Data shows that losses due to employee fraud in public sector entities are on the rise.
While everyone has a responsibility to prevent and detect fraud, employee fraud can take longer to be detected, meaning those charged with management and governance should always remain vigilant.
A greater awareness of the risk factors for employee fraud can assist with this. In this blog, we’ll share tips on how entities can use the fraud triangle to help prevent and detect employee fraud, and resources that can help strengthen your entity’s internal controls.
What does employee fraud look like?
Employee fraud is where an entity incurs a loss due to a fraud committed by someone internal to the organisation.
This can include when an employee:
- steals or lends assets for personal gain
- causes an entity to pay for goods and services that are not received by the entity
- applies for reimbursement of non-work-related expenses
- uses their corporate credit card for personal purchases and claims them as business expenditure
- submits fraudulent forms to make unauthorised changes to payroll master data, such as increasing their own salary rates.
Using the fraud risk triangle to understand employee fraud
Understanding the conditions in which employee fraud is likely to occur can help entities identify where there may be weaknesses and how these can be addressed.
The fraud risk triangle model is widely used today but has its origin in the 1950s. Criminologist Dr Donald Cressey proposed the theory in 1953 in a paper called ‘Other people’s money: a study in the social psychology of embezzlement.’ Cressey interviewed 133 convicted embezzlers as part of this research, concluding that 3 elements needed to be present for white-collar crime to occur: opportunity, pressure, and rationalisation.
The presence of these 3 characteristics can create ideal conditions for employee fraud:
- pressure or an incentive to commit fraud – often underpinned by personal or outside issues or fears
- opportunity, or perceived opportunity, to commit fraud without being caught
- the ability to rationalise committing a fraudulent act – for example reasoning such as ‘they were only borrowing money and intending to pay it back’.
Pressure and rationalisation are characteristics that entities have limited ability to influence.
Publicly reported statistics and survey results indicate that more employees are experiencing moderate or severe financial stress. This can increase both the pressure on employees to misappropriate assets, such as cash or other assets susceptible to theft, and the ability of employees to rationalise this.
However, entities can protect themselves by reducing opportunities, or perceived opportunities, for employees and management to commit fraud through strong internal controls.
Internal controls that can help
Entities can implement controls that address employee fraud risk factors to protect themselves from financial losses. For example, entities can:
- ensure the code of conduct and other key policies on acceptance of gifts and entertainment, protected disclosures, and investigation standards, are robust, up-to-date, and distributed to employees
- ensure an employee independent of payment and receipting processes conducts regular bank reconciliations
- ensure a person independent from processing transactions verifies all changes to bank account details
- follow up complaints and queries from suppliers and debtors concerning outstanding balances
- ensure information systems are secure, for example through restriction of user access, regular monitoring by management, and appropriate segregation of duties.
Those charged with governance can help to address employee fraud risk through their oversight. For example, audit committees should consider the potential for the override of controls or other inappropriate influence over the financial reporting process. Entities can find more information on the role of audit committees in our blog Does your audit committee comply with Treasury’s composition requirements?
QAO also has 2 tools that can help entities understand their fraud risks, determine how robust their internal control environments are, and document their risk treatments:
Read more about risk controls and treatments in our blog Keep fraud risks front and centre in 2024.
It’s also important to keep in mind that when an entity uses third-party providers to support its operations, management should also consider the controls operated by the third party on its behalf, as these risks and controls are part of the entity’s overall control environment.
Obligations to report material losses
When losses do happen, entities need to report them to QAO as soon as possible. Entities can do this via our website and can find more information about this in our blog Why is it important to report material losses to QAO?
Resources
- Keep fraud risks front and centre in 2024
- Why is it important to report material losses to QAO?
- Are your ‘everyday’ internal controls strong enough to prevent a fraud attempt?
- Managing risks associated with third-party providers
- Risk management – where do we start?
- Does your audit committee comply with Treasury’s composition requirements?
- Fraud risk assessment and planning model
- Fraud and corruption self-assessment tool
- Fraud risk management (Report 6: 2017–18)
- Fraud risk management in local government (Report 19: 2014–15)
- Fraud risk management (Report 9: 2012–13)
- State entities 2023 (Report 11: 2023-24)
- Other People's Money: A Study in the Social Psychology of Embezzlement. Donald R. Cressey | American Journal of Sociology: Vol 59, No 6.