
Fraud

Fraud can take many forms, from theft by employees to falsification of financial statements by management. Some key types of fraud discussed include personal purchases by employees, creating "ghost employees" to embezzle payroll funds, skimming cash before recording transactions, tax avoidance, asset theft, and unauthorized personal use of company assets. Preventing and detecting fraud requires strong internal controls around areas like segregation of duties, access to assets and records, and oversight of accounting functions. Management is responsible for preventing fraud through maintaining a control environment with clear policies and monitoring.

Uploaded by

Hershey Reyes

FRAUD

Fraud is defined as an intentional, deceitful act for gain with concealment. As such, it is
more than theft. Defalcation is theft by a person in a position of trust. Often, the fraudster has
access to details that the intended victim does not, enabling him to trick the victim. At its heart, a
fraudster exploits information asymmetry, namely, the fact that the resource cost of updating and
checking the information may be high enough to generate a disincentive to completely invest in
fraud prevention.
Management is responsible for the detection and prevention of fraud, misappropriations,
and other irregularities. Each member of the management team will be familiar with the types of
improprieties that might occur within his or her area of responsibility and be alert for any
indication of irregularity.
Fraud may be perpetrated by one person working on his or her own, but many frauds are
able to occur only as a result of collusion—between collateral associates working in different
positions within the business, between a manager and someone reporting to that manager, or
between an insider and an outsider. There may be mass collusion, for instance, between many
salespeople and many customers, even to the extent that the fraud tacitly may have become
regarded as a regular perk.
There are a number of ways in which a corporation can commit fraud. Corporate fraud
can encompass the loss of assets by the business, acts perpetrated by the corporation to take
funds from others, or the falsification of its reported results and financial position. Here are
several examples.

Personal Purchases
An employee can divert funds to buy goods or services on his own behalf. This is usually
done by approving his own expense reports or supplier invoices. The person must hold a
sufficiently senior position to be able to browbeat other employees into participating in this
diversion of assets. Usually, the potential amount of funds diverted increases with the seniority
of the job title of the individual committing the fraud.

Ghost Employees
The payroll staff can create fake employees and then pay these "ghost employees,"
directing the funds into their own bank accounts. Weak controls over the payment of employees
make this type of fraud more likely.

Skimming
Incoming funds are intercepted before they can be recorded in a company's accounting
records. This is usually caused when a person is allowed to both open the mail and record
accounting transactions. This fraud typically occurs in either the mail room or the accounting
department.

Tax Avoidance
A company can alter its tax returns to reveal less taxable corporate income than is really
the case, resulting in lower tax remittances. This can only be done with the connivance of senior
management, which typically signs off on the tax returns.

Asset Theft
Any employee can steal from an organization by making off with assets, such as cash or
fixed assets. Weak controls can encourage employees to engage in this activity.

Unauthorized Use
An employee may use company assets in an unauthorized manner, such as driving a
company car for personal use, or using a company condominium for personal use. Though the
asset is not stolen, it is being consumed, so its value lessens over time.

Financial Statement Falsification


An organization can falsify its financial statements to reveal excellent financial results. These
documents can then be used as the basis for obtaining bank loans or selling stock to investors.
Such falsification can be conducted entirely within the accounting department, or be forced upon
it by management. Examples of such falsification are:

• Extending the depreciation period to delay depreciation recognition
• Shifting debt to special purpose entities
• Accelerating the recognition of revenues and delaying the recognition of expenses
• Capitalizing expenses
• Counting nonexistent inventory, which reduces the cost of goods sold

It is frequently because of the collusion characteristic that fraud is so difficult to prevent
and detect, since effective systems of internal control often become ineffective when collusion
circumvents the segregation features of a control system. This illustrates that an effective system
of internal control requires much more than a good set of control activities such as segregation of
duties—it also always requires the other components of internal control as the COSO report
called them: control environment, risk assessment, information and communication, and
monitoring.
The following five components work to support the achievement of an entity’s mission,
strategies and related business objectives:
Control Environment
• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the board of directors and audit committee.
• Facilitate management’s philosophy and operating style.
• Create organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.
Risk Assessment
• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.
Control Activities
• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.
Information and Communication
• Measure quality of information.
• Measure effectiveness of communication.
Monitoring
• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

