Professional Documents
Culture Documents
THE FRAUD
MARKETING
RISK
FINANCE INTERFACE
MANAGEMENT
How to measure
A guide to
and reduce strategy risk
good practice
CONTENTS
Executive summary 2
Introduction 3
Fraud prevention 7
Fraud detection 13
Fraud response 19
Author
Gillian Lees is Head of Corporate Governance at CIMA
1
EXECUTIVE SUMMARY
1. Fraud is prevalent within organisations and 7. An effective anti-fraud strategy has four
remains a serious and costly problem for main components:
virtually every type of organisation in every
a. Prevention
part of the world. The risks of fraud may only be
increasing, as we see growing globalisation, b. Detection
more competitive markets, rapid developments in
c. Response
technology, and periods of economic difculty.
d. Deterrence
2. Despite the serious risk that fraud presents to
business, many organisations still do not have It is the combination of effective fraud
formal systems and procedures in place to prevention, detection and response measures
prevent, detect and respond to fraud. Yet, that create an effective fraud deterrent.
most research shows that organisations which
actively manage their fraud risk reap benets in 8. Key components of a fraud prevention
terms of reducing the negative impact of fraud. strategy:
a. a sound ethical culture
3. While the law relating to fraud varies from
country to country, there are universal b. sound internal control systems.
principles of fraud risk management relating
to prevention, detection and response. These can 9. A signicant number of frauds are detected either
be applied by organisations of all sizes in any accidentally or as a result of tip-offs. This
sector and/or country. reinforces the importance of raising general
fraud awareness in the organisation and
4. There is no universal denition of fraud. But emphasising that it is everyones responsibility
it essentially involves using deception to make in the organisation to nd and report fraud.
a personal gain dishonestly for oneself and/or
create a loss for another. 10. It will never be possible to eliminate all fraud.
However, there are a range of fraud indicators
both warning signs and fraud alerts (red
5. There are three key types of fraud that affect
organisations: asset misappropriation, fraudulent ags) which can provide early warning that
statements and corruption. something is not quite right and increase the
likelihood that the fraudster will be discovered.
6. The fraud triangle is a useful model for
understanding the motivation to commit fraud. It 11. There are also two key tools for detecting
is built on the premise that fraud is likely to result fraud training and experience combined with
from a combination of three factors: motivation, the necessary mindset that fraud is always
opportunity and rationalisation. An effective a possibility. These can be supplemented
way of tackling fraud is to adopt methods that by a range of techniques for identifying and
will address these factors. analysing anomalies to help determine whether
further action is required.
Aim of this guide Despite the serious risk that fraud presents to
business, many organisations still do not have
Periodically, the latest major fraud hits the headlines formal systems and procedures in place to prevent,
as other organisations sit back and watch, telling detect and respond to fraud. While no system is
themselves that it couldnt happen here. But the completely foolproof, there are steps which can be
reality is that fraud can happen anywhere. While taken to deter fraud and make it much less attractive
only relatively few major frauds are picked up by the to commit. As one recent survey of 1,265 executives
media, huge sums are lost by all kinds of businesses worldwide concluded, All businesses are confronted
as a result of the high number of smaller frauds that with the risk of fraud. How they respond the
are committed. nature of their approach to prevention, detection,
investigation and disclosure will separate those who
Surveys are regularly carried out to estimate the manage through the issues from those who suffer
true scale and cost of fraud to business and society. signicant loss.2
Findings vary and it is difcult to obtain a complete
picture as to the full extent of the issue, but these This guide aims to help nance professionals and
surveys all indicate that fraud is prevalent within others with an interest in tackling fraud in
organisations and remains a serious and costly their organisations to take practical steps towards
problem for virtually every type of organisation establishing more robust procedures to tackle
in every part of the world. The risks of fraud may only fraud, particularly in terms of prevention, detection
be increasing, as we see growing globalisation, more and response. It is aimed at readers across the
competitive markets, rapid developments in world as the law relating to fraud varies from
technology and periods of economic difculty. country to country, we strongly advise readers to
ensure that they are familiar with the law relating
There is a wealth of surveys and research 1 which to fraud in their own jurisdiction. However, the
demonstrate the extent and effect of corporate fraud. general principles of good fraud risk management
Typical ndings are that: are universally applicable and we hope that the
emphasis on the practical in this guide will provide
Organisations may be losing as much of 5 of plenty of pointers for action.
their annual revenues as a result of fraud.
Small organisations are disproportionately affected Also included in the guide are insights from the
by fraud. 2011 AICPA Forensic and Valuation Services (FVS)
Trend Survey of over 1,000 respondents including
Anti-fraud controls help to reduce the cost and
both forensic accounting practitioners and senior
duration of frauds.
nance professionals in business and industry. This
A high percentage of frauds are committed by survey explored a number of issues around fraud,
senior management and executives. including methods of prevention and detection, as
well as types of fraud and departments where frauds
Fraudsters often work in the nance function.
took place.
Fraud losses are not restricted to a particular
sector.
The prevalence of fraud is increasing in emerging
markets.
The threat of fraud is evolving and organisations
which actively manage fraud risk stand to benet.
3
What is fraud? This guide focuses on fraud against businesses,
typically by those internal to the organisation.
There is no universal denition of fraud. But it According to the Association of Certied Fraud
essentially involves using deception to make a personal Examiners (ACFE), there are three main categories of
gain dishonestly for oneself and/or create a loss for fraud that affect organisations:
another.
Asset misappropriation, which involves the theft
or misuse of an organisations assets. Examples
Examples of fraud include:
include: theft of plant, inventory or cash, false
Crimes by individuals against consumers, clients invoicing, accounts receivable fraud and payroll
or other business people eg pyramid trading fraud.
schemes.
Fraudulent statements usually in the form of
Employee fraud against employers eg payroll falsication of nancial statements in order to
fraud, falsifying expenses. obtain improper benet. It also includes falsifying
documents such as employee credentials.
Crimes by businesses against investors eg selling
counterfeit goods. Corruption such as the use of bribes or acceptance
of kickbacks, improper use of condential
Crimes against nancial institutions eg fraudulent
information, conicts of interest and collusive
insurance claims.
tendering.
