Knowledge Alert

Emerging Trends in Fraud Risks

January 2010


Disclaimer

Copyright © 2010 by The Institute of Internal Auditors (IIA) located at 247 Maitland Avenue, Altamonte Springs, FL 32701, U.S.A. All rights reserved. Published in the United States of America.

Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of The IIA.

The information included in this document is general in nature and is not intended to address any particular individual, internal audit activity, or organization. The objective of this document is to share tools, resources, information, and/or other knowledge that is accurate, unbiased, and timely. However, based on the date of issuance and changing environments, no individual, internal audit activity, or organization should act on the information provided in this document without appropriate consultation or examination.


Table of Contents

Executive Summary ... 1

Leading Internal Audit Practices Pertaining to Fraud Management ... 2

Fraudulent Activities Have Been on the Rise Since 2008 ... 5

Employee-related Fraud Has Had a Major Impact in Organizations ... 6

Assurance and Consulting Activities Are a Source of Added Value... 8

Fraud Risks Management Programs Are Becoming a Higher Priority ... 12

Leading Practices ... 15

Appendix A: List of 20 Questions ... 18

Appendix B: List of Key Fraud Management Oversight Functions ... 19


Executive Summary

Fraud negatively impacts organizations in ways that extend far beyond financial losses. According to the latest IIA Practice Guide, Internal Auditing and Fraud, the full cost of fraud is immeasurable in terms of time, productivity, and reputation.

Consequently, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection activities, as well as a fraud risk assessment process to identify fraud risks within the organization.1

To identify emerging trends in fraud risks, The IIA distributed a survey asking members to describe the state of internal audit efforts pertaining to fraud risk and their opinions on current and emerging fraud trends.2 As expected, the survey found that the majority of respondents (76 percent) work in organizations where there is a program designed to manage fraud risks. These programs are either formal (34 percent) or informal (42 percent). The top three components included in the program include policies addressing the reporting of suspected frauds, procedures for reporting suspected frauds, and processes designed to detect fraud (refer to Table 1 for a summary of all responses).

Additionally, 61 percent of respondents stated that the fraud management programs are integrated with another program, including ethics and compliance, risk management, and governance.

1 Internal Auditing and Fraud (December 2009; PDF, 1.84 MB), pg. 2

2 “Emerging Trends in Fraud Risk” (December 2009); a total of 3,776 IIA members were invited to participate in the survey of which 293 chief audit executives (CAEs) and internal audit directors and managers responded, representing an 8 percent response rate. Of these respondents, the majority work in organizations with annual revenues of US $500 million or more (64 percent) and internal audit activities consisting of 3–6 internal auditors (40 percent). The top industries represented in the survey are financial services/banking/real estate (51 percent), manufacturing (12 percent), and health services (9 percent).

Snapshot of Survey Results

This Knowledge Alert discusses the following four key results, as revealed by a recent Flash survey of 293 CAEs and internal audit directors and managers working in different industry groups:

1. There has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008.

2. Employee-related fraud has had a major impact in organizations. While theft of company property and resources was the most common fraud noted, employee-related frauds and fraud related to third parties and vendors were significant. In addition, theft of company information and data may be an area of growing exposure.

3. Internal auditing can add value to the organization’s fraud risk management efforts through its assurance and consulting activities.

4. Programs in companies to manage fraud risks are becoming a higher priority.


Table 1. Fraud Management Program Elements

Program Element Percentage

Policies addressing the reporting of suspected frauds 89%

Procedures for reporting suspected frauds 87%

Procedures designed to detect fraud 66%

Corporate or board-level policies designed to prevent fraud 63%

Business unit procedures designed to prevent fraud 62%

Policies addressing responsibilities for fraud investigations 58%

Procedures to be followed in fraud investigations 53%

Procedures on conducting fraud risk assessments 34%

Policies requiring a periodic fraud risk assessment 33%

Policies outlining fraud detection activities 27%

The survey also highlighted four key findings that describe the overall state of fraud risk activities and emerging trends in the area:

1. There has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008.

2. Employee-related fraud has had a major impact in organizations. While theft of company property and resources was the most common fraud noted, embezzlement and expense-account fraud, when combined, point to an even greater prevalence in employee-related fraud. In addition, fraud related to third parties and vendors as well as theft of company information and data may be areas of growing exposure.

3. Internal auditing can add value to the organization’s fraud risk management efforts through its assurance and consulting activities.

4. Programs in companies to manage fraud risks are becoming a higher priority. In particular, these programs are receiving more attention and starting to become more effective.

Leading Internal Audit Practices Pertaining to Fraud Management

An effective internal audit activity can help organizations address fraud. “Although management and the board are ultimately responsible for fraud deterrence, internal auditors can assist management by determining whether the organization has adequate internal controls and fosters an adequate control environment.”3 Leading practices identified in the survey pertaining to the role of internal auditors in fraud management are:

3 Internal Auditing and Fraud (December 2009), pg. 2


Increase fraud awareness, communication, and training throughout the organization.

Review systems in place and their corresponding policies, procedures, and controls.

Perform regularly scheduled audits that monitor key, high-risk areas.

Review/audit specific financial activities.

Implement a continuous audit process.

Perform risk assessments and risk-based audits.

Increase the level of coordination and cooperation with internal and external groups and other programs.

Increase fraud awareness, communication, and training with executive, senior and business line managers.

Conduct or assist in fraud investigations.

Perform data analysis and mining.

In addition, the survey unveiled eight leading practices organizations can implement to ensure the effectiveness of their fraud management program or effort:

1. Implement a well-publicized fraud management program that has a dedicated role for monitoring compliance with program policies and procedures and is commensurate with the organization’s business model.

2. Ensure the effectiveness of established controls or control processes.

3. Encourage strong tone at the top in support for the organization’s fraud management program or effort.

4. Ensure internal audit plans encompass key fraud prevention activities.

5. Engage in effective activities pertaining to management, such as providing management training on internal control procedures, fostering ongoing communication among senior management, and sharing information to educate leadership regarding their role and responsibility to deter and detect fraud.

6. Implement a code of conduct or ethics program for all staff that is part of the organization's corporate governance structure.

7. Perform an annual fraud risk assessment and control self-assessment.

8. Implement or increase ERM efforts.

Similarly, to ensure the effectiveness of fraud prevention efforts, CAEs need to recommend the establishment of the following key fraud prevention elements, as described by survey respondents:

1. A strong control environment that includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top; an ethics and compliance hotline or program to report concerns; hiring and promotion guidelines and practices; and oversight by the audit committee, board, or other oversight body.

2. A risk assessment that considers fraud risk factors and fraud schemes.


3. Control activities (i.e., policies and procedures for business processes) including appropriate authority limits and segregation of duties.

4. Information and communication to promote the importance of the fraud management program and the organization’s position on fraud risks.

5. Monitoring that provides a periodic evaluation of anti-fraud controls using independent evaluations of the fraud management program by internal auditing or other groups and by implementing technology to aid in continuous monitoring and detection activities.

The rest of this Knowledge Alert provides a more detailed explanation of these and other leading practices and survey findings.


Fraudulent Activities Have Been on the Rise Since 2008

According to survey results, there has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008. The prevalence of fraudulent activity has been quite significant as well.

Of the nearly one-third of organizations where fraud has occurred (31 percent), 43 percent stated that fraud occurrences have increased from 1 percent to 10 percent, 28 percent indicated fraud has increased from 11 percent to 20 percent, and 14 percent stated fraud has increased from 21 percent to 30 percent.

In terms of the types of fraud that have been on the rise, theft of company property and resources was chosen as the number one fraud, followed by embezzlement and expense-account fraud. (Table 2 summarizes all responses.)

However, although noteworthy, the number of fraudulent activities detected since the onset of the economic recession might be a lagging indicator on the prevalence of fraud as many fraudulent schemes are discovered after they take place. Consequently, it is possible that more fraudulent activities have taken place that will be visible at a later date.

Several comments from survey participants justify this trend. According to one respondent, several fraudulent activities were detected in 2009, which started to be perpetrated before the economic downturn took place.

Table 2. Type of Fraud Seen on the Rise Since 2008

Type of Fraud Percentage

Theft of company property and resources 52%

Embezzlement 38%

Expense-account fraud 37%

Third-party/vendor fraud 33%

Theft of company information and data 13%

Financial statement or accounting irregularities 7%

Foreign corrupt practices 4%

Three Common Fraud Characteristics

According to new guidance provided by The IIA, the following are three common characteristics of fraud:

1) Pressure or incentive represents a need that an individual attempts to satisfy by committing fraud. Often, pressure comes from a significant financial need or problem, such as the need to keep one’s job, earn a bonus, or meet or beat analyst financial estimates.

2) Opportunity is the ability to commit fraud and not be detected. Opportunity is created by weak internal controls, poor management, lack of board oversight, and through the use of one’s position and authority to override controls. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur.

3) Rationalization is the ability for a person to justify a fraud and is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior with the commonly accepted notions of decency and trust. The fraudster, for instance, may believe stealing is justified so he/she can pay for high medical bills.

Of the three elements, opportunity is the one organizations can influence the most. Therefore, organizations need procedures and internal controls that deter employees from committing fraud and detect fraudulent activities.

Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 6


Employee-related Fraud Has Had a Major Impact in Organizations

In organizations where fraud has been on the rise since the onset of the economic recession, theft of company property and resources was identified as the most common type of fraud discovered (refer to Table 2 on page 5). However, when analyzed closely, survey results unveil another finding: embezzlement and expense-account fraud, when combined, point to an even greater prevalence in employee-related fraud. This last finding makes sense as the recession has affected countless employees at a personal financial level, often involving the complete loss of income from one or more household members.

In addition, fraud related to third parties and vendors as well as theft of company information and data may be areas of growing exposure. The growing trend toward third-party fraud and data theft could be explained by the increase in outsourcing and offshoring activities as a way to reduce operational expenses during the last couple of years.

Respondents also were asked to identify if they have experienced a new type of fraud or scenario. Of the 38 responses provided in the open-ended question, 58 percent dealt with a financial fraudulent scheme, including:

Inappropriate use of reward points on credit cards.

Scams involving counterfeited check images, duplicated checks, or forged signatures.

Customers using the company to apply for government guaranteed loans under false pretences.

Duplicate billings for services using separate work orders and invoice numbers.

Wire transfer fraud and credit card fraud by accessing the merchant’s processing network.

Use of electronic signatures on documents provided to support travel and entertainment approvals.

Typical Profile of a Fraudster

Most frauds begin small and continue to grow as the scheme remains undetected. Perpetrators also primarily exploit inadequate internal controls for their own gain, resulting in substantial damage to the organization.

The typical fraudster is male of middle age, employed by the organization for a number of years. He often works in the finance department and typically commits the deed driven by a desire for money and opportunity.

Many studies indicate that most frauds are committed by members of management as managers generally have access to confidential information, thus enabling them to override internal controls. In addition, fraud perpetrators tend to be in positions of trust, educated, heads of households, and members of community organizations who are motivated by a personal need.

Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 5


In spite of the rise in finance-related fraudulent activity, most organizations perform a fraud risk assessment as part of their public reporting on financial controls (42 percent).4 The role of internal auditing in this process is mostly to manage the risk assessment process (42 percent). Other roles identified include to act as a consultant throughout the process (30 percent) or to facilitate it (22 percent).

Finally, survey participants were asked to identify the top three risks that are most likely to impact organizations within the next 12 months. Similar to the survey results illustrated in Table 3, employee-related frauds, theft of company property and resources, and fraud pertaining to third parties and vendors were the top three risks identified. Thus, organizations are expecting a continuation of the same kinds of fraudulent activities in 2010.

Table 3. Top 10 Fraud Risks That Are Most Likely to Impact Organizations Within the Next 12 Months

Description of Fraud Risk (Total No. of Responses)

Employee-related fraud or risks (e.g., expense account fraud, worker's compensation fraud, personal use of company mobile devices, employees not understanding their job responsibilities, overstatement of hours worked, new employees risks, abuse of employee discounts and other benefits, falsified time reporting, ghost employees, reduced/frozen salaries and bonuses) 119

Theft of company property and resources (e.g., custodial risks, property theft or poor property management, misuse or improper use of company resources/assets, misappropriation of assets, loss/theft of company property or resources) 106

Fraud or risks pertaining to third-parties or vendors (e.g., bid rigging, competitor fraud, vendor curtailment, supplier failures, payments for services not rendered, medical providers committing fraud, managing vendors/contractors, contract compliance, overpaying contractors, fraudulent billings, fake vendors, favoring a particular vendor or supplier for personal benefit, inappropriate vendor relationships or vendor selection process) 63

Data/information risks (e.g., disclosing corporate data to competitors, skimming, release of confidential data, protecting credit card data, data integrity, data or information security breaches, theft of customer information/corporate data, phishing scams, ID theft, stealing credit card data, intellectual property theft) 38

Billing schemes/fraud (e.g., procurement fraud, overbilling contractors, invoice fraud) 26

Corruption (e.g., bribery of foreign officials, bribe/facilitation payments related to imports, side agreements, letters, bribes/kickbacks) 25

Fraud or risks pertaining to high unemployment rate/layoffs/frozen staff positions (e.g., reduction of audit staff/coverage, downsizing without remapping processes or controls) 25

Overall risks due to the impact of the economy (e.g., slow turnaround in the economy, reduced/constraint resources, reduced capital spending, employee stress, increased costs, lower revenues, increased need of cash by employees) 21

Risks due to management issues (e.g., questionable ethics by management, overall decision-making, management's view of internal auditing, lack of management oversight/integrity, insufficient management oversight and monitoring of operating entities, management override, lack of management support at the C-level) 17

IT risks (e.g., use of IT to cover up fraud, systems not capable of detecting fraud, risks associated with new financial systems, IT security risks, access to IT systems, legacy systems requiring security updates) 15

4 Twenty-five percent of respondents indicated that public reporting on financial controls is not applicable to their organization.


Assurance and Consulting Activities Are a Source of Added Value

Internal auditing was identified as the number one function responsible for the day-to-day management of the organization’s fraud program.5 To help CAEs ensure internal auditors add the most value, the survey asked participants to identify the role that the internal audit activity plays as part of the fraud management program. Overall, the survey found that internal auditors perform a variety of consulting and assurance activities that add value to the organization’s fraud management efforts (refer to Table 4 for a summary of all responses).

Table 4. Role of Internal Auditing as Part of the Fraud Management Program

Response Percentage

Conducts tests to determine if fraud is present in areas where potential fraud risks are present 73%

Evaluates the design and operation of internal controls related to fraud risk management 71%

Takes an active role in support of the organization’s ethical culture 66%

Performs its own fraud risk assessment 61%

Is responsible for reporting cases of fraud to the audit committee 60%

Provides assurance to the board and senior management that fraud risks are being identified and appropriately addressed 57%

Conducts root-cause analyses of actual frauds to identify control improvement recommendations 51%

Performs periodic monitoring of key fraud indicators 50%

Provides assurance to the board and senior management that the organization’s fraud program is effective 42%

Participates, under the direction of another function, in investigation of suspected fraud 42%

Has overall responsibility for investigations of suspected fraud 39%

Works with external auditors regarding their fraud assessment 37%

Participates in the organization’s fraud risk assessment 32%

Provides fraud or ethics training sessions to business units 30%

Is responsible for the organization’s fraud reporting mechanism or whistleblower hotline 29%

Interviews and communicates regularly with those conducting the risk assessment and others in key positions to help them ensure all fraud risks have been considered appropriately 28%

Conducts or participates in fraud-scenario analysis 24%

Runs automated software routines specifically designed to identify possible fraudulent activities 21%

Performs continuous monitoring of key fraud indicators 17%

5 Thirty-seven percent of respondents identified internal auditing as the number one function responsible for the fraud program. Other functions identified, in order of importance, include: legal or general counsel (11 percent), corporate security (7 percent), and the chief risk officer (or equivalent) or chief financial officer (or equivalent) (5 percent each).


For instance, in terms of assurance activities, internal auditors provide assurance to the board and senior management that the organization’s fraud program is effective and that fraud risks are being identified and addressed appropriately. On the other hand, consulting activities include being an active participant in the organization’s fraud risk assessment, evaluating the design and operation of internal controls related to fraud risk management, and providing fraud or ethics training sessions to business units.

Additionally, the survey asked participants to identify the top three activities internal auditors can perform that can provide added value to the organization’s overall fraud management efforts.

Again, respondents identified a number of consulting and assurance efforts. The top three are:

1. Increase fraud awareness, communication, and training throughout the organization.

2. Review systems in place and corresponding policies, procedures, and controls.

3. Perform regularly scheduled audits that monitor key, high-risk areas.

Table 5 provides a detailed summary of the top 15 activities internal auditors can perform to add value to the organization’s fraud management efforts.

Internal Auditing’s Role During Fraud Investigations

According to the practice guide Internal Auditing and Fraud, the role of internal auditing during fraud investigations needs to be defined in the internal audit charter as well as in the organization’s fraud policies and procedures.

Acceptable roles for internal auditors include:

Having the primary responsibility for fraud investigations.

Acting as a resource during investigations.

Refraining from involvement in investigations as they are either responsible for assessing the effectiveness of investigations or lack the appropriate resources to be involved in investigations.

In organizations where the internal audit activity is responsible for fraud investigations, it may conduct an investigation using in-house staff, a third party, or a combination of both. Appendix A of this report provides a list of 20 questions taken from the practice guide that CAEs can ask about fraud on a regular basis to enhance the organization’s fraud management program or efforts.

Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 23


Table 5. Top 15 Activities Internal Auditors Can Perform to Provide Added Value to Fraud Management Efforts

Description of Value-added Activity

Increase fraud awareness, communication, and training throughout the organization (e.g., help educate employees on awareness/anti-fraud efforts, educate process owners/customers, and help to promote companywide policies and procedures).

Review systems in place and their corresponding policies, procedures, and controls (e.g., audit financial reporting controls, fraud detection and prevention controls, inventory/shipping/invoicing functions, and risk mitigation plans; verify internal control effectiveness in all financial and other high-risk areas; and review segregation of duties activities).

Perform regularly scheduled audits that monitor key, high-risk areas (e.g., perform IT security assessments and other IT-targeted reviews; perform payroll control reviews, operational audits, risk-based audits, and financial control audits; and increase the audit scope on key business areas including HR, general ledger activity, and ethics and compliance).

Review/audit specific financial activities (e.g., accounts receivable trends, cash management activities, disbursement cycles, record keeping reports, expense claims, customer accounts, changes in financial statement and balance sheet accounts, commissions paid versus revenues, credit card transactions for emerging trends, high risk/suspicious transactions and accounts, and procurement cards).

Implement a continuous audit process to eliminate sample bias; audit credit and accounts payable activity; audit employee expenses; and continuously monitor controls, high-risk areas, financial transactions, IS, and control self-assessments.

Perform risk assessments/risk-based audits.

Increase level of coordination and cooperation with internal and external groups and other programs already in place.

Review/audit key risk activities other than financial areas.

Increase fraud awareness/communication/training/discussion with management/leadership.

Conduct or assist in fraud investigations.

Perform data analysis and mining.

Include fraud risk assessment as a part of every audit.

Perform regulatory control/compliance testing.

Remain/be visible and accessible throughout the organization by conducting site visits and regular audit reviews of each location.

Help develop a fraud plan for the organization.

Finally, the survey asked a number of questions pertaining to the relationship between internal auditing and the individual department responsible for the organization’s fraud program if other than internal auditing. The majority of responses (58 percent) indicate there is a high degree of coordination and information sharing between the two functions (refer to Table 6). (For a description of additional roles read “Internal Auditing’s Role During Fraud Investigations” on page 9.)

Also, although the internal audit activity is not primarily responsible for fraud detection activities — only 18 percent of participants stated that this is the sole responsibility of internal auditing — 61 percent of respondents stated there is an underlying expectation from management and the audit committee that internal auditors must help in this area.

As a result, more than half of all the internal audit activities represented in the survey (56 percent) employ internal auditors with forensic or investigative skills including internal auditors with the certified fraud examiner designation, experienced fraud managers, and internal audit staff with investigative and forensic training.


Table 6. Relationship Between Internal Auditing and the Organization’s Fraud Management Function

Responses Percentage

High-level of coordination and information sharing* 38%

Not applicable — internal auditing manages the program 36%

Performs investigations jointly with fraud staff* 12%

Clear responsibilities delineated for each function* 9%

Little to no coordination and information sharing 4%

Investigations are solely the responsibility of the fraud function 2%

Fraud function does separate reporting on fraud to senior management and the audit committee 2%

* These responses indicate a high degree of coordination and information sharing between the internal audit activity and fraud management function.


Fraud Risks Management Programs Are Becoming a Higher Priority

Finally, survey results indicate that fraud risk management efforts or programs are becoming a higher priority. First, programs within companies that manage fraud risks are receiving increased attention. As explained earlier, 76 percent of respondents indicated they work in an organization where there is either a formal (34 percent) or informal (42 percent) fraud risk management program in place. And 24 percent are planning on implementing a program in the future. Hence, fraud risk management is a topic of discussion in all of the organizations represented in the survey.

Figure 1. Overall Effectiveness of Fraud Program

Second, of the 76 percent of respondents who stated their organization has a formal or informal program, more than half stated that the fraud risk management program is somewhat effective to highly effective (refer to Figure 1). Furthermore, these respondents were asked to identify the current trend toward overall program effectiveness. According to survey results, 49 percent of respondents who work in an organization with a fraud risk management program stated that the program is starting to become more effective.

Hence, even in organizations where fraud management efforts are ineffective, corrective actions are being put in place to increase the likelihood of detecting or preventing future fraud risks (refer to Figure 2).


Figure 2. Current Trend Toward Overall Fraud Program Effectiveness

Third, organizations are starting to commit specific resources toward fraud management, including the creation of a dedicated fraud management unit or function. According to survey results, more than a quarter of all the organizations represented in the study (28 percent) have a dedicated business unit or department to manage or investigate fraud.

In terms of staffing, 63 percent of all respondents have full-time staff (33 percent), part-time staff (19 percent), or a combination of both (11 percent) dedicated to the program or unit. Table 7 summarizes the total number of full-time staff equivalents dedicated to the organization’s fraud program or unit.

Table 7. Full-time Staff Equivalents Dedicated to Fraud Management Program or Unit

Total No. of Staff Percentage

1 26%

2–5 37%

6–9 7%

10–15 3%

16+ 5%

Not applicable 22%

As organizations hire dedicated staff to enhance their fraud risk management efforts, CAEs need to ensure that the appropriate oversight is provided to effectively manage the program. As The IIA’s new practice guide Internal Auditing and Fraud explains, oversight can take many forms and can be performed by many within and outside the organization under the overall oversight of the board of directors.6

6 Internal Auditing and Fraud (December 2009), pg. 10


In addition to internal auditors, the following eight functions play a key role in the organization’s fraud management program:

Board of directors.

Audit committee.

Management.

Legal counsel.

External auditors.

Loss prevention manager.

Fraud investigators.

Other employees, from the summer intern to the CEO.

(Appendix B describes the main roles of each function.)

Finally, another finding that further confirms fraud risk management is becoming a higher priority is the belief among respondents that fraud prevention is more important than fraud detection. For instance, the survey asked participants to identify their level of agreement with three statements pertaining to the value seen in fraud prevention versus fraud detection activities. Nearly all participants agree to highly agree that the organization’s board/audit committee, senior management, and internal audit activity perceive more value in preventing fraud rather than detecting fraud (refer to Table 8 for a summary of all responses).

This finding is not surprising considering that once fraud is detected, the organization may have incurred a significant financial loss. Hence, preventing fraud from occurring saves the organization more time, money, and other resources in the long run, especially in cases where the fraudulent activity leads to a criminal investigation. As many organizations start to enhance their fraud risk management efforts, this is a good time for CAEs to review their internal audit activities related to fraud risk and ensure they are consistent and aligned with what management is doing.

Table 8. Value Given to Fraud Prevention Versus Fraud Detection Activities

(Scale: 1 = Highly Disagree, 5 = Highly Agree)

Statement                                                                                   1     2     3     4     5
Our board/audit committee sees more value in preventing fraud rather than detecting fraud.  3%    6%   25%   32%   35%
Senior management sees more value in preventing fraud rather than detecting fraud.          4%   10%   22%   35%   30%
Internal auditing sees more value in preventing fraud rather than detecting fraud.          2%    5%    5%   25%   62%


Leading Practices

Leading Practices in Fraud Prevention

Survey results unveiled eight leading practices in the area of fraud prevention. These are:

1. Implement a well-publicized fraud management program that has a dedicated role for monitoring compliance with program policies and procedures and is commensurate with the organization’s business model.

2. Ensure the effectiveness of established controls or control processes.

3. Encourage a strong tone at the top in support of the organization’s fraud management program/efforts.

4. Ensure internal audit plans encompass key fraud prevention activities.

5. Engage in effective activities pertaining to management, such as providing management training on internal control procedures, fostering ongoing communication among senior management, and sharing information to educate leadership regarding their role and responsibility to deter and detect fraud.

6. Implement a code of conduct or ethics program for all staff that is part of the organization's corporate governance structure.

7. Perform an annual fraud risk assessment and control self-assessment.

8. Implement or increase ERM efforts.

To obtain leading fraud management practices, respondents were asked to describe the most effective strategies an organization can implement to prevent fraud. In order of importance, these strategies are:

Implement a well-publicized fraud management program that:

o Has a dedicated role for monitoring compliance with program policies and procedures.

o Is commensurate with the organization’s business model.

o Ensures staff are aware of their responsibility to identify fraud.

o Provides a tool for confidential reporting of suspected frauds, such as the implementation of an ethics and compliance (i.e., whistleblower) hotline.

o Communicates to employees the critical elements contained in the organization’s code of conduct.

o Enables staff to question activities that are outside the norm.

o Requires fraud training.

o Outlines the actions to be taken against fraud perpetrators.

o Publicizes fraud management efforts.

o Celebrates good behavior.

Ensure the effectiveness of established controls or control processes, including:

o Vendor management activities such as vendor qualification and competitive bidding procedures.

o Regular updates to master vendor files.

o Expenditure reviews.

o Inventory accountability, such as consequences for management personnel if variances in inventory are detected, and routine/frequent checks and reconciliation of inventory.

o Regular updates of security clearances.

Encourage strong tone at the top by:

o Ensuring senior management sets the proper tone at the top for fraud management.

o Demonstrating the organization’s commitment to implement effective internal controls in all programs.

o Making a commitment to review internal controls and taking strong sanctions against those perpetrating fraud.

o Ensuring senior management carries the message to employees about their commitment to prevent fraud and deal directly with fraud when identified.

Ensure that audit plans encompass the following key activities:

o Surprise audits, in addition to scheduled audits on randomly selected business units.

o Regular internal audit presence in all parts of the organization.

o Compliance monitoring of fraud policies and procedures.

o Fraud audits and internal audit support for the fraud program.

o Mechanisms to audit code of conduct compliance.

o Hire antifraud professionals as part of the internal audit activity.

o Systematically assess key controls and continuously audit fraud risk areas.

o Enable internal auditors to remain/be visible in the company.

o IT audit activities pertaining to fraud risk (e.g., use of fraud detection software, automated matching and computer-assisted audit techniques, and data mining).

Engage in effective activities pertaining to management, including:

o Training of management on internal control procedures.

o Fostering an appropriate leadership/management style to avoid the "rationalization" process that is present in fraud scenarios.

o Ensuring ongoing communication among senior management.

o Sharing information to educate leadership regarding their role/responsibility to deter and detect fraud.

o Ensuring management support when new controls need to be implemented.

o Ensuring careful management hiring decisions.

o Building awareness of the type of fraud that can occur in a given area and the steps that can and should be taken to prevent fraud.

Implement a code of conduct/ethics program for all staff that is part of the organization's corporate governance structure. The code of conduct/ethics must:

o Communicate that fraud of any form will not be tolerated.

o Establish an adherence to accountability standards.

o Communicate to employees what integrity in the workplace means, including penalties for violations and noncompliance with the code of conduct.

o Instill an ethical culture among all staff that makes each employee accountable for detecting fraud.

Perform an annual fraud risk assessment and control self-assessment that:7

o Evaluates fraud risks and inventories fraud scenarios.

o Includes threat discussions and assessments.

Implement or increase ERM efforts.

When examined closely, these survey responses unveil a series of leading practices in the area of fraud management program implementation. According to respondents, once an organization establishes a fraud management program, at a minimum, the program must:

Establish the proper tone at the top through the implementation of a code of conduct.

Establish mechanisms to audit compliance to the code of conduct.

Develop and enforce repercussions for noncompliance to the code of conduct.

Communicate with all employees on a regular basis the critical elements contained in the code of conduct.

Ensure organization leaders lead by example.

Have clear and robust policies, procedures, and controls that are well understood by all employees, enforced by management, and closely monitored by internal auditing and senior and line managers.

For additional fraud prevention practices from The IIA, read "Fraud Prevention Elements" in the sidebar below.

Fraud Prevention Elements

According to the practice guide Internal Auditing and Fraud, fraud prevention involves those actions taken to discourage fraud and limit fraud exposure when it occurs. Instilling a strong ethical culture and setting the correct tone at the top are, thus, essential elements in preventing fraud.

To ensure the effectiveness of fraud prevention efforts, CAEs need to recommend the establishment of the following key fraud prevention elements:

1. A control environment that includes a code of conduct or ethics or fraud policy to set the appropriate tone at the top; an ethics and compliance hotline or program to report concerns; hiring and promoting guidelines and practices; and oversight by the audit committee, board, or other oversight body.

2. A risk assessment that considers fraud risk factors and schemes.

3. Control activities, i.e., policies and procedures for business processes, including appropriate authority limits and segregation of duties.

4. Communication to promote the importance of the fraud management program and the organization’s position on fraud risks.

5. Periodic monitoring of anti-fraud controls through independent evaluations of the fraud management program by internal auditing or other groups and the implementation of technology to aid in continuous monitoring and detection activities.

Source: Internal Auditing and Fraud (December 2009), The IIA, pp. 19–20
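The audit plan items above list IT audit activities such as automated matching, computer-assisted audit techniques, and data mining, and the control list calls for regular updates to master vendor files. As an added illustration that is not part of the IIA Knowledge Alert or of the practice guide it cites, the following Python script shows what one such automated matching test looks like when run over a vendor master file: it normalizes addresses and bank account numbers, then flags vendors that share payment details with each other (duplicate or re-keyed records) or with an employee (a conflict-of-interest lead), and vendors with no tax ID on file. Every vendor, employee, address, account number, and field name below is a constructed assumption, not data from any real organization.

```python
"""Automated matching test over a vendor master file (added example, not
IIA material). All records below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample vendor master file (hypothetical ids, names and values).
VENDORS = [
    {"id": "V100", "name": "Acme Supplies, Inc.", "address": "12 Main St, Suite 4, Springfield",
     "bank": "GB29 NWBK 6016 1331 9268 19", "tax_id": "11-1111111"},
    {"id": "V101", "name": "ACME SUPPLIES INC", "address": "12 Main Street Ste 4 Springfield",
     "bank": "GB29NWBK60161331926819", "tax_id": ""},
    {"id": "V102", "name": "Northwind Traders", "address": "90 Harbor Rd, Portsmouth",
     "bank": "GB94 BARC 1020 1530 0934 59", "tax_id": "22-2222222"},
    {"id": "V103", "name": "JP Consulting", "address": "7 Elm Avenue, Apt 2, Springfield",
     "bank": "GB33 BUKB 2020 1555 5555 55", "tax_id": "33-3333333"},
]

# Constructed sample employee payroll extract (hypothetical).
EMPLOYEES = [
    {"id": "E7", "name": "Jane Patel", "address": "7 Elm Ave Apt 2 Springfield",
     "bank": "GB33BUKB20201555555555"},
    {"id": "E8", "name": "Omar Diaz", "address": "5 Oak Ct, Portsmouth",
     "bank": "GB82 WEST 1234 5698 7654 32"},
]

# Common address and legal-form abbreviations collapsed to one spelling so that
# "Street" and "St" (or "Suite" and "Ste") compare equal after normalization.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
                 "apartment": "apt", "incorporated": "inc"}


def normalize_text(value):
    """Lower-case, drop punctuation, and expand known abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_bank(value):
    """Bank account keys compare on characters only, ignoring spacing and case."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())


def find_duplicate_vendors(vendors):
    """Groups of vendor ids that share a bank account or an address."""
    by_bank, by_addr = defaultdict(list), defaultdict(list)
    for v in vendors:
        by_bank[normalize_bank(v["bank"])].append(v["id"])
        by_addr[normalize_text(v["address"])].append(v["id"])
    groups = set()
    for index in (by_bank, by_addr):
        for ids in index.values():
            if len(ids) > 1:
                groups.add(tuple(sorted(ids)))
    return sorted(groups)


def find_employee_matches(vendors, employees):
    """(vendor id, employee id, matched field) where payment details coincide."""
    emp_bank = {normalize_bank(e["bank"]): e["id"] for e in employees}
    emp_addr = {normalize_text(e["address"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        bank, addr = normalize_bank(v["bank"]), normalize_text(v["address"])
        if bank in emp_bank:
            hits.append((v["id"], emp_bank[bank], "bank account"))
        if addr in emp_addr:
            hits.append((v["id"], emp_addr[addr], "address"))
    return hits


def find_missing_tax_ids(vendors):
    """Vendors set up without a tax ID: a master-file completeness exception."""
    return [v["id"] for v in vendors if not v["tax_id"].strip()]


def run_vendor_master_tests(vendors=VENDORS, employees=EMPLOYEES):
    """Run all three tests and return the exceptions for audit follow-up."""
    return {
        "duplicate_vendors": find_duplicate_vendors(vendors),
        "employee_matches": find_employee_matches(vendors, employees),
        "missing_tax_id": find_missing_tax_ids(vendors),
    }


if __name__ == "__main__":
    for test_name, findings in run_vendor_master_tests().items():
        print(f"{test_name}: {findings}")
```

Each hit is an audit lead to be followed up with supporting documents, not a conclusion: a vendor and an employee sharing an address may be a legitimate home-based supplier that was disclosed. The matching keys are deliberately exact after normalization; a production test would add fuzzy name comparison and be rerun every time the master vendor file is updated, which is what the "regular updates to master vendor files" control depends on.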

7 A sample fraud management assessment can be downloaded from The IIA’s Web site, www.theiia.org/download.cfm?file=75536 (PDF, 536 KB).


Appendix A: List of 20 Questions

The following are a series of 20 questions CAEs can ask about fraud on a regular basis to enhance the organization’s fraud management program or efforts:

1. Does the organization have a fraud governance structure in place that assigns responsibilities for fraud investigations?

2. Does the organization have a fraud policy in place?

3. Has the organization identified laws and regulations relating to fraud in jurisdictions where it does business?

4. Does the organization’s fraud management program include coordination with internal auditing?

5. Does the organization have a fraud hotline?

6. Does the audit charter describe internal auditing’s roles and responsibilities relating to fraud?

7. Has responsibility for fraud detection, prevention, response, and awareness been assigned within the organization?

8. Do management and the CAE update the audit committee on fraud?

9. Does management promote fraud awareness and training within the organization?

10. Does management lead fraud risk assessments and include internal auditing in the assessment process?

11. Are the results of fraud risk assessments considered in the audit planning process?

12. Are periodic fraud awareness and training programs provided to all employees?

13. Are automated tools available to those responsible for preventing, detecting, and investigating fraud?

14. Has management identified the types of potential fraud risks in its areas of responsibility?

15. Do management and the CAE know where to obtain guidance on fraud from professional organizations?

16. Do management and internal auditors know their responsibilities relating to fraud?

17. Has management incorporated appropriate controls to prevent, detect, and investigate fraud?

18. Does management have the appropriate skill sets in place to perform fraud investigations?

19. Do management and the internal audit activity periodically assess the effectiveness and efficiency of fraud controls?

20. Are fraud investigation workpapers and supporting documents appropriately secured and retained?


Appendix B: List of Key Fraud Management Oversight Functions

Function Description of Main Role

Board of Directors

Oversee and monitor management’s actions to manage fraud risks by evaluating management’s identification of fraud risks, implementation of anti-fraud measures, and tone at the top.

Implement policies that encourage ethical behavior, including processes for employees, customers, and external business relationship partners to report instances where those policies are violated.

Monitor the organization’s fraud risk management effectiveness by appointing one executive-level member of management to be responsible for coordinating fraud risk management and reporting to the board.

Audit Committee

Evaluate management’s identification of fraud risks and the implementation of anti-fraud measures.

Provide the tone at the top that fraud will not be accepted in any form.

Hire external auditors to report on the financial statements of the organization and provide recommendations on internal control.

Management

Implement and monitor processes and internal controls to oversee employee activities.

Assess the vulnerability of the entity to fraudulent activity.

Establish and maintain an effective internal control system at a reasonable cost.

Hold discussions with investigators and legal counsel over the investigation process, including the development of policies and procedures for effective fraud investigations and for handling the results of investigations, reporting, and communications.

Legal Counsel

The roles and responsibilities of in-house counsel will often be governed by the laws of each jurisdiction.

A lawyer generally acts in the best interest of the organization and also is required to preserve client confidences.

The discovery of fraud can bring these two ethical duties into potential conflict.

When faced with constituents in the organization who intend to engage in fraud, a lawyer can urge reconsideration, advise the constituents to seek a separate legal opinion, or refer the matter to a higher authority within the organization.

External Auditors

Plan and perform the audit of the organization’s financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether the misstatements were caused by error or fraud.

If fraud is discovered, external auditors must bring the matter to the attention of an appropriate level of management. In cases of fraud involving senior management, external auditors must report the matter to those charged with governance.

Fraud Investigators

Detect and investigate fraud and recover assets.

Often, fraud investigators work closely with legal counsel to bring legal action against a perpetrator.

Lead investigators usually determine the knowledge, skills, and other competencies needed to carry out the investigation effectively and assign competent and appropriate people to the team.

Other Employees

Function as the eyes and ears of the organization.

Report suspicious behavior through the use of the employee hotline, internal audit department, or a member of management.

Source: Internal Auditing and Fraud, pp. 10–12
