With potentially the entire workforce logging on from home, many organisations will worry about timesheet fraud and consider electronic monitoring solutions. But this could be an own goal. More holistic, behavioural approaches may be a better way to both prevent fraud, and support staff.
I remember when ‘working from home’ was seen as a bit of a jolly, and greeted with wry smiles from colleagues. Now in the wake of COVID-19 it looks set to become the norm, at least for a while. Employers may worry about employees misrepresenting their time, and wonder whether they need to heighten monitoring through computers and smartphones.
There is a place for these kinds of technologies. Certain types of electronic monitoring can be prudent for certain types of work. But for many organisations – especially those new to remote working at scale – this could turn out to be a mistake. There are better ways for organisations to protect productivity and support their teams during crises like this.
Humans, not machines
The fraud triangle, based on the work of Donald Cressey, is so robust we’re still using it 70 years after it first appeared. In this model of dishonest behaviour, a key component of fraud is rationalisation – the way that we make ourselves comfortable with what we want to do.
When I open my casebook of internal fraud investigations, a rationalisation that crops up repeatedly is the perpetrator’s sense that the organisation has wronged them – that the fraud would be retribution, justice, rebalancing the scales.
This is important. If an organisation adopts intrusive methods that leave employees feeling devalued and untrusted, then this can open up the possibility of that rationalisation. Combine that with financial or logistical pressure generated by the COVID-19 crisis (motivation) and the clear opportunity, and the fraud triangle is complete.
Instead, we need to think more broadly about the impact of home-working on fraud, and more carefully about human factors, before we jump to thinking about controls.
Start with a new fraud risk assessment
Sending the workforce home is a major change of circumstances – one big enough to affect your organisation’s internal fraud risk profile. Risks beyond timesheet fraud will be affected. For example:
- What could be the effect on expenses fraud?
- Will the rise in e-mail and online communication heighten vulnerability to cyber, data security, and privacy threats?
- If a health and safety assessment hasn’t been carried out on a person’s home workstation, is there a risk of false claims for which organisations may be unable to defend themselves in some jurisdictions?
It’s time for a new fraud and corruption risk assessment.
Taking a human-centric approach
With the risk assessment providing a clear picture of what could go wrong, there may be places in which technology can help. But there are others in which we need to think about humans.
In a time where our people feel frightened and stretched, it is nurturing, caring leadership that will both support them and help to prevent and detect fraud. It’s not only possible to do both, but vital. Managers are the key controls. In retail, smiling as a customer enters can make them feel welcome – and deter shoplifters by showing they’ve been noticed. The principle is the same here. Good day-to-day remote management of employees leaves them feeling empowered and enabled, but also helps to deter, prevent and detect internal fraud.
For example:
- Train and develop managers in the potentially new task of supportive remote leadership;
- Create nurturing, mutually-problem solving relationships within teams, reducing the likelihood that people will feel the need to hide things (which can help to generate the right conditions for fraud);
- Consider online collaboration platforms. Some have amazing functionality to improve connections between remote workers, which also helps to preserve accountability;
- Provide managers with clear guidance on fraud red flags.
At the corporate level, review HR policies from an anti-fraud perspective. For example, flexible working is also about time, not just location. Business closures means that employees may now have to balance caring for children and the elderly, and seizing sudden opportunities to buy essentials, with their work-day. A flexi-time policy is a great way to prevent employees misrepresenting their work hours. Have an anti-fraud specialist examine your policies.
Meanwhile, with your employees now physically disconnected from the social norms, cues and wider internal culture that helps to regulate their behaviour, re–assess how you will manage internal culture. How will you shape how employees think, feel and act in line with an anti-fraud culture when they’re not in your building? Now might be the time to step up behaviour-shaping online materials, and anti-fraud communication and awareness initiatives.
There are a surprising number of organisations that already embrace remote working, especially in the humanitarian and global development sector. Reach out for advice. How are they managing the risks? What has worked and what hasn’t for them?
Finally, manage your own cognitive errors, biases and heuristics. Fraud and corruption love availability bias, for example, the phenomenon in which we focus on the most visibly present issues and risks. Because fraud hides and masquerades, that bias allows it to shuffle off into the darkness. Don’t let that happen. Fraud is agile and will already be adapting to this new world, you need to think about how your organisational efforts to deter, prevent, detect and respond to it will too.
