Fraud Risk along the Employee Lifecycle – Identity Risk Starts in HR
This article is the first deep-dive in the Fraud Risk along the Employee Lifecycle article series.
The umbrella article introduced the employee lifecycle as a practical lens for identifying HR Fraud Risk across hiring, onboarding, role changes, incentives, access rights and offboarding.
The central idea was simple:
HR processes create organisational truth — and organisational truth defines control reality.
That organisational truth starts with identity.
Before a person can approve an invoice, submit an expense claim, access a system, receive salary, influence Internal Controls, manage a team or represent the organisation, the organisation must first answer a basic question:
Who is this person?
This question may sound administrative.
It is not.
From a Fraud Risk perspective, identity is the first control-relevant fact created in the Employee Lifecycle. Once an organisation accepts a person as an employee, contractor, consultant, temporary worker, external user or privileged insider, many downstream systems begin to rely on that assumption.
Payroll may rely on it.
Identity and Access Management may rely on it.
Approval workflows may rely on it.
Finance, Procurement Fraud controls, Expense Reimbursement Fraud controls, physical access, Data Protection Law, Compliance, and the Audit Trail may rely on it.
This is why Identity Risk starts in HR.
Identity as Organisational Truth
In many organisations, HR is the first place where a person becomes visible as an organisational actor.
A candidate becomes a hire.
A hire becomes an employee.
An employee becomes a user.
A user receives access, equipment, reporting lines, cost centre assignments and, in some cases, approval authority.
This process creates more than a personnel file. It creates an organisational identity.
That organisational identity usually contains several fraud-relevant attributes:
- legal name
- date of birth or other identifying information
- employment type
- start date
- organisational unit
- role or position
- manager
- work location
- cost centre
- payroll status
- bank details
- contract type
- system access eligibility
- termination or end date
Once these attributes are recorded, they often travel into other systems.
If they are correct, they support the control environment.
If they are incomplete, outdated, manipulated or insufficiently verified, the control environment may rely on a false premise.
The problem is not only that HR Master Data may be wrong.
The deeper problem is that other controls may behave exactly as designed while relying on an identity that should never have been created, should have been questioned, or should no longer be active.
What Identity Risk Means
Identity Risk arises when an organisation cannot reliably determine whether the person, employment relationship or organisational status represented in HR and connected systems is real, correct, authorised and current.
This can take different forms.
A person may be real, but their role or employment type may be wrong.
A person may be correctly hired, but duplicate records may exist.
A contractor may be treated like an employee for access purposes.
An external user may remain active without a clear business owner.
A payroll record may exist for someone who does not perform work.
A remote applicant may use false, stolen or proxy identity information.
A hiring process may verify documents but fail to connect the person on screen, the person in the file and the person later using the account.
Not every weakness in identity verification is fraud.
But weak identity governance creates conditions in which Fraud Risk can be easier to initiate, conceal or sustain.
The Fraud-Relevant Identity Question
Traditional hiring processes often ask whether a person is suitable for a role.
The Fraud Risk question is slightly different:
What organisational trust will be created if this identity is accepted?
That question changes the perspective.
A low-risk role with limited access may require one level of verification.
A privileged IT role, finance position, payroll function, procurement role, executive assistant, external consultant, system administrator or remote developer may require a different level of assurance.
The point is not to over-engineer every hiring process.
The point is to recognise that identity assurance should be proportionate to the trust, access, authority and data exposure attached to the role.
Identity is not only about whether a person exists.
It is about what the organisation will allow that person to do once their identity has been accepted.
Ghost Employees and Payroll Identity
One of the clearest examples of Identity Risk is Ghost Employee Fraud.
In a ghost employee scheme, a non-existent or illegitimate person is added to payroll, and wages or benefits are diverted to someone who controls or benefits from that payroll record.
The Association of Certified Fraud Examiners describes ghost employee fraud as a form of internal occupational fraud where someone, typically with payroll access, adds a non-existent employee to payroll and collects wages or benefits intended for that phantom employee.
From an Employee Lifecycle perspective, the fraud does not start with the payment.
It starts with the creation or acceptance of the identity.
A payroll run may process the payment correctly.
The bank transfer may be properly executed.
The accounting entry may be technically accurate.
But the underlying organisational fact is false: the person should not exist in the payroll population.
This illustrates why identity is upstream of finance.
By the time the fraudulent salary payment appears in financial records, the critical control failure may already have occurred in HR Master Data, onboarding, approval rights or payroll identity governance.
Remote Hiring and Proxy Identity
Identity Risk has also become more visible in remote and hybrid work environments.
Remote hiring is legitimate and often necessary. But it can weaken traditional identity cues that organisations used to rely on informally: physical presence, local onboarding, in-person document checks, direct equipment handover and face-to-face interaction with colleagues.
Recent public enforcement and advisory activity illustrates this risk.
In 2025, the U.S. Department of Justice described schemes in which North Korean individuals fraudulently obtained remote IT employment with U.S. companies using stolen and fake identities, supported by facilitators, fraudulent websites and laptop farms. The DOJ stated that these workers obtained employment at more than 100 U.S. companies and, once employed, received salary payments and gained access to sensitive employer information.
The FBI has similarly warned that such actors use techniques to disguise identity, including U.S.-based facilitators, fraudulent employment arrangements, remote access infrastructure and support during virtual interviews. Its mitigation guidance includes scrutinising identity documents and verifying prior employment and education directly with relevant organisations.
The relevance for Fraud Prevention is broader than this specific threat scenario.
It shows that hiring, identity verification, device delivery, remote access, payroll and data security are not separate topics.
They are connected through one control question:
Is the person who was hired the same person who is using the organisation’s access, equipment and trust?
HR, IAM and the Source of Identity
Identity Risk is often treated as an IT or cybersecurity topic.
That is only partly correct.
Identity and Access Management systems may create user accounts, enforce authentication, assign groups, apply role templates and deactivate access.
But many of these technical processes depend on HR Master Data.
If HR data says that a person is an active employee, a specific role holder, part of a defined organisational unit or eligible for certain access, the technical system may provision access accordingly.
The technical process may be functioning properly.
The underlying identity assumption may still be wrong.
This is why HR and Identity and Access Management cannot be separated from a Fraud Risk perspective.
NIST SP 800-63-4 Digital Identity Guidelines cover identity proofing, authentication and federation of users, including employees and contractors. They define technical requirements across identity proofing, enrollment, authenticators, management processes, authentication protocols, federation and related assertions.
NIST SP 800-63A-4 focuses specifically on identity proofing and enrollment. In practical terms, this is relevant because authentication and identity proofing answer different control questions.
Authentication proves that someone can use a credential.
It does not, by itself, prove that the original HR identity was valid, complete or fraud-risk appropriate.
Strong authentication is important.
But it cannot fully compensate for weak identity creation.
Identity Risk Is Also Data Integrity Risk
Identity Risk is closely connected to Data Integrity and HR Master Data integrity.
A person’s identity in the organisation is not defined by a single field. It is defined by a combination of attributes.
Some of these attributes are personal.
Some are contractual.
Some are organisational.
Some are technical.
Some are financial.
A Fraud Risk can arise when one of these attributes is wrong or manipulated.
For example:
- a person is recorded as an employee although they are an external contractor
- a start date is entered before verification is complete
- a termination date is missing or wrong
- a bank account is changed without sufficient approval
- a manager field is incorrect
- a cost centre assignment is manipulated
- an external user has no named business owner
- duplicate HR records exist for the same person
- a privileged role is assigned based on an outdated position
- an emergency onboarding exception is never reviewed
In each case, the issue may appear administrative.
But the control impact can be significant.
The wrong HR attribute can trigger the wrong access, the wrong payment, the wrong approval path, the wrong reporting line or the wrong control owner.
This is why the next layer of the Employee Lifecycle Fraud Risk Lens is HR Master Data.
Identity is created first.
HR Master Data determines how that identity behaves inside the control environment.
Typical Identity Risk Scenarios
Identity Risk can appear in different parts of the hiring and onboarding process.
1. Non-existent or illegitimate employees
The organisation creates or maintains a personnel or payroll record for someone who does not legitimately work for the organisation.
This can support Ghost Employee Fraud, Payroll Fraud or unauthorised benefit payments.
2. Duplicate identities
The same person appears in multiple records, systems or employment categories.
Duplicate identities can create confusion around access, payment, reporting, the Audit Trail and accountability.
3. False or stolen identity information
A person uses identity information that does not belong to them, or combines real and false information to pass onboarding checks.
This risk is particularly relevant in remote hiring, contractor onboarding and outsourced staffing arrangements.
4. Proxy or borrowed identity
One person passes the onboarding process, but another person performs the work, uses the account or controls the device.
This creates a gap between the verified person and the operational actor.
5. Misclassified employment relationship
An external contractor, consultant, temporary worker or vendor user is treated like an employee without equivalent governance, ownership or end-date discipline.
This can result in excessive access, Access Rights Abuse or weak accountability.
6. Incomplete identity verification
The organisation hires or activates a person before required identity checks, Background Checks, reference checks or Conflict of Interest disclosures are complete.
This may be justified in exceptional cases, but the exception itself becomes a control risk if it is not approved, documented and closed.
7. Unclear identity ownership
No single function owns the integrity of the person record across HR, payroll, Identity and Access Management, physical access, vendor systems and collaboration platforms.
The result is fragmented identity governance.
Red Flags
Identity-related Red Flags often appear as small inconsistencies.
Individually, they may look harmless.
Together, they can indicate a weak identity control environment.
Relevant Red Flags include:
- HR records created without complete identity evidence
- payroll activation before onboarding checks are complete
- same bank account, address, telephone number or emergency contact linked to multiple employees or contractors
- duplicate employee records with similar personal data
- unusual manual changes to name, bank details, date of birth, employment type or start date
- repeated emergency onboarding exceptions
- external users without named business owner or end date
- contractors receiving employee-like access without equivalent vetting
- device shipment to addresses inconsistent with the hiring record
- remote applicants avoiding live video interaction where such checks are legally and operationally appropriate
- inconsistent information across CV, identity documents, payroll data, social profiles and reference checks
- manager approval overriding standard identity controls without documented rationale
- user accounts active before the employment relationship is formally approved
- mismatch between HR status, Identity and Access Management status, payroll status and physical access status
None of these Red Flags proves fraud.
But each of them should prompt a control question.
Control Questions
A practical Fraud Risk Assessment can start with a simple set of questions.
Identity creation
- Who is allowed to create a person record in the HR system?
- What evidence is required before an employee, contractor or external user becomes active?
- Are different assurance levels applied for different risk roles?
- Are identity checks completed before payroll, access and equipment provisioning?
- How are urgent onboarding exceptions approved, tracked and closed?
Identity attributes
- Which HR attributes drive downstream controls?
- Which systems rely on HR as the source for employment status, role, manager, cost centre, location or access eligibility?
- Who can change sensitive identity attributes?
- Are changes to bank details, employment type, manager, role or start date logged and reviewed?
Duplicate and anomaly detection
- Are duplicate records actively detected?
- Are shared bank accounts, addresses, telephone numbers or emergency contacts reviewed?
- Are inactive, dormant or incomplete records periodically cleaned up?
- Are contractor and employee populations reconciled?
Remote and external users
- How does the organisation verify that the person interviewed, the person contracted and the person accessing systems are the same person?
- Who owns the identity of external users?
- Do external users have defined sponsors, access purposes and end dates?
- Are staffing agencies, outsourcing partners and hiring platforms subject to equivalent identity governance expectations?
System reconciliation
- Are HR, payroll, Identity and Access Management, physical access and finance records reconciled?
- Can a person be active in one system but inactive in another?
- Are terminated, withdrawn or never-started hires removed from connected systems?
- Is there an Audit Trail from recruitment approval to HR record creation, payroll activation and access provisioning?
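As an added illustration that is not part of the original article, the following Python script runs the duplicate-detection, shared-attribute and system-reconciliation checks asked about above (and several of the Red Flags listed earlier) over constructed HR, payroll and IAM extracts; the record layout, person ids, field names and sample values are all assumptions, not any real system's data.

```python
"""Identity-population reconciliation over constructed sample extracts.

Each check below corresponds to a red flag or control question in the
article: payroll active before checks complete, HR/payroll/IAM status
mismatch, external users without owner or end date, shared bank accounts,
duplicate person records and IAM accounts with no HR record behind them.
"""
from collections import defaultdict

# Constructed HR master data extract (assumed layout): one row per person record.
HR = [
    {"id": "P001", "name": "A. Example", "dob": "1990-01-01", "type": "employee",
     "status": "active", "bank": "DE00-1111", "owner": "M01", "end": None,
     "checks_complete": True},
    {"id": "P002", "name": "B. Sample", "dob": "1985-05-05", "type": "contractor",
     "status": "active", "bank": "DE00-2222", "owner": None, "end": None,
     "checks_complete": True},
    {"id": "P003", "name": "C. Test", "dob": "1992-03-03", "type": "employee",
     "status": "active", "bank": "DE00-1111", "owner": "M01", "end": None,
     "checks_complete": False},
    {"id": "P004", "name": "A. Example", "dob": "1990-01-01", "type": "employee",
     "status": "terminated", "bank": "DE00-4444", "owner": "M02",
     "end": "2024-06-30", "checks_complete": True},
]
# Constructed payroll and IAM extracts, keyed by the HR person id.
PAYROLL = {"P001": "active", "P003": "active", "P004": "active"}
IAM = {"P001": "enabled", "P002": "enabled", "P004": "enabled", "P009": "enabled"}


def reconcile(hr, payroll, iam):
    """Return a list of (person_id, flag) tuples, one per red flag found."""
    flags = []
    by_bank, by_identity = defaultdict(list), defaultdict(list)
    for rec in hr:
        pid = rec["id"]
        by_bank[rec["bank"]].append(pid)
        by_identity[(rec["name"], rec["dob"])].append(pid)
        hr_active = rec["status"] == "active"
        # Payroll activated before onboarding identity checks are complete.
        if payroll.get(pid) == "active" and not rec["checks_complete"]:
            flags.append((pid, "payroll active before identity checks complete"))
        # HR status disagrees with payroll or IAM (e.g. terminated but still paid).
        if not hr_active and payroll.get(pid) == "active":
            flags.append((pid, "payroll active but HR status is " + rec["status"]))
        if not hr_active and iam.get(pid) == "enabled":
            flags.append((pid, "IAM account enabled but HR status is " + rec["status"]))
        # External user without a named business owner or an end date.
        if rec["type"] != "employee" and (rec["owner"] is None or rec["end"] is None):
            flags.append((pid, "external user without owner or end date"))
    # Same bank account linked to more than one person record.
    for bank, ids in by_bank.items():
        if len(ids) > 1:
            flags.append((",".join(ids), f"shared bank account {bank}"))
    # Duplicate person records sharing name and date of birth.
    for ids in by_identity.values():
        if len(ids) > 1:
            flags.append((",".join(ids), "duplicate identity records"))
    # IAM accounts with no HR record at all: orphan identities with no owner.
    known = {r["id"] for r in hr}
    for pid in iam:
        if pid not in known:
            flags.append((pid, "IAM account without HR record"))
    return flags


if __name__ == "__main__":
    for who, what in reconcile(HR, PAYROLL, IAM):
        print(f"{who}: {what}")
```

Each flag is a prompt for a control question, not a finding of fraud; in practice the three extracts would come from the HR, payroll and IAM systems named in the reconciliation questions.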
Practical Control Measures
Identity Risk cannot be eliminated by one control.
It requires a chain of Internal Controls across HR, IT, payroll, legal, Compliance and line management.
Treat identity creation as a control event
The creation of a person record should be treated as more than administrative data entry.
It is the moment at which the organisation creates a control-relevant identity.
Separate creation and approval
High-risk identity records should not be created, approved and activated by the same person without independent review.
This is particularly important where the identity leads to payroll activation, privileged access or financial authority.
Define risk-based evidence requirements
Not every role requires the same level of verification.
However, sensitive roles should have clear evidence standards for identity, employment eligibility, references, qualifications, Conflict of Interest declarations and Background Checks.
Link HR activation to downstream provisioning
Payroll activation, system access and equipment delivery should depend on defined HR identity status.
A person should not receive operational capability before the identity control requirements have been met or an approved exception has been recorded.
Monitor sensitive identity changes
Changes to bank details, name, employment status, role, manager, cost centre, work location and employment type should be logged and, where appropriate, reviewed.
Reconcile identity populations
Periodic reconciliation between HR, payroll, Identity and Access Management, physical access, contractor records and finance systems can identify mismatches before they become fraud or control failures.
Govern external identities
Contractors, consultants, temporary workers, vendor users and other non-employees should be part of the identity governance model.
They may not be employees, but they can still create employee-like Fraud Risk, access risk and data protection risk.
Preserve audit trails
Identity-related decisions should be traceable.
In a later investigation, the organisation should be able to reconstruct who created the identity, what evidence was reviewed, who approved activation, what changes were made and which systems relied on the record.
FICAM / IDManagement.gov describes identity lifecycle management as encompassing creating, identity proofing, vetting, provisioning, aggregating, maintaining and deactivating digital identities. That lifecycle view is useful because Identity Risk does not end when the person record is created.
Forensic Relevance
When a fraud case involves Payroll Fraud, Access Rights Abuse, Expense Reimbursement Fraud, Procurement Fraud or unauthorised data access, the investigation often starts downstream.
Who approved the transaction?
Who used the account?
Who received the payment?
Who changed the bank details?
Those questions are necessary.
But the Employee Lifecycle Fraud Risk Lens adds an upstream question:
How did this person become a trusted organisational identity in the first place?
Relevant evidence may include:
- recruitment files
- onboarding records
- identity verification documentation
- Background Checks
- Conflict of Interest declarations
- HR Master Data change logs
- payroll activation records
- bank detail changes
- access provisioning logs
- device shipment records
- physical access records
- contractor or vendor onboarding files
- exception approvals
- manager approvals
- termination or withdrawal records
This is especially important where the fraud appears technically valid.
A payment may have been made to an active employee.
An account may have been used with valid credentials.
An approval may have followed the workflow.
A device may have been assigned to a named user.
But if the identity foundation is wrong, the downstream control trail may only show that the organisation consistently relied on a false or manipulated organisational fact.
Why This Matters
Identity Risk is often underestimated because it appears early, quiet and administrative.
It does not always look like fraud.
It looks like onboarding.
It looks like data entry.
It looks like a missing document.
It looks like an exception.
It looks like a contractor record.
It looks like a user account waiting to be activated.
But these are the points where the organisation creates trust.
Once identity is accepted, other controls begin to rely on it.
That is why HR is not only a support function in Fraud Prevention. It is part of the control environment.
And that is why the first deep-dive in the Employee Lifecycle Fraud Risk Lens starts here:
Identity Risk starts in HR.
Conclusion
Fraud Risk does not always begin with a transaction.
Sometimes it begins when an organisation accepts that a person is who they claim to be, belongs where they are placed, and should receive the trust attached to a role.
Identity is the first organisational fact in the Employee Lifecycle.
It determines who can be paid, who can access systems, who can receive equipment, who can be assigned authority and who appears in the Audit Trail.
If that identity is false, incomplete, duplicated, misclassified or insufficiently governed, downstream controls may operate on the wrong reality.
The Employee Lifecycle Fraud Risk Lens helps make this visible.
Before asking whether a transaction was approved, whether access was used properly or whether a payment was justified, organisations should also ask:
Was the identity itself properly created, verified and governed?
Further Perspectives
This article is part of the Fraud Risk along the Employee Lifecycle series.
The umbrella article introduced the Employee Lifecycle as a practical lens for identifying Fraud Risk across hiring, onboarding, role changes, incentives, access rights and offboarding.
This first deep-dive focused on Identity Risk. The next article will examine why HR Master Data is not merely administrative information, but a fraud control surface.
Related Terms
- Employee Lifecycle Fraud Risk Lens
- Employee Lifecycle
- HR Fraud Risk
- Identity Risk
- Identity Fraud
- Ghost Employee Fraud
- Payroll Fraud
- HR Master Data
- Data Integrity
- Internal Controls
- Fraud Risk Assessment
- Fraud Prevention
- Identity and Access Management
- Access Rights Abuse
- Segregation of Duties
- Conflict of Interest
- Credential Fraud
- Background Checks
- Joiner-Mover-Leaver
- Contractor Risk
- Audit Trail
- Control Override
- Whistleblowing
- Data Protection Law
- GDPR / DSGVO
Sources and References
- Report to the Nations on Occupational Fraud and Abuse
- Ghost Fraud: A Haunting Reality
- NIST SP 800-63-4 Digital Identity Guidelines
- NIST SP 800-63A-4 Identity Proofing and Enrollment
- DOJ Actions on North Korean Remote IT Worker Schemes
- North Korean IT Worker Threats to U.S. Businesses
- Identity Lifecycle Management Playbook
