Managing fraud risk: Preparing a response plan
In this snapshot of the CGMA report “Fraud Risk Management: A Guide to Good Practice”, Gillian Lees, CIMA’s head of corporate governance, highlights how properly responding to fraud can make or break an organisation’s recovery from an incident.
Periodically, the latest major fraud hits the headlines as other organisations sit back and watch, telling themselves “it couldn’t happen here”. But the reality is that fraud can happen anywhere. While relatively few major frauds are detailed in media coverage, huge sums are lost by all kinds of businesses as a result of the high number of smaller frauds.
The CGMA report “Fraud Risk Management: A Guide to Good Practice” contains telling fraud statistics and tips designed to help financial professionals and others with an interest in fighting fraud in their organisations to take practical steps towards establishing more robust procedures. Management accountants can find in the report a 16-step fraud prevention plan, sample fraud and whistle-blowing policies, and examples of fraud indicators, risks and controls.
While the law relating to fraud varies from jurisdiction to jurisdiction, there are universal principles of fraud risk management relating to prevention, detection and response. These can be applied by organisations of all sizes in any sector or country.
The report includes findings of the “2011 AICPA Forensic and Valuation Services (FVS) Trend Survey”, which drew more than 1,000 responses from forensic practitioners and senior finance professionals in business and industry. The survey sheds light on where in organisations fraud is likely to occur. It found that one-quarter of the types of fraud described involved false payment requests. Twenty-one percent involved cheque or credit card fraud, and 19% consisted of employee theft.
The report explores how to discover fraud when it occurs. Here we’ll focus on one aspect of the report – best practices for responding to suspected fraud. A sound plan for dealing with fraud can help a company overcome the problem and prosper. Tools available in the report include an outline of a fraud response plan and a sample response plan. A well-crafted plan can deter fraud and reduce panic if it occurs.
Properly executed, a fraud plan can:
Restrict damage and minimise losses.
Enable the company to retain market confidence.
Ensure the integrity of the evidence.
A fraud response plan would likely include corporate policy, a definition of fraud, roles and responsibilities of various internal and external stakeholders, considerations for establishing an investigation team and for the investigation itself, such as preservation of evidence and statements from witnesses, and potential outcomes, such as disciplinary, civil or criminal actions.
The division of responsibilities for fraud risk management will vary between organisations, depending on size, industry, culture and other factors. Some general guidelines that can be adapted to specific circumstances include:
The finance director/CFO: Will often have overall responsibility for the organisation’s response to fraud; will hold a master copy of the fraud response plan; and will maintain an investigation log detailing all reported suspicions, including those dismissed as minor or otherwise not investigated. The log will also record the actions taken and conclusions reached, and it provides an important tool for managing, reporting and evaluating lessons learnt.
Internal auditors: Likely to investigate incidences of fraud. It may be appropriate to designate specific auditors as fraud specialists and ensure that they have the appropriate skills and knowledge to undertake the task.
Legal advisers: Should be consulted as soon as fraud is reported. They can give advice on civil, internal and criminal responses and recovery of assets.
IT staff: Can provide technical advice on how to gather evidence if the fraud was computer based.
General management: Should take responsibility for detecting fraud in their departments and ensure their staff report any suspected irregularities.
This group and other individuals such as the fraud officer and human resource representatives can form an investigative team, delegating duties based on expertise. Members of the team should be informed of goals of the investigation before it begins.
Organisations can consider using specialist investigation skills from outside the organisation such as forensic accountants. Many specialist organisations exist to provide a discreet investigation and/or asset recovery service in accordance with their clients’ instructions.
An organisation’s willingness to learn from experience is as important as any other fraud response. Organisations should review each fraud with the goal of recommending improvements to systems and procedures. It’s important that recommended changes are implemented promptly.
Organisations may be losing as much as 5% of their revenue due to fraud, and small organisations are disproportionately affected. Having a plan in place for difficult scenarios may make the difference between managing the issues and suffering significant losses.
Gillian Lees is CIMA’s head of corporate governance.