Crimes by individuals or businesses against
government eg tax evasion. These types of internal fraud are summarised in the
Crimes by professional criminals against major chart shown in Figure 1.
organisations eg money laundering.
Further information on common types of internal
E-crime eg phishing, spamming, hacking. fraud and methods by which they may be
perpetrated is included in appendix 1.
Internal fraud
Asset Fraudulent
misappropr iation statements Corruption
Other 3%
Payroll 6%
Skimming cash 4% Employee theft 19%
Opportunity Rationalisation
5
Who commits fraud? Another common nding is that senior management
and executives commit a signicant number of
Surveys often show that fraudsters often work in frauds and invariably cause greater losses than
the nance department or operations/sales. This is more junior employees.
reected in the ndings of the AICPA Forensic and
Valuation Services (FVS) Trend Survey.
Other 5%
Accounting and nance-
Marketing 8%
accounts payable 18%
IT department 4%
Sales 18%
Third party 8%
Screening of current
Other 1%
employees 5%
Division of responsibilities 15%
Screening of new
employees 15%
Anti-fraud education
programmes 3% Computer based controls 12%
7
Fraud detection Fraud prevention and detection both have role to
play and it is unlikely that either will fully succeed
As fraud prevention techniques cannot be 100 without the other. Therefore, it is important that
effective, organisations also need to engage in fraud organisations consider both fraud prevention and
detection. A fraud detection strategy should involve fraud detection in designing an effective strategy to
use of analytical and other procedures to highlight manage the risk of fraud.
anomalies, and the introduction of reporting
mechanisms that provide for communication
An anti-fraud strategy
of suspected fraudulent acts. Key elements of a
comprehensive fraud detection system would In fact, an effective anti-fraud strategy has four main
include: components:
Exception reporting a. Prevention
Data mining b. Detection
Trend analysis c. Response
Ongoing risk assessment. d. Deterrence
suppliers, employees and members of the community.
9
A code of ethics or an anti-fraud policy is not Fraud risk training and awareness
sufcient to prevent fraud. Ethical behaviour
needs to be embedded within the culture of the Almost every time a major fraud occurs, many
organisation. Commitment from senior management people who were unwittingly close to it, are shocked
and tone at the top is key. Employees are more that they had no idea it was going on. It is therefore
likely to do what they see their senior management important to raise awareness through education
doing than follow an ethics policy and it is essential and training. Particular attention should be paid to
that management does not apply double standards. employees working in high risk areas, such as
procurement and nance, and to those with a role in
To demonstrate commitment, resources should be the prevention and detection of fraud, for example
allocated to: human resources.
communicating ethics and values to all employees,
One question often raised is whether fraud training
suppliers and business partners.
provides employees with the knowledge to commit
providing training programmes where necessary. fraud! However, fraud is often discovered through
a tip-off. It is therefore essential that all employees
In addition to encouraging senior management to understand what constitutes fraud, how to identify it
set ethical examples by their actions, organisations and how they should respond. On balance, training
should ensure that senior management is committed is more likely to reduce rather than increase the risk
to controlling the risks of fraud. Senior managers of fraud.
should be assigned with responsibility for fraud
prevention as this sends a message to employees that Training methods may include:
the organisation is serious about fraud and ensures
formal training sessions
that tackling fraud will be handled at a senior level.
Adherence to policies and codes should be regularly group meetings
monitored and policed by appropriate staff within
posters, employee newsletters and Intranet
the organisation, such as management and/or
content.
internal audit. The documents themselves should
also be regularly reviewed and revised.
Communication should be ongoing and a
combination of methods is usually most successful.
Periodic assessment of fraud risk
Spending money on preventing fraud brings many
Organisations should regularly identify and assess
benets but there can be downsides, for example,
fraud risks perhaps as part of an overall risk
excessive and expensive controls may be created,
management process3. Fraud risks should be
which reduce efciency and demotivate staff.
identied for all areas and processes of the business.
However, the head of fraud investigation for a major
They should then be assessed in terms of impact
bank made the following observation:
and likelihood. In addition to the monetary impact,
the assessment should consider non-nancial factors
A 1m increase in expenditure on fraud prevention
such as reputation. An example of a risk analysis is
shown in appendix 3. has led to a 25m increase in prots.
fear of consequences
Sound internal control systems
suspicion rather than proof.
A strong system of internal controls is considered by
The organisations anti-fraud culture and reporting the ACFE to be the most valuable fraud prevention
processes can be a major inuence on the whistle- device by a wide margin.
blower, as it is often fear of the consequences, which
has the greatest impact. To the whistle-blower, the Overall responsibility for the organisations system
impact of speaking out can be traumatic, ranging from of internal control must be at the highest level in the
being dismissed to being shunned by other employees. organisation.
Where fraud is committed by senior management An internal control system comprises all those
even the Chief Executive, the predicament faced policies and procedures that, taken together, support
by the whistle-blower is exacerbated. This is where an organisations effective and efcient operation.
the greatest challenge lies to convince staff that Internal controls typically deal with factors such as
every employee is responsible for combating fraud approval and authorisation processes, access
and that the good health of the organisation, and restrictions and transaction controls, account
potentially their future employment, could be at risk reconciliations, pre-employment screening and
from fraud. Organisations that encourage openness physical security. These procedures often include
are likely to benet in many ways, for example, in the division of responsibilities as well as checks and
being able to detect potential problems early and to balances to reduce risk.
ensure that the critical information gets to the right
people at the right time to enable them to address Ultimately, the internal control system should be
issues effectively. embedded within the culture and operations of the
organisation. It should also be consistent with the
While many countries have legislation in place to nature and size of the organisation.
protect whistle-blowers, legal redress should be a last
resort and organisations should strive for a culture
that actively encourages employees to speak up and
challenge inappropriate behaviour. It is also essential
that the organisation follows up any disclosures.
Employees are more likely to speak up if they know
that action will be taken in response.