Towards organisational health
Some employee monitoring solutions – especially those at the leading edge – are exciting, minimally intrusive and potentially very useful. But organisations should take care not to panic-buy. Just as with COVID-19, fighting the virus that is fraud starts with careful, risk-based preparation.
Did you find this article useful? Why not check out Oliver May’s books on tackling fraud and corruption?
Content at Second Marshmallow does not necessarily reflect the views of the author’s employer, clients or others. Check out our Disclaimer for more information.
In these situations, organisations can rely on alternative evidence of the delivery, such as the evidence of the supplies’ transport to, and arrival at, the point of distribution. Distributions can also be recorded with modern technologies such as biometrics, body cameras on the distributors, or even mini-drones which can be deployed to record at a set altitude above a person wearing a transmitter.
In non-emergency activities such as training, incorporating fraud detection into post-event monitoring and evaluation is key. Organisations can randomly select a sample of recipients, contact them for feedback, and verify receipt of the items or service.
Najwa Whistler is a finance director with 18 years of experience working for several international NGOs around the world. Growing up in a small village in Lebanon in poverty during the civil war built her resilience and determination to work in international development. She enjoys cooking and dancing. You can reach her via naj.whistler@gmail.com
The lead investigator had just returned, fresh off the plane and into our update meeting with the rest of the team. We sat down in a comfortable meeting room, thousands of miles away from the dusty, hectic and often frightening city in which the allegations had arisen. The city was one of those places that was sort-of a conflict zone, sort-of a disaster zone, sort-of a global city and sort-of none of these things. Development specialists and humanitarians worked shoulder-to-shoulder, and projects evolved quickly in response to an endlessly changing local environment.
Secondly, whistleblowers face enough challenges already. From stakeholders obsessed with identifying them, to those who try to use the whistleblower’s motivations as a shortcut for judging their credibility (and no – just because a whistleblower is motivated by reward or revenge, it does not mean that their allegations are untrue). Investigators play a critical role in mitigating these risks to them.
Every so often, I hear investigators at conferences speculating (or riffing online) about what sort of people become whistleblowers. I wonder if a more pertinent question is, what sort of investigator are you? And in particular, how much attention do you give to your eternal, internal battle against cognitive biases, heuristics and errors – a battle critical to maintaining your objective investigative mindset?
Embrace hot and cold debriefs. (Or ‘immediate and delayed’ debriefs.) Adopt a cycle of evaluating your own performance and incorporate how you handle whistleblowers into it. Handling a whistleblower includes how you interact with them, treat their information, manage the investigation around them, and manage other stakeholders.
* Details have been changed. Images do not necessarily represent the locale or persons described.
Some years ago, I found myself investigating events in a program in a war-torn country. The program had been set up to build the capacity of small local NGOs to implement community development projects. The concept was great, the donor funding had been secured, local partner NGOs had submitted proposals and agreements had been signed, transfers had been made and reports had been received. The only problem was that most of these NGOs didn’t exist.
Ex-pat Nancy used to be a teacher in Canada, and this was her first job in an international NGO. She was young, and idealistic, but it was clear that she did not have the relevant skills and experience. A conflict zone is a dangerous and stressful place, often with high staff-turnover, and the international NGO had compromised on her qualifications to find someone willing to endure the hardship.
When my team drove out to the field to visit the partners and the communities, I went with Malik, a driver, who turned out to be Raj’s brother. The driver tipped off the ‘NGOs’ that we were coming for a visit.
Firstly, ensure a realistic and validated assessment of potential partners takes place. More than one person or function needs to be involved in this assessment, and it should compare project proposals. Involve logistics and procurement teams to verify market rates.
There is a disconnect between the perception of reputational risk and the action taken to manage it.
One of the report’s most surprising findings was the under-use of risk assessment. This might not surprise NGOs, however; my counter-fraud colleagues and I have found the quality and extent of risk assessment in the sector to be patchy at best.
The biggest proportion of incidents reported were conflicts of interest, with personal favours not far behind. This may resonate with NGO managers; anecdotally, conflicts of interest in procurement and recruitment can be a real issue.
