Turnaround Talk: Ep01

Fraud: When the Tide Goes Out

My name is Kate Foy. I’m a Principal at Olvera Advisors in the Government Advisory practice.
My name is Robyn Karam. I’m a Principal at Olvera Advisors, specialising in forensic accounting and insolvency services.
I’m Paul Curby, a Partner with Curby McLintock, and we conduct fraud and corruption investigations, as well as fraud risk management.
Hi, I’m Scott McLintock, a Partner at Curby McLintock, and I specialise in fraud and corruption investigations and whistleblower hotlines. 

Welcome to Turnaround Talk, a podcast where we explore a range of issues affecting business across Australia.
This is our very first podcast, called When the Tide Goes Out, and it’s a focus on fraud. 

My name’s Kate Foy, and I’m joined by a panel of wonderful experts:
Scott McLintock, who’s an expert in regulatory enforcement, fraud identification, and investigation strategy.
Paul Curby, a veteran investigator—veteran doesn’t kind of… does that say anything about your grey hair?
No? Probably does. Silver bag… Silver fox.
Paul Curby, a veteran investigator with decades of high-stakes casework and recovery expertise, with a focus on investigation and risk management. 

And Robyn Karam—Karam? Robyn, how do I pronounce your surname properly?
Karam. 

Robyn Karam, a specialist in insolvency, forensic analysis, and governance failures.
Robyn and I work at Olvera, and the delightful Scott and Paul work for Curby McLintock. 

If I could also acknowledge that we are on the land of the Gadigal—
So this podcast is recorded on the land of the Gadigal people of the Eora Nation, and we pay our respects to Elders past and present, and thank them for the care of the waterways, lands and skies. 

Let’s talk a little bit about the context.
It’s not just a back-office risk—fraud.
Fraud is a structural, cultural, and leadership issue affecting public and private sectors alike. 

It’s not obvious. It doesn’t come up and bite you on the bum.
Sometimes we are finding that it’s gone on for quite some time before anyone really notices.
So we want to talk a little bit today about what happens behind the scenes—
Where fraud can grow, and what we might do to arrest it. 

We know that it’s costing businesses—
Around 5% of revenue goes to fraud.
And this is a multi-billion-dollar issue in Australia alone. 

If I could kick over to my friends—
We’ve talked about fraud not being a back-office risk. It’s structural, it’s cultural, and it’s all about leadership. 

Robyn, how does fraud begin, and why do people think it’s rare until it happens to them? 

It’s an interesting question because our perceptions of fraud can be that it’s quite complex, deceitful, and potentially evil.
And those perceptions—particularly if they’re informed by the high-profile cases that are splashed all over the media or have their own Netflix series—
Can overlook the idea that fraud can begin with a simple act. 

It can also cause us to believe that fraud is not very likely to occur to us, because there’s a belief that it happens to other people. 

What I find is that fraud can—and often does—begin with small, seemingly inconsequential actions: a misuse of a corporate credit card, company assets, or a minor error in reporting. 

Those small deviations can create loopholes or opportunities for bigger issues to develop.
It’s always important to consider the slippery slope to fraud—
The potential for relatively minor ethical violations to escalate or snowball into something more serious, and ultimately, serious fraud. 

Because once a pattern of fraudulent behaviour begins, it can become increasingly difficult to stop. 

I can understand why people consider fraud to be rare.
The reality is, fraud by its very nature is intended to be hidden.
The purpose of the perpetrator is to conceal the fraud, and it’s often overlooked by the victim until the fraud itself is uncovered. 

With the evolution of technology—and the speed with which it’s changing—together with the increasingly busy lifestyles people are leading, individuals can overlook or fail to recognise the warning signs or increasingly suspicious behaviour. 

They can also misunderstand the extent of it.
I find that unless and until fraud is uncovered, the true extent of it is not identified by individuals—
And we often misunderstand the extent to which it’s occurring. 

Great. Thank you.

Scott, we’ve talked a bit before about the fraud triangle—opportunity, motivation, rationalisation—and how today’s economy can make these conditions particularly ripe. Can you talk to us a little bit about that?

I think the fraud triangle…
I think of late, with the economic circumstances people are facing, the motivation to exploit weaknesses in control is higher. 

We’ve had 13 rate rises in a row.
Then we’ve had a couple of rate drops of late. 

But Paul and I are very much of the view that fraud is the sleeper in the wings. 

In an organisation, if the controls are poor, that provides the opportunity for people to perpetrate fraud. 

The motivation—for example, high cost of living expenses—is what drives some people to exploit those controls where they otherwise wouldn’t. 

Then there’s the rationalisation component.
In a low wage growth environment, the rationalisation might be: 

“I’ve been working my arse off for a long period of time here. I haven’t had a pay rise. I haven’t got a bonus. What? I’m entitled to this.” 

They exploit that opportunity. 

That’s how fraud can present itself. 

And typically, it’s the opportunity that organisations have the ability to control.
It’s about looking at the control environment—what controls are in place to prevent fraud from occurring—and going from there. 

A lot of the work that we do is around fraud prevention:
Identifying control weaknesses and implementing strategies to try and plug those gaps. 

Then we often get called in where fraud occurs—
And we’re having to investigate, unpick it, and then do a root cause analysis to identify how it occurred. 

And then putting in remedial steps to ensure that doesn’t happen again. 

Clean up the mess.
That’s right—clean up the mess. 

I think the recent federal election has shown that cost of living was the number one issue, followed by healthcare and other areas where cost is a major driver. 

Anyone who understands today’s context and the economic pressures that families, individuals, and companies are under should be very alert to the opportunity that presents for people—and the rationale and justification they might use. 

That’s right. And picking up on what Robyn said before—it starts off as a small thing.
It might be the case that someone can’t pay their mortgage this particular month.
They’ll go, “Look, I’ll borrow some money,” and then that perpetuates.
The next month comes around, and they still can’t pay the mortgage again. 

