You may all be familiar with impossible situations: a bus shelter on a bike path, a tree in the middle of a parking space, or a handicapped toilet accessible by a flight of stairs.
And everyone knows someone who (rightly) complains about unnecessarily complex work environments: legacy systems of which nobody knows the details anymore, an endless stream of internal rules, having to get approval for every step before you can go ahead... How can you then possibly be expected to do your work efficiently and effectively?
In the investigations we perform in response to fraud cases we regularly see that the financial departments of organisations have very extensive procedures and protocols which, among other things, explicitly address the four-eyes principle. On the one hand, this leads to a multitude of rules and controls to which documents are subjected before they can be processed. On the other hand, targets are regularly imposed on these departments that cannot possibly be achieved in the time it takes to adequately perform all the checks and controls on the documents.
In our engagements we come across all kinds of ‘creative’ solutions to such problems. For example, working with two screens and logging in with a colleague’s details, so that you can enter data on one screen and approve them on the other. Or, if the system does not enforce a check, skipping the check entirely or completing it yourself instead of passing on this task to a colleague. Or ‘saving up’ completed forms and having them approved in one go at the end of the day.
This work pressure and these creative solutions also increase the opportunities for undesired behaviour. For example, we came across approved fraudulent invoices that at first sight appeared to have been requested and approved by two different staff members. However, we discovered on the work floor that post-it notes with login names and passwords were visible on the various desktops. In another organisation, the financial accounts and invoicing appeared to reconcile perfectly, but we then discovered a mark-up calculation hidden in the query linked to the invoicing to customers. Only one person could build these queries and there was no other person who could check them.
Do you want to know whether your risk management is in balance with the extent to which the working environment allows it to be carried out? Please feel free to contact us if you have any questions; we are happy to discuss them with you.
This is the fourth blog in a series of 9.