Respondents most frequently declared organisational culture and tone-at-the-top as the greatest preventative factors. I have written about the link between culture and corruption for NGOs before (
To read more about how to deter, prevent, detect and respond to fraud and corruption in humanitarian and global development work, make sure you pick up a copy of my book, 
If a humanitarian or global development organisation gets serious about tackling fraud and corruption, then it will detect cases – possibly in significant numbers. As my organisation invested in counter-fraud efforts, for example, we saw recorded suspicions in its global operations 
The job does not finish with the dismissal or conviction of the suspect(s). These incidents have long tails – there is work still to be done to rehabilitate the project or business unit in which the incident took place. An incident represents a severe breach of trust; workers may feel abused and betrayed. The ripples can spread wide.
Hopefully, the organisational response included a lessons-learned exercise, generating changes to implement. This should look beyond the internal controls, also into enabling factors such as culture, communication and awareness.
Now is also a good time to do some contingency planning. Is the incident serious enough that it could result in regulatory interest, onerous remedial controls applied by institutional donors, or put future funding at risk, for example? We can prepare for these.
Team members will respond to the matter differently. While some may be relatively unaffected, others may not. It is important to note that where staff have made a commitment to an organisation on the basis of their values – perhaps more common for charities, nonprofits and NGOs than for private sector organisations – a breach of trust could be more impactive. Perhaps there could even be a grief reaction for some team members.
Look out for, and respond to, the traditional symptoms of stress, low morale and anxiety. These might include absenteeism, disciplinary issues, a rise in complaints, and disillusionment. An incident can impact upon personal and professional confidence, and colleagues may feel fear, shame or embarrassment. Will the incident create a funding crisis, putting their jobs at risk? Will staff have to justify themselves to an angry public? Consider access to staff support systems, and formal interventions such as counselling and facilitated debriefing.
Clear communication. Rebuilding trust requires the open communication of reliable content. Low information creates anxiety, more information helps manage our ‘fight or flight’ crisis response. Concealing the matter from the team is, therefore, more likely to sow suspicion and fear than peace and confidence. Be as open as you can about what has happened, and what will now happen, within the boundaries of policy, employment law and data protection legislation. As you describe the future, avoid over-promising – employees need clear and consistent messaging from management. If you cannot make promises, don’t; recognise uncertainty and explain what is being done to reduce it.
Foster trusting relationships. Ensure that teams meet as regularly as possible, in person or via teleconferencing. Consider holding team-building events, reflective away days and/or ‘how are we doing’ agenda items in meetings. These measures can improve understanding, interaction and trust between team members.
Lead by example. We know that employees look to the behaviour of their managers to determine their own. So be present; you cannot role-model behaviours and attitudes if you cannot be seen by anyone. Be positive and show how you treat what has happened constructively, managing risk, avoiding blame, taking care of your colleagues (and yourself), and using the incident to make the business unit stronger in the future. As one casualty of a fraud or corruption incident is honesty, ensure that you are (and are seen to be) authentic. So, for example, if you feel hurt, vulnerable or confused, consider sharing those feelings with the team. This helps to normalise these emotions.
Reaching project milestones or completing tasks puts clear blue water between the incident and the present, assisting both staff and stakeholders to move on. It also, of course, ensures the progress of the project or business unit. Embed, as rapidly and effectively as possible, any changes to processes to reduce the risk of a recurrence.
Fraud and corruption has, historically, not been well understood in this sector. Your Board may have a low or rudimentary understanding of the risk and how to respond to it. This means starting at a basic level, making no assumptions, taking the time to address myths and misconceptions and playing a longer game. ‘Educate as you go,’ Willie Oelofse from Deloitte Kenya told NGOs at 
Civil society is under attack the world over, and the issue of their fraud and corruption exposure can be something that sends Board members running for their shields and helmets – especially if it is perceived to come from an 
Fraud and corruption, especially at a strategic level, can be abstract concepts. Help the Board to connect by painting a picture of the risk with case studies. If you don’t have any in your own organisation, then perhaps partners, donors or other organisations have some they will let you use? If not, then find cases in the public space affecting comparable organisations. If you’re really struggling, consider using fictional examples – but remember to state that they’re fictional!
