When Controls Break Down: Fraud and Business Risk Areas That Emerge in a Crisis - Aryan Consultancy
CA Siddhartha Agrawal
Apr 18, 2020 (Updated: May 1)

When an organisation faces disruption — whether from a pandemic, a rapid expansion, a system migration, or a leadership change — the immediate focus falls on continuity. Keep the business running. Keep the customers served. Keep the team together. What often falls away in that same moment is the control environment. And fraud is patient. It waits for exactly this.
The fraud and business risk areas described here were catalogued in detail during the COVID-19 period, but none of them are unique to a pandemic. They emerge whenever an organisation's normal control architecture is stretched, bypassed, or deliberately relaxed in the name of speed. Understanding them is the starting point for building a control layer that holds under pressure.

User Access Controls
When teams are reorganised, systems are accessed remotely, or processes are covered by people unfamiliar with them, user access controls are the first thing that breaks. Segregation of duties — the principle that no single person should be able to initiate, approve, and record a transaction — gets quietly suspended. One person covers two roles. An admin gets temporary elevated access. The temporary access never gets revoked.
The risk is not always intentional. The exposure is structural: when the audit trail is incomplete, management overrides become undetectable, and conflicts of interest become invisible until the reconciliation three months later.
The control response is specific. Do not remove segregation of duties rules without replacing them with compensating controls. Log all changes to user access. Review access permissions at the end of every operational disruption, not the beginning of the next one.
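
One way to run the end-of-disruption access review described above, as an added example that is not part of the original article. It replays an access-change log and flags users who hold more than one of the initiate/approve/record duties, plus temporary grants that have expired without being revoked. The log layout, user names and duty names are assumptions, and the sample log is constructed.

```python
from datetime import date

# Duties that one person must not combine (segregation of duties).
SOD_DUTIES = {"initiate", "approve", "record"}

# Constructed sample log: (date, action, user, duty, temporary?, expiry or None)
ACCESS_LOG = [
    (date(2020, 3, 1), "grant", "asha", "initiate", False, None),
    (date(2020, 3, 1), "grant", "ravi", "approve", False, None),
    (date(2020, 3, 1), "grant", "meena", "record", False, None),
    (date(2020, 3, 20), "grant", "asha", "approve", True, date(2020, 4, 15)),
    (date(2020, 3, 25), "grant", "ravi", "record", True, date(2020, 4, 10)),
    (date(2020, 4, 10), "revoke", "ravi", "record", True, None),
]

def replay(log):
    """Rebuild current grants from the change log: {(user, duty): (temporary, expiry)}."""
    active = {}
    for _, action, user, duty, temporary, expiry in sorted(log, key=lambda e: e[0]):
        if action == "grant":
            active[(user, duty)] = (temporary, expiry)
        elif action == "revoke":
            active.pop((user, duty), None)
    return active

def review(log, as_of):
    """Return (SoD conflicts per user, temporary grants past expiry but still active)."""
    active = replay(log)
    duties_by_user = {}
    for user, duty in active:
        if duty in SOD_DUTIES:
            duties_by_user.setdefault(user, set()).add(duty)
    sod_conflicts = {u: sorted(d) for u, d in duties_by_user.items() if len(d) > 1}
    stale_temp = sorted(
        (user, duty, expiry)
        for (user, duty), (temporary, expiry) in active.items()
        if temporary and expiry is not None and expiry < as_of
    )
    return sod_conflicts, stale_temp

if __name__ == "__main__":
    conflicts, stale = review(ACCESS_LOG, as_of=date(2020, 5, 1))
    for user, duties in conflicts.items():
        print(f"SoD conflict: {user} holds {', '.join(duties)}")
    for user, duty, expiry in stale:
        print(f"Unrevoked temporary access: {user}/{duty} expired {expiry}")
```

The review only sees what the log records, so it depends on every access change being logged as the section requires.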

Finance and Cash Flow Controls
Disruption creates pressure on cash. Forecasts are compressed, payment terms are renegotiated, and leadership makes financial commitments faster than the accounting system can record them. This is the environment in which finance fraud becomes easiest and financial reporting becomes least reliable.
The specific vulnerabilities: cash flow forecasts built on assumptions that have not been validated; provisions for bad debt, inventory write-down, and asset impairment that are either over-stated (to build reserves) or under-stated (to protect reported profit); duplicate payment processing when invoice approval is rushed; and payment fraud when vendor details change without verification.
None of these require malicious intent. All of them are preventable with a structured review of financial commitments before they are made, not after they are recorded.
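
Two of the vulnerabilities listed above, duplicate payments and payments made after an unverified change of vendor details, can be checked mechanically before a payment run is released. The following is an added example, not part of the original article; the record layouts, identifiers and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. Amounts are in minor units (e.g. paise) to avoid float error.
VENDOR_CHANGES = [
    # (vendor, change date, new bank account, verified by independent call-back?)
    ("V100", date(2020, 4, 2), "ACCT-NEW-1", False),
    ("V200", date(2020, 4, 3), "ACCT-NEW-2", True),
]
PAYMENTS = [
    # (payment id, vendor, invoice no, amount, payment date, bank account paid)
    ("P1", "V100", "INV-001", 500000, date(2020, 4, 1), "ACCT-OLD-1"),
    ("P2", "V100", "inv 001", 500000, date(2020, 4, 6), "ACCT-NEW-1"),
    ("P3", "V200", "INV-778", 120000, date(2020, 4, 7), "ACCT-NEW-2"),
    ("P4", "V300", "INV-042", 90000, date(2020, 4, 8), "ACCT-OLD-3"),
]

def normalise_invoice(invoice_no):
    """Strip case, spaces and punctuation so 'inv 001' matches 'INV-001'."""
    return "".join(ch for ch in invoice_no.upper() if ch.isalnum())

def duplicate_payments(payments):
    """Group payments by vendor, normalised invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, invoice_no, amount, _, _ in payments:
        groups[(vendor, normalise_invoice(invoice_no), amount)].append(pid)
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def unverified_change_payments(payments, changes):
    """Payments sent to a bank account introduced by a change nobody verified."""
    flagged = []
    for pid, vendor, _, _, paid_on, account in payments:
        for c_vendor, changed_on, new_account, verified in changes:
            if (c_vendor == vendor and account == new_account
                    and paid_on >= changed_on and not verified):
                flagged.append(pid)
    return flagged

if __name__ == "__main__":
    print("Possible duplicates:", duplicate_payments(PAYMENTS))
    print("Paid after unverified vendor change:",
          unverified_change_payments(PAYMENTS, VENDOR_CHANGES))
```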

Internal Controls Under Stress
Every organisation has a set of controls that work well in normal conditions and degrade under pressure. The question is which ones and by how much. The four categories that typically degrade first are management review controls, accounting judgement controls, transaction processing controls, and key person dependency.
Management review controls — where a senior person reviews and signs off on reports, reconciliations, and postings — are the first to be skipped when managers are overloaded. The fix is not to require the review anyway (it becomes a formality) but to automate the underlying check so the review has something substantive to approve.
Accounting judgement controls are the most dangerous because they are invisible. The decision about how much bad debt to provision, whether inventory is impaired, and how to value an asset under uncertainty requires judgement — and under pressure, that judgement will be optimistic. An independent review of these provisions at the end of every reporting period, not just year-end, is the structural fix.

Cyber and Data Security
When people work remotely, from personal devices, using collaboration tools that were not designed for corporate security, the attack surface of the business expands immediately. Phishing attempts increase. Employees click on links they would not click in an office. Sensitive data gets shared through channels that leave no audit trail.
The practical exposure points: remote access controls that were not designed for scale; unapproved applications being used because they are convenient; third-party service providers whose own security posture has degraded; insider threats from displaced or disgruntled employees; and the basic risk of sensitive information on unsecured home networks.
The control response requires a combination of technical measures (VPN access, device management, collaboration tool governance) and behavioural ones (regular security awareness communication, clear escalation paths for suspected incidents, monitoring of unusual access patterns).

Insurance and Regulatory Coverage
Disruption changes the risk profile of the business faster than insurance and regulatory compliance can keep pace. When operations move to a new environment — remote work, new locations, changed service delivery models — the existing coverage may no longer apply, and regulatory obligations may change in ways that are not immediately obvious.
The questions to ask: Does the insurance policy cover the current operating model? Have health and safety obligations been reviewed for the new environment? Are all regulatory deadlines still being met, and does the team responsible for meeting them have the resources and access to do so?

Supply Chain and Contractor Controls
When normal supply chains are disrupted, organisations turn to alternative suppliers under time pressure. Vendor onboarding procedures get shortened. Purchase orders are raised without the usual approval chain. Payment is expedited. This is a high-risk environment for procurement fraud, overbilling, and the onboarding of vendors who have not been properly vetted.
The specific risks: payments to fraudulent vendors established during the disruption; overbilling by legitimate vendors who know oversight has loosened; contractual commitments made without legal review; and the loss of visibility into what subcontractors and outsourced service providers are doing on the organisation's behalf.

The Control Layer Response
The common thread across all of these risk areas is that they are not caused by bad people. They are caused by control environments that were not designed to hold under pressure. The businesses that emerge from a disruption with their financial integrity intact are not the ones that got lucky — they are the ones that had a control layer between their operations and their accounting system, with approval workflows, audit trails, and access governance that continued to function even when everything else was improvised.
At Aryan Consultancy, building that control layer is exactly what we do — in stable conditions, so it holds when conditions are not. If you want to understand where your control environment has gaps, book a free 30-minute consultation and we will walk through your current setup together.