Fraud Detection, Prevention and Risk Management

Overview:

No precise legal definition of fraud exists; many of the offences referred to as fraud are covered
by the Theft Acts of 1968 and 1978. The term is used to describe such acts as deception, bribery,
forgery, extortion, corruption, theft, conspiracy, embezzlement, misappropriation, false
representation, concealment of material facts and collusion.

What is Fraud?

“Fraud” is usually used to describe depriving someone of something by deceit, which might
either be straight theft, misuse of funds or other resources, or more complicated crimes like false
accounting and the supply of false information. In legal terms, all of these activities are the same
crime – theft.

Some useful definitions:

• Theft: Dishonestly appropriating the property of another with the intention of permanently
depriving them of it (Theft Act 1968). This may include the removal or misuse of funds,
assets of cash

• False Accounting : Dishonestly destroying, defacing, concealing, or falsifying any account,

record, or document required for any accounting purpose, with a view to personal gain for
another, or with intent to cause loss to another or furnishing information which is or may be
misleading, false or deceptive (Theft Act 1968)

• Bribery and Corruption : The offering, giving, soliciting or acceptance of an inducement or

reward that may influence the actions taken by the authority, its members or officers
(Prevention of Corrupt Practices Act 1889 and 1916)

• Deception : Obtaining property or pecuniary advantage by deception (Sections 15 and 16 of

the Theft Act 1968( and obtaining services or evading liability by deception (Sections 1 and
2 of the Theft Act 1978)

• Collusion: The term “collusion” in the context of reporting fraud to the Treasury is used to
cover any case in which someone incites, instigates aids and abets, or attempts to commit any
of the crimes listed above.

Description and Characteristics of Fraud

• Fraud is a legal concept, and auditors do not have the professional expertise to make such
a legal determination. Instead, auditors are interested in acts that cause a material

1
misstatement of the financial statements. The basic difference between fraud and error is
that in fraud the misstatements are intentional.

• Fraud is defined as an intentional act that results in a material misstatement in financial

statements that are the subject of an audit.

Who commits financial fraud?

There are three main groups of people who commit financial statement fraud. In descending
order of likelihood of involvement, they are as follows:

• Senior management

• Mid- and lower-level employees.

• Organized criminals.

Where Fraud Breeds

Fraud and abuse are crimes, and they occur because someone has a financial need–or incentive–
to perpetrate them. Organizations that provide an environment "friendly" to a sufficiently
motivated or needful person often find themselves victimized. There are three main categories
that, separately or in combination, enable fraud and abuse:

– Complacency

– Inadequate supervision of employees & volunteers

– Lack of internal controls

Complacency: You may believe that fraud and abuse can’t or won’t happen in your
organization, but fraud is an equal-opportunity crime. It happens in organizations of all sizes,
whether they are for profit or non-profit entities, and is committed by people of every social and
educational strata at every level of the management hierarchy.

– What’s more, losses caused by managers and executives are often greater than those caused
by non-managerial employees.

– Turning a blind eye to irregularities and ignoring suspicious activity will cost you in the long
run.

Inadequate supervision of employees and volunteers: This is a by-product of the complacency

problem. Monitoring your departmental staff doesn’t mean that you need to become Big Brother, but

2
it does mean that you may have opportunities to enhance your management practices while keeping
better tabs on the people working in your department.

Lack of internal controls: Who has the keys? Who has the access? Does your board president know
what the head of the finance committee is doing? Any organization, regardless of size, needs a
system of internal checks-and-balances to protect board members and volunteers, and to insure
against fraud and abuse. To quote an old adage; the left hand must know what the right is doing

The above three culminate into a fraud triangle as shown in the Context/Incentives for fraud risk.

The context of fraud risk:

Three conditions are generally present when fraud occurs; Incentive/pressure, opportunity, and
attitude/rationalisation

Incentive/Pressure: an incentive to commit fraud is not only to misappropriate an asset, e.g.

cash, but can also consist of manipulating information regarding key performance indicators with
the objective of reaping a financial reward. Personal issues, e.g. financial pressures, can increase

3
the occurrence of fraud. Unnecessary demanding business related pressures, e.g. pressure to
reach set objectives and targets, also contribute to the likelihood of fraud occurring.

Opportunity: lack of internal controls, poor control environment, lack of proper segregation of
duties, etc, are all examples of opportunities in the work environment, which increases the
likelihood of fraud.

Attitude/Rationalisation: a work culture embracing and rewarding dishonesty can be a fertile

ground for breeding fraudulent activities.

Fraud Detection & Prevention: Responsibilities

 The governing body (BOD)

 Supervisors, and
 Employees

BOD

The governing body within the Organisation has overall responsibility for the Organisation’s
counter-fraud policy and procedures, and for establishing and maintaining a sound system of
internal control that supports the achievement of the Organisation’s policies, aims and objectives.

Depending on its size ‘the governing body’ of the Organization may comprise trustees, a board,
management/executive committee, council of management. Responsibility may be delegated to
an individual nominated by the governing body e.g. (Chief Executive).

