Campbell Jackson, Partner at EY, on Fraud in the Workplace| HR Think Tank #10

To be honest with you, Khai, it’s an exciting job because no two days are the same and no two jobs are the same. So it keeps things fresh, and there are always things to learn and new experiences to be had.  

In terms of the “why” aspect of your question, this career is a constant journey because your skills will essentially grow incrementally job by job. Forensic accounting is not something you learn in a textbook; you learn it at the coal face. And the more experience you get, the more opportunities come to the surface.  

So, it becomes a natural cycle: your experience leads you into new jobs and opportunities.  

Another consideration is the ability to work with diverse people from different backgrounds across the globe. Of course, at the moment, things are slightly different, and we are primarily communicating virtually. But if the past is anything to go by into the future, this job has allowed me to travel the world. And for a young professional starting out, that’s pretty appealing.  

Six weeks ago, a graduate was preparing for their final exam, and now they’re sitting on a plane connecting on a flight in Dubai through to someplace of the world that they’ve ever been to.  

The second reason someone might want to consider this job is the variety. There are so many skills that you pick up, ranging from IT skills and presentation skills to interview, accounting and analysis skills. The world is your oyster to find your passion and the experiences that will allow you to explore where you want your career to actually go.  

​​But the foundation is built over many years, and the forensic area just gives you that opportunity. 

Yeah, it’s an important part of the job for me. Look, it gets tough having to leave my family and leave the kids. But I get to teach them the world map and put a little star on the places that I have been to.  

For most people, you probably wouldn’t even know that half these places existed unless you’ve been there for a specific reason. So it keeps the job exciting. And it really broadens my outlook on the world because I get to experience so much diversity.  

No, absolutely not.  

When I finished school, I had no idea what I actually wanted to do. But the only thing I could keep going back to was my accounting teacher – I really enjoyed his interaction, and I enjoyed the accounting part too. But to be honest, I didn’t enjoy the academic side of school; I was more interested in sports.  

I was lucky enough to get a job at one of the big firms, Coopers and Lybrand, as it was known back then, but is now PriceWaterhouseCoopers. I started in audit, and it was a great grounding because, for the first three years, I had no idea what an accountant actually did or what a general ledger was – even though I had a full accounting degree.  

But to be frank, I needed more in my life. So joined Arthur Andersen’s startup forensic accounting practice. And that was it – I was hooked from day one.  

As a forensic accountant, I often get asked what the definition of fraud is. And I always say there’s an academic perspective to the definition, and then there is perspective in reality. To me, fraud is simply a line: either you step over it, or you don’t.  

If you step over it, you know it’s wrong and congruent to what is actually expected. So, it will bring some form of unease that something is not quite right. I wouldn’t get caught up in the definition of fraud because, essentially, it’s just knowing right from wrong. And once you’ve crossed the line, you can’t come back to the other side. So, it’s important to stay on the right side.  

But in terms of the types of fraud, you can split it into three main areas.  

The first would be corruption which would involve a conflict of interest breaches, bribery and financial advantage through legal means. Corruption is definitely more prevalent outside of Australia, but our workplaces are not immune to it. There are a few well-documented cases of corruption within Australia.  

The second and most common type of fraud would be asset misappropriation – which is simply just stealing things of value. It could be stealing tires from a warehouse, stealing stuff from the stationery cabinet, skimming funds from petty cash or ordering things through accounts payable, and it’s just clear cut stealing.  

The third and most devastating type of fraud is where an organisation’s financial statements are deliberately compromised for a more favourable outcome on the market.  

All three areas delve and cascade down into particular areas of the organisation, whether it be HR, sales, finance or legal.  

It’s everywhere. It’s right under your nose, and it happens in every single organisation. But, first and foremost, it comes from your employees.  

It’s human nature to want to seize an opportunity that drives an outcome that will suit them and go against the organisation’s values. Because they’re within the organisation, they know exactly where to pull the levers, expose the cracks and deliver what they want to achieve.  

Fraud can also occur externally. And by externally, I mean it could be anyone ranging from a supplier or a member of the public to a government official.  