You see that with gambling, or with people who have drug addictions—
They say, “I’ll borrow some money here,” and then before long, the extent of the fraud is massive. 

There have been a number of instances where you go and speak to the fraudster at the end of it, and they don’t realise how big the fraud is.
They’ve lost track of how big it is. 

They go, “Really? Is that the quantum of it? I thought it was a small amount.”
But to Robyn’s point—it gets bigger and bigger. 

And the longer it goes on, statistics show that the bigger the fraud is going to be, obviously.
People are emboldened by the fact they haven’t been caught.
They go, “I’ll take a little bit more next time. A little bit more.” 

And then it becomes a massive issue.
Do they justify it with, “You fools haven’t caught me yet, it’s on your head”? 

It’s funny—there’s often a sense of relief when people say, “I’m glad you’ve caught me.” 

I don’t know if it’s necessarily about, “You haven’t caught me yet.”
I think the rationalisation component there is not, “I’m doing this because you haven’t caught me.”
I think it’s more around the motivation—which is to feed whatever it might be. 

Then the rationalisation comes in with things like,
“I haven’t got a bonus,”
“I haven’t had a pay rise.” 

I haven’t personally come across someone saying, “You haven’t caught me yet.”
Have you? 

No, I haven’t. 

But you think about those opportunities…
From my own experience—after I moved back from Singapore to Australia, I was still travelling extensively. 

I had a Singapore Amex card, and I was claiming my expenses using Singapore dollars, but I was supposed to be claiming in Australian dollars. 

I was putting in these claims over a month, and to my horror, I realised I was claiming in Singapore dollars but being reimbursed in Australian dollars. 

I’m glad that I caught it myself first.
I could proactively tell the organisation, “I’ve made an error here—I owe you 500 bucks,” or whatever it was at the time. 

But those little opportunities, where people might not pick up on that, could be exploited.
They might go, “No one’s picking up on it—I’ll keep claiming.” 

But if I’d been queried on it, it would’ve been very embarrassing for me, given the job that I do—
Right. But it was an innocent mistake.
I caught it myself and I fixed it up. 

Career-limiting? Maybe not career-limiting, that one. 

If I could pick up on something Scott said earlier—about the relief that people feel when they’re caught—
My experience is that if people are coming into fraud with—let’s put the fraud triangle into perspective—and they’ve decided to commit a small act,
Their intention, my feel, is not to commit a significant fraud and get away with it. 

Their purpose is often limited to, 

“I need it for purpose A, B, or C. It’s going to be a short-term thing, and then eventually I’ll put it back.” 

It’s the fear that they’ll get uncovered before they get the chance to rectify the situation or correct whatever it is they’ve done.
I haven’t come across individuals whose sole purpose has always been to defraud—
They do exist, I know that. But I would say they are more the exception rather than the norm. 

I’d say that if we accept that fraud is more common than we think, then those circumstances are typically by people committing what they consider isolated acts—
Ultimately with the purpose of rectifying the fraud they’ve committed. 

And I think that helps with the rationalisation piece: 

“I’m only doing this for this specific purpose, and once I’m in the correct financial position—or whatever issue I’m facing is resolved—then I’ll put it back. I’ll make good.” 

And that’s how they rationalise it in their own mind. 

How interesting.
In terms of these different mindsets going into it—
You’ve got a criminal mindset: absolutely intent. 

And then there’s another mindset which is about relieving oneself of one’s own difficulties.
The intent to steal isn’t always formed at the first stage. 

The intent can come later—
Correct. As you said, they start out with that justification, but as they realise that no one’s querying it,
That’s when that intention might change. 

How interesting—from a kind of criminal psychology point of view. 

Which leads me to a question for you, Paul—
We’ve talked about the pressures, particularly cost of living, being one of many motivators that can lead people down the slippery slope to fraud. 

Why are senior executives often the source of the most damaging fraud? 

Senior executives, by their nature, have access to everything.
They can control the environment in which people are operating.
They have their reporting lines; they can control people. 

And most people, if you think about it, want to do what the boss says.
Some people will sometimes compromise their ethics and values and not query something when they should. 

That comes down to organisational culture—
We’ve seen organisations where a whole C-suite has been involved in fraud instigated by the CEO—
In concert with each other. 

We’ve seen that. 

And clearly, there’s a compromise to the culture in that organisation,
Where even the C-suite weren’t prepared to block the Chief Executive from enacting particular frauds. 

They have access. They have control. 

And if you think about today’s environment,
Where—depending on whether it’s a publicly listed company—there are quarterly reports, earnings reports—
Everyone’s trying to make shareholder profits. 

They’re trying to do more with less. 

To some degree, automation or AI might fix some of that,
But you’ll often hear of people in organisations that are very stretched in terms of monitoring compliance and accountability aspects. 

And when they’re stretched—and we’re living in an age of information overload—
There’s so much information coming in, and people are just trying to get their jobs done,
That they might forgo the accountability aspect and let it go through to the keeper. 

The CEOs know how to get around the controls.
They can dictate the controls.
They might reduce oversight in certain areas, so the particular fraud being perpetrated is not identified. 

They’ve typically got the biggest delegation—
Sign-off authority. 

And by virtue of that, the size of the fraud can also be bigger. 

Picking up on one example—
We had a matter recently where a CEO was committing expense card fraud. 

And what she had put in place was people around her submitting expenses on her behalf.
She was signing off on her own expenses. 

It was a circumvention of control.
The Chair of the Board, who was meant to have oversight of her expenses, wasn’t signing off—
Didn’t have optics—
And she was able to perpetuate this fraud. 

To Paul’s point: because the CEO said, 

“I want you to do this,”
They were doing it without questioning—
And then they were signing off on the expenses—not her own expenses. 

Do you find in those circumstances that people are either very clear that there is fraud occurring by their superior,
Or they’re concerned but don’t do anything about it,
Or they’re kind of—not oblivious, but they stick their head in the sand? 