The system of internal control is based on an ongoing process designed to identify the principal
risks, to evaluate the nature and extent of those risks and to manage them effectively. Managing
fraud risk will be seen in the context of the management of this wider range of risks.

Responsibilities of the governing Body include:

• Developing a fraud risk profile and undertaking a regular review of the fraud risks
associated with each of the key organisational objectives in order to keep the profile
current;

• Establishing an effective anti-fraud policy and fraud response plan, commensurate to the
level of fraud risk identified in the fraud risk profile;

• Designing an effective control environment to prevent fraud commensurate with the

fraud risk profile;

4
• Establishing appropriate mechanisms for:

– reporting fraud risk issues;

– reporting incidents of fraud to the governing body;

– reporting to the Department and / or the Police; and

• Liaising with the Risk Management Committee and / or Audit Committee;

• Ensuring that the Organisation’s recruitment policy is adhered to and that effective steps
are taken at recruitment to establish, as far as possible, the honesty and integrity of
potential employees, whether for permanent, temporary or casual posts.

• Making sure that all staff are aware of the Organisation’s anti-fraud policy and know
what their responsibilities are in relation to combating fraud;

• Ensuring that appropriate counter-fraud training is available to staff;

• Ensuring that vigorous and prompt investigations are carried out if fraud occurs or is
suspected;

• Ensuring that appropriate legal and / or disciplinary action is taken against perpetrators of
fraud;

• Taking appropriate disciplinary action against supervisors where supervisory failures

have contributed to the commission of fraud;

• Taking appropriate disciplinary action against staff who fail to report fraud;

• Taking appropriate action to recover assets;

• Ensuring that appropriate action is taken to minimise the risk of similar frauds occurring
in future.

Responsibilities (Supervisors)

• Operational managers / supervisors are responsible for:

– Ensuring that an adequate system of internal control exists within their areas of
responsibility and that controls operate effectively;

– Preventing and detecting fraud;

5
– Assessing the types of risk involved in the operations for which they are
responsible;

• Reviewing and testing the control systems for which they are responsible regularly;

• Ensuring that controls are being complied with and their systems continue to operate
effectively;

• Implementing new controls to reduce the risk of similar fraud occurring where frauds
have taken place.

Every member of staff is responsible for:

• Acting with propriety in the use of the Organisation’s resources and the handling and use
of funds whether they are involved with cash or payments systems, receipts or dealing
with suppliers;

• Being alert to the possibility that unusual events or transactions could be indicators of
fraud;

• Reporting details immediately through the appropriate channel if they suspect that a fraud
has been committed or see any suspicious acts or events;

• Cooperating fully with whoever is conducting internal checks or reviews or fraud

investigations.

The bottom-line is that an Organisation must have a Fraud Response Plan that sets out, for
example, how to report suspicions of fraud, how the fraud will be investigated and by whom,
what experts to contact for advice. The Plan forms part of the Organisation’s anti-fraud policy.

Detection of Fraud

• In order to catch a fraud, one must "think like a thief, not an auditor," says fraud
consultant Nigel Lyer, Managing Director at Hibis Scandinavia.

• An organisation's internal controls can provide a false sense of security, so auditors and
fraud examiners must look beyond the controls, as a criminal does, to find loopholes in
the system where fraud could occur.

• Typically, fraudsters detect or stumble upon areas with weak cross-departmental or cross-
organizational controls

There are two approaches to fraud detection:

6
 The traditional approach, and

 Transactional Analysis And Continuous Monitoring

The Traditional Approach

• Organisations have traditionally sought to prevent and detect fraud by implementing

appropriate internal controls. Internal Audit tests and validates these controls during regular
audit processes. It does not, however, usually have direct responsibility for ensuring that
fraud does not occur.

• Although Internal Audit often uncovers instances of fraud-18 percent of detected cases
according to the ACFE study-its role is essentially reactive.

• Internal controls and external audit are responsible for uncovering a further 30 percent of
detected fraud, while the balance of detected cases comes to light through tips or accident.

• While strong internal controls and appropriate audit procedures undoubtedly have a degree of
effectiveness in preventing and detecting fraud, it is unrealistic to assume that they are
completely effective

• The ACFE study found that 46 percent of detected frauds occurred because of insufficient
controls. A further 40 percent occurred because controls were ignored. There also remains a
strong likelihood for many large organizations that a very significant number of frauds are
simply never detected.

• Even when frauds do come to light, many detection methods, such as audit procedures, only
occur sometime after the fraud has taken place. They are, by nature, historical examinations
of data. The problem is that the longer the period the fraud remains undetected, the larger the
financial loss is likely to be-and the smaller the chance of recovering the losses from the
perpetrator. The average fraud scheme in the ACFE study lasted 18 months before detection.

Transactional Analysis and Continuous Monitoring

Both the Association of Certified Fraud Examiners and the American Institute of Certified Public
Accountants (AICPA) refer specifically to the use of computerized analysis to assist in fraud
detection techniques. Such analyses are particularly effective in detecting frauds that fall into the
most common fraud categories of asset misappropriation and fraudulent disbursements.

