Managing Fraud Risk
According to Managing Fraud Risk: A Practical Guide, “personnel at all levels of the organization—including every level of management, staff, and internal auditors, as well as the organization’s external auditors—have responsibility for dealing with fraud risk.”
While everyone within the organization has the duty to help fight fraud, the practical implementation of fraud risk management must start somewhere. The organization must have a team of specific individuals—or a dedicated department—that is made explicitly responsible for executing, monitoring, and ensuring the success of its fraud management initiatives.
Depending on the size and structure of the organization, the following individuals and groups may have key roles in ensuring effective fraud risk management:
- Executive management
- The audit committee
- The investigations group
- The compliance function
- The controller’s group
- Internal audit
- The legal department
- Human resources
Without a clear assignment of the fraud-related roles and responsibilities to the parties overseeing the organization, any fraud risk management program will be ineffective. The following discussion highlights the duties of specific parties involved in the fraud risk management process.
Board of Directors
To ensure that the fraud risk management program is effective in both operation and design, it must be fully embraced by those charged with governing and overseeing the organization. Specifically, the board of directors must recognize the true and specific risks of fraud to the organization, as well as their potential impact, and respond by:
- Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture
- Raising awareness of the risks of fraud throughout the organization
- Developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans
- Overseeing the organization’s fraud risk management activities
Audit Committee
As a sub-group of the board of directors, the audit committee is often delegated oversight of the organization’s financial, accounting, and audit matters. As part of this responsibility, the committee must take an active role in overseeing the assessment and monitoring of the organization’s fraud risks. This involves:
- Receiving regular reports on the status of reported or alleged fraud
- Meeting regularly with key internal parties (e.g., the chief audit executive or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud
- Understanding how internal and external audit strategies address fraud risk
- Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management
- Engaging in open conversations with external auditors about any known or suspected fraud
Management
Management holds the primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program. As part of this, management should:
- Be intimately familiar with the organization’s fraud risks.
- Perform (or oversee the performance of) a fraud risk assessment and update it regularly.
- Form a risk management team within the organization to stay actively abreast of emerging risks.
- Ensure that the organization has specific and effective internal controls in place to prevent and detect fraud. This function may be performed by an outsourced firm if internal resources are unavailable.
- Perform a cost/benefit analysis so as not to “over-control” the organization such that important business processes cannot occur or will suffer.
- Perform routine checks to ensure that internal controls are adequate and performing as intended.
- Set a tone at the top and monitor the company culture to ensure that it appropriately supports the organization’s fraud prevention and detection strategies. Senior management must convey ethical values to employees so as to be a source of inspiration and to foster a reciprocal sense of commitment.
- Communicate clearly, in both words and deeds, that fraud is not permitted.
- Send regular blast voice mails and/or emails to staff about the importance of ethics and controls.
- Give annual refresher training on company policies and expectations.
- Discuss expectations at new hire orientation training so that staff understands expectations from the very beginning.
- Take seriously all reports of fraud and undertake investigations for any such reports deemed reliable.
- Ensure open channels for communication of fraudulent activity to investigators.
- Recognize that management might not be the optimal group to perform investigations, but ensure that investigations occur for all allegations of fraud deemed reliable. It may be preferable for investigations to be conducted by other departments or by an outsourced firm.
- Implement mechanisms through which fraud allegations can be reported confidentially and are handled according to a defined protocol. Punish perpetrators of discovered fraud appropriately. Punishing perpetrators reinforces the culture of ethics and the fact that fraud will not be tolerated.
- Take any steps necessary to remediate weaknesses that allowed fraud to occur.
Staff
According to Managing the Business Risk of Fraud, all levels of staff, including management, should:
- Have a basic understanding of fraud and be aware of the red flags.
- Understand:
  - Their roles within the organization’s internal control framework
  - How their business procedures are designed to manage fraud risk
  - When non-compliance might create an opportunity for fraud to occur or go undetected
- Read and understand policies and procedures such as the organization’s fraud policy, code of conduct, whistleblower policy, procurement manuals, etc.
- As required, participate in:
  - Creating a strong control environment
  - Designing and implementing fraud control activities
  - Monitoring activities
- Report suspicions or incidences of fraud.
- Cooperate in investigations.
Internal Audit
Part of the internal audit function’s role is to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes. Clearly, each of these organizational components (risk management strategies, internal controls, and governance processes) serves an important function in the fight against fraud. According to Managing the Business Risk of Fraud, internal auditors should:
- Devote sufficient time and attention to evaluating the design and operation of fraud controls, so as to provide objective assurance to the board of directors and management that the controls are adequate and function effectively to address the identified fraud risks.
- Review the comprehensiveness and adequacy of the fraud risks identified by management (giving particular consideration to fraud risks related to management override of controls).
- Consider the organization’s fraud risk assessment when developing its audit plan.
- Periodically review management’s fraud risk management strategy and capabilities.
- Communicate regularly with those responsible for the fraud risk assessment to ensure all fraud risks have been appropriately considered.
- Maintain an attitude of professional skepticism and be on guard for signs of fraud.
- Take an active role in supporting the organization’s ethical culture.
Additionally, depending on the organization’s structure and the internal audit charter, the internal audit function may be explicitly responsible for investigating suspected fraud, analyzing factors that contributed to the occurrence of known fraud, recommending improvements to anti-fraud controls, monitoring incoming reports of suspected fraud, and providing ethics training for employees.
Forming the Fraud Risk Management Team
When forming a fraud risk management team, an interdepartmental approach allows a variety of skills and a holistic perspective to be integrated into the team’s initiatives. However, the group should have a designated leader, such as the chief compliance officer or chief ethics officer, to guide the team and monitor the achievement of its objectives. In addition, the roles and responsibilities of each member must be clearly defined, along with explicit expectations for each of them.