NGO Boards are often allergic to anything with a whiff of extra expense, especially if it is 
NGO Boards manage a lot of risks, only some of which materialize. Using evidence helps them to appreciate how fraud and corruption sits, whether that evidence is perception-based, representative sampled, or from other diverse sources. Cast the evidence net wide – consider staff surveys (especially anonymous surveys), risk assessments, project and programme evaluations, audit reports, security reports, academic research and open source. This may mean that you need to start by 
Just as is the case with private and public sector organisations, the counter-fraud agenda needs to directly support the organisation’s mission. This needs to be clearly elucidated so that Boards can see that counter-fraud is a mainstream activity, rather than a distraction.
In March’s 
It’s a great scene, and we celebrate Maverick’s daring heroics. But let’s be clear, this wasn’t what he was supposed to do. It was dangerous. We only celebrate because Maverick pulled it off. If something had gone wrong, Top Gun wouldn’t be a heartwarming movie about a young pilot’s quest for meaning, love and success. It would be a dark political thriller about a world on the brink of nuclear war following a mid-air collision caused by a reckless American pilot.
Some international NGOs are tempted to break the laws and regulations of their countries of operation, registration, or both. Here we don’t so much mean situations where legal authority is unclear, or regulations and obligations are ill-defined or differently interpreted, or laws which violate human rights. Here we’re focussing on a situation where an NGO wilfully or negligently breaks legitimate, clearly-defined and communicated local laws and regulations. Temptations might include, particularly:
When an incident of fraud takes places in a project where the NGO was working unlawfully, managers may then be incentivised against taking civil or criminal justice action for fear of drawing attention to the project’s own misdemeanours. This may significantly hamper the prospect of redress (getting our money back), and impact upon the available sanctions for a perpetrator. This, in turn, could damage the NGO’s ability to deter fraud and corruption if a potential perpetrator knows that such an outcome is unlikely.
The risk goes even further, however. While international staff may be able to hop on the next plane home if things get too hot with local authorities, local staff can’t press that escape button. They may therefore bear the greatest risk of consequences like prosecution. This outrageous burden is hardly helpful to the positive workplace relationships necessary to help deter corruption and promote whistleblowing.
Scarce resources make it even more important to steer clear of avoidable mistakes. Recently, the ACFE’s 
This includes failing to have and apply lawful and proportionate performance management and disciplinary policies and procedures, internal suspicion reporting systems, and external reporting mechanisms (for example, to regulators). This exposes programmes to an array of risks, including confused or inconvenienced stakeholders, invalidated insurance, and accusations of bias (with the subsequent legal action). Being shown to have failed to follow your agency’s own protocols can be a rapid way to lose a case involving a former employee.
In some country contexts – especially conflict zones and fragile states – a criminal justice outcome for a case of employee fraud or corruption may be very unlikely for an NGO. While we should usually proceed with the intent to take a case to court, we must recognise that sometimes a disciplinary outcome (such as dismissal) has to be enough.
It is easy to see why implementing partners might want to carefully manage what their donors see and how it is framed. Many donors seem increasingly risk-averse, and have a history of unhelpful, disproportionate reactions.
Anonymous donors are a normal feature of fundraising. We’ve all popped a few coins into a collection bucket. But where NGOs receive unusual or significant funds, with no information on their provenance, a red light should flicker into life. Anonymous giving could be the starting point for a number of laundering methodologies, perhaps even involving insiders. NGOs need to take reasonable steps to identify the sources of such contributions.
An example might arise from the UK. In 2013, the Charity Commission 
Let’s say you are running a social development enterprise. A company approaches you to purchase a quantity of your beautiful wooden products. You’re delighted – but then the company asks if a second company can settle the invoice on its behalf. They’ll settle up between themselves, later, it says. The red light should come on.
Let’s say that our rich, local businessman approaches you with a proposition. He wishes to store some money in a savings account, but he doesn’t like banks. Maybe he says they’re greedy and corrupt, and he wants to help those who live out his own commitment to social justice. He suggests giving you his US$100,000 – which he will retrieve in six months, while you get to keep the interest. Red light.
A range of complex issues face NGOs that move funds into and around locations of elevated risk, such as conflict zones, fragile states and areas of significant terrorist activity. One of these is that we don’t know who else’s money an MTO is moving in or out of these places. If our NGO engages an unscrupulous, unregulated or badly-run MTO, there are real risks of breaching the principle of ‘do no harm’ and of reputational impact.
Second Marshmallow 