7
Both professional associations provide details of indicators of the most common types of fraud
and examples of the types of analyses that can be performed to detect the indicators. However,
many organizations only use such techniques on an occasional test basis and often only on a
reactive basis, once a problem is suspected. In many cases, the tests performed are fairly
simplistic and are unlikely to uncover the more sophisticated of frauds.

Transactional analysis is one of the most powerful and effective ways of detecting fraud within
an organization. It generally includes a comprehensive series of tests designed to detect
indicators of a wide range of frauds. To maximize its effectiveness as a fraud detection system,
transactional analysis ideally will:

 Allow easy comparisons of data and transactions from separate functional systems.
 Work with a comprehensive set of indicators of potential fraud, taking into account both
the most common fraud schemes and those that relate specifically to the unique risks a
particular organization may face.
 Analyze all transactions within a given area and test them against the parameters that
highlight indicators of fraud.
 Perform the analyses and tests as close to the time of the transaction as possible, ideally
even before the transaction has been finalized, and preferably on a continuous monitoring
basis. By continuously monitoring operational data, organizations can catch frauds earlier
in the fraud cycle, preventing greater losses, and quite often serving as deterrent to other
possible frauds.

Despite their proven and potential benefits, there have been good reasons for the lack of
effective, widespread application of transactional analysis and continuous monitoring.

One reason has been the significant time and costs involved in extracting and comparing data
from two different systems in order to detect a single instance of suspected fraud.

Many indicators of potential fraud only arise when transactional data from one system is
compared to that of another.

Another has been developing flexible, easily adaptable continuous monitoring programs that can
run alongside application systems, test data independently of those systems and notify
management in a timely manner when fraud indicators are detected. Such programs traditionally
have been costly and time-consuming to create, often requiring existing systems to be retrofitted.

In some organizations, difficulties arise from limited knowledge of the many types of possible
fraud and how they might be perpetrated given the organization's operations. To find fraud, you
have to know what it looks like. This requires a thorough understanding of the organization's
internal controls and their weaknesses, in order to design and conduct transactional analyses that
provide meaningful results.

8
Transactional Analysis: specific statistical data analysis techniques

 Calculation of statistical parameters such as averages, standard deviations and highest and
lowest values, which are used to identify statistical anomalies
 Classifications to find patterns and associations among groups of data
 Stratifications of numeric values to identify unusual and outlying values
 Digital analysis, using Benford's Law, to identify statistically unlikely occurrences of
numeric amounts
 Joining or matching of data fields between disparate systems, typically looking for
expected matches or differences for data such as name, address, telephone, part or serial
number
 Duplicates testing that identifies simple or complex combinations of duplication
 Gaps testing that identifies missing sequential data
 Summing and totalling to check control totals that may be falsified
 Graphing to provide visual identification of anomalous transactions

Transactional Analysis: Typical Frauds, Symptoms and Tests

Knowing what to look for is critical in building a fraud detection program. The following
examples are based on descriptions of various frauds and their symptoms found in Fraud
Detection, Using Data Analysis Techniques to Detect Fraud.

• Fictitious vendors. Search for post office boxes used as addresses, matches between
vendor and employee addresses and/or phone numbers, vendors with similar sounding
names, more than one vendor with same address and phone number, and common generic
company names or vendor names that sound very much like those of well-known
businesses.

• Altered invoices. Search for duplicates of invoices and compare invoice amount with the
contract or purchase order amount.

• Kickbacks. Analyze purchases to identify purchasing agents who deal exclusively with a
limited number of vendors.

• Fixed bidding. Search for contracts awarded without formal bidding, contracts raised
just below threshold for competitive bidding, and split contracts. Compare vendor
summaries for several years to find single vendor winning most bids, calculate days
between close of bids and contract submission date by vendor to detect last bidders
consistently winning bids.

• Goods not received. Purchase quantities not in agreement with contract quantities, no
change in inventory levels, and inventory levels at odds with contract and invoice levels.

• Duplicate invoices. Duplicate invoice numbers, duplicate date and invoice amounts.

9
• Inflated prices. Prices from a particular vendor are unreasonably high when compared to
others, an increase in production compared to previous years or other plants.

• Excess quantities purchased. Unexplained increases in inventory, purchase quantities of

raw materials inappropriate for production level, increases in quantities ordered
compared to previous contracts or years, or compared to other plants.

• Duplicate payments. Repeated requests for refunds for invoices paid twice, vendors with
more than one vendor code. Test for duplicate payment with identical invoice numbers
and payment amounts.

• Carbon copies. A scanned company check in electronic form altered with either the
same or different check numbers for repeated cashing. Search for duplicates in all
company checks cashed and conduct a second search for gaps in check numbers.

• Duplicate serial numbers. High value equipment a company already owns repurchased
using duplicate serial numbers, false deliveries, and charging inventory to phony
projects-selling the company back its own inventory. Test serial numbers for duplicates
and involvement of same personnel in purchasing and shipping processes.

