
Establishing Accountabilities and Responsibilities for Your Anti-Fraud Efforts

By Dan Swanson

03/04/2008

Some companies have far lower levels of misappropriation of assets and fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story.

At these exemplary companies, management take seriously their ethical responsibilities for designing and implementing systems, procedures and controls to catch fraud and, along with the board of directors, for promoting a culture and corporate environment that demands honesty and ethical behaviour.

How does your company stack up? Well, run through this checklist:

Does your organization have a strong fraud oversight process at both the board and management levels?
Does your organization have robust and effective anti-fraud policies, procedures and controls?
Does management regularly evaluate fraud risks and anti-fraud controls?
Have the risks of management override and conflicts of interest been independently reviewed within the last 12 months?
Would you say your workforce has a strong ethical culture?
Does your company have a corporate policy that encourages whistleblowers to come forward? And do those would-be whistleblowers actually believe it?

If you answered yes to all of the above questions, great!

The two critical questions that will help get you ahead of the crowd:

What are the board's and management's roles regarding fraud?
What should internal audit's role regarding fraud be?

To properly answer the second question, you must first have clear answers to the first.

Specifically: The board is responsible for defining and approving the organization's overall strategic direction and system of internal control, as well as setting the tone-at-the-top (corporate governance). Management operates and expands the business within the guidelines set by the board, periodically reporting on performance as well as progress toward key strategies and objectives. Management also directs and monitors operations. That includes regular assessments of the effectiveness of the overall system of internal control against the requirements set by the board, as well as the company's own ethical values and beliefs.

As mentioned earlier, the board is accountable for ensuring an effective system of internal control is established to fight fraud; management is responsible for how that system is designed and enforced to fight fraud. Once you have that clear, and actually done, the internal audit department can also contribute to those anti-fraud efforts.

Audit's Job: Helping Management's Prevention Efforts

Today there is a perception, if not the expectation, that auditors are looking for, as well as investigating and hopefully stopping, frauds; e.g., aren't auditors the last line of defense in identifying crooked management? No one can catch all fraud, and internal audit should address the misperception that that is what internal audit does. Everyone in the company has a role in fraud prevention and detection, and the PRIMARY responsibility lies with all members of management, at all levels of management.

The IIA's international internal audit standards are clear: internal audit should be aware of the possibility of fraud, but internal auditors are not responsible for the detection and prevention of fraud. In my view, however, the standards are inconsistent with the benefit and need for internal auditors to be actively looking for signs of fraudulent activities in support of management and the board.

An effective internal audit function improves the company's ethical culture and control environment, both overtly through its audit work and in a more general sense by promoting good practices. Internal audits of anti-fraud activities provide valuable feedback to management and the board regarding improvement opportunities and overall performance, contributing in the long term to more effective fraud risk management efforts. It can also be a deterrent when employees know that the internal audit department possesses persons with fraud detection knowledge, skills, and tools.

Internal audit should design and plan audits to specifically detect fraud, thereby directly strengthening the organization's internal control system. The internal audit plan should be driven by an audit risk assessment, and the internal audit efforts regarding fraud should similarly be driven by a fraud risk assessment, because the greater the organization's exposure to fraud, the more anti-fraud audit effort must be allocated. This must also be done in a thoughtful and correct manner, because you cannot have your workforce feeling that internal auditors think everyone is to be distrusted; i.e., we need to emphasize that audit is looking for fraud prevention and detection controls, which should be part of the overall system of internal controls.

Audit work should include evaluating the organization's efforts in fraud prevention, fraud detection, and fraud investigation. If detective procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss. Over the long term, fraud prevention and deterrence efforts have the most impact on reducing the incidence of fraud, and therefore this should be a top management priority and be regularly evaluated by internal audit.

Always remember that auditing provides only a reasonable level of assurance; auditors cannot, and will not, provide an insurance policy against every possible fraud. Because of their objectivity and integrity, however, internal auditors are able to reinforce an organization's anti-fraud effort by investigating reports of possible fraudulent behavior. In fact, more and more corporate internal audit departments include trained forensic accountants.

There are numerous fraud audit techniques today, and more should be implemented within today's audit departments. Some simple examples of forensic exercises include: correlating employee names, addresses and other contact details against the supplier database to help identify suspect transactions; examining expense claims closely; following up religiously on seemingly insignificant discrepancies in control totals; using data mining and computer audit techniques in general to craft and answer cunning questions; and always being aware of the possibility of collusion, deception, and fraud.
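
The first exercise above, correlating employee details against the supplier database, is shown here as an added example that is not part of the original article. The records, field names and the 0.85 similarity threshold are constructed assumptions; a hit is a lead for follow-up, not proof of fraud.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records; field names are assumptions, not a real HR/ERP schema.
EMPLOYEES = [
    {"id": "E100", "name": "Dana R. Whitfield", "address": "14 Elm Street, Apt. 2", "phone": "(555) 010-2244"},
    {"id": "E101", "name": "Luis Ortega", "address": "9 Harbor Road", "phone": "555-010-7781"},
]
SUPPLIERS = [
    {"id": "S900", "name": "Whitfield Consulting", "address": "14 ELM ST APT 2", "phone": "555.010.9999"},
    {"id": "S901", "name": "Northside Paper Co", "address": "77 Mill Lane", "phone": "+1 555 010 7781"},
    {"id": "S902", "name": "Acme Freight", "address": "300 Dock Avenue", "phone": "555-010-3000"},
]
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "lane": "ln", "apartment": "apt"}

def norm_address(addr):
    """Lower-case, strip punctuation, and collapse common street-type spellings."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def norm_phone(phone):
    """Keep the last 10 digits so punctuation and country-code differences vanish."""
    return re.sub(r"\D", "", phone)[-10:]

def surname_in_supplier(emp_name, sup_name, threshold=0.85):
    """True if the employee's surname closely matches any word of the supplier name."""
    surname = emp_name.lower().split()[-1]
    return any(SequenceMatcher(None, surname, w).ratio() >= threshold
               for w in re.findall(r"[a-z]+", sup_name.lower()))

def find_matches(employees, suppliers):
    """Return (employee_id, supplier_id, reasons) for each pair sharing an attribute."""
    hits = []
    for e in employees:
        e_addr, e_phone = norm_address(e["address"]), norm_phone(e["phone"])
        for s in suppliers:
            reasons = []
            if e_addr and e_addr == norm_address(s["address"]):  # skip blank fields
                reasons.append("address")
            if e_phone and e_phone == norm_phone(s["phone"]):
                reasons.append("phone")
            if surname_in_supplier(e["name"], s["name"]):
                reasons.append("surname")
            if reasons:
                hits.append((e["id"], s["id"], reasons))
    return hits

if __name__ == "__main__":
    for hit in find_matches(EMPLOYEES, SUPPLIERS):
        print(hit)
```

Normalizing before comparing is what lets "14 Elm Street, Apt. 2" and "14 ELM ST APT 2" match; an exact-string join on raw fields would miss both pairs in this sample.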

Some useful anti-fraud management practices include:

1) Identifying potential indicators of fraud for your industry, company, and/or activities within your organization,
2) Learning from selected, experienced people how frauds may be committed and best detected,
3) Devising and routinely running tests to look for fraud indicators and data anomalies,
4) Performing ad-hoc inquiries as needed to dig into the source data underlying fraud indicators and data anomalies, and
5) Performing or including these as part of control self-assessment sessions.

Norman Marks, a chief internal audit executive for a global company, recommends, in regards to fraud, that internal audit periodically assess:

1. The adequacy of the Control Environment, including: the adequacy of the code of conduct and processes to ensure it is understood, the adequacy of the whistleblower and investigation processes, and the staffing and organization of those responsible for the prevention and detection of fraud.

2. Management's risk assessment as it relates to fraud and theft, including: are all potential fraud schemes identified, and are the fraud risks adequately assessed and appropriate strategies implemented?

3. Management's monitoring activities, including: are actual losses monitored and compared to risk tolerances, and are actual losses monitored to identify areas of concern, potential failing of controls and opportunities for improvement?

There will always be limits to an organization's anti-fraud capabilities, for example: limitations imposed by sampling; the fact that fraudsters are cunning devils who deliberately conceal their activities, exploiting weaknesses not only in preventive controls but also in the detective and corrective controls; and resource constraints (and it sometimes takes someone who thinks like a thief to catch a thief!).

Organizations Must Be Ever Diligent

An open discussion among the key stakeholders about the possibility of serious fraud and the necessary responses is highly recommended, ideally prior to a serious fraud incident rather than during it.

Setting clear expectations and defining everyone's responsibilities regarding your anti-fraud efforts is half the battle. Being diligent in your efforts is the other half. To truly fight fraud, we need a firm policy, it must be enforced, and violators must be investigated and appropriate actions taken. Management must understand it is their responsibility to design and implement their anti-fraud activities, including the monitoring of the results. Internal auditors should also actively review for fraudulent activities and contribute to the organization's no-tolerance attitude toward fraud.

Once your own house is in order, also consider the potential fraud risks relating to your key business relationships. Whistleblowing by suppliers, partners or customers is said to be one of the most common ways of discovering fraudulent activities, and it cuts both ways. If a partner employee wanted to disclose fraud at your company, would they have the means and encouragement to do so? What if you or one of your colleagues uncovered a fraud at one of your partners: how would they deal with it?

The best defense against fraud is having a motivated management, internal audit team, and workforce to enforce your organization's standard of zero tolerance toward fraud. There is a broad spectrum of knowledge regarding fraud, ranging from the clueless, the slightly aware, the aware, the slightly knowledgeable, the knowledgeable, and finally to the motivated, who not only want to make a difference but have the experience to make it happen. The resources I've cited this month will significantly increase your understanding and are written by experts in the field. Spend some time reviewing their insights.

Proposed call out box:

Fraud risk management is here to stay! Has your organization implemented an effective strategy for fraud prevention, detection, and response? Have the results been independently evaluated recently? Finally, does everyone know who's on the team and what they are supposed to be doing?

Key Resources

Managing the Business Risk of Fraud: A Practical Guide
http://www.theiia.org/recent-iia-news/?i=4449

Management Antifraud Programs and Controls: Guidance to Help Prevent and Deter Fraud
http://antifraud.aicpa.org/NR/rdonlyres/93FB65DA-3568-474D-8EC2-054F16AED66F/0/SAS99Exhibit.pdf

Management Override of Internal Control: The Achilles' Heel of Fraud Prevention
http://www.aicpa.org/audcommctr/spotlight/achilles_heel.htm

The fraud disconnect: a shared understanding of where fraud-related responsibilities lie can help internal auditing and management.
http://www.entrepreneur.com/tradejournals/article/162353729.html

Fraud Risk Management: Developing a Strategy for Prevention, Detection, and Response
http://www.us.kpmg.com/RutUS_prod/Documents/12/FRMwp.pdf

Fraud Auditing and Forensic Accounting
http://www.amazon.com/Auditing-Forensic-Accounting-Tommie-Singleton/dp/0471785911

Additional Leading Resources

Antifraud & Corporate Responsibility Center (AICPA)
http://antifraud.aicpa.org/

Auditing to Spot Fraud, From Start to End
http://www.complianceweek.com/index.cfm?fuseaction=article.SavedSearchResults&search_ID=95

The Institute of Internal Auditors' fraud resource repository
http://www.theiia.org/guidance/standards-and-practices/additional-resources/fraud-repository/

The Association of Certified Fraud Examiners' fraud resource repository
http://www.acfe.com/resources/resources.asp

White-Collar Crime Fighter
http://www.wccfighter.com/

"Report to the Nation": A comprehensive report that sheds light on occupational fraud and abuse, offering stark lessons and useful insight.
http://www.acfe.com/fraud/report.asp
