Managing fraud risk proactively is imperative in today’s transparent world. It is not only about protecting against the financial losses commonly associated with fraud. It is also about surviving reputational risk. An example of reputational risk is the recent Wells Fargo revelation alleging that former bank employees opened over 2 million bank accounts and credit cards without clients’ consent. The bank is paying $190 million in fines and has fired 5,300 employees. The fines are manageable for Wells Fargo, but the reputational damage is probably less so.
Organizations need to create an environment and implement appropriate controls for detecting fraud ahead of time. An increasing “perception of detection” is widely believed to be the most effective fraud prevention method within an organization. Directors, officers and employees in an organization should ask themselves whether what they are doing is legal, whether it is permitted or encouraged in the organization, and what could happen if the information goes public.
The ACFE (the world’s largest anti-fraud organization) developed a Fraud Prevention Checkup that serves as a self-check for determining if adequate fraud prevention systems are in place within an Organization. The Checkup list consists of the following:
1. Is there a process for fraud oversight? To what extent are the Board of Directors and Audit Committee involved?
2. Is there ownership of fraud risk? Are members of senior management responsible for managing fraud risk across the organization, and for communicating with all business unit managers who are responsible for managing risks within their areas?
3. Is there an ongoing assessment of fraud risk?
4. Are there tolerance metrics for fraud risk? Has the Board of Directors approved the tolerance for different types of fraud risk? Some fraud risks are more tolerable and are associated with the risk of doing business. Other fraud risks can create financial as well as unwanted and unacceptable reputational damage.
5. Is there a management policy for fraud risk? Is there a policy approved by the Board of Directors that identifies the “risk owner” responsible for managing fraud risk and for identifying which risks will be rejected (rejecting certain types of business, transferring to third parties or internally managing the risk)?
6. Are there implemented measures for fraud risk? Are there measures to eliminate or minimize fraud risks identified in the assessment through process reengineering (segregation of duties, asset custody and recordkeeping/reporting transactions)? Are these measures designed to prevent, deter and detect the fraud risks identified in the assessment?
7. Is the environment in the workplace anti-fraud? Is there a strong emphasis on promoting ethical behavior, deterring wrongdoing and encouraging all employees to communicate suspected or known wrongdoing to the appropriate person?
Some of the processes that an Organization ought to consider in order to promote ethical behavior, discourage wrongdoing and encourage communication are:
Have a senior member of management openly communicate difficult issues that the organization is facing.
Have a Code of Conduct with employee annual compliance confirmation.
Training for all employees – at hiring and ongoing.
A Helpline that might include an email or telephone line for employees. Anonymous tips ought to be
Prompt investigations, measures and resolution in place.
Survey employees to measure if goals are being achieved.
Incorporate ethics/compliance and fraud prevention goals to employee performance.
8. Is there proactive fraud detection? Are there fraud detection tests in place such as audit hooks and email monitoring?
Under the Sarbanes-Oxley Act, Organizations are required to have an Audit Committee in place that will establish the procedures for receipt of complaints and anonymous employee tips with respect to irregularities in accounting methods, internal controls or auditing matters.
Don’t be a victim of your own making. Consult a Certified Fraud Examiner (CFE) to ensure that your Organization has the appropriate controls in place to manage fraud risk.