• Payroll fraud. Terminated employees still on payroll with overpayments split between
manager and ex-employees. Compare date of termination with pay period covered by
check, and extract all pay transactions for departure date less than date of current pay
period.

• Accounts payable. Invoicing for goods delivered, but never ordered; goods not
delivered, and for order quantities higher than requested on a contract. Link Accounts
Payable files to contract and inventory files to examine contract date, price, ordered
quantity, inventory receipt quantity, invoice quantity, and payment amount by contract, to
reveal transactions not matching contract amounts.

The timely detection of fraud directly impacts the bottom line, reducing losses for an
organization. And effective detection techniques serve as a deterrent to potential fraudsters;
employees who know experts are present and looking for fraud are less likely to commit fraud,
because of a greater perceived likelihood that they will be caught.

FRAUD POLICY AND WHISTLEBLOWERS’ CHARTER

WHY HAVE A FRAUD POLICY

• Fraudulent and dishonest behaviour can result in substantial cost to the company, loss of
business and damage to our reputation.

10
• The fraud policy should be designed to protect Group operations, customers,
shareholders and employees from the adverse effect of fraudulent behaviour.

• All firm members can support our company and colleagues if we remain alert to the
possibility of impropriety and play our part in the prevention and reporting of fraud.

RECAP: WHAT IS FRAUD

• The deliberate action by a person; or allowing action to be taken by someone else; for the
purpose of:

– Obtaining money, assets or services

– Distorting personal or business performance

– Causing loss to the Group, supplier or employee

– Accepting of high value gifts or inappropriate hospitality

– Prejudicing the Group’s rights, competitive position or business reputation

– Money laundering

– Attempting any of the above

– Unauthorised release of confidential information

• Everybody covered by the fraud policy has a role to play in preventing, detecting and
reporting fraud. one must:

– Work in such a way as to prevent fraud

– Immediately report any suspicion of fraud (other than money laundering) to

• your line manager, or

• another senior manager,

– Immediately report any suspicion of money laundering to the firm’s Money

Laundering Reporting Officer

– Any manager who receives notice of fraud must ensure that it is notified to the
Finance Director.

11
• One should not

– Confront the suspect, or

– Discuss the suspicion more widely, or

– Begin any investigation that may result in loss of evidence or "tip-off" the
suspect.

– Employees have a statutory duty to report suspicion of money laundering and

knowledge of terrorist funds.

Following the reporting of suspected fraud;

• Every reported incident of fraud should be investigated.

• The confidence of those reporting the incident or suspicion of fraud should be respected.

• The investigation should be carried out by either external agencies or managers having no
operational responsibility within the business unit implicated.

• Following investigation, every fraud involving a member of staff should be reported

directly to the Chairman of the Board Audit Committee at its next scheduled meeting.
Every suspicion of money laundering will be reported to the Finance Director and the
Chairman of the Audit Committee immediately without investigation commencing in
order that the appropriate external authorities can be notified and can control the
investigation.

A fraud policy must detail the consequences of committing fraud;

• Any employee or director who has committed a fraud should expect summary dismissal.
Individuals will normally be prosecuted and the company will seek to recover losses.

• The Company will always reserve the right to publicise the details of fraud internally and
externally.

THE WHISTLEBLOWERS’ CHARTER

Anybody who is covered by the firm’s Fraud Policy and who suspects that the company, its
clients, suppliers, staff or directors are involved, either deliberately or unwittingly, in fraud,

12
money laundering, error or misstatement, should report their suspicion in accordance with the
Firm’s Fraud Policy. The following process should be observed if suspicion of fraud is reported
under the protection of the Whistleblowers’ Charter

The charter should specifically apply to Fraud (including money laundering) but equally apply to
deliberate acts or omissions that endanger the health and safety of any person or the observed
failure to report accidents in accordance with the firm’s Policy.

• The Whistleblower should report suspected malpractice, preferably in writing, to the

Independent Assessor

• Whistleblowers should be prepared to identify themselves within the report but can do so
on the understanding that the Independent Assessor will respect the confidentiality of
their report.

• The Independent Assessor should acknowledge receipt of the Whistleblower’s report by

return.

• Within 14 days of the matter being reported, the Independent Assessor should provide the
Whistleblower with details of the process that will be followed in order to deal with the
matter raised.

• The Independent Assessor should inform the Whistleblower when the matter has been
dealt with, but is not obliged to give details of action taken.

• Whistleblowers who are not satisfied that matters have been adequately dealt with should
report their grievance in writing to the Chairman of the Board Audit Committee.

• Whistleblowers should not discuss details of their concerns with any third party unless
they are exercising their legal rights to report to The Financial Services Authority, stock
exchange, the police or media under circumstances where they are protected by the
Public Interest Disclosure Act, 1998. This does not prevent an individual from discussing
the matter with his or her solicitor.

• The Independent Assessor should provide a summary report to the Board Audit
Committee on all suspected fraud and error brought to his attention.