If you think about it realistically, fraud is happening in every organisation, and every new individual you introduce to the organisation essentially increases the risk that fraud is going to occur in your workplace.  

Yeah, it is certainly a very topical issue at the moment with everyone working from home, and many of our clients have asked for advice on how they could mitigate the risk of fraud.  

When people aren’t physically together, you risk having them become disconnected from the organisation’s culture because they’re floating on their own without any support mechanisms. That’s a dangerous thing because their rationale and mindset can change, and you might not be able to notice it. And it might deteriorate into something that might prompt them to do something they wouldn’t normally do or shouldn’t be doing.  

Secondly, their mindset will shift because of the uncertainty of the future or viability of their employment. The fact that they might not be receiving a bonus in the future because 50% of the revenue is gone can drive the mind to do silly things. And they might start thinking about where they can recover or claw back and justify fraudulent things in their own mind. 

The third consideration would be the technology aspect. Everyone is at home using BYD devices on the internet, going through servers to the workplace without VPNs. Everyone’s there fishing for information, watching, monitoring and ready to pounce.  And if you’re throwing homeschooling into the mix, you have kids clicking on websites left, right and centre. So, it’s the perfect storm for cybercriminals to step into your home environment and then into your work environment. 

It’s difficult to monitor when people are working remotely because you don’t have that physical interaction and can’t check on their well-being or state of mind.  

A short seller attack is effectively a report made publicly available by an activist or hedge fund that criticises an organisation’s financial and non-financial reporting. The idea is to call out where fraud has occurred or where the company or organisation has covered up false information.  

But, their only motive is to put that out there in the public domain and get everyone to panic so that the share price drops.  

Credible short sellers have a role to play to keep the market honest and get the mysteries out there. It’s a good thing to have organisation fraud exposed. But, quite often, the short sellers can say whatever they like, whether it’s true or not, so it has a catastrophic impact on the organisation.  

It’s not a level playing field: boards of listed companies have an obligation to tell the truth promptly through continuous disclosure, where short-sellers can say whatever they like, even if it’s not true. It can be catastrophic for an organisation in terms of value. 

I’ll start with the fraud triangle, which is produced by the Certified Examiners Organisation. It has three components: pressure, opportunity and rationalisation. And all three are common in a fraudulent event.  

Pressure is effectively the warning sign that something is not right or that there is some underlying reason driving the anticipation of committing a fraudulent event. For example, it could be substance abuse, gambling or job loss. I have seen fraudsters lose their jobs and not tell their families. So they have had to steal money to supplement their income.   

So, the pressure to keep the story going is critical or embedded at the start of any fraud.  

The second element is opportunity. Fraud doesn’t just happen – you have to give them the opportunity to do it. And I call that, giving them the keys to the castle. It can be as simple as not having the appropriate control environment within your organisation. Fraudsters will find a weakness or find a key to a door and walk through it because you left the door open or unlocked. Or it could be that you’re hiring employees that have a history of fraudulent events.  

The same could be said about the relationships you have with your suppliers and your customers. If you have bad customers or bad suppliers, you’re just inviting a whole lot of trouble.  

The third element is what they call rationalisation. And that goes to the heart of the culture within the organisation. A fraudster will rationalise their actions if they believe the company deserved it. They want to keep their jobs, though, so they’ll do what they need to do, like changing the numbers on the financial statements or hiding something from management.  

Some situations see employers starting and not being able to stop. For example, they had the intention to pay the money back. But unfortunately, in my experience, if you do it one month, you’ll likely keep doing it, and it will turn into two months, three months, four months, and it gets bigger, bigger and bigger. And, once you tell a lie, it’s hard to keep the lie going. So the story has to keep playing out. And they’ll continue to find ways to rationalise it.  

But it all goes back to your employees. If I look back at some of the fraud cases, it just gets handed down from one employee to the next. And it just gets tighter, better and bigger in terms of what they’re doing.  

Absolutely. Look, control measures are only as good as the way that they are enforced. The minute you take a shortcut, the control falls over, and an employee override steps in. A common example would be sharing passwords – you’re just opening the door and providing the opportunity for fraud to happen. 

The fraudster might need the money, and the pressure kicks in. And then they’ll rationalise it by saying that it’s your fault for giving them the password.  