It’s a cultural thing. 

If there is a culture of speaking up, then that is less likely to occur. 

But you typically find in those circumstances that there’s an element of bullying,
Or some type of coercive control taking place. 

If you don’t adhere to the way in which the senior person wants you to operate,
Then they make your life pretty difficult in the organisation. 

People tend to conform to avoid that bullying or coercive conduct. 

It takes a big person at a senior level. And when you look at where fraud occurs, the biggest frauds are often perpetrated by people between the ages of 40 and 60. 

Now, why is that? Because they have a lot of financial pressures. They’re putting kids through school, they’ve got mortgages to pay. 

And when you’re at that age, getting a job in another organisation at a senior level can take six to twelve months—or longer. 

You can imagine having to decide whether you’re going to push back on something that you think is wrong, with the potential of losing your job or being restructured out, and then thinking, 

“I’ve got a $10,000-a-month mortgage to pay…” 

Do I keep quiet, stay out of the limelight, and hope for the best? 

The risk is very high on the individual. 

I think this leads us into a really good discussion around how we detect fraud, what the red flags are, what controls can be put in place, and what should be our immediate response once it’s detected. 

Let’s lean to you, Scott—what are the behavioural red flags that most fraudsters show before they’re caught? 

I think one of the typical things we ask for if we’re doing an investigation is to look at leave records. 

It’s quite common for someone who’s conducting fraud to never take leave.
The reason for that is, if they take leave, someone has to come in and do their job—and might ask questions, and then uncover the fraud. 

That’s one aspect. 

Another red flag is someone who’s living beyond their means. 

Now, that doesn’t necessarily mean they’re a fraudster, obviously—
But if they’re on a relatively low wage and living like a king or queen, that might be a red flag. 

Especially if that change happens suddenly. 

Now again, we’ve seen instances where people have come into money from an inheritance or other means—
But it’s still something to flag. 

Going back to the original point—an unwillingness to accept oversight.
You’ll typically see behaviours like aggression, bullying or intimidation when someone gets too close or starts asking questions.
They’ll act aggressively toward that individual. 

Where a senior person is doing it, that plays out as a power play: 

“I’m the boss—you do what I say.” 

That’s another red flag. 

Data analytics, for example, can identify circumvention of controls.
By doing proactive work, you can identify potential fraud. 

For example, if someone’s delegation limit is $10,000 and you see a raft of transactions just under that amount—especially to the same or similar suppliers—that’s something to query. 

There are different things you can proactively identify. 

And I think a big part of it is having an effective whistleblower hotline.
That gives people a mechanism to speak up securely and confidentially. 

But having a hotline isn’t enough—you have to act on the reports. 

We offer whistleblower services.
We can implement a hotline and handle the assessment and triage. 

Very early in the conversation with a client, you get a sense of whether they’re doing it to tick a box—
Or whether they have a real passion and understanding about the value of whistleblower hotlines. 

Can we talk a bit more about that?
Let’s unpack it as a really important control. 

Because we hear a lot about whistleblowers, and we know there’s legislation in certain contexts to protect whistleblowers from retaliation. 

Curby McLintock provides a whistleblower phone service—is that an end-to-end service?
Can you tell us a little bit about that? 

We did some research when we were looking at implementing a whistleblower offering. 

A lot of people immediately go to a phone line, but from personal experience, phone lines have several downsides. 

People are often reluctant to speak to someone because they’re worried about their voice being recognised.
And typically, you only get one opportunity to speak to the individual—because they’ll call and tell you what they want to tell you. And if the people receiving the call aren’t adequately trained, or you miss asking the right question, then later, when you reflect on the notes, you might think: 

“I really should have asked that question.” 

But where do you go then? Unless they’ve provided a phone number—which they rarely do—it’s lost. 

We’ve partnered with a company called Wily that provides an online platform. 

The reason we did that is because Wily provides a secure mechanism for people to speak up in a truly confidential manner. 

You don’t need to provide an email address or anything like that. But it allows you, in your own time, to make a fulsome report. 

And we find—that’s the other thing with phone lines—people are nervous on the phone that they’ll forget information. 

Whereas if they’ve got the time to sit down and get on the computer and be considered in their response, they give a far more fulsome version of events. 

Wily also allows you to have two-way communication. 

It’s basically a Microsoft Teams-style chat—instantaneous. You can upload videos, documents. 

You get a far more detailed report from an investigative assessment point of view. You’re able to determine: 

“Is there something here?”
“Is someone just blowing off steam?” 

That’s one of the challenges when you’re doing assessments via a phone line report—you typically only have the initial information. 

Same with email. People will create a dedicated email inbox to report fraud, but they’ll never check it again after sending that first message. 

The Wily hotline, which is an online platform (and has an app), allows for ongoing two-way communication. 

You get a notification, and the whistleblower is prompted to go back online to respond to further questions. 

And who’s at the other end of that message?
Us—Curby McLintock. 

The client can choose to run the platform themselves, but if they want independent expertise, they engage us. 

And the reason clients typically do that is because—say Kate Foy is the person receiving disclosures, but Kate is also the named person in the report—
Then you’ve got an inadvertent disclosure. You become aware of a report made against you, which shouldn’t happen. 

Having someone like Curby McLintock in the middle allows us to conduct that assessment and triage accordingly. 

We’ve had instances where the responsible person at the organisation—the person in charge of receiving reports—was the named respondent. 

In one particular case I’m thinking of, it was a board member. 

Which makes sense, considering the earlier discussion about the propensity for executives to commit fraud. 

In that instance, we had to escalate the report. 

There was an escalation protocol in place, and it was escalated to the chairperson. 

The chair then created a subcommittee with other board members to act as the independent decision-makers regarding the concerns raised against their fellow board member, who had been reported via the platform. 

And I imagine also that the complainant—the whistleblower—might be concerned that the information they provide could be enough to reveal their identity.
Correct. And that’s the other downside of using email. 