11
Internal controls to minimise fraud should address
fraud red ags. Examples of controls may be:
Requiring multiple signatories on high value
transactions.
Requiring employees to take holiday (this is
common in the banking sector).
Restricting belongings that can be brought into the
work environment eg USB sticks.
Conducting random searches of employees eg in
retail outlets.
The PwC 2011 Global Economic Crime Survey, 5 However, the PwC survey also noted changing
covering 3,877 respondents from 78 countries trends in fraud detection, with the number of
established that the most prevalent fraud detection economic crimes detected by people (eg tip-offs)
methods in reported cases of fraud were: going down and those detected by computers going
up. PwC therefore fears that this could mean more
Internal audit (14 of respondents said that frauds fraud overall going undetected as headcounts fall in
were detected by internal audit). control functions.
Internal tip-off (11 ) but only 5 of respondents
said frauds were uncovered via whistle-blowing Indicators and warnings
mechanisms.
It will never be possible to eliminate all fraud.
Fraud risk management measures (10 ). No system is completely fraud-proof, since many
By accident (8 ). fraudsters are able to bypass control systems put in
place to stop them. However, greater attention paid
The AICPA Forensic and Valuation Services (FVS) Trend to some of the most common indicators can provide
Survey shows a relatively similar picture. early warning that something is not quite right and
increase the likelihood that the fraudster will be
In both cases, a striking feature is the number of discovered. With that in mind, this section provides
frauds that are uncovered either accidentally or as a details of some of the more common indicators of
result of tip-offs. This reinforces the importance of fraud.
raising general fraud awareness in the organisation
Other 2%
Internal controls 16%
Internal audit 14%
By accident 17%
13
Fraud indicators fall into two categories:
warning signs
fraud alerts.
Warning signs
These are organisational indicators of fraud risk and
some examples are set out below. Further examples
can be found in appendix 6.
Business risk
Cultural issues Dissatised employees who have access to
desirable assets.
Absence of anti-fraud policy and culture.
Unusual employee behaviour patterns.
Failure of management to implement a sound
system of internal control and/or to demonstrate Personal nancial pressures on key employees.
commitment to it at all times.
Low salary levels of key employees.
Management issues
Poor dissemination of internal controls.
Lack of nancial management expertise and
Employees working unsocial hours unsupervised.
professionalism in key accounting principles,
review of judgements made in management Employees not taking annual leave requirements.
reports and the review of signicant cost Unwillingness to share duties.
estimates.
Process issues
A history of legal or regulatory violations within
the organisation and/or claims alleging such Lack of job segregation and independent
violations. checking of key transactions.
External risk
Introduction of new accounting or other The organisation is operating in a declining
regulatory requirements, including health and business sector and/or facing prospects of
safety or environmental legislation, which could business failure.
alter reported results signicantly.
Rapid technological changes which may
Highly competitive market conditions and increase potential for product obsolescence.
decreasing protability levels within the Signicant changes in customer demand.
organisation.
15
Fraud alerts
These are specic events or red ags, which may
be indicative of fraud. A list of possible fraud alerts
is provided below. This should not be considered
an exhaustive list, as alerts will appear in many
different guises according to circumstances.
Fraud alerts
Anonymous emails/letters/telephone calls. Unexplained uctuations in stock account
balances, inventory variances and turnover
Emails sent at unusual times, with unnecessary
rates.
attachments or to unusual destinations.
Inventory adjustments.
Discrepancy between earnings and lifestyle.
Subsidiary ledgers, which do not reconcile with
Unusual, irrational or inconsistent behaviour.
control accounts.
Alteration of documents and records.
Extensive use of suspense accounts.
Extensive use of correction uid and unusual
Inappropriate or unusual journal entries.
erasures.
Conrmation letters not returned.
Photocopies of documents in place of originals.
Supplies purchased in excess of need.
Rubber stamp signatures instead of originals.
Higher than average number of failed login
Signature or handwriting discrepancies.
attempts.
Missing approvals or authorisation signatures.
Systems being accessed outside of normal work
Transactions initiated without the appropriate hours or from outside the normal work area.
authority.
Controls or audit logs being switched off.
It is important to keep up to date with fraud Undertake a fraud risk assessment and design
trends and issues through the press, technical specic tests to detect the signicant potential
journals, books and the internet. frauds identied through the risk assessment. Act
on irregularities which raise concern.
Comparisons of one nancial period with It is important to examine the systems in place
another; or the performance of one cost centre, and identify any weaknesses that could be
or business unit, with another; or of overall opportunities for the fraudster.
business performance with industry standards,
can all highlight anomalies worthy of further
investigation.
Can be used to identify any abnormal trends or Using the sort tool on a spreadsheet can help
patterns. to identify patterns in expenditure etc. There
are also specialist mathematical models such as
Benfords Law, a formula which can help identify
irregularities in accounts. Database modelling
can also be used.
Such as audit tools for data matching analysis Many systems can generate automatic reports
can prove very useful. Other tools allow for results that fall outside predetermined
for analysis such as real time transaction threshold values (exceptions), enabling
assessment, targeted post-transactional review, immediate identication of results deviating
or strategic analysis of management accounts. from the norm. Emails or text alerts can be sent
directly to appropriate managers to follow up.
17
Analysing anomalies a systematic
approach
This can help determine whether further fraud
investigation or review is required.
The objective of the research must be clear as this will enable decisions to be made about the best way
forward.
Undertaking a systems and risk analysis and comparing the actual practice with those in the procedures
manual, can help to identify system or procedural failures.
This involves identifying the potential loss and assessing whether it is material.
4. Situation analysis
This involves background research, such as company searches and identifying those involved.
Analysis of all the data will give an understanding of what has occurred and how.
6. Prepare schedules
Graphical and numerical schedules/spreadsheets should be prepared to support the analysis and
ndings. It is important to make it as easy as possible for those with little or no nancial knowledge to
understand what has occurred.
In preparing the report, bear in mind that, whatever the original objective, there is always the possibility
of it being used in evidence in legal proceedings. The report should be as factual as far as possible and
where opinion is given, it should be clearly identied as such for example, professional opinion used in
the conclusions of the report.