• Staff who are considering whether to report a suspected fraud (and in respect of money
laundering they have a legal obligation to do so) should be aware that their Company
encourages them to come forward and that the Company will take steps to ensure that
Whistleblowers are not victimised. Whistleblowers will be regarded as witnesses, not
complainants.

13
DESIGNING A ROBUST FRAUD PREVENTION PROGRAM FOR YOUR COMPANY

Creating a fraud prevention culture that works

• Fraud prevention can be seen as cumulative effect of both preventative and detection
systems incorporated by management. Detection of fraud can only lead to the prevention
thereof if the response thereto acts as deterrent.

• The FBI suggests that if a company wants to implement a truly effective fraud prevention
strategy, they have to start at the top which will thereafter permeate downwards.

Why is Fraud Prevention Important?

• Your duty in terms of legislation; AML act, anti-corruption act, PFMA, and other
treasury regulations

• Good corporate governance; the principles of corporate governance necessitate the

establishment of a fraud prevention strategy

• Increased efficiency and effectiveness; the establishment of a fraud prevention plan can
further act, as a deterring factor to would be perpetrators and enhance the external
perceptions from stakeholders, i.e. the entity is seen to be acting.

Who is responsible for Fraud Prevention?

• The accounting officer is ultimately held accountable for the design and implementation
of a fraud prevention strategy and plan.

• The success of such a plan will require an acceptance and the commitment of all role
players. Every official within the department needs to be held accountable for the
activities/assets under his/her control.

• It must further be emphasised that an understanding of overall risk (cumulative effect of

inherent, control and detection risk) in relation to fraud risk is critical to the success of a
fraud prevention plan.

• Line managers therefore need to be made aware of the relationship between risk and
fraud

• Since criminals react to prevention and detection mechanisms designed to curtail their
activities, the firm must commit itself to review the fraud prevention plan on a continuous
basis.

• Relevant legislation requires annual review of risk management strategy, including fraud
prevention plan.

14
The treasury regulation (s) states that: “the accounting officer must ensure that a risk assessment
is conducted regularly to identify emerging risks of the Institution. A risk management strategy,
which must include a fraud prevention plan, must be used to direct internal audit effort and
priority, and to determine the skills required of managers and staff to improve controls and to
manage these risks. The strategy must be clearly communicated to all officials to ensure that the
risk management is incorporated into the language and culture of the Institution”

• Objectives of a fraud prevention plan can include:

– To provide a richer understanding of the environment in which fraud is likely to

occur.

– To form the basis of the firm’s fraud strategy.

Building a Fraud Strategy

Deciding on an appropriate strategy to address fraud, the Risk management committee of the
firm should consider the context of fraud as indicated in the fraud triangle.

• Incentive/Pressure: the context variable is to a large extent unresponsive to management

intervention. Management can however, through increased focus on the control
environment and internal controls increase the incentive/pressure threshold.

• Opportunity: the opportunity to commit fraud within an entity is under the control of
management. The implementation of effective and efficient internal controls (both
detection prevention controls) is one of the mechanisms available to management.
Occurrence of fraud with an entity should initiate a redesign, or if appropriate a re-
engineering of related internal controls.

• Attitude/Rationalisation: is to lesser extent under the control of management.

Incorporating a zero-tolerance attitude and culture within an entity can act as a powerful
deterrent for fraud.

• Leading by example can be one of the tools used by management to create such a culture
of zero-tolerance towards fraud

15
Components of Fraud Strategy

• The prevention of fraud is the most important component of any entity’s strategy in
dealing with fraud. The fraud prevention plan developed by any entity should include a
fraud strategy as one of the outputs of the plan

The relationship between risk and fraud management

• The risk of fraud is seen as a sub-component of risk within an Entity. As such risk
management activities will include the estimation of the likelihood of the occurrence of
fraud.

• Risk evaluation within an entity is done using a business process approach. This entails
in short; the identification of the critical business processes, the identification of risks
associated with each process, and the development of effective, efficient and transparent
controls to reduce exposure to risks.

16
• Each critical process identified during the business process approach should be evaluated
for its susceptibility to fraud. The end result will a fraud risk map for all business/or
departmental processes.

BUILDING A FRAUD PREVENTION PLAN

Objectives of building the plan:

o To present a step by step plan for implementation of the fraud prevention plan

o To assign responsibilities and deadlines to each step

o Implementation of the fraud strategy can only be effected through a series of interrelated
steps. Some of these steps may need annual revision as required by the treasury.