If an email goes to an executive, well, typically executives have someone else with access to their mailbox.
If it’s a confidential report sent to an executive, you risk an inadvertent disclosure—and the integrity of the process is compromised because an EA or someone similar may have access to those communications. 

We’ve seen some organisations where, although we haven’t handled the triaging of the complaint, we’ve been engaged to conduct the investigation. In these cases, the executive leading the organisation has been more concerned with finding out who made the report than whether there was substance to the complaint. 

The benefit of outsourcing this—if you don’t have that internal capability—is objectivity. 

We operate across multiple industries with years of experience. The value we bring in triaging complaints lies in offering a dispassionate view: 

“This is the information—how does it fit into the organisation?”
“Is there merit in the complaint or not?” 

As an example: a number of years ago, we were engaged by an organisation that had received a complaint internally. The board’s knee-jerk reaction was to immediately launch an investigation. 

They had identified potential persons of interest and declared, “We’re launching an investigation.” 

We were brought in. I joined the second half of the investigation, which was being conducted in another city. 

When I reviewed the actual three-page letter of complaint, there was no fraud in it. 

It was a gripe—nothing more. No one had taken the time to properly analyse the complaint from a triaging perspective. 

That organisation ended up spending $400,000 on investigating a complaint that never should have progressed to that stage. 

What other controls can organisations have in place?
Yes, you need triaging—so that your response level is proportionate to the information available. But what else? 

Segregation of duties is a simple and critical one.
No single person should have the ability to both approve and pay. 

A strong example that comes to mind was a community health provider we were engaged by. The CFO was charging exorbitant accounting fees and circumventing controls. 

They had implemented a control system requiring dongles (security tokens) allocated to certain approvers, with two signatories needed for payments above a certain threshold. 

But what the CFO did was say: 

“You guys are travelling a lot—give me your dongles and I’ll take care of it.” 

The CFO was raising invoices and then approving them using other people’s dongles. 

What’s on the dongle?
For banking approvals, it’s a device requiring a unique PIN. 

I might have one. Paul might have another. For a two-signatory approval, I would use mine, enter my PIN, and Paul would do the same with his. 

But in this case, one individual had all the dongles and passwords—and could approve payments without any oversight. 

All this was under the guise of “trying to be efficient.” 

Dongles are supposed to be a two-factor authentication tool, which is one of the best forms of internal control available.
But of course, it can be defeated if someone says: 

“Just give me your 2FA—I’ll take care of it.” 

That’s the trusted insider risk.
And it’s a major one for organisations. 

What controls can you have around that? 

I want to pivot now to Robyn, because when you do forensic reviews—what are the first signs that something isn’t right? 

Well, I suppose when I’m asked to conduct a forensic review, I always try to take a step back and assess the overall situation. 

Often when I’m engaged, I’m handed a bundle of documents—sometimes reluctantly—either through a subpoena or as part of a mandatory disclosure requirement. 

The first thing I do is evaluate the completeness of the information I’ve been provided. 

Because in my experience, it’s quite easy to dig straight into the information you’ve received and immediately get distracted by what it appears to be telling you, but I find that if you take a step back and ask the question, what am I not being told? What am I missing here? What have I not been provided? — that gives you clues and pointers in certain directions. 

Picking up on a point that Scott made earlier about people going on leave — two of the cases that I’ve looked at were as a result of the perpetrator dying. And the fraud spills out thereafter. 

Accounting records, in and of themselves, do tell a story. And it’s being able to recognise what story is being told. You’ll often find there are gaps in the information or inconsistencies between source A and source B. And those are the first warning signs that something’s not going right. It’s not being presented in the way it should be, or it’s being misrepresented. 

Typically, I always try to make sure I have as much information as possible that helps me uncover what has truly gone on here — not what I’m being asked to believe has taken place. 

Typically, I’m engaged in an insolvency context where the fraud’s taken place. 

It’s interesting, because sometimes it’s a straight-out liquidation, and we don’t know that a fraud had taken place. 

There was one where I was appointed as the liquidator. And it comes back to our point about why people commit fraud, right? 

In the instance I was looking at, it was a tax fraud — and it was genuinely a scheme. It was a scheme from the outset. The company was set up with the purpose of basically committing GST fraud. 

And it went uncovered for about 18 months. A significant amount of GST was claimed back, and we uncovered that after having accepted the engagement — not knowing there was fraud there. 

In the cases I see, there’s clearly a situation where there’s a pool of money, there’s a deceived party, and the entity putting in the money could be anyone. 

It could be the ATO. It could be the general public being brought in under a scheme. Or it could be shareholders being deceived. 

But these are the common facets: There’s a pool of money that’s come in — from whatever source. There’s a misuse of those funds. And there are people who have, in essence, been victims — taken advantage of. 

When we get involved, it’s typically after that fraud has occurred — and we’re trying to unwind it as best we can, and recover what we can for the victims of the fraud. 

Because it’s such an important point — when you’re reviewing documents in front of you: What is it not telling me? 

That’s often overlooked. And clearly not with you — but evidence of absence is not absence of evidence. 

It’s about knowing that if it’s not telling the full story, there must be documents somewhere that can be recovered. It’s about knowing where to look. 

Yes — we got a civil search warrant a number of years ago, engaged by a law firm. It’s called an Anton Piller Order, which is a civil search warrant that the court issues. It requires supervision from a court-appointed lawyer. Then both parties will have their own lawyers — there are a lot of lawyers involved. 

But basically, you have the right of entry to go and search the premises for evidence. 

I remember we were in one particular place trying to find documents, and one of my staff happened to chance across a hidden doorway. She pressed a button — it wasn’t a doorway, it was the ceiling. A staircase came down from the ceiling — and you couldn’t see it if you looked up. 

But all of a sudden the staircase came down. She pressed the button — everyone was in shock. 

We went up and had a look — and there were boxes of evidence in a hidden part of the attic. 

That’s something out of a movie. It was quite hilarious, really. 