The fraud response plan is a formal means of setting In some industries, for example the regulated
down clearly the arrangements which are in place nancial services industry, there are often legal
for dealing with detected or suspected cases of fraud. requirements to report nancial crime. Other
It should provide procedures for evidence gathering businesses should follow this example and make it
and collation in a manner which will facilitate clear that they will not sweep fraud under the carpet.
informed decision-making, while ensuring that
evidence gathered will be admissible in the event of Denition of fraud
any legal action.
The plan should provide a clear explanation of
Other benets of the plan are its deterrence value activities which would or could be considered
and the likelihood that it will reduce the tendency to fraudulent. Where appropriate, it could also provide for
panic. It can: legal denitions.
help restrict damage and minimise losses
enable the organisation to retain market
Roles and responsibilities
condence The division of responsibilities for fraud risk
help ensure the integrity of the evidence. management will vary between organisations,
depending on size, industry, culture and other
factors. The following are some general guidelines
which can be adapted to suit specic circumstances.
19
General management Audit committee 6
Should take responsibility for detecting fraud in Has an active role to play in the prevention and
their departments. detection of fraud. In some countries, this role
has been reinforced by recent legislative and
Ensure their staff report any suspected
regulatory change.
irregularities.
Typically, audit committees have responsibility
Should be provided with a response card, detailing
for reviewing the organisations internal control
how they should respond to a reported incidence
systems, including the design, implementation
of fraud. This should include a list of appropriate
and effectiveness of anti-fraud programmes and
contacts.
controls.
Finance Director/Chief Financial Ofcer Also have responsibility for ensuring that the
organisation has whistle-blowing arrangements in
Will often have overall responsibility for the
place and that these are effective.
organisations response to fraud, including
responsibility for coordinating investigations and The audit committee will also need to oversee the
keeping the fraud response plan up to date. effectiveness of both the internal and external
auditors in performing their respective
Will hold the master copy of the fraud response
responsibilities in relation to fraud.
plan.
Responsible for maintaining an investigation log, Internal audit
which details all reported suspicions, including
Likely to investigate any incidence of fraud.
those dismissed as minor or otherwise not
investigated. It will also contain details of actions Caution should be exercised in allowing an
taken and conclusions reached. An important tool investigation to be conducted by those without
for managing, reporting and evaluating lessons training and experience in this area, as this may
learnt. jeopardise the outcome of an investigation.
It may be appropriate to designate specic auditors
Fraud Ofcer (where applicable) as fraud specialists and to ensure that they have
May be appropriate to designate a senior manager as the appropriate skills and knowledge to undertake
Fraud Ofcer instead of the CFO especially in the task.
larger organisations.
Should be authorised to receive enquiries from
External audit
employees condentially and anonymously. An organisation without its own internal audit
function may consider consulting its external
Should have authority to act and/or provide
auditors if it discovers fraud, if only to obtain the
advice according to individual circumstances,
expertise to establish the level of loss.
and without recourse to senior management for
approval. The external auditors may also be in a position
to provide expert assistance from elsewhere
Where the suspect is more senior than the Fraud
within the audit rm, such as a specialist fraud
Ofcer, reports should be made to another senior
investigation team.
manager or non-executive director, ideally the
Chairman of the Audit Committee. A decision to call in external auditors should,
however, be considered carefully, as there is
Human resources always the possibility that if the auditor has missed
obvious fraud alerts, the organisation may
Usually responsible for any internal disciplinary
eventually seek damages from its auditor.
procedures, which must be in line with the fraud
response plan.
Organisations with a high prole, such as larger This may be by means of a formal whistle-blowing
businesses, public sector organisations or charities, policy see Fraud prevention section but the
may wish to consider brieng their PR staff, procedures should also be summarised in the fraud
so they can prepare a brief for the press if the response plan.
fraud becomes public knowledge. Alternatively,
an organisation may decide that it is in its best Establish an investigation team
interests to be proactive and make a public After recording details of the allegations, the
statement before news leaks out. Finance Director/CFO, or the Fraud Ofcer if
appropriate, should call together the investigation
Police team and the organisations advisers. This could
If it is in the organisations policy to prosecute all involve any, or all, of those listed above.
those suspected of fraud, the police should be
involved at the outset of any investigation, as any Formulate a response
delay could reduce the chances of success. The objectives of the investigation should be
clearly identied along with resources required,
External consultants the scope of the investigation and the timescale.
Organisations can consider using specialist The objectives will be driven by the organisations
investigation skills from outside the organisation attitude to fraud and the preferred outcome for
such as forensic accountants. dealing with fraud.
Many specialist organisations exist to provide a An action plan should be prepared and roles and
discreet investigation and/or asset recovery service responsibilities should be delegated in accordance
in accordance with their clients instructions. with the skills and experience of the individuals
involved.
Insurers
The individual in overall control of the investigation
Many organisations take out delity insurance to should be clearly identied, as should the powers
protect themselves against large fraud losses. available to team members.
The timeframe for a report to insurers, and any Reporting procedures as well as protocols for
additional requirements, should be included in the handling and recording evidence should be clearly
fraud response plan and is usually specied in the understood by everybody.
insurance document.
21
The investigation The exact means of obtaining physical evidence
depends on the particular circumstances of the
Preservation of evidence case and whether criminal or civil action is being
pursued, or both.
A key consideration must always be how to secure
and preserve evidence to prove a case of fraud. When taking control of physical evidence,
original material is essential. Photocopies are not
It is vitally important that control is taken of any
acceptable.
physical evidence before the opportunity arises for
it to be removed or destroyed by the suspect(s). Records should be kept of when the evidence was
obtained and the place that it was taken from.
Physical evidence may therefore need to be seized at
an early stage in the investigation, before any If evidence consists of several items, eg a number
witness statements are collected or interviews of documents, each one should be tagged with
conducted. a reference number that corresponds with the
written record.
If a criminal act is suspected, the police should
also be consulted early in the process, before any Taking photographs or video recordings of the
overt action is taken and the suspect alerted. scene, such as the suspects ofce, may also prove
helpful.