Implementation steps

• Incorporation of a fraud prevention committee

• Development of a fraud policy
• Promotion of a public service code of conduct
• Information session about corporate governance in the public sector
• Develop a code of ethics
• Strengthening of an entity’s disciplinary processes
• Introduction of employee screening before appointment
• Informing an entity’s officials about protected disclosure act
• Promoting official whistle blowing channels
• Compilation of a fraud risk map
• Internal audit and
• Audit committee

Fraud Prevention Committee

In an effort to create a culture of zero-tolerance to fraud, management must lead by example. The
appointment of top management to a fraud prevention committee is seen as the first step in creating
such a culture. The committee’s function is the approval, implementation and coordination of the
firm’s fraud prevention plan. Minutes of the meetings held by the committee must be kept for
control and compliance purposes

Fraud Policy

• Communication of the management’s attitude towards fraud is of paramount importance in

the fight against fraud and corruption

17
• Deciding on a statement representing management’s attitude and promoting such a statement
to her stakeholders is the second step in fraud prevention strategy implementation

Promotion of a public service code of conduct

• The purpose of a code of conduct is to guide employees in their date-today activities.

• All government units should adopt a public code of conduct, and

• The human resource division must be committed to and responsible for the promotion of this
code by developing and conducting short courses for all employees.

Corporate governance in the public sector

• The Report of the Committee on Financial Aspects of Corporate Governance (Cadbury Report)
defines corporate governance as; “the system by which organisations are directed and
controlled”. It identifies three fundamental principles of corporate governance as;

– Openness,

– Integrity, and

– Accountability

• These principles are as relevant to all public sector entities as they are to private sector
entities.

• They apply to all public sector entities irrespective of whether governing bodies are elected
or appointed, and whether or not, they comprise a group of people or an individual.

Develop a Code of Ethics

• A code of ethics is a document in which an organisation publicly declares what it regards

morally or ethically acceptable behaviour.

• Developing a code sets in motion a process that raises ethical consciousness among internal
stakeholders.

• A code clarifies what is ethical acceptable behaviour, thus making expectations more
concrete.

• A code also communicates to external stakeholders that the organisation takes its ethical
commitments seriously and that it can be held responsible and accountable.

18
Strengthening of an entity’s disciplinary processes

• Departmental disciplinary processes are a key link in the accountability cycle. It is also used
by accounting officer to act on officials who contravene the public finance management act,
regulations or other relevant acts.

• Consistent and swift reaction to all corruption/fraud cases should form the basis of
departmental disciplinary actions.

Introduction of Employee screening before appointment

• The requirement of a security clearance certificate within the public sector should be applied
in any government unit. This can work as an important prevention tool.

• Research on the prevalence of fraud within organisations shows employees as the single
biggest contributor. Prospective employees with a history of corruption can be eliminated
from the process thus decreasing the realisation of the attitude/rationalisation variable of the
fraud triangle considerably.

Promoting the Protected Disclosure Act

• Since of one the possible detection mechanisms available to identify cases of fraud is whistle
blowing within an entity, it is important to inform such officials of their rights as protected
by Protected Disclosure Act

• Mechanisms to report acts of corruption, misadministration, and misconduct within an entity

should be implemented to assist officials with the reporting of such acts

Promoting Official Whistle Blowing Channels

• Companies must develop, encourage, promote and implement whistle blowing mechanisms.

• The Inspector general of Government and or any other relevant office should be responsible
for promotion of the available whistle blowing channels in the public sector.

Compilation of the Fraud Risk Map

• During the risk management process followed by an entity, key fraud risk areas, together
with mitigating controls and the residual risk that must then be addressed will be identified.

19
• The end result of this process is the development of a Risk Map. The Risk Map will inform
management of potential problem areas and to direct management attention and effort. This
Risk map will include processes susceptible to fraud, i.e. the fraud Risk Map.

• After fraud risks have been identified, a fraud risk analysis should be performed as
follows:

 Assess the likelihood (or frequency) of fraud occurring (less likely, likely and more
likely)

 Estimate potential impact if fraud were to occur; considers both quantitative and
qualitative factors.

 Evaluate related controls in place

 Determine how the residual risk of fraud should be managed

 Re-engineer internal controls if residual risk is outside pre-determined limits.

Internal Audit

• The fraud risk map should always guide the internal audit activities

• The internal audit should focus its attention on evaluating key risk areas (i.e., risks with
reasonable likelihood of occurrence and large potential impact

Audit Committee

• The audit committee should review the fraud strategy and plan implemented any
government entity on an annual basis. The impact of the strategy and in specific the
identified high fraud risk areas (fraud risk map) should be communicated to the office of
the auditor general. The auditor general will then incorporate this information in its audit
plan.

A comprehensive approach to antifraud programs and controls

• To support clients in the development, improvement and implementation of antifraud

programs and controls, Auditing Firms utilize the Committee of Sponsoring
Organizations (COSO) of the Treadway Commission’s Internal Control – Integrated
Framework.

20
• The components that make up the framework of an effective antifraud program include:

• Management has the primary responsibility for creating the control environment;
performing fraud risk assessments; establishing control activities to prevent, deter and
detect fraud; and promoting effective communication of antifraud programs throughout
the company.

• Management’s active involvement also should include monitoring and assessment of

antifraud programs and controls; investigating facts and circumstances that may indicate
an occurrence of fraud; and remediation of control deficiencies, including addressing
issues identified during investigations.