Why would someone committing fraud retain records? 

If you’re telling the truth — I’ve got a fireplace at home. I mean, if it were me… 

But seriously — if it’s a complicated fraud… 

If you’re doing something legitimately, you don’t need to remember as much. Because the truth is the truth and it sits in your memory, and you can retrieve it. Sometimes you need a nudge based on something, but a truthful person will be able to recall what happened. But if you’re committing fraud, then if it’s complicated, you need to keep some record. Because if you get advance notice that you need to give evidence about something, you might need to refresh your memory about the fraud that you’ve committed. You might need that record somewhere that you can try and refresh your memory. Go, that’s what I said five years ago. This is the document that I relied on. 

Is there anything kind of trophy…? The documents being a bit of a trophy? 

I don’t know if it’s a trophy or a psych… or is it self-preservation? 

Self-preservation. Bernie Madoff is a good example. They had the nice floor and the client-facing floor, which was all pristine. And then two floors down, they had where all the records were kept, in a smoky… if you believe what the movie depicts, on one computer. 

The Netflix wasn’t on one single computer or something? 

No. There was a whole heap of books and records. But we had a matter where we were looking at bank records. And you typically look at the larger amounts to start with. And then we identified a very small amount that was a repetitious transaction, and it ended up being a storage shed or a garage in a storage facility. That was… by identifying in the bank statement the monthly payment. We went… 

And what was the size of the payment? 

The monthly payment? It was 60 bucks or whatever it was. 

And you were looking… what was the size of the payments you were looking at? 

Over 15… or it’s typically over 10. It depends on the quantum and the scale of the matter. But you typically set a threshold. It might be over $5,000 or $10,000. But it was doing that analysis of repetitious transactions that identified there was a storage unit. We got a search warrant for that and identified a whole heap of documents relevant to the investigation. 

Why is it after you’ve identified a fraud, why are the first 48 hours critical? 

The first 48 hours are critical because typically you want to secure the evidence; that is really why. And in our experience, if you get that first 48 hours wrong, it can destroy the investigation from a provenance of evidence point of view, etc. You want to make sure that you have a plan in place. You obviously have a very tight need-to-know list. That means that you have less risk of communicating the potential offence or the potential investigation that’s coming forward. You need to identify sources of evidence and secure those quickly. There might be a need, for example, to disable someone’s access to systems remotely, so that they can’t come in and delete stuff on your server, things like that. Having an investigation plan is really critical in that first 48 hours. Securing the evidence. And then getting people out of play if necessary. And there’s obviously a fine balance there around telegraphing the investigation that’s forthcoming. But you also need to remove people — be that through access or suspending them and setting them aside pending the outcome of the investigation. 

A lot of it on that first 48 hours is if the person of interest is being tipped. It’s less important if it’s been uncovered behind the scenes and you’ve got a bit of time to gather the evidence discreetly. And then work out what evidence could be at risk of being jettisoned from the organisation. But it’s not a hard and fast rule. 

No. I think in my experience, if you get in there in that first 48 hours — basically, we acknowledge that fraudsters keep some records. They have to keep some track of what they’re doing. And hopefully if they haven’t been tipped off, they haven’t had a chance to correct it or to alter it or to cover their tracks. Or simply delete it. And the aim and the intention would be to try and secure the unaltered evidence and get the entire picture as best we can. Failing that, you’ll have to reconstruct the evidence you do have and try and understand what’s happened. Now, it’s not to say you can’t do it — the preference would be in that first 48-hour period securing everything we have. 

And there’s also other issues around, in organisations today where people have a Bring Your Own Device policy, which makes it difficult from an investigative point of view. Because if we are going in on behalf of the organisation, we can take people’s laptops, their issued mobile phones, and we can do what we need to do from a forensic point of view with that. But if it’s BYOD, the person can say, no, you’re not taking my device. That is my computer. That’s my phone. And it really… I’ve seen or experienced many instances where that has been a massive obstacle to us uncovering what’s happened. 

From a fraud prevention point of view, while there is a cost to the business to issue things like laptops — because in part, it’s a cost-saving device to have BYOD — but you then increase your risk if things do go bad. 

Can you talk us through, Paul, what does a professional investigation look like? What’s the kind of stages and phases, typically? 

Look, I think first of all, you’ve got to look at what’s the industry. And we have touched on it already with a couple of these things about how to go about it. But really, it’ll come down to what’s the industry that you’re looking at? What are the things that are at risk that you can quickly mitigate? Potential loss of evidence, destruction of evidence. 

Once you understand what the fraud that has been alleged is, then you can get your resources ready to deal with it. That could be a computer forensic IT specialist that can go in and image a server or image a laptop or a phone. Data analytics. You’ve got your investigators. You’ve got your forensic accountants who can work as a team to uncover what has happened from a factual perspective and gather the evidence. 

Having those things in place — that when you assemble the troops, you’re ready to go. You can go into the organisation and effectively uncover what’s happened. 

But there’s a lot of liaison that needs to happen with the organisation because invariably, witnesses go off sick. People take leave. You need to be, from a logistical point of view, armed with all the HR information that you might need to identify what are the assets that we need to recover, where are the people now, can we get access to them? 

I think with the person of interest, one of the early things we look at is what’s that person’s sphere of influence? Let’s… and I don’t want to pick on a CFO here, but let’s say it’s a CFO. I would be looking at — if it is the CFO — who has that CFO hired in the last three to five years? And how close are they to that person? 

Because if we go back to the example we gave before where there’s been a whole C-suite involved — that’s the issue that you need to be aware of. That we don’t inadvertently speak to a person that the CFO has hired thinking they’re a potential unbiased witness, but they now become someone with a vested interest to protect that CFO. 

Looking at that sphere of influence and then working out our strategy to deal with that and possibly the sequence in which you would interview people — because clearly you don’t want to compromise your investigation. 

Yes. 

