
1. Fraud Prevention

Fraud Prevention: A Guide for Small and Medium Sized
Enterprises
Copyright Ross Maynard 2021
Script
Contents
Part 1: What is Fraud and Who Commits it? ........................................................... 3
Lesson 1: What is Fraud? ....................................................................................... 3
Introduction ............................................................................................................. 3
Preventing Fraud .................................................................................................... 4
What is Fraud? ....................................................................................................... 4
The Impact of Fraud ............................................................................................... 5
Fraud and the Law .................................................................................................. 6
Lesson 2: The Variable Nature of Honesty ............................................................. 7
The Variable Nature of Honesty ............................................................................. 7
The Honesty Questionnaire .................................................................................... 7
How Honest are You?............................................................................................. 9
Who Commits Fraud? ............................................................................................. 9
The Corporate Psychopath ................................................................................... 10
Types of Fraudster................................................................................................ 11
Part 2: Creating an Anti-Fraud Culture ................................................................. 11
Lesson 3: Creating an Anti-Fraud Culture ............................................................ 11
Elements in an Anti-Fraud Culture ........................................................................ 11
Creating an Anti-Fraud Culture ............................................................................. 12
Barriers to the Development of an Anti-Fraud Culture .......................................... 13
Lesson 4: Internet Fraud and Cybercrime ............................................................ 14
The Danger of Internet Fraud ............................................................................... 14
Protecting Against Internet Fraud ......................................................................... 15
Part 3: Fraud Risk Management ........................................................................... 16
Fraud Prevention
1
Lesson 5: The Fraud Risk Management Strategy Part 1 ...................................... 16
The Components of Fraud Risk Management ...................................................... 16
The Fraud Risk Management Strategy ................................................................. 17
Element 1: Establish a Fraud Risk Group and build an Anti-Fraud Culture .......... 18
Element 2: Identify Risk Areas and Assess Risks ................................................ 18
Lesson 6: The Fraud Risk Management Strategy Part 2 ...................................... 19
Element 3: Develop a Fraud Response Plan ........................................................ 19
Element 4: Implement the Strategy....................................................................... 20
Element 5: Monitor Controls and Investigate Red Flags ...................................... 21
Element 6: Review and Report Regularly ............................................................. 22
Lesson 7: Sanctions for Fraud .............................................................................. 22
Detecting Fraud .................................................................................................... 22
Sanctions for Fraud .............................................................................................. 23
Parallel Sanctions ................................................................................................. 23
Civil versus Criminal Sanctions............................................................................. 24
Civil Recovery and Damages ............................................................................... 25
Regulatory Action ................................................................................................. 25
Disciplinary Action ................................................................................................ 25
Lesson 8: Tips to help Prevent Fraud ................................................................... 26
Tips to help Prevent Fraud ................................................................................... 26
Involving your Staff in Fraud Prevention ............................................................... 27
What to do Now .................................................................................................... 28
Lesson 9: The Fraud Risk Mini-Audit .................................................................... 29
The Fraud Risk mini-audit..................................................................................... 29
Section 1: Management Issues ............................................................................ 29
Section 2: Senior Management ............................................................................ 30
Section 3: Employee Issues ................................................................................. 31
Section 4: Workflow and Process Issues .............................................................. 31
Section 5: Bribery Risk ......................................................................................... 32
Scores .................................................................................................................. 33
Lesson 10: Fraud Prevention Exercises ............................................................... 33
Fraud Prevention Exercises .................................................................................. 33
Part 4: Managing Bribery Risk .............................................................................. 36
Lesson 11: The Bribery Act 2010 ......................................................................... 36
The Bribery Act 2010 ............................................................................................ 36
Failing to Prevent Bribery ..................................................................................... 37
Procedures to Prevent Bribery .............................................................................. 38
Lesson 12: The Bribery Risk Mini Audit ................................................................ 39
The Bribery Risk Mini Audit .................................................................................. 39
Principle 1: Proportionate Procedures .................................................................. 39
Principle 2: Top Level Commitment ...................................................................... 40
Principle 3: Risk Assessment ............................................................................... 40
Principle 4: Due Diligence ..................................................................................... 41
Principle 5: Communication .................................................................................. 41
Principle 6: Monitoring and Review....................................................................... 42
Part 5: Appendices: Sample Policies .................................................................... 43
Ladies and gentlemen, welcome to Fraud Prevention: a Guide for Small and Medium
Sized Enterprises on Listenable. I’m Ross Maynard and I’m your tutor for this course.
Slide
Part 1: What is Fraud and Who Commits it?
Lesson 1: What is Fraud?
Slide
Introduction
The aim of this course is to help managers in small or medium sized organisations
understand the fraud risk that they face. The course covers fraud risks and fraud
management and includes a fraud mini-audit and sample anti-fraud policies, and
related policy documents. The course is designed as an introduction to fraud
prevention, and you should seek support from your technical and professional advisors
on the specific protections you should put in place in your organisation. Although I
cover basic protections against internet fraud and cybercrime, this course does not
cover software and hardware technologies for detecting or preventing fraud as this is
a constantly evolving area, and you should seek specialist support to cover your I.T.
systems.
I cover relevant UK legislation on fraud and bribery in this course. This legislation will
not apply in other jurisdictions, but your local laws are likely to cover similar topics.
The issues in fraud prevention are the same wherever in the world you operate.
Fraud has always been a risk for business. The internet age only increases the danger.
Steps need to be taken to minimise the risk of fraud, and this course provides a simple
and practical guide to doing that.
The course has five parts:
1) What is Fraud and Who Commits it?
2) Creating an Anti-Fraud Culture
3) Fraud Risk Management
4) Managing Bribery Risk
5) Appendices with sample anti-fraud policies
Let’s get started
Slide
Preventing Fraud
The best way to prevent fraud is to have clear anti-fraud policies and procedures which
all staff understand, and which are rigorously enforced; coupled with an open,
communicative environment, where staff feel safe and supported to question actions
and raise concerns.
The riskiest environment is one where one or more managers dominate their staff who
are afraid to question or query; and where procedures such as separation of duties,
payment authorisations, internal audits, supplier and customer audits, and stock
checks, are not taken seriously or not enforced.
Anti-fraud policies and procedures are the subject of this course. However, an open,
communicative environment is not something you can create through procedures and
“state of the nation” speeches. The tone and example that your management team set
defines the organisation’s culture and working environment. I provide some pointers
to creating an open anti-fraud culture in this course, but, ultimately, it is the leaders in
the organisation who set the tone for how it operates.
Slide
What is Fraud?
The Chartered Institute of Management Accountants in the UK define fraud in their
“Fraud Risk Management Guide” as
“using deception to make personal gain dishonestly for oneself and/ or create loss
for another”.
There are many types of fraud including the theft of cash or assets; fraudulent financial
statements; and bribery and corruption, including kick-backs.
Transition
Not all frauds are to the detriment of the business. Indeed, the most common type of
fraud – financial statement fraud – is carried out to supposedly benefit the business.
Other frauds may also be planned and executed to “benefit” the business, for example
tax avoidance; using bribery to win contracts; price-fixing; or attempting to inflate share
prices.
Fraud happens in all sectors, though some sectors are considered higher risk than
others. These include retail, land and construction, industrial manufacturing and
insurance (although financial services generally is considered low risk). There have
been high profile frauds in the defence industry and the public sector, among others.
Operating in certain countries, too, brings a higher risk of fraud. Central and Eastern
Europe, Africa, Russia, India, China, the Caribbean and parts of Central and South
America are all considered high risk. Western Europe has the lowest risk.
Slide
The Impact of Fraud
The impact of fraud is hard to gauge particularly as much of it is unreported, or
undiscovered. However, research indicates that, on average, as much as 7% of sales
revenue is lost to fraud each year by business, and only a small proportion of the loss
is ever recovered.
An Economist Intelligence Unit survey of 900 large businesses in the UK found that
85% had experienced fraud. The UK comes out higher than the global average.
The six most common types of business fraud in 2021 are:
1. Asset misappropriation – This is a very common type of fraud and it usually
includes skimming cash, which can be very difficult to track and uncover. It can
also include payroll or invoice frauds.
2. Identity theft generally impacts small businesses the most, but a financial hit from
this type of fraud can happen to a business of any size.
3. Data hijacking. Data theft is big business for criminal gangs, and there has been
a steep rise in hackers stealing data from organisations for a ransom. Some of
the criminal gangs are alleged to be sheltered by, or even supported by, nation
states.
4. Financial reporting fraud – This usually includes over- or understating revenue,
earnings and assets.
5. Intellectual property (IP) theft – Stealing intellectual property has been on the rise
since current technology has made it much easier to steal company and trade
secrets. Outsourcing has also made it easier to steal intellectual property.
6. Insurance fraud – There are several types of insurance fraud, from customers or
workers alleging injury to business owners alleging the loss of business assets.
Slide
Fraud and the Law
This course does not go into detail about the many pieces of legislation around the
world which feature offences of fraud. In the UK the main piece of legislation covering
businesses is the Fraud Act of 2006.
Like legislation in other jurisdictions, the Fraud Act creates offences for three types of
fraud:
1. fraud by false representation
2. fraud by failing to disclose information
3. fraud by abuse of position
The Act is drafted so that it can catch most types of dishonest deception by both
individuals and corporations. Like the Bribery Act of 2010, the Fraud Act covers
offences committed outside the UK by organisations or individuals connected to the
UK.
Other relevant legislation includes:
• The Bribery Act 2010 – covering bribery and the new corporate offence of failing
to prevent bribery
• The Companies Act 2006 – covering directors’ duties, fraudulent trading, and
misleading financial statements
• The Proceeds of Crime Act – covering money laundering and the civil recovery
of proceeds of crime
• The Sarbanes-Oxley Act – US legislation which applies to all companies listed in the
United States, and covers internal controls and financial statement fraud
• There is also legislation relating to tax avoidance, protecting whistleblowers, and
so on.
End of lesson 1
Slide
Lesson 2: The Variable Nature of Honesty
Slide
The Variable Nature of Honesty
Most of us think that we would never commit fraud. But the fact is that almost all of us
already have! To realise that we have been undercharged by a retailer and not point
out the error is, technically, a fraud. To pay cash to have some work done on your
house is fraud. To add a few miles to a business mileage claim is fraud!
The fact that we are not wracked with guilt about these behaviours illustrates the
variable nature of honesty. Different people have different views on “honest”
behaviour. In the Honesty Questionnaire, in the next slide, most people can answer
“yes” to five, or more, questions and still consider themselves honest. Everyone bends
the rules to some extent. The extent to which the rules are bent depends on the
opportunity and the motivation.
In addition, individual personalities differ and “risk takers” – such as sales people or
managing directors in innovative businesses – may have a higher propensity to “bend
the rules” than others.
What is “acceptable” behaviour may vary too. It certainly varies in different countries,
but organisational culture also has an impact and individuals in one organisation might
be drawn into practices they would not consider elsewhere.
Similarly, a lack of guidance to employees can mean that boundaries are blurred
leading to risky behaviours.
Slide
The Honesty Questionnaire
The honesty questionnaire I have created here is adapted from the book “A Short
Guide to Fraud Risk”, by Samociuk and Iyer, published by Gower in 2010.
The honesty questionnaire offers 20 questions reflecting minor misdemeanours we
may have participated in during our lives. It is not meant as a scientific study but more
as an indication that we can still consider ourselves as honest whilst being relaxed
about actions which are technically illegal.
Note down in your head, or on a piece of paper how many of the questions you say
“yes” to.
Have you ever … (Answer Y/N)
1. Illegally downloaded music, movies or software?
2. Travelled on a bus or train without paying the full fare?
3. Used office/ work equipment for personal use at work, or taken it home for use?
4. Knowingly inflated an insurance claim?
5. Paid “cash in hand” to a tradesman?
6. Deliberately exceeded the speed limit?
7. Added things you should not have to an expenses claim?
8. Claimed a benefit you did not qualify for?
9. Told a “white lie” about your qualifications?
10. Not paid a fine or penalty?
11. Not owned up to some misdemeanour?
12. Received and not declared a gift from a supplier or customer?
13. Made a “facilitation payment” to get a contract or win business?
14. Stolen anything, even of low value?
15. Submitted personal expenses as business expenses?
16. Channelled company purchases through a business in which you or your family
have a personal interest?
17. Understated or left out items from your tax return?
18. Accepted a “tip” or gift to do something which was your job anyway, or to speed
up a procedure?
19. Parked in a “disabled” space without the appropriate badge; or in a “parent and
child” space with no child on-board?
20. Brought items through customs which you should have declared?
Score (Yes = 1)
10 seconds
Slide
How Honest are You?
Most people can answer “yes” to five, or even more, of these questions and still
consider themselves fundamentally honest. Nearly everyone bends the rules given the
opportunity and the motivation.
Personal morality is a strange thing, and difficult to rationalise. Many of us would be
quite relaxed about paying £500 “cash in hand” for some work carried out at home;
but we wouldn’t dream of registering a false invoice for the same amount in a
company’s accounting system. But what, really, is the difference? The personal risk?
The shock that others would express if they knew? Why is one behaviour considered
“normal” and the other “abnormal”?
And what if we knew that a company was ripping off its customers, and treating its
employees badly? What if we knew that same company’s accounting system was very
poorly managed, with no real checks? Would we then feel justified in registering a
false invoice? Is that “getting one back for the little guy”? What is the boundary and in
what circumstances would we cross it?
Transition
It is not “special” or “devious” people who commit fraud. We all do. The issue is the
severity, the risk, the opportunity, and the motivation. Fraud Prevention not only
protects the organisation; it protects each one of us from being drawn in by temptation
and opportunity.
Slide
Who Commits Fraud?
Fraud is about people misusing the process and other people. Fraud can only take
place where an individual or group:
• sees an opportunity to make money (or benefit) and thinks they can get away
with it;
• is motivated to act;
• can justify or rationalise their actions.
Most thinking about fraud risk focuses on dishonest employees, but these are not the
only risk category by any means. Indeed, employees in most job-roles face a high risk
of getting caught for relatively low reward; while external parties, such as suppliers or
business partners, run a lower risk for a potentially higher reward.
Transition
Thus, fraud may be committed by anyone that interacts with the organisation:
• Directors and senior managers
• Employees
• Suppliers
• Competitors
• Customers
• Business partners
• Professional criminals
Slide
The Corporate Psychopath
Frauds carried out with the connivance of senior managers are the hardest to detect,
and fraud committed by owners, directors or senior managers is probably the largest
category of business fraud. Business owners are often self-opinionated risk takers,
and Dr Robert Hare, a Canadian psychologist, identified eight traits of what he called
the “corporate psychopath” - someone who:
1) Is glib and superficially charming
2) Has a grandiose sense of self-worth
3) Is a pathological liar
4) Is a highly skilled manipulator
5) Lacks remorse for actions that have hurt others
6) Displays shallow emotions
7) Is callous and lacks empathy
8) Fails to accept responsibility for his or her own actions, and seeks to blame
others
Anyone you know? Worryingly, this set of questions puts me in mind of the leaders or
former leaders of certain globally-important countries!
Fraud is hardest to stop where there is collusion between employees, or between an
external party and employees. Criminal groups now seek to place their own person in
organisations in order to commit fraud.
Slide
Types of Fraudster
Fraudsters usually fall into one of three categories:
• Pre-planned fraudsters, who set out with the intention to commit fraud, either as
part of a criminal group, or seeking short term gain;
• Formerly honest employees, for whom life events, hard times, or resentment at
treatment by the company lead them to attempt fraud;
• Slippery slope fraudsters, who carry on trading when, objectively, they will not be
able to repay their debts. This particularly applies to financial traders and to
directors who carry on trading when bankruptcy looms.
The majority of fraudsters are men, particularly those committing large frauds. Longer
term employees tend to commit larger frauds; and most frauds are committed by those
working in finance, sales, operations or senior management roles. A high percentage
of frauds are committed by directors and senior managers.
Transition
However, being suspicious of everyone is not a helpful mindset. Implementing rigorous
procedures and checks which apply to everyone, regardless of their status in the
organisation, is more helpful. Those procedures and checks should be openly
communicated as creating a “safe” working environment to support everyone and keep
them free of inappropriate suspicion.
End of lesson 2, and end of Part 1: What is Fraud and Who Commits it?
Slide
Part 2: Creating an Anti-Fraud Culture
Lesson 3: Creating an Anti-Fraud Culture
Slide
Elements in an Anti-Fraud Culture
Attitudes within the organisation lay the foundation for a high or low risk fraud
environment. For example, an inconsistent approach to unethical behaviour by
management sets the tone throughout the organisation and may encourage others to
rationalise their behaviour to the extent that they start to become a fraud risk.
The “tone from the top” is vital. This is displayed through the behaviour of directors
and senior managers and through the active promotion of an anti-fraud culture
through:
• A code of ethics, widely and actively promoted
• A Fraud Policy, including explanations of acceptable behaviour
• A route for reporting suspected fraud which is confidential and has no detrimental
impact on the employee
• A whistle-blowing policy for anonymous reporting of suspicions
• An active and periodic risk assessment process
• Regular communication and training in anti-fraud measures
Slide
Entertaining and involving training, using case studies and videos, is a good way to
start creating an anti-fraud culture. Involvement in creating the Fraud Policy and Code
of Ethics also helps build engagement.
Specific training is needed for those in high-risk roles.
An anonymous questionnaire is a good “ready-reckoner” way of gauging the
effectiveness of the anti-fraud culture – try the “Fraud Risk Mini Audit” in part 3 of this
course.
Directors and senior managers are a high-risk group for fraud, and preventing fraud
by this group is particularly difficult. A strong whistle-blowing policy, with independent
outside involvement, is crucial to this.
Transition
Staff are more likely to report concerns if they feel that something will be done about
it, and that their confidentiality will be respected. The most common reason for not
reporting a suspicion is the feeling that nothing will be done about it.
Slide
Creating an Anti-Fraud Culture
It is the leaders in the organisation who set the tone for how it operates, and an
anti-fraud culture is one where people in the organisation work together, and the
identification of problems and raising of queries is encouraged and supported. To
create an anti-fraud culture, managers need to:
1. Be authentic: by listening to their staff and acting on their concerns; by seeking
to engage with the people in their organisation; and by explaining their actions
and objectives.
2. Communicate openly and frequently, welcoming feedback and questions, and
responding to them positively.
3. Make it safe to reveal problems without attaching blame to them.
4. Recognise that problems are caused by poor processes, not by the people
working in them.
5. Act quickly when problems are raised and provide feedback on the outcome.
Slide
6. Respect people’s efforts and reward appropriate behaviour.
7. Highlight the sanctions for inappropriate behaviour and enforce them fairly.
8. Encourage teamwork and pride in the success of the team, and organisation.
9. Establish a fraud risk group to work on fraud prevention and detection. Rotate
the membership of the group so everyone in the organisation gets a chance to
be involved.
10. Provide regular training and updates in fraud prevention and detection.
Transition
Creating this culture is not easy. Management must move from focusing on results to
focusing on “doing the right thing”. The organisation’s policies and procedures,
including rewards and remuneration, can also affect the effectiveness of the anti-fraud
culture. Traditional targets and “Management by Objectives” approaches, which
reward the achievement of individual targets, can lead to cutting corners and dubious
practices. Replacing individual targets with team-based rewards will help improve
teamwork and encourage “best practice”.
Slide
Barriers to the Development of an Anti-Fraud Culture
A culture may have evolved where individuals do not feel much responsibility to the
organisation – “favours” and “homers” may be common, or friends and relatives of the
owners may get plum jobs. Promotion may be based on who you know and playing
politics, rather than being good at your job. These things do not help to build an
anti-fraud culture.
Other barriers to creating an anti-fraud culture include:
• Short term incentive schemes (possibly leading to the misstatement of results).
• Domineering executives who have little respect for company procedures and
rules.
• Operating in different countries and cultures.
• High staff turnover coupled with lax recruitment checks.
• Very close personal relationships between suppliers, business partners or
customers and managers.
Indeed, the existence of one or more of these features indicates a relatively high risk
of fraud. Active steps need to be taken to counter any of these risk factors. We will
come to those actions in the next part of this course.
End of lesson 3
Slide
Lesson 4: Internet Fraud and Cybercrime
Slide
The Danger of Internet Fraud
Cybercrime has been an increasing problem for many years, but the COVID-19
pandemic has accelerated the risk. People working from home greatly increases the
risk of infiltration or internet fraud, particularly where staff are using their own
computers on unsecured home networks.
According to data produced by Accenture, 43% of cyber attacks are aimed at small or
medium sized organisations, but only 14% of those organisations are well protected.
Around 60% of successful internet fraud cases are the result of phishing emails, and
these are becoming increasingly sophisticated. Microsoft report that there are up to
30,000 phishing attacks every day in the United States. Around 30% of cases result
from ID theft, and ID theft is increasingly being coupled with a targeted phishing attack
in business internet fraud. Stolen or compromised devices are also a risk.
Internet fraud has a significant financial impact: in Australia alone it is believed that
businesses lose around 21 billion US dollars per year from cybercrime.
But there are also other serious impacts on the organisations affected, including
reputational damage; loss of productivity and business continuity problems; and
potential legal liabilities.
Ransomware attacks have seen a significant increase, as you will likely have seen in
the news.
You should certainly seek advice from I.T. professionals and other relevant bodies.
Slide
Protecting Against Internet Fraud
Business organisations recommend the following steps be taken to protect against
internet fraud and cybercrime:
1.
Data Backup. All customer data, financial records, quotes orders, business
documents and so on should be backed-up and stored safely offline regularly –
preferably daily. Where cloud storage is used, it should be encrypted with strong
multi-factor authentication.
2.
Network Security. All software should be kept up to date with patches and
updates checked and installed regularly. Only trusted properly licensed should
be used and the system should be locked against the downloading of software
from unknown sources. Professional antivirus and other security software should
be used. All computers should be properly powered down or locked when not in
use and all portable devices should be locked away securely when not in use.
All IT equipment should be regularly scanned to ensure that no unauthorized
software or malware has become installed, and it is worth engaging IT
professionals to test the vulnerability of your network to infiltration on a regular
basis.
3.
Encryption and Passphrases. We all know that staff using weak passwords is
a significant risk. Many IT security specialists recommend using passphrases
rather than passwords. These should be at least 14 characters long using
unrelated words numbers and special characters linked together. Active
encryption should be used on networks along with multi-factor authentication.
4.
Security Policies. As well as the anti-fraud policies covered by this course,
every organization should have IT usage and cybersecurity policies, and staff
should be regularly trained in their application. Organisations also need to ensure
that past employees are removed from the system, and that the access privileges
of staff are regularly reviewed. It is not uncommon for employees that have been
fired, or have left on unfriendly terms, to attempt to gain access to their former
employers IT network in order to extract sensitive information or make a revenge
attack.
Fraud Prevention
15
5.
Cybersecurity Training. Most internet fraud is enabled by human error, either
through phishing, identity theft, or poor security practices. Employees, therefore,
are the most important line of defence against cyber threats. Training in the
nature of the threat and how to identify, avoid, and deal with a cyber-attack is
essential. All organisations receive dozens of phishing emails every day. Many
will be filtered out by good IT security software, but some will get through. Invoice
scams and emails purportedly from directors requesting a transfer of funds are
common and staff at all levels need to know the signs.
6. I.T. Audit. It is worth engaging a reputable IT specialist to give advice and conduct a security audit. In some sectors, such as the financial and energy sectors, such audits and compliance with security standards are a requirement. Frequent audits should be carried out for systems that carry a lot of customer, financial and other business critical data.
7. Cyber Insurance. A cyber insurance policy helps cover the financial losses resulting from a cyberattack, as well as claims made by individuals or groups that may have been harmed by the attack.
Transition
Professional bodies, trade organisations and government bodies all offer advice and training, and this is worth seeking out. Some organisations consider the time and expense involved in being prepared for internet fraud and cybercrime to be off-putting, but they are as nothing compared to the costs and damage to the business of a successful attack. In 2019 in the UK, 46% of businesses reported having an IT security breach. Not all of those breaches resulted in financial losses, but where there was a financial impact the average cost was over £3000. Of course the most serious losses rise into millions.
End of lesson 4 and end of Part 2: Creating an Anti-Fraud Culture
Slide
Part 3: Fraud Risk Management
Lesson 5: The Fraud Risk Management Strategy Part 1
Slide
The Components of Fraud Risk Management
Fraud Prevention comprises 3 elements:
• Risk Management
• Detection
• Response
Fraud Risk Management is the most important of these, and the foundation of the
other elements.
Transition
A Fraud Risk Management Strategy must lie within the context of an anti-fraud culture.
Your fraud risk management efforts will be fruitless if the business operates in an
environment where some people are seen to “get away with” things that seem
unethical; or there is one set of rules for “favoured” staff and another set of rules for
everyone else. Fraud prevention policies and procedures are only as strong as the
culture in which they are implemented.
Slide
The Fraud Risk Management Strategy
The Fraud Risk Management Guide published by the Chartered Institute of
Management Accountants recommends a six part Fraud Risk Management strategy:
1. Establish a Fraud Risk Group and build an Anti-Fraud Culture
2. Identify Risk Areas and Assess Risk
3. Develop a Risk Response Plan
4. Implement the strategy
5. Monitor controls and investigate red flags
6. Review and Report regularly
I’ll cover the first two elements of the Fraud Risk Management Strategy in this lesson,
and the final four elements in the next lesson.
The CIMA Fraud Risk Management Guide is available for free. Go to www.cimaglobal.com and search for "fraud risk management", or use this link:
http://www.cimaglobal.com/Thought-leadership/Research-topics/Governance/Fraudrisk-management-a-guide-to-good-practice-/
Slide
Element 1: Establish a Fraud Risk Group and build an Anti-Fraud Culture
A Fraud Risk Group should be put together to develop and implement anti-fraud
policies and procedures. This will comprise representatives of senior management,
internal audit, IT, security, legal and compliance, purchasing, finance, and so on.
The starting point for the Fraud Risk Group is to develop a Code of Conduct and a
Fraud Policy (which may be connected to a Bribery Policy).
The Code of Conduct will often be fairly short – a statement of business ethics,
acceptable behaviour and good business practices.
The Fraud Policy will generally contain clauses including:
• Introduction and Context
• A Statement of Intent – the Board’s attitude to fraud
• Definitions of fraud
• Links to other policies – e.g. Bribery, hospitality and gifts, recruitment, terms of contract etc.
• Details of the Fraud Risk Management Strategy
• Responsibilities for the prevention and detection of fraud
• Procedures to be followed in the event of the detection, or suspicion, of fraud (including whistleblowing)
• Fraud Investigation and follow-up
Sample anti-fraud policies, whistle-blowing policies, anti-bribery policies and fraud response plans are given in the appendices to this course.
Slide
Element 2: Identify Risk Areas and Assess Risks
Various tools and techniques are available to assess fraud risk. Perhaps the most useful approach is to analyse how a business process actually works, using process mapping, and to use a structured approach to brainstorm and rank the risk areas. FMEA (Failure Mode and Effects Analysis) provides a useful tool for this and should usually be carried out with a team of those working in the process (along with an experienced fraud investigator if possible).
• FMEA examines each step in a process and asks how the process can fail at that step; how serious that failure would be in terms of financial, quality or legal risk; what might cause such a failure; and what controls are in place to prevent it.
• The potential failure is then given a risk score based on the severity were it to occur, its frequency and the ease (or otherwise) of detection.
Be aware that there is a tendency to under-rate both the impact and likelihood of fraud. In addition, some risks have consequences so catastrophic that even if their likelihood of occurrence is minuscule (and, thus, the FMEA score is low), action must be taken to prevent the risk. Team consensus is useful, possibly backed by some external expertise.
Team fraud risk assessment sessions can be very engaging for employees, and are
good training. They help to make people aware of the fraud risks in their area, and
more able to spot potentially fraudulent activity.
Particular risk areas include all finance processes, financial accounting, treasury/cash management, recruitment, stock control, and the selection of suppliers and business partners.
The outcome of fraud risk assessment will usually be a Risk Register for Fraud Risk
which details the nature of the risks and current and suggested controls. The register
should be reviewed regularly and held securely – it holds details of all the opportunities
for fraud in the organisation!
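As an added illustration of the FMEA scoring described above and of the Risk Register it produces (example code written for this page, not from the course or the CIMA guide), the Python below scores each failure mode by severity, frequency and detectability, applies the lesson's rule that a catastrophic consequence is actioned even when its low likelihood gives a low score, and lays the result out as a register. The 1 to 10 scales, the action threshold and the sample process steps are all constructed for the example.

```python
"""FMEA-style fraud risk scoring and register (added example, not from the course).

The lesson describes scoring each potential failure by the severity were it to
occur, its frequency and the ease (or otherwise) of detection, then collecting
the results in a Risk Register. The 1-10 scales, the action threshold and the
sample process steps below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed thresholds; a real Fraud Risk Group would agree its own.
RPN_ACTION_THRESHOLD = 100   # risk priority number at or above this needs an action plan
CATASTROPHIC_SEVERITY = 9    # severity at or above this is actioned however low the RPN


@dataclass
class FraudRisk:
    """One row of the fraud risk register (one failure mode at one process step)."""
    process_step: str
    failure_mode: str        # how the step can fail or be abused
    cause: str
    current_controls: str
    severity: int            # 1 = negligible ... 10 = catastrophic (financial, quality or legal)
    occurrence: int          # 1 = rare ... 10 = frequent
    detection: int           # 1 = almost certain to be caught ... 10 = almost undetectable
    suggested_controls: str = ""

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")

    @property
    def rpn(self) -> int:
        """Risk priority number: severity x occurrence x detection (max 1000)."""
        return self.severity * self.occurrence * self.detection

    @property
    def needs_action(self) -> bool:
        # The override reflects the lesson's warning: a catastrophic consequence
        # must be actioned even when a tiny likelihood makes the score look low.
        return self.severity >= CATASTROPHIC_SEVERITY or self.rpn >= RPN_ACTION_THRESHOLD

    @property
    def reason(self) -> str:
        if self.severity >= CATASTROPHIC_SEVERITY:
            return "catastrophic severity (overrides low score)"
        if self.rpn >= RPN_ACTION_THRESHOLD:
            return "RPN above threshold"
        return "monitor"


def build_register(risks: list[FraudRisk]) -> list[FraudRisk]:
    """Order the register: items needing action first, then by RPN and severity descending."""
    return sorted(risks, key=lambda r: (not r.needs_action, -r.rpn, -r.severity))


def render_register(risks: list[FraudRisk]) -> str:
    """Plain-text register suitable for the (securely held) risk register document."""
    header = f"{'Process step':<28}{'Failure mode':<38}{'S':>3}{'O':>3}{'D':>3}{'RPN':>6}  Decision"
    lines = [header, "-" * len(header)]
    for r in risks:
        decision = ("ACTION: " if r.needs_action else "MONITOR: ") + r.reason
        lines.append(f"{r.process_step:<28}{r.failure_mode:<38}{r.severity:>3}"
                     f"{r.occurrence:>3}{r.detection:>3}{r.rpn:>6}  {decision}")
    return "\n".join(lines)


def sample_register() -> list[FraudRisk]:
    """Constructed sample rows drawn from the risk areas the lesson names."""
    return [
        FraudRisk("Supplier invoice approval", "Fictitious supplier invoice is paid",
                  "Single approver; supplier master data unchecked",
                  "Manager sign-off", 7, 6, 5,
                  "Two signatories above a threshold; vendor due diligence"),
        FraudRisk("Payroll run", "Ghost employee on payroll",
                  "HR and payroll duties not separated", "Monthly headcount report", 5, 3, 6,
                  "Reconcile payroll to HR records; separate duties"),
        FraudRisk("Treasury transfer", "Unauthorised transfer of client funds",
                  "One person holds payment and reconciliation rights",
                  "Bank confirmation letters", 10, 1, 4,
                  "Dual authorisation; independent daily reconciliation"),
        FraudRisk("Petty cash", "Small cash thefts",
                  "Cash box accessible to several staff", "Weekly count", 2, 7, 5,
                  "Named custodian; receipts for every withdrawal"),
    ]


if __name__ == "__main__":
    print(render_register(build_register(sample_register())))
```

Note how the treasury row scores only 40 yet sits in the ACTION group because of its severity, while the payroll row scores higher (90) and is merely monitored.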
End of lesson 5
Slide
Lesson 6: The Fraud Risk Management Strategy Part 2
Slide
Element 3: Develop a Fraud Response Plan
The discovery of fraud is a sensitive and stressful time and a pre-prepared fraud
response plan is important to minimise the negative and morale destroying impacts of
such an event.
The objectives of a Fraud Response Plan may include, to:
• establish an investigative team
• engage suitable experts
• control the situation as soon as possible
• continue business operations with minimal disruption
• understand the full extent of the fraud and the people involved
• clear innocent people from suspicion as quickly as possible
• determine why controls failed
• dismiss dishonest employees
• terminate the contracts of colluding third parties
• preserve evidence to enable prosecution of perpetrators
• recover losses by all available means including insurance
• deter others from attempting fraud in the future
• maintain effective communications internally and with stakeholders, the media and customers
Slide
The Fraud Response Plan may also include measures to deal with counterattacks
mounted by those accused of the fraud. These attacks may include:
• leaking adverse stories to the media
• releasing compromising information to discredit management or the organisation
• spreading malicious rumours in the organisation
• launching civil or defamation actions
Transition
Fraud investigation is a specialist area and requires trained and experienced
investigators. Inappropriately conducted interviews, for example, can seriously
damage the chances of successful prosecution. Evidence may also be compromised.
Part of the Fraud Response Plan, therefore, should involve engaging suitable
expertise as soon as fraud is detected.
It is always advisable to discuss a suspected fraud with the police, although it may be
that a complaint is not formally registered. Involving the police can have a useful
deterrent effect, but they may not have the resources (or desire) to uncover the full
extent of the fraud or of the controls compromised. In addition, the police may only be
interested in prosecuting very large frauds or those involving criminal gangs.
Sample Fraud Response Plans are given in the appendices to this course.
Slide
Element 4: Implement the Strategy
There are a number of ways the Fraud Risk Management Strategy may choose to deal with fraud risk:
• avoid the risk by ceasing the activity that creates the risk – for example refusing to accept cheques or to pay suppliers by cheque; refusing to pay wages in cash; etc.
• transfer the risk to someone else, for example by outsourcing “risky” functions or activities. Note, however, that this may not absolve the organisation from its responsibilities in law, and it doesn’t remove the need for policies and procedures to prevent fraud;
• retain the risk with mitigating controls and procedures put in place.
The Fraud Risk Management Strategy will almost always involve the implementation
of new controls and the tightening of existing ones. These controls may include more
detailed pre-recruitment checks; proper due diligence on potential business partners
and large suppliers; more rigorous internal controls and separation of duties; and so
on.
Transition
There should be clear (and active) board-level responsibility for the Fraud Risk
Management Strategy, and clear lines of responsibility for internal controls and other
anti-fraud activities (reporting to the board).
Communication and training will be vital parts of the implementation.
Slide
Element 5: Monitor Controls and Investigate Red Flags
The Risk Management Group should continue to monitor the effectiveness of the
implementation of the strategy and of the controls established, and it should report to
the board regularly.
The controls put in place will include criteria which will raise “red flags” regarding the
risk of fraud. The two most efficient ways of detecting fraud are:
1. training employees to recognise, raise, and respond to the “red flags” of fraud
2. proactively seeking out the red flags (detection)
Managers should have guidance on how to respond to red flags. Strong reporting and
whistleblowing policies are also beneficial since staff are often more likely to report
fraud anonymously than in person, particularly when they don’t know what the
consequences might be.
Transition
Proactively detecting fraud involves analysis of computer transactions; review of
indicators relating to human behaviour; document analysis; and due diligence of third
parties.
Some of the red flags of fraud are covered in the fraud risk mini-audit in lesson 9.
Slide
Element 6: Review and Report Regularly
The Fraud Risk Management Strategy, and the internal controls it establishes, need
to be reviewed regularly (perhaps every two or three years in most areas, more
frequently for high-risk activities).
In addition, the Fraud Risk Group should report to the organisation’s Board at regular
(perhaps six-monthly) intervals – with actual frauds attempted or detected reported
immediately. Reports to the board will cover the robustness of controls implemented;
red flags detected and follow-up action; priority risk areas and the action to control
them; and forthcoming priorities for action (for example new markets being entered, or
new IT systems being implemented).
End of lesson 6
Slide
Lesson 7: Sanctions for Fraud
Slide
Detecting Fraud
Research indicates that around 40% of frauds are detected through internal controls,
internal audit or IT security; with another 35% of frauds detected following tip-offs, or
by personnel changing roles. Around 10% of frauds are discovered accidentally.
These findings reinforce the importance of good reporting and whistle-blowing mechanisms that are trusted by staff, as well as good controls.
Transition
It is worth noting that external audits rarely find fraud and you shouldn’t rely on your
annual accounting audit to detect fraudulent activity.
Slide
Sanctions for Fraud
A sanction is a penalty or enforcement action that can be taken against a person who
is found to have committed fraud or, in some cases, failed to prevent it.
Sanctions can include:
• Disciplinary: Human resource issues and internal disciplinary measures.
• Regulatory: Regulatory sanction, against individuals and possibly the organisation itself.
• Civil: Civil recovery, freezing and restraint orders and damages.
• Criminal: Prosecution and associated orders such as disqualification, restraint, receivership and confiscation through the criminal courts.
Slide
Parallel Sanctions
The term “parallel sanctions” applies when an organisation affected by fraud commits to pursuing different sanctions at the same time (in parallel), to try to maximise the possibility of a successful outcome. In most circumstances this approach should be taken, as it has the maximum deterrent effect and increases the chances of recovering some of the damage done.
Parallel sanctions include:
• Dismissal for gross misconduct
• Action through the civil courts to recover sums lost
• Action through the civil courts for damages for losses incurred due to the fraud – for example lost sales
• Criminal action for fraud or related crimes
• Actions through professional or trade bodies to delist the individual as a member or ban the individual from practising as a registered member
• Action to ban the individual from acting as a director of a company
• Any available actions under corporate laws
Careful planning is needed at the outset of an investigation to ensure that all options
are available and do not conflict with one another. Failure to do so may increase the
risk of closing off one or more options.
Slide
Civil versus Criminal Sanctions
Important differences exist between civil and criminal sanctions that have implications
for fraud investigations. These include evidential and interview requirements; and
burdens of proof that must be met in court. For example, in civil cases the claimant
must prove their case ‘on the balance of probabilities’, whereas in criminal cases the
burden of proof must be established ‘beyond all reasonable doubt’.
Transition
In most cases, fraud should be reported to the police, Serious Fraud Office or other
Government body for investigation and possible criminal prosecution and
compensation. Private organisations can also initiate criminal proceedings in certain
circumstances.
Slide
Issues to consider include:
• Whether the police will have an appetite to investigate and prosecute, and at what stage to involve them (this should be immediately in most cases).
• Whether the organisation has the willingness and resources to undertake a private prosecution.
• Whether a forensic approach is being taken to the gathering and retention of evidence. This is particularly important when recovering, restoring or recreating digital records.
• Whether those suspected of criminal conduct should be cautioned before interview.
• Whether statements are being taken from all relevant witnesses.
• The likelihood of a successful criminal court recovery.
• Whether the organisation has a clear policy about when to pursue criminal sanctions for acts of dishonesty.
A professional fraud investigator, or your legal representatives, will guide you when you get to this stage.
Slide
Civil Recovery and Damages
Civil recovery measures can be used by victims of fraud to recover their losses. The
emphasis is on the victim obtaining compensation (a payment of money or transfer of
assets) from the fraudster or someone else who participated in the fraud.
Civil recovery is generally easier than criminal prosecution, with a lower standard of
proof required. Issues to consider include:
• Is urgent action required to prevent further loss?
• Will the threat of immediate civil proceedings facilitate an offer of settlement? Civil proceedings may provide a speedier outcome than criminal prosecution.
• Should civil proceedings run in parallel with criminal prosecution? Civil proceedings can often continue even if there is a dismissal or acquittal in the criminal proceedings.
Transition
Professional legal advice should always be sought to maximise the prospects of a successful recovery. The Fraud Advisory Panel produces a guide called “Recovering Your Money: A guide to civil recovery for fraud victims”, available at https://www.fraudadvisorypanel.org/
Slide
Regulatory Action
The victim of fraud may seek to involve professional or regulatory bodies in action
against the alleged fraudster, and both civil and criminal investigations and
proceedings can run in parallel with regulatory investigation and sanction. However,
care should be taken to ensure that evidence gathered for regulatory purposes can be
used in either civil or criminal proceedings if appropriate.
It is advisable to consult with the appropriate regulatory bodies at an early stage.
Transition
Disciplinary Action
Internal disciplinary action can also be investigated and concluded in parallel with
regulatory, civil or criminal sanctions. If criminal proceedings are contemplated or
underway, it is important to consult with prosecuting authorities before taking
disciplinary action.
Even if an employee is found not guilty of criminal charges, it may still be possible to
instigate internal disciplinary procedures. This will require robust internal disciplinary
policies.
End of lesson 7
Lesson 8: Tips to help Prevent Fraud
Slide
Tips to help Prevent Fraud
Fraud prevention and response is, as we have seen, about having robust policies and procedures in place. Here are some of the main actions you can build into these policies and procedures to prevent fraud:
1) Analyse where and how you are spending your money. Are a few key suppliers dominant? Are you getting what you have paid for? Do due diligence on your main suppliers to check they are legitimate. Examine personal relationships between any of your staff and these suppliers.
2) Do the same for your customers. Are any of them located in areas where corruption is rife? Is it possible that inducements were given in order to win business? Remember that, in many countries, it is an offence in law for a company to fail to prevent bribes being paid – this is not about knowing that bribes were paid, but failing to take active steps to prevent bribery!
3) Make sure that payments over an amount appropriate for your business have to have two senior level signatories. Never waive this rule (to prevent the invoice fraud which is now prevalent on the internet). Ensure also that smaller regular payments to suppliers are periodically checked and signed off.
4) Enforce a payment delay of at least 3 days between receipt of invoice and payment to allow time for proper checks to be run. Never waive this rule – again to prevent invoice fraud.
5) Ensure that the ordering of goods and services, and the payment for them, are separate responsibilities undertaken by staff in different areas of the business who have no personal relationships with each other. Similarly ensure that completing tenders and contracts, and raising invoices, are separate duties.
Slide
6) Train all your staff to check documentation, records and invoices. Get into the habit of having them audit other departments every six months (rotate who is checking whom).
7) Do a monthly stock-take. Reconcile all discrepancies however small (fraud typically starts small).
8) The most common type of fraud is financial statement fraud (misrepresenting the accounts). Make sure that you use competent accountants and that no personal relationships exist between your auditors and senior managers or directors. Use an annual senior management meeting to review the accounts, and change accountants every few years.
9) A high percentage of frauds are committed by directors and senior managers. These frauds are the hardest to detect. Having two signatories for significant payments (above) will help. Be aware also of the personality traits that can enable fraud to take place – an overbearing personality; a lack of empathy; charming and a skilled manipulator. Such personalities must not be allowed to shortcut the procedures and checks you have in place!
10) Establish a confidential whistle-blowing process. For credibility this should
usually be a third-party service.
11) Carry out proper checks on people you recruit.
12) Establish a register of gifts and interests which all staff must complete – from
paid lunches to Christmas gifts, to golf afternoons and trips to the tennis.
Slide
Involving your Staff in Fraud Prevention
Your staff are your biggest asset in fraud prevention as well as the main risk point.
Here are things you can do to strengthen your defences by involving your staff in fraud
prevention:
1. Tie all of your fraud prevention actions together in a formal Fraud Prevention Policy. This will include a company-wide code of ethics, and details of fraud prevention procedures (including internal audits, supplier and customer audits, stock checks, separation of duties, payment authorisation, whistle-blowing procedure, and so on). Samples are contained in the appendices to this course.
2. Ensure all staff are trained in proper record keeping and checking. Additionally, train all staff in fraud risk, the signs to look for, and what to do if suspicions are raised.
3. Publicise the company’s code of ethics with all staff and include it as part of performance appraisal/personal development discussions. Review each individual’s entries in the register of gifts and interests and discuss significant items as part of appraisals or personal development interviews.
4. Create a small cross-functional “fraud investigation” team. This team will undertake risk assessments, investigate any suspicions raised (or frauds committed), and undertake audits. Rotate the members of the team from time to time and attach “observers” so that staff become educated in the signs of fraud, and aware that it is taken very seriously.
Slide
Training and communication are crucial. The vast majority of staff want to be part of
an open and honest business. When staff feel overlooked, powerless, insignificant, or
afraid of their boss, they are less likely to report suspicions.
Transition
Everyone in the business – including directors and senior managers – must be aware
that active measures are taken to prevent and detect fraud and that punishment,
dismissal, and criminal or civil action lie in store for anyone who commits it.
Slide
What to do Now
Fraud risk is real. Organisations are targeted every day by external (and sometimes
internal) threats. It is important to protect your organisation and implement
preventative measures. To deal with fraud and bribery risk, your organisation needs
to develop and implement effective policies and procedures. I have covered these in
this course. In summary, the following steps are recommended:
1. Form a Fraud Risk Group made up of representatives from across the organisation.
2. Task the Fraud Risk Group with developing the appropriate policies and procedures – a Code of Ethics, Fraud Policy; Whistle-blowing Policy; Bribery Policy; Fraud Response Plan; and so on.
3. Test the policies and procedures with a group of staff and amend them as necessary.
4. Train all staff in the policies and procedures.
5. Change organisational processes as required and implement the policies and procedures.
Slide
6. Task the Fraud Risk Group with conducting risk audits on your key business processes in each department and business area.
7. Actively gather feedback on the operation of the policies and procedures, and the audits. Take action as necessary.
8. Regularly review the operation of the policies and procedures.
9. Carry out a rolling programme of risk audits.
10. Implement regular fraud and bribery risk reports to the Board of Directors.
End of lesson 8
Slide
Lesson 9: The Fraud Risk Mini-Audit
Slide
The Fraud Risk mini-audit
The Fraud Risk mini-audit provides an overview of the risk areas in a business and
encourages you to rank them using a traffic light system:
Red – High Risk – Urgent action is needed
Amber – Medium Risk – Action is needed in several areas to remedy defects
Green – Low Risk – Your arrangements are meeting expected best practice
The Fraud Risk mini-audit will help you identify priority areas for action but it does not
replace a comprehensive risk assessment.
Consider the statements in the following sections and rank your organisation as high
risk, medium risk or low risk in that area.
Slide
Section 1: Management Issues
• Senior management do not display a zero tolerance attitude to fraud.
• Managers are able to shortcut procedures without consequence.
• Little has been done to create an anti-fraud culture or to implement a Fraud Prevention policy.
• Management have not implemented a sound system of internal controls.
• There is a history of “sailing close to the wind” in terms of regulation and legislation.
• Supervision of staff is poor, or inconsistent.
• There is lack of clear management control of delegated authorities or separation of duties.
• Bonuses are linked to ambitious targets or financial results.
Are you RED, AMBER or GREEN?
What are your action points for this section?
Slide
Section 2: Senior Management
• Directors’ outside interests, including potential conflicts, are not reviewed.
• High value expense claims by directors and senior managers (and any other staff) are not checked.
• Senior management compensation is highly dependent on meeting aggressive performance targets.
• The chart of accounts is not regularly reviewed to reveal loosely controlled or spurious account codes.
• Unusual transfers between accounts are not reviewed.
• Financial Accounts are controlled by a dominant director.
• The outcomes of major decisions are not reviewed against plans to ensure all procedures have been correctly followed (for example in contract awarding, or asset disposals).
Are you RED, AMBER or GREEN?
What are your action points for this section?
Slide
Section 3: Employee Issues
• Recruitment procedures are lax with inadequate screening.
• Staff in key roles have low pay relative to industry or local averages.
• Staff are promoted according to how well they get on with senior managers, rather than on ability.
• An employee is a director of a supplier company.
• Employees, particularly those in high-risk roles, work unsocial hours unsupervised.
• There is a culture of borrowing assets, low-level theft, taking unwarranted sick leave, and similar behaviours.
• There are high workload pressures not reflected in pay and reward levels.
• Morale is low. Managers are not trusted.
Are you RED, AMBER or GREEN?
What are your action points for this section?
Slide
Section 4: Workflow and Process Issues
• There is little separation of duties, or checking, of key transactions (notably invoice processing and payment; payroll and other finance tasks).
• There is poor management information or reporting.
• There is poor physical security of assets, IT systems or premises.
• Internal controls are weak, or inadequately documented. Training in controls is poor.
• There is no mechanism for reporting fraud concerns; or staff do not have confidence in the mechanism.
• There are large cash transactions.
• Documentary support for important transactions is scant or weak.
Are you RED, AMBER or GREEN?
What are your action points for this section?
Slide
Section 5: Bribery Risk
• Suppliers and recipients of one-off payments are not checked to see if they are registered in tax havens or known bribery risk areas.
• Some managers or staff have very close relationships with suppliers, customers or business partners.
• Large payments to third parties are not checked against goods and services received.
• The company has not developed policies and procedures to meet the requirements of relevant anti-bribery regulations.
Are you RED, AMBER or GREEN?
What are your action points for this section?
Slide
Scores
Now score yourself for each section. If you have identified a section as high risk – red
– that is 5 points. Medium risk is 3 points and low risk is 1 point. Obviously, the higher
the score the bigger the risk. Any score above 10 points is a cause for immediate
action.
Take some time to identify the main actions you need to take. We’ll cover bribery risk
in more detail in lesson 11.
10 seconds
End of Lesson 9
Slide
Lesson 10: Fraud Prevention Exercises
In this lesson I present 11 fraud prevention exercises. The response you give will depend on the business environment in which you operate, and I have not provided model answers – it is how you feel the issues should be dealt with that is important.
Consider what you would do in the situations described in the following slides.
Slide
Fraud Prevention Exercises
1. You are alerted by a customer in South America that a counterfeit version of one of your key products may be being sold there.
Formulate a plan to deal with the situation.
5 seconds
2. An Accounts Assistant spots that the owner’s son-in-law, a director of the business, is using a company fuel card for personal use. Further investigation reveals that the son-in-law has set up fake supplier details in the accounts system and has paid himself a great deal of money through this means.
What should you do?
5 seconds
3. The company’s finance manager has known the managing director for 20 years and is highly trusted. She processes all sales and supplier invoices, has complete control over the accounts system, and is a signatory on company cheques. She also manages the cash balances of the business.
Are you concerned about this situation, and how should you deal with it?
5 seconds
Slide
4. Sales through one of your company’s branches don’t seem to match their stock
records. An internal audit reveals weak stock control procedures, with virtually
everyone at the branch having access to the warehouse.
What should you do?
5 seconds
5. A senior manager, with responsibility for client payments on account, has gone on holiday. Going into the system to deal with a client query, a junior manager has noticed unexpected transfers out of some client accounts.
What should you do?
5 seconds
6. To cover staff illness, you engaged a temporary accounts assistant for six weeks. He has now left. Returning to work, your permanent accounts assistant notices discrepancies in payments and disbursements.
What should you do now? And what should you do to control future situations where temporary resource is needed?
5 seconds
Slide
7. You discover that a company director has a very close friendship with a particular
supplier. This supplier is your company’s only source of certain high value items,
and there has been no competitive tender for this contract in five years.
What should you do?
5 seconds
8. Proactive internal checks reveal that one employee in one of your branches is responsible for the vast majority of returns and refunds in that branch. Stock discrepancies are also unusually high in that branch.
What should you do?
5 seconds
9. A new foreign business partner informs you that you will need to pay a large “commission” to unspecified individuals to secure a contract in that country. In addition, they also advise you to fund some lavish entertainment for executives of the potential client firm.
What should you do?
5 seconds
10. An employee informs you that a colleague in the finance department is having
personal and financial difficulties.
What should you do?
5 seconds
11. On a sales trip, the commercial director gets drunk and boasts that he has insider
information from a major customer and will win your company a major tender bid
at premium prices (and a big bonus for him).
What should you do?
5 seconds
End of lesson 10 and end of Part 3: Fraud Risk Management
Slide
Part 4: Managing Bribery Risk
Lesson 11: The Bribery Act 2010
Slide
The Bribery Act 2010
The Bribery Act 2010 is a key piece of UK legislation. It follows international standards
and mirrors law in other jurisdictions. The Act creates four key offences:
1. Active bribery (the offence of offering to bribe another)
2. Passive bribery (the offence of accepting or requesting a bribe)
3. Bribery of a foreign public official
4. Failing to prevent bribery (the offence, by a commercial organisation, of failure to
prevent bribery by any person associated with it).
Slide
Bribery is defined as offering, giving, requesting, accepting or offering to accept
"financial or other advantage" in exchange for "improperly" performing a "relevant
function or activity".
A "relevant function or activity" covers "any function of a public nature; any activity
connected with a business, trade or profession; any activity performed in the course
of a person's employment; or any activity performed by or on behalf of a body of
persons whether corporate or unincorporated".
The maximum sentence is 10 years for individuals who commit such offences, with
organisations liable for an unlimited fine. Courts also have the power to disqualify
directors and to confiscate property.
The Bribery Act applies to any individual or company linked with the United Kingdom
regardless of where the offence is actually committed. What “linked” to the UK means
is yet to be tested, but it is believed it could apply to foreign owned companies with
activities in the UK, even if the bribery took place in another country.
Slide
Failing to Prevent Bribery
The offences of offering bribes, accepting bribes or bribing government officials are
well established in law in most countries, but the offence of failing to prevent bribery
is new and places a considerable onus on all public and private sector organisations.
• An offence is committed if any person in the organisation, or associated with it,
offers, or pays, a bribe to obtain, or retain, business or gain a business
advantage.
• The Bribery Act states that an organisation will be liable for the actions of any
person carrying out services for or on its behalf, in whatever capacity.
Importantly, it covers any contractors, agents, subsidiary companies or other
third parties.
• The offence applies to organisations, individuals (i.e., senior managers and
directors) and employees, and there is no need to prove the intent or outcome of
the bribe, merely that it was offered.
Slide
The guidance to the Act makes it clear that it is not intended to cover corporate
hospitality and gifts, provided these are proportionate and reasonable. The Act does,
however, apply to the “facilitation payments” and “commissions” common in some
countries.
Transition
Thus, an organisation commits an offence if any person associated with it offers a
bribe, whether or not the organisation’s management know anything about it!
Transition
The only defence available is if the organisation can show that, while bribery did take
place, it had "adequate procedures” in place designed to prevent bribery.
Slide
Procedures to Prevent Bribery
The guidance issued with the Bribery Act sets out six principles which it says should
be used to assess what constitutes “adequate procedures” to prevent bribery.
1. Proportionality: The action taken is proportionate to the risks the organisation
faces, and to the size of the business. So large organisations need to do more to
prevent bribery than small ones; and those operating in an overseas market
where bribery is known to be commonplace need to do more than those
operating where bribery is not prevalent.
2. Top Level Commitment: This is about establishing and communicating policy.
Senior managers must be active in making sure that their employees, and those
connected with the organisation, understand that bribery is not tolerated.
3. Risk Assessment: Organisations are expected to undertake reasonable risk
assessment, including research into the markets the business operates in and
the people it deals with, especially for overseas ventures.
4. Due Diligence: Appropriate checks are in place to protect the organisation.
Checks should be carried out on people, agencies and organisations who are
going to represent the organisation in business dealings.
5. Communication: Anti-bribery policies and procedures must be effectively
communicated to staff and to others who will perform services for the
organisation. Training and awareness raising, including for third parties linked to
the organisation, will often be appropriate.
6. Monitoring and Review: Anti-bribery policies and procedures should be
reviewed at appropriate intervals, and when the organisation enters new markets
or engages in new ventures.
These principles can be used for any anti-fraud procedures, since bribery risk and fraud
risk are closely interlinked. The actions described in the earlier parts of this course on
Fraud Risk Management also apply to bribery risk. Indeed, it makes sense to combine
both risks under the Fraud Risk Group recommended earlier in this course, and to develop
joint policies and procedures to prevent, detect and investigate both fraud and bribery.
End of lesson 11
Slide
Lesson 12: The Bribery Risk Mini Audit
Slide
The Bribery Risk Mini Audit
Like the Fraud Risk Mini Audit in lesson 8, the Bribery Risk Mini Audit can be used to
gauge your organisation’s level of risk in relation to anti-bribery legislation. The audit
is divided into the six principles laid out in the Bribery Act, although the points covered
are valid in any jurisdiction.
Classify your organisation using red-amber-green, where:
Red – High Risk – Urgent action is needed
Amber – Medium Risk – Action is needed in several areas to remedy defects
Green – Low Risk – Your arrangements are meeting expected best practice
The Bribery Risk Mini Audit is an informal appraisal of risk and is no replacement for a
full risk assessment.
Slide
Principle 1: Proportionate Procedures
• Your policy and procedures are proportionate to the bribery risk the company
faces, taking into account the nature, scale and complexity of its activities.
• Your policy and procedures are clear, practical, accessible, effectively
implemented and enforced.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Principle 2: Top Level Commitment
• The directors, owners or equivalent have clear procedures to prevent bribery by
persons associated with the organisation, and to foster a culture in which bribery is
never acceptable.
• The organisation’s zero tolerance to bribery has been communicated effectively
internally to staff and externally to partners.
• There is top-level involvement in bribery prevention policies, procedures and
activities.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Principle 3: Risk Assessment
• There is periodic, planned and documented assessment of the nature and extent
of the organisation’s exposure to external and internal risks of bribery, including
from persons, organisations and third parties associated with it.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Principle 4: Due Diligence
• There are proportionate, risk-based “Due Diligence” procedures in place in
respect of persons, organisations and third parties who perform services for and
on behalf of the organisation, in order to mitigate identified bribery risks.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Principle 5: Communication
• Anti-bribery policies and procedures are embedded and understood throughout
the organisation. Employees and others associated with the organisation have
been properly trained in the risks and procedures appropriate to the level of risk.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Principle 6: Monitoring and Review
• Anti-bribery policies, procedures and activities are monitored and reviewed at
regular intervals (appropriate to the risk), and improvements are made where
necessary.
• When the organisation is planning new ventures, or business in new markets,
anti-bribery policies and procedures are reviewed as part of the feasibility
process.
Are you RED, AMBER or GREEN?
What are your action points for this section?
5 seconds
Slide
Scores
Now score yourself for each section. If you have identified a section as high risk – red
– that is 5 points. Medium risk is 3 points and low risk is 1 point. Obviously, the higher
the score the bigger the risk. Any score above 12 points is a cause for immediate
action.
Take some time to identify the main actions you need to take.
10 seconds
Slide
Thank you for taking “Fraud Prevention: A Guide for Small and Medium Sized
Enterprises” on listenable. I hope this course has helped you identify the actions you
need to take to protect your organisation against fraud. Fraud is an increasing risk for
every business, and I encourage you to take preventative action now. Train your staff
to be aware of the risks and assess your processes and procedures for fraud risk.
Implement tighter controls now.
I wish you luck. I’m Ross Maynard and I hope you’ll join me for another of my courses.
Goodbye
Slide
Part 5: Appendices: Sample Policies
The appendices to this course contain sample anti-fraud policies which can be adapted
for use by organisations. I recommend that you seek advice from your professional
advisors on additional precautions to take.
The policies covered in the appendices comprise:
• 2 sample anti-fraud policies
• 2 sample fraud response plans
• A sample whistleblowing policy
• A sample anti-bribery policy
Slide
See separate documents for the policies