Managing the Risk of Fraud During COVID-19

By Kevin Doyle

When I decided to write this article, I picked up my laptop and headed to a neighborhood café to start my draft…

Then I remembered what was going on…

Back to the kitchen counter…

These are truly unprecedented times.

I wanted to share with you some thoughts I have around the potential unintended consequences connected with the necessary winnowing of hotels’ finance and operational headcount.

First and foremost, hotels had to take all steps necessary to stem their evaporating cash. Every minute counted. Many of these decisions resulted in reassignment of roles and responsibilities that under normal business operations would not be acceptable as it violated generally accepted internal control protocols.


It was Donald Cressey who hypothesized that most frauds include three elements: opportunity, pressure and rationalization. These elements are commonly referred to as “The Fraud Triangle.” To me, opportunity and pressure are very present in the current business environment. As finance and other departments shed jobs, segregation of duties for essential processes may not be possible. This results in opportunity to commit fraud, one leg of the Fraud Triangle. Fear of losing a job, health insurance, failing to meet financial benchmarks, loan covenants, dwindling stock and retirement portfolios creates pressure, another leg of the Fraud Triangle.

Areas of Consideration
The following is a compilation of things to consider that will assist you during this period of uncertainty. I understand that hotel leadership is focusing on the here and now, but I suggest, at a minimum, include these items as part of your dialogue. (For ease of discussion, the period between when an organization reduces its headcount to the time full operations can be resumed is called “COVID.”)

  • Review and revise the internal audit plan or other risk management processes with the goal of assessing the possible internal control environment deficiencies resulting from COVID. Consider “carving out” the COVID period and compare the policies, procedures and internal control processes in effect during COVID against the policies, procedures and internal control processes in effect during non-COVID times. As you perform this exercise, a picture will appear that highlights the possible exposures. Inventory and risk rank the exposures and then develop a plan to test and assess the possible impact of such exposures. The point here is gain awareness about where the undetected vulnerabilities may exist so that an informed decision can be made around acceptance of such risks.
  • As part of reviewing internal controls, include IT security vulnerabilities. Under normal circumstances, hackers are constantly searching for security weaknesses to exploit. Limited IT resources to combat data intrusions during COVID only encourages hackers to ramp up their efforts.
  • In somewhat of an odd circumstance, the COVID-related finance department reductions (whether temporary or permanent) address an effective internal control practice: enforced vacation. Individuals who do not or rarely take time off and have a significant role in a property’s finance department is a red flag. The thought behind enforced vacations is that other staff will perform the vacationer’s duties and she/he will approach such duties with a different perspective. During COVID, it is possible unidentified irregularities may appear as the perpetrator is not available to conceal the scheme.
  • Leverage data analytics. COVID data will undoubtedly include “a lot of noise” and it is important that the “noise is properly filtered” to obtain reliable information. When an outlier is identified, a completely reasonable explanation will be “it’s due to COVID,” which may be true, but further scrutiny may also be necessary.
  • Consider reviewing your insurance policies. Could any losses be covered under business interruption or other elements of your insurance program?
  • Review “lessons learned” from 9/11, Katrina and other catastrophic events.
  • Currently, there are federal programs aimed at assisting businesses during this period of economic hardship: Paycheck Protection Program and the CARES Act.
  • Engage in dialogue with your peers. Review trade association articles, blogs, etc. You are not alone in this battle and people want to help.
  • Communicate, both on a strategic and tactical level. There is a lot of uncertainty going on and staff want to know what is happening and why. Transparency is important. I believe your associates understand that leadership is enduring unprecedented headwinds and they are doing what’s best for the hotel. Continual dialogue will ease uncertainty. Leadership must continue to reinforce ownership’s ethical values.

As post-COVID appears imminent, consider engaging a seasoned hospitality-experienced consultant to assist in reviewing COVID and post-COVID processes toward identifying possible vulnerabilities and aid in strengthening internal controls.

Kevin Doyle is a certified public accountant (CPA), certified fraud investigator (CFE), certified in financial forensics (CFF), and maintains a certificate as a chartered global management accountant (CGMA) who specializes in financial fraud investigations and develops and assesses fraud prevention and internal controls for hotels. He is an active consultant with Cayuga Hospitality Consultants.

This is a contributed piece to Hotel Business, authored by an industry professional. The thoughts expressed are the perspective of the bylined individual.