Saturday, September 14, 2019

Fraud Risk Management

Fraud risk management: a guide to good practice

This guide is based on the first edition of Fraud Risk Management: A Guide to Good Practice. The first edition was prepared by a Fraud and Risk Management Working Group, which was established to look at ways of helping management accountants to be more effective in countering fraud and managing risk in their organisations.

This second edition of Fraud Risk Management: A Guide to Good Practice has been updated by Helenne Doody, a specialist within CIMA Innovation and Development. Helenne specialises in fraud risk management, having worked in related fields for the past nine years, both in the UK and other countries. Helenne also has a graduate certificate in Fraud Investigation through La Trobe University in Australia and a graduate certificate in Fraud Management through the University of Teesside in the UK.

For their contributions in updating the guide to produce this second edition, CIMA would like to thank:
Martin Birch FCMA, MBA, Director – Finance and Information Management, Christian Aid.
Roy Katzenberg, Chief Financial Officer, RITC Syndicate Management Limited.
Judy Finn, Senior Lecturer, Southampton Solent University.
Dr Stephen Hill, E-crime and Fraud Manager, Chantrey Vellacott DFK.
Richard Sharp BSc, FCMA, MBA, Assistant Finance Director (Governance), Kingston Hospital NHS Trust.
Allan McDonagh, Managing Director, Hibis Europe Ltd.
Martin Robinson and Mia Campbell on behalf of the Fraud Advisory Panel.
CIMA would like also to thank those who contributed to the first edition of the guide.

About CIMA

CIMA, the Chartered Institute of Management Accountants, is the only international accountancy body with a key focus on business. It is a world leading professional institute that offers an internationally recognised qualification in management accounting, with a full focus on business, in both the private and public sectors.
With 164,000 members and students in 161 countries, CIMA is committed to upholding the highest ethical and professional standards of its members and students.

© CIMA 2008. All rights reserved. This booklet does not necessarily represent the views of the Council of the Institute and no responsibility for loss associated to any person acting or refraining from acting as a result of any material in this publication can be accepted by the authors or publishers.

Contents

Introduction

1 Fraud – its extent, patterns and causes
1.1 What is fraud?
1.2 The scale of the problem
1.3 Which businesses are affected?
1.4 Why do people commit fraud?
1.5 Who commits fraud?
1.6 Summary

2 Risk management – an overview
2.1 What is risk management?
2.2 Corporate governance
2.3 The risk management cycle
2.4 Establish a risk management group and set goals
2.5 Identify risk areas
2.6 Understand and assess the scale of risk
2.7 Develop a risk response strategy
2.8 Implement the strategy and allocate responsibilities
2.9 Implement and monitor suggested controls
2.10 Review and refine and do it again
2.11 Information for decision making
2.12 Summary

3 Fraud prevention
3.1 A strategy to combat fraud
3.2 Developing a sound ethical culture
3.3 Sound internal control systems
3.4 Summary

4 Fraud detection
4.1 Detection methods
4.2 Indicators and warnings
4.3 Tools and techniques
4.4 Summary

5 Responding to fraud
5.1 Purpose of the fraud response plan
5.2 Corporate policy
5.3 Definition of fraud
5.4 Roles and responsibilities
5.5 The response
5.6 The investigation
5.7 Organisation’s objectives with respect to dealing with fraud
5.8 Follow-up action
5.9 Summary

Appendices
Appendix 1 Fraud and the law
Appendix 2 Examples of common types of internal fraud
Appendix 3 Example of a risk analysis
Appendix 4 A sample fraud policy
Appendix 5 Sample whistleblowing policy
Appendix 6 Examples of fraud indicators, risks and controls
Appendix 7 A 16 step fraud prevention plan
Appendix 8 Outline fraud response plan
Appendix 9 Example of a fraud response plan
Appendix 10 References and further reading
Appendix 11 Listed abbreviations

Figures
Figure 1 Types of internal fraud
Figure 2 The fraud triangle
Figure 3 The CIMA risk management cycle
Figure 4 Anti-fraud strategy
Figure 5 Ethics advice/services provided
Figure 6 Methods of fraud detection

Case studies
Case study 1 Fraud doesn’t involve just money
Case study 2 Size really doesn’t matter
Case study 3 A breach of trust
Case study 4 Management risk
Case study 5 A fine warning
Case study 6 Vet or regret?
Case study 7 Tipped off
Case study 8 Risk or returns
Case study 9 Reporting fraud
Case study 10 TNT roots out fraud
Introduction

Periodically, the latest major fraud hits the headlines as other organisations sit back and watch, telling themselves that ‘it couldn’t happen here.’ But the reality is that fraud can happen anywhere. While only relatively few major frauds are picked up by the media, huge sums are lost by all kinds of businesses as a result of the high number of smaller frauds that are committed.

Surveys are regularly carried out in an attempt to estimate the true scale and cost of fraud to business and society. Findings vary, and it is difficult to obtain a complete picture as to the full extent of the issue, but these surveys all indicate that fraud is prevalent within organisations and remains a serious and costly problem. The risks of fraud may only be increasing, as we see growing globalisation, more competitive markets, rapid developments in technology, and periods of economic difficulty. Among other findings, the various surveys highlight that:
• organisations may be losing as much as 7% of their annual turnover as a result of fraud
• corruption is estimated to cost the global economy about $1.5 trillion each year
• only a small percentage of losses from fraud are recovered by organisations
• a high percentage of frauds are committed by senior management and executives
• greed is one of the main motivators for committing fraud
• fraudsters often work in the finance function
• fraud losses are not restricted to a particular sector or country
• the prevalence of fraud is increasing in emerging markets.

Despite the serious risk that fraud presents to business, many organisations still do not have formal systems and procedures in place to prevent, detect and respond to fraud. While no system is completely foolproof, there are steps which can be taken to deter fraud and make it much less attractive to commit. It is in assisting organisations in taking such steps that this guide should prove valuable.

The original guide to good practice was based on the work of CIMA’s Fraud and Risk Management Working Group that was established as part of the Institute’s response to the problem of fraud. Since the publication of the original guide, we have continued to see high profile accounting scandals and unacceptable levels of fraudulent behaviour. This second edition of the guide includes updates to reflect the many changes in the legal environment and governance agenda in recent years, aimed at tackling the ongoing problem of fraud.

The guide starts by defining fraud and giving an overview of the extent of fraud, its causes and its effects. The initial chapters of the guide also set out the legal environment with respect to fraud, corporate governance requirements and general risk management principles. The guide goes on to discuss the key components of an anti-fraud strategy and outlines methods for preventing, detecting and responding to fraud. A number of case studies are included throughout the guide to support the text, demonstrating real life problems that fraud presents and giving examples of actions organisations are taking to fight fraud.

Management accountants, whose professional training includes the analysis of information and systems, can have a significant role to play in the development and implementation of anti-fraud measures within their organisations. This guide is intended to help management accountants in that role and will also be useful to others with an interest in tackling fraud in their organisation.

The law relating to fraud varies from country to country. Where it is necessary for this guide to make reference to specific legal measures, this is generally to UK law, as it would be impossible to include references to the laws of all countries where this guide will be read. It is strongly advised that readers ensure they are familiar with the law relating to fraud in their own jurisdiction.
Although some references may therefore not be relevant to all readers, the general principles of fraud risk management will still apply and organisations around the world are encouraged to take a more stringent approach to preventing, detecting and responding to fraud.

1 Fraud: its extent, patterns and causes

1.1 What is fraud?

Definition of fraud

The term ‘fraud’ commonly includes activities such as theft, corruption, conspiracy, embezzlement, money laundering, bribery and extortion. The legal definition varies from country to country, and it is only since the introduction of the Fraud Act in 2006 that there has been a legal definition of fraud in England and Wales. Fraud essentially involves using deception to dishonestly make a personal gain for oneself and/or create a loss for another. Although definitions vary, most are based around these general themes.

Fraud and the law

Before the Fraud Act came into force, related offences were scattered about in many areas of the law. The Theft Acts of 1968 and 1978 created offences of false accounting, and obtaining goods, money and services by deception, and the Companies Act 1985 included the offence of fraudulent trading. This remains part of the Companies Act 2006. There are also offences of fraud under income tax and value-added tax legislation, insolvency legislation, and the common law offence of conspiracy to defraud.

The Fraud Act is not the only new piece of legislation. Over the last few years there have been many changes to the legal system with regard to fraud, both in the UK and internationally. This guide focuses mainly on UK requirements, but touches on international requirements that impact UK organisations. In the UK, the Companies Act and the Public Interest Disclosure Act (PIDA) have been amended and legislation such as the Serious Crime Act 2007 and the Proceeds of Crime Act 2002 (POCA) have been introduced. Internationally the Sarbanes-Oxley Act 2002 (Sarbox) has been introduced in the United States (US), a major piece of legislation that affects not only companies in the US but also those in the UK and others based all over the globe. Further information on these pieces of legislation can be found in Appendix 1.

As well as updating the legislation in the UK, there have been, and will continue to be, significant developments in the national approach to combating fraud, particularly as we see implementation of actions resulting from the national Fraud Review. Appendix 1 gives further information on the Fraud Review. There are also many law enforcement agencies involved in the fight against fraud in the UK, including the Serious Fraud Office, the Serious Organised Crime Agency (SOCA), the Financial Services Authority (FSA), and Economic Crime Units within the police force.

Different types of fraud

Fraud can mean many things and result from many varied relationships between offenders and victims. Examples of fraud include:
• crimes by individuals against consumers, clients or other business people, e.g. misrepresentation of the quality of goods; pyramid trading schemes
• employee fraud against employers, e.g. payroll fraud; falsifying expense claims; thefts of cash, assets or intellectual property (IP); false accounting
• crimes by businesses against investors, consumers and employees, e.g. financial statement fraud; selling counterfeit goods as genuine ones; not paying over tax or National Insurance contributions paid by staff
• crimes against financial institutions, e.g. using lost and stolen credit cards; cheque frauds; fraudulent insurance claims
• crimes by individuals or businesses against government, e.g. grant fraud; social security benefit claim frauds; tax evasion
• crimes by professional criminals against major organisations, e.g. major counterfeiting rings; mortgage frauds; ‘advance fee’ frauds; corporate identity fraud; money laundering
• e-crime by people using computers and technology to commit crimes, e.g. phishing; spamming; copyright crimes; hacking; social engineering frauds.

This guide focuses on fraud against businesses, typically by those internal to the organisation. According to the Association of Certified Fraud Examiners (ACFE), there are three main categories of fraud that affect organisations. The first of these is asset misappropriation, which involves the theft or misuse of an organisation’s assets. Examples include theft of plant, inventory or cash, false invoicing, accounts receivable fraud, and payroll fraud.

The second category of fraud is fraudulent statements. This is usually in the form of falsification of financial statements in order to obtain some form of improper benefit. It also includes falsifying documents such as employee credentials.

The final of the three fraud categories is corruption. This includes activities such as the use of bribes or acceptance of ‘kickbacks’, improper use of confidential information, conflicts of interest and collusive tendering. These types of internal fraud are summarised in Figure 1.

Figure 1 Types of internal fraud
Internal fraud is divided into asset misappropriation (cash; non-cash), fraudulent statements (financial; non-financial) and corruption (conflicts of interest; bribery and extortion).

Surveys have shown that asset misappropriation is the most widely reported type of fraud in the UK, although corruption and bribery are growing the most rapidly. Further information on common types of internal fraud, and methods by which they may be perpetrated, is included in Appendix 2.

1.2 The scale of the problem

There have been many attempts to measure the true extent of fraud, but compiling reliable statistics around fraud is not easy.
As one of the key aspects of fraud is deception, it can be difficult to identify, and survey results often only reflect the instances of fraud that have actually been discovered. It is estimated that the majority of frauds go undetected and, even when a fraud has been found, it may not be reported. One reason for this may be that a company that has been a victim of fraud does not want to risk negative publicity. Also, it is often hard to distinguish fraud from carelessness and poor record keeping.

Although survey results and research may not give a complete picture, the various statistics do offer a useful indication as to the extent of the problem. There can be no doubt that fraud is prevalent within organisations and remains a serious issue.

PricewaterhouseCoopers’ Global Economic Crime Survey (PwC’s survey) in 2007 found that over 43% of international businesses were victims of fraud during the previous two years. In the UK, the figures were higher than the global average, with 48% of companies having fallen victim to fraud. Some surveys put the figures much higher. For example, during 2008, Kroll commissioned the Economist Intelligence Unit (EIU) to poll nearly 900 senior executives across the world. The EIU found that 85% of companies had suffered from at least one fraud in the past three years [1]. This figure had risen from 80% in a similar poll in 2007. KPMG’s Fraud Barometer, which has been running since 1987, has also shown a considerable increase in the number of frauds committed in the UK in recent years, including a 50% rise in fraud cases in the first half of 2008.

According to the UK report of PwC’s survey, the average direct loss per company over a two year period as a result of fraud has risen to £1.75 million, increasing from £0.8 million in the equivalent 2005 survey. These figures exclude undetected losses and indirect costs to the business such as management costs or damage to reputation, which can be significant. Management costs alone were estimated to be on average another £0.75 million. Participants of the ACFE Report to the Nation 2008 (ACFE report) estimated that organisations lose 7% of their annual revenues to fraud.

It is difficult to put a total cost on fraud, although many studies have tried to. For example, an independent report by the Association of Chief Police Officers (ACPO) in 2007 revealed that fraud results in losses of £20 billion each year in the UK. The World Bank has estimated that the global cost of corruption and bribery is about 5% of the value of the world economy, or about $1.5 trillion per year. It is thought that these estimates are conservative, and they also exclude other types of fraud such as misappropriation of assets. While it may be impossible to calculate the total cost of fraud, it is said to be more significant than the total cost of most other crimes. According to the Attorney General in the UK, fraud is an area of crime which is second only to drug trafficking in terms of causing harm to the economy and society [2].

1 Kroll Global Fraud Report, Annual Edition 2008/2009
2 Attorney General’s interim report on the government’s Fraud Review, March 2006

Case study 1 Fraud doesn’t just involve money

Counterfeiting is one example of fraud that can have extremely serious consequences. Technology is ever improving, making it easier for counterfeiters to produce realistic looking packaging and fool legitimate wholesalers and retailers. Counterfeiting is a potentially lucrative business for the fraudster, with possibilities of large commercial profits, and it is a problem affecting a wide range of industries including wines and spirits, pharmaceuticals, electrical goods, and fashion.
However, there are often many victims affected by such a fraud and not just the business that has been duped or had their brand exploited. For some, the outcome of counterfeiting goes way beyond financial losses and can even be fatal:
• In late 2006, 14 Siberian towns declared a state of emergency due to mass poisonings caused by fake vodka. Around 900 people were hospitalised with liver failure after drinking industrial solvent that was being sold as vodka. This is not a one off problem and sales of fake alcohol have been known to kill people.
• Also in 2006, a counterfeit product did result in more tragic consequences. At least 100 children died after ingesting cough syrup that had been mixed with counterfeit glycerine. The counterfeit compound, actually a dangerous solvent, had been used in place of more expensive glycerine. The manufacturing process had been sourced to China and the syrup passed through trading companies in Beijing and Barcelona before reaching its final destination in Panama. The certificate attesting to the product’s purity was falsified and not one of the trading companies tested the syrup to confirm its contents along the way. It is thought that the number of deaths is likely to be much higher than the 100 cases that have been confirmed.

Fraud is often mistakenly considered a victimless crime. However, fraud can have considerable social and psychological effects on individuals, businesses and society. For example, when a fraud causes the collapse of a major company, numerous individuals and businesses can be affected. In addition to the company’s own employees, employees of suppliers can be affected by the loss of large orders, and other creditors, such as banks, can be indirectly affected by huge losses on loans. Consumers have to pay a premium for goods and services, in order to compensate for the costs of fraud losses and for money spent on investigations and additional security. Taxpayers also suffer due to reduced payments of corporation tax from businesses that have suffered losses. Fraud drains resources, affects public services and, perhaps of more concern, may fund other criminal and terrorist activity. According to the Fraud Review, fraud is a major and growing threat to public safety and prosperity. Case study 1 demonstrates just how much of a threat fraud can be to public safety and that there truly are victims of fraud.

1.3 Which businesses are affected?

Fraud is an issue that all organisations may face regardless of size, industry or country. If the organisation has valuable property (cash, goods, information or services), then fraud may be attempted. It is often high profile frauds in large multi-national organisations that are reported on in the media, and smaller organisations may feel they are unlikely to be a target of fraudsters. However, according to the ACFE report, small businesses (classified as those with fewer than 100 employees) suffer fraud more frequently than large organisations and are hit by higher average losses. When small companies are hit by large fraud losses, they are less likely to be able to absorb the damage than a larger company and may even go out of business as a result.

The results of PwC’s survey showed that companies reporting fraud were spread across many industries, with at least a quarter of the respondents in any one industry suffering from fraudulent incidents. Industries suffering the highest average losses were insurance and industrial manufacturing. Losses in the financial services industry, a sector frequently in the press and one with which fraud is often associated, were actually below average.
Even not-for-profi t organisations are not immune to fraud, with government institutions nd many charities falling victim to unscrupulous fraudsters. As one director working in the international development and aid sector has pointed out, ‘In my sector, fraud is not a possibility, it is a reality and we are always dealing with a number of suspicious incidents on a more or less permanent basis. ’ PwC’s survey also revealed that incidences of fraud were highest in companies in North America, Africa and Central and Eastern Europe (CEE), where more than half of the companies reported fraud. It was lowest in the Western European region, although the UK was uch higher than the average for this region, with l evels of fraud similar to those in CEE. The EIU poll commissioned by Kroll in 2007 found that respondents in countries such as India and China have seen a signifi cant increase in the prevalence of corporate fraud in the last three years and this trend is likely to increase in businesses operating in emerging markets3. Although fraud is prevalent across organisations of all sizes and in all sectors and locations, research shows that certain business models will involve greater levels of fraud risk than others. The control environment hould be adjusted to fi t with the degree of risk exposure. Further guidance on risk assessment and controls is given in later chapters. 3 Kroll Global Fraud Report, Annual Edition 2007/2008 Fraud risk management: a guide to good practice 12 Case study 2 Size really doesn’t matter From a family affair†¦ A member of a small family business in Australia committed a $2m fraud, costing profi ts, jobs and a great deal of trust. The business owner s became suspicious when they realised that their son in law used the company diesel card to buy petrol for his own car.On closer scrutiny, they soon uncovered a company cheque for $80,000 made payable to the son in law’s personal account. 
BDO’s Brisbane office discovered that the cheque and the fuel were just the tip of a vast iceberg. The company’s complex accounts system allowed the son in law to disguise cheques payable to himself as creditor payments. He then became a signatory and took ever larger cheques. He claimed that the poor cash flow was due to losses in one particular division which the family therefore closed, creating redundancies and losing what was in truth a successful business. The costs of inefficient accounting systems and undue trust can be massive. Every business should protect itself with thorough controls and vigilance.

Adapted from ‘FraudTrack 5 Fraud: A Global Challenge’ published by BDO Stoy Hayward

… to a major corporate scandal

WorldCom filed for bankruptcy protection in June 2002. It was the biggest corporate fraud in history, largely a result of treating operating expenses as capital expenditure. WorldCom (now renamed MCI) admitted in March 2004 that the total amount by which it had misled investors over the previous 10 years was almost US$75 billion (£?2 billion) and reduced its stated pre-tax profits for 2001 and 2002 by that amount. WorldCom stock began falling in late 1999 as businesses slashed spending on telecom services and equipment. A series of debt downgrades raised borrowing costs for the company, struggling with about US$32 billion in debt. WorldCom used accounting tricks to conceal a deteriorating financial condition and to inflate profits. Former WorldCom chief executive Bernie Ebbers resigned in April 2002 amid questions about US$366 million in personal loans from the company and a federal probe of its accounting practices. Ebbers was subsequently charged with conspiracy to commit securities fraud and filing misleading data with the Securities and Exchange Commission (SEC) and was sentenced to 25 years in prison. Scott Sullivan, former Chief Financial Officer, pleaded guilty to three criminal charges and was sentenced to five years in prison.

Ultimately, losses to WorldCom shareholders were close to US$180 billion and the fraud also resulted in the loss of 17,000 jobs. The SEC said that WorldCom had committed ‘accounting improprieties of unprecedented magnitude’ – proof, it said, of the need for reform in the regulation of corporate accounting.

Adapted from CIMA Official Learning System, Management Accounting Risk and Control Strategy

1.4 Why do people commit fraud?

There is no single reason behind fraud and any explanation of it needs to take account of various factors. Looking from the fraudster’s perspective, it is necessary to take account of:
• motivation of potential offenders
• conditions under which people can rationalise their prospective crimes away
• opportunities to commit crime(s)
• perceived suitability of targets for fraud
• technical ability of the fraudster
• expected and actual risk of discovery after the fraud has been carried out
• expectations of consequences of discovery (including non-penal consequences such as job loss and family stigma, proceeds of crime confiscation, and traditional criminal sanctions)
• actual consequences of discovery.

A common model that brings together a number of these aspects is the Fraud Triangle. This model is built on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity and rationalisation.

Motivation

In simple terms, motivation is typically based on either greed or need. Stoy Hayward’s (BDO) most recent FraudTrack survey found that greed continues to be the main cause of fraud, resulting in 63% of cases in 2007 where a cause was cited. Other causes cited included problems from debts and gambling. Many people are faced with the opportunity to commit fraud, and only a minority of the greedy and needy do so. Personality and temperament, including how frightened people are about the consequences of taking risks, play a role.
Some people with good objective principles can fall into bad company and develop tastes for the fast life, which tempts them to fraud. Others are tempted only when faced with ruin anyway.

Opportunity

In terms of opportunity, fraud is more likely in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies with regard to acceptable behaviour. Research has shown that some employees are totally honest, some are totally dishonest, but that many are swayed by opportunity.

Rationalisation

Many people obey the law because they believe in it and/or they are afraid of being shamed or rejected by people they care about if they are caught. However, some people may be able to rationalise fraudulent actions as:
• necessary – especially when done for the business
• harmless – because the victim is large enough to absorb the impact
• justified – because ‘the victim deserved it’ or ‘because I was mistreated.’

Figure 2 The fraud triangle: motivation, opportunity and rationalisation

Case study 3: A breach of trust

A good example of the fraud triangle in practice is the highly publicised case of the secretary that stole over £?.3 million from her bosses at Goldman Sachs.

Motivation

There were some suggestions that Joyti De-Laurey originally started down her fraudulent path because of financial difficulties she found herself in before starting work at the investment bank. De-Laurey had previously run her own sandwich bar business, but it was closed down due to insufficient finances. According to her defence, De-Laurey’s ‘first bitter experience of financial turmoil coincided with a novel introduction to a Dallas-type world where huge, unthinkable amounts of money stared her in the face, day in and day out.’

The motive behind the fraud was primarily greed though, with De-Laurey spending her ill gotten gains on a luxury lifestyle, including villas, cars, jewellery, designer clothes and first class holidays. De-Laurey has even admitted that she did not steal because she needed to, but because she could. She explained that she first started taking money simply to find out if she could get away with it. She says that it then became ‘a bit addictive’ and that she ‘got a huge buzz from knowing they had no idea what I was doing.’

Opportunity

In terms of opportunity, De-Laurey’s bosses trusted her and held her in high regard. She had proved herself indispensable, on both business and personal fronts, and was given access to their cheque books in order to settle their domestic bills and personal finances. A little over a year after starting at Goldman Sachs, De-Laurey began forging her bosses’ signatures on personal cheques to make payments into her own accounts. Realising she had got away with it, De-Laurey continued to steal money by issuing forged cheques and making false money transfers. Before long she was forging signatures on a string of cash transfer authorities, siphoning off up to £2.? million at a time from supposedly secure New York investments.

Rationalisation

De-Laurey was able to rationalise her actions by convincing herself that she had earned the money she stole. De-Laurey believed that she deserved the plundered amounts as a just reward for her dedication, discretion and loyalty, and claims that she had the consent of her bosses to take money in return for her ‘indispensable services’. The fact that they were so rich they did not even notice the money was missing only served to fuel De-Laurey’s fraudulent activities. She justified her actions through the belief that her bosses had cash to spare. According to De-Laurey: ‘They could afford to lose that money.’

Caught out

After four years of siphoning off vast amounts of money, De-Laurey was eventually caught when her boss at the time decided to make a six-figure donation to his former college. He took a look at his bank accounts to see if he could cover the donation and was surprised to find the balance on the accounts so low. He investigated further and realised that large sums had been transferred to an unknown account. De-Laurey was the obvious suspect. By this time, De-Laurey had actually stolen around £3.3 million from this particular boss. De-Laurey was the first woman in the UK to be accused of embezzling such a large sum and, after a long and high profile trial in 2004, she was sentenced to seven years imprisonment.

Various sources including The Guardian, The Times, The Independent and the BBC News

One of the most effective ways to tackle the problem of fraud is to adopt methods that will decrease motive or opportunity, or preferably both. Rationalisation is personal to the individual and more difficult to combat, although ensuring that the company has a strong ethical culture and clear values should help. These methods and principles are developed further in later chapters of this guide.

1.5 Who commits fraud?

Different types of fraudster

Fraudsters usually fall into one of three categories:
1 Pre-planned fraudsters, who start out from the beginning intending to commit fraud. These can be short-term players, like many who use stolen credit cards or false social security numbers; or can be longer-term, like bankruptcy fraudsters and those who execute complex money laundering schemes.
2 Intermediate fraudsters, who start off honest but turn to fraud when times get hard or when life events, such as irritation at being passed over for promotion or the need to pay for care for a family member, change the normal mode.
3 Slippery-slope fraudsters, who simply carry on trading even when, objectively, they are not in a position to pay their debts.
This can apply to ordinary traders or to major business people.

In 2007, KPMG carried out research on the Profile of a Fraudster (KPMG survey), using details of fraud cases in Europe, India, the Middle East and South Africa. The ACFE carried out similar research on frauds committed in the US. These surveys highlight the following facts and figures in relation to fraudsters:
• perpetrators are typically college educated white male
• most fraudsters are aged between 36 and 55
• the majority of frauds are committed by men
• median losses caused by men are twice as great as those caused by women
• a high percentage of frauds are committed by senior management (including owners and executives)
• losses caused by managers are generally more than double those caused by employees
• average losses caused by owners and executives are nearly 12 times those of employees
• longer term employees tend to commit much larger frauds
• fraudsters most often work in the finance department, operations/sales or as the CEO.

The ACFE report also found that the type of person committing the offence depends on the nature of the fraud being perpetrated. Employees are most likely to be involved in asset misappropriation, whereas owners and executives are responsible for the majority of financial statement frauds. Of the employees, the highest percentage of schemes involved those in the accounting department. These employees are responsible for processing and recording the organisation’s financial transactions and so often have the greatest access to its financial assets and more opportunity to conceal the fraud.

Case study 4: Management risk

In 2007, a major British construction firm suffered from extensive fraud committed by management at one of its subsidiaries. Accounting irregularities dating back to 2003 were said to include systematic misrepresentation of production volumes and sales by a number of senior figures at the division. Management at the subsidiary attempted to cover their behaviour by selling materials at a discounted price and the fraud went undetected for several years despite internal and external audits. The irregularities were eventually uncovered by an internal team sent to investigate a mismatch between orders and sales. Following an initial internal investigation, a team of external experts and the police were brought in to identify the full extent of malpractice. The investigation found that the organisation was defrauded of nearly £23 million, but the fraud was said to cost the company closer to £40 million due to the written down value of the business and factoring in the cost of the investigation. The managing director of the subsidiary was dismissed, another manager faced disciplinary action and five others left before disciplinary proceedings could be commenced. Civil proceedings were ruled out on the basis that losses were unlikely to be recovered. Operations at the centre of the incident had to be temporarily closed and more than 160 jobs were cut at the business.

In addition to individual fraudsters, there has also been an increase in fraud being committed by gangs of organised criminals. Examples include false or stolen identities being used to defraud banks, and forms of e-fraud exploiting the use of internet by commercial businesses. SOCA is responsible for responding to such threats, with the support of the victim organisations.

1.6 Summary

A major reason why people commit fraud is because they are allowed to do so. There are a wide range of threats facing businesses.
The threat of fraud can come from inside or outside the organisation, but the likelihood that a fraud will be committed is greatly decreased if the potential fraudster believes that the rewards will be modest, that they will be detected or that the potential punishment will be unacceptably high. The main way of achieving this must be to establish a comprehensive system of control which aims to prevent fraud, and where fraud is not prevented, increases the likelihood of detection and increases the cost to the fraudster. Later chapters of this guide set out some of the measures which can be put in place to minimise fraud risks to the organisation. Before looking specifically at fraud risk, the guide considers risk management in general.

2 Risk management – an overview

2.1 What is risk management?

Risk management is defined as the ‘process of understanding and managing risks that the entity is inevitably subject to in attempting to achieve its corporate objectives’ (CIMA Official Terminology, 2005). For an organisation, risks are potential events that could influence the achievement of the organisation’s objectives. Risk management is about understanding the nature of such events and, where they represent threats, making positive plans to mitigate them. Fraud is a major risk that threatens the business, not only in terms of financial health but also its image and reputation. This guide is primarily focused on managing the risk of fraud, but first, this chapter looks at more general aspects of risk management and corporate governance.

2.2 Corporate governance

Risk management is an increasingly important process in many businesses and the process fits in well with the precepts of good corporate governance. In recent years, the issue of corporate governance has been a major area for concern in many countries. In the UK, the first corporate governance report and code of best practice is considered to be the Cadbury Report in 1992, which was produced in response to a string of corporate collapses. There have been a number of reports since, covering provisions around areas such as executive remuneration, non-executive directors, and audit committees. The principles of these various reports have been brought together to form the Combined Code on Corporate Governance (Combined Code). The Combined Code was first introduced in 1998 and among other matters, calls for boards to establish systems of internal control and to review the effectiveness of these systems on a regular basis. UK listed companies are required to provide a statement in their annual reports confirming that they comply with the Combined Code, and where they do not, they must provide an explanation for departures from it (the ‘comply or explain’ principle). The assessment of internal controls should be included in the report to shareholders. The Combined Code is reviewed regularly and the most recent version was published in June 2008.

Following the original introduction of the Combined Code, the Turnbull Committee was set up to issue guidance to directors on how they should assess and report on their review of internal controls. The Turnbull Committee made it clear that establishment of embedded risk management practices is key to effective internal control systems. The Turnbull guidance was first published in 1999 and revised in 2005. In the revised report (sometimes referred to as Turnbull 2) there is now a requirement for directors to give explicit confirmation that any significant failings or weaknesses identified from the review of effectiveness of internal controls have been, or are being, remedied.

The Financial Reporting Council is responsible for maintaining and reviewing the Combined Code, although the Combined Code is annexed to the rules of the UK Listing Authority, which is part of the FSA. The FSA is responsible for ensuring that listed companies provide the appropriate ‘comply or explain’ statement in their annual report. While the guidance is generally applicable to listed companies, the principles are relevant to all organisations and have been widely used as a basis for codes of best practice in the public and not-for-profit sectors. Fraud risk management practices are developing along the same lines.

Many other countries have also produced reports on corporate governance, usually accompanied by codes of best practices. For example, South Africa has had the King Report (version I and now II) since 1994, Malaysia has had its Code of Corporate Governance in place since 2000 and Sri Lanka issued the Rules on Corporate Governance as part of its Listing Rules in January 2007. Corporate governance requirements in the US are now largely set out within the Sarbox legislation, further details on which are provided at Appendix 1. As previously mentioned, these requirements extend beyond the US, capturing any company that is SEC listed and its subsidiaries. Some other countries have also introduced a statutory approach to corporate governance, such as that in the US, although none are currently as comprehensive. A number of international organisations have also launched guidelines and initiatives on corporate governance, including the Organisation for Economic Co-operation and Development (OECD) and the European Commission.

An example of a growing area of corporate governance is IT governance, which has developed in light of rapid and continuing advances in information technology. The following box gives more information on IT governance.

IT governance

IT governance is about ensuring that the organisation’s IT systems support and enable achievement of the organisation’s strategies and objectives. It encompasses leadership, organisational structures, business processes, standards and compliance.
There are five specific drivers for organisations to adopt IT governance strategies:
• regulatory requirements, e.g. IT governance is covered by the Combined Code and Turnbull guidance in the UK
• increasing intellectual capital value that the organisation has at risk
• alignment of technology with strategic organisational goals
• complexity of threats to information security
• increase in the compliance requirements of information and privacy-related regulation.

A key benefit of an effective, integrated IT governance framework is the integration of IT into the strategic and overall operational approach of an organisation. There are a series of international Information Security (IS) standards that provide guidance on implementing an effective IT governance framework, known as the ISO 27000 series. For example, ISO/IEC 27001 defines a set of IS management requirements in order to help organisations establish and maintain an IS management system. The standards apply to all types of organisation regardless of size or sector. They are particularly suitable where the protection of information is critical to the business, for example in the finance, health and public sectors, and for organisations which manage information on behalf of others, such as IT outsourcing companies. ISACA also offers a series of IS standards and certification. ISACA is a leading global association in the IT governance and control field. With a network across more than 160 countries, its IS standards are followed by practitioners worldwide.

Controls assurance

Controls assurance is the process whereby controls are reviewed by management and staff. There are various ways to conduct these exercises, from highly interactive workshops based on behavioural models at one end of the spectrum to pre-packaged self audit internal control questionnaires at the other. These models all include monitoring and risk assessment among their principal components.

2.3 The risk management cycle

The risk management cycle is an interactive process of identifying risks, assessing their impact, and prioritising actions to control and reduce risks. A number of iterative steps should be taken:
1 Establish a risk management group and set goals.
2 Identify risk areas.
3 Understand and assess the scale of risk.
4 Develop a risk response strategy.
5 Implement the strategy and allocate responsibilities.
6 Implement and monitor the suggested controls.
7 Review and refine the process and do it again.

Figure 3 The CIMA risk management cycle: establish risk management group and set goals; identify risk areas; understand and assess scale of risk; develop risk response strategy; implement strategy and allocate responsibilities; implementation and monitoring of controls; review and refine process and do it again; information for decision making

2.4 Establish a risk management group and set goals

A risk management group should be established whose task it is to facilitate and co-ordinate the overall risk management process. Possible members of the group could include a chief risk officer, a non executive director, finance director, internal auditor, heads of planning and sales, treasurer and operational staff. Depending on the size and nature of the organisation, the risk management group may be in the form of a committee who meet from time to time. The risk management group will promote the understanding and assessment of risk, and facilitate the development of a strategy for dealing with the risks identified. They may also be responsible for conducting reviews of systems and procedures to identify and assess risks faced by the business, which include the risk of fraud, and introducing the controls that are best suited to the business unit. However, line managers and their staff may also be involved in the risk identification and assessment process, with the risk management group providing guidance.

2.5 Identify risk areas

Each risk in the overall risk model should be explored to identify how it potentially evolves through the organisation. It is important to ensure that the risk is carefully defined and explained to facilitate further analysis. The techniques of analysis include:
• workshops and interviews
• brainstorming
• questionnaires
• process mapping
• comparisons with other organisations
• discussions with peers.

2.6 Understand and assess the scale of risk

Once risks have been identified, an assessment of possible impact and corresponding likelihood of occurrence should be made using consistent parameters that will enable the development of a prioritised risk analysis. In the planning stage, management should agree on the most appropriate definition and number of categories to be used when assessing both likelihood and impact. The assessment of the impact of the risk should not simply take account of the financial impact but should also consider the organisation’s viability and reputation, and recognise the political and commercial sensitivities involved. The analysis should either be qualitative or quantitative, and should be consistent to allow comparisons. The qualitative approach usually involves grading risks in high, medium and low categories.

Impact

The assessment of the potential impact of a particular risk may be complicated by the fact that a range of possible outcomes may exist or that the risk may occur a number of times in a given period of time. Such complications should be anticipated and a consistent approach adopted which, for example, may seek to estimate a worst case scenario over, say, a 12 month time period.

Likelihood of occurrence

The likelihood of a risk occurring should be assessed on a gross, a net and a target basis. The gross basis assesses the inherent likelihood of the event occurring in the absence of any processes which the organisation may have in place to reduce that likelihood. The net basis assesses the likelihood, taking into account current conditions and processes to mitigate the chance of the event occurring. The target likelihood of a risk occurring reflects the risk appetite of the organisation. Where the net likelihood and the target likelihood for a particular risk differ, this would indicate the need to alter the risk profile accordingly. It is common practice to assess likelihood in terms of:
• high – probable
• moderate – possible
• low – remote.

An example of a risk analysis is contained in Appendix 3. The resulting document is often referred to as a risk register. The overall risk registers at organisational and operational levels should include the risk of fraud being perpetrated. Some organisations also prepare detailed fraud risk registers that consider possible fraudulent activity. The fraud risk register often directs the majority of proactive fraud risk management work undertaken by an organisation.

Analysing fraud risks

Fraud risk is one component of operational risk. Operational risk focuses on the risks associated with errors or events in transaction processing or other business operations. A fraud risk review considers whether these errors or events could be the result of a deliberate act designed to benefit the perpetrator. As a result, fraud risk reviews should be detailed exercises conducted by teams combining in depth knowledge of the business and market with detailed knowledge and experience of fraud. Risks such as false accounting or the theft of cash or assets need to be considered for each part of the organisation’s business. Frequently, businesses focus on a limited number of risks, most commonly on third-party thefts. To avoid this, the risks should be classified by reference to the possible type of offence and the potential perpetrator(s). Fraud risks need to be assessed for each area and process of the business, for example, cash payments, cash receipts, sales, purchasing, expenses, inventory, payroll, fixed assets and loans.

2.7 Develop a risk response strategy

Once the risks have been identified and assessed, strategies to deal with each risk identified can be developed by line management, with guidance from the risk management group. Strategies for responding to risk generally fall into one of the following categories:
• risk retention (e.g. choosing to accept small risks)
• risk avoidance (e.g. stopping sale of certain products to avoid the risk occurring)
• risk reduction (e.g. through implementing controls and procedures)
• risk transfer (e.g. contractual transfer of risk; transferring risks to insurers).

Before strategies are developed, it is necessary to establish the risk appetite of the organisation. Risk appetite is the level of risk that the organisation is prepared to accept and this should be determined by the board. The appetite for risk will influence the strategies to be developed for managing risk. It is worth noting that a board’s risk appetite may vary for different types of risk and over time. For example, the board may have a low risk tolerance on compliance and regulatory issues, but be prepared to take significant strategic risks. The board may also reduce their risk appetite as the external environment changes, such as in times of recession.

2.8 Implement the strategy and allocate responsibilities

The chosen strategy should be allocated and communicated to those responsible for implementation. For the plan to be effective it is essential that responsibility for each specific action is assigned to the appropriate operational manager and that clear target dates are established for each action.
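The gross, net and target likelihood assessment of 2.6, the classification of fraud risks by offence and potential perpetrator, and the response categories of 2.7, worked through as a small fraud risk register. This is an added example, not code from the CIMA guide; the numeric grades, the register entries and the rule mapping the net-to-target gap onto a response category are constructed assumptions.

```python
# Fraud risk register worked example for sections 2.6 and 2.7.
# Added illustration, not code from the CIMA guide; the grading scales,
# the register entries and the gap-to-response mapping are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative grades from 2.6, ranked so they can be compared and multiplied.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}   # remote / possible / probable
IMPACT = {"low": 1, "medium": 2, "high": 3}         # worst case over 12 months

# Areas and processes the guide says a fraud risk review must cover.
REQUIRED_AREAS = ("cash payments", "cash receipts", "sales", "purchasing",
                  "expenses", "inventory", "payroll", "fixed assets", "loans")


@dataclass
class FraudRisk:
    """One register entry, classified by offence type and potential perpetrator."""
    area: str
    offence: str
    perpetrator: str           # "employee", "management" or "third party"
    impact: str
    gross: str                 # inherent likelihood with no controls in place
    net: str                   # likelihood given the controls currently in place
    target: str                # likelihood acceptable under the board's risk appetite
    owner: str = "unassigned"  # operational manager responsible (section 2.8)
    controls: List[str] = field(default_factory=list)

    def score(self, basis: str = "net") -> int:
        """Impact x likelihood on the gross, net or target basis."""
        return IMPACT[self.impact] * LIKELIHOOD[getattr(self, basis)]

    def response(self) -> str:
        """Map the gap between net and target likelihood to a 2.7 response category.
        The rule for choosing avoidance/transfer over reduction is an assumption."""
        gap = LIKELIHOOD[self.net] - LIKELIHOOD[self.target]
        if gap < 0:
            return "review: controls exceed appetite"   # possibly over-controlled
        if gap == 0:
            return "retain"
        if self.impact == "high" and self.net == "high":
            return "avoid or transfer"   # current controls are not bringing it down
        return "reduce"                  # add or strengthen controls


def prioritise(register: List[FraudRisk]) -> List[FraudRisk]:
    """Order the register by net score, breaking ties on gross score."""
    return sorted(register, key=lambda r: (r.score("net"), r.score("gross")),
                  reverse=True)


def appetite_gaps(register: List[FraudRisk]) -> List[FraudRisk]:
    """Entries whose net likelihood differs from target: the profile needs altering."""
    return [r for r in register if r.net != r.target]


def coverage_gaps(register: List[FraudRisk]) -> Dict[str, object]:
    """Check the review has not narrowed to a few areas or to third-party theft only."""
    covered = {r.area for r in register}
    perpetrators = {r.perpetrator for r in register}
    return {
        "missing_areas": [a for a in REQUIRED_AREAS if a not in covered],
        "only_third_party": not ({"employee", "management"} & perpetrators),
    }


# Constructed sample register (illustrative values, not survey data).
SAMPLE_REGISTER = [
    FraudRisk("purchasing", "false invoices from a fictitious supplier", "employee",
              "high", "high", "moderate", "low", owner="purchasing manager",
              controls=["supplier master file approval", "three-way match"]),
    FraudRisk("cash payments", "forged cheque signatures", "employee",
              "high", "high", "high", "low", owner="finance director",
              controls=["dual signatories"]),
    FraudRisk("sales", "misstated sales volumes", "management",
              "high", "moderate", "moderate", "moderate", owner="chief financial officer",
              controls=["order-to-sales reconciliation"]),
    FraudRisk("expenses", "duplicate expense claims", "employee",
              "low", "high", "low", "moderate", owner="HR manager",
              controls=["receipt matching", "line manager approval", "random audit"]),
    FraudRisk("cash receipts", "card-not-present chargeback fraud", "third party",
              "medium", "high", "moderate", "moderate", owner="treasurer"),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.score('net')}  {risk.area:14} {risk.offence:40} "
              f"owner={risk.owner}: {risk.response()}")
    print("appetite gaps:", [r.area for r in appetite_gaps(SAMPLE_REGISTER)])
    print("coverage gaps:", coverage_gaps(SAMPLE_REGISTER))
```

The coverage check is the guard against the failure the text warns of, a register that only records third-party theft and leaves whole processes unassessed.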
It is also important to obtain the co-operation of those responsible for the strategy, by formal communication, seminars, action plans and adjustments to budgets.

2.9 Implement and monitor suggested controls

The chosen strategy may require the implementation of new controls or the modification of existing controls. Businesses are dynamic and the controls that are in place will need to be monitored to assess whether or not they are succeeding in their objectives. The risk management group should be empowered to monitor the effectiveness of the actions being taken in each specific area, as these can be affected by internal and external factors, such as changes in the marketplace or the introduction of new computer systems.

2.10 Review and refine and do it again

All of the elements outlined above form part of an iterative cycle where risk management is continually reviewed and developed. As the cycle continues, risk management should increasingly become embedded in the organisation so that it really becomes part of everyone’s job.

2.11 Information for decision making

Risk management should form a key part of the organisation’s decision-making process. Information is gathered at all stages of the risk management cycle and this information should be fed into the decision-making mechanisms. For more information on risk management, please refer to CIMA’s publication Risk Management: A guide to good practice.

2.12 Summary

There are risks in most situations. Risk management is an important element of corporate governance and every organisation should review their risk status and develop their approach as described in the CIMA Risk Management Cycle in 2.3 to 2.11 above. Managing the risk of fraud is the same in principle as managing any other business risk. First, the potential consequences of fraud on the organisation need to be understood, using the principles set out in this chapter. The risks should then be reduced by developing and implementing an anti-fraud strategy across the organisation. This is best approached systematically, both at the organisational level, for example by using ethics policies and anti-fraud policies, and at the operational level, through introduction of controls and procedures. The following chapters expand on the fraud risk management process in the context of an anti-fraud strategy.

Given the prevalence of fraud and the negative consequences associated with it, there is a compelling argument that organisations should invest time and resources towards tackling fraud. There is, however, sometimes debate as to whether these resources should be committed to fraud prevention or fraud detection.

Fraud prevention

Based on the earlier discussion aroun
