Low on immunity?
John Connor appeared to be your ordinary, run-of-the-mill Chief Financial Officer; at least that’s what the Directors believed. Mr Connor had a good thing going for himself: limited oversight by Directors who lacked financial literacy, control of the bank accounts and the opportunity to manipulate the books any way he pleased.
It was the decision of the head entity in the Netherlands to conduct an audit across the globe that forced this CFO out, leaving behind a trail of destruction and a fraud team to clean it up.
Businesses all too often lack the oversight required to successfully prevent and respond to fraud within the organisation.
The booster program
Here are some key questions to consider when assessing the ‘fraud health’ of your business. Work through them and you will be well on your way to boosting the fraud health of your organisation:
1. Fraud risk oversight
To what extent has your organisation established a process for oversight of fraud risks by the board of directors or others charged with governance (e.g. an audit committee)?
Not establishing appropriate oversight opens a window of opportunity for those under pressure to jump through it. Pair this with the rationalisations (‘just this once’ or ‘I’ll pay it back’) and the grand schemes begin.
2. Fraud risk ownership
To what extent has your organisation created “ownership” of fraud risks by identifying a member of senior management as having responsibility for managing all fraud risks within the organisation and by explicitly communicating to business unit managers that they are responsible for it?
In a small business this is not always practicable; however, someone must take the lead role in owning the fraud risk, usually someone not involved in day-to-day accounting. Bear in mind that there should also be a go-to person for cases where the person in charge of fraud risk may themselves be a suspect.
3. Fraud Risk Assessment (FRA)
To what extent has your organisation implemented an ongoing process for regular identification of the significant fraud risks to which it is exposed?
Today, a fraud risk assessment is a standard tool used to see the big picture of the fraud risk to an organisation. Set and forget is not an option. The assessment must include input from all levels of the hierarchy and ideally be led by an expert. Organisations and fraud schemes change, so it is critical to have a functional, current FRA.
4. Fraud risk tolerance and risk management policy
To what extent has your organisation identified and had approved by the board of directors its tolerance for different types of fraud risks?
Is it bearable that a parking meter inspector pockets $5 in sundry each day? What about the $100m project manager winning bids through his shell company? Some fraud risks may constitute a tolerable cost of doing business, whilst others may pose a catastrophic risk of financial or reputational damage.
5. Process-level anti-fraud controls
To what extent has your organisation implemented measures to eliminate or reduce each of the significant fraud risks identified in its risk assessment through process re-engineering?
Basic controls include segregation of duties relating to authorisation, custody of assets and recording or reporting of transactions. In some cases it may be more cost-effective to re-engineer business processes to reduce fraud risks rather than layer on additional controls over existing processes. For example, some fraud risks relating to receipt of funds can be eliminated or greatly reduced by centralising that function or outsourcing it to a bank’s lockbox processing facility, where stronger controls can be more affordable.
6. Environment-level anti-fraud controls
To what extent has your organisation implemented a process to promote ethical behaviour, deter wrongdoing and facilitate two-way communication on difficult issues?
Examples of processes may include:
7. Proactive fraud detection
To what extent has your organisation established a process to detect, investigate and resolve potentially significant fraud?
Such a process should typically include proactive fraud detection tests that are specifically designed to detect the potentially significant frauds identified in the organisation’s fraud risk assessment. Other measures can include audit “hooks” embedded in transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading-edge fraud detection methods include computerised email monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.
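As an added illustration (not part of the original article), the following Python sketch shows what an audit “hook” of the kind described above might look like in a payment-processing system. It combines the segregation-of-duties control from item 5 with a few risk-assessment-driven tests; the control parameters, the sample payments and the list of employee bank accounts are all constructed for this example, and a real organisation would derive its own tests from its fraud risk assessment.

```python
from dataclasses import dataclass

@dataclass
class Payment:
    payment_id: str
    amount: float
    payee_account: str
    recorded_by: str     # user who entered the transaction
    authorised_by: str   # user who approved it

# Hypothetical control parameters (assumed, not from the article):
APPROVAL_THRESHOLD = 10_000.0          # amounts at/above this need a second authoriser
# Constructed sample: bank accounts belonging to employees (payroll data).
EMPLOYEE_ACCOUNTS = {"AU-000111", "AU-000222"}

def audit_hook(p: Payment, batch: list[Payment]) -> list[str]:
    """Return the reasons a payment should be held for investigation.
    An empty list means the payment may proceed through processing."""
    flags = []
    # Segregation of duties: the recorder must not also be the authoriser.
    if p.recorded_by == p.authorised_by:
        flags.append("SoD: recorded and authorised by the same user")
    # Payee account matches an employee's bank account (possible self-payment).
    if p.payee_account in EMPLOYEE_ACCOUNTS:
        flags.append("payee account matches an employee bank account")
    # Amount just under the approval threshold suggests invoice splitting.
    if 0.9 * APPROVAL_THRESHOLD <= p.amount < APPROVAL_THRESHOLD:
        flags.append("amount just below approval threshold")
    # Same payee and amount appearing twice in the batch (duplicate payment).
    dupes = [q for q in batch if q.payment_id != p.payment_id
             and q.payee_account == p.payee_account and q.amount == p.amount]
    if dupes:
        flags.append("duplicate payee/amount in batch: " + dupes[0].payment_id)
    return flags

def screen_batch(batch: list[Payment]) -> dict[str, list[str]]:
    """Run the hook over a batch; only flagged payments appear in the result."""
    return {p.payment_id: f for p in batch if (f := audit_hook(p, batch))}

# Constructed sample batch for demonstration.
SAMPLE_BATCH = [
    Payment("P1", 2_500.00, "AU-555000", "alice", "bob"),      # clean
    Payment("P2", 9_800.00, "AU-000111", "carol", "carol"),    # SoD, employee, threshold
    Payment("P3", 4_200.00, "AU-777000", "alice", "bob"),
    Payment("P4", 4_200.00, "AU-777000", "dave", "bob"),       # duplicate of P3
]
```

Payments with a non-empty flag list would be held for review before processing completes, which is the point of embedding the check in the transaction flow rather than reviewing after the fact.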