Fraud as a concept has been understood ever since human society became organised. More than one ancient Greek or Roman author has commented on fraud in state affairs or business. Closer to home the Saxon and Danish kings in England understood fraud but it took William the Conqueror to set out the first English administrative system designed to prevent and detect fraud. He made his barons and sheriffs ‘account’ annually for their business affairs and had his most trusted aides hold ‘audit’ courts to hear what the barons had to say against the previous year’s records. It was these arrangements, designed both to maximise tax revenues and to set out an ordered feudal system, that eventually led to the idea of accountants, auditors, controls and segregation of duties (i.e., the basics of modern business controls in the public and private sectors).

Although there have been legal maxims around fraud enshrined in codifications of English and UK law that developed during the Middle Ages, these references do not define what is meant by fraud. Instead they set out its impact on the legal system in coming to a judgement about a matter affected by the fraudulent behaviour of one or other of the parties in court. For instance, it is a legal maxim that ‘fraud is odious’ and that a fraudster shall not profit by their own fraud in a judgement by the courts. However, until 2006 there was no criminal offence of ‘fraud’ in UK law and, apart from Scotland, no common law offence either. All that changed with the Fraud Act 2006, enacted in UK law from 15 January 2007.¹

Many bodies had attempted to give an all-embracing definition of fraud before that, particularly the major accountancy and auditing bodies. Most of these definitions either were incoherent, too detailed and therefore lacking clarity, or too oriented towards the accountancy profession and not user-friendly for would-be investigators. For UK police and those conducting criminal investigations, prior to the Fraud Act they generally placed their reliance on the Theft Act to define whether an offence was likely to have been committed by a fraud reported to them.

Perhaps the snappiest older definition came from a Scotland Yard Fraud Squad detective sergeant at the National Police Detective Training School, who in the 1980s defined fraud simply as a sophisticated sort of thieving to each new generation of would-be detectives. In many ways that description has to have been the most accurate of all until the 2006 Fraud Act came into being.

The 2006 Fraud Act describes and defines three key types of fraud that are the most relevant to organisations, their employees and their contractors.

The sad truth is that most professional bodies—and the professional members of those bodies do not want to be seen to be responsible for detecting fraud—and I include police officers among that number.³ No one minds a straightforward theft, where it is clear what has been stolen and who has lost it, even if you don’t immediately know who took the cash, asset or other item that has been stolen. Fraud is usually much more complex and most people would prefer it to be someone else’s problem.

Corruption can take many forms and its defining characteristic is that the colluding parties conspire together to enable the intended event to occur, which might be a fraud, or could be as simple as the enhancement of an individual’s career through corrupt influence. Fraud may or may not involve others and individuals can commit frauds on other parties without the need to involve other fraudsters, but corruption can only take place between two or more individuals.

As a general principle, you should try to avoid having to prove corruption when looking at potentially fraudulent activity. The only exception to this is when two or more conspirators are either caught in the act with irrefutable proof (e.g., reliably recorded on camera and sound—and preferably a suitably upright citizen as a witness as well) or all the parties to the corruption are prepared to confess on paper and when interviewed. It doesn’t usually help the investigator with a case if only one party admits the corruption, although it can be useful intelligence that may help find a fraud further down the line.

For a classic example of the difficulties in pursuing corruption with its roots at the top end of an organisation, the case of Gordon Foxley is worthy of study, even just from the details available through the likes of Wikipedia. Foxley was the Head of Defence Procurement at the Ministry of Defence (MoD) between 1981 and 1984. Prior to that he was Director of Ammunition procurement for a number of years and during that time had developed cosy and corrupt relationships with a number of major suppliers of ordnance to the MoD. The MoD is one of the few organisations in the UK that has its own private police force, including a fraud squad, and it was to them that the responsibility for investigating Foxley’s activities finally fell. They estimated that Foxley had received millions in bribes. The case took many years and cost an inordinate amount to the taxpayer to bring home. Eventually Foxley was convicted in 1996 on £1.3m of bribes and sentenced to four years. He was due to serve a further sentence if he did not hand over assets purchased with bribe money. Foxley never did and the Crown Prosecution Service ‘forgot’ to pursue him about it. After serving two years, mainly in an open prison, Foxley was a free man with most of his ill-gotten gains still in his possession. As a result of one of his corrupt deals the Royal Ordnance Factories were closed with the loss of thousands of employees’ jobs.