Because we had an example where there were multiple POIs, and even if it’s a work-issued device, you’ve got people working from home a lot. 

If you sit there on a particular day and say, we are going to collect the devices for the purpose of evidence preservation—we want to get a phone, a laptop from these people, we want to forensically image that—you choose a day, you go into the office, and they’re working from home. Right? You might get one person, but the other three are working from home. 

You’ve got that issue where the other person telegraphs to the other three, “Hey, they’re after your stuff.” And by the time you make arrangements to get the phone or the laptop, all of a sudden it’s set to factory default, for example, and the evidence is gone. 

There’s a lot of work—and there was one last year we did—where there was a lot of time, we had three false starts because people, being senior, ended up being in a different state or a different office, and we had to change the strategy. 

It’s all part of that investigation planning, risk assessment: what do we do if this scenario transpires? We pull the pin and we have to reset. Or, as Paul said, someone goes off sick and they’re working from home. What do you do in that scenario? 

Let’s pick up a few case studies, because this can kind of bring it to life. 

Can I go back to you, Robyn? Let’s talk about your experience around investors and directors and where there’s misuse and misconduct. Have you got a case study you can draw on for us? 

Look, I’ve been involved in a fair few of these, and the investors can be multiple types of parties. I’ve seen it where, for example, the financier is the party that’s taken advantage of. One that does come to mind was one of these debtor factoring facilities. And I suppose the purpose of those is, you raise an invoice to a client and the lender basically prepays that invoice—thereby facilitating cash flow ease. 

The scenario that I was looking at was one whereby the invoices that were being raised were not genuine invoices, but the financier continued to provide funding on the basis that payments were continuing to be made into the bank account. 

There were several warning signs that something wasn’t right because the cash inflows weren’t tying up to the revenue and the P&Ls for the same periods. What we picked up on was that there was a separate bank account into which the fraudulent invoices were being paid. Funds were then being diverted and paid out to the bank. 

It was in this instance where we uncovered the fraud, because there was a death that occurred. There was a deathbed confession, which basically said, “The extent of the fraud is what I’m telling you, and it was committed by me and only me.” And the reason they did that was to try and protect everybody else who was involved in it. 

But what we found was that there was an element of collusion here, and it extended beyond the organisation—because the customers were party to it. They had to be party to it, because otherwise this illusion of the invoices couldn’t continue. 

The financiers have their routine annual reviews where they write to the customers and say, “Is this the valid extent of your debt?” And these parties were saying, “Yes, they are.” When we wrote to these debtors saying, “Look, our records show you owe X, Y, Z—can you please pay up?”—that’s when we started to realise they were disputing that the amounts were owed. 

In their haste to deny that the funds were owed, they overlooked what it was telling us, which was: there’s a pattern here of non-payment of invoices or false invoices that are being generated. 

Gosh. You identified the fraud or potential fraud—what did you do then? You’re the insolvency practitioner? 

In this case, we reported the fraud to the police. I prepared an expert report together with the evidence that we had collated, and we lodged that with the police. We also reported the fraud to ASIC. 

And it’s funny, because—as I say—the fact that the director was deceased may have led people to think that that was the end of it. But clearly all the other parties that were involved had to be reported for their non-compliance as well. 

It was only the beginning. 

Exactly. 

You had a financier that was an innocent party, lending money to the organisation. You had an organisation that was operating both a legitimate business and an illegitimate business. And then you had companies that would issue invoices—and I’m assuming getting some kind of compensation or commission? 

Compensation. And the difficulty is always proving the benefit that these third parties have received. That’s where an element of funds tracing comes in. 

But to your point, there’s a legitimate business and then the fraudsters need to keep some type of record of the illegitimate invoices they’re generating. In this case, there were in fact markers—patterns in how the customers were labelled. Over time it becomes clear. You go through enough of these invoices, you recognise the pattern or the marker that helps you identify, “These are the false invoices, and these are the legitimate ones.” 

And ultimately, you trace the funds. You can see the legitimate funds being banked in the bank account they’re supposed to be banked into, and the illegitimate ones being diverted. The clip that goes to the fraudulent customer comes out, they get their clip, and the residual portion goes to the financier in repayment of the first batch. 

Right. And was there any action taken by the police and ASIC in that matter, as far as you’re aware? 

To the best of my knowledge, the police read our report and were commencing investigations on that one. I lost track on the court action thereafter—I wasn’t called to give evidence. 

Right. And I think that’s an interesting point—around what happens when you identify a fraud. There are provisions in the New South Wales Crimes Act: if you’re aware of a serious indictable offence, there’s a positive obligation to go and report that to the police. 

What reporting looks like could be verbally going and telling your local police—going down to the local police station and getting an event ID, and you’ve met your obligation. Or, as Robyn has done, you’re putting a brief or an expert witness statement together and submitting that to the police. 

And our experience is that if you are doing that work—preparing the brief of evidence, collating the documents, taking it down to the police—Paul, with his ex-law enforcement background and connections within NSW Police, has been able to navigate that. In instances where there has been fraud, going and speaking to someone in person and walking them through the brief is far more successful than lobbing a brief or a verbal report to the police and saying, “Hey, investigate this.” 

And I think there’s probably a mismatch in public expectation versus the reality of some of the stuff with this. Even with ASIC, they’ve got a threshold that they’ve got to meet before they’ll even investigate something. The New South Wales Police have got a—and Paul, you’re better to talk to this than I am—but they’ve got a priority list. 

And fraud unfortunately falls lower on the scale. It requires a special level of expertise. Some people don’t find that as sexy as some of the other matters. It’s not high on the priority list. And unfortunately, how that plays out is that some matters don’t end up getting prosecuted. 

We’ve seen numerous frauds go from organisation to organisation—rinse and repeat, rinse and repeat. Some organisations will terminate without investigating, and that’s how they deal with it. But it takes an organisation to go, “No. Yes, there’s a cost associated here, but that’s against our values. We want to pursue this, and we’ll take it to the police and spend the money to get the brief.” 