These components work to establish the foundation for sound internal control within the
company through directed leadership, shared values and a culture that emphasizes accountability
for control. The various risks facing the company are identified and assessed routinely at all
levels and within all functions in the organization. Control activities and other mechanisms are
proactively designed to address and mitigate the significant risks. Information critical to
identifying risks and meeting business objectives is communicated through established channels
across the company. The entire system of internal control is monitored continuously, and
problems are addressed in a timely manner.
We may classify fraud as:
• management fraud, for instance fraudulent financial reporting
• employee fraud
• outsider fraud
• collusive fraud
Some fraud, especially computer program frauds, may be continuous, working for the
defrauder indefinitely into the future. Some continuous frauds require no further direct action by
the defrauder once they have been set up, as they continue working automatically. Some
continuous frauds require constant maintenance by the defrauder, such as teeming and lading
frauds. Other frauds are not continuous but have a “smash and grab” character with the defrauder
absconding with the gains in a carefully timed way just before the perhaps inevitable detection.
One important deterrent for fraud is for the business to have a good record of detecting
fraud. If a prospective defrauder knows there is a high risk of detection and that the
consequences upon detection will not be pleasant, then that person will be less likely to engage
in the fraud. Given a personal need, an opportunity to perpetrate a fraud and a conviction that
detection is most unlikely or that the consequences upon detection would not be too disgraceful,
then many ordinary people will be sorely tempted to engage in fraud. It is up to management to
make sure that these ingredients are not present in their business.

Fraud Prevention and Detection


Fraud prevention and detection are related, but are not the same concepts. Prevention
encompasses policies, procedures, training, and communication that stop fraud from occurring,
whereas detection focuses on activities and techniques that promptly recognize whether
fraud has occurred or is occurring.

Investigation and Corrective Action
No system of internal control can provide absolute assurance against fraud. As a result,
the board should ensure the organization develops a system for prompt, competent, and
confidential review, investigation, and resolution of instances of noncompliance and allegations
involving potential fraud. The board should also define its own role in the investigation process.
An organization can improve its chances of loss recovery, while minimizing exposure to
litigation and damage to reputation, by establishing and preplanning investigation and corrective
action processes. The board and the organization should establish a process to evaluate
allegations. Individuals assigned to investigations should have the necessary authority and skills
to evaluate the allegation and determine the appropriate course of action. The process should
include a tracking or case management system where all allegations of fraud are logged. Clearly,
the board should be actively involved with respect to allegations involving senior management.

Only through diligent and ongoing effort can an organization protect itself against
significant acts of fraud. Key principles for proactively establishing an environment to
effectively manage an organization’s fraud risk include:
Principle 1: As part of an organization’s governance structure, a fraud risk management
program should be in place, including a written policy (or policies) to convey the expectations of
the board of directors and senior management regarding managing fraud risk.
Effective business ethics programs can serve as the foundation for preventing, detecting,
and deterring fraudulent and criminal acts. An organization’s ethical treatment of employees,
customers, vendors, and other partners will influence those receiving such treatment. These
ethics programs create an environment where making the right decision is implicit. The laws of
most countries prohibit theft, corruption, and financial statement fraud. Government regulations
worldwide have increased criminal penalties that can be levied against companies and
individuals who participate in fraud schemes at the corporate level, and civil settlements brought
by shareholders of public companies or lenders have rocketed to record amounts.
Most organizations have some form of written policies and procedures to manage fraud
risks. However, few have developed a concise summary of these activities and documents to help
them communicate and evaluate their processes. We refer to the aggregate of these as the fraud
risk management program, even if the organization has not formally designated it as such.
While each organization needs to consider its size and complexity when determining
what type of formal documentation is most appropriate, the following elements should be found
within a fraud risk management program:
1. Roles and responsibilities. To help ensure an organization’s fraud risk management
program is effective, it is important to understand the roles and responsibilities that personnel at all
levels of the organization have with respect to fraud risk management. Policies, job descriptions,
charters, and/or delegations of authority should define roles and responsibilities related to fraud
risk management.
The board also has the responsibility to ensure that management designs effective fraud
risk management documentation to encourage ethical behavior and to empower employees,
customers, and vendors to insist those standards are met every day. The board should:
• Understand fraud risks.
• Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been
considered as part of the organization’s risk assessment and strategic plans. This responsibility
should be addressed under a periodic agenda item at board meetings when general risks to the
organization are considered.
• Monitor management’s reports on fraud risks, policies, and control activities, which
include obtaining assurance that the controls are effective. The board also should establish
mechanisms to ensure it is receiving accurate and timely information from management,
employees, internal and external auditors, and other stakeholders regarding potential fraud
occurrences.
• Oversee the internal controls established by management.
• Set the appropriate tone at the top through the CEO job description, hiring, evaluation,
and succession planning processes.
• Have the ability to retain and pay outside experts where needed.
• Provide external auditors with evidence regarding the board’s active involvement and
concern about fraud risk management.
2. Commitment. The board and senior management should communicate their
commitment to fraud risk management. One method would be to embed this commitment in the
organization’s values or principles and code of conduct.

