2_fraudriskmanagement

Upload: mustafa-mukadam

Post on 01-Mar-2018


    7/26/2019 2_FraudRiskManagement

    1/53

    Fraud Risk Management: A Guide to Good Practice


    ACKNOWLEDGEMENTS

    This guide has been prepared by CIMA's Fraud and Risk Management Working Group, which was established to

    look at ways of helping management accountants to be more effective in countering fraud and managing risk

    in their organisations.

    The Working Group comprised:

    Martin Birch, Head of Finance, ActionAid

    David Cafferty, Forensic Accountant, Ministry of Defence Police Fraud Squad

    Kay Dickinson, Senior Assistant Director of Finance, NHS Executive Trent

    Mike Frankl, Director of Finance, Reform Synagogues of Great Britain

    Roy Katzenberg, Assistant Director, Forensic Services, Ernst & Young

    Peter Ludlow, IT Development Manager, Costain Ltd

    Richard Meade, formerly Group Auditor, Balfour Beatty plc

    Peter Wishart, Financial Manager, Xerox Ltd

    with Judy Finn, CIMA Technical Services.

    The group would like to thank:

    Michael Levi, Professor of Criminology at Cardiff University for his valuable contribution to Chapter 1

    Mike Comer of Maxima Partnering Limited for permission to use material from the journal Inside Fraud

    Bulletin and his book Corporate Fraud (3rd edition)

    Ernst and Young for their support.

    George Staple QC, Chair of the Fraud Advisory Panel, for his very helpful comments on the guide.

    The many colleagues of Working Group members who have assisted with the writing of this guide.

    Individual chapters of this guide have been written by different members of the group, resulting in the use of

    varying styles. We hope that this will not prevent the guide from being both clear and useful.

    Additional supplements to this guide are being produced on specific topics such as Computer Fraud and the

    Civil Response to Fraud (based on English and Welsh law). For further information contact CIMA Technical

    Services (details on the back cover).

    A copy of this guide is also available on the internet at http://www.cimaglobal.com.

    About CIMA

    CIMA (The Chartered Institute of Management Accountants) champions management accountancy worldwide.

    In an age of growing globalisation and intensified competition, modern businesses demand timely and accurate

    financial information. That is why its members are sought after by companies across the world. They are

    commercial business managers with wide ranging skills.

    From its headquarters in London and eleven offices outside the UK, CIMA supports 50,000 members and

    71,000 students in 156 countries. The CIMA qualification is recognised internationally, and its reputation and

    value are maintained through high standards of assessment and regulation. It is the professional qualification of

    choice for business worldwide.

    © CIMA 2001. All rights reserved. This booklet does not necessarily represent the views of the Council of the

    Institute, and no responsibility for loss occasioned to any person acting or refraining from acting as a result of any material in this publication can be accepted by the authors or publishers.


    CONTENTS                                                                 Page

    FOREWORD iv

    INTRODUCTION v

    1. FRAUD: ITS EXTENT, PATTERNS AND CAUSES

    1.1 What is fraud? 1

    1.2 The scale of the problem 2

    1.3 Why do people commit fraud? 2

    1.4 Who commits fraud? 3

    2. RISK MANAGEMENT: AN OVERVIEW

    2.1 The context: corporate governance 5

    2.2 Managing risk: the risk management cycle 5

    2.3 Establish a risk management group and set goals 6

    2.4 Identify risk areas 6

    2.5 Understand and assess the scale of risk 7

    2.6 Develop a risk management strategy 8

    2.7 Implement the strategy and allocate responsibilities 9

    2.8 Implement and monitor implementation of the suggested controls 9

    3. FRAUD PREVENTION

    3.1 Developing an anti-fraud culture 11

    3.2 Sound internal control systems 15

    4. IDENTIFYING FRAUD

    4.1 What to look for: indicators and warnings 18

    4.2 Tools and techniques 20

    5. RESPONDING TO FRAUD

    5.1 The purpose of the fraud response plan 23

    5.2 Corporate policy 23

    5.3 Fraudulent activities 23

    5.4 Roles and responsibilities 23

    5.5 Organisation's objectives with respect to fraud 25

    5.6 The response 26

    5.7 The investigation 26

    5.8 Follow-up action 28

    APPENDICES

    Appendix 1: Sample fraud policy 29

    Appendix 2: Outline fraud response plan 30

    Appendix 3: Example of a fraud response plan 32

    Appendix 4: Sample whistle-blowing policy 40

    Appendix 5: Examples of fraud indicators, risks and controls 42

    Appendix 6: Examples of common types of fraud 45

    Appendix 7: Example of a risk analysis 47

    Appendix 8: Sources of further information 48


    FOREWORD

    Fraud costs organisations millions of pounds each year. Periodically, the latest major fraud hits the headlines as

    other organisations sit back and watch, telling themselves that 'it couldn't happen here'.

    But the reality is that fraud can be committed anywhere. While there are only a small number of major frauds,

    huge sums are lost as a result of the large number of small frauds. Surveys have shown that the majority of

    companies have experienced fraud at some level, and that many do not have the formal systems and

    procedures in place to deter and detect it. It is in assisting companies in establishing such systems that this

    guide should prove very valuable.

    No system is completely foolproof, but there are steps which can be taken to deter fraud and make it much less

    attractive to commit. The role of the management accountant is a key one in detection and prevention.

    We welcome the publication of this guide. It is a timely contribution to fraud prevention and reduction. It aims

    to increase the awareness of key decision-makers in companies, whether large or small, to encourage them to

    review their key areas of risk and to develop policies and contingency plans to combat fraud. We believe that it

    will make a valuable contribution in equipping management accountants and others to respond to the threat

    that fraud presents.

    Bruce Epsley, President, CIMA

    Detective Superintendent Ken Farrow, Head of City of London Police Fraud Squad


    INTRODUCTION

    Several surveys have been carried out in recent years looking at fraud and its management. Most of these have

    suggested that organisations need to strengthen their measures for protection and detection. Among the

    conclusions from one such international survey, carried out by Ernst and Young and published in their report

    Fraud, the Unmanaged Risk (May 2000) are that:

    • Almost two-thirds of the organisations participating in the survey had been defrauded in the last

    twelve months. Almost one in ten had suffered more than 50 frauds.

    • Eighty-two per cent of the worst frauds were committed by employees, and almost a third of them by

    management.

    • More than 80 per cent of respondents were concerned that a significant fraud could occur in their

    organisation.

    • Only 29 per cent of the total value of the worst frauds known to have been suffered in the last twelve

    months had been recovered at the date of the survey.

    • High fraud losses were not restricted to a particular sector or country; organisations in 23 sectors

    suffered losses of more than US$1 million.

    Management accountants, whose professional training includes the analysis of information and systems can

    have a significant role to play in the development and implementation of fraud prevention and internal control

    systems within their organisations. A survey carried out of readers of Management Accounting (now Financial

    Management) confirmed the conclusions of the Ernst and Young survey and others which conclude that fraud

    is a widespread and serious problem but that businesses are still not taking fraud prevention seriously enough.

    CIMA's Fraud and Risk Management Working Group was established as part of the Institute's response to this

    problem. This guide to good practice is the result of the group's first year of work.

    The law relating to fraud varies from country to country. Where it is necessary for this guide to make reference

    to specific legal measures, this is generally to UK law. It would be impossible to include references to the laws

    of all countries where this guide will be read. While some references may, therefore, not be relevant to all

    readers, the general principles of fraud prevention will still apply.


    CHAPTER 1

    FRAUD: ITS EXTENT, PATTERNS AND CAUSES

    1.1 WHAT IS FRAUD?

    Fraud and the law

    Fraud can be defined as dishonestly obtaining an advantage, avoiding an obligation or causing a loss to

    another party. The term fraud commonly includes activities such as theft, corruption, conspiracy,

    embezzlement, deception, bribery and extortion. The legal definition varies from country to country, and

    indeed there may be no coherent definition at all. For example, in England and Wales, related offences are

    scattered about in many areas of general, companies, financial services and tax legislation. The Theft Acts

    1968 and 1978 created the offences of false accounting and of obtaining goods, money and services by deception,

    which are the offences most often used in England and Wales, and the Companies Act 1985 includes the offence

    of fraudulent trading. There are also offences of fraud under the income tax and value-added tax

    legislation, and the common law offence of conspiracy to defraud.

    Different types of fraud

    Fraud can mean many things and result from many varied relationships between offenders and victims.

    Fraud includes, for example:

    • crimes by individuals of higher status against consumers, clients or other, lower status businesspeople,

    e.g. the looting of a bank or building society in a country that does not have a full compensation

    scheme; misrepresentation of the quality of goods;

    • employee fraud against employers, e.g. payroll fraud; falsifying expense claims;

    • crimes by small businesses against consumers and employees, e.g. selling counterfeit goods as genuine

    ones; pocketing the National Insurance Contributions paid by staff;

    • crimes by persistent offenders/opportunists against financial institutions, e.g. using lost and stolen

    credit cards; cheque frauds;

    • crimes by individuals of various status against government, e.g. grant fraud; social security benefit

    claim frauds; tax evasion;

    • crimes by professional criminals against major organisations, e.g. major counterfeiting rings; mortgage

    frauds; advance fee frauds.

    Case study 1: Fraud doesn't just involve money

    Those who remain in any doubt about the severity of counterfeiting, perhaps quoting the popular

    mantra that manufacturers overcharge customers anyway so deserve to be ripped off, should

    consider the following.

    • Large quantities of fake/date-expired malaria tablets were seized by Ugandan drug authorities

    last June; the tablets would have killed users.

    • Scottish Trading Standards found 15 million in fake car parts last year, including brake shoes

    made from compressed grass which burst into flames when operated.

    • The practice of selling super-strength spirits is a common one, but do tipplers realise their next

    drink could be their last? Fake vodka killed 32 in Russia two years ago, and last year a liquor

    containing methyl alcohol killed 36 Chinese. The five people responsible for the latter

    counterfeit operation were executed.

    Material reproduced from Inside Fraud Bulletin, October/November 1999, by kind permission of

    the publishers Maxima Partnering Limited.


    1.2 THE SCALE OF THE PROBLEM

    There have been many attempts to measure the extent of fraud, which, while giving an incomplete

    picture, indicate the size of the problem. The Association of Certified Fraud Examiners sets fraud at

    US$ 400 billion worldwide. A KPMG survey found that a quarter of international businesses were victims

    of international fraud, and that 52 per cent of respondent companies had experienced fraud in 1995. The

    international survey published in May 2000 by Ernst & Young, and already quoted in the introduction to

    this guide, found that the combined impact of the single worst frauds suffered by each of the 739

    respondents in the last twelve months was US$172 million, an average of over US$200,000. Of this, only

    US$ 49 million had been recovered by the time of the survey.

    Although the total cost of fraud cannot be known, it is much larger than the cost of all other crimes in the

    UK. It is estimated that the cost of fraud amounts to significantly more than the total cost of retail,

    burglary and motor offences added together. It also can have considerable social and psychological effects

    on individuals and businesses: for example when a fraud causes the collapse of a major business

    numerous individuals and businesses can be affected. In addition to the companys own employees,

    employees of suppliers can be affected by the loss of large orders and other creditors such as banks

    can be indirectly affected by huge losses on loans. Even taxpayers suffer from reduced payment of

    corporation tax.

    There are immense difficulties in measuring fraud. It is difficult to identify, often hard to distinguish from

    carelessness and poor record-keeping, and often is not reported. However, given the statistics above, there

    can be no doubt that it is a serious problem for businesses.

    1.3 WHY DO PEOPLE COMMIT FRAUD?

    There is no single reason behind fraud. Any explanation of it needs to take account of various factors,

    such as:

    • the perceived suitability of targets for fraud;

    • the incapability of potential fraud victims (including governments) to look after their interests;

    • the motivation of potential offenders.

    Looking at the same issue from the fraudster's perspective, it is necessary to take account of:

    • motivation (including the conditions under which people can rationalise their prospective crimes away

    as 'necessary' (especially when done for the firm or the political party), 'harmless' (because the

    victim is large enough to absorb the impact) or even 'justified' (because the victim deserved it or

    because 'I was mistreated'));

    • opportunities to commit crime(s) (which may include the existence of national and international social

    networks, and transferable criminal skills);

    • technical ability of the fraudster;

    • expected and actual risk of discovery after the fraud has been carried out;

    • expectations of consequences of discovery (including non-penal consequences such as job loss and

    family stigma, proceeds of crime confiscation, and traditional criminal sanctions);

    • actual consequences of discovery.


    The motivation of fraudsters

    In simple terms, motivation is based on either greed or need. Many people are faced with the opportunity to

    commit fraud, and only a minority of the greedy and needy do so. Personality and temperament, including

    how frightened people are about the consequences of taking risks, play a role. Some people with good

    objective opportunities fall into bad company and develop tastes for the fast life, which tempts them to fraud.

    Others are tempted only when faced with ruin anyway.

    Many people obey the law because they believe in it and/or they are afraid of being shamed by people they

    care about if they are caught. However, if the prospective fraudster is part of a subculture of professional

    criminals, career welfare claimants, or of businesspeople who consider it acceptable, for example, to deceive

    consumers, tax officials or even other businesses when 'you're in a tight spot', then the inhibiting effect of

    publicity is reduced, perhaps to almost nothing. The role of this rationalisation varies with the person's

    commitment to respectability.

    1.4 WHO COMMITS FRAUD?

    Different types of fraudster

    Fraudsters usually fall into one of three categories:

    1. Pre-planned fraudsters, who start out from the beginning intending to commit fraud. (These can be

    short-term players, like many who use stolen credit cards or bogus social security claimants; or can be

    longer-term, like bankruptcy fraudsters and those who execute complex laundering schemes.)

    2. Intermediate fraudsters, who start off honest but turn to fraud when times get hard or when life-

    events such as a divorce, the need to pay for care for a family member, irritation at being passed over

    for promotion, or nagging from family change the normal mode.

    3. Slippery-slope fraudsters, who simply carry on trading even when, objectively, they are not in a position

    to pay their debts. This can apply to ordinary traders or to major businesspeople.

    The Association of Certified Fraud Examiners carried out research on frauds committed in the US for their

    report 'Report to the Nation on Occupational Fraud and Abuse' (published 1996). This found that in cases

    of occupational fraud:

    • the typical perpetrator was a college-educated white male;

    • men committed nearly three-quarters of the offences;

    • median losses caused by men were nearly four times those caused by women;

    • losses caused by managers were four times those caused by employees;

    • median losses caused by executives were 16 times those of their employees.

    It is worth noting that the UK's National Criminal Intelligence Service has identified that organised crime

    organisations are becoming more involved in fraud, as there is currently less risk of being caught for

    committing fraud than for crimes involving drugs.


    Summary

    A major reason why people commit fraud is because they are allowed to do so. There are a wide range of

    threats facing businesses. The threat of fraud can come from inside or outside the organisation, but the

    likelihood that a fraud will be committed will be greatly decreased if the potential fraudster believes that

    the rewards will be modest, that they will be detected or that the potential punishment will be

    unacceptably high. The main way of achieving this must be to establish a comprehensive system of control

    which increases the likelihood of detection and increases the cost to the fraudster.

    It has been said that there are three requirements which need to be met to reduce the risk of fraud:

    good ethics, good people and good systems (David Sherwin, Ernst and Young).

    This guide sets out some of the measures which can be put in place to minimise risks to the organisation.


    CHAPTER 2

    RISK MANAGEMENT: AN OVERVIEW

    Risks are the opportunities and dangers associated with uncertain future events. There is risk in any situation

    where there is a possibility of more than one outcome. The existence of risk leads in itself to uncertainty, but

    the level of uncertainty will vary both with knowledge and attitude. Risks may not even be recognised, but a

    lack of recognition does not alter their existence.

    Risk management is the process of understanding the nature of such future events and, where they represent

    threats, making positive plans to counter them. This guide is primarily focused on managing the risk of fraud,

    but, first, this chapter looks at more general aspects of risk management. It is proposed that risk management

    will be covered in more depth in a future guide.

    2.1 THE CONTEXT: CORPORATE GOVERNANCE

    In recent years, the issue of corporate governance has been a major area for concern in many countries. In

    an early example, in the United States, the Treadway Commission 1987 report on fraudulent financial

    reporting confirmed the role and status of audit committees. Subsequently, the Securities and Exchange

    Commission (SEC) introduced the requirement that all SEC regulated companies should have an audit

    committee with a majority of non-executive directors. A subgroup of the Treadway Commission then

    developed a framework for internal control, providing detailed criteria for management to assess internal

    control systems and giving guidance for reporting publicly on internal control. In the UK, listed companies

    now have to meet the requirements of the Combined Code of Corporate Governance which calls, among

    other matters, for boards to establish systems of internal control and to review the effectiveness of these

    systems on a regular basis. Subsequently, the Turnbull Committee was set up to issue guidance to

    directors on how they should assess and report on their review of this effectiveness. The Committee made

    it clear that they considered the establishment of embedded risk management practices to be key to

    effective internal control systems. While the guidance is generally applicable to listed companies, the principles

    are relevant to all organisations. Fraud risk management practices are developing along the same lines.

    Controls assurance

    Controls assurance is the process whereby controls are reviewed by management and staff. There are

    various ways to conduct these exercises, from highly interactive workshops based on behavioural models

    at one end of the spectrum to pre-packaged self-audit internal control questionnaires at the other. These

    models all include monitoring and risk assessment among their principal components.

    2.2 MANAGING RISK: THE RISK MANAGEMENT CYCLE

    Risk management is an increasingly important process in many businesses and the process fits in well with

    the precepts of good corporate governance. The risk management cycle is an interactive process of

    identifying risks, assessing their impact, and prioritising actions to control and reduce risks.


    Managing the risk of fraud is the same in principle as managing any other business risk. It is best

    approached systematically, both at the organisational level, e.g. by using ethics policies and anti-fraud

    policies, and at the operational level. A number of iterative steps should be taken:

    1. Establish a risk management group and set goals.

    2. Identify risk areas.

    3. Understand and assess the scale of risk.

    4. Develop a risk management strategy.

    5. Implement the strategy and allocate responsibilities.

    6. Implement and monitor implementation of the suggested controls.

    2.3 ESTABLISH A RISK MANAGEMENT GROUP AND SET GOALS

    A risk management group should be established whose task it is to conduct reviews of the risks, which

    include the risk of fraud, faced by the business. The group will need to assess the risk appetite of the

    business (i.e. the level of risk the company is prepared to accept). It should then begin the process of

    understanding and assessing risk, prioritising, and developing a strategy to deal with the risks identified.

    The risk management group should be responsible for reviewing systems and procedures, identifying and

    assessing the risks, and introducing the controls that are best suited to the business unit.

    2.4 IDENTIFY RISK AREAS

    [Figure: The Risk Management Cycle (adapted from Managing the Risk of Fraud: A Guide for Managers, HM Treasury, 1997). Six stages shown as a loop: establish risk management group and goals; identify risk areas; understand and assess scale of risk; develop risk management strategy; implement strategy and allocate responsibility; implement and monitor implementation of controls.]

    Each risk in the overall risk model should be explored to identify how it potentially evolves through the

    organisation. It is important to ensure that the risk is carefully defined and explained to facilitate further

    analysis. The techniques of analysis include:


    • workshops and interviews;

    • brainstorming;

    • questionnaires;

    • process mapping;

    • comparisons with other organisations;

    • discussions with peers.

    2.5 UNDERSTAND AND ASSESS THE SCALE OF RISK

    Once risks have been identified, an assessment of possible impact and corresponding likelihood of

    occurrence should be made using consistent parameters that will enable the development of a prioritised

    risk analysis. In the planning stage management should agree on the most appropriate definition and

    number of categories to be used when assessing both likelihood and impact.

    The assessment of the impact of the risk should not simply take account of the financial impact but

    should also consider the organisations viability and reputation, and recognise the political and commercial

    sensitivities involved. The analysis should be either qualitative or quantitative, and should be consistent to

    allow comparisons. The qualitative approach usually involves grading risks in high, medium and low

    categories.

    Impact

    The assessment of the potential impact of a particular risk may be complicated by the fact that a range of

    possible outcomes may exist or that the risk may occur a number of times in a given period of time.

    Such complications should be anticipated and a consistent approach adopted which, for example, may

    seek to estimate a worst case scenario over, say, a twelve-month time period.

    Likelihood of occurrence

    The likelihood of a risk occurring should be assessed on a gross, a net and a target basis.

    The gross basis assesses the inherent likelihood of the event occurring in the absence of any processes

    which the organisation may have in place to reduce that likelihood.

    The net basis assesses the likelihood, taking into account current conditions and processes to mitigate the

    chance of the event occurring.

    The target likelihood of a risk occurring reflects the risk appetite of the organisation. Where the net

    likelihood and the target likelihood for a particular risk differ, this would indicate the need to alter the risk

    profile accordingly.


    It is common practice to assess likelihood in terms of:

    • high: probable;

    • moderate: possible;

    • low: remote.

    An example of a risk analysis is contained in Appendix 7.

    Analysing fraud risks

    Fraud risk is one component of operational risk. Operational risk focuses on the risks associated with

    errors or events in transaction processing or other business operations. A fraud risk review considers

    whether these errors or events could be the result of a deliberate act designed to benefit the perpetrator.

    As a result, fraud risk reviews should be detailed exercises conducted by teams combining in-depth

    knowledge of the business and market with detailed knowledge and experience of fraud.

    Risks such as those of false accounting or the theft of cash or assets need to be considered for each part

    of the companys business. Frequently, businesses focus on a limited number of risks, most commonly on

    third-party thefts. To avoid this, the risks should be classified by reference to the possible type of offence

    and the potential perpetrator(s). The following matrix developed by Ernst and Young (the 'Ernst and

    Young model') can be used:

    Department/area | Details of risk area | Management | Employees | Third parties | Collusion
    ----------------|----------------------|------------|-----------|---------------|----------
    False accounting |                     |            |           |               |
    Theft            |                     |            |           |               |

    These will need to be assessed for each area and process of the business, for example, cash payments,

    cash receipts, sales, purchasing, expenses, inventory, payroll, fixed assets, loans, etc.
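    The grading described in 2.5 (impact plus gross, net and target likelihood on a high/medium/low scale) and the offence-by-perpetrator classification above can be carried into a small risk register. The following is an added illustration written for this page; it is not code from the CIMA guide, and the data structure is an assumption rather than Ernst and Young's model. The three-point numeric scale, the impact x net-likelihood score and the sample risks are constructed for the example.

```python
# Added worked example (not from the CIMA guide nor Ernst & Young's model):
# a small fraud risk register graded as Section 2.5 describes, recording
# offence type and potential perpetrator as the matrix above suggests.
# The three-point scale, the impact x likelihood score and the sample
# register are constructed assumptions for illustration only.
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """High/medium/low grading used for both impact and likelihood."""
    LOW = 1       # remote
    MEDIUM = 2    # possible
    HIGH = 3      # probable


@dataclass(frozen=True)
class FraudRisk:
    area: str           # department or process, e.g. payroll, purchasing
    offence: str        # "False accounting" or "Theft" (rows of the matrix)
    perpetrator: str    # Management / Employees / Third parties / Collusion
    detail: str         # description of the specific risk
    impact: Level       # worst case over the assessment period (say 12 months)
    gross: Level        # inherent likelihood, assuming no controls at all
    net: Level          # likelihood given the controls currently in place
    target: Level       # likelihood acceptable under the stated risk appetite


def priority_score(risk: FraudRisk) -> int:
    """Net exposure: impact multiplied by net likelihood, range 1..9."""
    return int(risk.impact) * int(risk.net)


def needs_action(risk: FraudRisk) -> bool:
    """Net likelihood above target means the risk profile must be altered."""
    return risk.net > risk.target


def prioritise(register):
    """Highest net exposure first; ties keep register order (stable sort)."""
    return sorted(register, key=priority_score, reverse=True)


def control_gaps(register):
    """Risks whose current controls leave them above the risk appetite."""
    return [r for r in register if needs_action(r)]


def offence_perpetrator_matrix(register):
    """Number of identified risks per (offence, perpetrator) cell, so a review
    that only considered third-party theft shows up as a row of empty cells."""
    return Counter((r.offence, r.perpetrator) for r in register)


# Constructed sample register: illustrative values, not survey data.
SAMPLE_REGISTER = [
    FraudRisk("payroll", "False accounting", "Employees",
              "ghost employees added to the payroll",
              impact=Level.HIGH, gross=Level.HIGH, net=Level.MEDIUM, target=Level.LOW),
    FraudRisk("cash receipts", "Theft", "Employees",
              "skimming of cash takings before they are recorded",
              impact=Level.MEDIUM, gross=Level.HIGH, net=Level.LOW, target=Level.LOW),
    FraudRisk("purchasing", "Theft", "Collusion",
              "kickbacks from suppliers in return for inflated invoices",
              impact=Level.HIGH, gross=Level.MEDIUM, net=Level.MEDIUM, target=Level.MEDIUM),
    FraudRisk("expenses", "False accounting", "Management",
              "inflated or duplicated expense claims",
              impact=Level.LOW, gross=Level.HIGH, net=Level.HIGH, target=Level.MEDIUM),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "ACTION" if needs_action(r) else "ok"
        print(f"{priority_score(r)}  {r.area:<14} {r.offence:<17} {r.perpetrator:<12} "
              f"net={r.net.name} target={r.target.name} {flag}")
    for (offence, who), n in sorted(offence_perpetrator_matrix(SAMPLE_REGISTER).items()):
        print(f"{offence:<17} x {who:<12}: {n}")
```

    Two points the register makes visible that the prose does not: a risk can score highly on net exposure and still need no action (the purchasing risk sits at its target), while a low-impact risk can still demand action because its net likelihood exceeds the risk appetite (the expenses risk). The matrix count is only a coverage check; an empty cell is a prompt to ask whether that combination was genuinely considered.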

    2.6 DEVELOP A RISK MANAGEMENT STRATEGY

    Once the risks have been identified and assessed, and the organisations risk appetite has been set,

    strategies can be developed by the risk management group to deal with each risk that has been identified.

    Strategies could include:

    • ignoring small risks (but ensuring that they remain under cyclical review);

    • contractual transfer of risk;

    • risk avoidance;

    • risk reduction via controls and procedures;

    • transferring risks to insurers.


    2.7 IMPLEMENT THE STRATEGY AND ALLOCATE RESPONSIBILITIES

    The chosen strategy should be allocated and communicated to those responsible for implementation. For

    the plan to be effective it is essential that responsibility for each specific action is assigned to the

    appropriate operational manager and that clear target dates are established for each action. It is also

    important to obtain the co-operation of those responsible for the strategy, by the

    use of means such as formal communication, seminars, action plans and adjustments to budgets.

    2.8 IMPLEMENT AND MONITOR IMPLEMENTATION OF THE SUGGESTED CONTROLS

    The chosen strategy may require the implementation of new controls or the modification of existing

    controls. Businesses are dynamic and the controls that are in place will need to be monitored to assess

    whether or not they are succeeding in their objectives. The risk management group should also be

    empowered to monitor the effectiveness of the actions being taken in each specific area as these can be

    affected by internal and external factors, such as changes in the marketplace or the introduction of new

    computer systems.

    Summary

    There are risks in most situations. Risk management is an important element of corporate governance

    and every organisation should review their risk status and develop their approach as described in the

    Risk Management Cycle in 2.2 above.

    The following chapters will expand on some aspects of this process.


    CHAPTER 3

    FRAUD PREVENTION

    An effective fraud prevention strategy has five main objectives:

    • prevention;

    • deterrence;

    • disruption;

    • identification;

    • civil action/prosecution.

    While the hope would always be that the strategy succeeds in preventing incidences of fraud, the very

    existence of the strategy acts as a deterrent. Likewise, the risk management strategies, described earlier, will

    have the effect of disrupting the activities of any existing fraudster and allow the organisation to identify any

    high-risk activities, or control weaknesses. The totality of these measures should, therefore, ensure that costly

    civil action, or disruptive and lengthy criminal prosecutions, will not be necessary.

    The reduction of opportunities to commit fraud linked to a heightened risk to perpetrators of being caught

    are the main defences which an organisation can develop in reducing fraud. No organisation is immune: if the

    organisation has valuable property (cash, goods, information or services), then fraud will be attempted. In recent

    years frauds have occurred in many charities, including religious ones, as well as across the whole range of

    government and commercial organisations.

    This section will examine some of the main preventative approaches which can be implemented to minimise the

    cost of fraud within an organisation. These approaches are generic and can be applied as appropriate to

    particular circumstances.

    3.1 DEVELOPING AN ANTI-FRAUD CULTURE

    Attitudes within an organisation often lay the foundation for a high- or low-risk environment. Where

    minor unethical practices may be overlooked (e.g. petty theft, expenses frauds), larger frauds committed

    by higher levels of management may also be treated in a similar lenient fashion. In this environment there

    may be a risk of total collapse of the organisation, either through a single catastrophic fraud or through

    the combined weight of many smaller frauds.

    Organisations which have taken the time to consider where they stand on ethical issues have come to

    realise that high ethical standards bring long-term benefits as customers, suppliers, employees and the

    community realise that they are dealing with a trustworthy organisation. They have also realised that

    dubious ethical or fraudulent practices, when exposed, cause serious adverse consequences to the people

    and organisations concerned.

    The definition of good ethical practice is not simple. Ideas differ across cultural and national boundaries

    and change over time. But corporate ethics statements need not be lengthy to be effective. The following

    is an example of a statement of guiding principles which could form the basis of an ethics statement in an

    international environment.

    Organisations which have created a positive ethical culture have normally either been driven by a

    committed chief executive or have been forced to do so because of incidents which caused, or almost caused, significant loss to the organisation.

    Benchmark organisations will generally have:

    A mission statement which refers to quality or, more unusually, to ethics, and which defines how the

    organisation wants to be regarded externally;

    A clear policy statement on business ethics with explanations about acceptable behaviour in risk-prone

    circumstances;

    A route through which suspected fraud can be reported;

    A process of reminders about ethical and fraud policies (e.g. an annual letter);

    An aggressive audit process which concentrates on areas of risk;

    Management who are seen to be committed through their actions.

    One question worthy of consideration is how much publicity should be given to exposed fraud. A

    publicised successful fraud investigation can be a sharp reminder to those who may be tempted and a

    warning to those who are responsible for the management of controls. While there may be

    embarrassment for those who were close to the fraud and did not identify it, and an adverse impact on

    the organisation's public image, there can be advantages in publishing internally the outcome of a

    successful fraud investigation.

    Risk awareness

    Almost every time a major fraud occurs many people who were unwittingly close to it are shocked that

    they were unaware of what was happening. Therefore, it is important to raise awareness through a formal

    education and training programme as part of the overall risk management strategy. Particular attention

    should be paid to those managers and staff operating in high-risk areas, such as procurement and bill

    paying, and to those with a role in the prevention and detection of fraud, for example human resources

    and staff with investigation responsibility.

    There are arguments about how far training on fraud should go within an organisation beyond the audit

    group. For example, a question often raised is whether management and staff who have been trained in

    fraud prevention techniques will then use the knowledge to commit fraud. However, there is advantage in

    covering the subject of fraud in generic terms, the corporate ethic, the audit approach and the types of

    checks and balances built into processes.

    Guiding principles

    Avoid acting in any way that could bring the organisation into disrepute or undermine the values it

    represents.

    Act with integrity towards colleagues, staff, clients, suppliers and members of the public and treat

    them with respect.

    Ensure that the organisation's aims, objectives and policies are clearly stated and communicated to members of the public.

    Ensure that the allocation of services and benefits to the organisation's intended clients or

    beneficiaries is made, and seen to be made, fairly and impartially.

    Safeguard the confidentiality of personal data and information of a non-public nature.

    Comply with legal requirements, such as copyright legislation, that apply to your day-to-day work.

    Extract from an ethics statement produced by the UK's Jewish Association for Business Ethics, printed

    with the Association's permission.

    Each type of organisation has different areas of risk and these should be identified, then cost effective

    controls developed to minimise the risk. There is obviously a cost to combating risk so a risk profile

    statement of activities (as described in the previous chapter) should be drawn up to enable the

    identification of appropriate risk management strategies.

    Overall responsibility for the organisation's system of internal control must be at the highest level in the

    organisation. As the UK's Turnbull Committee (referred to in the previous chapter) stated in its report, the

    board of directors is responsible for the company's system of internal control and should seek regular

    assurance that will enable it to satisfy itself that the system is functioning effectively. The board must

    further ensure that the system of internal control is effective in managing risks in the manner which it has

    approved. Whether this responsibility is carried out through an audit committee which provides regular

    reports to the board will depend on the size and structure of the organisation, the complexity of its

    operations and the nature of the risks it faces.

    It is clear that spending money on preventing fraud occurring brings many benefits, but the cost-benefit

    analysis is not easy to construct. The downside risk is to create excessive and expensive controls which

    reduce efficiency and demotivate staff. However, the head of fraud investigation for a major bank made

    the following observation: "A 1m increase in expenditure on fraud prevention has led to a 25m increase

    in profits."

    Whistle-blowing

    Very many frauds are known or suspected by people who are not involved. The challenge for

    management is to encourage these innocent people to speak out, by demonstrating that it is very much

    in their own interest.

    In this area there are many conflicting emotions influencing the potential whistle-blower:

    working group/family loyalties;

    disinterest/sneaking admiration;

    fear of consequences;

    suspicion rather than proof.

    Extract from IFAC Exposure Draft Fraud and Error (March 2000)

    Responsibility of management and of those charged with governance

    The primary responsibility for the prevention and detection of fraud and error rests with both the management of an entity and those charged with the governance of that entity.

    It is the responsibility of the management of an entity to establish and maintain policies and

    procedures to assist in achieving the objective of ensuring, as far as possible, the orderly and

    efficient conduct of the entity's business. This responsibility includes implementing and ensuring

    the continued operation of accounting and internal control systems which are designed to

    prevent and detect fraud and error. Such systems reduce but do not eliminate the risk of

    misstatements, whether caused by fraud or error.

    It is the responsibility of those charged with governance of an entity to ensure through

    oversight of management the integrity of an entity's accounting and financial reporting systems

    and that appropriate systems of control are in place, in particular, systems for monitoring risk,

    financial control and compliance with the law.

    The organisation's anti-fraud culture and reporting processes can be a major influence on the

    whistle-blower, but it is often fear of the consequences which has the impact. To the whistle-blower the impact of

    speaking out can be traumatic, ranging from being dismissed to being shunned by other employees.

    Where fraud is committed by senior managers (and this can be as high as the chief executive) then the

    predicament faced by the whistle-blower is exacerbated. And this is where management's greatest

    challenge lies: to convince staff that everyone is responsible for combating fraud and that the good

    An example of legislation on whistle-blowing: The UK's Public Interest Disclosure Act 1998

    The Public Interest Disclosure Act received Royal Assent on 2 July 1999. It offers potential

    protection for disclosure by a worker of information within a broad range of qualifying

    disclosures. "Worker" is defined so as to cover all forms of employment but excludes Crown Servants

    whose work covers national security issues, the armed forces, police officers and employees who

    work outside the UK. Qualifying Disclosures are defined as information which, in the reasonable

    belief of the worker making the disclosure, tends to show one or more of the following:

    A criminal offence has been, is being, or is likely to be committed.

    A person has failed, is failing, or is likely to fail to comply with a legal obligation.

    A miscarriage of justice has occurred, is occurring, or is likely to occur.

    The health and safety of an individual has been, is being, or is likely to be endangered.

    The environment has been, is being, or is likely to be damaged.

    Information tending to show any of the above has been, is being, or is likely to be

    deliberately concealed.

    The worker will be protected if the qualifying disclosure is made to:

    A workers employer.

    Some other responsible person if the disclosure is relevant to that person.

    A third party, in accordance with outlined and agreed procedures.

    The general rule for external qualifying disclosures is that they may only be made where the worker can show that:

    They reasonably believed they would be subjected to detriment if they had raised the matter

    internally, or to the responsible person.

    They reasonably believed the evidence would be concealed.

    They had previously made a similar disclosure.

    It is reasonable to make the disclosure.

    An aggrieved whistleblower can seek legal redress through an industrial tribunal, and

    agreements between employers and employees which seek to exclude disclosure are void.

    However, corporations cannot rely on legislation; they must create an environment where

    employees do not feel at risk in reporting suspicions. There must be a written policy statement which includes the following safeguards:

    Reporting off-line to a senior manager or director well separated from the irregularity, or to

    the audit, legal, computer or security departments

    The maintenance of confidentiality

    The whistleblower to be commended or rewarded for the information.

    This is just a brief summary of some of the key elements of the Act. Further reference should be

    made to local procedures and instructions and, more importantly, to the Act itself.

    Based on material from Inside Fraud Bulletin, Issue 5/1999, by kind permission of the publishers

    Maxima Partnering Limited.

    health of the organisation and potentially their future employment could be at risk from fraud. Some

    companies are considering implementing a policy of recognising and rewarding employees who save the

    company money by identifying fraud. Indeed, in the United States, an individual with knowledge that a

    false claim has been submitted to the government can elect to become a whistle-blower, and file a

    complaint under the False Claims Act. If the Justice Department decides to join the lawsuit, the whistle-

    blower receives a share of the recovery. If the Justice Department decides not to participate, the whistle-

    blower is entitled to pursue the claim on behalf of the United States and will receive a greater share of any monies recovered.

    Management, of course, has to be aware of the risk of anonymous and malicious accusations, but they

    cannot afford to ignore any report in case it is correct. They may wish to state in their policy that

    anonymous advice will be treated with extreme caution.

    Professional associations and trade unions can help with both legal advice and support for whistle-blowers

    and government legislation, such as that introduced in the UK, will give protection to all but a few

    specialist workers. Until there is some history of successful defence of whistle-blowers there will continue

    to be disinclination to take the associated risks.

    A sample whistle-blowing policy can be found at Appendix 4.

    3.2 SOUND INTERNAL CONTROL SYSTEMS

    A company's system of internal control has as its principal aim the management of risks that are significant to

    the fulfilment of its business objectives with a view to safeguarding the company's assets and enhancing over

    time the value of the shareholders' interest. (Extract from the Combined Code, part of the London Stock

    Exchange Listing Requirements.)

    An internal control system comprises all those policies and procedures that, taken together, support a company's

    effective and efficient operation. These procedures can include the division of responsibilities and checks and balances to reduce risk.

    For example, the purchasing process would involve:

    the originator who specifies the goods or services and probably price;

    the superior who approves the purchase;

    the purchasing dept. who negotiate the best value through competitive quotations;

    the recipient of goods or services who confirms that the invoice is in line with goods or services received;

    the purchase ledger/accounting department who make entries in the accounts;

    the treasury manager who ensures that payments are properly supported and in line with policy;

    the management accountant who ensures that costs are in line with budgets/standards and purchase

    ledger payment statistics are in line with policy.

    Division of responsibilities is not always possible and it may be necessary to introduce additional management

    examination and control and some form of internal audit as a regular feature. Wherever new internal control

    procedures are introduced, they should be documented clearly and simply, in order that any deviation can be

    identified.
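    To make the division of responsibilities concrete, here is an added Python check (not code from the guide) that scans constructed purchase-order records for orders where a step was skipped before payment or where one person performed several of the steps listed above. The role names, the record layout, the sample orders and the policy that every step on an order is taken by a different person are assumptions made for the example.

```python
"""Segregation-of-duties check over purchase-order records.

Added example, not code from the CIMA guide. The roles mirror the steps of
the purchasing process in the text; the assumed policy is that each step on
an order is performed by a different person and that nothing is paid until
the purchase has been approved, ordered, received and entered in the ledger.
The record layout and the sample orders are constructed for illustration.
"""
from collections import Counter

# Process steps in order; each key holds the id of the person who performed
# that step, or None if the step has not happened.
ROLES = ("originator", "superior", "purchasing", "recipient", "ledger", "treasury")

# Steps that must all be complete before the treasury step releases payment.
REQUIRED_BEFORE_PAYMENT = ("originator", "superior", "purchasing", "recipient", "ledger")


def check_purchase_order(po):
    """Return the list of control findings for one purchase-order record."""
    findings = []
    holders = {role: po.get(role) for role in ROLES}

    # Rule 1: a purchase must carry an approval (compare the 'missing approval
    # or authorisation signatures' fraud alert later in the guide).
    if holders["superior"] is None:
        findings.append("no approval recorded")

    # Rule 2: payment released while earlier steps are still open.
    if holders["treasury"] is not None:
        skipped = [r for r in REQUIRED_BEFORE_PAYMENT if holders[r] is None]
        if skipped:
            findings.append("paid with steps skipped: " + ", ".join(skipped))

    # Rule 3: one person performing several steps defeats the division of
    # responsibilities, most seriously when the same person orders and pays.
    per_person = Counter(u for u in holders.values() if u is not None)
    for person, n in sorted(per_person.items()):
        if n > 1:
            roles = [r for r in ROLES if holders[r] == person]
            findings.append(f"{person} performed {n} steps: {', '.join(roles)}")
    return findings


def scan_purchase_orders(orders):
    """Map each order id to its findings, keeping only orders with findings."""
    result = {}
    for po in orders:
        findings = check_purchase_order(po)
        if findings:
            result[po["id"]] = findings
    return result


# Constructed sample orders (ids, amounts and user names are hypothetical).
CONSTRUCTED_ORDERS = [
    # Clean: six different people, every step complete.
    {"id": "PO-1001", "amount": 1250.00, "originator": "u_ali", "superior": "u_bea",
     "purchasing": "u_cal", "recipient": "u_dee", "ledger": "u_eve", "treasury": "u_fay"},
    # Self-approval: the originator also signs as the superior.
    {"id": "PO-1002", "amount": 4890.00, "originator": "u_ali", "superior": "u_ali",
     "purchasing": "u_cal", "recipient": "u_dee", "ledger": "u_eve", "treasury": "u_fay"},
    # Paid before anyone confirmed receipt of the goods.
    {"id": "PO-1003", "amount": 17400.00, "originator": "u_gus", "superior": "u_bea",
     "purchasing": "u_cal", "recipient": None, "ledger": "u_eve", "treasury": "u_fay"},
    # One person orders, receives and pays: an unsupervised chain.
    {"id": "PO-1004", "amount": 980.00, "originator": "u_gus", "superior": "u_bea",
     "purchasing": "u_hal", "recipient": "u_hal", "ledger": "u_eve", "treasury": "u_hal"},
]

if __name__ == "__main__":
    for po_id, findings in scan_purchase_orders(CONSTRUCTED_ORDERS).items():
        print(po_id, "->", "; ".join(findings))
```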

    Summary

    In conclusion, when an internal control system meets the following standard, it can be deemed effective:

    Internal control can be judged effective for each of three business objectives if:

    1. management have reasonable assurance that they understand the extent to which the organisation's

    objectives are being met;

    2. financial management reports are being prepared reliably; and

    3. applicable laws and regulations are being complied with.

    (Extract from the report of the Committee of the Sponsoring Organisations of the Treadway Committee, USA

    September 1992).

    Case study 2: The problem of control

    A recent survey of stationery consumption at a well-known consultancy showed that each employee

    had used 1,000 pens a year or approximately three pens a day. Maybe the pens were wanted to write

    long reports, to fill in expense claims or other legitimate purposes, but it is far more likely that they

    ended up in schoolbags or at the local Women's Institute Quiz Nite. On average, employees used

    three bars of soap and two toilet rolls a day.

    No doubt the increasing use of computers has resulted in a corresponding reduction in the theft of

    pens. In turn this results in increased purloining of floppy disks, ink jet cartridges and other

    consumables to feed the home computer.

    This demonstrates some fundamental principles of control: risks have been displaced rather than

    prevented; criminals have been deflected rather than deterred, and if it is light and small enough to

    fit in a bag, it will be nicked.

    Material reproduced from Inside Fraud Bulletin v, October/November 1999, by kind permission of

    the publishers Maxima Partnering Limited

    CHAPTER 4

    IDENTIFYING FRAUD

    Hindsight is a wonderful thing! Fraud is always obvious to the fraudster's colleagues after the event. Their

    statements, and those of internal auditors, when taken by the police or other investigatory bodies, frequently

    highlight all the more common fraud indicators. However, the mistake is always the same: fraud was never

    considered as an option. No matter how innocent an action may be, or how plausible an explanation may be,

    fraud is always an option!

    A survey carried out in the UK by Ernst and Young looked at the method of detection of fraudulent activity. The

    results are shown in the graph below:

    It is clear from this and other anecdotal evidence that external auditors do not generally find fraud. It is not

    their job to find fraud, although fraud may be discovered by internal or external auditors as a result of controls

    and mechanisms put in place on the advice of external auditors. It is everyone's responsibility to find and report

    fraud and irregularity within an organisation. Most frauds are, however, discovered accidentally or as a result of

    information received, most notably from ex-employees and spurned lovers! In many cases greater losses are

    suffered as a result of employees at all levels ignoring the obvious.

    It will never be possible to eliminate fraud because no system is completely fraudproof since many fraudsters

    are able to by-pass control systems put in place to stop them. However, greater attention paid to some of the

    most common indicators can provide early warning that something is not quite right and increase the likelihood

    that the fraudster will be discovered. With that in mind this chapter provides details of some of the more

    common indicators that something is not quite right.

    [Graph: Method of detection. Share of cases, scale 0% to 25%, by detection method: normal procedures, outside information, internal investigation, management review, tip off, audit.]

    4.1 WHAT TO LOOK FOR: INDICATORS AND WARNINGS

    Fraud indicators fall into two categories:

    Warning signs; and

    Fraud alerts.

    Warning signs

    Warning signs have been described as organisational indicators of fraud risk and some examples are set out

    below. For convenience these have been sub-divided into business risk, financial risk and environmental risk.

    Further examples can be found in Appendix 5.

    Business risk

    This has been sub-divided into cultural issues, management issues, employee issues, process issues and

    transaction issues.

    Cultural issues

    Absence of an anti-fraud policy.

    Failure of management to make a clear commitment to implementing a sound framework of internal

    control and demonstrating this at all times.

    Management issues

    Lack of professionalism and appropriate financial management involvement in key accounting principles,

    review of management judgements made in reporting results and the review of significant cost estimates.

    A history of legal or regulatory violations within the organisation and/or claims against the entity alleging

    such violations.

    The presence of strained relationships within the organisation between management and internal or

    external auditors.

    Lack of management supervision.

    Lack of clear management control of responsibility, authorities, delegation, etc.

    Employee issues

    Absence of adequate recruitment screening.

    Employee relationships, internal and external.

    Potential labour force reductions/redundancies.

    Dissatisfied employees who have access to desirable assets.

    Unusual staff behaviour patterns.

    Personal financial pressures on key staff.

    Low salary levels of key staff.

    Poor dissemination of internal controls.

    Employees working unsocial hours unsupervised.

    Process issues

    Lack of job segregation and independent checking of key transactions.

    Lack of identification of the asset.

    Poor management accountability and reporting systems.

    Poor physical security of assets.

    Poor access controls to physical assets and IT security systems.

    Lack or inadequacy of internal controls.

    Poor documentation of internal controls.

    Transaction issues

    Poor documentation support for specific transactions such as rebates and credit notes.

    Large cash transactions.

    Susceptibility of assets to misappropriation.

    Financial risk

    Management compensation highly dependent on meeting aggressive performance targets.

    Significant pressures on management to obtain additional finance.

    Extensive use of tax havens etc. without a clear business justification.

    Complex transactions.

    Complex legal ownership, organisational structures etc.

    Rapid changes in profitability.

    Existence of personal or corporate guarantees.

    Environmental risk

    The introduction of new accounting or other regulatory requirements, including health & safety or

    environmental legislation, which could significantly alter the reported results of an entity.

    Highly competitive market conditions and decreasing profitability levels within the organisation.

    The organisation operating in a declining industrial sector and possibly facing prospects of business failure.

    Rapid technological changes taking place within the industry, which may increase the potential for product

    obsolescence.

    Significant changes in customer demand.

    Fraud alerts

    Fraud alerts have been described as specific events, which may be indicative of fraud. A list of possible fraud

    alerts is provided below. This should not be considered an exhaustive list, as alerts will appear in many different

    guises according to circumstances.

    Anonymous letters/telephone calls.

    Discrepancy between earnings and lifestyle.

    Unusual, irrational, or inconsistent behaviour.

    Alteration of documents and records.

    Extensive use of correction fluid and unusual erasures.

    Photocopies of documents instead of originals.

    Rubber-stamp signatures instead of originals.

    Signature or handwriting discrepancies.

    Missing approval or authorisation signatures.

    Transactions initiated without the appropriate authority.

    Unexplained fluctuations in stores/stock account balances, inventory variances and inventory turnover rates.

    Subsidiary ledgers, which do not reconcile with control accounts.

    Confirmation letters not returned.

    Supplies purchased in excess of need.

    Inventory adjustments.

    The above lists of fraud indicators can be indicative of any fraud type. Appendix 4 provides examples of more

    specific fraud indicators.

    4.2 TOOLS AND TECHNIQUES

    The training received by management accountants is a very good basis for implementing a fraud prevention

    programme. The broad understanding of business processes expected of a management accountant is an

    important asset, as is their knowledge of the systems and procedures that should be in place within an

    organisation, and which allow it to operate efficiently and effectively. A further asset is the ability to think, and

    act, logically, which is something the management accountant develops with experience. The first important

    tool available is, therefore, training and experience.

    The second tool is the necessary mindset that fraud is always an option. This does not mean that every time

    someone seems to be working excessive overtime, without taking leave, they are in the process of committing

    a fraud, or that inaccuracies in the accounts are there to cover up a fraud. Nevertheless, they might be and,

    having considered the possibility of fraud, the next step may be to undertake some further research or pass

    concerns to a line manager.

    In addition to the tools described above, there are everyday techniques available to help identify irregularities

    which may be fraud, and to research the anomaly identified in order to decide whether it should be taken further.

    Identifying anomalies

    Background reading: it is important to keep up to date with fraud trends and issues. Technical magazines often

    carry articles on fraud and financial irregularity. A subscription to a publication specialising in fraud, or a

    good reference book, is also useful. The Internet is also a very useful, and vast, research tool.

    Risk assessment: a response to irregularities which raise a concern could be to undertake a fraud risk

    assessment and act according to the findings.

    Benchmarking: comparisons of one financial period with another; or the performance of one cost centre, or

    business unit, with another; or of overall business performance with industry standards, can all highlight

    anomalies worthy of further investigation.

    Systems analysis: it is important to examine the systems in place and identify any weaknesses that could be

    opportunities for the fraudster.

    Ratio analysis: can be used to identify any abnormal trends or patterns.

    Mathematical modelling: using a spreadsheet's sort facility can help to identify patterns in expenditure etc.

    There are also specialist mathematical models such as Benford's Law, a mathematical formula which can help

    identify irregularities in accounts. Database modelling can also be utilised.

    Specialist software: such as audit tools for data matching analysis can prove very useful.
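    As an added worked example (not from the CIMA guide), the following Python applies the Benford's Law first-digit test mentioned above to two constructed purchase ledgers, one conforming and one padded with invoices kept just under a hypothetical 5,000 single-signature approval limit, and compares the resulting chi-square statistic with the usual critical value. The ledgers, the limit and the 50% over-representation rule for flagging individual digits are assumptions made for the example.

```python
"""Benford's Law first-digit test over purchase-ledger amounts.

Added worked example; not code from the CIMA guide. Benford's Law says the
leading digit d of naturally occurring amounts appears with probability
log10(1 + 1/d), so 1 leads about 30% of the time and 9 under 5%. The two
ledgers below are constructed: one conforms, the other is padded with
invoices kept just below a hypothetical 5,000 single-signature limit.
"""
import math
from collections import Counter

# Chi-square critical value, p = 0.05, 8 degrees of freedom (9 digits - 1).
CHI2_CRITICAL_8DF_005 = 15.507


def benford_expected():
    """Expected share of each leading digit 1..9 under Benford's Law."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit of a positive or negative amount; None for zero."""
    amount = abs(amount)
    if amount == 0:
        return None
    scaled = amount / 10 ** math.floor(math.log10(amount))
    # Guard against floating-point rounding at exact powers of ten.
    if scaled >= 10:
        scaled /= 10
    elif scaled < 1:
        scaled *= 10
    return int(scaled)


def benford_analysis(amounts):
    """Observed and expected leading-digit counts plus the chi-square statistic."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    if not digits:
        raise ValueError("no non-zero amounts to analyse")
    observed = Counter(digits)
    expected = {d: len(digits) * p for d, p in benford_expected().items()}
    chi_square = sum((observed[d] - expected[d]) ** 2 / expected[d] for d in range(1, 10))
    return {d: observed[d] for d in range(1, 10)}, expected, chi_square


def benford_report(amounts, critical=CHI2_CRITICAL_8DF_005):
    """Flag a ledger whose digit mix departs from Benford's Law.

    'suspect_digits' lists digits seen at least 50% more often than expected,
    the pattern left by invoices clustered just under an approval threshold.
    """
    observed, expected, chi_square = benford_analysis(amounts)
    return {
        "n": sum(observed.values()),
        "chi_square": round(chi_square, 2),
        "deviates": chi_square > critical,
        "suspect_digits": [d for d in range(1, 10) if observed[d] > 1.5 * expected[d]],
    }


# Constructed ledger 1: 1,000 invoices whose leading digits follow Benford's
# Law (counts are 1,000 * log10(1 + 1/d), rounded).
BENFORD_COUNTS = {1: 301, 2: 176, 3: 125, 4: 97, 5: 79, 6: 67, 7: 58, 8: 51, 9: 46}


def constructed_conforming_ledger():
    return [d * 1000 + i for d, count in BENFORD_COUNTS.items() for i in range(count)]


# Constructed ledger 2: 600 genuine invoices in Benford proportions plus 400
# invoices between 4,600 and 4,999, just under the hypothetical limit.
APPROVAL_LIMIT = 5000
GENUINE_COUNTS = {1: 181, 2: 106, 3: 75, 4: 58, 5: 47, 6: 40, 7: 35, 8: 31, 9: 27}


def constructed_threshold_ledger():
    genuine = [d * 1000 + i for d, count in GENUINE_COUNTS.items() for i in range(count)]
    under_limit = [APPROVAL_LIMIT - 400 + i for i in range(400)]
    return genuine + under_limit


if __name__ == "__main__":
    for name, ledger in (("conforming", constructed_conforming_ledger()),
                         ("threshold-skewed", constructed_threshold_ledger())):
        print(name, benford_report(ledger))
```

    A high chi-square only says the digit mix is unusual; round-number price lists, fixed fees or small samples also break Benford's Law, so a flagged ledger is a prompt for the methodical analysis described next, not evidence of fraud.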

    Analysing the anomaly: a methodical approach

    All of the tools covered so far have their uses in identifying the irregularity but to be effective they must be

    combined with a methodical approach to the analysis of the problem identified. At this stage it is not a fraud

    investigation or internal management review but analysis of a problem to decide whether such a review should

    be carried out. One approach which can be considered is detailed below.

    1. Establish the objective. The objective of the research must be clear as this will enable decisions to be made

    about the best way forward.

    2. Identify the systems and procedures. Undertaking a systems and risk analysis and comparing the

    laid-down systems and procedures that should have been in place with those actually in use can help to

    identify system or procedural failures.

    3. Establish the scale of the risk. This involves identifying the potential loss and assessing whether it is

    material. Actual losses should be identified where possible.

    4. Situation analysis. This involves background research such as company searches, and identifying those

    involved.

    5. Analyse all available data. Analysis of all the data will give an understanding of what has occurred and

    how it occurred.

    6. Prepare schedules (include graphics). Graphical and numerical schedules/spreadsheets should be prepared

    to support the analysis and findings. It is important to make it as easy as possible for those with little or no

    financial knowledge to understand what has occurred. These, when consolidated, would be in the form

    of an audit pack detailing the documents that have led to the formulation of the conclusions.

    7. Prepare the report. In preparing the report it is important to bear in mind that whatever the original

    objective there is always the possibility of it being used in evidence at some form of legal proceedings. The

    report should be factual and, where opinion is given, it should be clearly identified as such, for example

    professional opinion used in the conclusions of the report. The report should be kept to the facts as much as possible,

    but that does not mean that the conclusions cannot encompass professional opinion.

    Summary

    Included in Appendix 4 are examples of specific fraud alerts associated with activities common to most types of

    organisation. However, none of these will be of any use unless it is accepted that fraud is possible. It is that

    mindset, that awareness, which will enable an organisation to stop an incidence of fraud before it becomes

    catastrophic. A warning sign is not effective unless it is appreciated as such and this awareness can only be

    achieved by means of a continuing programme of education and training.

    CHAPTER 5

    RESPONDING TO FRAUD

    An organisation's approach to fraud should be described in its fraud policy and fraud response plan. A sample

    policy and example plan are contained in Appendices 1 and 2 respectively. This chapter expands on parts of the outline plan where they have not already been covered in earlier chapters and highlights some issues and

    considerations. Paragraph headings in this chapter are those which should form the basis of the fraud response

    plan and relate to the actions in the outline response plan in Appendix 2.

    5.1 THE PURPOSE OF THE FRAUD RESPONSE PLAN

    The fraud response plan is a formal means of setting down clearly the arrangements which are in place for

    dealing with suspected cases of theft, fraud or corruption. It is intended to provide procedures which

    allow for evidence gathering and collation in a manner which will facilitate informed decision-making,

    while ensuring that evidence gathered will be admissible in the event of any civil or criminal action. Other

    benefits arising from the publication of a corporate fraud response plan are its deterrence value and the

    likelihood that it will reduce the tendency to panic. It can help restrict damage and minimise losses, enable

    the organisation to retain market confidence, and help to ensure the integrity of evidence.

    5.2 CORPORATE POLICY

    The fraud response plan should reiterate the organisation's commitment to high legal, ethical and moral

    standards in all its activities and its approach to dealing with those who fail to meet those standards. It is

    important that all those working in the organisation are aware of the risk of fraud and other illegal acts

    such as dishonesty or damage to property. As discussed in Chapter 3, they should be clear about the

    means of enforcing the rules or controls which the organisation has in place to counter such risks and be

    aware of how to report any suspicions they may have. The fraud response plan is the means by which this

    information is relayed to all members of staff and, possibly, other stakeholders, such as customers,

    suppliers, and shareholders.

    5.3 FRAUDULENT ACTIVITIES

    As has been explained in Chapter 1, there is no universal legal definition of fraud as an offence, but the term encompasses criminal offences involving the obtaining of some benefit, or causing detriment to some person or organisation, by dishonest means. This section could provide legal definitions or simply a list of activities which would or could be considered fraudulent.

    5.4 ROLES AND RESPONSIBILITIES

    The division of responsibilities for fraud management will vary from one organisation to the next, depending on the size, industry, culture and other factors. However, the following are some general guidelines which can be adapted to suit the individual circumstances.


    Managers and supervisors

    Generally managers and supervisors are in a position to take responsibility for detecting fraud, misappropriation and other irregularities in their area. Staff must assist management by reporting any suspected irregularities. Managers and supervisors should be provided with a response card, or aide-memoire, detailing how they should respond to a reported incidence of fraud. The aide-memoire should include a list of contacts with telephone numbers.

    Director of finance

    The director of finance will often have overall responsibility for the organisation's response to fraud, including the responsibility for co-ordinating any investigation and for keeping the fraud response plan up to date. He will hold the master copy of the fraud response plan, and should have his own aide-memoire to assist with the management of the investigation. He will also be responsible for maintaining the investigation log.

    Fraud officer

    In large organisations it may be necessary to designate a senior manager as the fraud officer in place of the finance director, with responsibility for initiating and overseeing all fraud investigations, for implementing the fraud response plan and for any follow-up actions. The fraud officer should be authorised to receive inquiries from staff confidentially and anonymously, and be given the authority to act and/or provide advice according to individual circumstances, without recourse to senior management for approval. He will manage any internal investigations and act as a liaison officer with all other interested parties, both internal and external, including police, regulators and auditors. The fraud officer should have his own job description, appropriate to the role, an extended list of contacts and his own response card. One of his primary tasks would be the updating of the investigation log.

    In the event that the fraud officer's superior is a suspect, he should report to a more senior manager or non-executive director, perhaps the chair of the audit committee.

    Human resources

    The human resources department will usually have responsibility for any internal disciplinary procedures, which must be in line with, and support, the fraud policy statement and fraud response plan. Their advice should be sought in relation to the organisation's personnel management strategies, individual employment histories, and issues relating to employment law or equal opportunities.

    Audit committee (where applicable)

    The audit committee should take responsibility for reviewing the organisation's performance in fraud prevention, reviewing the log of cases at least once a year and reporting any significant matters to the board. If a suspicion involves the nominated fraud contact or an executive director, the matter should be reported directly to the chairman of the audit committee. In small companies a nominated non-executive director may fulfil the role of the audit committee.

    Internal auditors (where applicable)

    Where an organisation has its own internal audit department, the likelihood is that the task of investigating any incidence of fraud would fall to them. It may be appropriate to designate specific auditors as fraud specialists and to ensure that they have the appropriate skills and knowledge to undertake the task.


    External auditors (where applicable)

    An organisation without its own internal audit department may consider consulting its external auditors should it discover a fraud, if only to obtain the expertise to establish the level of loss. However, they may also be in a position to provide expert assistance from elsewhere within the firm, such as from a specialist fraud investigation group. A decision to call on external auditors should, however, be considered carefully, as there is always the possibility that if the auditor has missed obvious fraud alerts, the organisation may eventually seek damages from its auditor.

    Legal advisors (internal or external)

    Legal advice should be sought as soon as a fraud is reported, irrespective of the route it is intended to follow. Specific advice would include such issues as guidance on civil, internal and criminal responses, and recovery of assets.

    IS/IT staff

    IS/IT staff can provide technical advice on IT security, capability and access. If computers have been utilised to commit the fraud, or if they are required for evidential purposes, specialist advice must be sought immediately.

    Public relations

    Organisations with a high profile, e.g. larger businesses, public sector bodies or charities, may wish to consider briefing their PR staff so they can prepare a brief for the press in the event that news of a fraud becomes public.

    Police

    When the police are consulted, if at all, is a matter of internal policy. However, if it is policy to prosecute all those suspected of fraud, then the police should be involved at the outset of any investigation, as any unnecessary delay could diminish the likelihood of success. In respect of public bodies, Audit Commission guidance states that the police/external auditors should be informed immediately fraud is suspected.

    External consultants

    Any organisation could consider bringing in specialist investigation skills from outside the organisation. Many such specialist firms exist to provide a discreet investigation and/or asset recovery service in accordance with their clients' instructions.

    Insurers

    The timeframe for a report to fidelity insurers, and any additional requirements, should be laid down in the insurance document.

    5.5 ORGANISATION'S OBJECTIVES WITH RESPECT TO FRAUD

    The organisation's policy may include any or all of the following preferred outcomes in dealing with fraud.

    Internal disciplinary action

    In accordance with the organisation's personnel and disciplinary guidelines.

    A civil response

    This is the subject of a separate supplement to this guide which will be published shortly.


    Criminal prosecution

    Whereby action is taken against the individual(s) concerned in a police-managed enquiry.

    A parallel response

    Where civil action to recover misappropriated assets is taken in parallel with a police investigation.

    5.6 THE RESPONSE

    Reporting suspicions

    The procedures for reporting fraud should be spelt out clearly and succinctly. This may be by means of a formal whistleblowing policy, but the procedures should also be summarised within the fraud response plan.

    Establish an investigation team

    After recording details of the allegations, the finance director or the fraud officer, as appropriate, should call together the investigation team plus their advisors. This could involve any, or all, of those listed above, with the possible exception of insurers.

    Formulate a response

    The objectives of the investigation should be clearly identified, as should the resources required, the scope of the investigation, and the timescale. The investigating team's objectives will be driven by the organisation's attitude to fraud; that is, internal action, civil response, prosecution of offenders, or some form of parallel response. An action plan should be prepared and roles and responsibilities should be delegated in accordance with the skills and experience of the individuals involved. The individual in overall control of the investigation should be clearly identified, as should the powers available to team members. Reporting procedures and evidence handling and recording procedures should be clearly understood by all concerned.

    5.7 THE INVESTIGATION

    Preservation of evidence

    A key consideration in any investigation must always be how to secure or preserve sufficient evidence to prove fraud. If a criminal act is suspected, the police should be consulted at once, before any overt action is taken; otherwise suspects may be alerted and evidence removed or destroyed.

    In English and Welsh law, for the purposes of criminal proceedings, the admissibility of evidence is governed by the Police and Criminal Evidence Act (PACE). In addition, the Criminal Procedure and Investigations Act 1996 provides a statutory framework and code of practice for disclosure of material collected during the course of investigations. Although PACE does not apply in civil or disciplinary proceedings, it should nevertheless be regarded as best practice. If an individual does end up being charged with a criminal offence (and this may not be planned at the outset of the investigation), all investigations and relevant evidence will be open to discovery by that individual's defence. It is, therefore, important that proper records are kept from the outset, including accurate notes of when, where and from whom the evidence was obtained and by whom. The police, or legal advisors, will be able to advise on how this should be done.
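    The record-keeping requirement above (accurate notes of when, where and from whom evidence was obtained and by whom, kept from the outset), as an added example that is not part of the guide: a tamper-evident investigation log in Python in which every entry carries those four facts and a digest of the preceding entry, so that a later alteration or deletion of an entry is detectable when the log is re-verified. The names, timestamps and file contents in the sample entries are constructed; the guide prescribes no particular format for the log.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # anchor used as the "previous hash" of the first entry


@dataclass
class LogEntry:
    seq: int              # position in the log; a gap reveals a deleted entry
    when: str             # when the evidence was obtained (ISO 8601, supplied by caller)
    where: str            # where it was obtained
    from_whom: str        # from whom it was obtained
    by_whom: str          # by whom it was obtained
    description: str      # what the item or action is
    item_sha256: str      # digest of a seized file/document, "" for a narrative note
    prev_hash: str        # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""  # digest over all the fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")  # the digest covers every field except itself
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_item(data: bytes) -> str:
    """SHA-256 of a seized item, so later copies can be checked against the log."""
    return hashlib.sha256(data).hexdigest()


def add_entry(log: List[LogEntry], when: str, where: str, from_whom: str,
              by_whom: str, description: str, item: Optional[bytes] = None) -> LogEntry:
    """Append a chained entry; the caller must supply the four mandatory facts."""
    entry = LogEntry(
        seq=len(log), when=when, where=where, from_whom=from_whom, by_whom=by_whom,
        description=description,
        item_sha256=digest_item(item) if item is not None else "",
        prev_hash=log[-1].entry_hash if log else GENESIS,
    )
    entry.entry_hash = entry.compute_hash()
    log.append(entry)
    return entry


def verify_chain(log: List[LogEntry]) -> Tuple[bool, Optional[int]]:
    """Re-walk the chain. Returns (True, None) if intact, otherwise (False, index
    of the first entry whose contents, position or link no longer match)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if (entry.seq != i or entry.prev_hash != expected_prev
                or entry.entry_hash != entry.compute_hash()):
            return False, i
        expected_prev = entry.entry_hash
    return True, None


def demo_log() -> List[LogEntry]:
    """Constructed sample: two entries from a hypothetical duplicate-payment enquiry."""
    log: List[LogEntry] = []
    add_entry(log, "2019-07-26T09:15:00Z", "Accounts payable office",
              "J. Smith, AP clerk (constructed name)",
              "A. Jones, internal audit (constructed name)",
              "Report received of apparently duplicated supplier payments")
    add_entry(log, "2019-07-26T10:40:00Z", "Finance file server",
              "IS/IT manager", "A. Jones, internal audit (constructed name)",
              "Copy of supplier master file taken for analysis",
              item=b"constructed sample file contents")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", verify_chain(log))       # (True, None)
    log[0].description = "Report received of a single late payment"
    print("after edit:", verify_chain(log))   # (False, 0)
```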


    trained investigators, if the need for an interview under caution arises, police involvement should again be considered. Section 67 of the Act states: "Persons other than police officers who are charged with the duty of investigating offences, shall ...... have regard to any relevant provision of the code." Failure to observe the codes of practice may therefore jeopardise vital evidence, rendering it useless.

    In practice, therefore, it is suggested that interviews should only be conducted by trained personnel with advice and guidance from the organisation's legal advisors, or the police. This guidance could be supported by means of a brief or an aide-memoire for the personnel concerned and supplemented with formal training.

    5.8 FOLLOW-UP ACTION

    Lessons learned

    There are lessons to be learned from every identified incident of fraud, and the organisation's willingness to learn from experience is as important as any other response. The larger organisation may consider establishing a special group to examine the circumstances and conditions which allowed the fraud to occur, with a view to making a report to senior management detailing improvements to systems and procedures. A smaller organisation may consider discussing the issues with some of its more experienced people with the same objectives in mind.

    Management response

    Internal reviews

    Having had one incident of fraud, the organisation may consider a fundamental review of all of its systems and procedures so as to identify any other potential system failures. Changes to the policy or systems should be implemented as soon as possible.

    Implement changes

    Should weaknesses have been identified, it can only be of benefit to the organisation to take the appropriate remedial action. Recent statistics have confirmed once again that many organisations suffer more than one incident of fraud per annum.

    Annual report

    An annual report should be submitted to the board of all investigations carried out, outcomes and lessons learned.


    APPENDIX 1

    A SAMPLE FRAUD POLICY

    The following is an example of a policy which can be modified for use by any organisation.

    Background

    This organisation has a commitment to high legal, ethical and moral standards. All members of staff are expected to share this commitment. This policy is established to facilitate the development of procedures which will aid in the investigation of fraud and related offences.

    The board already has procedures in place that reduce the likelihood of fraud occurring. These include standing orders, documented procedures and documented systems of internal control and risk assessment. In addition, the board tries to ensure that a risk (and fraud) awareness culture exists in this organisation.

    This document, together with the fraud response plan and investigators' guide, is intended to provide direction and help to those officers and directors who find themselves having to deal with suspected cases of theft, fraud or corruption. These documents give a framework for a response and advice and information on various aspects and implications of an investigation. These documents are not intended to provide direction on prevention of fraud.

    FRAUD POLICY

    This policy applies to any irregularity, or suspected irregularity, involving employees as well as consultants, vendors, contractors, and/or any other parties with a business relationship with this organisation. Any investigative activity required will be conducted without regard to any person's relationship to this organisation, position or length of service.

    Actions constituting fraud

    Fraud comprises both the use of deception to obtain an unjust or illegal financial advantage and intentional misrepresentations affecting the financial statements by one or more individuals among management, staff or third parties. Guidance is contained in the Appendix to this policy.

    All managers and supervisors have a duty to familiarise themselves with the types of improprieties that might be expected to occur within their areas of responsibility and to be alert for any indications of irregularity.

    THE BOARD'S POLICY

    The board is absolutely committed to maintaining an honest, open and well-intentioned atmosphere within the organisation. It is, therefore, also committed to the elimination of any fraud within the organisation, and to the rigorous investigation of any such cases.

    The board wishes to encourage anyone having reasonable suspicions of fraud to report them. Therefore, it is also the board's policy, which will be rigorously enforced, that no employee will suffer in any way as a result of reporting reasonably held suspicions.

    All members of staff can therefore be confident that they will not suffer in any way as a result of reporting reasonably held suspicions of fraud. For these purposes, reasonably held suspicions shall mean any suspicions other than those which are shown to be raised maliciously and found to be groundless. The organisation will deal with all occurrences in accordance with the Public Interest Disclosure Act.


    APPENDIX 2

    OUTLINE FRAUD RESPONSE PLAN

    1. PURPOSE OF THE FRAUD RESPONSE PLAN

    2. CORPORATE POLICY

    3. THE DEFINITION OF FRAUD

    4. ROLES AND RESPONSIBILITIES
        Managers and supervisors
        Director of finance
        Fraud officer
        Human resources
        Audit committee
        Internal auditors
        External auditors
        Legal advisors
        IS/IT staff
        Public relations
        The police
        External consultants
        Insurers

    5. ORGANISATION'S OBJECTIVES WITH RESPECT TO FRAUD
        Internal report
            no further action
            disciplinary action
        Civil response
            legal advisors' control
            legal submissions
            case file
        Criminal response
            police controlled
            case file
        Parallel response
            civil recovery
            criminal prosecution


    6. THE RESPONSE
        Reporting suspicions
        Establish an investigation team
            objectives
            reporting procedures
            responsibilities
            powers
            control
        Formulate a response in accordance with corporate policy

    7. THE INVESTIGATION
        Preservation of evidence
        Physical evidence
        Interviews (general)
        Statements from witnesses
        Statements from suspects

    8. FOLLOW-UP ACTION
        Lessons learned
        Management response
            internal reviews
            implement changes
            annual report


    APPENDIX 3

    EXAMPLE OF A FRAUD RESPONSE PLAN

    This example has been based on a response plan from an organisation within the UK's National Health Service.

    1. INTRODUCTION

    This document is intended to provide direction and help to those officers and directors who find themselves having to deal with suspected cases of theft, fraud or corruption. It gives a framework for a response and provides information on various aspects of investigation. The document also contains a series of flowcharts which provide a framework of procedures that allow evidence to be gathered and collated in a way which facilitates informed initial decisions, while ensuring that evidence gathered will be admissible in any future criminal or civil actions. This document is not intended to provide direction on fraud prevention.

    2. CORPORATE POLICY

    The board is committed to maintaining an honest, open and well-intentioned atmosphere within the company. It is, therefore, also committed to the elimination of all fraud and to the rigorous investigation of any such cases.

    The board wishes to encourage anyone who has reasonable suspicions of fraud to report them. The company has a published whistle-blowing policy which aims to ensure that concerns are raised and dealt with in an appropriate manner. Employees raising genuine concerns will be protected and their concerns looked into.

    3. THE DEFINITIONS OF FRAUD

    The term fraud encompasses a number of criminal offences involving the use of deception to obtain benefit or causing detriment to individuals or organisations.

    This document is intended to provide a framework for investigating all suspected cases of fraud, theft or corruption where:

        the value of the company has or may have suffered, or has been misrepresented for personal gain, as a result of the actions or omissions of:
            directors and staff employed by the company; or
            customers, contractors and other external stakeholders.

    4. ROLES AND RESPONSIBILITIES

    See Chart 1 Reporting Fraud

    DIRECTOR OF FINANCE

    Responsibility for investigating fraud has been delegated to the director of finance. Where appropriate or necessary, he is also responsible for informing third parties, such as the external auditors or the police, about the investigations. The director of finance will inform and consult with the chief executive in cases where the loss is potentially significant or where the incident may lead to adverse publicity.

    The director of finance will maintain a log of all reported suspicions, including those dismissed as minor or otherwise not investigated. The log will contain details of actions taken and conclusions reached and will be presented to the audit committee for inspection annually. Significant matters will be reported to the board as soon as practical.

    Chart 1 Reporting Fraud

    (Flowchart; the boxes read, in order:)
        You suspect fraud or other illegal act involving the organisation by an employee or perpetrated on the organisation
        Either/Or:
            Discuss with your Line Manager/Head of Dept
            Discuss with Head of HR/Director of Finance
        If suspicions appear well grounded, Dept Head or Head of HR tells the DoF
        DoF records details immediately in a log (Fraud and other illegal acts log; log reviewed by Audit Cttee)
        DoF considers need to inform Chief Internal Auditor and/or Chief Exec, External Auditor and Police
        Where applicable DoF to initiate action to end loss, and correct any weaknesses in controls or supervision
        To Chart 2

    The director of finance will normally inform the chief internal auditor at the first opportunity. While the director of finance will retain overall responsibility, responsibility for leading any investigation will be delegated to the chief internal auditor.

    CHIEF INTERNAL AUDITOR

    The chief internal auditor will:

        initiate a diary of events to record the progress of the investigation throughout;
        agree the objectives, scope and timescale of the investigation and resources required with the director of finance at the outset of the investigation;
        ensure that proper records of each investigation are kept from the outset, including accurate notes of when, where and from whom evidence was obtained and by whom.

    HEAD OF HUMAN RESOURCES

    Where a member of staff is to be interviewed or disciplined, the director of finance and/or chief internal auditor will consult with, and take advice from, the head of human resources.

    The head of human resources will advise those involved in the investigation in matters of employment law, company policy and other procedural matters (such as disciplinary or complaints procedures) as necessary.

    LINE AND OTHER MANAGERS

    If, in accordance with the company's whistle-blowing policy, a member of staff raises a concern with their line manager, head of department or the head of human resources, the details must be immediately passed to the director of finance for investigation.

    STAFF

    All staff have a responsibility to protect the assets of the company, including information and goodwill as well as property.

    5. OBJECTIVES WITH RESPECT TO FRAUD

    See Chart 2 Managing the Investigation

    Investigations will try to establish at an early stage whether it appears that a criminal act has taken place. This will shape the way that the investigation is handled and determine the likely outcome and course of action.

    If it appears that a criminal act has not taken place, an internal investigation will be undertaken to:

        determine the facts;
        consider what, if any, action should be taken against those involved;
        consider what may be done to recover any loss incurred; and
        identify any system weakness and look at how internal controls could be improved to prevent a recurrence.

    The chief internal auditor will present the findings of his investigation to the director of finance, who will make the necessary decisions and maintain a record of the subsequent actions in relation to closing the case. Once concluded, details of such cases will be reported to the audit committee on an annual basis for information.


    Where an investigation involves a member of staff and it is determined that no criminal act has taken p


    Chart 2 Managing the Investigation

    (Flowchart; the boxes recovered from this page read:)
        From Chart 1
        DoF appoints Chief Internal Auditor to oversee and start investigation
        Either: No case to answer
        Initiate dismissal