If an individual is subsequently charged with a
criminal offence, all investigations, and relevant
Electronic evidence
evidence arising from such investigations, will be
open to discovery, by the defence. Retrieval of electronic evidence should be generally
treated in a similar manner to that of other physical
It is therefore important that proper records are
evidence, although there will be some distinct
kept from the outset, including accurate notes of
differences. It is essential to check the current legal
when, where and from whom the evidence was
position with respect to electronic evidence, but the
obtained and by whom.
following principles from the
The police, or legal advisers, will be able to advise UK Association of Chief Police Ofcers provide a
on how this should be done. useful starting point:
If appropriate, written consent should be obtained No action taken by law enforcement agencies
from the relevant section manager before any items or their agents should change data held on a
are removed. This can be done with senior computer or storage media, which may be relied
management authority, as the items are the on in court.
organisations own property.
In exceptional circumstances, where a person nds
Similarly, electronic evidence must be secured it necessary to access original data held on a
before it can be tampered with by the suspect. computer or on storage media, that person MUST
be competent to do so and be able to give evidence
Physical evidence explaining the relevance and implications of their
actions.
If an internal investigation is being conducted, an
organisation has a right to access its own records An audit trail or other record of all processes
and may bring disciplinary action against any applied to computer-based electronic evidence
employee who tries to prevent this. should be created and preserved. An independent
third party should be able to examine those
Where physical evidence is owned or held by other
processes and achieve the same result.
organisations or individuals who are not
employees, it may be necessary to obtain a court The person in charge of the investigation has overall
order or injunction to secure access to or to seize responsibility for ensuring that the law and these
the evidence. principles are adhered to.
23
Appendix 1 Using ctitious suppliers or shell companies for
false billing.
Examples of common types of internal fraud. This Misuse of accounts
appendix looks at common types of internal fraud
and some of the methods through which they may be Wire transfer fraud (fraudulent transfers into bank
perpetrated. accounts).
Unrecorded sales or receivables.
Asset misappropriation
Employee account fraud (where an employee
Cash
is also a customer and the employee makes
Theft of cash unauthorised adjustments to their accounts).
Stealing from petty cash. Writing false credit note to customers with details
of an employees personal bank account or of an
Taking money from the till.
account of a company controlled by the employee.
Skimming of cash before recording revenues or
Stealing passwords to payment systems and
receivables (understating sales or receivables).
inputting series of payments to own account.
Stealing incoming cash or cheques through an
Non-cash
account set up to look like a bona de payee.
Inventory and xed assets
False payment requests
Theft of inventory.
Employee creating false payment instruction with
forged signatures and submitting it for processing. False write offs and other debits to inventory.
False email payment request together with hard False sales of inventory.
copy printout with forged approval signature.
Theft of xed assets, including computers and
Taking advantage of the lack of time which other IT related assets.
typically occurs during book closing to get false
Theft or abuse of proprietary or condential
invoices approved and paid.
information (customer information, intellectual
Cheque fraud property, pricing schedules, business plans etc).
Theft of company cheques. Receiving free or below market value goods and
services from suppliers.
Duplicating or counterfeiting of company cheques.
Unauthorised private use of company property.
Tampering with company cheques (payee/amount).
Employees trading for their own account.
Depositing a cheque into a third party account
without authority. Procurement
Cheque kiting (a fraud scheme using two deposit Altering legitimate purchase orders.
accounts to withdraw money illegally from the
Falsifying documents to obtain authorisation for
bank).
payment.
Paying a cheque to the company knowing that
Forging signatures on payment authorisations.
insufcient funds are in the account to cover it.
Submitting for payment false invoices from
Billing schemes
ctitious or actual suppliers.
Over-billing customers.
Improper changes to supplier payment terms or
Recording of false credits, rebates or refunds to other supplier details.
customers.
Intercepting payments to suppliers.
Pay and return schemes (where an employee
Sending ctitious or duplicate invoices to suppliers.
creates an overpayment to a supplier and pockets
the subsequent refund). Improper use of company credit cards.
Abuse of holiday leave or time off entitlements. Early delivery of product/services (eg partial
shipments, soft sales, contracts with multiple
Submitting inated or false expense claims. deliverables, upfront fees).
Adding private expenses to legitimate expense Channel stufng or trade loading (where a
claims. company inates its sales gures by forcing more
Applying for multiple reimbursements of the same products through a distribution channel than the
expenses. channel is capable of selling).
Recognising revenue on disputed claims against Inating inventory quantity through inclusion of
customers. ctitious inventory.
25
Misstatement of prepayments and accruals. Purchase of property at higher than market value in
exchange for a kickback.
Understating loans and payables.
Preferential treatment of customers in return for a
Fraudulent management estimates for provisions,
kickback.
reserves, foreign currency translation, impairment
etc. Personal interests
Off balance sheet items. Collusion with customers and/or suppliers.
Delaying the recording of expenses to the next Favouring a supplier in which the employee has a
accounting period. nancial interest.
Other accounting misstatements Employee setting up and using own consultancy
for personal gain (conicts with the companys
Improper treatment of inter-company accounts.
interests).
Non clearance or improper clearance of suspense
Employee hiring someone close to them over
accounts.
another more qualied applicant.
Misrepresentation of suspense accounts for
Transfer of knowledge to a competitor by an
fraudulent activity.
employee who intends to join the competitors
Improper accounting for mergers, acquisitions, company.
disposals and joint ventures.
Misrepresentation by insiders with regard to a
Manipulation of assumptions used for determining corporate merger, acquisition or investment.
fair value of share based payments.
Insider trading (using business information not
Improper or inadequate disclosures. released to the public to gain prots from trading
Fictitious general ledger accounts. in the nancial markets).
Other fraudulent internal or external documents. Giving and accepting payments to favour or
not favour other commercial transactions or
relationships.
Corruption
Payments to government ofcials to obtain a
Conicts of interest benet (eg customs ofcials, tax inspectors).
Kickbacks Anti-trust activities such as price xing or bid
Kickbacks to employees by a supplier in return for rigging.
the supplier receiving favourable treatment. Illegal political contributions.
