
Upload: hoangdien

Post on 24-Aug-2018


TRANSCRIPT

An anti-fraud strategy
An effective anti-fraud strategy in fact has four main components:
• prevention
• detection
• deterrence
• response.

• Minimising the risk of fraud (e.g. fraud policy statements, effective recruitment policies and good internal controls, such as approval procedures and separation of functions, especially over procurement and cash).

CIMA. The future of business.1

Fraud prevention
Based on the earlier discussion around why people commit fraud, it would seem that one of the most effective ways to deal with the problem of fraud is to adopt methods that will decrease motive, restrict opportunity and limit the ability for potential fraudsters to rationalise their actions. In the case of deliberate acts of fraud, the aim of preventative controls is to reduce opportunity and remove temptation from potential offenders.

Prevention techniques include:
1. the introduction of policies
2. procedures and controls
3. activities such as training and fraud awareness to stop fraud from occurring.

It is profitable to prevent losses, and fraud prevention activities can help to ensure the stability and continued existence of a business.

Q: NOV 2008 P3, Question 5

Fraud detection
As fraud prevention techniques may not stop all potential perpetrators, organisations should ensure that systems are in place that will highlight occurrences of fraud in a timely manner. This is achieved through fraud detection.

A fraud detection strategy should involve use of analytical and other procedures to highlight anomalies, and the introduction of reporting mechanisms that provide for communication of suspected fraudulent acts. Key elements of a comprehensive fraud detection system would include:
1. exception reporting
2. data mining
3. trend analysis and
4. ongoing risk assessment.

Fraud detection may highlight ongoing frauds that are taking place or offences that have already happened. Such schemes may not be affected by the introduction of prevention techniques and, even if the fraudsters are hindered in the future, recovery of historical losses will only be possible through fraud detection. Potential recovery of losses is not the only objective of a detection programme though, and fraudulent behaviour should not be ignored just because there may be no recovery of losses. Fraud detection also allows for the improvement of internal systems and controls. Many frauds exploit deficiencies in control systems. Through detection of such frauds, controls can be tightened, making it more difficult for potential perpetrators to act.

Fraud prevention and fraud detection both have a role to play and it is unlikely that either will fully succeed without the other. Therefore, it is important that organisations consider both fraud prevention and fraud detection in designing an effective strategy to manage the risk of fraud.
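As an added illustration that is not part of the CIMA slides, the script below implements two of the detection elements listed above, exception reporting and trend analysis, against the separation-of-functions control over procurement mentioned at the start of the deck. The purchase orders, user names, vendors and the 3x spend threshold are all constructed for the example.

```python
"""Exception reporting and trend analysis over a constructed procurement log."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    month: str                 # "YYYY-MM"
    vendor: str
    amount: float
    raised_by: str
    approved_by: Optional[str]  # None = paid with no approval record


# Constructed sample data (not real transactions). Most orders are routine;
# the April orders carry the control weaknesses the report should surface.
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "2024-01", "Acme Supplies", 1200.0, "alice", "dave"),
    PurchaseOrder("PO-1002", "2024-01", "Northwind Ltd", 800.0, "bob", "dave"),
    PurchaseOrder("PO-1003", "2024-02", "Acme Supplies", 1100.0, "alice", "dave"),
    PurchaseOrder("PO-1004", "2024-02", "Northwind Ltd", 950.0, "bob", "erin"),
    PurchaseOrder("PO-1005", "2024-03", "Acme Supplies", 1300.0, "alice", "dave"),
    PurchaseOrder("PO-1006", "2024-03", "Northwind Ltd", 900.0, "bob", "erin"),
    PurchaseOrder("PO-1007", "2024-04", "Northwind Ltd", 4900.0, "bob", "bob"),   # self-approved
    PurchaseOrder("PO-1008", "2024-04", "Northwind Ltd", 4700.0, "bob", None),    # no approval
    PurchaseOrder("PO-1009", "2024-04", "Acme Supplies", 1250.0, "alice", "dave"),
]


def segregation_exceptions(orders):
    """Exception report: orders that bypass the approval procedure, either
    because nobody approved them or because the raiser approved their own order."""
    findings = []
    for po in orders:
        if po.approved_by is None:
            findings.append((po.po_id, "paid without approval record"))
        elif po.approved_by == po.raised_by:
            findings.append((po.po_id, "raised and approved by the same user"))
    return findings


def vendor_spend_by_month(orders):
    """Aggregate order amounts per vendor per month."""
    spend = defaultdict(lambda: defaultdict(float))
    for po in orders:
        spend[po.vendor][po.month] += po.amount
    return spend


def trend_exceptions(orders, factor=3.0, min_history=3):
    """Trend analysis: flag a vendor-month whose spend exceeds `factor` times the
    mean of that vendor's earlier months, once at least `min_history` months exist.
    Returns (vendor, month, spend, baseline_mean) tuples."""
    findings = []
    for vendor, months in vendor_spend_by_month(orders).items():
        history = []
        for month in sorted(months):
            total = months[month]
            if len(history) >= min_history and total > factor * mean(history):
                findings.append((vendor, month, round(total, 2), round(mean(history), 2)))
            history.append(total)
    return findings


if __name__ == "__main__":
    for po_id, reason in segregation_exceptions(SAMPLE_ORDERS):
        print(f"EXCEPTION {po_id}: {reason}")
    for vendor, month, total, baseline in trend_exceptions(SAMPLE_ORDERS):
        print(f"TREND {vendor} {month}: {total} vs baseline {baseline}")
```

On the sample data the report flags PO-1007 and PO-1008 as segregation exceptions and the Northwind Ltd April spend (9600 against a baseline of about 883) as a trend anomaly; a real run would read orders from the purchase ledger instead of the embedded list.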


• The principles of good corporate governance for listed companies, for the review of the internal control system and reporting on compliance.

Overview
An organisation can be viewed as consisting of corporate governance processes on the one hand (a so-called framework of accountability) and value-creating activities such as strategic decision-making on the other.

Both elements are necessary, since focusing on performance without having adequate checks and balances is like building on sand.


Broad Definition
In A Board Culture of Corporate Governance, business author Gabrielle O'Donovan defines corporate governance as

'an internal system encompassing policies, processes and people, which serves the needs of shareholders and other stakeholders, by directing and controlling management activities with good business savvy, objectivity and integrity. Sound corporate governance is reliant on external marketplace commitment and legislation, plus a healthy board culture which safeguards policies and processes'.

O'Donovan goes on to say that

'the perceived quality of a company's corporate governance can influence its share price as well as the cost of raising capital. Quality is determined by the financial markets, legislation and other external market forces plus the international organisational environment; how policies and processes are implemented and how people are led.'

CIMA Official Terminology, 2005

'The system by which companies and other entities are directed and controlled. The boards of directors are responsible for the governance of their companies and other entities.

The shareholders’ role in governance is to appoint the directors and the auditors, and to satisfy themselves that an appropriate governance structure is in place.

The responsibilities of the board include:
• setting the company’s (or entity’s) strategic aims,
• providing the leadership to put them into effect,
• supervising the management of the company (or entity) and
• reporting to shareholders on their stewardship.

The board’s actions are subject to laws, regulations and the shareholders in general meeting.'

Concept
Corporate governance (from the Combined Code) typically covers the following areas:

• the board of directors – its composition and role, appointments, performance

• executive remuneration

• financial reporting and internal control – including mechanisms such as audit committees to ensure that the board fulfils its responsibilities in these areas

• relations with shareholders, plus shareholder rights and responsibilities.


Boards of directors

• The role of the board.
• Frequency of meetings.
• Whether the role of chairman and chief executive should be split.
• The overall size of the board.
• The balance of the board between non-executive and executive directors.
• The proportion of non-executive directors who should be independent.
• Procedures for board appointments and re-election, including nominations committees.
• Evaluation of board performance.

Q: Nov. 2008 P3, Question 4

Executive remuneration
• Remuneration policy, contracts and compensation.
• Procedures for determining remuneration, including remuneration committees.

Financial reporting and internal control
• The board’s responsibility for presenting information to shareholders.
• Maintenance of a sound system of internal control.
• The need for an audit committee or equivalent and its role.

What does the audit committee do? The audit committee helps the board of directors to fulfil its stewardship duty by monitoring and reviewing the system of internal controls and risk management; internal and external audit; and the financial information provided to shareholders. It oversees the relationship between the external auditors and the company, assesses the effectiveness of these auditors every year and makes recommendations to the board concerning their appointment or removal.

Shareholder relations
• Responsibility for maintaining dialogue with shareholders.
• The use of the Annual General Meeting.
• Responsibilities of institutional/major shareholders.
• Rights of minority shareholders.

• Audit Committee
• Other Committees
  • Remuneration Committee
  • Nominations Committee
  • Risk Management (Board Level)
  • Others that the BOD deemed fit

Q: Nov. 2007 P3, Question 5

The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as:
• auditor independence,
• corporate governance,
• internal control assessment, and
• enhanced financial disclosure.

Smith Report
The Smith Report was a report on corporate governance submitted to the UK government in 2003. It was concerned with the independence of auditors in the wake of the collapse of Arthur Andersen and the Enron scandal in the US in 2002. Its recommendations now form part of the Combined Code on corporate governance, applicable through the Listing Rules for the London Stock Exchange. It was substantially influenced by the views taken by the EU Commission. One important point was that an auditor himself should look at whether a company's corporate governance structure provides safeguards to preserve his own independence.

Higgs report
Review of the role and effectiveness of non-executive directors (or the "Higgs review") was a report chaired by Derek Higgs on corporate governance, commissioned by the UK government and published on 20 January 2003. It reviewed the role and effectiveness of non-executive directors and of the audit committee, aiming at improving and strengthening the existing Combined Code. There was widespread unrest after the scandals in the US, involving Enron, WorldCom and Tyco. The US opted for legislation under the Sarbanes-Oxley Act. Higgs strongly backed the existing non-prescriptive approach to corporate governance: "comply or explain". Yet he advocated more provisions, with more stringent criteria for board composition and the evaluation of independent directors. He wanted to remove some of the discretion that the Code allowed.

The Turnbull Report: Recommendations for internal control

Internal Control requirements of the Combined Code
When the Combined Code of the Committee on Corporate Governance (the Code) was published, the Institute of Chartered Accountants in England & Wales agreed with the London Stock Exchange that it would provide guidance to assist listed companies to implement the requirements in the Code relating to internal control.

Principle D.2 of the Code states that ‘The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets’. Provision D.2.1 states that ‘The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management’. Provision D.2.2 states that ‘Companies which do not have an internal audit function should from time to time review the need for one’.

A company that has not complied with the Code provisions, or complied with only some of the Code provisions or (in the case of provisions whose requirements are of a continuing nature) complied for only part of an accounting period, must specify the Code provisions with which it has not complied,

Q: Nov. 2005 P3, Question 5

• Application of the CIMA Code of Ethics for Professional Accountants to the resolution of ethical conflicts in the context of discoveries made in the course of internal review, especially section 210.

Ethical theories of Absolutism and Relativism
Absolutism and relativism represent two extreme positions of ethical assumptions.

Definitions
An absolutist assumption is one that believes that there are ‘eternal’ rules that should guide all ethical and moral decision making in all situations. Accordingly, in any given situation, there is likely to be one right course of action regardless of the outcome. An absolutist believes that this should be chosen regardless of the consequences or the cost. A dogmatic approach to morality is an example of an absolutist approach to ethics. A dogmatic assumption is one that is accepted without discussion or debate.

Relativist assumptions are ‘situational’ in nature. Rather than arguing that there is a single right choice, a relativist will tend to adopt a pragmatic approach and decide, in the light of the situation being considered, which is the best outcome. This will involve a decision on what outcome is the most favourable and that is a matter of personal judgment.


When faced with any question on ethics, appreciate that any actions proposed to solve a dilemma must accord with the five fundamental principles laid down by CIMA for the ethical conduct of its members and students.

The principles – integrity, objectivity, confidentiality, professional behaviour and professional competence, and due care – are drawn from the IFAC code of ethics, which all accountancy bodies affiliated to IFAC use as the basis for their codes.

An overall approach should first ensure that the solution is legal, bearing in mind all relevant regulations. Second, it should be in line with CIMA’s fundamental ethical principles.

Analyse the situation. Most ethics questions are presented as “A asks B to do C, which is in breach of D”. B will probably be you or someone who has come to you for advice and A will probably be a senior manager or boss. You can take it that D is your institute’s ethical principles or some similar code of conduct that B should follow. As accountants, our codes of ethics always take precedence over any corporate code that might apply to our status as an employee. There shouldn’t be a clash, but our professional codes come first if there is one.

Identify the ethical principles involved. Your main reference guide should be the code that governs your conduct as a CIMA student and, hopefully, a future member. Most scenarios will cover a number of ethical principles. Typically, these will involve confidentiality (are you being asked to disclose client information?), integrity (are you being asked to give false or misleading information?) or objectivity (are you under economic pressure from your boss or personal pressure from a friend or relative?)


Identify the available courses of action. There will usually be more than one. Think widely – the more points you can make, the more marks you can earn, as long as your suggestions are practical.

Analyse the consequences of each option. Think clearly and logically about what the outcomes would be if you were to make the choices you have identified.

Make your recommendation. If a report is called for, provide one. Even if it’s not specifically required, the report format can be a useful way to present your answer. (And always remember the other golden rule: never recommend anything that will break the law or any of the fundamental principles of CIMA’s code of ethics.)

Common Threats and Safeguards

Threats to independence
• Self-interest threat
• Self-review threat
• Advocacy threat
• Familiarity threat
• Intimidation threat

Safeguards
• By profession
• By audit firm
• By assurance client

1. evaluate the benefits and risks associated with information-related systems.

(a) advise managers on the development of information management (IM), information systems (IS) and information technology (IT) strategies that support management and internal control requirements;

(b) evaluate IS/IT systems appropriate to an organisation’s needs for operational and control information;

(c) evaluate benefits and risks in the structuring and organisation of the IS/IT function and its integration with the rest of the business;

(d) recommend improvements to the control of IS;

(e) evaluate specific problems and opportunities associated with the audit and control of systems which use IT.

RISK AND CONTROL IN INFORMATION SYSTEMS

• The importance and characteristics of information for organisations and the use of cost-benefit analysis to assess its value.

• The purpose and content of IM, IS and IT strategies, and their role in performance management and internal control.

An information strategy is:
'...a management tool linking the delivery of the organisation’s mission to the overall information resource.’ (JISC, 1998)
'... a strategic planning framework for the delivery, use and management of information.’ (CIPFA, 2001)

An information strategy is a high level strategic plan for managing an organisation’s information and knowledge resources. It is underpinned by an information policy. Elizabeth Orna, a leading writer on information strategy, stresses that the information policy stems from a clear understanding of the organisation’s strategic objectives, and the information resources required to achieve those objectives.

The information strategy puts the information policy into practice by setting out aims/objectives, actions to achieve them, and targets/deadlines. It is developed and implemented in stages, and must be periodically reviewed.

Benefits of having an information strategy include:

• decision making on investment in systems and IT is based on organisational strategy and user needs (rather than technology push or the latest trends)

• a strategy avoids wasting time on unnecessary activities, particularly users having to interpret information received in unsuitable formats

• a strategy also ensures an organisation meets its legal requirements, so avoiding unnecessary costs and risk to reputation

• properly managed information supports innovation, productivity and competitiveness

• information activities are unified, so fully contributing to organisational objectives

• a strategy encourages co-operation and openness between managers of information resources. This results in more effective use of the organisation’s information and in more innovation.

The CIMA Study Systems offer the following definitions:
• IS “determines the long-term information requirements of business”.
• IM “is concerned with methods by which information is stored”.
• IT “defines the specific systems that are required to satisfy the information needs”.

So, IS deals with what information we need to collect and why we need it; IM deals with how the information is made available to those who need it; and IT deals with how this information is transferred. This may mean collecting more information from inside the company or perhaps making more and/or better use of it. It may also mean identifying and/or gathering additional external information. Many people use IT as a generic term to cover all of the above.

• Data collection and IT systems that deliver information to different levels in the organisation

• The potential ways of organising the IT function (e.g. the use of steering committees, support centres for advice and help desk facilities, end user participation).

• Steering Committee/Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.

• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing

• Risks in IS/IT systems: erroneous input, unauthorised usage, imported virus infection, unlicensed use of software, theft, corruption of software, etc.

IT and data risk
• Unauthorised access to systems by employees or external attackers.
• The wealth of malicious codes and tools available to attackers.
• Rapid changes in information technology.
• Users not adopting good computer security practices, e.g. sharing or displaying passwords.
• Unauthorised electronic transfer of funds or other assets.

• Risks and benefits of Internet and Intranet use by an organisation.

An intranet is a private network that is contained within an enterprise. An intranet in general looks like the Internet but is only accessible by people within the organization. The general public cannot access the intranet. The main purpose of an intranet is to share company information and computing resources among employees.

Most people and organizations inherently know and understand the value of telephone systems. In many ways, intranets are like telephones – they assist us in accomplishing mission-critical work all the time.

An intranet can also be used to facilitate working in groups and for teleconferences. Increasingly, intranets are being used to deliver tools and applications such as collaboration or sophisticated corporate directories, sales and CRM tools, project management etc., to advance productivity. Intranets are also being used as culture change platforms. For example, large numbers of employees discussing key issues in an online forum could lead to new ideas.

• Controls which can be designed into an information system, particularly one using IT (e.g. security, integrity and contingency controls).

The control recommendation process will involve choosing among a combination of:
1. technical,
2. management, and
3. operational controls for improving the organization’s security posture.

• Support. Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls. Supporting controls are, by their very nature, pervasive and interrelated with many other controls. The supporting controls are as follows:
  • Identification. This control provides the ability to uniquely identify users, processes, and information resources. To implement other security controls (e.g., discretionary access control [DAC], mandatory access control [MAC], accountability), it is essential that both subjects and objects be identifiable.
  • Cryptographic Key Management. Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and maintenance.
  • Security Administration. The security features of an IT system must be configured (e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes in the operational environment. System security can be built into operating system security or the application. Commercial off-the-shelf add-on security products are available.
  • System Protections. Underlying a system’s various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from the perspective both of the design processes used and of the manner in which the implementation was accomplished. Some examples of system protections are residual information protection (also known as object reuse), least privilege (or “need to know”), process separation, modularity, layering, and minimization of what needs to be trusted