They’ll get us to come in and prepare a brief of evidence and a statement of facts to go to the police that they can go, “We can run with this.” 

I’m really intrigued by this notion of a control being culture—culture and leadership. And I know we’re kind of bouncing around a bit, but is it worth pausing to unpack that notion of culture being a preventative measure? 

Culture—both Scott and I have walked into organisations and you get a quick sense as to what the culture may be. Scott touched on it earlier about accountability. But if people have an expectation that they may be held accountable, you ask them about transactions—they’re happy to walk you through it. 

Because they know: if I’m doing a hundred transactions a week and I’m queried on five to test that they’re legitimate, there should be no problem with that. But if people push back on it, you’ve got a problem. 

Why would they want to push back on something they’re doing legitimately? If anything, they should be saying, “Go for it. Here it is. Have a look.” 

That cultural aspect—it is a top-down approach, but it also comes from the bottom up. And the bottom-up is the whistleblowing aspect, where people can hold each other to account. 

Just because someone makes a complaint doesn’t mean it must be investigated, but it’s on the radar. People know that they may be held accountable by their colleagues, and that there is a top-down approach and values that are espoused by the organisation. 

It speaks to the important role of boards, directors, and executives to articulate the values of the organisation, the behaviours that give rise to those values, and a culture that is congruent with both. And it talks about risk appetite. 

Do you see organisations where they’ve had an explicit conversation around what their risk appetite is—that also goes to risk appetite around fraud and corruption? 

I think if you look at it historically, there have been some banking issues—like the BBSW rates in Australia—where traders were, quote-unquote, colluding with each other to set the rate of the bank bill swap rates. 

And there’s a couple of aspects to that. One is that it was a culture within banking and trading, but there was also an expectation of conformance amongst each other—that this is how we’ve always done it around here. Because it’s always been done this way, what’s wrong with it? 

Can you pick up a bit then, around the case study you have with the airline? I know you’ve had a case around airline ticket fraud. Can you talk about that case study, but also pull out some of the observations you’d make about culture in that organisation—both the culture that led to the fraud and the culture that led to it being investigated? 

Because it’s two-sided. 

I would like to touch on the fraud prevention aspect of that, if I could, and I’m happy to talk about the airline fraud. But I want to bring it back to the culture in an organisation. 

If I think back a number of years ago when I was in corporate, the marketing departments would come up with a great idea to go to market, but they wouldn’t risk-check it with the investigation or compliance side of the team—to help determine: if we take this product to market, what can go wrong? How can it be exploited? 

And there were lots of conversations at that time around doing something proactive to stress test the controls that might be in place when that product hits the market. But what organisations, I think, should do more of is the fraud and corruption risk management aspect. 

No one wants their organisation to hit the news around fraud and corruption. And we use the expression that there is a missile in the air at the moment—you don’t know where or when it’s going to land, or how big that missile is in terms of fraud and corruption risk. 

If you want to understand how to prevent fraud, you need to talk to the people on the ground who are processing these transactions every day of the week. They know the loopholes. They know how to exploit them. Luckily enough for most organisations, most people are honest and they won’t exploit it. But often they don’t know who to tell that these loopholes exist and mitigate the risk. We’ve done a number of fraud risk and corruption projects both in government and in the private sector. 

And recently, I was up in Papua New Guinea doing some fraud and corruption risk work up there. And you would think things in Papua New Guinea might be a bit loose compared to Australia in terms of a control environment. But interestingly enough, our findings from that fraud and corruption risk review were that it’s not that much different to what we’ve seen in Australia and elsewhere. 

But being able to talk to individuals, spending some time with them and putting the white hat on—thinking, “These are your top three or four transactions that you might process every day. How can we get around this? What if I, in this five-step transaction, inserted a false document at step three? Would someone act on that false document and make a payment?” 

Those sorts of things—where you look at what’s the value at risk. There’s also a subjective view from the individuals who know the control environment very well, because they’re the ones that may be queried about transactions that they’re processing. There’s also a subjective view about how they rate the likelihood of success of that fraud occurring. 

We go through this mechanism where we identify: this is how I can commit the fraud in the organisation. What’s the value at risk? And what’s the likelihood of success—of the fraud getting through and the money going out the door? 

And then we give them strategies to mitigate the risk—both strategic strategies and quick-fix solutions. 

And invariably—and if I give you an example where I did, a number of years ago, a project in oil and gas in a financial shared services centre where they were pumping billions of dollars through on a daily basis—there was one of three around the world. We did one, and they did it as a risk management exercise to stress test it. 

But I was told, “Don’t worry, we use SAP—everything’ll be fine.” But when we went in there, SAP—as in, the software—it wasn’t fine, because with everything else, there are always opportunities to bypass the control environment. 

We identified, I think it was somewhere around 16 to 20 methods of committing fraud. The highest value was $100 million that could go out the door on any particular day. A hundred million. 

Stress testing and talking to your staff is a crucial part of mitigating your fraud risk. 

Correct. I kind of wanted to pull together some of these issues around the red flags and the controls and the things you’ve been talking about. 

You’ve talked about leave records—people are reluctant to take leave because they don’t want to be detected. People living beyond their means can be an indicator. An unwillingness to have a level of oversight, or to have their work overseen or scrutinised. And they’re reluctant to open their kimono. I love that expression. 

Stuff like when people are under pressure—you see some bullying and intimidation or really harsh and improper pushback: “I’m the boss, you’ll do what you’re asked to do.” 

And you’ve talked about some of the controls around culture—culture of an organisation around risk controls and having executive and board oversight of risk; segregation of duties so people aren’t doing things end to end. I know particularly, mobility—HR policies that support mobility around roles—it can be a really good thing both from a business productivity point of view, from a learning and development point of view, but also from a fraud and risk control perspective. 

Whistleblower policies and practices—and, if necessary, how outsourcing that can help. Having desktop exercises around fraud. Testing things through: “If this, then what? If this, then what?” 

