Position Statement
The Institute of Internal Auditors – UK and Ireland

Fraud Position Statement

Introduction

This paper outlines the role and responsibilities of the internal auditor in relation to corporate fraud. It is also relevant to line management and other interested parties for instances of fraud that are committed below board level. This paper does not address the role of internal audit in relation to fraud committed by members of the executive board or anyone to whom the internal auditor directly reports, as these may involve the auditor becoming a whistleblower.

Definitions for the Purposes of this Statement

Currently, the clearest definition of fraud is that used by the Metropolitan Police Fraud Squad:

Fraud: Theft involving the distortion, suppression or falsification of financial records.

A broader definition has been developed by the Law Commission in its report on Fraud (July 2002):

Any person who, with intent to make a gain or to cause loss or to expose another to a risk of loss, dishonestly:
(i) Makes a false representation, or
(ii) Fails to disclose information to another person which,
    a) He or she is under a legal duty to disclose,
    b) Is of a kind which the other person trusts him or her to disclose, and is information which in the circumstances it is reasonable to expect him or her to disclose, or
(iii) Abuses a position in which he or she is expected to safeguard, or not to act against, the financial interests of another person or of anyone acting on that person’s behalf.

The offence of obtaining services dishonestly would be committed where, with intent to avoid payment, a person by any dishonest act obtains services in respect of which payment is required. Deception is not an essential element of the offence. It would therefore extend to the obtaining of services by providing false information to computers and machines, which under the present law may not amount to any offence at all.

Taken together, these definitions show that fraudulent behaviour could involve either internal disciplinary action, proceedings in the civil courts or prosecution by the police. Fraud can also be linked to other serious criminal activity taking place outside of the organisation in which it occurs, including extortion and money laundering.

Identifying the risk of fraud and its impact on the organisation

Every organisation should:
Set the tone from the top by having a policy that makes it clear that fraud will not be tolerated, that fraudsters will be prosecuted and that the organisation is committed to preventing and detecting fraud;
Have a risk management strategy, which includes fraud risk mitigation measures, aimed at detecting fraud and deterring would-be fraudsters;
Have a fraud response plan setting out exactly what steps to take if a fraud is reported or detected;
Have a continuous programme of fraud awareness and regular updates and training for new and existing staff.

The highest level of management should formally adopt the policy, strategy and plan.

Roles and responsibilities of executive board, line management, staff, internal audit, the police and others in relation to fraud

The primary responsibility for the prevention, detection and investigation of fraud rests with management, which also has the responsibility to manage the risk of fraud. Many organisations now have a dedicated in-house “security” function with responsibility to manage fraud investigations. This function may be assisted by internal audit.

The executive board is responsible for:
Corporate policy on fraud tolerance, dealing with the occurrence of fraud and laying down responsibilities and measures to mitigate fraud risk;
Notifying appropriate regulatory authorities of relevant frauds;
Ratifying policy, mitigation strategy and response plan;
Corporate ethos, setting the right ethics and policies;
Risk and threat assessment;
Adequate and effective internal control;
Adequate and effective internal audit.

Line management is responsible for managing, controlling, reporting and taking action on the risk of fraud including:
Having processes in place to deter and detect fraud;
Applying adequate controls to prevent fraud;
Leading fraud investigations;
Overseeing investigations conducted by specialists on their behalf;
Dealing effectively with issues raised by staff (including taking appropriate action to deal with reported or suspected fraudulent activity);
Involving the police where necessary.

Staff
Operating procedures to safeguard the organisation’s assets;
Alerting management when they believe that the possibility of fraud exists;
Reporting immediately to management when they suspect that fraud has been committed.

Internal audit’s role:

It is not a primary role of internal audit to detect fraud, but it is a role most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed. Internal audit has no legal responsibility for fraud but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Any additional activities carried out by internal audit should be in the context of and not prejudicial to this primary role.

The roles that internal audit should undertake include the following:
Investigating the causes of fraud;
Reviewing fraud prevention controls and detection processes put in place by management;
Making recommendations to improve those processes;
Advising the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed;
Bringing in any specialist knowledge and skills to assist in fraud investigations, or leading investigations where appropriate and requested by management;
Liaising with the investigation team;
Responding to whistleblowers;
Considering fraud risk in every audit;
Having sufficient knowledge to identify the indicators of fraud;
Facilitating corporate learning.

Audit Committees

The report by Sir Robert Smith on the Combined Code Guidance for Audit Committees (January 2003) advised that:

“The audit committee should review arrangements by which staff of the company may, in confidence, raise concerns about possible improprieties in matters of financial reporting, financial control or any other matters. The audit committee’s objective should be to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action, and that any matters relevant to its own responsibilities are brought to its attention”.

Police

The police may:
Investigate links to offences;
Give prevention advice;
Advise on any pre-investigation work;
Maintain a dialogue with management and/or internal audit during an investigation.

Whistleblowing

The primary responsibility for ensuring that appropriate whistleblowing processes are in place lies with management and the role of internal audit might be to review those processes. In some cases internal audit may well have a responsibility to investigate allegations from whistleblowers, although an external firm may be used as the contact point with the whistleblower to preserve their anonymity.

It is good practice for larger organisations to have well-publicised systems for reporting fraud.

If an investigation shows evidence of criminal activity, the internal auditor must discuss the issue with management. It is possible that management may be unwilling to admit publicly that they have been defrauded, particularly if they have concerns about the impact on their business. However, the responsibility for deciding whether such cases are reported to the police must rest with management. It should be noted that there is no obligation in UK law to report crime to the police or other law enforcement bodies.

The primary legislation and regulations defining the requirement to report suspicions of money laundering are:
Money Laundering Regulations 1993 and 2001
Terrorism Act 2000
Proceeds of Crime Act 2002

The Terrorism Act 2000 deals specifically with the funding of terrorist activities; the Proceeds of Crime Act 2002 deals with the proceeds of any criminal activity. Under both Acts, failure to report suspicions of money laundering is punishable by up to five years imprisonment.

With the exception of money laundering provisions outlined above, there is no requirement for the internal auditor to report concerns of criminal activity to a third party. However, if the internal auditor is not satisfied that a matter has been properly dealt with, he or she may elect to disclose his or her concerns to a third party. The Public Interest Disclosure Act 1998 provides some protection to the individual making the report, but it is strongly recommended that the internal auditor should obtain independent legal advice before making any external disclosure. For further guidance you should refer to the Institute’s position paper on Whistleblowing and Practice Advisory 2600-2.

Questions for the internal auditor and the executive board to consider before becoming involved in fraud investigation:
Should internal audit be involved in this type of work and, if so, to what extent?
Does internal audit have the necessary investigative skills?
Does internal audit have the necessary knowledge of the law?
When is the right time to involve the police?

The answers to these questions will vary according to the stance that each organisation has adopted on fraud issues. However, in general, specially trained individuals should undertake the investigation of fraud. In many cases these would not be internal auditors, but would instead be a separate investigations unit or external experts hired for the purpose. Internal auditors should receive specialist training necessary to allow them to undertake investigation of fraud, where appropriate.

Fraud investigation is not a police priority unless it involves major sums or concerns high-profile cases. This is likely to lead to internal audit becoming more involved in investigations.

13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
www.iia.org.uk
© The Institute of Internal Auditors – UK and Ireland, April 2003