Control, Not ‘Magic Bullet,’ Thwarts Fraud

Practice Management

The current climate of sharply increased online and virtual activity courtesy of the COVID-19 pandemic brings into sharper relief the need to be vigilant and put controls in place to head off fraud. An Oct. 27 session of ASPPA All Access took a look at the problem and what can be done. 

“In some organizations, it’s a head-in-the-sand mentality,” warned Paul Perry, Controls Practice Leader at Warren Averett, LLC. “So many people could be responsible for fraud in a retirement plan,” he continued.

The suddenly largely remote workforce presents fresh challenges. “You can control who comes into a building, but not who comes into someone’s home or wherever someone is working,” said Perry, “so you have to focus on controls now more than ever.” In addition, he said, the pandemic and the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which President Trump signed into law on March 27, have resulted in an increase in distributions, loans and account reallocations. “Making sure you have good controls around this area is important,” he asserted.

Fiduciary Considerations

There are important fiduciary considerations associated with identifying and preventing fraud, Perry said. He suggested:

  • understanding how account activity is triggered (e.g., additions of permitted bank accounts, phone numbers);
  • balancing accessibility to funds with the protection of plan participants;
  • collaborating to implement processes to safeguard information; 
  • reviewing service providers’ cybersecurity capabilities and procedures at the request for proposal stage and as part of an ongoing monitoring process; 
  • while it is not required, considering providing education on cybersecurity and fraud; and
  • reviewing insurance policies (e.g., fiduciary insurance, cyber insurance) and fidelity bonds for scope of coverage and other guarantees. That entails understanding the scope of coverage, including whether social engineering or fraud.

“When we decide to give up privacy, it’s usually for convenience,” said Perry. “You can never have both at the level you want them to be. You have to pick one.” 

Prevention

Red flags. There are some red flags by which one can identify possible fraudulent activity, Perry said, such as a party that is living beyond their means, unusually close association with a vendor, unwillingness to share duties, instability and suspiciousness. “When it comes to fraud and when it comes to red flags, you’ve just got to be super careful and observant,” he said. 

Still, Perry argued that before taking action based on red flags, one should be careful. “When you look at red flags, I’d be sure to look at all of them,” he said. Further, Perry cautioned, “When you’re looking at a fraud case, when you’re looking at potential fraud, within an organization and with participants, you’ve got to look at everything in context. You’ve got to look at everything holistically. Because you don’t always see all sides of something.” 

Control is key. Perry argued that the key to preventing fraud is to put controls in place. “There’s really no magic bullet,” he said. Perry argued that instead, it is necessary to have good controls in regard to prevention, detection, and correction. 

Preventative controls include: 

  • controlling the culture and the tone at the top;
  • segregation of duties (manual and IT controls);
  • fraud awareness training;
  • pre-screening and a look at individuals’ employment background;
  • having a conflict of interest policy, and reviewing it annually; 
  • monitoring controls;
  • internal audits;
  • physical safeguards; and 
  • adequate documentation. 

Detection entails: 

  • segregation of duties;
  • having a whistleblower policy;
  • review of work performed;
  • consistent review of transactional statements; and
  • data analytics.

Corrective controls entail:

  • revisiting the risk assessment process;
  • reviewing policies and procedures;
  • changing personnel responsible for various functions; and 
  • additional controls to prevent reoccurrence.

Perry also suggested paying attention to vendors and conducting an annual vendor risk assessment. Such assessments, he said, should include several steps:

  • A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical vendor. 
  • Evaluation of the internal control structure and potential risks to the company. Most companies require their critical vendors to have an independent internal control report performed by an outside accountant or security specialist (such as a System and Organization Controls report). 
  • Vendor risk management. Each vendor should be assigned an overall risk rating.

Perry offered some good news: he suggested that in 2020, the speed of business activity and spending has slowed down, and that helps in finding fraudulent activity.