21
INTERNATIONAL FRAUD RISK (MONEY LAUNDERING)

Money laundering is the process whereby criminals attempt to hide and disguise the true origin
and ownership of the proceeds of their criminal activities thereby avoiding prosecution,
conviction and confiscation of the criminal funds. The source of the proceeds may include drug
trafficking, terrorism, organised crime, fraud and many others.

Money which is laundered by criminals globally is estimated to be the equivalent to 2 - 5% of the

world's GDP and is measured in millions of US dollars. An estimated $100 billion is laundered
yearly in the US alone. Whilst many criminals deal in cash, the more serious criminals wish to
find a safer home for the proceeds of their crime and in a financial institution, quite possibly in
another country, where it is more secure and would excite less suspicion where the authorities
would simply not care or the source of money was.

This process involves 3 steps:

 Placement-physically placing cash proceeds.

 Layering-piling of layer through complex financial transactions to separate the proceeds

from illicit and /or criminal activity.

 Integration – re-introducing the illicit funds into the economy giving legitimate but false
explanations as to the origin of the funds.

Cyber-laundering is another form fraud that is related to money laundering. On-line Banks,
internet gambling, Casinos are most vulnerable.

Looking for signs of Cyber-laundering

In October 1999, the US Office of the Comptroller of the Currency issued a handbook on
Internet Banking. It recommends that banks set up a control system to identify unusual or
suspicious activities including monitoring procedures for on-line transactions. The following
types of Internet activity were highlighted as matters that should raise the suspicions of the bank:

• Unusual requests, timing of transactions or e-mail formats.

• Anomalies in the types, volumes or values of transactions.

• A customer who submits an incomplete on-line account application and then refuses to
respond to a request for more information.

• An on-line account application with conflicting information such as a physical address

that does not match the location of the given e-mail address.

22
• On-line applications for multiple accounts with no apparent reason to do so.

• A customer who uses the bank’s on-line transaction services to send repeated inter-bank
wire transfers between several accounts with no apparent reason to do so.

Guidelines for identification of suspicious customers/transactions

• One of the most important tools for combating money laundering and terrorist financing
is “Know Your Customer” policy.

• In order to prevent and detect criminal activity, organisations need to develop an

awareness of its customer base. It will help in identifying suspicious activity and be an
effective tool in the fight against money laundering and terrorist financing and other
criminal activities

• KYC policy;

• Helps detect suspicious activity in a timely manner

• Promotes compliance with all laws

• Promotes safe and sound money transfer practices

• Minimises the risk of organisation’s products being used for illegal activities

• Protects the organisation’s reputation

• Mere verifying and collecting the ID of the customer does not amount to KYC. The
firm’s staff should use their diligence and prudence to judge the customer and his
capabilities and should alert, if there are any unusual transactions which are not typical to
the customer’s background.

• The staff should try to match the profile of a customer with that of the remittance of the
customer. The staff should verify in detail the source of funds and the purpose of
remittance to satisfy the genuineness of the transaction.

• Compliance is the responsibility of every employee. Therefore, strict compliance is very

much necessary with all laws and regulations. Non compliance with the law is simply
not worth the risk.

Suspicious Transactions

• “Suspicious activity” is a difficult concept to define because it can vary from one
transaction to another based upon all circumstances surrounding the transaction. For

23
example, transaction by one customer may be normal because of knowledge of that
customer, while similar transactions by another customer may be suspicious.

• A suspicious transaction is one or more of the following:

• Involves funds derived from illegal activity, or is intended or conducted in order

to hide or disguise funds or assets derived from illegal activity.

• Designed to evade the local regulatory requirements, whether through structuring

or other means.

• Appears to serve no business or apparent lawful purpose, and the counter staff can
determine no reasonable explanation for the transaction after examining all
available facts.

• Many factors are involved in determining whether transactions are suspicious, including
the amount of remittance, type of remittance, destination of remittance, actual beneficiary
of the remittance, purpose of the remittance, source of funds, etc. These factors should
all form part of the KYC process to ensure that customers are genuine and transactions
are within his/her means.

Suspicious Transactions: Red Flags in Banking

• Customers like those mentioned below may warrant attention:

– Customers sending or receiving frequent amounts that are much greater than what
would be expected for the customer

– Customers avoiding thresholds

– Customers altering transaction upon learning that he/she must show ID

– Customers transferring money repeatedly in order to make each transaction

unnoticed and also does not draw attention but the total of transfers together form
a large amount

• Customers trying to change large quantities of small value currency into large value
currency.

• Repeated exchange of cash from one currency to another while the nature of the
customer’s activity does not require such transfers.

• Customers conducting suspicious transactions may appear nervous, rushed or defensive

to questioning about his remittances.

24
• Customers who may be reluctant to show ID

• Customers who may offer gifts to avoid certain record keeping requirements or if you
handle the transaction in a certain way as he/she desires

• Customers concealing the beneficial owner of funds

• Two customers coming together but sending money transfer separately to the same
beneficiary or coming together to receive money transfer from the same remitter.