Sure, there are the financial consequences. But ultimately, big organisations can often get over losing a million dollars. That might sound blase, but these companies often expect to have a certain amount of leakage. The real loss is the loss of reputation and the impact on the share price, which essentially impacts your board of directors, employees, customers and talent pool.  

The second big impact is the distraction it causes to the organisation. The response to the issue must be as complete and thorough as the issue itself. And this is because the organisation is judged on how they respond and the quality of the investigation rather than the event itself.  

For example, for large US organisations, often the penalties that come from corruption and fraud events can be a lot higher in terms of the transparency of the fraud, and the investigation that was conducted: 

• Did they have the right accounts in place? 
• Were they recording things correctly?  
• Did they have a thorough investigation process that was objective and independent? 

How you are going to respond to it is the key to good management. You need to have an independent team auditing, reviewing and investigating the fraud event. You need to protect the employees that come forward and have a plan for that. And make sure that you don’t end up investigating the fraud yourself. The finance department and the legal department should stay out of the investigation.  

So, it’s important to have a thorough and sound process that will allow you to get to the bottom of the matter without fear and with acceptance of the results that will come out of the investigations. And often, that’s more important than the issue itself. 

Look, if you think something is wrong, it’s most likely because there is something wrong. So always follow your gut instinct. I often say to employees that the standard they walk past is the standard they accept. So, you have an obligation to report your observations truthfully and factually, and this way, you’ll be protected and free from any criticism.  

There are whistleblower protection laws in Australia to assist people in making protected disclosures or referring matters for investigation. There is also a raft of mechanisms that allow you to report fraud events anonymously. You can do it via a hotline, by an email to the ethics officer, general counsel, CEO or CFO.  

Put it in writing, put it out there, be very factual, and engage in the process to give them the required information. 

But there’s often a fine line between someone making false allegations because they have an axe to grind and allegations that are clearly true. And regardless of what it is, the personal impact toll and stress you see on the employees cannot be underestimated.  

If your employees have an axe to grind, they’ll get fixated on it and just want to bury everyone. It goes very wide between fraud, bullying, harassment, and misconduct to doing something that’s occurred that they feel grossly aggrieved of and disconnected from the organisation. 

Look, I’m certainly not going to be explicit in naming individuals and companies. Anyone who does their research will join the dots, and I’ll leave that to them if they are interested in it. But the thing about a lot of these fraud cases is that they do become public. And it becomes public very quickly because of social media and the court reporting process.  

Often I’ll take on an investigation, and I might work on a substantive matter for a period of months that culminates in a report to the police, authorities or the regulator. That then typically culminates in a court case.  

One of the investigations I worked on involved a startup IT company that worked on an invoice financing scheme. They had great growth and aspirations but didn’t have the processes to understand what was going on in their organisation. Invoice financing is essentially where you invoice a bank for $1,000, and they pay 90% of the invoice and keep 10% to pay at a later stage.  

The issue came up where they ran out of money and kept recycling the same invoices that had already been financed. Or they created false invoices for financing. It became super messy and extremely complicated. There were large sums of money involved. But unfortunately, it culminated in a court case, and the perpetrators served a custodial sentence for several years based on the financial advantage by deception that had entered. So our work becomes very important in quantifying all of the fact documents and all of that. 

The company went into receivership and was liquidated. 

The first would be to profit from the misfortune of others. And by that, I mean, learn lessons from your peers. Whether you’re a charity or a listed company, if fraud is happening over there, it’s probably happening here too.  

Fraudsters often follow organisations within their cohort, or fraud schemes often replicate through different industries at different times. So it’s important to keep abreast of what is going on around you and within other similar organisations.  

My second suggestion is around culture. It’s important to allow your employees to engage in the process of identifying fraudulent activity. Break down the barriers and have a holistic discussion through things like fraud risk assessments. Engaging your employees could be as simple as discussing your organisation’s plan for dealing with fraud or conducting a survey.  

For example, you could ask them if anything has made them feel uncomfortable over the last two years. Or if they have ever felt pressure to implement a certain transaction or do something that goes against their principles. You’re not on a witch hunt or a fishing expedition, but you’re engaging with your employees and showing that you actually care. 

