Security Management: Planning Against Corporate Crime
Corporate crime is estimated to cost Australian companies billions in lost assets and earning every year. Although controlling internal losses in the corporate environment is difficult, planning – and undertaking audit – is the key.
Planning is the cornerstone of corporate investigations. And in this case, planning doesn’t only relate to the compilation of effective investigative procedures, Instead, security managers, in conjunction with all other departments in an organization, need to work together to formulate total audit controls which deter criminal activity and allow fast and accurate investigation.
Administratively, total audit controls can be time consuming in their implementation but once up and running they perform a vital role in protecting an organisation’s assets. What you are seeking to create is a paper trail that ensures all assets are accounted for at all times. While this may sound difficult, properly managed audit trails can check corporate losses and make investigations easy.
Up front you need to establish definitions of crime as they relate to your organization. It’s safe to assume that all your company’s material assets are covered by corporate ownership. What this means is that any employee removing, or damaging company property has committed a crime. Such property might include computer hardware and software, office furniture, office supplies – any item not brought into the work environment by an individual for an individual’s personal use.
Also important to take into account are criminal laws. Breach of criminal laws might include dealing or using drugs in the workplace, making violent threats or stealing the personal property of other staff members. In all cases, breaches of criminal law will be breaches of company policy and if sufficient evidence is found, senior management will need to decide on prosecution or dismissal.
From this point onward, things become more complicated. Corporate crime can manifest itself in a huge number of ways at any level in an organization, from the padding of executive expense accounts, to sexual harassment. A few other examples of corporate crime include:
* Making unauthorized payments
* Awarding contracts on the basis of kickbacks
* Using corporate funds for personal payments
* Employing company assets for private business
* Siphoning funds from company accounts
* Counterfeiting or forging company documents
* Stealing and/or selling company secrets
* Claiming for expenditure never legitimately incurred
* Selling client databases to competitors
* Using the company’s name for private purposes
* Making private phone calls on company lines.
This by no means exhaustive list gives a broad idea of variation seen in corporate crime and should also give security managers an appreciation of the difficulties they’ll encounter when seeking to control and investigate it. Once the company’s policy on corporate crime has been formulated, it should be circulated to all members of staff. And security people who will police the rules must fully understand the company’s internal crime policy.
Audit and Control
Taking on board a comprehensive audit and control program is seen by many companies at too difficult. But without such a program, the security department’s investigations of corporate crime will become a nightmare. Consider this. A company employing 80 staff has no audit trail controlling management of assets. During an office refit, a shared computer goes missing and the loss is not noticed for a few days. When the computer is reported missing nobody knows anything about it and the company is forced to write off the loss.
While it may sound innocuous, in a large organization there are hundreds, even thousands of office machines. Many security managers would not be aware of how many PCs or laptops their organization has, how many office chairs, fax machines, printers – what software had been purchased. The only way security managers can stay on top of asset loss is to actually know when an asset has gone missing.
Encouraging department heads or the company’s property department to stay on top of asset lists and asset movement is the only way to succeed. It may be wishful thinking to expect a database of all company assets be established and constantly updated but it’s only audit controls that will allow you to limit and control loss of company property. Without audit controls it’s impossible to establish just what sort of problem the security department is facing.
Ideally, asset controls should be managed at both an organizational and departmental level and, within reason, every item of company property should be categorized and issued a reference number. Details stored on a file should include a description of the asset, including serial numbers, model and make, the location of the asset, which site, which department and which employee. You also need to log asset value.
Other site-specific details should be included. When an employee changes jobs or moves desks, asset lists should be updated and at all times, employees should be held accountable for company assets under their supervision. Other methods of crime control relate to management at an operational level. Controls implemented should include the following:
* One workstation per staff member or dual passwords if the workstation is shared
* Physical security for office machines
* A number identifying each operator that must be used with each transaction processed
* Parity checks to ensure data has been correctly transmitted through the system without manipulation
* Limit checks demanding the authorization of a supervisor or manager for large dollar figure transactions
* Separation of duties to ensure no single staff member is responsible for an entire transaction
* Sequencing checks. Each transaction should be numbered and if entries are made out of sequence, the computer should question or reject them.
In addition, managers should also be responsible to another manager and never given total control of high value operations. Another manager should co-authorise such activities whenever possible. Once controls are in place, they should be maintained with no excuses accepted for deviations from corporate policy at any level.