CISI Combating Financial Crime: Internal vs External Fraud (How to Recognise and Prevent Each)

Internal vs external fraud for CISI CFC: examples, employee warning signs, supplier/customer fraud patterns, and how to avoid exam traps.

CISI Combating Financial Crime: Internal vs External Fraud (How to Recognise and Prevent Each)

CISI Combating Financial Crime expects you to distinguish between fraud that originates inside an organisation and fraud committed by parties outside it. This distinction matters because controls, investigations, and reporting lines often differ depending on whether the threat is an employee or a customer/supplier/hacker.

In practice, internal fraud can be especially damaging because insiders may understand systems and controls, while external fraud can be high-volume and fast-moving (eg, impersonation, hacking, invoice scams). Exams commonly test your ability to match examples to the correct category and recognise behavioural warning signs.

This lesson provides exam-ready definitions plus practical examples and pitfalls.

Where this topic sits inside CISI Combating Financial Crime

This topic appears in the Types of Fraud section and supports a broader understanding of how firms design controls: segregation of duties and staff monitoring for internal risks, and CDD/transaction monitoring and cyber controls for external risks.

The concept explained in plain English

  • Internal fraud originates from within the organisation—typically employees (or contractors acting like insiders) abusing access, authority, or trust.
  • External fraud originates outside the organisation—committed by customers, suppliers, impersonators, or hackers.

Key exam idea: “Who is committing it?” is the first sorting question. The second is “How is it being enabled?” (access, authority, weak onboarding, poor vendor controls, etc.).

How it works step-by-step

  1. Identify the actor: employee/insider vs external party.
  2. Identify the asset or process targeted: cash, stock, loans, vendor payments, customer accounts.
  3. Identify the method:
    • Internal: override controls, favouritism, theft, mispricing, concealment.
    • External: misrepresentation, impersonation, hacking, false invoicing.
  4. Assess enabling weaknesses: lack of segregation of duties, poor approvals, weak reconciliation, inadequate verification.
  5. Consider signals: behavioural warning signs (internal) and unusual transaction patterns (external).

Practical examples

  • Internal fraud examples:
    • Theft of cash or stock.
    • Undercharging friends/family or not charging at all.
    • Approving credit/loans on favourable terms for connected parties that would not otherwise qualify.
  • Internal behavioural warning signs (not proof, but prompts for scrutiny):
    • Unusual resistance to taking annual leave.
    • Avoiding assistance or oversight.
    • Working excessive hours or being unusually inquisitive about systems.
    • Sudden resignation (context matters).
  • External fraud examples:
    • Customer: obtaining loans with incorrect/incomplete information, cheque fraud, card fraud.
    • Supplier: invoicing for goods/services not provided, fake vendors, kickbacks, delivering lower quality than agreed.

Exam focus: how this is tested

  • Classification questions: internal vs external based on actor and access.
  • Example recognition: supplier invoicing fraud is external; staff undercharging friends is internal.
  • Warning sign interpretation: behavioural indicators are red flags, not automatic guilt.
  • Control alignment: segregation of duties and mandatory leave (internal); onboarding/monitoring (external).

Common pitfalls and how to avoid them

  • Pitfall: Assuming internal fraud always involves cash theft. Avoid: It can involve credit decisions, vendor selection, or system abuse.
  • Pitfall: Treating warning signs as evidence. Avoid: They are prompts for review, not proof of wrongdoing.
  • Pitfall: Misclassifying supplier fraud as internal. Avoid: Supplier is an external party, even if an employee colludes.
  • Pitfall: Ignoring collusion. Avoid: Some cases blend internal + external; focus on the main origin and enabling controls.

Self-test (original questions)

  1. Question: What is the simplest distinction between internal and external fraud?
    Answer: Whether the fraud originates inside the organisation (employee/insider) or outside it.
    Explanation: The actor/origin is the primary classifier.
  2. Question: A staff member approves a loan for a friend on unusually favourable terms. Internal or external?
    Answer: Internal.
    Explanation: It originates from employee action within the organisation.
  3. Question: A supplier invoices for goods not delivered. Internal or external?
    Answer: External.
    Explanation: The supplier is outside the organisation.
  4. Question: True/False: Refusing annual leave is a definitive sign of internal fraud.
    Answer: False.
    Explanation: It is a warning sign that may warrant scrutiny, not proof.
  5. Question: Give one example of customer external fraud.
    Answer: Obtaining a loan based on incorrect or incomplete information.
    Explanation: Misrepresentation by an external customer is external fraud.
  6. Question: Why can internal fraud be hard to detect?
    Answer: Insiders may understand systems and can conceal activity within processes.
    Explanation: Access and familiarity increase concealment opportunities.
  7. Question: A hacker compromises systems and steals funds. Is that internal fraud?
    Answer: External.
    Explanation: The actor is outside the organisation.
  8. Question: What control concept is particularly relevant to internal fraud?
    Answer: Segregation of duties and oversight.
    Explanation: Reduces opportunities for single-person manipulation.
  9. Question: True/False: External fraud can include impersonation and hacking.
    Answer: True.
    Explanation: These are classic outside-origin threats.

Note for candidates in London

If you are preparing for CISI Combating Financial Crime London, make a two-page “internal vs external” map: list internal examples on the left, external examples on the right, and add one control for each. This helps because exam questions often present mixed facts and you must choose the best classification quickly. Build a revision rhythm: definitions early in the week, scenario practice on weekends. For exam booking and any changes to rules or delivery, keep your information current—verify steps directly with CISI and/or the exam provider.

FAQs

  • Can a fraud be both internal and external?
    Yes, collusion can occur; still classify by origin and the main enabling access in the scenario.
  • Are behavioural red flags proof of fraud?
    No. They are indicators that may justify further review.
  • Is supplier invoicing fraud internal?
    Typically external, unless the scenario focuses on an employee manipulating invoices internally.
  • What is a common internal fraud example?
    Approving loans on favourable conditions for friends or family.
  • What is a common external fraud example?
    Obtaining loans using incorrect or incomplete information.
  • Why does internal fraud matter in financial crime?
    Insiders can bypass controls and cause large losses or reputational harm.
  • What controls help reduce internal fraud risk?
    Segregation of duties, mandatory leave, reconciliations, and oversight.
  • What controls help reduce external fraud risk?
    Strong CDD, verification, cyber security, and transaction monitoring.

Next step

To strengthen your fraud taxonomy and control mapping, continue with the CISI Combating Financial Crime course and practise mixed-topic scenario sets on www.TadawulExams.com.

For study planning and support: Free Access | FAQ | Shop.

About Tadawul Academy
Tadawul Academy provides CISI learners with structured learning journeys, clear explanations, and exam-focused practice tools.

Disclaimer
Always verify exam rules, pass marks, and booking steps with the official CISI syllabus and the exam provider.

Quick Quiz

  1. A staff member undercharges a family member for a service. This is:

    • A. External fraud
    • B. Internal fraud
    • C. Market manipulation
    • D. DDoS
  2. A supplier bills for services never provided. This is usually:

    • A. Internal fraud
    • B. External fraud
    • C. Insider dealing
    • D. Stabilisation
  3. Which is best described as a warning sign rather than proof?

    • A. Refusing to take annual leave
    • B. A confirmed forged invoice
    • C. A confessed theft
    • D. A verified unauthorised transfer

Answers

  • 1: B
  • 2: B
  • 3: A