Kickbacks to senior management in relation to the Extortion
acquisition of a new business or disposal of part of
the business. Offering to keep someone from harm in exchange
for money or other consideration.
Employee sells company owned property at less
than market value to receive a kickback or to sell Blackmail offering to keep information
the property back to the company at a higher price in condential in return for money or other
the future. consideration.
Fraud policy
This policy applies to any irregularity, or suspected
irregularity, involving employees as well as
consultants, suppliers, contractors, and/or any
other parties with a business relationship with
this organisation. Any investigation required will
be conducted without regard to any persons
relationship to this organisation, position or length of
service.
27
Appendix 3 column records the assessment of the controls in
this area and the net likely impact is an assessment
Example of a risk analysis. The risk analysis set out of the likelihood of a fraud not being detected by
below is an example of the results of an assessment the controls. At this stage, the risks in the contracts
by a risk management group of the fraud risks in the area can be reviewed and priorities set for action to
contracts function. This document is a summary of address the risk.
the work undertaken by the risk management group
and they will have working papers to document their Take for example, the risks relating to an
workings and assessments. unchanging list of suppliers. The risk management
group believes fraud has a high likelihood of
The risks identied are in the rst column and the occurring and if so, it could cause signicant
dates of the risk assessment in the second column. nancial loss to the business. The controls are
The column probability/likelihood records the thought to be weak and unlikely to reduce the risk.
assessment of the likelihood of this risk occurring in They have assessed the net likely impact to be high
the organisation. The ratings are graded high, and recommend that this is an immediate priority in
medium or low. The impact column is an assessment of the contracts area.
the impact of a fraud in this area. The next
Unchanging
list of preferred 2010 High High Low High Priority
suppliers immediate
Consistent list
of single source 2010 Medium High High Medium
suppliers
Changes
in contract 2010 Low Low Medium Low
specications
Personal
relationships 2011 Low High Low High Priority
between staff and within
suppliers six months
29
How to raise a concern internally Independent advice
Step 1 If an employee is unsure whether to use this
procedure, to report the matter externally to
If an employee has a concern about malpractice, he
regulators/ law enforcement authorities or simply
or she should consider raising it initially with their
wants independent advice at any stage, they may
line manager. This may be done orally or in writing.
contact
An employee should specify from the outset if they
[INSERT EXTERNAL CONTACT IF
wish the matter to be treated in condence so that
APPLICABLE IN SOME JURISDICTIONS,
appropriate arrangements can be made.
THERE ARE ORGANISATIONS WHICH CAN
PROVIDE FREE CONFIDENTIAL ADVICE TO
Alternatively, employees can call the 24 hour
EMPLOYEES ABOUT MALPRACTICE AT
whistle-blowing telephone hotline. This service is
WORK.]
strictly condential and callers will not be asked to
An employee can also seek advice from a lawyer of
give their name if they do not wish to do so.
their own choice at their own expense.
Step 2
Matters raised maliciously
If these channels have been followed and the
Employees who are found to raise a matter
employee still has concerns, or feels that they are
maliciously that they know to be false, will be
unable to raise the issue with their line manager, for
subject to the organisations disciplinary policy.
whatever reason, they should address their concerns
to their head of department, the head of human
resources or the chief internal auditor [OR INSERT
OTHER APPROPRIATE NOMINATED POINTS
OF CONTACT HERE].
Anonymous reports
These may be made verbally to the 24 hour whistle-
blowing telephone hotline or in writing to
[INSERT NOMINATED POINT OF CONTACT
SUCH AS HEAD OF HUMAN RESOURCES OR
CHIEF INTERNAL AUDITOR].
The submission should be clearly marked
Condential: anonymous employee submission.
1. Consider fraud risk as an integral part of your 9. Introduce a fraud education, training and
overall corporate risk management strategy. awareness programme.
2. Develop an integrated strategy for fraud 10. Introduce a fraud response plan as an integral
prevention and control. part of the organisations contingency plans.
3. Develop an ownership structure from the top to 11. Introduce a whistle-blowing policy.
the bottom of the organisation.
12. Introduce a reporting hotline.
4. Introduce a fraud policy statement.
13. Constantly review all anti-fraud policies and
5. Introduce an ethics policy statement. procedures.
6. Actively promote these policies throughout the 14. Constantly monitor adherence to controls and
organisation. procedures.
31
Appendix 6 After the award of contract
Unexplained changes in the contract after its
Examples of fraud indicators, risks and controls. The
award.
following are examples of indicators for two specic
types of fraud procurement fraud and fraud in the Contract awarded to a supplier with a poor
selling process. There are many other types of fraud performance record.
and each will have its own set of indicators as well as Split contracts to circumvent controls or contract
some of the general indicators that are set out in the conditions.
section Fraud detection.
Suppliers who are awarded contracts
Example 1: Procurement fraud disproportionate to their size.
Fraud in the purchasing or procurement function is Frequent increases in the limits of liability.
a particular risk. The following may be indicators of Frequent increases in contract specications.
fraud in the tendering and contract award process.
Organisations may wish to consider at invitation to
Before contract award tender acknowledgement stage, or at bid submission,
Disqualication of suitable tenderers. formally requesting the tenderer to sign a document
conrming that no fraud or corrupt practice has
Short invitation to tender list. occurred when developing the bid.
Unchanging list of preferred suppliers.
This has two effects:
Consistent use of single source contracts.
1. It acts as a deterrent tenderers are alerted to the
Contracts specications that do not make
fact that the client is aware of the risk of fraud and
commercial sense.
will be on the lookout for any evidence that it has
Contracts that include special, but unnecessary occurred.
specications, that only one supplier can meet.
2. It ensures that tenderers can have no excuse that
Personal relationships between employees and they were unaware of the clients policy should
suppliers. fraudulent activity come to light.
Scoping of contract The contract specication is written in Use of control/assessment panel made
a manner which favours a particular up of representatives, to ensure that
technical, end user and nancial more than one person is involved in
supplier. drawing up the specication.
