© 2020 Association of Certified Fraud Examiners, Inc. Fraud Risk Management Ensuring Fraud Awareness

Post on 06-Jun-2020


Fraud Risk Management

Ensuring Fraud Awareness

Discussion Questions

1. What companywide policies does your organization have in place to address the risks of fraud? How are these policies disseminated to employees? Who is responsible for ensuring compliance with these policies?

Discussion Questions

2. What information is communicated to employees in your organization regarding fraud risks and procedures for reporting suspected fraud? What methods are used to disseminate this information?

Learning Objectives

▪ Understand how to implement effective employee anti-fraud training.

▪ Recognize the need for and components of an effective ethics policy, code of conduct, anti-fraud policy, and whistleblower policy.

▪ Understand how to provide support to employees who are facing ethical dilemmas.

Introduction

▪ Employees must see fraud prevention and detection as part of the daily responsibilities of employees at all levels of the organization.

Introduction

▪ A fraud awareness program should include:

• A written ethics policy

• Active support of employees with ethical questions

• Ongoing employee education

• A well-publicized reporting mechanism

• Swift and public action in the case of violations

• Monitoring of the overall program’s effectiveness

Control Activities

▪ Third component of COSO IC 2013

▪ Relates to each of the next three sections:

• Ensuring fraud awareness

• Specific transaction-level controls

• Using automated continuous monitoring tools

Fraud Risk Management Principle No. 3—Fraud Control Activities

▪ The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Fraud Control Activities—Points of Focus

▪ Promotes fraud deterrence through preventive and detective control activities

▪ Integrates with the fraud risk assessment

▪ Considers organization-specific factors and relevant business processes

▪ Considers the application of control activities to different levels of the organization

▪ Uses a combination of fraud control activities

▪ Considers management override of controls

▪ Uses proactive data analytics procedures

▪ Deploys control activities through policies and procedures

Using a Combination of Controls

▪ HR-related controls:

• Perform background investigations.

• Provide fraud risk management training.

• Evaluate performance and compensation programs.

• Conduct annual employee surveys.

• Conduct exit interviews.

• Utilize whistleblower systems.

Employee Anti-Fraud Education

▪ Establishes and reinforces the tone at the top

▪ Often the responsibility of the HR department:

• Could also involve legal, ethics office, etc.

▪ Effectiveness depends largely on mandatory attendance with periodic updates and refresher sessions

Who Should Attend?

▪ Every employee should be required to attend—no exemptions.

▪ Managers and executives should receive special training.

Frequency and Length of Training

▪ Frequent exposure is key.

▪ Training should be an ongoing process.

▪ Training should begin at the time of hire.

▪ Refresher training should be held at least annually.

• Employees should sign an annual statement acknowledging their understanding of and commitment to the program.

Training Delivery Methods

▪ Live, in-class instruction (preferred)

▪ Recorded video or animation

▪ Interactive self-study

▪ Informal communications for reinforcement:

• Periodic newsletters

• Posters in break rooms

• Other casual reminders

▪ Cascading training

Topics to Cover

▪ Focus on the organization’s specific risks.

▪ Provide employees with practical, implementable knowledge.

Topics to Cover

▪ What fraud is and what it is not

▪ How fraud hurts the organization

▪ How fraud hurts employees

▪ Who perpetrates fraud

▪ How to identify fraud

▪ How to report fraud

▪ The punishment for dishonest acts

Ethics Policy

▪ Provide a framework for ethical behavior.

▪ Set forth organization’s purpose and core values.

▪ Define a standard of conduct to guide employees in making decisions.

▪ Explain how to report violations.

▪ Include an anti-retaliation policy.

▪ Discuss penalties for violations.

Ethics Policy

▪ Include input from both management and employees.

▪ Communicate the policy to all personnel in clear, simple language.

▪ Make the policy easily accessible for quick reference.

Ethics Policy

▪ Components to consider:

• Emails and voice mails

• Desks and lockers

• Video surveillance

• Proprietary information

• Managerial performance benchmarks

• Document retention policies

• Credit reports

• Social media

Code of Conduct

▪ Might be in the same document or separate document from ethics policy

▪ Lays out the general expectations of behavior

▪ References ethics policy and other policies and procedures with which the staff is expected to comply

Code of Conduct

▪ Organization should have formal processes in place for employees to:

• Explicitly affirm that they have read, understood, and complied with the code of conduct.

• Self-report any potential or existing conflicts of interest.

• Report misconduct and be accountable for this responsibility.

Anti-Fraud Policy

▪ Separate, formal anti-fraud policy sends a strong message about the anti-fraud stance.

▪ Includes:

• A definition of fraudulent acts

• Specific examples

• Explicit prohibition of kickbacks and false time reporting

• Consequences for fraudulent acts

Whistleblower Policy

▪ Makes clear that whistleblowers will not be fired and that retaliation against them is prohibited

▪ Should explicitly state the expectation for treatment of whistleblowers and the consequences for disobeying the policy

Supporting Employees

▪ Offer guidance on how to solve ethical dilemmas.

▪ Provide employee support and counseling programs.

Supporting Employees