How to Prevent Fraud Risks?


Preventive controls are designed to help reduce the risk of fraud and misconduct from occurring in the first place.

An effective, business-driven fraud and misconduct risk management approach is one that is focused on three objectives:

  • Prevention: controls designed to reduce the risk of fraud and misconduct from occurring in the first place
  • Detection: controls designed to discover fraud and misconduct when it occurs
  • Response: controls designed to take corrective action and remedy the harm caused by fraud or misconduct

In this publication we will focus on the prevention of fraud risk. The other elements, detection and response, will be discussed in the next newsletters.

The main actions to prevent the fraud risks can be summarized as follows:

a) Leadership and Governance

(i) Board/Audit Committee Oversight

An organization's board of directors plays an important role in the oversight and implementation of controls to mitigate the risk of fraud and misconduct. The board, together with management, is responsible for setting the "tone at the top" and ensuring institutional support is established at the highest levels for ethical and responsible business practices.

Directors have not only a fiduciary duty to ensure that an organization has programs and controls in place to address the risk of wrongdoing but also a duty to ensure that such controls are effective. As a practical matter, the board may delegate principal oversight for fraud and misconduct risk management to a committee (typically audit), which is tasked with, among other things:

  • Reviewing and discussing issues raised during the entity's fraud and misconduct risk assessment
  • Reviewing and discussing with the internal and external auditors findings on the quality of the organization's antifraud programs and controls
  • Establishing procedures for the receipt and treatment of questions or concerns regarding questionable accounting or auditing matters.

(ii) Senior Management Oversight

To help ensure that fraud and misconduct controls remain effective and in line with governmental standards, responsibility for the organization's fraud and misconduct risk management approach should be shared at senior levels (i.e., individuals with substantial control or a substantial role in policy-making). This critical oversight begins with prevention and must also be part of detection and response efforts.

The chief executive officer is ideally positioned to influence employee actions through his or her executive leadership, specifically by setting the ethical tone of the organization and playing a crucial role in fostering a culture of high ethics and integrity. For instance, the chief executive can lead by example, allocating resources to antifraud efforts and holding senior management accountable for compliance violations.

Direct responsibility for antifraud efforts should reside with a senior leader, often a chief compliance officer who works together with internal audit staff and designated subject matter experts. The chief compliance officer is responsible for coordinating the organization's approach to fraud and misconduct prevention, detection, and response. When fraud and misconduct issues arise, this individual can draw together the right resources to deal with the problem and make necessary operational changes. The chief compliance officer may also chair a committee of cross-functional managers who:

  • Coordinate the organization's risk assessment efforts
  • Establish policies and standards of acceptable business practice
  • Oversee the design and implementation of antifraud programs and controls
  • Report to the board and/or the audit committee on the results of the organization's fraud risk management activities.

Other business leaders such as department heads (e.g., product development, marketing, regulatory affairs, human resources) should also participate in responsibilities under the organization's antifraud strategy; they oversee areas of daily operations in which risks arise. Such department heads can serve as subject matter experts to assist the chief compliance officer with respect to their particular areas of expertise or responsibility.

(iii) Internal Audit Function

The modern organization's internal audit function is a key participant in antifraud activities, supporting management's approach to preventing, detecting, and responding to fraud and misconduct. Studies show that a significant percentage of frauds are uncovered through the work of internal audit. Such responsibilities represent a change from the more traditional role of internal audit (that is, examining the effectiveness of the entity's controls). In general, internal audit should be responsible for:

  • Planning and conducting the evaluation of design and operating effectiveness of antifraud controls
  • Assisting in the organization's fraud risk assessment and helping draw conclusions as to appropriate mitigation strategies
  • Reporting to the audit committee on internal control assessments, audits, investigations, and related activities.

(iv) Fraud and Misconduct Risk Assessment

All organizations typically face a variety of fraud and misconduct risks. Like a more conventional entity-wide risk assessment, a fraud and misconduct risk assessment helps management understand the risks that are unique to its business, identify gaps or weaknesses in control to mitigate those risks, and develop a practical plan for targeting the right resources and controls to reduce risk.

Management should ensure that such an assessment is conducted across the entire organization, taking into consideration the entity's significant business units, processes, and accounts.

With input from control owners as to the relevant risks to achieving organizational objectives, a fraud and misconduct risk assessment includes the following steps:

  • Identify the business units, locations, or processes to assess
  • Inventory and categorize fraud/misconduct risks and occurrences
  • Rate risks based on the likelihood and significance of occurrence
  • Remediate risks through control optimization

While management is responsible for performing a targeted risk assessment process and considering its results in evaluating control effectiveness, the audit committee typically has an oversight role in this process. The audit committee is responsible for reviewing management's risk assessment, ensuring that it remains an ongoing effort, and interacting with the entity's independent auditor to ensure that assessment results are properly communicated.

b) Code of Conduct

An organization's code of conduct is one of the most important communications vehicles that management can use to communicate to employees the key standards that define acceptable business conduct. A well-written and communicated code goes beyond restating company policies; such a code sets the tone for the organization's overall control culture, raising awareness of management's commitment to integrity and the resources available to help employees achieve management's compliance goals.

A well-designed code of conduct typically includes:

  • High-level endorsement from the organization's leadership, underscoring a commitment to integrity
  • Simple, concise, and positive language that can be readily understood by all employees
  • Topical guidance based on each of the company's major policies or compliance risk areas
  • Practical guidance on risks based on recognizable scenarios or hypothetical examples
  • A visually inviting format that encourages readership, usage, and understanding
  • Ethical decision-making tools to assist employees in making the right choices
  • A designation of reporting channels and viable mechanisms that employees can use to report concerns or seek advice without fear of retribution.

c) Employee and Third-Party Due Diligence

An important part of an effective fraud and misconduct prevention strategy is the use of due diligence in the hiring, retention, and promotion of employees, agents, vendors, and other third parties. Such due diligence may be especially important for those employees identified as having authority over the financial reporting process.

The scope and depth of the due diligence process typically varies based on the organization's identified risks, the individual's job function and/or level of authority, and the specific laws of the country in which the organization resides.

There are certain situations where screening third parties may be valid. For example, management may wish to screen agents, consultants, or temporary workers who may access confidential information or acquisition targets that may have regulatory or integrity risks that can materially affect the value of the transaction.

Due diligence begins at the start of an employment or business relationship and continues throughout. For instance, taking into account behavioral considerations, such as adherence to the organization's core values, in performance evaluations provides a powerful signal that management cares not only about what employees achieve but also that those achievements were made in a manner consistent with the company's values and standards.

d) Communication and Training

Making employees aware of their obligations concerning fraud and misconduct control begins with practical communication and training. While many organizations communicate on such issues in an ad hoc manner, efforts taken without planning and prioritization may fail to provide employees with a clear message that their control responsibilities are to be taken seriously.


© 2014 Cerebra. All rights reserved.