We did that when I worked in government in emergency services. We would desktop exercise everything from terrorist events to bushfires and floods. And if this happens, then what do we do? And we would stress test every step of the process. 

The same can be done for fraud. Data analytics and looking at what data you have and how that might tell a story—but also what isn’t there, and the story that tells. 

And then talking to people on the ground, on the front line—they’re the ones that see what’s going on and can navigate the system. 

As a sample, is that… 

Excellent. In my experience, it’s the people on the ground that know the weaknesses—the areas, the potential for exploitation, and those loopholes that can be found. And if the culture is correct, they will identify those weaknesses and report up to the relevant person who can do something about it. 

Because controls work, provided there aren’t mechanisms in place that override them. For example, segregation of duties works—provided there’s no collusion. 

Excellent. 

Fraud is common. It’s more common than we realise. And while a deathbed confession might be fabulous—you don’t get many—but it’s common, it’s subtle, it’s preventable. 

But only with awareness, the right processes in place, and the willingness to step in and take action, and to make sure that you’re ready. 

Are we able to tackle it? 

If you are a business leader today, what is the one action I should take? 

Scott, what’s the one action you would take for me? 

I would say have a whistleblower program that is properly communicated and led by senior executives with authenticity. That’s done with authenticity. 

And what does that mean? 

That means that when you receive a report, you assess it and you investigate it with integrity. 

Paul? 

Trust and verify. 

Robyn? 

I would say having an open-door policy, that your team and your staff feel free to communicate any potential weaknesses or loopholes they’ve come across in the organisation. 

For me, it is understanding that when fraud happens in an organisation, this is unusual to your business. 

It is going to be… we don’t—people don’t—expect everyone to be able to deal with the aftermath of fraud. And that’s why companies like ours exist—so that we can support. 

It is a very difficult time for people. It can be very challenging—both for the person who’s committed the fraud (they are human beings), but also for the company and the people around them, and the family members. 

My advice would be to make sure that you can draw on good advice when you need it—if and when you need it—and that you have those people to hand, that you can work with and that you can trust and bring into your organisation. 

And I see that time and again in people that are used to dealing in stressful situations, and certainly understand that the government can’t be in your organisation every step of the way. 

Regulation—they can’t proactively regulate for what might happen. Often regulation follows, because something has already occurred. 

Your proactive governance is absolutely essential. 

I want to say in closing: fraud thrives in silence. Keep the conversations going. 

If you’re slightly suspicious, speak up. 

Bring in the experts—because when the tide goes out, it’s better to be prepared than exposed. 

Thank you very much. 

Thanks, Scott. Thanks, Rob.  

Thank you. 

Fraud is hiding in plain sight—and it could be costing your business millions. 

In the premiere episode of Turnaround Talk, titled When the Tide Goes Out, host Kate Foy is joined by experts Paul Curby, Scott McLintock, and Robyn Karam to unpack the hidden, structural, and often underestimated risk of fraud in Australian businesses. Far from being just a back-office anomaly, fraud emerges from organisational culture, leadership blind spots, and economic pressure. 

The episode explores the fraud triangle—opportunity, motivation, and rationalisation—and how it explains the slow, slippery path from minor infractions to major criminal behaviour. Listeners will hear compelling case studies, from senior executives who bypassed internal controls to forensic discoveries sparked only after a fraudster’s deathbed confession. 

The panel also examines early red flags such as reluctance to take leave, living beyond one’s means, or resisting oversight. They delve into practical prevention strategies, including whistleblower platforms, data analytics, and the importance of a speak-up culture. 

This episode is essential listening for board members, senior executives, financial controllers, and public sector leaders across Sydney and New South Wales. Whether you’re responsible for risk, compliance, or governance—or simply want to protect your organisation—When the Tide Goes Out offers both a sobering reality and actionable steps to help you stay ahead of fraud before it’s too late. 

Key Takeaways: 

Here are five senior executive–friendly takeaways from the episode: 

  • Fraud is rarely a sudden event—it typically begins with minor lapses that escalate over time when left unchecked.
  • Economic pressures, such as rising living costs and stagnant wages, can increase employees’ motivation to rationalise dishonest actions.
  • Executives and long-serving employees pose the highest fraud risk due to their authority, access, and ability to override controls.
  • Behavioural warning signs—such as avoiding leave, resisting scrutiny, or exhibiting aggressive pushback—often precede the discovery of fraud.
  • Embedding a speak-up culture, enforcing proper segregation of duties, and acting quickly on whistleblower reports are essential to protecting organisational integrity.

Frequently Asked Questions 

What is the “fraud triangle” and why does it matter?

The fraud triangle refers to three elements that make fraud possible: opportunity, motivation, and rationalisation. If someone identifies a weakness in controls (opportunity), is under personal or financial stress (motivation), and convinces themselves it’s justified (rationalisation), they’re far more likely to commit fraud. While organisations can’t easily influence motivation or rationalisation, they can reduce opportunity by strengthening internal controls.

Senior leaders typically have broad authority, access to financial systems, and influence over others, enabling them to override controls. In some cases, entire C-suites have been involved in coordinated fraud. Their actions may go unchallenged due to a culture of deference or fear of retaliation.

Red flags include employees who avoid taking leave, resist oversight, or respond aggressively to questioning. Living beyond one’s means or regularly bypassing approval thresholds are also warning signs. While these behaviours don’t always indicate fraud, they warrant closer scrutiny.

Combining behavioural monitoring with proactive tools such as data analytics and whistleblower hotlines is essential. Watch for patterns like repeated payments just below approval limits or unusual delegations of authority. Most importantly, act on concerns early and foster a culture where people feel safe to speak up.

Act quickly to secure digital and physical evidence—delays can result in critical data being deleted or altered. Limit the number of people aware of the investigation to reduce the risk of tipping off the subject. Engage experts early to ensure a structured and defensible investigation process.
