Mitigating the risk of fraud – “More of what matters”
Earlier this month, my mum opened a letter to learn that she was one of the thousands of Morrisons staff who had their personal details leaked online. These details included confidential items such as salaries, bank account details and addresses of staff from director level to shop floor. These are items that no individual would wish to see published about themselves online. Even more worryingly, CIFA (the UK’s Fraud Prevention Service) announced earlier this year that identity crime is “still the biggest problem”, with over 125,000 instances of identity fraud in the UK for 2013. Suddenly, the risk of those details being targeted has rapidly increased.
The question is, how could a company of Morrisons’ stature have been subject to such fraud? Surely, as a large, respected corporation, they would have systems in place to prevent such fraud?
The broad answer is, unfortunately, that fraud can affect individuals or entities of all sizes, shapes and forms, with the impact ranging from a minor nuisance to the potentially devastating for all involved.
In the case of my mum, the impact was a temporarily frozen bank account, added stress, and a CIFA warning against her name (which will last up to 18 months), making it more difficult to get credit if she chose to do so. As for Morrisons, the impact will be more costly. Not only have they damaged their reputation, but there will be significant costs involved in investigating the fraud, and their systems and controls will need to be reviewed in detail.
Ironically, Dalton Philips (Chief Executive of Morrisons) publicly declared that the company had upgraded its IT systems literally hours before the fraud occurred, which shows that even with up-to-date systems, companies are still susceptible to fraud.
Morrisons are not alone when it comes to company fraud. According to a study in June 2013 by the National Fraud Authority, an indicative cost of fraud to the Private Sector for the financial year to April 2013 was £21.2 billion.
So how can we reduce the risk of fraud impacting us?
From my 6 years’ experience in audit, a question that is always raised during discussions with clients on their systems is, “Are there sufficient controls in place to detect, prevent or deter fraud?”. “OK,” so some of you may say, “surely it depends on the entity in question whether sufficient controls can be put in place?” This is not necessarily the case. Yes, I agree that larger companies have an advantage over smaller companies in so far as duties can be segregated, and they may have more substantial funds to invest in advanced secured systems. However, I believe that there are certain simple procedures that any one person or company could generally apply to help mitigate this risk.
Basic procedures could include:
– Ensuring passwords, PIN numbers, and usernames are kept secret.
– Ensuring logging out procedures are adhered to properly.
– Changing passwords on a quarterly basis.
– Reviewing bank statements regularly.
– Obtaining and reviewing credit reports regularly.
– Performing bank reconciliations monthly.
– Reviewing daily bank transactions.
– Ensuring computers/laptops are encrypted and password protected.
– Implementing self-locking systems for computers when left inactive for a period.
The above list is by no means comprehensive, and can be applied to either individuals or companies as appropriate. There are many more controls and procedures that can be put in place to reduce the risk of fraud further, something that we regularly advise clients on.
Hopefully, as society becomes more aware of the risk of fraud, the likelihood of its occurrence and potential impact will be significantly reduced in the future.