The investigation into Foxley was also a classic example of the difficulty in dealing with fraud and corruption cases once they become a criminal investigation, more of which will be covered in later chapters.

There is a great tendency in my line of business to see every fraud as a conspiracy and indeed on occasion frauds can involve a large number of employees or contractors. However, history clearly shows that hard as it is to bring home a fraud case, it is 10 times harder to prove corruption, whether in civil or criminal proceedings. It is far simpler and safer to look for the evidence that you need to prove what each individual has done. Then, as soon as you have sufficient information, you can act. Prevarication, waiting for the ‘Mr Big’ or over-elaborate and complex investigations to get to the root of everything have an inverse proportional relationship between the complexity and length of the investigation and the likelihood of a successful outcome.

Short and sharp works, long and complex doesn’t. For an object lesson in long and complex leading to inevitable and ultimate failure, just take the case of Her Majesty’s Customs and Excise, an organisation prone in its latter years to run overly elaborate investigations to find ‘Mr Big’. The end result of this approach? They deliberately let millions in unpaid duty escape them, never caught the ring-leaders, compromised themselves with their own informants and in the end paid the ultimate price—when the department lost its independence and most of its investigative responsibilities in the merger with Inland Revenue to create HMRC, the hiving off of its ports business to the UK Border Agency and the residue of its investigators to the Serious Organised Crime Agency (SOCA).

For any organisation, discovering fraudulent activity by employees, contractors or outside organisations can come about by a wide range of circumstances. Usually it is readily apparent that something has gone or is going wrong and as a consequence the organisation is losing cash or other assets to fraudulent activity.

So the starting point is the ability to spot whether something is going wrong—and whether that is causing a loss to your organisation. For those who are internal auditors or middle managers reading this book, then you are already well equipped to spot a potential fraud. You will know your organisation and what you expect to happen. The art is to get to the bottom of why the expected hasn’t happened—and learning when to persevere and persist until you can answer that question.

There is a basic truism inherent in every fraud ever committed on any organisation. The fraudster intends one of two outcomes. Either (1) to steal cash or assets from your organisation or (2) divert cash or assets intended for your organisation to themselves or a third party. So, the guiding principle for the investigator is, wherever possible, to follow ‘the money’. Ultimately its trail will lead you to the fraudster.

The fraudster’s motive is always greed, wanting something to which they are not entitled, although they will often intellectualise the reason for committing the fraud and may deny (as some have) to their dying day that they did it for anything other than the noblest of reasons. It is this self-justification and rationalisation—particularly prevalent among managers who commit fraud against their own organisation—that allows an otherwise apparently moral and socially responsible individual to continue their fraud. Don’t be fooled or feel soft-hearted. Fraudsters are greedy, they want something that isn’t theirs and they are prepared to alter records and lie and cheat in order to get it. They are not pink and fluffy—or innocent victims—however convincing their tale of woe may seem when caught.

Many years ago I spent some time training internal auditors for government bodies. I used to emphasise to them that in any part of an organisation there are always three systems—the prescribed, the alleged and the actual. The ‘prescribed’ is the system laid down in the manuals or set out in practice notes and the like. The ‘alleged’ system is the one that management will be keen to tell you is the way that it is done. It will inevitably usually meet most, if not all, of the expected controls to prevent fraud in a particular business area. But the ‘actual’ system will be the one that managers and employees are applying in practic...