As the risks of the COVID-19 pandemic caused various small to large entities to crumble, they also gave fraudsters an opportunity to flourish. Assurance providers throughout the integrated assurance value chain should therefore remain vigilant in managing the risks associated with fraud during a remote-working period.
The lockdown meant that most people, including employees, who were not performing essential services were working from home without access to printing and scanning equipment or devices. This working arrangement proved complex for people who preferred approving documents in the traditional way, by printing them and physically signing them in ink, as they were unable to approve in this manner. Organisations therefore had to use alternative tools, platforms, applications and/or technologies, which created exposure to new or increased cyber and business risks.
The most prevalent of these risks was the risk of fraud and corruption perpetrated through forgery of documents and/or signatures, resulting from various opportunities, among others:
- Some organisations did not have/own secure digital platforms or applications to ensure secure digital signing of documents.
- Some employees were, and still are, not digitally savvy enough to use secure digital platforms or applications to securely approve documents.
- There was inadequate time for proper change management or training of those authorised to approve documents to use digital applications and/or platforms to approve documents when the COVID-19 lockdown was initially declared.
Given the above exposures to the risk of forgery, it became easy for fraudsters to forge documents and signatures, because some signatories who were not yet using secure digital applications and/or platforms to approve documents used their names and emails to approve formal documents.
In some instances, formal documents were approved via email without any actual signing of the respective documents. This also made it difficult to determine whether an email was a genuine email sent by the authorised signatory or a fictitious email sent by fraudsters.
The abovementioned acceptable norm for approving formal documents has made it difficult for assurance providers to verify whether documents have been signed by the authorised signatories. It has also made it difficult to verify the authenticity of signatures.
Therefore, there is a need for assurance providers to be vigilant and use alternative ways to verify the authenticity of the approvals, particularly in areas where fraud risk is assessed to be very high. Alternative methods to verify authenticity include assessing the level of controls implemented with regard to signing of documents during the lockdown period, the tools, technology, applications and/or platforms used to sign formal documents, and confirming approvals with the relevant signatories.
Organisations should invest in secure digital tools and technologies that will enable secure digital approval of documents, thereby ensuring authenticity and security of approvals. This may include applications that are equipped with security technologies which ensure that signatures are locked to avoid the copying and pasting of signatures into fictitious documents.
It is equally necessary for organisations to provide adequate training and awareness to employees to ensure proper and secure access to and usage of digital platforms, applications, tools and/or technologies. Furthermore, awareness should be extended to clients and suppliers to ensure they can avoid fraudulent documents purporting to be genuine and formally approved by the organisation.
Risk managers should ensure that the correct risks and root causes relating to fraudulent imitation of documents and signatures are identified and that appropriate mitigations are implemented to manage such risks. Incidents of forgery of documents and signatures should be reported and investigated, and proper actions should be taken against the perpetrators. These incidents should be monitored by management and governance structures to ensure effective systems are implemented to manage such incidents. Actions taken should be commensurate with the stance taken by an organisation regarding fraud and corruption, and in line with the relevant laws and regulations.
Assurance providers should adjust their plans to ensure an appropriate response to the increased risk of fraud and corruption through forgery of documents. Organisations should equally ensure that control systems and processes are implemented to reduce exposure to the risk of fraud and corruption through forgery of documents and signatures.
Sidney Mongala, Chief Risk Officer: Department of Communications and Digital Technologies (DCDT) and Acting Chief Financial Officer: Universal Service and Access Agency of South Africa (USAASA)