forensic memory to prevent it suffering from the same frauds again and again.

This is the last of three articles related to employee fraud. The first article dealt with spotting the warning signs while the second one dealt with how to respond to employee fraud.

Samantha des Forges is a senior manager, Fraud Investigation and Dispute Services (FIDS), Ernst & Young Channel Islands. She was recently in Malta to deliver a talk on the changing landscape of fraud.