Setting evaluation Original evaluation criteria are changed Use evaluation criteria as agreed by the
criteria after the receipt of submissions to ensure contract panel prior to tendering.
that favoured suppliers are shortlisted.
Contractual Altering terms and conditions to suit a Contract terms and conditions should be
correspondence preferred supplier. those of the purchasing department and
not subject to change without the written
approval of senior management.
Contract False claims for work not carried out, Clear audit trails with written records.
management or exaggerated claims for actual work Authorisation of changes to original
done. documentation. Random and systematic
checks of activity.
Claims negotiation Assisting the contractor to justify claims. Claims negotiation should be carried out
using professional advisers.
Authorisation Contract splitting to keep contract The splitting of contracts should not be
values under a particular staff members allowed unless authorised by senior
authorisation nancial limit. management. Internal controls should be
established to detect this.
33
Tender procedure audit checks Example 2: Fraud in the selling process
Tender board: should be chaired by senior Fraud risks can also exist in the selling process.
manager. Those involved can include any combination of
Tender register: should be held and reviewed by a the clients management or employees and the
senior manager. organisations own management or employees with
or without any collusion.
Checks should include:
Were all tenders secured in a locked cabinet prior to The following are indicators of fraud in the selling
opening? process:
Who had access to the keys/combination? Overcharging from an approved list or standard
prot mark-up.
If no tender cabinet used, what is the procedure for
dealing with tenders? Short-changing by not delivering the contracted
quantity or quality.
Does the tender register show an unbroken,
sequentially numbered and dated list of all tenders Diversion of orders to a competitor or associate.
received? Bribery of a customer by one of the organisations
Were all the entries signed by the tender board own sales representatives.
chairman? Bribery of a customer by a competitor no proper
Conrm that tender lists show no evidence of explanation of why the contract went elsewhere.
patronage or incestuous relationships. Insider information by knowing competitors
Conrm that companies which persistently fail to prices.
tender are excluded from subsequent tender lists. False warranty claims that are made or paid.
Has relevant approval been obtained before Over selling of goods or services that are not
accepting any tenders whose prices exceed necessary.
approval limits?
Giving of free issues/samples when not necessary.
Has relevant approval been obtained where the
lowest compliant bid is not accepted? Links with cartels or rings.
In the event of a clear differential in bid prices, Bribery to obtain contracts which would not
conrm that the same tender specication has otherwise be awarded.
been sent to all prospective tenderers. Issuing invoices or credit notes which do not reect
Conrm that there is no excessive use of single reality and of which the ultimate payer is unaware.
sources of supply or tender action. Issuing credit notes to hide additional discounts or
Conrm that the tender board has been advised of rebates.
the signs which would indicate tender rigging/ The use of sales intermediaries (xers).
ringing.
Sales commission gates, which can often cause
Conrm that the recommended method of misreporting of orders.
procurement has been followed.
Conrm that the contract makes commercial
sense.
35
Appendix 8 2. Corporate policy
The board is committed to maintaining an honest,
Example of a fraud response plan. This example
open and ethical culture within the organisation.
has been based on a response plan used by an
It is, therefore, also committed to the elimination
organisation within the UKs National Health
of any fraud within the organisation, and to the
Service. However, the principles on which it is based
rigorous investigation of any such cases.
are very general and the response plan is therefore
applicable to organisations in any sector or location.
The board wishes to encourage anyone having
reasonable suspicions of fraud to report them. The
1. Introduction
organisation has a published whistle-blowing policy
This document is intended to provide direction and which aims to ensure that concerns are raised and dealt
help to those ofcers and directors who nd with in an appropriate manner. Employees raising
themselves having to deal with suspected cases genuine concerns will be protected and their concerns
of theft, fraud or corruption. It gives a framework looked into.
for response and provides information on various
aspects of investigation. The document also contains 3. The denition of fraud
a series of owcharts which provide a framework of
Fraud encompasses a number of criminal offences
procedures that allow evidence to be gathered and
involving the use of deception to obtain benet or
collated in a way which facilitates informed initial
causing detriment to individuals or organisations.
decisions, while ensuring that evidence gathered
will be admissible in any future legal action. This
document is not intended to provide direction on This document is intended to provide a framework
fraud prevention. for investigating all suspected cases of fraud, theft or
corruption where:
Either/or
To chart 2
37
Finance Director/CFO Head of Human Resources
Responsibility for investigating fraud has been Where an employee is to be interviewed or
delegated to the nance director. Where disciplined, the nance director and/or chief
appropriate/necessary, he/she is also responsible internal auditor will consult with and take advice
for informing third parties such as the external from, the Head of Human Resources (HR).
auditors or the police about the investigations. The
nance director will inform and consult with the The Head of HR will advise those involved in
chief executive in cases where the loss is potentially the investigation in matters of employment law,
signicant or where the incident may lead to adverse company policy and other procedural matters
publicity. (such as disciplinary or grievance procedures) as
necessary.
The nance director will maintain a log of all
reported suspicions, including those dismissed as Line and other managers
minor or otherwise not investigated. The log will
If, in accordance with the organisations whistle-
contain details of actions taken and conclusions
blowing policy, an employee raises a concern with
reached and will be presented to the audit
their line manager, head of department or the Head
committee for inspection annually.
of HR, the details must be passed to the nance
director immediately for investigation. If a concern
The nance director will normally inform the chief
involves the nance director, the matter should be
internal auditor at the rst opportunity. While the
reported directly to the audit committee.
nance director will retain overall responsibility,
responsibility for leading any investigation will be
delegated to the chief internal auditor. Signicant
Employees
matters will be reported to the board as soon as All employees have a responsibility to protect the
practicable. assets of the organisation, including information and
goodwill as well as property.
Chief Internal Auditor
The chief internal auditor will:
a. Initiate a diary of events to record the progress of
the investigation.
b. Agree the objectives, scope and timescale of the
investigation and resources required with the
nance director at the outset of the investigation.
c. Ensure that proper records of each investigation are
kept from the outset, including accurate notes of
when, where and from whom evidence was
obtained and by whom.