• Large number of individuals transferring money to the same beneficiary without

appropriate reasons or explanations

• Repeated requests for travellers’ cheques or drafts in foreign currencies

Wilful Blindness

• Wilful blindness is a situation when an employee becomes suspicious about a

customer/transaction but does report his/her suspicions, even though he/she is aware that
the transaction is of illegal nature or that the intention of the customer’s transaction is
money laundering/ terrorist financing.

• By ignoring key indicators on money laundering/terrorist financing, an employee is

considered to have directly partaken in such a scheme through wilful blindness.

Politically Exposed Persons (PEP)

• PEP are individuals who are or have been entrusted with prominent public functions in a
foreign country, for example, Heads of State or of government, senior politicians, senior
government, judicial or military officials, senior executives of state owned corporations
and important political party officials. PEP would also include their immediate families
and close associates.

• It should not be deduced that all PEP’s are to be suspected. In fact, many conduct
legitimate business through financial institutions every day. But there is always a
possibility, especially in countries where corruption is widespread, that PEP’s abuse their
public powers and amass huge wealth by embezzlement or taking bribes. The proceeds
of such corruption are often transferred to other jurisdiction and concealed under the
names of relatives or close associates.

25
• Financial institutions which handle such illegal proceeds face the risk of reputation
damage and also the possibility of charges and fines, for having assisted in laundering the
proceeds and having business relationship with customers of this nature.

• Organisations may reduce the risk by conducting due diligence at the outset of the
relation and also on an ongoing basis where the organisation knows or suspects that the
customer is a PEP

Identity Theft

• Identity theft is defined as the use, transfer or theft of personal identifying information of
another person for the purpose of committing a crime. Criminals sometimes use the
name, address and other details of an innocent person to open a bank account or carry out
a financial transaction to launder money. Innocent people are being penalised because
someone is committing crimes using their names.

• Checking identity is an important way of fighting money laundering and other criminal
activities. It

• Makes it more difficult for criminals to use the financial system and to use false
names and addresses, or the identities of innocent people

• Helps the police and other law enforcement agencies to detect and investigate
crime.

• This is why the law says that banks and other financial firms must identify their
customers. So it is necessary that firms verify the original identity of the
customer properly to avoid identity theft.

Vehicle Crime

• According to research, illicit trafficking of vehicles is a form of organised crime which

generates large profits for the perpetrators. A key aspect of this form of crime is the need
to legalise stolen vehicles in order for criminals to achieve a monetary gain.

• International vehicle crime has become a growth industry, crossing many national
borders. It is a complex and highly organised crime, with a thousands of vehicles
destined for markets throughout the world.

26
• Therefore the organisational staff /compliance officers should exercise due diligence
whenever dealing with corporate/individuals who are involved in second-hand
vehicles/spare-parts purchase and sale.

Terrorist Funding

• Terrorism can be defined as the unlawful use of force against persons or property to
intimidate or coerce a government, the civilian population or any segment thereof, in the
furtherance of political or social objectives. Terrorist acts are criminal in nature and
constitute a serious threat to the individuals’ lives and freedom.

• Terrorist funding relates to provision or collection of funds to carry out an act of killing
or seriously injuring a civilian with the objective of intimidating a section of people or
compelling government to do or to abstain from doing any act.

• Combating terrorist funding is one of the highest priorities for all the financial institutions
across the world. The events of Sept 11th have placed the world’s financial institutions
on the frontline in the battle against terrorist funding. The worldwide efforts to combat
terrorist funding are gaining importance day by day. Terrorist funding is a global
problem that not only threaten security but also compromises the stability, transparency
and efficiency of the financial system

• Elements of Terrorist funding

• The primary objective behind terrorist funding is to intimidate or force a government or

population to do or abstain from doing any act. In money laundering the objective is
monetary gain

• The volume of remittances for terrorist funding need not have to be large as compared to
money laundering. They will vary according to the strategies and methods adopted by
the terrorist.

• Terrorist funds need not be from illegal sources always. In some cases, funds are also
sourced from legal income.

• What Can be Done to Fight Terrorist Funding

• Prevention: Firms (Banks) have to prevent our products and services from being used by
terrorists for transferring their money. This can be done by applying appropriate “KYC”
policies and procedures

27
• Pursuit: Firms (Banks) have to track down the terrorist transactions by blocking their
names. In case you come across any blacklisted name, it has to be immediately reported
to the Head office.

• Protection: Firms (banks) have to protect their reputation, customers and the
communities where they operate. They have to protect by being responsible in their
duties. If a customer staff does a money transfer transaction for a customer and has
reasonable cause to suspect that it may be used, in whole or in part for the purpose of
terrorism, then it should be immediately reported to the branch compliance officer.

Preventive Strategies for those dealing with customers directly

When dealing with customers, ask yourself the following questions:

• How well do I know this customer?

• Do I fully understand the transaction the customer wishes to complete?

• Am I comfortable with this transaction?

• Does the transaction make sense considering the customer’s profile?

• Is this a usual method for conducting other similar business transactions?

28