My third suggestion is around training. Training is not only proactive around identifying and managing your expectations but can also help you respond to things when they go wrong. How did it happen? What happened? How did we find it? What was the impact on the individual in the company, and how was it resolved?  

You also need to consider data. All of the banking is electronic now, and everyone uses email. So as soon as you touch a keyboard, it’s there forever, whether you like it or not. Social media also plays a significant role. I can see what you’re up to, I can tell where you are today, I can tell what you had for dinner last night, and I know who your friends are. So use it to your advantage because that will give you the markers of where the action is and what issues you may have.  

For small organisations, it could be as simple as matching your employee payroll bank accounts to your accounts payable and the bank accounts you’re paying your suppliers with. And if I could tell you that you’re paying an employee to a Commonwealth Bank Account 123. And you’re paying a supplier to the same bank account, Commonwealth 123; I reckon you’d work out that you have a problem pretty quickly.  

So harness the data that’s in front of you to help detect fraud and prevent fraud. 

Cybercrime is the future of fraud, whether we like it or not. If I can extract hundreds of millions of dollars by sitting in my living room, anywhere around the world, that’s a great work environment for a criminal. And that’s the reality of it. Everything is electronic now.  

When people talk about cybercrime, I often say, “If large financial institutions and organisations can spend hundreds of millions of dollars on detection, why does it keep happening?” And that’s because the cybercriminals are ahead of the game and have got the upper hand.  

We do a lot of cyber work, and the outcomes of the crime often astound me. The cybercriminals get in now and can mimic your voice so they can take that phone call and orchestrate the fact. They can access the CEO’s diary and time their crimes perfectly. They have the whole organisation at their fingertips.  

Cybercrime is evolving beyond just taking money. Cybercrime ranges from ransom and privacy of information to leaking information to the dark web.  

Yeah, it’s pretty simple: trust your gut instinct and don’t let it go. If you feel like something is wrong, something is wrong until proven otherwise. And if the story is too good to be true, then it’s too good to be true. Money doesn’t just fall out of trees. So, don’t be sucked into the story, the justification and the mitigation. 

Having said that, you have to have some level of trust and accountability within your organisation. But, you absolutely have to expect that it’s going on right underneath your nose, and you’re not just finding it. So set the controls, do the monitoring, and do the groundwork to build the culture, the systems, the controls to give yourself the best chance of protection.  

And then lastly, whether you like it or not, there’s not a lot of time to plan for these reputational events because of social media. Everyone is going to know before you know. So you need to plan way in advance about how you would respond as an organisation. And that’s super relevant for not-for-profits and the charity space. No one wants to be associated with a charity with contentious issues that are reputational – regardless of whether the information is true or untrue.  

So preparation practice and thought are key because it will happen. 

• What was your first job? Working at a news agency for my mom and dad.  
• What’s something interesting that is not on your CV? I have a twin brother, and my older sister and brother are also twins. So there are two sets of twins in the family.  
• What advice would you give your eighteen-year-old self? Play the long game, not the short-term game. Gathering experience along the way is a journey, and you have good days and bad days. But as long as you’re learning, you’ll get to where you want to be. And just have some patience. I didn’t have patience. But I wish I did. Because the career path is there. The support is there. The mentor is there. Just play the long game and be around and stop expecting everything right now and pushing too hard for that to happen.  
• What book is a must-read, or what movie is a must-watch? Definitely the Blues Brothers. I watched it 30 years ago, and I watched it last weekend in lockdown. It lifts the mood. Those guys are pretty cool. And you know, every time I watch it, there’s an underlying theme or something that comes out that you haven’t seen no matter how many times you have seen it.  

• What’s a job for the future that doesn’t exist today? Probably psychology for robots or AI machines that are working too hard. Because that’s the future, everything’s going to be driven and automated by technology. It might be space travel or public taxis around airlines and helicopters. I don’t know. But whatever it is, I don’t think anyone’s going to predict it. Because it’s so dynamic. Things are changing so quickly. We can’t predict the future, but it will present, and we’ll see what happens.