3. Fraud awareness. An ongoing awareness program is a key enabler to convey fraud risk
management expectations, as well as an effective preventive control. Awareness of fraud and
misconduct schemes is developed through periodic assessment, training, and frequent
communication. An organization’s fraud risk management program will assist the organization
with fraud awareness. Documentation to support fraud awareness should define and describe
fraud and fraud risks. It should also provide examples of the types of fraud that could occur and
identify potential perpetrators of fraud.

4. Affirmation process. An organization should determine whether there are any legal
issues involved with having an affirmation process, which is the requirement for directors,
employees, and contractors to acknowledge they have read, understood, and complied with the
code of conduct, a fraud control policy, and other such documentation to support the
organization’s fraud risk management program.
5. Conflict disclosure. The disclosure of a potential conflict of interest and management’s
decision should be documented and disclosed to legal counsel. Any constraints placed on the
situation need to be monitored. For example, a buyer who has recently been hired in the
purchasing department is responsible for all purchases in Division A. His brother has a local
hardware store that supplies product to Division A. The buyer discloses the potential conflict of
interest and is told that transactions with the hardware store are permitted, as long as the
department supervisor monitors a monthly report of all activity with the hardware store to ensure
the activity and price levels are reasonable and competitive. When the buyer is promoted or
transferred, the constraints may be removed or altered.

6. Fraud risk assessment. A fraud risk assessment should be performed on a systematic
and recurring basis, involve appropriate personnel, consider relevant fraud schemes and
scenarios, and map those fraud schemes and scenarios to mitigating controls. The existence
of a fraud risk assessment and the fact that management is articulating its existence may even
deter would-be fraud perpetrators. The system of internal controls in an organization is designed
to address inherent business risks. The business risks are identified in the enterprise risk
assessment protocol, and the controls associated with each risk are noted. COSO’s Enterprise
Risk Management–Integrated Framework describes the essential ERM components, principles,
and concepts for all organizations, regardless of size.

7. Reporting procedures and whistleblower protection. Documentation should not only
articulate the organization’s zero tolerance for fraud, it should also establish the expectation that
suspected fraud must be reported immediately and provide the means to do so. The channels to
report suspected fraud issues should be clearly defined and communicated. These may be the
same or different from channels for reporting other code of conduct violations.

8. Investigation process. Organizations should require that an investigation process be in
place. Once an issue is suspected and reported, an investigation process will follow. The board
and management should have a documented protocol for this process, including consideration of
who should conduct the investigation — whether it be internal personnel or hiring experts in this
field — rules of evidence, chains of custody, reporting mechanisms to those charged with
governance, regulatory requirements, and legal actions.

9. Corrective action. As a deterrent, policies should reflect the consequences and
processes for those who commit or condone fraudulent activity. These consequences may
include termination of employment or of a contract and reporting to legal and regulatory
authorities. The organization should articulate that it has the right to institute civil or criminal
action against anyone who commits fraud.

10. Quality assurance. Documentation should describe whether, and/or how,
management will periodically evaluate the effectiveness of the fraud risk management program
and monitor changes. It may include the need for measurements and analysis of statistics,
benchmarks, resources, and survey results. The results of this evaluation should be reported to
appropriate oversight groups and be used by management to improve the fraud risk management
program.

11. Continuous monitoring. The fraud risk management program, including related
documents, should be revised and reviewed based on the changing needs of the organization,
recognizing that documentation is static, while organizations are dynamic. Fraud risk
management program documentation should be updated on an ongoing basis to reflect current
conditions and to reflect the organization’s continuing commitment to the fraud risk management
program.

