Collusion, The Kryptonite of Fraud Controls
Dave Hammarberg
Partner of Internal Audit, SOC and HITRUST at McKonly & Asbury, LLP
Most mitigating fraud controls in organizations are designed to stop a single fraudster acting alone. Collusion is defined as a secret or illegal cooperation or conspiracy, especially in order to cheat or deceive others. The colluding parties' job responsibilities, and the authority the organization has given them, will likely determine whether a mitigating fraud control fails.
For example:
Risk – Accounts Payable employees print checks, sign them and then cash them for non-business purposes.
Mitigating Control – Segregation of Duties in Accounts Payable – One or more employees have the security permission in the accounting package to print checks. Another group has the authority to sign those checks.
Mitigating Control – Positive Pay – An employee who does not have permission to print checks reviews the checks printed and sends a listing of those checks to the organization’s bank. The bank then only accepts checks from that organization that are on the positive pay list.
Collusion – Since there are multiple controls in place to prevent a fraudulent transaction, in this case a fraudulently issued check, collusion within the Accounts Payable department, or between the Accounts Payable department and the check signers, would be a way to circumvent the controls. For example, the check signer, who also happens to be the positive pay submission employee, and the employee who prints the checks collude to print one fraudulent check a month for a low dollar amount and split the proceeds. This would work and probably not get caught until the amount of fraud rises to a level that would alert someone. If the check signer, the positive pay submission employee and the employee who prints checks are separate individuals, it would take three employees colluding to make the fraud successful. The more you can segregate the process between employees, the less chance of collusion.
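The collusion arithmetic above can be checked against actual permission assignments. The following is an added example, not part of the original article: it computes the smallest group of employees who together hold all three duties and flags anyone holding more than one. The duty labels and employee names are constructed for illustration.

```python
from itertools import combinations

# Duties from the article's Accounts Payable example (labels are this example's own).
DUTIES = ("print_checks", "sign_checks", "submit_positive_pay")


def min_colluders(assignments, duties=DUTIES):
    """Return (size, groups): the fewest employees who together hold every
    duty, and every group of that size. size is None if a duty is unassigned."""
    needed = set(duties)
    staff = sorted(assignments)
    for size in range(1, len(staff) + 1):
        groups = [
            group for group in combinations(staff, size)
            if needed <= set().union(*(assignments[e] for e in group))
        ]
        if groups:
            return size, groups
    return None, []


def sod_findings(assignments, duties=DUTIES):
    """Map each employee holding more than one duty to the duties they hold."""
    return {
        emp: sorted(set(held) & set(duties))
        for emp, held in assignments.items()
        if len(set(held) & set(duties)) > 1
    }


# Constructed sample: the article's weak case, where the check signer
# also submits the positive pay list.
WEAK = {
    "printer_a": {"print_checks"},
    "signer_b": {"sign_checks", "submit_positive_pay"},
    "reviewer_c": {"submit_positive_pay"},
}
# Constructed sample: each duty held by a separate individual.
SEGREGATED = {
    "printer_a": {"print_checks"},
    "signer_b": {"sign_checks"},
    "reviewer_c": {"submit_positive_pay"},
}

if __name__ == "__main__":
    for label, data in (("weak", WEAK), ("segregated", SEGREGATED)):
        size, groups = min_colluders(data)
        print(label, "min colluders:", size, groups, "overlaps:", sod_findings(data))
```

A result below the number of duties means at least one person holds overlapping permissions, which is the condition a periodic access review should look for.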
The question is: how do we prevent collusion? Since management is often in the dark about relationships in the workplace, it is a difficult task. A third-party risk assessment in the area of concern will often bring these relationships to the forefront. Once you know the potential vulnerability (Bob and Jeff are best friends, or Tom and Wendy are intimately involved), you can make sure there is proper segregation of duties. Relationships in the workforce aren’t evil, but they do have the potential to circumvent good mitigating controls.
Recently, a couple of fraudsters colluded to defraud a local organization of 1.5 million dollars. You can read about it below:
https://www.pennlive.com/news/2016/06/snack_scam_feds_say_pair_conne.html
If you need help or ideas for making your organization as secure as possible against fraud, please email me at [email protected].