From chart 1
No
Either Investigate Or
No case Gross From
internally to decide which
to answer misconduct chart 4B
of the following
Or
FD and/or head of dept to
decide what, if any, action Error of judgement/
to take in conjunction with negligent conduct Consider
head of HR possibility
No of making
Loss recovered? good the loss
No including a
Consider possibility of civil action
making good the loss Loss recovered?
for recovery
From
chart 4A Yes
Yes
39
Investigations will try to establish at an early stage The disciplinary procedures of the organisation
whether it appears that a criminal act has taken will be followed in any disciplinary action taken in
place. This will shape the way that the investigation respect of an employee. This will usually involve
is handled and determine the likely outcome and a disciplinary hearing at which the results of the
course of action. investigation will be considered.
If it appears that a criminal act has not taken place, an Where, after having sought legal advice, the
internal investigation will be undertaken to: Finance Director judges it cost effective to do so,
the organisation will normally pursue civil action in
a. Determine the facts.
order to recover any losses. The Finance Director
b. Consider what, if any, action should be taken will refer the case to the organisations legal advisers
against those involved. for action.
c. Consider what may be done to recover any loss
incurred. Where initial investigations point to the likelihood of
a criminal act having taken place, the chief internal
d. Identify any system weakness and look at how auditor will, with the agreement of the Finance
internal controls could be improved to prevent a Director, contact the police and the organisations
recurrence. legal advisers immediately. The advice of the police
will be followed in taking forward the investigation.
The chief internal auditor will present the ndings
of the investigation to the Finance Director who will Where there are sufcient grounds, the organisation
make the necessary decisions and maintain a record will, in addition to seeking recovery of losses
of the subsequent actions in relation to closing the through civil proceedings, also seek a criminal
case. Once concluded, details of such cases will be prosecution. The Finance Director will be guided
reported to the audit committee on an annual basis by the police in arriving at a decision on whether a
for information. criminal prosecution should be pursued.
Where an investigation involves an employee and it Where appropriate, the Finance Director will
is determined that no criminal act has taken place, consider the possibility of recovering losses from the
the nance director will liaise with the Head of HR organisations insurers.
and appropriate line manager to determine which
of the following has occurred and therefore whether,
under the circumstances, disciplinary action is
appropriate:
a. Gross misconduct (ie acting dishonestly but
without criminal intent).
b. Negligence or error of judgement.
c. Nothing untoward occurred and therefore, there
is no case to answer.
From
chart 2
Is there No
any physical
evidence?
Yes
Are No
there any
witnesses?
Yes
No
To
chart 4
41
CHART 4: Interview procedure
From
chart 3
No Does
matter warrant interview
of suspect?
Yes
Arrange a meeting at
Is Yes earliest practicable
suspected person willing to time, that allows suspect
be interviewed? opportunity to have
representative present
No
Is evidence Yes
Is there
gathered sufcient for Interview
a case to answer?
dismissal?
No
Confer with
FD, review Confer with FD and review events
events with No with Police
Police
To To
chart 2B chart 2A
43
Footnotes 4. The COSO publication Internal Control
Integrated Framework can be purchased through
1. Examples include Report to the Nations on the AICPA store at www.cpa2biz.com The
Occupational Fraud and Abuse, Association of proceeds from the sale of the framework are used to
Certied Fraud Examiners, www.acfe.com, PwC support the continuing work of COSO.
Global Economic Crime Survey, www.pwc.com,
Kroll and the Economist Intelligence Unit, Global 5. Cybercrime: protecting against the growing threat,
Fraud Report, www.kroll.com Global Economy Crime Survey, PwC, 2011,
www.pwc.com
2. Kroll/EIU Global Fraud Report Annual Edition
2011/12, www.kroll.com 6. For additional background on the role of the
audit committee in relation to fraud, see The
3. An example is the COSO Enterprise Risk AICPA Audit Committee Toolkit available from
Management Framework. COSO is The www.cpa2biz.com.
Committee of Sponsoring Organizations. It
consists of the AICPA, the Institute of Acknowledgements
Management Accountants (IMA), the Institute
of Internal Auditors (IIA), Financial Executives
This report is a revised and abridged version of CIMAs
International (FEI) and the American Accounting
Fraud risk management: a guide to good practice (2nd
Association (AAA). The COSO publication
edition), CIMA, 2008. CIMA would like to thank all
Enterprise Risk Management Integrated Framework
those who contributed to either the rst or second
can be purchased through the AICPA store at editions of the original guide.
www.cpa2biz.com. The proceeds from the
sale of the framework are used to support the
continuing work of COSO.
Distribution of this material via the internet does Certied Professional Accountants. This material
not constitute consent to the redistribution of it in any is offered with the understanding that it does not
form. No part of this material may be otherwise constitute legal, accounting, or other professional
reproduced, stored in third party platforms and services or advice. If legal advice or other expert
databases, or transmitted in any form or by any assistance is required, the services of a competent
printed, electronic, mechanical, digital or other means professional should be sought. The information
without the written permission of the owner of the contained herein is provided to assist the reader in
copyright as set forth above. For information about developing a general understanding of the topics
the procedure for requesting permission to reuse this discussed but no attempt has been made to cover
content please email copyright@CGMA.org the subjects or issues exhaustively. While every
attempt to verify the timeliness and accuracy of
The information and any opinions expressed in this the information herein as of the date of issuance
material do not represent ofcial pronouncements of has been made, no guarantee is or can be given
or on behalf of AICPA, CIMA, the CGMA regarding the applicability of the information found
designation or the Association of International within to any given set of facts and circumstances.
Chartered Institute of
Management Accountants
26 Chapter Street
London SW1P 4NP
United Kingdom
T. +44 (0)20 7663 5441
F. +44 (0)20 7663 5442
www.cgma.org
January 2012
CIMA has ofces in the following locations: Australia, Bangladesh, Botswana, China,
Ghana, Hong Kong SAR, India, Ireland, Malaysia, Nigeria, Pakistan, Poland, Russia,
Singapore, South Africa, Sri Lanka, UAE, UK, Zambia, Zimbabwe.
SM