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify
specific potential schemes and events that the organization needs to mitigate.
A fraud risk assessment generally includes three key elements:
• Identify inherent fraud risk — Gather information to obtain the population of fraud risks
that could apply to the organization. Included in this process is the explicit consideration of all
types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud;
and IT fraud risks specific to the organization.
• Assess likelihood and significance of inherent fraud risk — Assess the relative
likelihood and potential significance of identified fraud risks based on historical information,
known fraud schemes, and interviews with staff, including business process owners.
• Respond to reasonably likely and significant inherent and residual fraud risks —
Decide what the response should be to address the identified risks and perform a cost-benefit
analysis of fraud risks over which the organization wants to implement controls or specific fraud
detection procedures.
A good risk assessment requires input from various sources. Before conducting a risk
assessment, management should identify a risk assessment team. This team should include
individuals from throughout the organization with different knowledge, skills, and perspectives
and should include a combination of internal and external resources such as:
• Accounting/finance personnel, who are familiar with the financial reporting process and
internal controls.
• Nonfinancial business unit and operations personnel, to leverage their knowledge of
day-to-day operations, customer and vendor interactions, and general awareness of issues within
the industry.
• Risk management personnel, to ensure that the fraud risk assessment process integrates
with the organization’s ERM program.
• Legal and compliance personnel, as the fraud risk assessment will identify risks that
give rise to potential criminal, civil, and regulatory liability if the fraud or misconduct were to
occur.
• Internal audit personnel, who will be familiar with the organization’s internal controls
and monitoring functions. In addition, internal auditors will be integral in developing and
executing responses to significant risks that cannot be mitigated practically by preventive and
detective controls.
• If expertise is not available internally, external consultants with expertise in applicable
standards, key risk indicators, anti-fraud methodology, control activities, and detection
procedures. Management, including senior management, business unit leaders, and significant
process owners (e.g., accounting, sales, procurement, and operations) should participate in the
assessment, as they are ultimately accountable for the effectiveness of the organization’s fraud
risk management efforts.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established,
where feasible, to mitigate possible impacts on the organization.
Prevention is the most proactive fraud-fighting measure. The design and implementation
of control activities should be a coordinated effort spearheaded by management with an
assembled cast of employees. Collectively, this cross section of the organization should be able
to address all of the identified risks, design and implement the control activities, and ensure that
the techniques used are adequate to prevent fraud from occurring in accordance with the
organization’s risk tolerance. The ongoing success of any fraud prevention program depends on
its continuous communication and reinforcement. Stressing the existence of a fraud prevention
program through a wide variety of media — posters on bulletin boards, flyers included with
invoices and vendor payments, and articles in internal and external communications — gets the
message out to both internal and external communities that the organization is committed to
preventing and deterring fraud.
Among the many elements in fraud prevention are HR procedures, authority limits, and
transaction-level procedures.
• Human Resources Procedures. It is important to know employees in order to evaluate
their credentials and competence, match skills to the job requirements, and be aware of
any issues of personal integrity that may impact their suitability for the position.
• Authority Limits. Fraud is less likely when an individual’s level of authority is
commensurate with his or her level of responsibility. A misalignment between authority
and responsibility, particularly in the absence of control activities and segregation of
duties, can lead to fraud. An organization may establish authoritative approval levels
across the enterprise to serve as an entity-level control.
• Transaction-level Procedures. Reviews of third-party and related-party transactions can
also help prevent fraud. Because fraud schemes often involve the use of third-party
entities/individuals, organizations need thorough measures at the front-end that will
prevent the back-end activities.

Principle 4: Detection techniques should be established to uncover fraud events when preventive
measures fail or unmitigated risks are realized.
Used in tandem with preventive controls, detective controls enhance a fraud risk
management program’s effectiveness by providing evidence that preventive controls are working
as intended and identifying fraud that occurs. Although detective controls may provide evidence
that fraud is occurring or has occurred, they are not intended to prevent fraud.
Documentation of Fraud Detection Techniques.
An organization should document the techniques developed and implemented to detect
fraud. This includes documenting processes used to monitor the performance of fraud detective
controls or to indicate when such controls are ineffective. Testing procedures conducted to
ensure adequate operation of fraud detective controls and the test results should also be
documented thoroughly.
Continuous Monitoring of Fraud Detection.
The organization should develop ongoing monitoring and measurements to evaluate,
remedy, and continuously improve the organization’s fraud detection techniques. If deficiencies
are found, management should ensure that improvements and corrections are made as soon as
possible. Management should institute a follow-up plan to verify that corrective or remedial
actions have been taken.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a
coordinated approach to investigation and corrective action should be used to help ensure
potential fraud is addressed appropriately and in a timely manner.
It is essential that any violations, deviations, or other breaches of the code of conduct or
controls, regardless of where in the organization, or by whom, they are committed, be reported
and dealt with in a timely manner. Appropriate punishment must be imposed, and suitable
remediation completed. The board should ensure that the same rules are applied at all levels of
the organization, including senior management.
Investigation.
The investigation team should establish the investigation tasks and assign each task to the
appropriate team members.
Corrective Action.
After the investigation has been completed, the organization will need to determine what
action to take in response to the findings. Any findings of actual or potential material impact may
need to be reported to the board, the audit committee, and the external auditor if they are not
receiving investigation reports directly. Notification may also be required to legal and regulatory
agencies and the organization’s insurers. In some cases, it may be necessary to take certain
actions before the investigation is complete (e.g., to preserve evidence, maintain confidence, or
mitigate losses). This could require suspension or reassignment of individuals or legal actions to
restrain assets.
