ACFE FRAUD PREVENTION CHECK-UP


One of the ACFE’s most valuable fraud prevention resources, the ACFE Fraud Prevention Check-Up is a simple yet powerful test of your company’s fraud health. Test fraud prevention processes designed to help you identify major gaps and fix them before it is too late.

OVERVIEW

How Taking the ACFE Fraud Prevention Check-Up Can Help
Before You Take the ACFE Fraud Prevention Check-Up
Who Should Perform the ACFE Fraud Prevention Check-Up?
How Many Points Should We Award For Each Answer?
Take the ACFE Fraud Prevention Check-Up

ACFE.com (800) 245-3321 / +1 (512) 478-9000


The Benefits of Taking the ACFE Fraud Prevention Check-Up

• Since fraud can be a catastrophic risk, taking the ACFE Fraud Prevention Check-Up can save your company from disaster. If you do not proactively identify and manage your fraud risks, they could put you out of business almost overnight. Even if you survive a major fraud, it can damage your reputation so badly that you can no longer succeed independently.

• The ACFE Fraud Prevention Check-Up can pinpoint opportunities to save you money. Fraud is an expensive drain on a company’s financial resources. In today’s globally competitive environment, no one can afford to throw away the five percent of revenues that represents the largely hidden cost of fraud. Those businesses that have identified their most significant fraud costs (such as insurance and credit card companies) have made great strides in attacking and reducing those costs. If your organization is not identifying and tackling its fraud costs, it is vulnerable to competitors who lower their costs by doing so.

• Fraud is a common risk that should not be ignored. Fraud is now so common that its occurrence is no longer remarkable, only its scale. Any organization that fails to protect itself appropriately faces increased vulnerability to fraud.

• It is the least expensive way to find out your company’s vulnerability to fraud. Most organizations score very poorly in initial fraud prevention check-ups because they don’t have appropriate anti-fraud controls in place. By finding this out early, they have a chance to fix the problem before becoming a victim of a major fraud. It’s like finding out you have seriously high blood pressure. It may be bad news, but not finding out can be a lot worse.

• It is a great opportunity for your organization to establish a relationship with a Certified Fraud Examiner (CFE) you can call on when fraud questions arise. CFEs are experts in detecting fraud and helping organizations prevent it in the future.

• Strong fraud prevention processes help increase the confidence investors, regulators, audit committee members and the general public have in the integrity of your company’s financial reports. This could help to attract and retain capital.


Before You Take the ACFE Fraud Prevention Check-Up

• Let your organization’s general counsel or outside legal counsel know you plan to take the test. They may want to have you use the test under their direction, to protect your legal rights.

• Do not take the check-up if you plan to ignore the results. If it shows you have poor fraud prevention processes, you need to fix them. Failing to act could cause legal problems.

Who Should Perform the ACFE Fraud Prevention Check-Up?

• The check-up should ideally be a collaboration between objective, independent fraud specialists (such as CFEs) and people within the organization who have extensive knowledge about its operations. To locate a CFE in your area, visit ACFE.com/FindaCFE or call (800) 245-3321.

• Internal auditors bring extensive knowledge and a valuable perspective to such an evaluation. At the same time, the perspective of an independent and objective outsider is also important, as is the deep knowledge and experience of fraud that full-time fraud specialists provide.

• It is helpful to interview senior members of management as part of the evaluation process. But it is also valuable to interview employees at other levels of the organization, since they may sometimes provide a “reality check” that challenges the rosier view management might present, e.g., about management’s commitment to ethical business practices.

How Many Points Should We Award For Each Answer?

• The number of points available is given at the bottom of each question. You can award zero points if your organization has not implemented the recommended processes for that area. You can give the maximum number of points if you have implemented those processes and have had them tested in the past year and found them to be operating effectively. Award no more than half the available points if the recommended process is in place but has not been tested in the past year.

• The purpose of the check-up is to identify major gaps in your fraud prevention processes, as indicated by low point scores in particular areas. Even if you score 80 points out of 100, the missing 20 could be crucial fraud prevention measures that leave you exposed to major fraud. Therefore, there is no passing grade other than 100 points.


ACFE FRAUD PREVENTION CHECK-UP

Organization: ________________________________
Date of Check-up: ___________________________

1. Fraud risk oversight

• To what extent has the organization established a process for oversight of fraud risks by the board of directors or others charged with governance (e.g., an audit committee)?

Results: Score from 0 (process not in place) to 20 points (process fully implemented, tested within the past year and working effectively).
Score: ________

2. Fraud risk ownership

• To what extent has the organization created “ownership” of fraud risks by identifying a member of senior management as having responsibility for managing all fraud risks within the organization and by explicitly communicating to business unit managers that they are responsible for managing fraud risks within their area?

Results: Score from 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).
Score: ________

3. Fraud risk assessment

• To what extent has the organization implemented an ongoing process for regular identification of the significant fraud risks to which it is exposed?

Results: Score from 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).
Score: ________


4. Fraud risk tolerance and risk management policy

• To what extent has the organization identified and had approved by the board of directors its tolerance for different types of fraud risks? For example, some fraud risks may constitute a tolerable cost of doing business, while others may pose a catastrophic risk of financial or reputational damage.

• To what extent has the organization identified and had approved by the board of directors a policy on how it will manage its fraud risks? Such a policy should identify the risk owner responsible for managing fraud risks, what risks will be rejected (e.g., by declining certain business opportunities), what risks will be transferred to others through insurance or by contract, and what steps will be taken to manage the fraud risks that are retained.

Results: Score from 0 (processes not in place) to 10 points (processes fully implemented, tested within the past year and working effectively).
Score: ________


5. Process-level anti-fraud controls / reengineering

• To what extent has the organization implemented measures to eliminate or reduce through process reengineering each of the significant fraud risks identified in its risk assessment? Basic controls include segregation of duties relating to authorization, custody of assets and recording or reporting of transactions. In some cases it may be more cost-effective to reengineer business processes to reduce fraud risks rather than layer on additional controls over existing processes. For example, some fraud risks relating to receipt of funds can be eliminated or greatly reduced by centralizing that function or outsourcing it to a bank’s lockbox processing facility, where stronger controls can be more affordable.

• To what extent has the organization implemented measures at the process level designed to prevent, deter and detect each of the significant fraud risks identified in its risk assessment? For example, the risk of sales representatives falsifying sales to earn sales commissions can be reduced through effective monitoring by their sales manager, with approval required for sales above a certain threshold.

Results: Score from 0 (processes not in place) to 10 points (processes fully implemented, tested within the past year and working effectively).
Score: ________


6. Environment-level anti-fraud controls

Major frauds usually involve senior members of management who are able to override process-level controls through their high level of authority. Preventing major frauds therefore requires a strong emphasis on creating a workplace environment that promotes ethical behavior, deters wrongdoing and encourages all employees to communicate any known or suspected wrongdoing to the appropriate person. Senior managers may be unable to perpetrate certain fraud schemes if employees decline to aid and abet them in committing a crime. Although “soft” controls to promote appropriate workplace behavior are more difficult to implement and evaluate than traditional “hard” controls, they appear to be the best defense against fraud involving senior management.

• To what extent has the organization implemented a process to promote ethical behavior, deter wrongdoing and facilitate two-way communication on difficult issues? Such a process typically includes:

  – Having a senior member of management who is responsible for the organization’s processes to promote ethical behavior, deter wrongdoing and communicate appropriately on difficult issues. In large public companies, this may be a full-time position, such as ethics officer or compliance officer. In smaller companies, this will be an additional responsibility held by an existing member of management.


  – A code of conduct for employees at all levels, based on the company’s core values, which gives clear guidance on what behavior and actions are permitted and which ones are prohibited. The code should identify how employees should seek additional advice when faced with uncertain ethical decisions and how they should communicate concerns about known or potential wrongdoing.

  – Training for all personnel upon hiring, and regularly thereafter, concerning the code of conduct, seeking advice and communicating potential wrongdoing.

  – Communication systems to enable employees to seek advice where necessary prior to making difficult ethical decisions and to express concern about known or potential wrongdoing. Advice systems may include an ethics or compliance telephone help line or email to an ethics or compliance office/officer. The same or similar systems may be used to enable employees (and sometimes vendors, customers and others) to communicate concerns about known or potential wrongdoing. Provision should be made to enable such communications to be made anonymously, though strenuous efforts should be made to create an environment in which callers feel sufficiently confident to express their concerns openly. Open communication makes it easier to resolve the issues raised, but protecting callers from retribution is an important concern.


  – A process for promptly investigating (where appropriate) and resolving expressions of concern regarding known or potential wrongdoing, then communicating the resolution to those who expressed the concern. The organization should have a plan that sets out what actions will be taken, and by whom, to investigate and resolve different types of concerns. Some issues will be best addressed by human resources personnel, some by general counsel, some by internal auditors and some may require investigation by fraud specialists. Having a prearranged plan will greatly speed and ease the response and will ensure appropriate persons are notified where potentially significant issues are involved (e.g., legal counsel, board of directors, audit committee, independent auditors, regulators, etc.).

  – Monitoring of compliance with the code of conduct and participation in related training. Monitoring may include requiring at least annual confirmation of compliance and auditing of such confirmations to test their completeness and accuracy.

  – Regular measurement of the extent to which the organization’s ethics/compliance and fraud prevention goals are being achieved. Such measurement typically includes surveys of a statistically meaningful sample of employees. Surveys of employees’ attitudes towards the company’s ethics/compliance activities and the extent to which employees believe management acts in accordance with the code of conduct provide invaluable insight into how well those components are functioning.

  – Incorporation of ethics/compliance and fraud prevention goals into the performance measures against which managers are evaluated and which are used to determine performance-related compensation.

Results: Score from 0 (process not in place) to 30 points (process fully implemented, tested within the past year and working effectively).
Score: ________


7. Proactive fraud detection

• To what extent has the organization established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the potentially significant frauds identified in the organization’s fraud risk assessment. Other measures can include audit “hooks” embedded in transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading-edge fraud detection methods include computerized email monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.

Results: Score from 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).
Score: ________

ADD ALL SCORES FOR THE TOTAL SCORE (Out of a possible 100 points)
Total Score: ________

Interpreting the Score

A brief fraud prevention check-up provides a broad idea of your organization’s performance with respect to fraud prevention. The scoring necessarily involves broad judgments, while more extensive evaluations would have greater measurement data to draw upon. The important information to take from the check-up is the identification of particular areas for improvement in your company’s fraud prevention processes. The precise numerical score is less important and is only presented to help communicate an overall impression.

The desirable score for an organization of any size is 100 points, since the recommended processes are scalable to the size of your organization. Most companies should expect to fall significantly short of 100 points in an initial fraud prevention check-up. That is not currently considered to be a material weakness in internal controls that represents a reportable condition under securities regulations. However, significant gaps in fraud prevention measures should be closed promptly in order to reduce fraud losses and reduce the risk of future disaster.


World Headquarters • The Gregor Building
716 West Ave • Austin, TX 78701-2727 • USA
Phone: (800) 245-3321 / +1 (512) 478-9000
Fax: +1 (512) 478-9297
ACFE.com • info@ACFE.com

©2012 Association of Certified Fraud Examiners, Inc. Association of Certified Fraud Examiners, ACFE, the ACFE Logo and Certified Fraud Examiner (CFE) are trademarks owned by the Association of Certified Fraud Examiners, Inc.


Sponsored by: The Institute of Internal Auditors, The American Institute of Certified Public Accountants, Association of Certified Fraud Examiners

Managing the Business Risk of Fraud: A Practical Guide


From the Sponsoring Organizations:

The Institute of Internal Auditors
David A. Richards, CIA, CPA
President and Project Manager

The American Institute of Certified Public Accountants
Barry C. Melancon, CPA
President and CEO

Association of Certified Fraud Examiners
James D. Ratley, CFE
President

The views expressed in this document are for guidance purposes only and are not binding on organizations. Organizations should design and implement policies and procedures that best suit them. The IIA, AICPA, and ACFE shall not be responsible for organizations failing to establish policies and procedures that best suit their needs. This guide is intended to be applicable globally but heavily references practices in the United States and, where available, provides references to information from other countries, as well. We anticipate further references will be included in future updates.


Team Members:

Toby J.F. Bishop, CPA, CFE, FCA; Director, Deloitte Forensic Center; Deloitte Financial Advisory Services LLP
Corey Anne Bloom, CA, CA•IFA, CFE; Senior Associate, Dispute Resolution and Financial Investigation Services; RSM Richter Inc.
Joseph V. Carcello, Ph.D., CIA, CPA, CMA; Director of Research, Corporate Governance Center; Ernst & Young Professor; University of Tennessee
David L. Cotton, CPA, CFE, CGFM; Chairman; Cotton & Company LLP
Holly Daniels, CIA, CISA; Technical Director, Standards and Guidance; The Institute of Internal Auditors
Ronald L. Durkin, CPA, CFE, CIRA; National Partner in Charge, Fraud & Misconduct Investigations; KPMG LLP
David J. Elzinga, CA•IFA, CFE; Partner, Forensic Accounting & Investigation Services; Grant Thornton LLP
Robert E. Farrell, CFE; Principal, White Collar Investigations
Bruce J. Gavioli, CPA, MBA; Partner & National Leader, Anti-fraud Consulting; Deloitte Financial Advisory Services LLP
John D. Gill, JD, CFE; Research Director; Association of Certified Fraud Examiners
Sandra K. Johnigan, CPA, CFE; Johnigan, P.C.
Thomas M. Miller, CPA\ABV, CFE, PI; Technical Manager, Forensic and Valuation Services; AICPA
Lynn Morley, CIA, CGA; Morley Consulting & Training Services Inc.
Thomas Sanglier; Partner; Ernst & Young LLP
Jeffrey Steinhoff; Managing Director, Financial Management and Assurance (Retired); U.S. Government Accountability Office
William E. Stewart; Partner, Fraud Investigation & Dispute Services; Ernst & Young LLP
Bill Warren; Director, Fraud Risks and Controls; PricewaterhouseCoopers LLP
Mark F. Zimbelman, Ph.D.; Associate Professor and Selvoy J. Boyer Fellow; Brigham Young University

Project Advisors:

Eleanor Bloxham; Chief Executive Officer; The Value Alliance and Corporate Governance Alliance
Larry Harrington; Vice President, Internal Audit; Raytheon Company


Endorsers:

The following organizations endorse the nonbinding guidance of this guide as being of use to management and organizations interested in making fraud risk management programs work. The views and conclusions expressed in this guide are those of the authors and have not been adopted, approved, disapproved, or otherwise acted upon by a committee, governing body, or the membership of the endorser.


Managing the Business Risk of Fraud: A Practical Guide

TABLE OF CONTENTS

INTRODUCTION
SECTION 1: FRAUD RISK GOVERNANCE
SECTION 2: FRAUD RISK ASSESSMENT
SECTION 3: FRAUD PREVENTION
SECTION 4: FRAUD DETECTION
SECTION 5: FRAUD INVESTIGATION AND CORRECTIVE ACTION
CONCLUDING COMMENTS
APPENDICES:
APPENDIX A: REFERENCE MATERIAL
APPENDIX B: SAMPLE FRAMEWORK FOR A FRAUD CONTROL POLICY
APPENDIX C: SAMPLE FRAUD POLICY
APPENDIX D: FRAUD RISK ASSESSMENT FRAMEWORK EXAMPLE
APPENDIX E: FRAUD RISK EXPOSURES
APPENDIX F: FRAUD PREVENTION SCORECARD
APPENDIX G: FRAUD DETECTION SCORECARD
APPENDIX H: OCEG FOUNDATION PRINCIPLES THAT RELATE TO FRAUD
APPENDIX I: COSO INTERNAL CONTROL INTEGRATED FRAMEWORK


Managing the Business Risk of Fraud: A Practical Guide

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.¹

INTRODUCTION

All organizations are subject to fraud risks. Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.

Regulations such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA), the 1997 Organisation for Economic Co-operation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Sentencing Guidelines of 2005, and similar legislation throughout the world have increased management’s responsibility for fraud risk management.

Reactions to recent corporate scandals have led the public and stakeholders to expect organizations to take a “no fraud tolerance” attitude. Good governance principles demand that an organization’s board of directors, or equivalent oversight body, ensure overall high ethical behavior in the organization, regardless of its status as public, private, government, or not-for-profit; its relative size; or its industry. The board’s role is critically important because historically most major frauds are perpetrated by senior management in collusion with other employees.² Vigilant handling of fraud cases within an organization sends clear signals to the public, stakeholders, and regulators about the board and management’s attitude toward fraud risks and about the organization’s fraud risk tolerance.

In addition to the board, personnel at all levels of the organization — including every level of management, staff, and internal auditors, as well as the organization’s external auditors — have responsibility for dealing with fraud risk. Particularly, they are expected to explain how the organization is responding to heightened regulations, as well as public and stakeholder scrutiny; what form of fraud risk management program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what process is in place to investigate fraud and take corrective action.³ This guide is designed to help address these tough issues.

This guide recommends ways in which boards,⁴ senior management, and internal auditors can fight fraud in their organization. Specifically, it provides credible guidance from leading professional organizations that defines principles and theories for fraud risk management and describes how organizations of various sizes and types can

¹ This definition of fraud was developed uniquely for this guide, and the authors recognize that many other definitions of fraud exist, including those developed by the sponsoring organizations and endorsers of this guide.
² Refer to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 1999 analysis of cases of fraudulent financial statements investigated by the U.S. Securities and Exchange Commission (SEC).
³ Refer to June 2007 SEC Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 and U.S. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, for comments on fraud responsibilities.
⁴ Throughout this paper the terms board and board of directors refer to the governing body of the organization. The terms chief executive officer (CEO) and chief financial officer (CFO) refer to the senior level management individuals responsible for overall organization performance and financial reporting.


establish their own fraud risk management program. The guide includes examples of key program components and resources that organizations can use as a starting place to develop a fraud risk management program effectively and efficiently. Each organization needs to assess the degree of emphasis to place on fraud risk management based on its size and circumstances.

Executive Summary

As noted, fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. Regardless of culture, ethnicity, religion, or other factors, certain individuals will be motivated to commit fraud. A 2007 Oversight Systems study⁵ discovered that the primary reasons why fraud occurs are “pressures to do ‘whatever it takes’ to meet goals” (81 percent of respondents) and “to seek personal gain” (72 percent). Additionally, many respondents indicated that “they do not consider their actions fraudulent” (40 percent) as a reason for wrongful behavior.

Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

Principle 1: As part of an organization’s governance structure, a fraud risk management program⁶ should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

The following is a summary of this guide, which provides practical evidence for organizations committed to preserving stakeholder value. This guide can be used to assess an organization’s fraud risk management program, as a resource for improvement, or to develop a program where none exists.

Fraud Risk Governance

Organization stakeholders have clearly raised expectations for ethical organizational behavior. Meanwhile, regulators worldwide have increased criminal penalties that can be levied against organizations and individuals

⁵ The 2007 Oversight Systems Report on Corporate Fraud, www.oversightsystems.com.
⁶ Fraud risk management programs, also known as anti-fraud programs, can take many forms, as noted in Section 1 (Fraud Risk Governance) under the Fraud Risk Management Program heading.


who participate in committing fraud. Organizations should respond to such expectations. Effective governance processes are the foundation of fraud risk management. Lack of effective corporate governance seriously undermines any fraud risk management program. The organization’s overall tone at the top sets the standard regarding its tolerance of fraud.

The board of directors should ensure that its own governance practices set the tone for fraud risk management and that management implements policies that encourage ethical behavior, including processes for employees, customers, vendors, and other third parties to report instances where those standards are not met. The board should also monitor the organization’s fraud risk management effectiveness, which should be a regular item on its agenda. To this end, the board should appoint one executive-level member of management to be responsible for coordinating fraud risk management and reporting to the board on the topic.

Most organizations have some form of written policies and procedures to manage fraud risks. However, few have developed a concise summary of these activities and documents to help them communicate and evaluate their processes. We refer to the aggregate of these as the fraud risk management program, even if the organization has not formally designated it as such.

While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:

• Roles and responsibilities.
• Commitment.
• Fraud awareness.
• Affirmation process.
• Conflict disclosure.
• Fraud risk assessment.
• Reporting procedures and whistleblower protection.
• Investigation process.
• Corrective action.
• Quality assurance.
• Continuous monitoring.

Fraud Risk Assessment

To protect itself and its stakeholders effectively and efficiently from fraud, an organization should understand fraud risk and the specific risks that directly or indirectly apply to the organization. A structured fraud risk assessment, tailored to the organization’s size, complexity, industry, and goals, should be performed and updated periodically. The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response.


Fraud risk identification may include gathering external information from regulatory bodies (e.g., securities commissions), industry sources (e.g., law societies), key guidance-setting groups (e.g., Cadbury, King Report [7], and The Committee of Sponsoring Organizations of the Treadway Commission (COSO)), and professional organizations (e.g., The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA), the Association of Certified Fraud Examiners (ACFE), the Canadian Institute of Chartered Accountants (CICA), The CICA Alliance for Excellence in Investigative and Forensic Accounting, The Association of Chartered Certified Accountants (ACCA), and the International Federation of Accountants (IFAC), plus others noted in Appendix A of this document). Internal sources for identifying fraud risks should include interviews and brainstorming with personnel representing a broad spectrum of activities within the organization, review of whistleblower complaints, and analytical procedures.

An effective fraud risk identification process includes an assessment of the incentives, pressures, and opportunities to commit fraud. Employee incentive programs and the metrics on which they are based can provide a map to where fraud is most likely to occur. Fraud risk assessment should consider the potential override of controls by management as well as areas where controls are weak or there is a lack of segregation of duties.

The speed, functionality, and accessibility that created the enormous benefits of the information age have also increased an organization’s exposure to fraud. Therefore, any fraud risk assessment should consider access and override of system controls as well as internal and external threats to data integrity, system security, and theft of financial and sensitive business information.

Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s financial reporting, operations, and reputation, as well as legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk [8] of a particular fraud in the absence of any known controls that may address the risk.

Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices and controls to mitigate the risk, accepting the risk — but monitoring actual exposure — or designing ongoing or specific fraud evaluation procedures to deal with individual fraud risks. An organization should strive for a structured approach versus a haphazard approach. The benefit an implemented fraud risk management program provides should exceed its cost. Management and board members should ensure the organization has the appropriate control mix in place, recognizing their oversight duties and responsibilities in terms of the organization’s sustainability and their role as fiduciaries to stakeholders, depending on organizational form. Management is responsible for developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently by competent and objective individuals.

Fraud Prevention and Detection

Fraud prevention and detection are related, but are not the same concepts. Prevention encompasses policies, procedures, training, and communication that stop fraud from occurring, whereas detection focuses on activities and techniques that promptly recognize whether fraud has occurred or is occurring.

[7] The Cadbury Report refers to The Report of the Committee on the Financial Aspects of Corporate Governance, issued by the United Kingdom on Dec. 10, 1992, and the King Report refers to the King Report on Corporate Governance for South Africa, issued in 1994.
[8] Inherent risk is the risk before considering any internal controls in place to mitigate such risk.


While prevention techniques do not ensure fraud will not be committed, they are the first line of defense in minimizing fraud risk. One key to prevention is promoting, from the board down throughout the organization, an awareness of the fraud risk management program, including the types of fraud that may occur.

Meanwhile, one of the strongest fraud deterrents is the awareness that effective detective controls are in place. Combined with preventive controls, detective controls enhance the effectiveness of a fraud risk management program by demonstrating that preventive controls are working as intended and by identifying fraud if it does occur. Although detective controls may provide evidence that fraud has occurred or is occurring, they are not intended to prevent fraud.

Every organization is susceptible to fraud, but not all fraud can be prevented, nor is it cost-effective to try. An organization may determine it is more cost-effective to design its controls to detect, rather than prevent, certain fraud schemes. It is important that organizations consider both fraud prevention and fraud detection.

Investigation and Corrective Action

No system of internal control can provide absolute assurance against fraud. As a result, the board should ensure the organization develops a system for prompt, competent, and confidential review, investigation, and resolution of instances of noncompliance and allegations involving potential fraud. The board should also define its own role in the investigation process. An organization can improve its chances of loss recovery, while minimizing exposure to litigation and damage to reputation, by establishing and preplanning investigation and corrective action processes.

The board and the organization should establish a process to evaluate allegations. Individuals assigned to investigations should have the necessary authority and skills to evaluate the allegation and determine the appropriate course of action. The process should include a tracking or case management system where all allegations of fraud are logged. Clearly, the board should be actively involved with respect to allegations involving senior management.

If further investigation is deemed appropriate as the next course of action, the board should ensure that the organization has an appropriate and effective process to investigate cases and maintain confidentiality. A consistent process for conducting investigations can help the organization mitigate losses and manage risk associated with the investigation. In accordance with policies approved by the board, the investigation team should report its findings to the appropriate party, such as senior management, directors, legal counsel, and oversight bodies. Public disclosure may also need to be made to law enforcement, regulatory bodies, investors, shareholders, the media, or others.

If certain actions are required before the investigation is complete to preserve evidence, maintain confidence, or mitigate losses, those responsible for such decisions should ensure there is sufficient basis for those actions. When access to computerized information is required, specialists trained in computer file preservation should be used. Actions taken should be appropriate under the circumstances, applied consistently to all levels of employees (including senior management), and taken only after consultation with human resources (HR) and individuals responsible for such decisions. Consulting legal counsel is also strongly recommended before undertaking an investigation and is critical before taking disciplinary, civil, or criminal action. As a matter of good governance, management and the board should ensure that the foregoing measures are in place.


Thus, to properly address fraud risk within the organization, principles described in the following sections of this paper are needed to make sure:
• Suitable fraud risk management oversight and expectations exist (governance) — Principle 1.
• Fraud exposures are identified and evaluated (risk assessment) — Principle 2.
• Appropriate processes and procedures are in place to manage these exposures (prevention and detection) — Principles 3 & 4.
• Fraud allegations are addressed, and appropriate corrective action is taken in a timely manner (investigation and corrective action) — Principle 5. [9]

SECTION 1: FRAUD RISK GOVERNANCE

Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Corporate governance has been defined in many ways, including “The system by which companies are directed and controlled,” [10] and “The process by which corporations are made responsive to the rights and wishes of stakeholders.” [11] Corporate governance is also the manner in which management and those charged with oversight accountability meet their obligations and fiduciary responsibilities to stakeholders.

Business stakeholders (e.g., shareholders, employees, customers, vendors, governmental entities, community organizations, and media) have raised the awareness and expectation of corporate behavior and corporate governance practices. Some organizations have developed corporate cultures that encompass strong board governance practices, including:
• Board ownership of agendas and information flow.
• Access to multiple layers of management and effective control of a whistleblower hotline.
• Independent nomination processes.
• Effective senior management team (including chief executive officer (CEO), chief financial officer, and chief operating officer) evaluations, performance management, compensation, and succession planning.
• A code of conduct specific for senior management, in addition to the organization’s code of conduct.
• Strong emphasis on the board’s own independent effectiveness and process through board evaluations, executive sessions, and active participation in oversight of strategic and risk mitigation efforts.

These corporate cultures also include board assurance of business ethics considerations in hiring, evaluation, promotion, and remuneration policies for employees as well as ethics considerations in all aspects of their relationships with customers, vendors, and other business stakeholders. Effective boards and organizations will also address issues of ethics and the impact of ethical behavior on business strategy, operations, and long-term survival. The level of board and corporate commitment to these areas varies widely and directly affects the fraud risk profile of an organization.

Effective business ethics programs can serve as the foundation for preventing, detecting, and deterring fraudulent and criminal acts. An organization’s ethical treatment of employees, customers, vendors, and other partners will influence those receiving such treatment. These ethics programs create an environment where making the right decision is implicit.

The laws of most countries prohibit theft, corruption, and financial statement fraud. Government regulations worldwide have increased criminal penalties that can be levied against companies and individuals who participate in fraud schemes at the corporate level, and civil settlements brought by shareholders of public companies or lenders have rocketed to record amounts. [12] Market capitalizations of public companies drop dramatically at any hint of financial scandal, and likewise, customers punish those firms whose reputations are sullied by indications of harmful behavior. Therefore, it should be clear that organizations need to respond to such expectations, and that the board and senior management will be held accountable for fraud. In many organizations this is managed as part of corporate governance through entity-level controls, including a fraud risk management program. [13]

Roles and Responsibilities

To help ensure an organization’s fraud risk management program is effective, it is important to understand the roles and responsibilities that personnel at all levels of the organization have with respect to fraud risk management. Policies, job descriptions, charters, and/or delegations of authority should define roles and responsibilities related to fraud risk management. In particular, the documentation should articulate who is responsible for the governance oversight of fraud control (i.e., the role and responsibility of the board of directors and/or designated committee of the board). Documentation should also reflect management’s responsibility for the design and implementation of the fraud risk strategy, and how different segments of the organization support fraud risk management. Fraud risk management will often be supported by risk management, compliance, general counsel, the ethics office, security, information technology (IT), and internal auditing, or their equivalents. The board of directors, audit committee, management, staff, and internal auditing all have key roles in an organization’s fraud risk management program.

Board of Directors

To set the appropriate tone at the top, the board of directors first should ensure that the board itself is governed properly. This encompasses all aspects of board governance, including independent-minded board members who exercise control over board information, agenda, and access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.

[9] The Open Compliance and Ethics Group (OCEG) Foundation principles displayed in Appendix F of this document also provide guidance on underlying principles of good governance relative to fraud risk management.
[10] Sir Adrian Cadbury, The Committee on the Financial Aspects of Corporate Governance.
[11] Ada Demb and F. Friedrich Neubauer, The Corporate Board: Confronting the Paradoxes.
[12] In the United States and Europe, regulators assessed fines and penalties in excess of US $1 billion for fraudulent and/or criminal behavior during 2007. See www.sec.gov.
[13] ALARM (The National Forum for Risk Management in the Public Sector (UK)) lists a fraud risk management program as one of five essential governance strategies to manage fraud risk. Other strategies include a zero-tolerance culture, a sound counter-fraud and corruption framework, strong systems of internal control, and close working relationships with partners regarding fraud risk management activities.


The board also has the responsibility to ensure that management designs effective fraud risk management documentation to encourage ethical behavior and to empower employees, customers, and vendors to insist those standards are met every day. The board should:
• Understand fraud risks.
• Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been considered as part of the organization’s risk assessment and strategic plans. This responsibility should be addressed under a periodic agenda item at board meetings when general risks to the organization are considered.
• Monitor management’s reports on fraud risks, policies, and control activities, which include obtaining assurance that the controls are effective. The board also should establish mechanisms to ensure it is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud occurrences.
• Oversee the internal controls established by management.
• Set the appropriate tone at the top through the CEO job description, hiring, evaluation, and succession planning processes.
• Have the ability to retain and pay outside experts where needed.
• Provide external auditors with evidence regarding the board’s active involvement and concern about fraud risk management.

The board may choose to delegate oversight of some or all of such responsibilities to a committee of the board. These responsibilities should be documented in the board and applicable committee charters. The board should ensure it has sufficient resources of its own and approve sufficient resources in the budget and long-range plans to enable the organization to achieve its fraud risk management objectives.

Audit Committee (or similar oversight body) [14]

The audit committee should be composed of independent board members and should have at least one financial expert, preferably with an accounting background. The committee should meet frequently enough, for long enough periods, and with sufficient preparation to adequately assess and respond to the risk of fraud, especially management fraud, because such fraud typically involves override of the organization’s internal controls. It is key that the audit committee receive regular reports on the status of reported or alleged fraud.

An audit committee of the board that is committed to a proactive approach to fraud risk management maintains an active role in the oversight of the organization’s assessment of fraud risks and uses internal auditors, or other designated personnel, to monitor fraud risks. Such a committee also provides the external auditors with evidence that the committee is committed to fraud risk management and will discuss with the external auditor the auditors’ planned approach to fraud detection as part of the financial statement audit. Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention, an AICPA publication, provides valuable information for audit committees that take this approach.

[14] This heading discusses more detailed governance roles, using the audit committee as an illustration. Some organizations may require this level of responsibility by the full board, or the board may delegate it to a risk management committee, strategic planning committee, etc. Accounting standards and securities regulations in each country provide more detailed guidance as to what is a best practice or legal requirement in their jurisdictions.


At each audit committee meeting, the committee should meet separately from management with appropriate individuals, such as the chief internal audit executive and senior financial person. The audit committee should understand how internal and external audit strategies address fraud risk. The audit committee should not only focus on what the auditors are doing to detect fraud, but more importantly on what management is doing to prevent fraud, where possible.

The audit committee should be aware that the organization’s external auditors have a responsibility to plan and perform the audit of the organization’s financial statements to obtain reasonable assurance [15] about whether the financial statements are free of material misstatement, whether caused by error or fraud. The extent and limitations of an external audit are generally governed by the applicable audit standards in place. [16] The audit committee should insist on openness and honesty with the external auditors. The external auditors should also have commitment and cooperation from the audit committee. This includes open and candid dialogue between audit committee members and the external auditors regarding the audit committee’s knowledge of any fraud or suspected fraud affecting the organization as well as how the audit committee exercises oversight activities with respect to the organization’s assessment of the risks of fraud and the programs and controls the organization has established to mitigate these risks.

The audit committee should also seek the advice of legal counsel whenever dealing with issues of allegations of fraud. Fraud allegations should be taken seriously since there may be a legal obligation to investigate and/or report them.

In addition, since reputation risk resulting from fraudulent behavior often has a severe impact on shareholder value, the audit committee should provide specific consideration and oversight of this exposure when reviewing the work of management and internal auditors, and ask them to be alert for and report such exposure as they carry out their duties.

Management

Management has overall responsibility for the design and implementation of a fraud risk management program, including:
• Setting the tone at the top for the rest of the organization. As mentioned, an organization’s culture plays an important role in preventing, detecting, and deterring fraud. Management needs to create a culture through words and actions where it is clear that fraud is not tolerated, that any such behavior is dealt with swiftly and decisively, and that whistleblowers will not suffer retribution.
• Implementing adequate internal controls — including documenting fraud risk management policies and procedures and evaluating their effectiveness — aligned with the organization’s fraud risk assessment. To conduct a reasonable evaluation, it is necessary to compile information from various areas of the organization as part of the fraud risk management program.
• Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.

Whenever the external auditor has determined that there is evidence that fraud may exist, the external auditor’s professional standards require that the matter should be brought to the attention of an appropriate level of management in a timely manner. If the external auditor suspects fraud involving management, the external auditor must report these suspicions to those charged with governance (e.g., the audit committee).

In many organizations, one executive-level member of management is appointed to be responsible for fraud risk management and to report to the board periodically. This executive, a chief ethics officer for instance, is responsible for entity-level controls that establish the tone at the top and corporate culture. These expectations are often documented in the organization’s values or principles, code of conduct, and related policies; demonstrated through executive communications and behaviors; and included in training programs. The person appointed should be familiar with the organization’s fraud risks and process-level controls, and is often responsible for the design and implementation of the processes used to ensure compliance, reporting, and investigation of alleged violations.

Staff

Strong controls against fraud are the responsibility of everyone in the organization. The importance of internal controls in fraud risk management is not a new concept. In 1992, after more than three years of collaboration between corporate leaders, legislators, regulators, auditors, academics, and many others, COSO presented a common definition of internal controls and provided a framework against which organizations could assess and improve their internal control systems. COSO identified five components in its landmark Internal Control–Integrated Framework — control environment, risk assessment, control activities, information and communication, and monitoring — that may serve as the premise for the design of controls. The elements are deeply intertwined and overlapping in their nature, providing a natural interactive process to promote the type of environment in which fraud simply will not be tolerated at any level. [17]

All levels of staff, including management, should:
• Have a basic understanding of fraud and be aware of the red flags.
• Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.
• Read and understand policies and procedures (e.g., the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as procurement manuals.
• As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
• Report suspicions or incidences of fraud.
• Cooperate in investigations.

Internal Auditing

The IIA’s Definition of Internal Auditing states, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” In relation to fraud, this means that internal auditing provides assurance to the board and to management that the controls they have in place are appropriate given the organization’s risk appetite.

Internal auditing should provide objective assurance to the board and management that fraud controls are sufficient for identified fraud risks and ensure that the controls are functioning effectively. Internal auditors may review the comprehensiveness and adequacy of the risks identified by management — especially with regard to management override risks. [18]

Internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organization’s risk assessments, as well as others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately. When performing engagements, internal auditors should devote adequate time and attention to evaluating the design and operation of internal controls related to fraud risk management. They should exercise professional skepticism when reviewing activities and be on guard for the signs of fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards. Internal auditing should also take an active role in support of the organization’s ethical culture. [19]

The importance an organization attaches to its internal audit function is an indication of the organization’s commitment to effective internal control. The internal audit charter, which is approved by the board or designated committee, should include internal auditing’s roles and responsibilities related to fraud. Specific internal audit roles in relation to fraud risk management could include initial or full investigation of suspected fraud, root cause analysis and control improvement recommendations, monitoring of a reporting/whistleblower hotline, and providing ethics training sessions. [20] If assigned such duties, internal auditing has a responsibility to obtain sufficient skills and competencies, such as knowledge of fraud schemes, investigation techniques, and laws. Effective internal audit functions are adequately funded, staffed, and trained, with appropriate specialized skills given the nature, size, and complexity of the organization and its operating environment. Internal auditing should be independent (have independent authority and reporting relationships), have adequate access to the audit committee, and adhere to professional standards.

[15] The inherent limitations of an external audit regarding matters related to fraud are described in applicable audit standards. The standards acknowledge that owing to the inherent limitations of an external audit, there is an unavoidable risk that some material misstatements of the financial statements — particularly those resulting from fraud — will not be detected, even though the external auditor has properly planned and performed in accordance with generally accepted standards.
[16] Internationally, refer to International Standards on Auditing (ISA) No. 240, The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements. In the United States, refer to Statement of Auditing Standards (SAS) No. 99 (AU sec 316), Consideration of Fraud in a Financial Statement Audit; SAS No. 1 (AU sec 1), Codification of Auditing Standards and Procedures; PCAOB AS5; and Section 10A of the Securities Exchange Act of 1934. In Canada, refer to CICA Handbook – Assurance Section 5135, The Auditor’s Responsibility to Consider Fraud. One may also refer to the International Organisation of Supreme Audit Institutions (INTOSAI), the International Federation of Accountants (IFAC) International Auditing and Assurance Standards Board (IAASB), and the Association of Chartered Certified Accountants (ACCA).
[17] Appendix I suggests control activities aligned with each COSO component.
[18] Refer to the AICPA’s Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention publication.
[19] Refer to IIA Practice Advisory 2130-1: Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization.
[20] For additional information, refer to IIA Practice Advisories 1210-A2-1: Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection; and 1210-A2-2: Auditor’s Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communication; as well as the IIA–UK and Ireland Fraud Position Statement.


Fraud Risk Management Program Components

Most organizations have written policies and procedures to manage fraud risks, such as codes of conduct, expense account procedures, and incident investigation standards. They usually have some activities that management has implemented to assess risks, ensure compliance, identify and investigate violations, measure and report the organization’s performance to appropriate stakeholders, and communicate expectations. However, few have developed a concise summary of these documents and activities to help them communicate and evaluate their processes. We refer to the aggregate of these as the fraud risk management program (“program”), even if the organization has not formally designated it as such.

It is management’s prerogative, with oversight from the board, to determine the type and format of documentation it wishes to adopt for its program. Suggested formats include:

• A single comprehensive and complete document that addresses all aspects of fraud risk management (i.e., a fraud control policy[21]).
• A brief strategy outline emphasizing the attributes of fraud control, but leaving the design of specific policies and procedures to those responsible for business functions within the organization.
• An outline, within a control framework, referencing relevant policies, procedures, plans, programs, reports, and responsible positions, developed by the organization’s head office, divisions, or subsidiaries.[22]

While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:

Commitment

The board and senior management should communicate their commitment to fraud risk management. One method would be to embed this commitment in the organization’s values or principles and code of conduct. Another method is issuing a short document (e.g., letter) made available to all employees, vendors, and customers. This summary document should stress the importance of fraud risk mitigation, acknowledge the organization’s vulnerability to fraud, and establish the responsibility for each person within the organization to support fraud risk management. The letter should be endorsed or authored by a senior executive or board member, provided to employees as part of their orientation process, and reissued periodically. The letter could serve as the foundation for, and may be the executive summary of, a fraud control policy.

Fraud Awareness

An ongoing awareness program is a key enabler to convey fraud risk management expectations, as well as an effective preventive control. Awareness of fraud and misconduct schemes is developed through periodic

[21] For examples of fraud control policies, see Appendices B and C.
[22] Some organizations centralize fraud risk management information under the chief ethics officer or within a framework used by internal auditing or the chief financial officer. Others may have this information spread out across the organization — for example, investigation standards and files in legal, hiring and training information in human resources, hotline information in internal auditing, risk assessment in the enterprise risk management group — and will need to compile it to do an effective evaluation and to enable concise reporting to the board.


assessment, training, and frequent communication. An organization’s fraud risk management program will assist the organization with fraud awareness. Documentation to support fraud awareness should define and describe fraud and fraud risks.[23] It should also provide examples of the types of fraud that could occur and identify potential perpetrators of fraud.

When designing fraud awareness programs, management should consider who should attend, frequency and length, cultural sensitivities, guidance on how to solve ethical dilemmas, and delivery methods. Management should also consider the training needs of the board or board committee members.

Affirmation Process

An organization should determine whether there are any legal issues involved with having an affirmation process, which is the requirement for directors, employees, and contractors to acknowledge they have read, understood, and complied with the code of conduct, a fraud control policy, and other such documentation to support the organization’s fraud risk management program. There is a fraud risk to the organization of not having an affirmation process. This should be acknowledged and accepted at or above a senior management level.

The affirmation process may be handled electronically or via manual signature. Organizations implementing best practice often also require personnel to acknowledge that they are not aware of anyone who is in violation of the policies. Management should establish consequences for refusal to sign off and apply such action consistently.

Some organizations include terms in their contracts that require service providers to agree to abide by the organization’s code of conduct, a global standard, or the like, which may also prevent fraud. Others require senior management to sign a code of conduct specific to employees at higher levels of the organization and require service providers to sign separate agreements on specific topics, such as confidentiality or use of company technologies.

Conflict Disclosure

A process should be implemented for directors, employees, and contractors to internally self-disclose potential or actual conflicts of interest. Once conflicts are internally disclosed, there are several decision paths:

• Management may assert that there is, in fact, a conflict and require the individual to terminate the activity or leave the organization.
• Management may accept the internal disclosure and determine that there is no conflict of interest in the situation described.
• Management may decide that there is a potential for conflict of interest and may impose certain constraints on the individual to manage the identified risk and to ensure there is no opportunity for a conflict to arise.

The disclosure of a potential conflict of interest and management’s decision[24] should be documented and disclosed to legal counsel. Any constraints placed on the situation need to be monitored. For example, a buyer who has

[23] Refer to Section 2 (Fraud Risk Assessment) for a more detailed discussion of fraud risks and risk assessments.
[24] Conflict of interest policy provision waivers for executive officers of New York Stock Exchange-listed companies can only be granted by the board of directors or a committee thereof, and such waivers have to be disclosed to shareholders promptly. Waivers for executive officers of NASDAQ-listed companies can only be granted by independent board members, and such waivers need to be disclosed.


recently been hired in the purchasing department is responsible for all purchases in Division A. His brother has a local hardware store that supplies product to Division A. The buyer discloses the potential conflict of interest and is told that transactions with the hardware store are permitted, as long as the department supervisor monitors a monthly report of all activity with the hardware store to ensure the activity and price levels are reasonable and competitive. When the buyer is promoted or transferred, the constraints may be removed or altered.

Other disclosure processes may also exist, such as insider trading disclosures. Those processes that mitigate potential fraud risk should be linked to the fraud risk management program. Organizations should evaluate the legal requirements and/or business benefits of disclosing their code of conduct, fraud control policy, or related statements to the public.

Fraud Risk Assessment[25]

The foundations of an effective fraud risk management program are rooted in a risk assessment, overseen by the board, which identifies where fraud may occur within the organization. A fraud risk assessment should be performed on a systematic and recurring basis, involve appropriate personnel, consider relevant fraud schemes and scenarios, and map those fraud schemes and scenarios to mitigating controls. The existence of a fraud risk assessment and the fact that management is articulating its existence may even deter would-be fraud perpetrators.

The system of internal controls in an organization is designed to address inherent business risks. The business risks are identified in the enterprise risk assessment protocol, and the controls associated with each risk are noted. COSO’s Enterprise Risk Management–Integrated Framework describes the essential ERM components, principles, and concepts for all organizations, regardless of size.

Reporting Procedures and Whistleblower Protection

Documentation should not only articulate the organization’s zero tolerance[26] for fraud, it should also establish the expectation that suspected fraud must be reported immediately and provide the means to do so. The channels to report suspected fraud issues should be clearly defined and communicated. These may be the same as or different from channels for reporting other code of conduct violations.

Considering that people commit fraud and that people are an organization’s best asset in preventing, detecting, and deterring fraud, an organization should consider promoting available fraud reporting resources that individuals may access, such as a fraud or ethics page on the organization’s Web site, an ombudsman, or a whistleblower hotline.

To encourage timely reporting of suspected issues, the organization should communicate the protections afforded to the individual reporting the issue — often referred to as whistleblower protection. In some countries, securities regulations require organizations to have whistleblower protection.

[25] For more information on fraud risk assessments, refer to Section 2: Fraud Risk Assessment.
[26] ALARM (The National Forum for Risk Management in the Public Sector (UK)) lists a culture of zero tolerance as one of five essential governance strategies to manage fraud risk. Other strategies include an embedded strategic approach to risk management, a sound counter fraud and corruption framework, strong systems of internal control, and close working relationships with partners regarding fraud risk management activities.


Investigation Process[27]

Organizations should require that an investigation process be in place. Once an issue is suspected and reported, an investigation process will follow. The board and management should have a documented protocol for this process, including consideration of who should conduct the investigation — whether it be internal personnel or hiring experts in this field — rules of evidence, chains of custody, reporting mechanisms to those charged with governance, regulatory requirements, and legal actions. Organizations should also consider whether to require all employees, as a condition of employment, to cooperate fully with an investigation into any alleged or suspected fraud.

Corrective Action

As a deterrent, policies should reflect the consequences and processes for those who commit or condone fraudulent activity. These consequences may include termination of employment or of a contract and reporting to legal and regulatory authorities. The organization should articulate that it has the right to institute civil or criminal action against anyone who commits fraud.

When fraud does occur within the organization, policies should reflect the need to conduct a postmortem to identify the control weakness that contributed to the fraudulent act. The postmortem should lead to a remediation of any identified control deficiencies. Internal auditors are important resources for this activity.

Process Evaluation and Improvement (Quality Assurance)

Documentation should describe whether, and/or how, management will periodically evaluate the effectiveness of the fraud risk management program and monitor changes. It may include the need for measurements and analysis of statistics, benchmarks, resources, and survey results. The results of this evaluation should be reported to appropriate oversight groups and be used by management to improve the fraud risk management program.

Continuous Monitoring

The fraud risk management program, including related documents, should be revised and reviewed based on the changing needs of the organization, recognizing that documentation is static, while organizations are dynamic. Fraud risk management program documentation should be updated on an ongoing basis to reflect current conditions and to reflect the organization’s continuing commitment to the fraud risk management program.

SECTION 2: FRAUD RISK ASSESSMENT

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Regulators, professional standard-setters, and law enforcement authorities have emphasized the crucial role risk assessment plays in developing and maintaining effective fraud risk management programs and controls.[28]

[27] Refer to Section 5 (Investigation and Corrective Action) for more details on the investigation process and corrective action.
[28] Refer to June 2007 SEC Guidance to Management; PCAOB AS5; IIA Practice Advisory 1210-A2-1: Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection; COSO for Small Business: Principle 10–Fraud Risk; SAS No. 99, Consideration of Fraud in a Financial Statement Audit; and ISA No. 240.


Organizations can identify and assess fraud risks in conjunction with an overall enterprise risk assessment or on a stand-alone basis.

Guidance for conducting a fraud risk assessment is provided in this section of the guide. Organizations can tailor this approach to meet their individual needs, complexities, and goals.

The foundation of an effective fraud risk management program should be seen as a component of a larger enterprise risk management (ERM) effort and is rooted in a risk assessment that identifies where fraud may occur and who the perpetrators might be. To this end, control activities should always consider both the fraud scheme and the individuals within and outside the organization who could be the perpetrators of each scheme. If the scheme is collusive,[29] preventive controls should be augmented by detective controls, as collusion negates the control effectiveness of segregation of duties.

Fraud, by definition, entails intentional misconduct, designed to evade detection. As such, the fraud risk assessment team should engage in strategic reasoning to anticipate the behavior of a potential fraud perpetrator.[30] Strategic reasoning, which is also important in designing fraud detection procedures that a perpetrator may not expect, requires a skeptical mindset and involves asking questions such as:

• How might a fraud perpetrator exploit weaknesses in the system of controls?
• How could a perpetrator override or circumvent controls?
• What could a perpetrator do to conceal the fraud?

With this in mind, a fraud risk assessment generally includes three key elements:

• Identify inherent fraud risk[31] — Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.
• Assess likelihood and significance of inherent fraud risk — Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including business process owners.
• Respond to reasonably likely and significant inherent and residual fraud risks — Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.

[29] A collusive scheme is one performed by two or more individuals working together.
[30] T. Jeffrey Wilks and M.F. Zimbelman, “Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud,” Accounting Horizons, Volume 18, No. 3 (September 2004).
[31] The initial assessment of fraud risk should consider the inherent risk of particular frauds occurring in the absence of internal controls. After all relevant fraud risks have been identified, internal controls are mapped to the identified risks. Fraud risks that remain unaddressed by appropriate controls comprise the population of residual fraud risks.


Organizations should apply a framework to document their fraud risk assessment. The framework below illustrates how the elements of fraud risk identification, assessment, and response are applied in a rational, structured approach. This example begins with a list of identified fraud risks and schemes, which are then assessed for relative likelihood and significance of occurrence. Next, the risks and schemes are mapped to the people and/or departments that may be impacted and to relevant controls, which are evaluated for design effectiveness and tested to validate operating effectiveness. Lastly, residual risks are identified, and a fraud risk response is developed.[32]

Framework columns:
Identified Fraud Risks and Schemes | Likelihood | Significance | People and/or Department | Existing Anti-fraud Controls | Controls Effectiveness Assessment | Residual Risks | Fraud Risk Response

Identified Fraud Risks and Schemes (the remaining columns are left blank in the template for the organization to complete):

Financial reporting
  Revenue recognition
  - Backdating agreements
  - Channel stuffing
  - Inducing distributors to accept more product than necessary
  - Holding books open
  - Via recording detail transactions in a sub-ledger
  - Via recording top-side journal entries
  - Additional revenue risks
  Management estimates
  - Self insurance
  - Altering underlying detail claims and estimate data
  - Fraudulently changing underlying assumptions in estimation of liability
  - Allowance for bad debts
  - Altering underlying A/R aging to manipulate computation
  - Fraudulent input from sales persons or credit department on credit quality
  - Additional estimates
  Disclosures
  - Footnotes
  - Additional disclosures
Misappropriation of assets
  Cash/check
  - Point of sale
  - Accounts receivable application process
  - Master vendor file controls override
  - Additional risks
  Inventory
  - Theft by customers
  - Theft by employees
  Other assets at risk
Corruption
  - Bribery
  - Aiding and abetting
Other Risks

[32] Refer to Appendix D of this document for an example of the use of this framework.
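As an added illustration (not material from the guide), the following Python models the framework above as a risk register: each identified scheme is scored for likelihood and significance, mapped to its department and anti-fraud controls, credited only for controls that are both designed and operating effectively, and given a residual score and a response. The ordinal scales, the residual-risk rule and the response thresholds are assumptions; the one rule taken from the page is that preventive controls alone are not credited against a collusive scheme, because collusion negates segregation of duties.

```python
"""Fraud risk assessment register modelled on the framework columns:
identified risk/scheme, likelihood, significance, people/department,
existing anti-fraud controls, control effectiveness, residual risk, response.
Scales, the residual-risk rule and thresholds are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed ordinal scales; the guide leaves the scale to the organization.
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
SIGNIFICANCE = {"inconsequential": 1, "more than inconsequential": 2, "material": 3}


@dataclass
class Control:
    name: str
    kind: str                  # "preventive" or "detective"
    design_effective: bool     # evaluated for design effectiveness
    operating_effective: bool  # tested to validate operating effectiveness

    def is_effective(self) -> bool:
        # A control only counts if it is both well designed and operating.
        return self.design_effective and self.operating_effective


@dataclass
class FraudRisk:
    category: str              # e.g. "Financial reporting"
    scheme: str                # e.g. "Revenue recognition: channel stuffing"
    likelihood: str
    significance: str
    department: str            # people and/or department that may be impacted
    collusive: bool = False    # two or more individuals working together
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        # Inherent risk: likelihood x significance before any controls.
        return LIKELIHOOD[self.likelihood] * SIGNIFICANCE[self.significance]

    def credited_controls(self) -> List[Control]:
        """Effective controls that reduce this risk.  For a collusive scheme
        collusion negates segregation of duties, so only detective controls
        are credited there (assumed rule derived from the guide's statement)."""
        effective = [c for c in self.controls if c.is_effective()]
        if self.collusive:
            effective = [c for c in effective if c.kind == "detective"]
        return effective

    def residual_score(self) -> int:
        """Assumed rule: each credited control lowers likelihood one step
        (never below 1); controls do not change significance."""
        lik = max(1, LIKELIHOOD[self.likelihood] - len(self.credited_controls()))
        return lik * SIGNIFICANCE[self.significance]

    def response(self) -> str:
        """Assumed cost-benefit response thresholds on the residual score."""
        score = self.residual_score()
        if score >= 6:
            return "implement additional controls or fraud detection procedures"
        if score >= 3:
            return "monitor; consider targeted detection procedures"
        return "accept residual risk"


def build_register() -> List[FraudRisk]:
    """Constructed sample register using schemes named in the framework."""
    return [
        FraudRisk("Financial reporting", "Revenue recognition: channel stuffing",
                  "reasonably possible", "material", "Sales / Finance",
                  collusive=True,  # sales staff acting together with distributors
                  controls=[
                      Control("Segregation of duties, sales vs. billing",
                              "preventive", True, True),
                      Control("Quarter-end shipment and return analytics",
                              "detective", True, False),  # not yet operating
                  ]),
        FraudRisk("Misappropriation of assets",
                  "Cash/check: master vendor file controls override",
                  "probable", "more than inconsequential", "Accounts payable",
                  controls=[
                      Control("Independent approval of vendor master changes",
                              "preventive", True, True),
                      Control("Monthly controller review of new-vendor report",
                              "detective", True, True),
                  ]),
        FraudRisk("Corruption", "Bribery of public officials",
                  "remote", "material", "International sales"),
    ]


def assess(register: List[FraudRisk]) -> List[Dict[str, object]]:
    """One framework row per identified risk, ready to tabulate or report."""
    return [{"category": r.category, "scheme": r.scheme,
             "department": r.department, "inherent": r.inherent_score(),
             "controls_credited": [c.name for c in r.credited_controls()],
             "residual": r.residual_score(), "response": r.response()}
            for r in register]
```

Note that the channel-stuffing row keeps its full inherent score: the effective segregation-of-duties control is not credited because the scheme is collusive, and the detective analytics are not yet operating, so the framework points to adding detection procedures.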


The Risk Assessment Team

A good risk assessment requires input from various sources. Before conducting a risk assessment, management should identify a risk assessment team. This team should include individuals from throughout the organization with different knowledge, skills, and perspectives and should include a combination of internal and external resources such as:

• Accounting/finance personnel, who are familiar with the financial reporting process and internal controls.
• Nonfinancial business unit and operations personnel, to leverage their knowledge of day-to-day operations, customer and vendor interactions, and general awareness of issues within the industry.
• Risk management personnel, to ensure that the fraud risk assessment process integrates with the organization’s ERM program.
• Legal and compliance personnel, as the fraud risk assessment will identify risks that give rise to potential criminal, civil, and regulatory liability if the fraud or misconduct were to occur.
• Internal audit personnel, who will be familiar with the organization’s internal controls and monitoring functions. In addition, internal auditors will be integral in developing and executing responses to significant risks that cannot be mitigated practically by preventive and detective controls.
• If expertise is not available internally, external consultants with expertise in applicable standards, key risk indicators, anti-fraud methodology, control activities, and detection procedures.

Management, including senior management, business unit leaders, and significant process owners (e.g., accounting, sales, procurement, and operations) should participate in the assessment, as they are ultimately accountable for the effectiveness of the organization’s fraud risk management efforts.

Fraud Risk Identification

Once assembled, the risk assessment team should go through a brainstorming activity to identify the organization’s fraud risks. Effective brainstorming involves preparation in advance of the meeting, a leader to set the agenda and facilitate the session, and openness to ideas regarding potential risks and controls.[33] Brainstorming enables discussions of the incentives, pressures, and opportunities to commit fraud; risks of management override of controls; and the population of fraud risks relevant to the organization.[34] Other risks, such as regulatory and legal misconduct and reputation risk, as well as the impact of IT on fraud risks, also should be considered in the fraud risk identification process.

The organization’s fraud risk identification information should be shared with the board or audit committee and comments should be solicited. The board also should assess the implications of its own processes with respect to its contribution to fraud risk, including incentive pressures.

[33] Sources of information about good brainstorming practices include (a) Mark S. Beasley and Gregory Jenkins, “A Primer for Brainstorming Fraud Risks,” Journal of Accountancy, December 2003, and (b) Michael J. Ramos, “Brainstorming Prior to the Audit,” in Fraud Detection in a GAAS Audit: Revised Edition, Chapter 2: “Considering Fraud in a Financial Statement Audit.”
[34] Refer to Appendix E: Fraud Risk Exposures of this document for a list of potential fraud risks which could be used in brainstorming.


Incentives, Pressures, and Opportunities

Motives for committing fraud are numerous and diverse. One executive may believe that the organization’s business strategy will ultimately be successful, but interim negative results need to be concealed to give the strategy time. Another needs just a few more pennies per share of income to qualify for a bonus or to meet analysts’ estimates. The third executive purposefully understates income to save for a rainy day.

The fraud risk identification process should include an assessment of the incentives, pressures, and opportunities to commit fraud. Incentive programs should be evaluated — by the board for senior management and by management for others — as to how they may affect employees’ behavior when conducting business or applying professional judgment (e.g., estimating bad debt allowances or revenue recognition). Financial incentives and the metrics on which they are based can provide a map to where fraud is most likely to occur. There may also be nonfinancial incentives, such as when an employee records a fictitious transaction so he or she does not have to explain an otherwise unplanned variance. Even maintaining the status quo is sometimes a powerful enough incentive for personnel to commit fraud.

Also important, and often harder to quantify, are the pressures on individuals to achieve performance or other targets. Some organizations are transparent, setting specific targets and metrics on which personnel will be measured. Other organizations are more indirect and subtle, relying on corporate culture to influence behavior. Individuals may not have any incremental monetary incentive to fraudulently adjust a transaction, but there may be ample pressure — real or perceived — on an employee to act fraudulently.

Meanwhile, opportunities to commit fraud exist throughout organizations and may be reason enough to commit fraud. These opportunities are greatest in areas with weak internal controls and a lack of segregation of duties. However, some frauds, especially those committed by management, may be difficult to detect because management can often override the controls. Such opportunities are why appropriate monitoring of senior management by a strong board and audit committee, supported by internal auditing, is critical to fraud risk management.

Risk of Management’s Override of Controls

As part of the risk identification process, it is important to consider the potential for management override of controls established to prevent or detect fraud. Personnel within the organization generally know the controls and standard operating procedures that are in place to prevent fraud. It is reasonable to assume that individuals who are intent on committing fraud will use their knowledge of the organization’s controls to do it in a manner that will conceal their actions. For example, a manager who has the authority to approve new vendors may create and approve a fictitious vendor and then submit invoices for payment, rather than just submit false invoices for payment. Hence, it is also important to keep the risk of management’s override of controls in mind when evaluating the effectiveness of controls; an anti-fraud control is not effective if it can be overridden easily.

Population of Fraud Risks

The fraud risk identification process requires an understanding of the universe of fraud risks and the subset of risks specific to the organization. This may involve obtaining information from external sources such as industry news; criminal, civil, and regulatory complaints and settlements; and organizations such as The IIA, AICPA, ACFE, and CICA.


This also involves understanding the organization’s business processes and gathering information about potential fraud from internal sources by interviewing personnel and brainstorming with them, reviewing complaints from the whistleblower hotline, and performing analytical procedures.

Various taxonomies are available to organize fraud risks. Appendix H displays the Foundation Principles issued by the Open Compliance and Ethics Group (OCEG) that relate to fraud risk identification. The ACFE, on the other hand, classifies occupational fraud risks into three general categories: fraudulent statements, misappropriation of assets, and corruption.[35] Using the ACFE’s categories as a starting point, a more detailed breakout can be developed to produce an organization-specific fraud risk assessment. For example, potential fraud risks to consider in the ACFE’s three general categories include:

1) Intentional manipulation of financial statements, which can lead to:
   a) Inappropriately reported revenues.
   b) Inappropriately reported expenses.
   c) Inappropriately reflected balance sheet amounts, including reserves.
   d) Inappropriately improved and/or masked disclosures.
   e) Concealing misappropriation of assets.
   f) Concealing unauthorized receipts and expenditures.
   g) Concealing unauthorized acquisition, disposition, and use of assets.
2) Misappropriation of:
   a) Tangible assets by:
      i) Employees.
      ii) Customers.
      iii) Vendors.
      iv) Former employees and others outside the organization.
   b) Intangible assets.
   c) Proprietary business opportunities.
3) Corruption including:
   a) Bribery and gratuities to:
      i) Companies.
      ii) Private individuals.
      iii) Public officials.
   b) Receipt of bribes, kickbacks, and gratuities.
   c) Aiding and abetting fraud by other parties (e.g., customers, vendors).

Fraudulent Financial Reporting

Each of the three categories outlined by the ACFE includes at least one scheme of how the fraud could occur. For instance, acceleration of revenue recognition can be achieved via numerous schemes, including backdating agreements, recognizing revenue on product not shipped by period end, or channel stuffing. Some fraudulent

[35] The ACFE’s Report to the Nation on Occupational Fraud and Abuse.


financial reporting schemes are common across all organizations (e.g., setting aside unsupported reserves for use in future periods and fraudulent top-side entries); other schemes are more industry-specific (e.g., backdating agreements at software companies or channel stuffing for organizations that sell via distributors). Each scheme that could be relevant to the organization should be considered in the assessment.

Organizations can use the framework in Appendix D to identify specific areas of greatest risk and as a foundation for customizing the assessment process for their specific needs. For example, starting with the revenue recognition component of fraudulent financial reporting, the assessment should consider the following questions:

• What are the main drivers of revenue at the organization?
• Are revenues primarily from volume sales of relatively homogeneous products, or are they driven by a relatively few individual transactions?
• What are the incentives and pressures present in the organization?
• Are revenues recorded systematically or manually?
• Are there any revenue recognition fraud risks specific to the organization’s industry?

For significant marketplace disclosures (e.g., loan delinquency percentages) consider the following questions:

• What controls are in place to monitor internal gathering and reporting of these disclosures?
• Is there oversight from someone whose compensation is not directly affected by his or her performance?
• Does someone monitor the organization’s disclosures in relation to other organizations and ask hard questions about whether the organization’s disclosures are adequate or could be improved?

The types of fraudulent financial reporting outlined by the ACFE typically focus on improving the organization’s financial picture by overstating income, understating losses, or using misleading disclosures. Conversely, some organizations understate income to smooth earnings. Any intentional misstatement of accounting information represents fraudulent financial reporting.

Another consideration involves fraud where the objective is not to improve the organization’s financial statements, but to cover up a hole left by the misappropriation or misuse of assets. In this case, the fraud also includes fraudulent financial reporting.

Misappropriation of Assets

An organization’s assets, both tangible (e.g., cash or inventory) and intangible (e.g., proprietary or confidential product, or customer information), can be misappropriated by employees, customers, or vendors. The organization should ensure that controls are in place to protect such assets. Considerations to be made in the fraud risk assessment process include gaining an understanding of what assets are subject to misappropriation, the locations where the assets are maintained, and which personnel have control over or access to tangible or intangible assets.

Common schemes include misappropriation by:

• Employees.
  - Creation of, and payments to, fictitious vendors.
  - Payment of inflated or fictitious invoices.


  - Invoices for goods not received or services not performed.
  - Theft of inventory or use of business assets for personal gain.
  - False or inflated expense claims.
  - Theft or use of customer lists and proprietary information.
• Employees in collusion with vendors, customers, or third parties.
  - Payment of inflated or fictitious invoices.
  - Issuance of inflated or fictitious credit notes.
  - Invoices for goods not received or services not performed.
  - Preferred pricing or delivery.
  - Contract bid rigging.
  - Theft or use of customer lists and proprietary information.
• Vendors.
  - Inflated or fictitious invoices.
  - Short shipments or substitution of lower quality goods.
  - Invoices for goods not received or services not performed.
• Customers.
  - False claims for damaged or returned goods or short shipments.

Protecting against these risks requires not only physical safeguarding controls, but also periodic detective controls such as physical counts of inventory with reconciliations to the general ledger. Remember, a smart perpetrator may anticipate such controls and design the fraud to circumvent them or to be concealed from them. Those conducting the risk assessment should keep this in mind when deliberating misappropriation of asset schemes and their impact on the organization.

Corruption

Corruption is operationally defined as the misuse of entrusted power for private gain. In the United States, the FCPA prohibits U.S. entities, their foreign subsidiaries, and others from bribing foreign government officials, either directly or indirectly, to obtain or retain business. There are similar anti-corruption laws in other countries as well as guidelines established by the United Nations Convention Against Corruption, to which more than 100 countries are signatories.

Organizations that have operations outside their home countries need to consider other relevant anti-corruption laws when establishing a fraud risk management program. Transparency International, a multinational organization focused on anti-corruption and transparency in business and government, issues an annual Corruption Perception Index, which ranks countries on their perceived levels of corruption. The Corruption Perception Index can assist organizations in prioritizing their anti-corruption efforts in areas of the world at greatest risk. It must be remembered, of course, that corruption can also occur in an organization’s home country.

A common form of corruption is aiding and abetting. Law enforcement authorities worldwide have prosecuted numerous cases where organizations were not misstating their financial statements, but were knowingly structuring transactions or making representations that enabled other organizations to fraudulently misstate their financial statements. A thorough risk assessment will consider the risk that someone may be engaging in such behavior as well as other types of corruption that may be applicable to the organization.


Information Technology and Fraud Risk

Organizations rely on IT to conduct business, communicate, and process financial information. A poorly designed or inadequately controlled IT environment can expose an organization to fraud. Today’s computer systems, linked by national and global networks, face an ongoing threat of cyber fraud and a variety of threats that can result in significant financial and information losses. IT is an important component of any risk assessment, especially when considering fraud risks. IT risks include threats to data integrity, threats from hackers to system security, and theft of financial and sensitive business information. Whether in the form of hacking, economic espionage, Web defacement, sabotage of data, viruses, or unauthorized access to data, IT fraud risks can affect everyone. In fact, IT can be used by people intent on committing fraud in any of the three occupational fraud risk areas defined by the ACFE. Examples of those risks by area include:

Fraudulent Financial Reporting

• Unauthorized access to accounting applications — Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
• Override of system controls — General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.

Misappropriation of Assets

• Theft of tangible assets — Individuals who have access to tangible assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets. For example, an individual may establish a fictitious vendor in the vendor master file to facilitate the payment of false invoices, or someone may steal inventory and charge the cost of sales account for the stolen items, thus removing the asset from the balance sheet.
• Theft of intangible assets — Given the transition to a services-based, knowledge economy, more and more valuable assets of organizations are intangibles such as customer lists, business practices, patents, and copyrighted material. Examples of theft of intangible assets include piracy of software or other copyrighted material by individuals either inside or outside of the organization.

Corruption

• Misuse of customer data — Personnel within or outside the organization can obtain employee or customer data and use such information to obtain credit or for other fraudulent purposes.

Keep in mind, cyber fraudsters do not even have to leave their homes to commit fraud, as they can route communications through local phone companies, long-distance carriers, Internet service providers, and wireless and satellite networks. They may go through computers located in several countries before attacking targeted systems around the globe. What is important is that any information — not just financial — is at risk, and the stakes are very high and rising as technology continues to evolve.

To manage the ever-growing risks of operating in the information age, an organization should know its vulnerabilities and be able to mitigate risk in a cost-effective manner. Therefore, IT risk should be incorporated into an organization’s overall fraud risk assessment.
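Two of the IT risks listed above (inappropriate access to accounting applications, and a fictitious vendor set up in the vendor master to pay false invoices) are the kind of exposure a detective control over access data and master data can surface. The Python below is an added example written for this page, not code from the guide or from the ACFE: it runs a segregation-of-duties check over a constructed user entitlement matrix and then corroborates the vendor master against a payment run to flag payees whose creator also approved their payment. The entitlement names (VENDOR_MASTER_CREATE and the others), the list of conflicting pairs, and every sample record are assumptions standing in for a real ERP's role model and exports.

```python
"""Two detective checks over access and vendor data: segregation-of-duties conflicts
and vendor payments approved by the person who created the vendor record.

Added example, not from the guide. Entitlement names, the conflicting-pair list
and all records are constructed stand-ins for a real ERP's role model and data.
"""
from dataclasses import dataclass

# Hypothetical entitlement pairs that one person should never hold together.
CONFLICTING_PAIRS = {
    frozenset({"VENDOR_MASTER_CREATE", "AP_INVOICE_APPROVE"}),  # create a payee, then approve its invoices
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),       # post and approve one's own journal entries
    frozenset({"INVENTORY_ADJUST", "COST_OF_SALES_POST"}),      # adjust stock and post the write-off to cost of sales
}

# Constructed access matrix as a (hypothetical) ERP user/role export: user -> entitlements.
SAMPLE_ACCESS = {
    "alice": {"VENDOR_MASTER_CREATE", "AP_INVOICE_ENTER"},
    "bob":   {"AP_INVOICE_APPROVE"},
    "carol": {"VENDOR_MASTER_CREATE", "AP_INVOICE_APPROVE"},            # SoD conflict
    "dave":  {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE", "REPORT_VIEW"},  # SoD conflict
}


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    created_by: str


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: float
    approved_by: str


# Constructed vendor master and payment run.
SAMPLE_VENDORS = [
    Vendor("V100", "Acme Supplies", "alice"),
    Vendor("V200", "Northwind Consulting", "carol"),
]
SAMPLE_PAYMENTS = [
    Payment("V100", 4200.00, "bob"),
    Payment("V200", 9800.00, "carol"),  # creator of V200 also approved this payment
    Payment("V200", 1500.00, "bob"),
]


def sod_conflicts(access):
    """Return {user: [conflicting pair as a sorted tuple, ...]} for every user who
    holds both halves of at least one pair in CONFLICTING_PAIRS."""
    findings = {}
    for user, rights in access.items():
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= rights)
        if hits:
            findings[user] = hits
    return findings


def self_approved_vendor_payments(vendors, payments):
    """Corroborate one data set against another: flag payments whose approver is
    also the user who created the payee's vendor master record."""
    created_by = {v.vendor_id: v.created_by for v in vendors}
    return [p for p in payments if created_by.get(p.vendor_id) == p.approved_by]


if __name__ == "__main__":
    print(sod_conflicts(SAMPLE_ACCESS))
    print(self_approved_vendor_payments(SAMPLE_VENDORS, SAMPLE_PAYMENTS))
```

The conflicting-pair table is the documented segregation of duties the guide asks management to record; keeping it as data rather than scattered conditions means the same list can be reviewed by the audit committee and re-run whenever the access export changes. The second check is the "draw on one data set to corroborate another" pattern: neither the vendor master nor the payment run looks wrong on its own.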


Other Risks

Regulatory and Legal Misconduct

Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import/export. Depending on the particular organization and the nature of its business, some or all of these risks may be applicable and should be considered in the risk assessment process.

Reputation Risk

Reputation risk is evaluated differently by different individuals, either as a separate risk or the end result of other risks (e.g., operational, regulatory, or financial reporting). Fraudulent acts can damage an organization’s reputation with customers, suppliers, and the capital markets. For example, fraud leading to a financial restatement damages an organization’s reputation in the capital markets, which could increase the organization’s cost of borrowing and depress its market capitalization. Because the board is responsible for the longevity of the organization and has responsibilities to multiple stakeholders, it should evaluate its performance regularly with respect to reputation risks and ensure that consideration of reputation risk is part of the organization’s risk assessment process.

Assessment of the Likelihood and Significance of Identified Inherent Fraud Risks

Assessing the likelihood and significance of each potential fraud risk is a subjective process. Not all fraud risks are equally likely, nor will all frauds have a significant impact on every organization. Assessing the likelihood and significance of identified inherent risks allows the organization to manage its fraud risks and apply preventive and detective procedures rationally. It is important to first consider fraud risks to the business on an inherent basis, that is, without consideration of known controls. By taking this approach, management will be better able to consider all relevant fraud risks and design controls to address the risks. After mapping fraud risks to relevant controls, certain residual risks will remain, including the risk of management’s override of established controls. Management must evaluate the potential significance of those residual risks and decide on the nature and extent of the fraud preventive and detective controls and procedures to address such risks.

Likelihood — Management’s assessment of the likelihood of a fraud risk occurring is informed by instances of that particular fraud occurring in the past at the organization, the prevalence of the fraud risk in the organization’s industry, and other factors, including the number of individual transactions, the complexity of the risk, and the number of people involved in reviewing or approving the process. Organizations can categorize the likelihood of potential frauds occurring in as many buckets as deemed reasonable, but three categories are generally adequate: remote, reasonably possible, and probable.

Significance — Management’s assessment of the significance of a fraud risk should include not only financial statement and monetary significance, but also significance to an organization’s operations, brand value, and reputation, as well as criminal, civil, and regulatory liability. For example, two different organizations may have similar amounts of expenses charged via employee expense reports, but one organization is a professional services firm that charges those expenses to clients. Although the likelihood of the risk of fraudulent expense reports and the monetary exposure may be similar at both organizations, the relative significance of fraudulent expense reports to the professional services firm may be greater, given the impact that fraudulent expense reports can have on customer relationships. Organizations can categorize the significance of potential frauds in as many buckets as deemed reasonable, but three categories are generally adequate: inconsequential, more than inconsequential, and material.

People/department — As part of the risk assessment process, the organization will have evaluated the incentives and pressures on individuals and departments and should use the information gained in that process to assess which individuals or departments are most likely to have incentive to commit a fraudulent act, and, if so, via what means. This information can be summarized into the fraud risk assessment grid and can help the organization design appropriate risk responses, if necessary.

Response to Residual Fraud Risks

Risk tolerance varies from organization to organization. At the highest level, the board sets the organization’s risk tolerance level, taking into consideration its responsibilities to all shareholders, capital providers, and stakeholders. While some organizations want only to address fraud risks that could have a material financial statement impact, other organizations want to have a more robust fraud response program. Many organizations will state that there is a “zero tolerance” policy with respect to fraud. However, there may be certain fraud risks that an organization considers too expensive and time-consuming to address via controls. Consequently, the organization may decide not to put controls in place to address such risks. If a fraud is discovered, zero tolerance for fraud will be applied.

An organization’s risk tolerance level provides management support on how to respond to fraud risk. Fraud risks can be addressed by accepting the risk of a fraud based on the perceived level of likelihood and significance, increasing the controls over the area to mitigate the risk, or designing internal audit procedures to address specific fraud risks. The board should ensure management has implemented the right level of controls based on the risk tolerance it has established for the organization. In effect, one should look at an organization’s financial statements and operations and ask “What can be wrong in this picture?”, and then design appropriate controls. The key is to be selective and efficient. There are probably thousands of potential controls that could be put in place. The goal is a targeted and structured approach — not an unstructured or haphazard approach — and efficient controls that deliver the most benefit for the cost of resources. The overall objective is to have the benefit of controls exceed their cost.

In addressing fraud risks, one should be careful to ensure that anti-fraud controls are operating effectively and have been designed to include appropriate steps to deal with the relevant risks. Where an internal control might be executed with limited skepticism (e.g., agreeing an accrual balance to underlying support), an anti-fraud control would include an evaluation of the underlying support for consistency in application from prior periods and for potential inappropriate bias. Therefore, anti-fraud controls should be designed appropriately and executed by competent and objective individuals. Management’s documentation of anti-fraud controls should include the description of what the control is designed to do, who is to perform the control, who is to monitor and assess the effectiveness of the control, and the related segregation of duties.
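The assessment steps described above (rate each risk on an inherent basis, map the relevant controls, evaluate the residual risk, then accept it, increase controls, or design internal audit procedures against it) can be expressed as a small data model that produces the fraud risk assessment grid. The Python below is an added example written for this page; it is not the guide's own grid or anything published by the ACFE. It uses the guide's three likelihood categories and three significance categories by name; everything else is a constructed assumption: the ordinal scores 1 to 3, the control-strength scale of 0 to 2, the rule that maps a residual score and the board's tolerance to one of the three responses, and the four sample risks (drawn from schemes the guide lists).

```python
"""Fraud risk assessment grid: inherent risk -> mapped controls -> residual risk -> response.

Added example, not from the guide. The category names are the guide's; the
ordinal scores, control-strength scale, response rule and sample risks are
constructed assumptions.
"""
from dataclasses import dataclass, field

# The guide's three likelihood and three significance buckets, given ordinal scores 1..3.
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
SIGNIFICANCE = {"inconsequential": 1, "more than inconsequential": 2, "material": 3}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str       # "preventive" or "detective"
    strength: int   # constructed scale: 0 = not operating, 1 = designed, 2 = tested and effective


@dataclass
class FraudRisk:
    scheme: str
    area: str          # fraudulent financial reporting / misappropriation of assets / corruption
    likelihood: str    # a key of LIKELIHOOD
    significance: str  # a key of SIGNIFICANCE
    people: str        # individual or department with the incentive and opportunity
    controls: list = field(default_factory=list)

    def inherent_score(self):
        """Likelihood x significance before any control is considered."""
        return LIKELIHOOD[self.likelihood] * SIGNIFICANCE[self.significance]

    def residual_score(self):
        """Controls reduce the likelihood term only: a control lowers the chance a
        scheme succeeds, not the damage it does if it succeeds anyway. The floor
        of 1 reflects the guide's point that some residual risk (management
        override, for instance) always remains."""
        reduction = sum(c.strength for c in self.controls)
        residual_likelihood = max(1, LIKELIHOOD[self.likelihood] - reduction)
        return residual_likelihood * SIGNIFICANCE[self.significance]


def respond(risk, tolerance):
    """Constructed decision rule mapping residual score to the guide's three responses."""
    if risk.residual_score() <= tolerance:
        return "accept"
    if SIGNIFICANCE[risk.significance] == SIGNIFICANCE["material"]:
        return "increase controls"
    return "internal audit procedures"


def build_grid(risks, tolerance):
    """Rows of (scheme, area, people, inherent, residual, response), highest residual first."""
    rows = [(r.scheme, r.area, r.people, r.inherent_score(), r.residual_score(), respond(r, tolerance))
            for r in risks]
    return sorted(rows, key=lambda row: (-row[4], -row[3], row[0]))


# Constructed sample risks drawn from schemes the guide lists.
SAMPLE_RISKS = [
    FraudRisk("Fictitious vendor payments", "misappropriation of assets",
              "probable", "more than inconsequential", "accounts payable",
              [Control("Vendor master change review", "detective", 1)]),
    FraudRisk("Unsupported reserves set aside for future periods", "fraudulent financial reporting",
              "reasonably possible", "material", "controller / CFO",
              []),  # no control maps cleanly: the management-override case
    FraudRisk("Inflated expense claims", "misappropriation of assets",
              "probable", "inconsequential", "sales staff",
              [Control("Manager approval", "preventive", 1), Control("Expense analytics", "detective", 1)]),
    FraudRisk("Bribery of foreign officials", "corruption",
              "remote", "material", "regional sales",
              [Control("Third-party due diligence", "preventive", 2)]),
]

if __name__ == "__main__":
    for row in build_grid(SAMPLE_RISKS, tolerance=3):
        print(row)
```

With a board tolerance of 3, the grid puts the uncontrolled reserve manipulation first (residual 6, increase controls), the fictitious-vendor scheme second (residual 4, not material, so targeted internal audit procedures), and accepts the other two. Note that the bribery risk stays at residual 3 despite a strong preventive control: significance is never reduced by controls, which is the reason the guide keeps the two dimensions separate.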


SECTION 3: FRAUD PREVENTION

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Despite the best efforts of those responsible for preventing fraud, one inevitable reality remains: “fraud happens.” Because fraud and misconduct can occur at various levels in any organization, it is essential that appropriate preventive and detective techniques are in place. Although fraud prevention and detection are related concepts, they are not the same. While prevention encompasses policies, procedures, training, and communication, detection involves activities and programs designed to identify fraud or misconduct that is occurring or has occurred. Although preventive measures cannot ensure that fraud will not be committed, they are the first line of defense in minimizing fraud risk. This section of the guide will cover preventive techniques. Detective techniques will be covered in Section 4.

One key to prevention is making personnel throughout the organization aware of the fraud risk management program, including the types of fraud and misconduct that may occur. This awareness should reinforce the notion that all of the techniques established in the program are real and will be enforced. The ongoing communication efforts could provide information on the potential disciplinary, criminal, and civil actions that the organization could take against the individual.

With this in mind, prevention and deterrence are interrelated concepts. If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught is always a strong deterrent. Effective preventive controls are, therefore, strong deterrence controls.

The system of internal controls in an organization is designed to address inherent business risks. The business risks are identified in the enterprise risk assessment protocol, and the controls associated with each risk are noted. COSO’s Enterprise Risk Management–Integrated Framework describes the essential ERM components, principles, and concepts for all organizations, regardless of size.

Establishing internal controls may not address all of an organization’s fraud risks. Fraud risks, although a form of business risk, necessitate specific controls to mitigate them, which makes an organization’s fraud risk assessment process essential to fraud prevention. In addition to implementing fraud preventive controls, it is important that the organization assess and continuously monitor their operational effectiveness to help prevent fraud from occurring.

Fraud Preventive Controls

Prevention is the most proactive fraud-fighting measure. The design and implementation of control activities should be a coordinated effort spearheaded by management with an assembled cast of employees. Collectively, this cross section of the organization should be able to address all of the identified risks, design and implement the control activities, and ensure that the techniques used are adequate to prevent fraud from occurring in accordance with the organization’s risk tolerance.


The ongoing success of any fraud prevention program depends on its continuous communication and reinforcement. Stressing the existence of a fraud prevention program through a wide variety of media — posters on bulletin boards, flyers included with invoices and vendor payments, and articles in internal and external communications — gets the message out to both internal and external communities that the organization is committed to preventing and deterring fraud.

Among the many elements in fraud prevention are HR procedures, authority limits, and transaction-level procedures.

Human Resources Procedures

An organization’s HR function can play an important role in fraud prevention by implementing the following procedures.

Performing Background Investigations

A key business and fraud risk in any organization lies in the people hired to operate the business and promoted into positions of trust and authority. For that reason, it is important to know employees in order to evaluate their credentials and competence, match skills to the job requirements, and be aware of any issues of personal integrity that may impact their suitability for the position. Much can be learned about an individual through confirmation of work history and education presented on a job application or résumé or in follow-up with references provided. It is possible to find false or embellished information or undisclosed history and reputation that may represent increased, and possibly unacceptable, risk.

While the organization should establish procedures to obtain sufficient information to assess a job applicant or promotion candidate, the nature and extent of information that can be requested from a prospective or existing employee or obtained independently is governed by applicable laws and regulations. Further or enhanced background checking for criminal record or personal financial situation may only be possible upon receiving the individual’s consent. Legal counsel should be sought to advise on what background information can and cannot be obtained and the appropriate procedures to follow.

Background checks should also be performed on new and existing suppliers, customers, and business partners to identify any issues of financial health, ownership, reputation, and integrity that may represent an unacceptable risk to the business.

Anti-fraud Training

An organization can hire or promote competent individuals who, having undergone appropriate background checks, represent a low fraud risk. It is possible that such individuals have a comprehensive understanding of what fraud is and what its red flags are, and an appreciation of its potential to devastate an organization. There should not, however, be any exemption from receiving an initial orientation and ongoing education on the fraud risk management program in place, regardless of the individual’s position in the organization. Such education serves to establish and reinforce the tone from the top regarding the individual’s responsibility and the process to deal with suspected fraud.


An organization’s HR group is often responsible for developing and providing the necessary training on the purpose of the fraud risk management program, including the codes of conduct and ethics, what constitutes fraud, and what to do when fraud is suspected. The effectiveness of this training is dependent on mandatory attendance with periodic updates and refresher sessions.

Evaluating Performance and Compensation Programs

HR managers should be involved in both the performance management and compensation programs. Performance management involves the evaluation of employee behavior and performance as well as work-related competence. It is a human trait to want recognition of competence and reward for positive performance and success. Regular and robust assessment of employee performance with timely and constructive feedback goes a long way to preventing potential problems. Employees who are not recognized for what they do and what they have accomplished, especially those who may have been bypassed for promotion, may feel their inappropriate and fraudulent conduct is justified.

Reward can also be reflected in compensation. By conducting compensation surveys and local market analysis, HR can determine whether senior management and employees are compensated appropriately and therefore driving desired behavior by striking a balance between fixed and variable compensation. Managers whose compensation is largely based on short-term performance-related bonuses may be motivated to cut corners or deliberately fabricate financial results to achieve those bonuses.

Conducting Exit Interviews

A policy of conducting exit interviews of terminated employees or those who have resigned can help in both prevention and detection efforts. These interviews may help HR managers determine whether there are issues regarding management’s integrity or information regarding conditions conducive to fraud. HR should also review the content and information contained in resignation letters, as they may contain information regarding possible fraud and misconduct existing within the organization.

Authority Limits

Fraud is less likely when an individual’s level of authority is commensurate with his or her level of responsibility. A misalignment between authority and responsibility, particularly in the absence of control activities and segregation of duties, can lead to fraud.

An organization may establish authoritative approval levels across the enterprise to serve as an entity-level control. On the other hand, individuals working within a specific function may be assigned only limited IT access as a process-level control. These types of controls, supported by an appropriate segregation of duties, assist in the first line of defense in fraud prevention.

Transaction-level Procedures

Reviews of third-party and related-party transactions can also help prevent fraud. Because fraud schemes often involve the use of third-party entities/individuals, organizations need thorough measures at the front-end that will prevent the back-end activities. False vendors and false employees are two of the more obvious and frequently noted schemes in this arena.

Preventive measures are especially needed for related-party transactions that can be controlled by board members or by employees of authority with an interest in an outside entity with which the organization may conduct business. Such individuals may mandate transactions that ultimately benefit them at the expense of the organization.

Documentation of Fraud Prevention Techniques

An organization should formally document the techniques developed and implemented to prevent fraud. This includes documenting processes used to monitor the performance of fraud preventive controls or to indicate when such controls are ineffective. Testing procedures conducted to ensure adequate operation of fraud preventive controls and the test results should also be thoroughly documented.

Paramount to this documentation is a detailed description of the elements of the organization’s fraud prevention techniques, with emphasis placed on the roles and responsibilities of all parties involved.

Assessing the Organization’s Fraud Prevention

Organizations just beginning to assess their fraud risk management program, as well as organizations striving to improve their fraud risk management program, should conduct overall assessments of their fraud prevention techniques. The Fraud Prevention Scorecard in Appendix F can be used to assess how comprehensive the organization’s preventive controls are and how well they are working. Organizations should periodically reassess their fraud prevention techniques to ensure that progress is being made to get to an “all-green” fraud prevention status and that no elements of fraud prevention are deteriorating. Organizations with strong commitments to fraud prevention may also wish to engage independent outside experts to assess their fraud prevention techniques.

Continuous Monitoring of Fraud Preventive Controls

The organization’s plan, approach, and scope of monitoring its fraud prevention techniques should be documented and updated as necessary. With all of the parties involved in the risk assessment process and the subsequent design of the control activities, it is difficult to require that fraud prevention be monitored regularly by an independent entity. But reviews should be conducted separately from any routine or planned audits and should be designed to assure management of the effectiveness of the organization’s fraud prevention.

Before each program review, issues such as significant changes in the organization and their associated risks, changes in personnel responsible for implementing the activities, and the results of previous assessments will determine if the scope of the current examination needs to be altered. Each evaluation should include evidence that management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any previously noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for ensuring the program’s ongoing success.


SECTION 4: FRAUD DETECTION

Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Having effective detective controls in place and visible is one of the strongest deterrents to fraudulent behavior. Used in tandem with preventive controls, detective controls enhance a fraud risk management program's effectiveness by providing evidence that preventive controls are working as intended and identifying fraud that occurs. Although detective controls may provide evidence that fraud is occurring or has occurred, they are not intended to prevent fraud.

In some cases, the types of detective controls implemented may depend on the fraud risks identified for an organization. For example, if an organization operates in countries that are identified as having high risks for corruption, it may implement detective controls to identify possible violations of the FCPA, such as a recurring review of expense reports or consulting fees. Similarly, if an organization has a high frequency of subjective estimates, it may implement detective controls related to regular internal audit review of such activity. Overall, additional detection controls may be necessary based on the fraud risks identified for the organization. As with fraud prevention, it is important that the organization assess and continuously monitor its fraud detection techniques to help detect fraud that is occurring or has occurred.

Fraud Detective Controls

Organizations can never eliminate the risk of fraud entirely. There are always people who are motivated to commit fraud, and an opportunity can arise for someone in any organization to override a control or collude with others to do so. Therefore, detection techniques should be flexible, adaptable, and continuously changing to meet the various changes in risk.

While preventive measures are apparent and readily identifiable by employees, third parties, and others, detective controls are clandestine in nature. This means they operate in a background that is not evident in the everyday business environment. Such techniques will usually:

• Occur in the ordinary course of business.
• Draw on external information to corroborate internally generated information.
• Formally and automatically communicate identified deficiencies and exceptions to appropriate leadership.
• Use results to enhance and modify other controls.

Although every organization is susceptible to fraud, it is not cost-effective to try to eliminate all fraud risk. An organization may choose to design its controls to detect, rather than prevent, certain fraud risks, as approved by the board. If the estimated costs of designing, implementing, and monitoring the controls against fraud — such as tools, personnel, or training — exceed the estimated impact of the risk, they may not be cost-effective to implement. For example, a property and casualty insurance company may set threshold limits on the total of losses paid plus those reserved on large policies to identify that fraud may be occurring, rather than relying solely on the identification of fraudulent individual claims. Important detection methods include an anonymous reporting mechanism (whistleblower hotline), process controls, and proactive fraud detection procedures specifically designed to identify fraudulent activity.

Whistleblower Hotlines

The use of a whistleblower hotline [36], which has markedly increased among SEC registrants since it was mandated by the U.S. Sarbanes-Oxley Act of 2002, is one of the more effective measures organizations can implement as part of their fraud risk assessment program. Various surveys [37] indicate that anonymous tips received through hotlines or by other methods are the most likely means of detecting fraud. In addition, knowledge that an employee hotline is in place can help prevent fraud because individuals may fear that a fraud will be discovered and reported.

Marketing the existence of a hotline to increase awareness, making it easy to use, and promoting the timely handling of all reported issues are strong preventive measures that should supplement the detective control of hotlines. The hotline should be promoted with educational materials provided to shareholders, employees, customers, and vendors, all of whom can provide valuable information from a variety of reliable sources. Hotlines ideally support a multilingual capability and provide access to a trained interviewer 24 hours a day, 365 days a year.

Provision for anonymity to any individual who willingly comes forward to report a suspicion of fraud is a key to encouraging such reporting and should be a component of the organization's policy. The most effective whistleblower hotlines preserve the confidentiality of callers and provide assurance to employees that they will not be retaliated against for reporting their suspicions of wrongdoing, including wrongdoing by their superiors. Another key is demonstrating that their reporting will result in appropriate and timely action being taken.
To preserve the integrity of the whistleblower process, it must also provide a means of reporting suspected fraud that involves senior management, possibly reporting directly to the audit committee.

A single case management system should be used to log all calls and their follow-up to facilitate management of the resolution process, testing by internal auditors, and oversight by the board and/or the audit committee [38] as the board's designee. The board should approve protocols to ensure reported fraud-related issues are disseminated timely to appropriate parties, such as the ethics/compliance team, HR, the board and/or the audit committee, legal, and security. Distributing reports to these parties of occurrences in their respective areas of responsibility ensures that no single person or functional area controls this highly sensitive information and increases accountability.

Charged with the responsibility for having documented procedures for receiving, retaining, and investigating complaints or tips alleging the possibility of misconduct or possible fraud, many audit committees have turned to independent service providers to operate hotlines and notify the organization of any reported accusations.

An effective hotline program should analyze the data received and compare results to norms for similar organizations. Ongoing analysis allows an organization to reshape its fraud risk management program to address evolving risks. The whistleblower process should be independently evaluated periodically for effectiveness, including compliance with established protocols.

[36] Whistleblower hotlines may not be legal or ethical, or may be subject to restrictions in some countries outside the United States. As such, multinational organizations may not be able to implement hotlines on a worldwide basis.
[37] The ACFE Occupational Fraud and Abuse Survey and the KPMG Fraud Survey are examples.
[38] The United Kingdom (UK) report, "Audit Committees Combined Code Guidance," by Sir Robert Smith, suggests that audit committees should review whistleblowing arrangements regarding the appropriate and independent investigations and follow-up action.
Process Controls

Process controls specifically designed to detect fraudulent activity, as well as errors, include reconciliations, independent reviews, physical inspections/counts, analyses, and audits. A lack of, or weakness in, preventive controls increases the risk of fraud and places a greater burden on detective controls. The more significant the fraud risk, the more sensitive to occurrence (e.g., use of thresholds, performance frequency, and population tested) the detective control should be.

The nature of fraud risks is such that there should be a systematic identification of the types of fraud schemes that can be perpetrated against or within the organization to identify the process controls needed to reduce and control the risks. Each industry is susceptible to different types of fraud schemes. The assessment becomes more cumbersome in organizations that span different industries. Organizations with multiple divisions/business units will need to first perform a broad organizationwide assessment and then perform more detailed and focused assessments of individual business units to identify the necessary process controls to detect fraud.

Proactive Fraud Detection Procedures

In addition to detective process controls, organizations may be able to use data analysis, continuous auditing techniques, and other technology tools effectively to detect fraudulent activity. Data analysis uses technology to identify anomalies, trends, and risk indicators within large populations of transactions. Users of this technology may be able to drill down into journal entries looking for suspicious transactions occurring at the end of a period or those that were made in one period and later reversed in the next period. These tools may also allow users to look for journal entries posted to revenue or expense accounts that improve net income to meet analysts' expectations or incentive compensation targets. Moreover, data analysis allows users to identify relationships among people, organizations, and events.

Proactive consideration of how certain fraud schemes may result in identifiable types of transactions or trends enhances an organization's ability to design and implement effective data analysis. Data analytics can also be used to cost-effectively ensure the effectiveness of other fraud preventive and detective controls.

Continuous auditing is the use of data analytics on a continuous or real-time basis, thereby allowing management or auditing to identify and report fraudulent activity more rapidly. For example, a Benford's Law analysis [39] can examine expense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns of activity that may require further analysis. Similarly, continuous monitoring of transactions subject to certain "flags" may promote quicker investigation of higher-risk transactions.

Technology tools enhance the ability of management at all levels to detect fraud. Data analysis, data mining, and digital analysis tools can:

• Identify hidden relationships among people, organizations, and events.
• Identify suspicious transactions.
• Assess the effectiveness of internal controls.

[39] Benford's Law analysis is a process of comparing actual results vs. expected results by looking for unusual transactions that do not fit an expected pattern.
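The Benford's Law analysis and the journal-entry tests described above (period-end entries, entries reversed in the following period, and, further on, attributes such as user identification, date of entry, and unusual account pairings), as an added example that is not part of this guide and not any vendor's tool. The script computes the first-digit distribution of a population of amounts, its mean absolute deviation (MAD) from the Benford-expected frequencies, and classifies the result using Nigrini's commonly cited first-digit conformity bands; it then flags journal entries carrying the override-related attributes. The journal entries, the authorized-poster list, the expected account pairings, the period end and the three-day window are all constructed assumptions for illustration.

```python
import math
from collections import Counter
from datetime import date, timedelta

# Benford's Law: expected frequency of leading digit d (1..9) is log10(1 + 1/d).
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Constructed sample journal entries (not real data). "reversed_by" names a later
# entry that reverses this one, or None.
JOURNAL = [
    {"id": "JE-001", "date": date(2024, 3, 12), "amount": 1450.00, "user": "ap_clerk",
     "debit": "6100-Expenses", "credit": "2000-AP", "reversed_by": None},
    {"id": "JE-002", "date": date(2024, 3, 30), "amount": 98000.00, "user": "cfo",
     "debit": "1200-AR", "credit": "4000-Revenue", "reversed_by": "JE-005"},
    {"id": "JE-003", "date": date(2024, 3, 31), "amount": 9990.00, "user": "it_admin",
     "debit": "1200-AR", "credit": "4000-Revenue", "reversed_by": None},
    {"id": "JE-004", "date": date(2024, 3, 16), "amount": 320.50, "user": "ap_clerk",
     "debit": "6100-Expenses", "credit": "2000-AP", "reversed_by": None},
    {"id": "JE-005", "date": date(2024, 4, 2), "amount": 98000.00, "user": "cfo",
     "debit": "4000-Revenue", "credit": "1200-AR", "reversed_by": None},
    {"id": "JE-006", "date": date(2024, 3, 20), "amount": 2200.00, "user": "ap_clerk",
     "debit": "6100-Expenses", "credit": "4000-Revenue", "reversed_by": None},
]
# Assumed posting policy (hypothetical): who may post manual entries and which
# debit/credit pairings are normal for this ledger.
PERIOD_END = date(2024, 3, 31)
AUTHORIZED_POSTERS = {"ap_clerk", "gl_accountant"}
EXPECTED_PAIRS = {("6100-Expenses", "2000-AP"), ("1200-AR", "4000-Revenue"),
                  ("4000-Revenue", "1200-AR")}


def first_digit(amount):
    """Leading non-zero digit of a monetary amount (cents included), or None for zero."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


def first_digit_distribution(amounts):
    """Observed proportion of each leading digit 1..9 over a population of amounts."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    total = sum(counts.values())
    return {d: counts[d] / total for d in range(1, 10)} if total else {}


def benford_mad(amounts):
    """Mean absolute deviation between observed and Benford-expected first-digit proportions."""
    observed = first_digit_distribution(amounts)
    if not observed:
        raise ValueError("no non-zero amounts to analyze")
    return sum(abs(observed[d] - BENFORD_EXPECTED[d]) for d in range(1, 10)) / 9


def benford_conformity(mad):
    """Classify a first-digit MAD with Nigrini's first-digit conformity bands."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginally acceptable conformity"
    return "nonconformity"


def flag_journal_entries(entries, period_end, authorized_users, expected_pairs, window_days=3):
    """Return {entry id: [reasons]} for entries showing attributes associated with
    management override: period-end timing, unauthorized poster, reversal in the
    following period, unusual account pairing, weekend posting."""
    by_id = {e["id"]: e for e in entries}
    window_start = period_end - timedelta(days=window_days)
    flagged = {}
    for e in entries:
        reasons = []
        if window_start <= e["date"] <= period_end:
            reasons.append("period-end posting")
        if e["user"] not in authorized_users:
            reasons.append("posted by unauthorized user")
        reversal = by_id.get(e["reversed_by"]) if e["reversed_by"] else None
        if reversal is not None and reversal["date"] > period_end:
            reasons.append("reversed in the following period")
        if (e["debit"], e["credit"]) not in expected_pairs:
            reasons.append("unusual account pairing")
        if e["date"].weekday() >= 5:  # Saturday == 5, Sunday == 6
            reasons.append("weekend posting")
        if reasons:
            flagged[e["id"]] = reasons
    return flagged


if __name__ == "__main__":
    mad = benford_mad([e["amount"] for e in JOURNAL])
    print(f"first-digit MAD = {mad:.4f} ({benford_conformity(mad)})")
    for entry_id, reasons in flag_journal_entries(
            JOURNAL, PERIOD_END, AUTHORIZED_POSTERS, EXPECTED_PAIRS).items():
        print(entry_id, ", ".join(reasons))
```

Run as a script it prints the MAD and the flagged entries. Six constructed entries are only enough to exercise the code: a Benford test is meaningful only over large populations of naturally generated amounts, and even then a nonconforming result is a risk indicator that directs the auditor to a population worth examining, not evidence of fraud on its own. The flag rules are deliberately simple; in practice the authorized-poster list, expected pairings and period-end window would come from the organization's chart of accounts and posting policy, and each flag would feed the case tracking described later in this section rather than being acted on directly.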
• Monitor fraud threats and vulnerabilities.
• Consider and analyze thousands or millions of transactions.

Some auditors and consulting firms have developed tools, as part of their fraud detection efforts, that analyze journal entries to mitigate management override of the internal control system. These tools identify transactions subject to certain attributes that could indicate risk of management override, such as user identification, date of entry, and unusual account pairings.

Evidence of fraud can sometimes be found in e-mail as well. The ability of an organization to capture, maintain, and review the communications of any of its employees has led to the detection of numerous frauds in the past decade. This is accomplished through the use of strict and regular backup programs that capture data, not with the intent of uncovering fraud, but merely as a safeguard in the event that a retrospective search for evidence may be necessary. Recent amendments to the U.S. Federal Rules of Civil Procedure could affect future policy decisions about the retention of backup materials. The benefit of backup for business purposes, compared to a possible obligation to provide evidence in discovery, will need to be balanced in an organization's risk analysis.

As organizations grow and technology needs change, so do the opportunities for fraud. Because all fraud and misconduct schemes cannot be fought with the same tools and techniques, the organization periodically will need to assess the effectiveness of process controls, anonymous reporting, and internal auditing.

Documentation of Fraud Detection Techniques

An organization should document the techniques developed and implemented to detect fraud.
This includes documenting processes used to monitor the performance of fraud detective controls or to indicate when such controls are ineffective. Testing procedures conducted to ensure adequate operation of fraud detective controls and the test results should also be documented thoroughly.

Paramount to this documentation is a detailed description of the elements of the organization's fraud detection techniques, with emphasis placed on the roles and responsibilities of all parties involved. Organizations should designate and document the individuals and departments responsible for:

• Designing and planning the overall fraud detection process.
• Designing specific fraud detection controls.
• Implementing specific fraud detection controls.
• Monitoring specific fraud detection controls and the overall system of these controls for realization of the process objectives.
• Receiving and responding to complaints related to possible fraudulent activity.
• Investigating reports of fraudulent activity.
• Communicating information about suspected and confirmed fraud to appropriate parties.
• Periodically assessing and updating the plan for changes in technology, processes, and organization.

Although the organization may want to describe and explain some aspects of its fraud detection techniques to its employees, vendors, and stakeholders to promote deterrence, there will be aspects of the plan that the organization will want to remain confidential. During the fraud detection development phase, participants should be warned to keep such information confidential. The board should approve a specific list of individuals who are permitted access to the information and define its own level of information access related to fraud detection controls.

Once the final fraud detection plan is completed, the team should develop a public communication regarding the plan and its implementation. Knowledge throughout the organization that a comprehensive fraud detection plan exists is, in and of itself, a strong deterrent. By communicating this to employees, vendors, shareholders, and others, the organization affirms that it has a fraud detection plan in place and that it takes fraud seriously without revealing all the relevant characteristics of the organization's fraud detection techniques.

Assessing the Organization's Fraud Detection

Organizations just beginning to assess their fraud risk management program, as well as those striving to improve their fraud risk management program, should conduct overall assessments of their fraud detection techniques. The Fraud Detection Scorecard in Appendix G can be used to assess how comprehensive the organization's detective controls are and how well they are working. Organizations periodically should reassess their fraud detection techniques to ensure that progress is being made to get to an "all-green" fraud detection status and that no elements of fraud detection are deteriorating.
Organizations with strong commitments to fraud detection may also wish to engage independent outside experts to assess their fraud detection techniques.

Continuous Monitoring of Fraud Detection

The organization should develop ongoing monitoring and measurements to evaluate, remedy, and continuously improve the organization's fraud detection techniques. If deficiencies are found, management should ensure that improvements and corrections are made as soon as possible. Management should institute a follow-up plan to verify that corrective or remedial actions have been taken.

The organization should establish measurement criteria to monitor and improve fraud detection. These measures should be provided to the board on an ongoing basis.

Measurable criteria include the:

• Number of known fraud schemes committed against the organization.
• Number and status of fraud allegations received by the organization that required investigation.
• Number of fraud investigations resolved.
• Number of employees who have/have not signed the corporate ethics statement.
• Number of employees who have/have not completed ethics training sponsored by the organization.
• Number of whistleblower allegations received via the organization's hotline.
• Number of allegations that have been raised by other means.
• Number of messages supporting ethical behavior delivered to employees by executives.
• Number of vendors who have/have not signed the organization's ethical behavior requirements.
• Benchmarks with global fraud surveys, including the type of fraud experienced and average losses.
• Number of customers who have signed the organization's ethical behavior requirements.
• Number of fraud audits performed by internal auditors.
• Results of employee or other stakeholder surveys concerning the integrity or culture of the organization.
• Resources used by the organization.

Appropriate measurement techniques will vary by organization based on factors such as controls in place, fraud risks identified, and resources available. Examples of specific measurement techniques are:

• The recurrence of frauds uncovered.
• The timeliness of implementation of remediation plans.
• Timeliness in implementing additional controls to prevent new frauds.
• Assessment of the likelihood that frauds perpetrated against other organizations in the same industry will occur in the organization.
• Comparison of fraud versus complaints, grievances, etc., via hotline calls.
• Comparison of the number of frauds discovered versus the number of fraud audits performed.
• Ratios of problems revealed in background checks versus the number of checks performed.

A senior member of management should be assigned as the process owner for each technique implemented.
Each process owner should:

• Evaluate the effectiveness of the technique regularly.
• Adjust the technique as required.
• Document any adjustments.
• Report immediately through the appropriate channels details of any modification necessary or any technique that becomes less effective.

SECTION 5: FRAUD INVESTIGATION AND CORRECTIVE ACTION

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

It is essential that any violations, deviations, or other breaches of the code of conduct or controls, regardless of where in the organization, or by whom, they are committed, be reported and dealt with in a timely manner. Appropriate punishment must be imposed, and suitable remediation completed. The board should ensure that the same rules are applied at all levels of the organization, including senior management.

Fraud Investigation and Response Protocols

Receiving the Allegation

Potential fraud may come to the organization's attention in many ways, including tips from employees, customers, or vendors; internal audits; process control identification; external audits; or by accident. The board should ensure that the organization develops a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct. Protocols for the board's involvement in such cases — which will vary depending on the nature, potential impact, and seniority of persons involved — should be defined clearly and communicated to management by the board.

The investigation and response system should include a process for:

• Categorizing issues.
• Confirming the validity of the allegation.
• Defining the severity of the allegation.
• Escalating the issue or investigation when appropriate.
• Referring issues outside the scope of the program.
• Conducting the investigation and fact-finding.
• Resolving or closing the investigation.
• Listing types of information that should be kept confidential.
• Defining how the investigation will be documented.
• Managing and retaining documents and information.

The process approved by the board should include a tracking or case management system in which all allegations of fraud are logged. Designated senior management approved by the board and the board itself may be given access to this system if necessary to ensure that appropriate action is being taken.

Evaluating the Allegation

Once an allegation is received, the organization should follow the process approved by the board to evaluate the allegation. The process should include designating an individual or individuals with the necessary authority and skills to conduct an initial evaluation of the allegation and determine the appropriate course of action to resolve it. In cases that involve the board or senior management, the board may want to hire outside independent advisers to assist in this evaluation.

The allegation should be examined to determine whether it involves a potential violation of law, rules, or company policy. Depending on the nature and severity of the allegation, other departments may need to be consulted, such as HR, legal counsel, senior management, IT, internal auditing, security, or loss prevention.
The organization's external auditor must also be advised of any fraud that could affect the organization's financial statements.

If an allegation involves senior management, or if the allegation affects the financial statements, there may be standards, regulations, or laws that require that others (e.g., audit committee, board, external auditors, counsel) be notified of the allegation. For example, if the allegation relates to misconduct involving the CEO, the board should be notified of the allegation and should ensure that the CEO is not overseeing the investigation.

Investigation Protocols

Investigations should be performed in accordance with protocols approved by the board. A consistent process for conducting investigations can help the organization mitigate losses and manage risks associated with the investigation.

Factors to consider in developing the investigation plan include:

• Time-sensitivity — Investigations may need to be conducted timely due to legal requirements, to mitigate losses or potential harm, or to institute an insurance claim.
• Notification — Certain allegations may require notification to regulators, law enforcement, insurers, or external auditors.
• Confidentiality — Information gathered needs to be kept confidential and distribution limited to those with an established need.
• Legal privileges — Involving legal counsel early in the process or, in some cases, in leading the investigation, will help safeguard work product and attorney-client communications.
• Compliance — Investigations should comply with applicable laws and rules regarding gathering information and interviewing witnesses.
• Securing evidence — Evidence should be protected so that it is not destroyed and so that it is admissible in legal proceedings.
• Objectivity — The investigation team should be removed sufficiently from the issues and individuals under investigation to conduct an objective assessment.
• Goals — Specific issues or concerns should appropriately influence the focus, scope, and timing of the investigation.

Responsibility for overseeing an investigation should be given to an individual with a level of authority at least one level higher than anyone potentially involved in the matter. Investigations of allegations involving senior management should be overseen by the board or a committee of the board designated for that purpose. Legal counsel may be appointed to supervise the investigation.

Depending on the specifics of the allegation, the investigation team may need to include members of different departments or disciplines to provide the knowledge and skill sets required.
The following resources should be considered to determine whether their participation or assistance is necessary:

• Legal counsel.
• Fraud investigators.
• Internal auditors.
• External auditors.
• Accountants or forensic accountants.
• HR personnel.
• Security or loss prevention personnel.
• IT personnel.
• Computer forensics specialists.
• Management representative.

The investigation team leader should coordinate the investigation and interface with management as necessary. The roles and responsibilities of each team member should be communicated clearly. All team members should consider whether there is an actual or potential conflict of interest with any of the issues or parties that could be involved. Should the organization not have adequate internal resources and/or if it is determined that internal resources are not sufficiently objective, consideration should be given to retaining outside expertise.
Conducting the Investigation

Planning is essential to a thorough and competent investigation. The investigation team should establish the investigation tasks and assign each task to the appropriate team members. The plan should prioritize the performance of tasks to provide an interim report of findings, if necessary, and to revise or plan next steps. It is at this stage that appropriate consideration should be given to legal issues and constraints in dealing with employees and third parties, obtaining relevant information and documentation (including seeking assistance from the courts), and monitoring the integrity of the results of the investigation, thereby maximizing the prospects of success.

Investigations generally include many of the following tasks:

1) Interviewing, including:
   a) Neutral third-party witnesses.
   b) Corroborative witnesses.
   c) Possible co-conspirators.
   d) The accused.
2) Evidence collection, including:
   a) Internal documents, such as:
      i) Personnel files.
      ii) Internal phone records.
      iii) Computer files and other electronic devices.
      iv) E-mail.
      v) Financial records.
      vi) Security camera videos.
      vii) Physical and IT system access records.
   b) External records, such as:
      i) Public records.
      ii) Customer/vendor information.
      iii) Media reports.
      iv) Information held by third parties.
      v) Private detective reports.
3) Computer forensic examinations.
4) Evidence analysis, including:
   a) Review and categorization of information collected.
   b) Computer-assisted data analysis.
   c) Development and testing of hypotheses.
The investigation team should document and track the steps of the investigation, including:

• Items maintained as privileged or confidential.
• Requests for documents, electronic data, and other information.
• Memoranda of interviews conducted.
• Analysis of documents, data, and interviews and conclusions drawn.

Reporting the Results

The investigation team should report its findings to the party overseeing the investigation, such as senior management, directors, or legal counsel. Where legal counsel is supervising the investigation, counsel will determine the appropriate form of the report. The nature and distribution of the report may be affected by the goals of protecting legal privileges and avoiding defamatory statements. For similar reasons, advice of counsel should be sought before the party overseeing the investigation makes public statements or other communications regarding the investigation.

Corrective Action

After the investigation has been completed, the organization will need to determine what action to take in response to the findings. Any findings of actual or potential material impact may need to be reported to the board, the audit committee, and the external auditor if they are not receiving investigation reports directly. Notification may also be required to legal and regulatory agencies and the organization's insurers.

In some cases it may be necessary to take certain actions before the investigation is complete (e.g., to preserve evidence, maintain confidence, or mitigate losses). This could require suspension or reassignment of individuals or legal actions to restrain assets. Those responsible for such decisions should ensure there is a sufficient basis for those actions.

Any action taken should be appropriate under the circumstances, applied consistently to all levels of employees, including senior management, and should be taken only after consultation with individuals responsible for such decisions.
Management consultation with legal counsel is strongly recommended before taking disciplinary, civil, or criminal action.

Possible actions include one or more of the following:

• Criminal referral — The organization may refer the case to law enforcement voluntarily, and, in some cases, it may be required to do so. Law enforcement has access to additional information and resources that may aid the case. Additionally, referrals for criminal prosecution may increase the deterrent effect of the organization's fraud prevention policy. An appropriate member of senior management, such as the chief legal counsel, should be authorized to make the decision as to whether pursuing criminal prosecution is appropriate.
• Civil action — The organization may wish to pursue its own civil action against the perpetrators to recover funds.
• Disciplinary action — Internal disciplinary action may include termination, suspension (with or without pay), demotion, or warnings.
• Insurance claim — The organization may be able to pursue an insurance claim for some or all of its losses.
• Extended investigation — Conducting a root cause analysis and performing an extended investigation may identify similar misconduct elsewhere in the organization.
• Business process remediation — The organization may be able to re-engineer its business processes cost effectively to reduce or remove the opportunity for similar frauds in the future.
• Internal control remediation — The organization may wish to enhance certain internal controls to reduce the risk of similar frauds going undetected in the future.

The organization should consider the potential impact of its response and the message that it may send to the public, stakeholders, and others.

Measurement

The scale and complexity of fraud investigations often vary considerably, requiring some flexibility or customization for the measurements adopted. Although a variety of measures can be applied, the following may be relatively simple and powerful measurements to track:

• Issue resolution time (average number of days to resolve an issue) — This can be measured separately for different categories of incident to avoid creating pressure to resolve complex cases in an unrealistically short time.
• Repeat incidents (number of current period incidents that are similar in nature to incidents in earlier periods) — A low rate of repeat incidents can demonstrate effectiveness in promptly and comprehensively remedying business processes and internal controls in response to earlier incidents.
• Value of losses recovered and future losses prevented — Fraud investigations are important for their deterrent effect, so their cost-effectiveness should not be judged merely by the assets they help to recover.
However, pursuing asset recoveries vigorously and estimating future losses prevented can help to demonstrate the value of fraud risk management actions.

CONCLUDING COMMENTS

A proactive approach to managing fraud risk is one of the best steps organizations can take to mitigate exposure to fraudulent activities. Although complete elimination of all fraud risk is most likely unachievable or uneconomical, organizations can take positive and constructive steps to reduce their exposure. The combination of effective fraud risk governance, a thorough fraud risk assessment, strong fraud prevention and detection (including specific antifraud control processes), as well as coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks.

Although fraud is not a subject that any organization wants to deal with, the reality is most organizations experience fraud to some degree. The important thing to note is that dealing with fraud can be constructive and forward-thinking, and can position an organization in a leadership role within its industry or business segment. Strong, effective, and well-run organizations exist because management takes proactive steps to anticipate issues before they occur and to take action to prevent undesired results. Implementation of this guide should help establish a climate where positive and constructive steps are taken to protect employees and ensure a positive culture. It should be recognized that the dynamics of any organization require an ongoing reassessment of fraud exposures and responses in light of the changing environment the organization encounters.
APPENDIX A: REFERENCE MATERIALFor ExecutivesAmerican Institute of Certified Public Accountants (AICPA), Management Override of Internal Controls: The Achilles’Heel of Fraud Prevention, 2005, www.aicpa.org.Association of Certified Fraud Examiners (ACFE)/AICPA, Fraud Tools, www.<strong>acfe</strong>.com.Canadian Institute of Chartered Accountants (CICA), 20 Questions Directors Should Ask About Codes of Conduct,www.cica.ca.Corporate Executive Board, A Constant Vigilance, Safeguarding the Corporation from Fraud and Abuse, AuditDirectors Roundtable Research Findings, 2005.I.J. Alexander Dyck, Adair Morse, and Luigi Zingales, “Who Blows the Whistle on Corporate Fraud?”, CRSP WorkingPaper No. 618, January 2007, www.ssrn.com/abstract=959410.Robert Tillman and Michael Inderguard, Control Overrides in Financial Statement Fraud, A Report to the Institute forFraud Prevention, 2007, St. John’s University, www.theifp.org.U.S. Securities and Exchange Commission, Commission Guidance Regarding Management’s Report on Internal ControlOver Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Release Nos. 33-8810,34-55929, FR-77; File No. S7-24-06; June 27, 2007), www.sec.gov.Fraud RisksACFE, 2006 ACFE Report to the Nation on Occ<strong>up</strong>ational Fraud & Abuse, 2006,www.<strong>acfe</strong>.com.Ernst & Young LLP, “9th Global Fraud Survey, Fraud Risk in Emerging Markets,” 2006, www.ey.com.Transparency International, “TI Corr<strong>up</strong>tion Perceptions Index,” 2007, www.transparency.org.U.S. Department of Justice, “Principles of Federal Prosecution of Business Organizations,” 2006, www.usdoj.gov.45


Fraud Controls

Deloitte Forensic Center, Ten Things About Fraud Control: How Executives View the “Fraud Control Gap,” 2007, www.deloitte.com.
Ethisphere Council, 43 Considerations for Writing, Reviewing or Revising a Code of Conduct, www.ethisphere.com.
KPMG LLP, Fraud Risk Management: Developing a Strategy for Prevention, Detection, and Response, 2006, www.us.kpmg.com.
Open Compliance and Ethics Group (OCEG), Foundation Guidelines Red Book, 2007, www.oceg.org.
OCEG, Hotline/Helpline Guide: Designing, Managing, and Measuring Hotlines/Helplines, 2006, www.oceg.org.
OCEG, Internal Audit Guide: Evaluating a Compliance and Ethics Program, 2006, www.oceg.org.
OCEG, Measurement & Metrics Guide: Performance Measurement Approach and Metrics for a Compliance and Ethics Program, 2006, www.oceg.org.
PricewaterhouseCoopers LLP, Key Elements of Antifraud Programs & Controls, 2003, www.pwc.com.
Security Executive Council, 2007 Corporate Governance and Compliance Hotline Benchmarking Report, 2007, www.securityexecutivecouncil.com.
The Network, Best Practices in Ethics Hotlines, 2006, www.tnwinc.com.
U.S. Sentencing Commission, 2005 Federal Sentencing Guidelines Manual, Chapter Eight: Sentencing of Organizations, 2005, www.ussc.gov.

Internal Auditing

The Institute of Internal Auditors (IIA), Definition of Internal Auditing, www.theiia.org.
The IIA, Practice Advisory 1210.A2-1: Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection, www.theiia.org.
The IIA, Practice Advisory 1210.A2-2: Auditor’s Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communication, www.theiia.org.
The IIA–UK and Ireland, Fraud Position Statement, www.iia.org.uk.


General

ACFE, 2007 Fraud Examiners Manual, 2007.
ALARM (The National Forum for Risk Management in the Public Sector (UK)), Managing the Risk of Fraud.
Ted Avey, Ted Baskerville, and Alan Brill, The CPA’s Handbook of Fraud and Commercial Crime Prevention, AICPA, 2000.
CICA, The Accountant’s Handbook of Fraud and Commercial Crime, www.cica.ca.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Report of the National Commission on Fraudulent Financial Reporting (Treadway Report), 1987, www.coso.org.
HM Treasury, Assurance, Control, and Risk, Managing the Risk of Fraud: A Guide for Managers, 2003, www.hm-treasury.gov.uk.
International Federation of Accountants, Defining and Developing an Effective Code of Conduct for Organizations, June 2007, www.ifac.org.
IT Policy Compliance Group, Why Compliance Pays: Reputations and Revenues at Risk, Benchmark Research Report, 2007, www.itpolicycompliance.com.
Sarbanes-Oxley Act of 2002, 107th U.S. Cong., 2nd session (January 2002), H.R. 3763, www.sarbanes-oxley.com.
The Chartered Institute of Management Accountants, Fraud Risk Management: A Guide to Good Practice, 2001, www.cimaglobal.com.
The Chartered Institute of Public Finance and Accountancy (UK), Managing the Risk of Fraud: Actions to Counter Fraud and Corruption (updated 2008).
UK Financial Services Authority, Firms’ High-Level Management of Fraud Risk, 2006, www.fsa.gov.uk.
Joseph T. Wells, Corporate Fraud Handbook, 2nd edition, Wiley, 2007.


APPENDIX B: SAMPLE FRAMEWORK FOR A FRAUD CONTROL POLICY (OR PLAN) [40]

NOTE: This appendix is a sample from another entity. As such, no adjustment has been made to this material. The information may or may not agree with all the concepts noted within this paper. The material is being provided as an example that may be used as a tool, reference, or starting point.

1. EXECUTIVE SUMMARY
   Definition of fraud
   Statement of attitude to fraud
   Code of conduct (relationship to)
   Relationship with entity’s other plans
   Roles and accountabilities

2. SUMMARY OF FRAUD CONTROL STRATEGIES
   Appointment of fraud control officer
   External assistance to the fraud control officer
   Fraud control responsibilities
   Fraud risk management (including fraud risk assessment)
   Fraud awareness
   Fraud detection
   Fraud reporting
   Investigation of fraud and other improper conduct
   Internal control review following discovery of fraud
   Fidelity guarantee and criminal conduct insurance
   Internal audit program

3. FRAUD RISK MANAGEMENT
   Regular program for fraud risk assessment
   Ongoing review of fraud control strategies
   Fraud risk assessment
   Implementation of proposed actions

4. PROCEDURES FOR REPORTING FRAUD
   Internal reporting
   Reports by members of staff
   Protection of employees reporting suspected fraud
   External anonymous reporting

[40] This sample is provided by the Australian Standard on Fraud and Corruption Control, AS 8001-2003. Please note that other definitions of fraud exist, and thus it is important for the organization to explain clearly what types of transactions or activities are covered by the policy.


   Reports to the police
   Reports to external parties
   Administrative remedies
   Recovery of the proceeds of fraudulent conduct
   Reporting requirements

5. EMPLOYMENT CONDITIONS
   Pre-employment screening
   Annual leave

6. CONFLICT OF INTEREST
   The impact of conflicts of interest
   Register of interests
   Conflict of interest policy

7. PROCEDURES FOR FRAUD INVESTIGATION
   Internal investigations
   External investigative resources
   Documentation of the results of the investigation

8. INTERNAL AUDIT STRATEGY
   Internal audit capability
   Internal audit fraud control function

9. REVIEW OF FRAUD CONTROL ARRANGEMENTS


APPENDIX C: SAMPLE FRAUD POLICY [41]

NOTE: This appendix is a sample from another entity. As such, no adjustment has been made to this material. The information may or may not agree with all the concepts noted within this paper. The material is being provided as an example that may be used as a tool, reference, or starting point.

BACKGROUND
The corporate fraud policy is established to facilitate the development of controls that will aid in the detection and prevention of fraud against ABC Corporation. It is the intent of ABC Corporation to promote consistent organizational behavior by providing guidelines and assigning responsibility for the development of controls and conduct of investigations.

SCOPE OF POLICY
This policy applies to any irregularity, or suspected irregularity, involving employees as well as shareholders, consultants, vendors, contractors, outside agencies doing business with employees of such agencies, and/or any other parties with a business relationship with ABC Corporation (also called the Company).

Any investigative activity required will be conducted without regard to the suspected wrongdoer’s length of service, position/title, or relationship to the Company.

POLICY
Management is responsible for the detection and prevention of fraud, misappropriations, and other irregularities. Fraud is defined as the intentional, false representation or concealment of a material fact for the purpose of inducing another to act upon it to his or her injury. Each member of the management team will be familiar with the types of improprieties that might occur within his or her area of responsibility and be alert for any indication of irregularity.

Any irregularity that is detected or suspected must be reported immediately to the Director of _____________, who coordinates all investigations with the Legal Department and other affected areas, both internal and external.

[41] This sample is provided by the Association of Certified Fraud Examiners’ Sample Fraud Policy. Please note that other definitions of fraud exist, and thus it is important for the organization to explain clearly what types of transactions or activities are covered by the policy.


ACTIONS CONSTITUTING FRAUD
The terms defalcation, misappropriation, and other fiscal irregularities refer to, but are not limited to:
• Any dishonest or fraudulent act.
• Misappropriation of funds, securities, supplies, or other assets.
• Impropriety in the handling or reporting of money or financial transactions.
• Profiteering as a result of insider knowledge of company activities.
• Disclosing confidential and proprietary information to outside parties.
• Disclosing to other persons securities activities engaged in or contemplated by the company.
• Accepting or seeking anything of material value from contractors, vendors, or persons providing services/materials to the Company. Exception: gifts less than US $50 in value.
• Destruction, removal, or inappropriate use of records, furniture, fixtures, and equipment.
• Any similar or related irregularity.

OTHER IRREGULARITIES
Irregularities concerning an employee’s moral, ethical, or behavioral conduct should be resolved by departmental management and the Employee Relations Unit of Human Resources rather than the _________________ Unit.

If there is any question as to whether an action constitutes fraud, contact the Director of ______________ for guidance.

INVESTIGATION RESPONSIBILITIES
The ____________ Unit has the primary responsibility for the investigation of all suspected fraudulent acts as defined in the policy. If the investigation substantiates that fraudulent activities have occurred, the ______________ Unit will issue reports to appropriate designated personnel and, if appropriate, to the Board of Directors through the Audit Committee.

Decisions to prosecute or refer the examination results to the appropriate law enforcement and/or regulatory agencies for independent investigation will be made in conjunction with legal counsel and senior management, as will final decisions on disposition of the case.


CONFIDENTIALITY
The ______________ Unit treats all information received confidentially. Any employee who suspects dishonest or fraudulent activity will notify the _____________ Unit immediately, and should not attempt to personally conduct investigations or interviews/interrogations related to any suspected fraudulent act (see Reporting Procedures section below).

Investigation results will not be disclosed or discussed with anyone other than those who have a legitimate need to know. This is important in order to avoid damaging the reputations of persons suspected but subsequently found innocent of wrongful conduct and to protect the Company from potential civil liability.

AUTHORIZATION FOR INVESTIGATING SUSPECTED FRAUD
Members of the Investigation Unit will have:
• Free and unrestricted access to all Company records and premises, whether owned or rented.
• The authority to examine, copy, and/or remove all or any portion of the contents of files, desks, cabinets, and other storage facilities on the premises without prior knowledge or consent of any individual who might use or have custody of any such items or facilities when it is within the scope of their investigation.

REPORTING PROCEDURES
Great care must be taken in the investigation of suspected improprieties or irregularities so as to avoid mistaken accusations or alerting suspected individuals that an investigation is under way.

An employee who discovers or suspects fraudulent activity will contact the _____________ Unit immediately. The employee or other complainant may remain anonymous. All inquiries concerning the activity under investigation from the suspected individual, his or her attorney or representative, or any other inquirer should be directed to the Investigations Unit or the Legal Department. No information concerning the status of an investigation will be given out. The proper response to any inquiries is: “I am not at liberty to discuss this matter.” Under no circumstances should any reference be made to “the allegation,” “the crime,” “the fraud,” “the forgery,” “the misappropriation,” or any other specific reference.

The reporting individual should be informed of the following:
• Do not contact the suspected individual in an effort to determine facts or demand restitution.
• Do not discuss the case, facts, suspicions, or allegations with anyone unless specifically asked to do so by the Legal Department or ____________ Unit.


TERMINATION
If an investigation results in a recommendation to terminate an individual, the recommendation will be reviewed for approval by the designated representatives from Human Resources and the Legal Department and, if necessary, by outside counsel, before any such action is taken. The ___________ Unit does not have the authority to terminate an employee. The decision to terminate an employee is made by the employee’s management. Should the _____________ Unit believe the management decision inappropriate for the facts presented, the facts will be presented to executive-level management for a decision.

ADMINISTRATION
The Director of ___________ is responsible for the administration, revision, interpretation, and application of this policy. The policy will be reviewed annually and revised as needed.

APPROVAL ________________________________ _______________
(CEO/Senior Vice President/Executive) Date


Sample Fraud Policy Decision Matrix

NOTE: This matrix can be used as a tool to summarize and visualize the responsibilities that have been defined for the organization. This is not a standard for “who” should have “what” responsibilities.

Legend: P (Primary Responsibility), S (Secondary Responsibility), SR (Shared Responsibility).

Columns, in order: Investigation Unit; Internal Auditing; Finance/Accounting; Executive Management; Line Management; Risk Management; Public Relations; Employee Relations; Legal. For each action the marks are listed in column order, blank cells omitted.

Action Required
1. Controls to Prevent Fraud: S, S, S, P, SR, S, S, S, S
2. Incident Reporting: P, S, S, S, S, S, S, S, S
3. Investigation of Fraud: P, S, S, S
4. Referrals to Law Enforcement: P, S
5. Recovery of Monies Due to Fraud: P
6. Recommendations to Prevent Fraud: SR, SR, S, S, S, S, S, S, S
7. Internal Control Reviews: P
8. Handle Cases of a Sensitive Nature: P, S, S, S, S, S
9. Publicity/Press Releases: S, S, P
10. Civil Litigation: S, S, P
11. Corrective Action/Recommendations to Prevent Recurrences: SR, SR, S, SR, S, S
12. Monitor Recoveries: S, P
13. Proactive Fraud Auditing: S, P
14. Fraud Education/Training: P, S, S, S
15. Risk Analysis of Areas of Vulnerability: S, S, P
16. Case Analysis: P, S
17. Hotline: P, S
18. Ethics Line: S, S, P


APPENDIX D: FRAUD RISK ASSESSMENT FRAMEWORK EXAMPLE

NOTE: This example is for illustrative purposes and focuses solely on potential revenue recognition risks within financial reporting. A full fraud risk assessment would consider fraudulent financial reporting in other areas relevant to the organization, such as accounts subject to estimation, related-party transactions, and inventory accounting. In addition, the risk of misappropriation of assets, corruption, and other misconduct would be assessed in the same manner.

Columns of the framework (the numbered notes follow the table): (1) Identified Fraud Risks and Schemes; (2) Likelihood; (3) Significance; (4) People and/or Department; (5) Existing Anti-fraud Controls; (6) Controls Effectiveness Assessment; (7) Residual Risks; (8) Fraud Risk Response.

Financial Reporting: Revenue recognition

• Backdating agreements
  (2) Likelihood: Reasonably possible
  (3) Significance: Material
  (4) People/Department: Sales personnel
  (5)/(6) Existing controls (effectiveness assessment): Controlled contract administration system (tested by IA)
  (7) Residual risks: N/A
  (8) Fraud risk response: Periodic testing by IA

• Channel stuffing
  (2) Likelihood: Remote
  (3) Significance: Insignificant
  (4) through (8): N/A

• Holding books open
  (2) Likelihood: Reasonably possible
  (3) Significance: Material
  (4) People/Department: Accounting
  (5)/(6) Existing controls (effectiveness assessment): Standard monthly close process (tested by IA); reconciliation of invoice register to general ledger (tested by management); established procedures for shipping, invoicing, and revenue recognition (tested by IA); established process for consolidation (tested by IA)
  (7) Residual risks: Risk of management override
  (8) Fraud risk response: Testing of late journal entries; cut-off testing by IA

• Late shipments
  (2) Likelihood: Reasonably possible
  (3) Significance: Significant
  (4) People/Department: Shipping dept.
  (5)/(6) Existing controls (effectiveness assessment): Integrated shipping system, linked to invoicing and sales register (tested by IA); daily reconciliation of shipping log to invoice register (tested by management); required management approval of manual invoices (tested by IA)
  (7) Residual risks: Risk of management override
  (8) Fraud risk response: Cut-off testing by IA

• Side letters/agreements
  (2) Likelihood: Probable
  (3) Significance: Material
  (4) People/Department: Sales personnel
  (5)/(6) Existing controls (effectiveness assessment): Annual training of sales and finance personnel on revenue recognition practices (tested by management); quarterly signed attestation of sales personnel concerning extracontractual agreements (tested by management)
  (7) Residual risks: Risk of override
  (8) Fraud risk response: Disaggregated analysis of sales, sales returns, and adjustments by salesperson; internal audit confirming with customers that there are no other agreements, written or oral, that would modify the terms of the written agreement

• Inappropriate journal entries
  (2) Likelihood: Reasonably possible
  (3) Significance: Material
  (4) People/Department: Accounting & Finance
  (5)/(6) Existing controls (effectiveness assessment): Established process for consolidation (tested by IA); established, systematic access controls to the general ledger (tested by IA); standard monthly and quarterly journal entry log maintained, with a review process in place for standard entries and nonstandard entries subject to two levels of review (tested by management)
  (7) Residual risks: Risk of override
  (8) Fraud risk response: Data mining of journal entry population by IA for unusual Dr/Cr combinations and for late entries to accounts subject to estimation


• Roundtrip transactions
  (2) Likelihood: Remote
  (3) Significance: Insignificant
  (4) through (8): N/A

• Manipulation of bill and hold arrangements
  (2) Likelihood: Remote
  (3) Significance: Insignificant
  (4) through (8): N/A

• Early delivery of product
  (2) Likelihood: Reasonably possible
  (3) Significance: Significant
  (4) People/Department: Sales and shipping
  (5)/(6) Existing controls (effectiveness assessment): Systematic matching of sales order to shipping documentation, with exception reports generated (tested by management)
  (7) Residual risks: Adequately mitigated by controls
  (8) Fraud risk response: N/A

• Partial shipments
  (2) Likelihood: Reasonably possible
  (3) Significance: Significant
  (4) People/Department: Sales and shipping
  (5)/(6) Existing controls (effectiveness assessment): Systematic shipping documents manually checked against every shipment (tested by management); systematic matching of sales order to shipping documentation, with exception reports generated; customer approval of partial shipment required prior to revenue recognition
  (7) Residual risks: Adequately mitigated by controls
  (8) Fraud risk response: N/A

• Additional revenue risks
  (5) Existing controls: Systematic shipping documents manually checked against every shipment

Notes to the framework columns:

1. Identified Fraud Risks and Schemes: This column should include a full list of the potential fraud risks and schemes that may face the organization. This list will be different for different organizations and should be informed by (a) industry research, (b) interviews of employees and other stakeholders, (c) brainstorming sessions, and (d) activity on the whistleblower hotline.

2. Likelihood of Occurrence: To design an efficient fraud risk management program, it is important to assess the likelihood of the identified fraud risks so that the organization establishes proper anti-fraud controls for the risks that are deemed most likely. For purposes of the assessment, it should be adequate to evaluate the likelihood of risks as remote, reasonably possible, and probable.

3. Significance to the Organization: Quantitative and qualitative factors should be considered when assessing the significance of fraud risks to an organization. For example, certain fraud risks may only pose an immaterial direct financial risk to the organization, but could greatly impact its reputation, and therefore would be deemed to be a more significant risk to the organization. For purposes of the assessment, it should be adequate to evaluate the significance of risks as immaterial, significant, and material.

4. People and/or Department Subject to the Risk: As fraud risks are identified and assessed, it is important to evaluate which people inside and outside the organization are subject to the risk. This knowledge will assist the organization in tailoring its fraud risk response, including establishing appropriate segregation of duties, proper review and approval chains of authority, and proactive fraud auditing procedures.

5. Existing Anti-fraud Internal Controls: Map pre-existing controls to the relevant fraud risks identified. Note that this occurs after fraud risks are identified and assessed for likelihood and significance. By progressing in this order, this framework intends for the organization to assess identified fraud risks on an inherent basis, without consideration of internal controls.

6. Assessment of Internal Controls Effectiveness: The organization should have a process in place to evaluate whether the identified controls are operating effectively and mitigating fraud risks as intended. Companies subject to the provisions of the U.S. Sarbanes-Oxley Act of 2002 Section 404 will have a process such as this in place. Organizations not subject to Sarbanes-Oxley should consider what review and monitoring procedures would be appropriate to implement to gain assurance that their internal control structure is operating as intended.

7. Residual Risks: After consideration of the internal control structure, it may be determined that certain fraud risks may not be mitigated adequately due to several factors, including (a) properly designed controls are not in place to address certain fraud risks or (b) controls identified are not operating effectively. These residual risks should be evaluated by the organization in the development of the fraud risk response.

8. Fraud Risk Response: Residual risks should be evaluated by the organization and fraud risk responses should be designed to address such remaining risk. The fraud risk response could be one or a combination of the following: (a) implementing additional controls, (b) designing proactive fraud auditing techniques, and/or (c) reducing the risk by exiting the activity.
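The fraud risk responses listed for the "holding books open" and "inappropriate journal entries" schemes (testing of late journal entries, and data mining of the journal-entry population for unusual Dr/Cr combinations and late entries to accounts subject to estimation) are the kind of proactive fraud auditing technique that note 8 refers to. The following Python script is an added illustration of what such a test looks like over a ledger extract; it is not code from the guide or from any ACFE, IIA or AICPA tool. The chart of accounts, the allow-list of expected debit/credit pairings, the close calendar and the four sample journal entries are all constructed for the example, and an entity would substitute its own chart of accounts and a general-ledger export. The self-approval test corresponds to the "two levels of review" control the framework lists for nonstandard entries.

```python
"""Journal-entry analytics for the fraud risk responses in Appendix D.

Added illustration, not code from the guide. The chart of accounts, the
expected debit/credit pairings, the close calendar and the sample entries
are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed chart of accounts: account -> (type, subject to estimation).
# The estimation flag marks balances that rest on management judgement.
ACCOUNTS = {
    "1000": ("cash", False),
    "1100": ("receivable", False),
    "2150": ("liability", True),     # warranty reserve
    "2300": ("liability", True),     # accrued liabilities
    "4000": ("revenue", False),
    "5000": ("expense", False),
}

# Allow-list of (debit type, credit type) pairs with an ordinary business
# meaning. Anything else is reported, e.g. a reserve released straight into
# revenue. Assumed for the example; an entity tailors this to its own ledger.
EXPECTED_PAIRS = {
    ("receivable", "revenue"),   # sale on credit
    ("cash", "revenue"),         # cash sale
    ("cash", "receivable"),      # customer payment
    ("expense", "cash"),         # paid expense
    ("expense", "liability"),    # accrued expense
    ("liability", "cash"),       # settle an accrual
}


@dataclass
class Line:
    account: str
    debit: float = 0.0
    credit: float = 0.0


@dataclass
class Entry:
    ref: str
    effective: date        # period the entry books to
    posted: date           # date it was actually recorded
    preparer: str
    approver: str
    lines: list = field(default_factory=list)


def account_info(account):
    """Type and estimation flag; unknown accounts surface as type 'unknown'."""
    return ACCOUNTS.get(account, ("unknown", False))


def analyze(entries, period_end, close_cutoff):
    """Run the tests over a journal-entry population.

    period_end    last day of the period under review
    close_cutoff  last day on which entries for that period should be posted
    Returns a list of (entry ref, test name, detail) findings.
    """
    findings = []
    for e in entries:
        debits = sum(ln.debit for ln in e.lines)
        credits = sum(ln.credit for ln in e.lines)
        if abs(debits - credits) > 0.005:
            findings.append((e.ref, "unbalanced", f"Dr {debits:.2f} vs Cr {credits:.2f}"))
        # Two levels of review means preparer and approver must differ.
        if e.preparer == e.approver:
            findings.append((e.ref, "self_approved", e.preparer))
        # Unusual Dr/Cr combinations: every debit type paired with every
        # credit type in the entry must be on the allow-list.
        dr_types = {account_info(ln.account)[0] for ln in e.lines if ln.debit}
        cr_types = {account_info(ln.account)[0] for ln in e.lines if ln.credit}
        for d in sorted(dr_types):
            for c in sorted(cr_types):
                if (d, c) not in EXPECTED_PAIRS:
                    findings.append((e.ref, "unusual_pair", f"Dr {d} / Cr {c}"))
        # Late entries: booked into the period but posted after the close,
        # with a second finding when they touch accounts subject to estimation.
        if e.effective <= period_end and e.posted > close_cutoff:
            findings.append((e.ref, "late_entry", f"effective {e.effective}, posted {e.posted}"))
            estimates = sorted(ln.account for ln in e.lines if account_info(ln.account)[1])
            if estimates:
                findings.append((e.ref, "late_estimate_entry", ", ".join(estimates)))
    return findings


PERIOD_END = date(2024, 12, 31)
CLOSE_CUTOFF = date(2025, 1, 5)

# Constructed sample population: a clean credit sale, a self-approved reserve
# release posted after the close, a clean cash receipt in the new period, and
# an unbalanced accrual posted late against a reserve account.
SAMPLE = [
    Entry("JE-1001", date(2024, 12, 15), date(2024, 12, 15), "alice", "bob",
          [Line("1100", debit=5000), Line("4000", credit=5000)]),
    Entry("JE-1002", date(2024, 12, 31), date(2025, 1, 9), "carol", "carol",
          [Line("2150", debit=40000), Line("4000", credit=40000)]),
    Entry("JE-1003", date(2025, 1, 3), date(2025, 1, 3), "dan", "erin",
          [Line("1000", debit=9000), Line("1100", credit=9000)]),
    Entry("JE-1004", date(2024, 12, 31), date(2025, 1, 12), "dan", "erin",
          [Line("5000", debit=800), Line("2300", credit=750)]),
]


def run_sample():
    return analyze(SAMPLE, PERIOD_END, CLOSE_CUTOFF)


if __name__ == "__main__":
    for ref, test, detail in run_sample():
        print(f"{ref}  {test:<20} {detail}")
```

Running the file prints the findings for the constructed population; analyze() is the reusable part. The expected-pair table is an allow-list on purpose: the test reports what the entity has not explained rather than trying to enumerate every scheme, so it stays useful as new schemes appear. Each finding is a lead for internal audit to follow up, not a conclusion, which is why the script returns the population of exceptions instead of a verdict.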


APPENDIX E: FRAUD RISK EXPOSURES [42]

NOTE: This appendix is a sample from another entity. As such, no adjustment has been made to this material. The information may or may not agree with all the concepts noted within this paper. The material is being provided as an example that may be used as a tool, reference, or starting point.

The following illustrates the types of frauds an organization might encounter. This listing is not meant to be all-inclusive but to provide a starting point for an organization to identify which areas are vulnerable to fraud. More attention will be needed to identify specific industry, location, and cultural factors that can influence fraudulent behavior. Once identified, the fraud risk assessment framework shown in Appendix D could be used. [43]

1) Intentional manipulation of financial statements can lead to:
   a) Inappropriately reported revenues
      (1) Fictitious revenues
      (2) Premature revenue recognition
      (3) Contract revenue and expense recognition
   b) Inappropriately reported expenses
      (1) Period recognition of expenses
   c) Inappropriately reflected balance sheet amounts, including reserves
      (1) Improper asset valuation
          (a) Inventory
          (b) Accounts receivable
          (c) Mergers and acquisitions
          (d) Capitalization of intangible items
      (2) Misclassification of assets
      (3) Inappropriate depreciation methods
      (4) Concealed liabilities and expenses
          (a) Omission
          (b) Sales returns and allowances and warranties
          (c) Capitalization of expenses
          (d) Tax liability
   d) Inappropriately improved and/or masked disclosures
      (1) Liabilities omissions
      (2) Subsequent events
      (3) Related-party transactions
      (4) Accounting changes
      (5) Management frauds uncovered
      (6) Backdating transactions
   e) Concealing misappropriation of assets
   f) Concealing unauthorized receipts and expenditures
   g) Concealing unauthorized acquisition, disposition, and use of assets

[42] The Fraud Risk Manual issued by the ACFE, 2007.
[43] For a sample list of fraud schemes and potential controls to be installed to combat the fraud, see Appendix 8 of Managing the Risk of Fraud: A Guide for Managers by HM Treasury, listed in Appendix A of this paper.


2) Misappropriation of:
   a) Tangible assets by
      (1) Cash theft
          (a) Sales register manipulation
          (b) Skimming
          (c) Collection procedures
          (d) Understated sales
          (e) Theft of checks received
          (f) Check for currency substitution
          (g) Lapping accounts
          (h) False entries to sales account
          (i) Inventory padding
          (j) Theft of cash from register
          (k) Deposit lapping
          (l) Deposits in transit
      (2) Fraudulent disbursements
          (a) False refunds
          (b) False voids
          (c) Small disbursements
          (d) Check tampering
          (e) Billing schemes
          (f) Personal purchases with company funds
          (g) Returning merchandise for cash
      (3) Payroll fraud
          (a) Ghost employees
          (b) Falsified hours and salary
          (c) Commission sales
      (4) Expense reimbursement
          (a) Mischaracterized expenses
          (b) Overstated expenses
          (c) Fictitious expenses
          (d) Multiple reimbursements
      (5) Loans
          (a) Loans to nonexistent borrowers
          (b) Double pledged collateral
          (c) False application information
          (d) Construction loans
      (6) Real estate
          (a) Appraisal value
          (b) Fraudulent appraisal
      (7) Wire transfer
          (a) System password compromise
          (b) Forged authorizations
          (c) Unauthorized transfer account
          (d) ATM


      (8) Check and credit card fraud
          (a) Counterfeiting checks
          (b) Check theft
          (c) Stop payment orders
          (d) Unauthorized or lost credit cards
          (e) Counterfeit credit cards
          (f) Mail theft
      (9) Insurance fraud
          (a) Dividend checks
          (b) Settlement checks
          (c) Premium
          (d) Fictitious payee
          (e) Fictitious death claim
          (f) Underwriting misrepresentation
          (g) Vehicle insurance: staged accidents
          (h) Inflated damages
          (i) Rental car fraud
      (10) Inventory
          (a) Misuse of inventory
          (b) Theft of inventory
          (c) Purchasing and receiving falsification
          (d) False shipments
          (e) Concealing inventory shrinkage
   b) Intangible assets
      (1) Theft of intellectual property
          (a) Espionage
          (b) Loss of information
          (c) Spying
          (d) Infiltration
          (e) Informants
          (f) Trash and waste disposal
          (g) Surveillance
      (2) Customers
      (3) Vendors
   c) Proprietary business opportunities

3) Corruption including:
   a) Bribery and gratuities to
      (1) Companies
      (2) Private individuals
      (3) Public officials


   b) Embezzlement
      (1) False accounting entries
      (2) Unauthorized withdrawals
      (3) Unauthorized disbursements
      (4) Paying personal expenses from bank funds
      (5) Unrecorded cash payments
      (6) Theft of physical property
      (7) Moving money from dormant accounts
   c) Receipt of bribes, kickbacks, and gratuities
      (1) Bid rigging
      (2) Kickbacks
          (a) Diverted business to vendors
          (b) Over billing
      (3) Illegal payments
          (a) Gifts
          (b) Travel
          (c) Entertainment
          (d) Loans
          (e) Credit card payments for personal items
          (f) Transfers for other than fair value
          (g) Favorable treatment
      (4) Conflicts of interest
          (a) Purchases
          (b) Sales
          (c) Business diversion
          (d) Resourcing
          (e) Financial disclosure of interest in vendors
          (f) Ownership interest in suppliers
   d) FCPA violations
      (1) Anti-bribery provisions
      (2) Books and records violations
      (3) Internal control weaknesses
   e) Money laundering
   f) Aiding and abetting fraud by other parties (customers, vendors)


APPENDIX F: FRAUD PREVENTION SCORECARD

To assess the strength of the organization’s fraud prevention system, carefully assess each area below and score the area, factor, or consideration as:

Red: indicating that the area, factor, or consideration needs substantial strengthening and improvement to bring fraud risk down to an acceptable level.
Yellow: indicating that the area, factor, or consideration needs some strengthening and improvement to bring fraud risk down to an acceptable level.
Green: indicating that the area, factor, or consideration is strong and fraud risk has been reduced, at least, to a minimally acceptable level.

Each area, factor, or consideration scored either red or yellow should have a note associated with it that describes the action plan for bringing it to green on the next scorecard.

Fraud Prevention Area, Factor, or Consideration (Score / Notes)

• Our organizational culture (tone at the top) is as strong as it can possibly be and establishes a zero-tolerance environment with respect to fraud.
• Our organization’s top management consistently displays the appropriate attitude regarding fraud prevention and encourages free and open communication regarding ethical behavior.
• Our Code of Organizational Conduct has specific provisions that address and prohibit inappropriate relationships whereby members of our board or members of management could use their positions for personal gain or other inappropriate purposes.
• We have done a rigorous fraud risk assessment using the COSO Enterprise Risk Management–Integrated Framework and have taken specific actions to strengthen our prevention mechanisms as necessary.
• We have assessed fraud risk for our organization adequately based on evaluations of similar organizations in our industry, known frauds that have occurred in similar organizations, in-house fraud brainstorming, and periodic reassessments of risk.
• We have addressed the strengths and weaknesses of our internal control environment adequately and have taken specific steps to strengthen the internal control structure to help prevent the occurrences of fraud.


• Our organizational structure contains no unnecessary entities that might be used for inappropriate purposes or that might enable less-than-arms-length transactions or relationships.
• We have assessed all overseas and decentralized operations carefully and have taken proactive steps to ensure that they have fraud preventive controls in place to conform with the strictest legal standards and highest ethical principles.
• We have divested our organization of all unnecessary third-party and related-party relationships.
• For any remaining third-party and related-party relationships, we have taken positive measures to ensure that such relationships do not allow opportunities for frauds to occur without detection.
• We have assessed the alignment of authorities and responsibilities at all levels of organization management and are not aware of any misalignments that might represent vulnerabilities to fraud.
• Our audit committee has taken a very proactive posture with respect to fraud prevention.
• Our audit committee is composed only of independent directors and includes persons with financial accounting and reporting expertise.
• Our audit committee meets at least quarterly and devotes substantial time to assessing fraud risk and proactively implementing fraud preventive mechanisms.
• We have a strong internal audit department (if applicable) that functions independently of management. The charter of our internal audit department expressly states that the internal audit team will help prevent and detect fraud and misconduct.
• We have designated an individual with the authority and responsibility for overseeing and maintaining our fraud prevention programs, and have given this individual the resources needed to manage our fraud prevention programs effectively. This individual has direct access to the audit committee.


• Our human resources department conducts background investigations with the specific objective of assuring that persons with inappropriate records or characters inconsistent with our corporate culture and ethics are identified and eliminated from the hiring process.
• Our human resources department conducts background investigations with respect to promotions or transfers into positions of responsibility.
• Personnel involved in the financial reporting process have been assessed with regard to their competencies and integrity and have been found to be of the highest caliber.
• All of our employees, vendors, contractors, and business partners have been made aware of our zero-tolerance policies related to fraud and are aware of the appropriate steps to take in the event that any evidence of possible fraud comes to their attention.
• We have a rigorous program for communicating our fraud prevention policies and procedures to all employees, vendors, contractors, and business partners.
• We have policies and procedures in place for authorization and approvals of certain types of transactions and for certain values of transactions to help prevent and detect the occurrences of fraud.
• Our performance measurement and evaluation process includes an element specifically addressing ethics and integrity as well as adherence to the Code of Organizational Conduct.
• All new hires must undergo rigorous ethics and fraud awareness and fraud prevention training.
• All employees must attend periodic (at least annual) ethics and fraud awareness and fraud prevention training, and the effectiveness of this training is affirmed through testing.
• Terminated, resigning, or retiring employees participate in an exit interview process designed to identify potential fraud and vulnerabilities to fraud that may be taking place in our organization. A specific focus of these interviews is an assessment of management’s integrity and adherence to the Code of Organizational Conduct. All concerns resulting from these interviews are communicated to our audit committee.


We have an effective whistleblower protection program and fraud hotline in place, and its existence and procedures are known to all employees, vendors, contractors, and business partners.
We review the above fraud preventive mechanisms on an ongoing basis and document these reviews as well as the communication with the audit committee regarding areas that need improvement.
We have a fraud response plan in place and know how to respond if a fraud allegation is made. The fraud response plan considers:
• Who should perform the investigation.
• How the investigation should be performed.
• When a voluntary disclosure to the government should be made.
• How to determine the remedial action.
• How to remedy control deficiencies identified.
• How to administer disciplinary action.


APPENDIX G: FRAUD DETECTION SCORECARD
To assess the strength of the organization’s fraud detection system, carefully assess each area below and score the area, factor, or consideration as:
Red: indicating that the area, factor, or consideration needs substantial strengthening and improvement to bring fraud risk down to an acceptable level.
Yellow: indicating that the area, factor, or consideration needs some strengthening and improvement to bring fraud risk down to an acceptable level.
Green: indicating that the area, factor, or consideration is strong and fraud risk has been reduced — at least — to a minimally acceptable level.
Each area, factor, or consideration that scores either red or yellow should have a note associated with it that describes the action plan for bringing it to green on the next scorecard.
Fraud Prevention Area, Factor, or Consideration | Score | Notes
We have integrated our fraud detection system with our fraud prevention system in a cost-effective manner.
Our fraud detection processes and techniques pervade all levels of responsibility within our organization, from the board of directors and audit committee, to managers at all levels, to employees in all areas of operation.
Our fraud detection policies include communicating to employees, vendors, and stakeholders that a strong fraud detection system is in place, but certain critical aspects of these systems are not disclosed to maintain the effectiveness of hidden controls.
We use mandatory vacation periods or job rotation assignments for employees in key finance and accounting control positions.
We periodically reassess our risk assessment criteria as our organization grows and changes to make sure we are aware of all possible types of fraud that may occur.
Our fraud detection mechanisms place increased focus on areas in which we have concluded that preventive controls are weak or are not cost-effective.
We focus our data analysis and continuous auditing efforts based on our assessment of the types of fraud schemes to which organizations like ours (in our industry, or with our lines of business) are susceptible.


We take steps to ensure that our detection processes, procedures, and techniques remain confidential so that ordinary employees — and potential fraud perpetrators — do not become aware of their existence.
We have comprehensive documentation of our fraud detection processes, procedures, and techniques so that we maintain our fraud detection vigilance over time and as our fraud detection team changes.
Our detective controls include a well-publicized and well-managed fraud hotline.
Our fraud hotline program provides anonymity to individuals who report suspected wrongdoing.
Our fraud hotline program includes assurances that employees who report suspected wrongdoing will not face retaliation. We monitor for retaliation after an issue has been reported.
Our fraud hotline has a multilingual capability and provides access to a trained interviewer 24 hours a day, 365 days a year.
Our fraud hotline uses a case management system to log all calls and their follow-up to resolution, is tested periodically by our internal auditors, and is overseen by the audit committee.
Our fraud hotline program analyzes data received and compares results to norms for similar organizations.
Our fraud hotline program is independently evaluated periodically for effectiveness and compliance with established protocols.
We use a rigorous system of data analysis and continuous auditing to detect fraudulent activity.
Our information systems/IT process controls include controls specifically designed to detect fraudulent activity, as well as errors, and include reconciliations, independent reviews, physical inspections/counts, analyses, audits, and investigations.
Our internal audit department’s charter includes emphasis on conducting activities designed to detect fraud.
Our internal auditors participate in the fraud risk assessment process and plan fraud detection activities based on the results of this risk assessment.


Our internal auditors report to the audit committee and focus appropriate resources on assessing management’s commitment to fraud detection.
Our internal audit department is adequately funded, staffed, and trained to follow professional standards, and our internal audit personnel possess the appropriate competencies to support the group’s objectives.
Our internal audit department performs risk-based assessments to understand motivation and where potential manipulation may take place.
Our internal audit personnel are aware of, and are trained in, the tools and techniques of fraud detection, response, and investigation as part of their continuing education program.
Our data analysis programs focus on journal entries and unusual transactions, and transactions occurring at the end of a period or those that were made in one period and reversed in the next period.
Our data analysis programs identify journal entries posted to revenue or expense accounts that improve net income or otherwise serve to meet analysts’ expectations or incentive compensation targets.
We have systems designed to monitor journal entries for evidence of possible management override efforts intended to misstate financial information.
We use data analysis, data mining, and digital analysis tools to: (a) identify hidden relationships among people, organizations, and events; (b) identify suspicious transactions; (c) assess the effectiveness of internal controls; (d) monitor fraud threats and vulnerabilities; and (e) consider and analyze large volumes of transactions on a real-time basis.
We use continuous auditing techniques to identify and report fraudulent activity more rapidly, including Benford’s Law analysis to examine expense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns of activity that may require further analysis.
We have systems in place to monitor employee e-mail for evidence of potential fraud.
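What two of the data-analysis items above look like in practice, as an added Python example (not code from the ACFE or BKD document): a Benford’s Law first-digit test over transaction amounts, using Nigrini’s per-digit z-statistic and mean absolute deviation, and a search for entries posted in the last days of a month and reversed on the same account in the following month. The journal extract, the 5%-growth baseline series and the $10,000 approval limit that the split invoices dodge are constructed assumptions for illustration.

```python
"""Two continuous-auditing checks over a journal-entry extract (added example):
(1) Benford's Law first-digit test with Nigrini's per-digit z-statistic and MAD,
(2) postings made in the last days of a month and reversed in the next month.
Standard library only. Every amount and entry below is constructed, not real data."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Benford's Law: P(leading digit = d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of a non-zero amount; sign and magnitude ignored."""
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(amounts):
    """Return ({digit: (count, observed, expected, z)}, mean absolute deviation).

    z is Nigrini's single-digit statistic with continuity correction; z > 1.96
    is the usual 5% flag. MAD over the nine digits is the sample-size-independent
    conformity measure (Nigrini's first-digit bands: < 0.006 close, < 0.012
    acceptable, < 0.015 marginal, above that nonconforming)."""
    digits = [leading_digit(a) for a in amounts if a]  # zero has no leading digit
    n = len(digits)
    if not n:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    rows = {}
    for d in range(1, 10):
        observed, expected = counts[d] / n, BENFORD[d]
        se = math.sqrt(expected * (1 - expected) / n)
        z = (abs(observed - expected) - 1 / (2 * n)) / se
        rows[d] = (counts[d], observed, expected, max(z, 0.0))
    mad = sum(abs(o - e) for _, o, e, _ in rows.values()) / 9
    return rows, mad


def nonconforming_digits(amounts, z_crit=1.96):
    """Digits whose frequency departs from Benford at the 5% level."""
    rows, _ = benford_first_digit(amounts)
    return [d for d, (_, _, _, z) in rows.items() if z > z_crit]


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str
    posted: date
    amount: float  # debit positive, credit negative
    user: str


def month_end(d):
    """Last calendar day of the month containing d (the period end used below)."""
    return date(d.year + (d.month == 12), d.month % 12 + 1, 1) - timedelta(days=1)


def period_end_reversals(entries, window_days=3, tol=0.005):
    """Pair each entry posted in the last `window_days` days of a month with an
    entry on the same account in the following month that exactly reverses its
    amount. Same-sign pairs and reversals in a later month are not flagged."""
    by_account = defaultdict(list)
    for e in entries:
        by_account[e.account].append(e)
    flagged = []
    for e in entries:
        end = month_end(e.posted)
        if (end - e.posted).days >= window_days:
            continue
        next_start = end + timedelta(days=1)
        next_end = month_end(next_start)
        for r in by_account[e.account]:
            in_next_period = next_start <= r.posted <= next_end
            if in_next_period and math.isclose(r.amount, -e.amount, abs_tol=tol):
                flagged.append((e.entry_id, r.entry_id))
    return flagged


# Constructed baseline: 189 steps of 5% growth span four full decades, so the
# leading digits of this geometric series follow Benford closely.
BASELINE = [100 * 1.05 ** i for i in range(189)]
# Constructed anomaly: 25 invoices kept just under a hypothetical $10,000
# approval limit (split purchasing), which piles mass onto leading digit 9.
SPLIT_INVOICES = [9_000.5 + 37 * k for k in range(25)]

# Constructed journal extract (dates around the 31 March period end).
JOURNAL = [
    Entry("JE-1001", "4000-Revenue", date(2015, 3, 12), -12_500.00, "alice"),
    Entry("JE-1002", "4000-Revenue", date(2015, 3, 31), -48_000.00, "bob"),
    Entry("JE-1003", "4000-Revenue", date(2015, 4, 2), 48_000.00, "bob"),  # unwinds JE-1002
    Entry("JE-1004", "6100-Consulting", date(2015, 3, 30), 9_850.00, "carol"),
    Entry("JE-1005", "6100-Consulting", date(2015, 4, 14), -9_850.00, "carol"),  # unwinds JE-1004
    Entry("JE-1006", "6100-Consulting", date(2015, 3, 30), 1_200.00, "dave"),
    Entry("JE-1007", "6100-Consulting", date(2015, 5, 3), -1_200.00, "dave"),  # two months later: not flagged
    Entry("JE-1008", "4000-Revenue", date(2015, 3, 29), -7_000.00, "bob"),
    Entry("JE-1009", "4000-Revenue", date(2015, 4, 1), -7_000.00, "bob"),  # same sign: not a reversal
]

if __name__ == "__main__":
    rows, mad = benford_first_digit(BASELINE + SPLIT_INVOICES)
    for d, (count, obs, exp, z) in rows.items():
        print(f"digit {d}: n={count:3d} observed={obs:.3f} expected={exp:.3f} z={z:.2f}")
    print(f"MAD={mad:.4f} flagged digits={nonconforming_digits(BASELINE + SPLIT_INVOICES)}")
    print("period-end reversals:", period_end_reversals(JOURNAL))
```

Run as a script it prints the digit table, the flagged digit (9) and the two reversal pairs. Two caveats a practitioner would apply: a first-digit test needs a population of at least a few hundred amounts spanning several orders of magnitude and does not apply to assigned numbers such as invoice or cheque numbers, and a flagged pair or digit is a lead, not a finding; the supporting documents and the approval trail for the named entries still have to be examined.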


Our fraud detection documentation identifies the individuals and departments responsible for:
• Designing and planning the overall fraud detection process.
• Designing specific fraud detective controls.
• Implementing specific fraud detective controls.
• Monitoring specific fraud detective controls and the overall system of these controls for realization of the process objectives.
• Receiving and responding to complaints related to possible fraudulent activity.
• Investigating reports of fraudulent activity.
• Communicating information about suspected and confirmed fraud to appropriate parties.
• Periodically assessing and updating the plan for changes in technology, processes, and organization.
We have established measurement criteria to monitor and improve compliance with fraud detective controls, including:
• Number of, and loss amounts from, known fraud schemes committed against the organization.
• Number and status of fraud allegations received by the organization that required investigation.
• Number of fraud investigations resolved.
• Number of employees who have signed the corporate ethics statement.
• Number of employees who have completed ethics training sponsored by the organization.
• Number of whistleblower allegations received via the organization’s hotline.
• Number of messages supporting ethical behavior delivered to employees by executives.
• Number of vendors who have signed the organization’s ethical behavior policy.
• Number of customers who have signed the organization’s ethical behavior policy.
• Number of fraud audits performed by internal auditors.
We periodically assess the effectiveness of our fraud detection processes, procedures, and techniques; document these assessments; and revise our processes, procedures, and techniques as appropriate.


APPENDIX H: OCEG FOUNDATION PRINCIPLES THAT RELATE TO FRAUD
NOTE: This appendix is a sample from another entity. As such, no adjustment has been made to this material. The information may or may not agree with all the concepts noted within this paper. The material is being provided as an example that may be used as a tool, reference, or starting point.
Below is a summary listing of the practices in the Open Compliance and Ethics Group (OCEG) Foundation [44] and how each practice serves the principles of establishing a strong fraud prevention program as advocated in this paper.
C-Culture
C1-Ethical Culture
C1.1 Define Principles & Values that reflect a desire for high ethical standards and a no tolerance position toward fraud and corruption.
C1.2 Enhance Ethical Climate & Mindsets as a deterrent to fraudulent and corrupt conduct.
C1.3 Foster Ethical Leadership through rewards and acknowledgment as a model of appropriate conduct in the face of stressors that would potentially lead to fraudulent or corrupt behaviors.
C2-Risk Culture
C2.1 Define Philosophy & Style that communicates and cascades through the organization a no tolerance position on fraud risk and the existence of strong anti-fraud policies and controls.
C2.2 Enhance Risk Management Climate & Mindsets so that the workforce, in addition to the board and senior management, is attuned to the stressors and circumstances that create fraud risk so it can be deterred and detected promptly.
C3-Governance Culture
C3.1 Define Governance Style & Approach to specify the desired level of board oversight and involvement in the anti-fraud program, including the thresholds that escalate incidents of fraud to higher levels of visibility, up to and including board attention.
C3.2 Enhance Governance Climate & Mindsets to ensure that accountability for managing fraud risk ripples up to the responsible board member or committee, regularly placing a discussion of the status of the fraud risk management program on the agenda.
C4-Workforce Culture
C4.1 Understand Workforce Management Philosophy & Style to include the aspects of workforce management that either contribute to or deter the risk of fraudulent or corrupt behaviors.
C4.2 Enhance Commitment to the Workforce & Competency by structuring policies and practices in hiring, training, performance evaluation, promotion, compensation, rewards/discipline, career advancement and termination or retirement to deter fraudulent and corrupt behavior, including practices that deal swiftly and decisively with incidents and protect whistleblowers from retribution.
C4.3 Enhance Workforce Satisfaction & Commitment to eliminate or mitigate stressors that create fraud and corruption risk.
[44] © Open Compliance and Ethics Group (2003-2007). OCEG Foundation (Redbook), Phoenix, Ariz.: OCEG (available for free download at www.oceg.org/view/foundation).


O-Organization / Personnel
O1-Leadership & Champions
O1.1 Define Leadership & Champion Responsibilities to include communicating how fraud risk management program objectives facilitate organizational objectives, how individuals contribute to achieving program objectives, and why the program is and should be supported enterprise-wide.
O1.2 Screen & Select Program Leadership & Champions to assure that the leaders and champions are qualified to serve as advocates for anti-fraud messaging based upon prior upstanding conduct or remorseful transformation from prior fraudulent/corrupt or otherwise inappropriate conduct.
O1.3 Enhance Champion Skills & Competencies to include a thorough understanding of fraud, stressors that trigger fraudulent conduct, and the scope, parameters and activities of the fraud risk management program.
O2-Oversight Personnel
O2.1 Define Oversight Structure & Responsibilities to:
• include in the appropriate charter documents whether the entire board, a board member, or a board committee has been assigned oversight responsibilities for directing the activities of the fraud risk management program.
• evidence a commitment to a proactive approach to fraud risk management.
• play an active role in the risk assessment process, using internal audit and external auditors as monitors of fraud risks.
• appoint one executive-level member of management to be responsible for fraud risk management.
• approve sufficient resources in the budget and long-range plans to enable the organization to achieve these objectives.
• ensure that management designs effective fraud risk management policies to encourage ethical behavior and to empower employees, customers, and vendors to insist those standards are met every day.
• model good board governance practices (like board independence) as a component of the fraud risk management program.
• require that the audit committee meet separately with the external audit firm and chief audit executive to discuss the results of the anti-fraud program on the entity’s financial statements.
• ensure the board is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud occurrences.
• assure protection of all requisite privileges and adherence to information management policy for communications related to fraud investigations and audit committee discussions.
O2.2 Screen & Select Oversight Personnel to identify the board member(s) best suited based upon skills, experience, knowledge, and character (based in part upon the results of background checks) to provide anti-fraud program oversight.
O2.3 Enhance Oversight Skills & Competencies so the board:
• has a thorough understanding of what constitutes fraud and corruption risk.
• sets the appropriate “tone at the top” in its own independent practices and through the CEO job description, evaluation, and succession-planning processes.
• maintains oversight of the fraud and corruption risk assessment.
• evaluates management’s identification of fraud and corruption risks.


• leverages the experience of internal and external auditors regarding:
- events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action.
- how and where they believe the entity’s financial statements might be susceptible to material misstatement due to fraud.
- inquiries of management and others within the entity about the risks of fraud.
- analytical procedures to identify unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have financial statement implications.
• oversees the internal controls over financial reporting established by management.
• assesses the risk of financial fraud by management.
• ensures controls are in place to prevent, deter, and detect fraud by management.
• empowers the audit committee and external auditors to look for and report fraud of all sizes and types.
O2.4 Assess Oversight Personnel & Team Performance to include the effective exercise of oversight for the entity’s fraud risk management program.
O3-Strategic Personnel
O3.1 Define Strategic Structure & Responsibilities using a job description that specifies the role with responsibility for, and sufficient resources and authority to, design and implement a fraud risk management program, including the setting of policy, establishing of controls, training, implementing anti-fraud initiatives, processes for reporting and investigating alleged violations, and reporting to the board on the progress of the program toward objectives, the status of investigations, activities in relation to detecting and mitigating incidents of fraudulent or corrupt behavior, and any remedial steps for program improvement.
O3.2 Screen & Select Strategic Personnel to confirm that the individual vested with responsibility for the program is well-qualified and an appropriate model (as determined, in part, by a background check).
O3.3 Enhance Strategic Skills & Competencies in program management techniques like vision, mission and values development, risk assessment, program effectiveness and performance evaluations, control development, investigations management, as well as a thorough understanding of the organization’s fraud risks and process-level controls.
O3.4 Assess Strategic Personnel & Team Performance compared to fraud risk management program performance targets and individual performance targets.
O4-Operational Personnel
O4.1 Define Operational Structure & Responsibilities that address the fraud risk management responsibilities of all levels of operational personnel, including participating in the process of creating a strong control environment, designing and implementing control activities, participating in monitoring activities, and reporting incidences of fraud and corruption, paying particular attention to the unique program implementation and investigation roles of internal audit, compliance, ethics, and legal.
O4.2 Screen & Select Operational Personnel to confirm that the individuals vested with responsibility for various aspects of the fraud risk management program are not compromised in their effectiveness or unduly pose greater risk to the organization by virtue of past violations of ethical standards and/or unlawful behavior.


O4.3 Enhance Operational Skills & Competencies through training and understanding of:
• their role within the internal control framework and in fraud prevention and detection, including red flags.
• the Code of Conduct and the components and policies of the fraud risk program.
• policies and procedures, including fraud policy, code of conduct, fraud risk prevention and detection controls, and whistleblower policy, as well as other operational policies such as procurement manuals.
O4.4 Assess Operational Personnel Performance against both role-based performance targets, team- or program-based performance targets for which the individual is accountable, and other individual performance targets.
P-Process
PO-Plan & Organize
PO1-Scope & Objectives
PO1.1 Define Scope of the fraud risk management program, alone or as part of a broader ethics, compliance and loss prevention program, to include preventing, detecting and deterring fraudulent and criminal acts.
PO1.2 Define Stakeholders to include direct internal and external stakeholders of the entity plus the stakeholders relevant to the extended enterprise.
PO1.3 Define Planning Methodology & Team that includes team members with insights into human behavior and higher-risk business processes that may prove susceptible to fraudulent behaviors.
PO1.4 Define / Review Organizational Objectives in order to define, align and prioritize fraud risk management initiatives.
PO1.5 Define Program Objectives that measure loss prevention and the protection afforded by detection controls and the prompt resolution of allegations of fraudulent or corrupt conduct.
PO2-Business Model & Context
PO2.1 Identify Key Organizational Entities, Units & Groups as a basis for scoping the program, understanding risks, and prioritizing implementation of fraud risk management program initiatives.
PO2.2 Identify Key Physical, Information and Technology Assets over which or in which specific access, segregation of duty and other fraud prevention and detection controls need to be established.
PO2.3 Identify Key Business Processes that may introduce fraud and corruption risks, including financial, sales and marketing, manufacturing, distribution and fulfillment, research and development and employment.
PO2.4 Identify Key Job Families, Positions, Roles & Assignments, including roles in the extended enterprise, that are more susceptible to fraud risk due to performance pressures, perceived lack of monitoring, or significant authority over assets, accounts, and disclosures.
PO3-Boundary Identification
PO3.1 Define Boundary Identification Methodology to enable the identification of both mandatory and voluntary boundaries of legal and ethical conduct.
PO3.2 Identify Mandated Boundaries including laws, regulations and treaties proscribing fraud and corruption in all regions of both operation and sales, customary practices in the industry and the geographies, and professional conduct standards to which individuals in the workforce and/or agents are subject.
PO3.3 Identify Voluntary Boundaries including societal values and norms for the particular industry and geographies of operation and sales relative to fraud and corruption, and organizational values including a commitment to ethical conduct and a no tolerance position on fraudulent, corrupt or illegal behavior.


PO4-Event Identification
PO4.1 Define Event Identification Methodology that includes brainstorming, defines the categories and classifications for various fraud and corruption risks, applies a consistent methodology to facilitate the comparison of risks across business units, departments and groups, includes consideration of unique pressures and business methods in particular industries and geographies that pose greater fraud risk, and past instances of fraudulent or corrupt conduct like management override of controls and the remediation measures already put in place. (See Appendix C and see p. 4 for sources of risk universe information.)
PO4.2 Identify and Analyze Events within the organization’s culture, product and service mix, processes and systems, trends and changes in the entity’s markets, and in society that may introduce specific fraud and corruption related risks, like changes in accounting procedures, mergers and consolidation, or shifts toward outsourcing or sourcing in areas with weaker detection of risks in the extended enterprise.
PO5-Risk Assessment
PO5.1 Define Risk Assessment Methodology that identifies the frequency of, or triggers that require, reassessment, utilizes “strategic reasoning” and includes criteria for determining likelihood, impact (monetary, compliance and reputational) and relative priority of risks identified through historical information, known fraud schemes, experience of internal and external audit, subject matter experts for particular geographies and industries, and interviews of business process owners. (See Appendix C.)
PO5.2 Analyze Likelihood / Impact in accordance with the prescribed methodology and consistently across the enterprise to be able to make meaningful comparisons and facilitate prioritization.
PO5.3 Define Priorities to properly allocate available resources to the highest priority fraud risks.
PO6-Program Design & Strategy
PO6.1 Define Initiatives to Address Risks, whether these are completing initiatives already underway or new initiatives designed to prevent, detect, and mitigate fraud risk, based upon an analysis that the initiative is mandated by legal requirements or that its projected benefits exceed its costs.
PO6.2 Define Initiatives to Address Opportunities & Values to enhance the ethical culture, resulting in an environment that is more resistant to fraud risk.
PO6.3 Select Initiatives, Controls & Accountability based upon allocated resources and relative ranking; identify the particular fraud risk management initiatives and controls that will be pursued, placing them against a portfolio implementation plan and assigning accountability for project management and effectiveness.
PO6.4 Define Crisis Responses to include the scenario where the degree or nature of the fraudulent or corrupt conduct poses catastrophic financial or reputational risk.
PO6.5 Define Strategic Plan in a form substantially like the Fraud Control Strategy or Policy Template that:
• Defines fraud.
• Communicates the entity’s commitment to fraud prevention, detection and deterrence.
• Outlines the fraud control strategies, including training and the internal audit strategy relative to fraud control.
• Reflects the fraud control initiatives, including accountability and resources for those initiatives and mitigating resistance to change.
• Reflects the fraud risk management methodology, including identification, assessment and prioritization.
• Documents the fraud roles and responsibilities at all levels of the organization.
• Communicates the procedures for reporting and investigating fraud, including disclosure and discipline.
• Addresses employment considerations, conflict of interest, change challenges and approval.
• Communicates how frequently and by what methods the program will be measured and evaluated.


PR-Prevent, Protect & Prepare
PR1-General Controls, Policies & Procedures
PR1.1 Develop Controls, Policies & Procedures that represent a mix of controls designed to prevent, detect, monitor, and respond to fraud risk, including:
• Policy defining fraud, irregularities, authority to conduct investigations, confidentiality, and reporting of results of investigations, and potential disciplinary action should fraud be confirmed.
• Policies encouraging high ethical standards and empowering employees, customers and vendors to insist those standards are met.
• Policy that everyone be 100% open and honest with external auditors.
• Policy that fraud involving senior management or that causes a material misstatement of financial statements be reported directly to the audit committee.
• Policy that fraud detected by either internal audit or external audit be brought to the attention of the appropriate level of management.
• Procedures regarding the nature and extent of communications with the audit committee about fraud committed by lower-level employees.
• Preventive controls like exit interviews, background checks, training, segregation of duties, performance evaluation, compensation practices, and physical and logical access restrictions.
• Detective controls like anonymous reporting, internal audit, and process controls.
PR1.2 Implement and Manage Controls, Policies & Procedures, confirming roles and responsibilities related to the fraud policy (See Appendix B), proper communication, implementation of, adherence to, and operation of fraud risk management controls, policies and procedures.
PR1.3 Automate Controls, Policies & Procedures to protect against the risk that fraudulent or corrupt conduct goes undetected due to inherent variation in human-centric activities.
PR2-Code Of Conduct
PR2.1 Develop Code of Conduct to include expectations about proper conduct in the face of opportunities for fraud or corruption, non-retaliation for and the proper procedures for reporting identified fraudulent or corrupt conduct, regardless of whether the opportunity arises from conflict of interest, use of corporate assets, customer, supplier, government or other business dealings.
PR2.2 Distribute and Manage Code of Conduct publicly and across all levels of the organization so that each level understands and receives training on their respective roles and responsibilities in relation to fraud and corruption risk management, keeping the Code refreshed based upon changes in laws, operating conditions and policies.
PR3-Training & Education
PR3.1 Design / Develop Training related to ethical conduct in the face of stressors or opportunities for fraudulent or corrupt behavior that occur at all levels of the organization and through the extended enterprise, assuring that such training is attended in a timely manner as roles or responsibilities change, and that individuals are meeting comprehension goals.
PR3.2 Implement and Manage Training to confirm that fraud risk management training appropriate to each person’s role has been delivered in accordance with the training plan and has met all performance targets.


PR4-Workforce Management
PR4.1 Define Roles, Responsibilities & Duties in relation to fraud risk management responsibilities, including segregation of duties and avoidance of conflicts of interest.
PR4.2 Screen & Select Workforce using selection criteria that minimize the risk of future fraudulent conduct based, in part, upon the results of background checks and how the history of any prior inappropriate or unlawful conduct relates to the responsibilities of the position for which the individual is being considered.
PR4.3 Evaluate Performance & Promote Workforce based upon criteria that include ethical and legal conduct and do not provide incentives or inducements to fraudulent or corrupt conduct.
PR4.4 Compensate & Reward Workforce according to policies and practices that do not provide an incentive or inducement to commit fraud or corruption.
PR4.5 Retire & Terminate Workforce in a manner consistent with fraud policy and using exit interviews as a final confirmation that all organizational assets have been returned, that confidential records have been returned or destroyed in accordance with policy, and to identify fraudulent, corrupt or otherwise inappropriate behavior.
PR6-Risk Sharing & Insurance
PR6.1 Design and Implement Risk Sharing & Insurance to protect the entity at an appropriate level based upon the entity’s risk tolerance after assessment of the residual fraud risk not mitigated by controls, policies, and procedures.
PR7-Preparedness & Practice
PR7.1 Design Preparedness Exercises that afford an opportunity to practice response activities upon the detection of fraud or corruption, including public disclosure and regulatory reporting.
PR7.2 Conduct Preparedness Exercises to determine if planned approaches need to be modified to better protect against fraud risk, particularly reputational risk.
M-Ongoing Monitoring
M1-Control Assurance & Audit
M1.1 Monitor Controls, Policies & Procedures through individuals assigned with such responsibility, as periodically reviewed by internal audit, escalating detected issues through appropriate procedures for investigation, response and remediation.
M1.2 Survey Employees and Other Stakeholders as an additional check on whether the anti-fraud program is creating the appropriate culture and is operating effectively, including questions related to whether there has been observed fraudulent or corrupt behavior, whether such was reported, and whether the discipline/response has been consistent, decisive and timely.
M2-Hotline & Helpline
M2.1 Define Hotline/Helpline Approach to consistently address concerns and issues through the validation, investigation, resolution, and remediation processes, whether identified through audit or a report of suspected fraudulent or corrupt conduct.
M2.2 Provide Hotline that allows the entity to receive reports of suspected fraudulent or corrupt conduct on both an identified and an anonymous basis.
M2.3 Provide Helpline that allows both internal and external stakeholders to obtain guidance on whether observed or suspected conduct constitutes fraudulent or corrupt conduct, and thus should be reported or otherwise addressed in accordance with applicable policies and procedures.


E-Periodic Evaluation

E1-Evaluation Planning & Reporting

E1.1 Define Evaluation Scope / Objectives to include the periodic evaluation of the fraud risk management program.

E1.2 Define Type of Evaluation, whether design effectiveness, operating effectiveness and/or performance.

E1.3 Define Level of Assurance and Evaluation Team, including whether the evaluation is to be a self-assessment, an internal evaluation with validation, or a third-party evaluation of the program and/or of the quality of internal audit’s execution of its role in the program.

E1.4 Define Privilege Status for the communications during, and the results of, the evaluation of the fraud risk management program.

E1.5 Develop Evaluation Plan, which will vary based upon the defined level of assurance but must identify the criteria and procedures to be used for assessment in addition to the other elements in the OCEG Foundation. (See Appendices D and E for example self-assessments.)

E1.6 Define and Communicate Evaluation Report Content so that the results of the evaluation are communicated at the appropriate level of the organization and ultimately presented, as a regular board agenda item, by the head of internal audit or the executive-level member of management accountable to the board for the effectiveness and performance of the fraud risk management program.

E2-Program Effectiveness Evaluation

E2.1 Perform Design Effectiveness (DE) Evaluation in accordance with the evaluation plan.

E2.2 Perform Operating Effectiveness (OE) Evaluation in accordance with the evaluation plan.

E3-Program Performance Evaluation

E3.1 Perform Program Efficiency (PE) Evaluation in accordance with the evaluation plan.

E3.2 Perform Program Responsiveness (PR) Evaluation in accordance with the evaluation plan.

R-Respond & Improve

R1-Incident, Issue & Case Management

R1.1 Process, Escalate & Manage Incidents in accordance with applicable legal restrictions on anonymous and confidential reporting, through a mechanism and process of prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct which:
• Categorizes issues.
• Confirms the validity of the allegation(s).
• Defines the severity of the allegation(s).
• Escalates the issue or investigation when appropriate.
• Refers issues outside the scope of the program.
• Conducts the investigation and fact-finding.
• Resolves or closes the investigation.
• Undertakes a review of whether the conduct constitutes a control weakness to be remediated.
• Identifies types of information that should be kept confidential.
• Defines how the investigation will be documented.
• Manages and retains documents and information.

R1.2 Resolve Issues in accordance with the methodology.


R2-Special Investigation

R2.1 Determine Need/Scope of Investigation, particularly when the alleged fraud is based upon the conduct of executives or requires specialized skills such as forensic accounting.

R2.2 Create Investigation Team to reflect a mix of people with appropriate investigative skills and also knowledge of the business, its procedures, and its systems.

R2.3 Plan Investigation consistent with the scope, the policy on investigation procedures and the information management plan.

R2.4 Execute Investigation Plan in accordance with the investigation plan.

R2.5 Communicate Investigation/Follow-Up in accordance with the investigation plan, including anonymity, confidentiality and external reporting requirements.

R3-Crisis Response & Communication

R3.1 Execute Crisis and Emergency Response Plan in accordance with the plan, as improved based upon the analysis of lessons learned from practicing the plan, and using the designated crisis response team in the various roles identified in the plan.

R4-Discipline & Disclosure

R4.1 Discharge Discipline in accordance with the fraud policy regarding the range of discipline and in conformity with the disciplinary precedents set by prior similar conduct.

R4.2 Disclose Findings to the appropriate level of management, up to and including the board of directors or the audit committee depending on legal requirements and the thresholds set in the escalation policy, and, as required, to external stakeholders, including the media, in accordance with prescribed formats.

R5-Remediation & Improvement

R5.1 Modify Program for Improvement to harden preventive controls, enhance detective controls, and/or accelerate mitigating controls to reduce the risk of loss, based upon a reconsideration of how these initiatives rank when compared to the existing portfolio of fraud risk management initiatives.

I-Information & Communication

I1-Information & Records Management

I1.1 Classify Data & Records to facilitate their consistent handling in each of the processes executed as part of the fraud risk management program.

I1.2 Define Information Access based upon each record type in accordance with informational, confidentiality, anonymity, legal and other requirements, and professional standards.

I1.3 Define Information Availability, Integrity & Recovery, particularly in the context of transactional history, where missing information may be an indicator of the concealment of fraudulent activity.

I1.4 Define Information Management Monitoring, particularly related to reports of allegations of fraudulent conduct, and to confirm that system overrides or access overrides are authorized and that confidential and other sensitive reports or materials are handled in accordance with stated policy.

I1.5 Define Information Disposition to support the balance of informational needs and the costs of production for investigations or litigation.

I1.6 Define Information Management & Records Awareness Program to make sure those responsible for records related to the fraud risk management program are identifying, managing, handling, and disposing of records according to the stated policies and procedures.


I2-Communication

I2.1 Develop Communication Plan for fraud-related policies, procedures, training, investigations, and reporting.

I2.2 Deliver Communications in accordance with the communication plan(s).

I3-Internal Reporting

I3.1 Develop Internal Reports that reflect risk analysis, the prioritized portfolio of risk initiatives, progress toward fraud risk management objectives, the status and results of evaluations, and the status, results and discipline taken in response to investigations.

I3.2 Develop Internal Communications

I4-External Reporting & Filings

I4.1 Develop Disclosure Systems and Forms that comply with information management and crisis response procedures and meet the informational needs and requirements of the organization and the external party, complying with submission on any mandated reporting forms.

I4.2 Create and Manage Disclosures & Filings in accordance with the defined procedures and forms.

T-Technology

T1-Technology

T1.1 Leverage Technology to Support Program, particularly with regard to:
• automating controls that monitor transactions, enforce business rules, and enforce segregation of duties.
• sharing knowledge of trends and history of incidents, risks, and discipline to facilitate risk analysis and disciplinary decisions.
• enabling reporting of alleged fraud or corruption.
• incident management and loss tracking.
• forensic investigations.


APPENDIX I: COSO Internal Control Integrated Framework

COSO Component / Fraud Risk Management Activities

Control Environment
• Establishing appropriate “tone at the top” and organizational culture.
• Documenting fraud control strategy, code of ethics/conduct, and hiring and promotion standards.
• Establishing, complementing, or evaluating internal audit functions.
• Developing curriculum; designing and providing training.
• Developing a policy and methodology to investigate potential occurrences of fraud.
• Investigating allegations or suspicions of fraud.
• Promoting controls to prevent, deter, and detect fraud.
• Implementing and maintaining a fraud and ethics hotline and whistleblower program.

Fraud Risk Assessment
• Establishing a fraud risk assessment process that considers fraud risk factors and fraud schemes.
• Involving appropriate personnel in the fraud risk assessment process.
• Performing fraud risk assessments on a regular basis.

Anti-fraud Control Activities
• Defining and documenting mitigating controls and linking them to identified fraud risks.
• Modifying existing controls, designing and implementing new preventive and detective controls as necessary, and implementing supporting technologies.

Information and Communication
• Promoting the importance of the fraud risk management program and the organization’s position on fraud risk both internally and externally through corporate communications programs.
• Designing and delivering fraud awareness training.

Monitor
• Providing periodic evaluation of anti-fraud controls.
• Using independent evaluations of the fraud risk management program by internal auditing or other groups.
• Implementing technology to aid in continuous monitoring and detection activities.


Criminology
Fraud Prevention Programs

Sample Code of Business Ethics and Conduct

Introduction

This section reaffirms the importance of high standards of business conduct. Adherence to this Code of Business Ethics and Conduct by all employees is the only sure way we can merit the confidence and support of the public.

Many of us came from a culture that provided answers or direction for almost every situation possible. Managing our business was not so complex; the dilemmas we faced were—for the most part—simple, making our choices relatively easy. We would probably all agree that managing in today’s environment is not so simple.

This code has been prepared as a working guide and not as a technical legal document. Thus, the emphasis is on brevity and readability rather than on providing an all-inclusive answer to specific questions. For example, the term “employee” is used in its broadest sense and refers to every officer and employee of the company and its subsidiaries. The word “law” refers to laws, regulations, orders, etc.

In observance of this code, as in other business conduct, there is no substitute for common sense. Each employee should apply this code with common sense and the attitude of seeking full compliance with the letter and spirit of the rules presented.

It is incumbent upon you, as an employee of the company, to perform satisfactorily and to follow our policies and comply with our rules as they are issued or modified from time to time.

These policies and rules are necessary to effectively manage the business and meet the ever-changing needs of the marketplace. Good performance and compliance with business rules lead to success. Both are crucial, since our ability to provide you with career opportunities depends totally upon our success in the marketplace. Nonetheless, changes in our economy, our markets and our technology are inevitable. Indeed, career opportunities will vary between the individual companies. For these reasons, we cannot contract or even imply that your employment will continue for any particular period of time. While you might terminate your employment at any time, with or without cause, we reserve that same right. This relationship might not be modified, except in writing signed by an appropriate representative of the company.

This Code of Business Ethics and Conduct is a general guide to acceptable and appropriate behavior at the company, and you are expected to comply with its contents; however, it does not contain all of the detailed information you will need during the course of your employment. Nothing contained in this code or in other communications creates or implies an employment contract or term of employment. We are committed to reviewing our policies continually. Thus, this code might be modified or revised from time to time.

You should familiarize yourself with this code so that you might readily distinguish any proposal or act that would constitute a violation. Each employee is responsible for his actions. Violations can result in disciplinary action, including dismissal and criminal prosecution. There will be no reprisal against an employee who in good faith reported a violation or suspected violation.

The absence of a specific guideline, practice or instruction covering a particular situation does not relieve an employee from exercising the highest ethical standards applicable to the circumstances.

If any employee has doubts regarding a questionable situation that might arise, that employee should immediately consult his supervisor or a higher level.

Competition and Antitrust

Fair Competition

The company supports competition based on quality, service and price. We will conduct our affairs honestly, directly and fairly. To comply with the antitrust laws and our policy of fair competition, employees:
• Must never discuss with competitors any matter directly involved in competition between us and the competitor (e.g., sales price, marketing strategies, market shares and sales policies).

Excerpted from Fraud Examiners Manual


• Must never agree with a competitor to restrict competition by fixing prices, allocating markets or other means.
• Must not arbitrarily refuse to deal with or purchase goods and services from others simply because they are competitors in other respects.
• Must not require others to buy from us before we will buy from them.
• Must not require customers to take from us a service they don’t want just so they can get one they do want.
• Must never engage in industrial espionage or commercial bribery.
• Must be accurate and truthful in all dealings with customers and be careful to accurately represent the quality, features and availability of company products and services.

Compliance with Laws and Regulatory Orders

The applicable laws and regulatory orders of every jurisdiction in which the company operates must be followed. Each employee is charged with the responsibility of acquiring sufficient knowledge of the laws and orders relating to his duties in order to recognize potential dangers and to know when to seek legal advice.

In particular, when dealing with public officials, employees must adhere to the highest ethical standards of business conduct. When we seek the resolution of regulatory or political issues affecting the company’s interests, we must do so solely on the basis of merit and pursuant to proper procedures in dealing with such officials. Employees may not offer, provide or solicit, directly or indirectly, any special treatment or favor in return for anything of economic value or the promise or expectation of future value or gain. In addition, there shall be no entertaining of employees of the U.S. Government.

Foreign Corrupt Practices Act

No employee will engage in activity that might involve the employee or the company in a violation of the Foreign Corrupt Practices Act of 1977. The Foreign Corrupt Practices Act requires that the company’s books and records accurately and fairly reflect all transactions and that we maintain a system of internal controls so that transactions conform to management’s authorizations and the accounting records are accurate. No employee will falsely report transactions or fail to report the existence of false transactions in the accounting records. Employees certifying the correctness of records, including vouchers or bills, should have reasonable knowledge that the information is correct and proper.

Under the Act, it is also a federal crime for any U.S. business enterprise to offer a gift, payment or bribe, or anything else of value, whether directly or indirectly, to any foreign official, foreign political party or party official, or candidate for foreign political office for the purpose of influencing an official act or decision, or seeking influence with a foreign government in order to obtain, retain or direct business to the company or to any person. Even if the payment is legal in the host country, it is forbidden by the Act and violates U.S. law.

Conflicts of Interest

There are several situations that could give rise to a conflict of interest. The most common are accepting gifts from suppliers, employment by another company, ownership of a significant part of another company or business, close or family relationships with outside suppliers, and communications with competitors. A potential conflict of interest exists for employees who make decisions in their jobs that would allow them to give preference or favor to a customer in exchange for anything of personal benefit to themselves or their friends and families.

Such situations could interfere with an employee’s ability to make judgments solely in the company’s best interest.

Gifts and Entertainment

DEFINITION OF GIFTS

“Gifts” are items and services of value that are given to any outside parties, but do not include the items described below.
• Normal business entertainment items such as meals and beverages are not to be considered “gifts.”
• Items of minimal value, given in connection with sales campaigns and promotions or employee services, safety or retirement awards, are not to be considered “gifts” for purposes of this code.


• Contributions or donations to recognized charitable and nonprofit organizations are not considered gifts.
• Items or services with a total value under $100 per year are excluded.

DEFINITION OF SUPPLIER

“Supplier” includes not only vendors providing services and material to the company, but also consultants, financial institutions, advisors, and any person or institution which does business with the company.

GIFTS

No employee or member of his immediate family shall solicit or accept from an actual or prospective customer or supplier any compensation, advance loans (except from established financial institutions on the same basis as other customers), gifts, entertainment, or other favors which are of more than token value or which the employee would not normally be in a position to reciprocate under normal expense account procedures.

Under no circumstances should a gift or entertainment be accepted which would influence the employee’s judgment. In particular, employees must avoid any interest in or benefit from any supplier that could reasonably cause them to favor that supplier over others. It is a violation of the code for any employee to solicit or encourage a supplier to give any item or service to the employee regardless of its value, no matter how small. Our suppliers will retain their confidence in the objectivity and integrity of our company only if each employee strictly observes this guideline.

REPORTING GIFTS

An employee who receives, or whose family member receives, an unsolicited gift prohibited by these guidelines should report it to his supervisor and either return it to the person making the gift or, in the case of a perishable gift, give it to a nonprofit charitable organization.

DISCOUNTS

An employee might accept discounts on a personal purchase of the supplier’s or customer’s products only if such discounts do not affect the company’s purchase price and are generally offered to others having a similar business relationship with the supplier or customer.

BUSINESS MEETINGS

Entertainment and services offered by a supplier or customer may be accepted by an employee when they are associated with a business meeting and the supplier or customer provides them to others as a normal part of its business. Examples of such entertainment and services are transportation to and from the supplier’s or customer’s place of business, hospitality suites, golf outings, lodging at the supplier’s or customer’s place of business, and business lunches and dinners for business visitors to the supplier’s or customer’s location. The services should generally be of the type normally used by the company’s employees and allowable under the applicable company’s expense account.

Outside Employment

Employees must not be employed outside the company:
• In any business that competes with or provides services to the company or its subsidiaries, and/or
• In a manner which would affect their objectivity in carrying out their company responsibilities, and/or
• Where the outside employment would conflict with scheduled hours, including overtime, or the performance of the company assignments.

Employees must not use company time, materials, information or other assets in connection with outside employment.

Relationships with Suppliers and Customers

Business transactions must be entered into solely for the best interests of the company. No employee can, directly or indirectly, benefit from his position as an employee or from any sale, purchase or other activity of the company. Employees should avoid situations involving a conflict or the appearance of conflict between duty to the company and self-interest.

No employee who deals with individuals or organizations doing or seeking to do business with the company, or who makes recommendations with respect to such dealings, should:
• Serve as an officer, director, employee or consultant; or
• Own a substantial interest in any competitor of the company, or any organization doing or seeking to do business with the company. Substantial interest means an economic interest that might influence or reasonably be thought to influence judgment or action, but shall not include an investment representing less than 1% of a class of outstanding securities of a publicly held corporation. Every employee must complete the Conflict of Interest Questionnaire included with this book.

In addition, no employee who deals with individuals or organizations doing or seeking to do business with the company, or who makes recommendations with respect to such dealings, might:
• Have any other direct or indirect personal interest in any business transactions with the company (other than customary employee purchases of company products and services as consumers and transactions where the interest arises solely by reason of the employee relationship or that of a holder of securities);
• Provide telecommunications or information service or equipment, either directly or as a reseller, in a manner that would place the objectivity or integrity of the company in question.

Our policy is that employees will not do business on behalf of the company with a close personal friend or relative; however, recognizing that these transactions do occur, they must be reported on the Conflict of Interest Questionnaire.


This policy is applicable equally to the members of the immediate family of each employee, which normally includes your spouse, children and their spouses, and the father, mother, sisters and brothers of yourself and your household.

Employment of Relatives

Relatives of employees will not be employed on a permanent or temporary basis by the company where the relative directly reports to the employee or the employee exercises any direct influence with respect to the relative’s hiring, placement, promotions, evaluations or pay.

Confidential Information and Privacy of Communications

Confidential Information

Confidential information includes all information, whether technical, business, financial or otherwise, concerning the company which the company treats as confidential or secret and/or which is not available or is not made available publicly. It also includes any private information of, or relating to, customer records, fellow employees, other persons or other companies, and national security information obtained by virtue of the employee’s position.

Company policy and various laws protect the integrity of the company’s confidential information, which must not be divulged except in strict accordance with established company policies and procedures. The obligation not to divulge confidential company information is in effect even though material might not be specifically identified as confidential, and the obligation exists during and continues after employment with the company.

A few examples of prohibited conduct are:
• Selling or otherwise using, divulging or transmitting confidential company information;
• Using confidential company information to knowingly convert a company business opportunity for personal use;
• Using confidential company information to acquire real estate which the employee knows is of interest to the company;
• Using, divulging or transmitting confidential company information in the course of outside employment or other relationship or any succeeding employment or other relationship at any time; and
• Trading in the company stocks, or the stocks of any company, based on information which has not been disclosed to the public, or divulging such information to others so that they might trade in such stock. Insider trading is prohibited by company policy and federal and state law.

Employees shall not seek out, accept or use any confidential company information of or from a competitor of the company. In particular, should we hire an employee who previously worked for a competitor, we must neither accept nor solicit confidential information concerning that competitor from our employee.

Classified National Security Information

Only employees with proper government clearance and a need to know have access to classified national security information. Government regulations outlined in company instructions for safeguarding must be followed. Disclosing such information without authorization, even after leaving employment, is a violation of law and of this code.

Adverse information about employees having government clearance must be reported to the Security or Law Departments’ representatives having responsibility for clearances.

Company Assets

Cash and Bank Accounts

All cash and bank account transactions must be handled so as to avoid any question or suspicion of impropriety. All cash transactions must be recorded in the company’s books of account.

All accounts of company funds, except authorized imprest funds, shall be established and maintained in the name of the company or one of its subsidiaries and might be opened or closed only on the authority of the company’s Board of Directors. Imprest funds must be maintained in the name of the custodian, and the custodian is wholly responsible for these funds. All cash received shall be promptly recorded and deposited in a company or subsidiary bank account. No funds shall be maintained in the form of cash, except authorized petty cash, and no company shall maintain an anonymous (numbered) account at any bank. Payments into numbered bank accounts by the company might leave that company open to suspicion of participation in a possibly improper transaction. Therefore, no disbursements of any nature might be made into numbered bank accounts or other accounts not clearly identified to the company as to their ownership.

No payments can be made in cash (currency) other than regular, approved cash payrolls and normal disbursements from petty cash supported by signed receipts or other appropriate documentation. Further, corporate checks shall not be written to “cash,” “bearer” or similar designations.

Company Assets and Transactions

Compliance with prescribed accounting procedures is required at all times. Employees having control over company assets and transactions are expected to handle them with the strictest integrity and ensure that all transactions are executed in accordance with management’s authorization. All transactions shall be accurately and fairly recorded in reasonable detail in the company’s accounting records.

Employees are personally accountable for company funds over which they have control. Employees who spend company funds should ensure the company receives good value in return and must maintain accurate records of such expenditures. Employees who approve or certify the correctness of a bill or voucher should know that the purchase and amount are proper and correct. Obtaining or creating “false” invoices or other misleading documentation, or the invention or use of fictitious sales, purchases, services, loans, entities or other financial arrangements, is prohibited.

Employees must pay for personal telephone calls and use, except to the extent that specifically defined benefit programs or allowances otherwise provide.


Criminology: Fraud Prevention Programs

Expense Reimbursement
Expenses actually incurred by an employee in performing company business must be documented on expense reports in accordance with company procedures. In preparing expense reports, employees should review these procedures for the documentation required in order to be reimbursed for business expenses.

Company Credit Card
Company credit cards are provided to employees for convenience in conducting company business. No personal expenses can be charged on company credit cards except as specifically authorized by company procedures. Any charged personal expenses must be paid promptly by the employee. Company credit cards should not be used to avoid preparing documentation for direct payment to vendors. Where allowed by local law, charges on company credit cards for which a properly approved expense report has not been received at the time of an employee’s termination of employment might be deducted from the employee’s last paycheck. The company will pursue repayment by the employee of any amounts it has to pay on the employee’s behalf.

Software and Computers
Computerized information and computer software appear intangible, but they are valuable assets of the company and must be protected from misuse, theft, fraud, loss and unauthorized use or disposal, just as any other company property.

Use of mainframe computers must be customer service or job related. Employees cannot access company records of any kind for their personal use. Misappropriation of computer space, time or software includes, but is not limited to, using a computer to create or run unauthorized jobs, operating a computer in an unauthorized mode or intentionally causing any kind of operational failure.

Personal computers can be used for company-sanctioned education programs as well as personal use incidental to company business use with the permission
of your supervisor. However, personal use cannot be allowed for personal financial gain.

It is also understood that personal computers will occasionally be used at home with the permission of your supervisor.

Political Contributions
Federal law and many state laws prohibit contributions by corporations to political parties or candidates. The term “political contributions” includes, in addition to direct cash contributions, the donation of property or services, and the purchase of tickets to fundraising events. Employees can make direct contributions of their own money, but such contributions are not reimbursable. In addition, employees can make contributions to a company-sponsored Political Action Committee.

Where corporate political contributions are legal in connection with state, local or foreign elections, such contributions shall be made only from funds allocated for that purpose, and with the written approval of the president of the company making the contribution. The amounts of contributions made shall be subject to inter-company allocation.

It is improper for an employee to use his position within the company to solicit political contributions from another employee for the purpose of supporting a political candidate or influencing legislation. It is also improper for an employee to make a political contribution in the name of the company.

Employee Conduct

Conduct on Company Business
Dishonest or illegal activities on company premises or while on company business will not be condoned and can result in disciplinary action, including dismissal and criminal prosecution. The following illustrates activities that are against company policy, and which will not be tolerated on company premises, in company vehicles or while engaged in company business:
• Consumption and storage of alcoholic beverages, except where legally licensed or authorized by an officer of the company.
• The use of controlled substances, such as drugs or alcohol. The unlawful manufacture, distribution, dispensation, possession, transfer, sale, purchase or use of a controlled substance.
• Driving vehicles or operating company equipment while under the influence of alcohol or controlled substances.
• Illegal betting or gambling.
• Carrying weapons of any sort on company premises, in company vehicles or while on company business. Even employees with permits or licenses cannot carry weapons on company property or while on company business.

The company reserves the right to inspect any property that might be used by employees for the storage of their personal effects. This includes desks, lockers and vehicles owned by the company. It is a violation of company policy to store any contraband, illegal drugs, toxic materials or weapons on company property.

Reporting Violations
All employees are responsible for compliance with these rules, standards and principles. In the area of ethics, legality and propriety, each employee has an obligation to the company that transcends normal reporting relationships. Employees should be alert to possible violations of the code anywhere in the company and are encouraged to report such violations promptly. Reports should be made to the employee’s supervisor, the appropriate security, audit, or legal department personnel, or elsewhere as the circumstances dictate. Employees will also be expected to cooperate in an investigation of violations. In addition, any employee who is convicted of a felony, whether related to these rules or not, should also report that fact.

All cases of questionable activity involving the code or other potentially improper actions will be reviewed for appropriate action, discipline, or corrective steps. Whenever possible, the company will keep confidential the identity of employees about or against whom allegations of violations are brought, unless or until it has been determined that a violation has occurred. Similarly, whenever possible, the company will keep confidential the identity of anyone reporting a possible violation. Reprisal against any employee who has, in good faith, reported a violation or suspected violation is strictly prohibited.

All employees are required to notify the company within five (5) days of any conviction of any criminal statute violation occurring on the job. In addition, any employee who is convicted of a felony, whether related to these rules or not, should report that fact.

Discipline
Violation of this code can result in serious consequences for the company, its image, credibility and the confidence of its customers, and can include substantial fines and restrictions on future operations as well as the possibility of fines and prison sentences for individual employees. Therefore, it is necessary that the company ensure that there will be no violations. Employees should recognize that it is in their best interest, as well as the company’s, to follow this code carefully.

The amount of any money involved in a violation might be immaterial in assessing the seriousness of a violation since, in some cases, heavy penalties might be assessed against the company for a violation involving a relatively small amount of money, or no money.

Disciplinary action should be coordinated with the appropriate Human Resources representatives. The overall seriousness of the matter will be considered in setting the disciplinary action to be taken against an individual employee. Such action, which might be reviewed with the appropriate Human Resources organization, might include:
• Reprimand
• Probation
• Suspension
• Reduction in salary
• Demotion
• Combination of the above
• Dismissal

In addition, individual cases might involve:
• Reimbursement of losses or damages
• Referral for criminal prosecution or civil action
• Combination of the above

Disciplinary action might also be taken against supervisors or executives who condone, permit or have knowledge of illegal or unethical conduct by those reporting to them and do not take corrective action. Disciplinary action might also be taken against employees who make false statements in connection with investigations of violations of this code.

The company in its sole discretion will determine the disciplinary action appropriate to a given matter. The listing of possible actions is informative only and does not bind the company to follow any particular disciplinary steps, process or procedure.

The company’s rules and regulations regarding proper employee conduct will not be waived in any respect. Violation is cause for disciplinary action including dismissal. All employees will be held to the standards of conduct described in this booklet.

The company never has and never will authorize any employee to commit an act that violates this code or to direct a subordinate to do so. With that understood, it is not possible to justify commission of such an act by saying that someone in higher management directed it.

Compliance Letter and Conflict of Interest Questionnaire
Annually, all officers of the company will represent in writing that there are no violations of this code known to the officer, after the exercise of reasonable diligence, or, if such violations have been committed, will disclose such violations in a format to be specified.

Annually, each employee will review the Code of Business Ethics and Conduct, sign the code’s Acknowledgment form and complete and sign the Conflict of Interest Questionnaire. If the employee’s circumstances change at any time, a new Conflict of Interest Questionnaire or letter of explanation must be completed.

The Code of Business Ethics and Conduct Acknowledgment form should be signed and given to your supervisor for inclusion in your personnel file.

COMPANY NAME, INC.
Code of Conduct Compliance Questionnaire

Managerial employees are being asked to complete this Compliance Questionnaire. COMPANY NAME, Inc. and its subsidiaries are committed to providing a workplace where employees can and do act responsibly and ethically. The COMPANY NAME, Inc. Code of Conduct sets out specific standards of conduct which should govern our behavior towards our fellow employees, suppliers and customers. Please answer each of the following questions and, if necessary, provide an explanation. For any “yes” response, please explain in the extra space provided on the last page.

Conflict of Interest

1. During fiscal 2003, did you, or are you aware of anyone who received from any person or company doing business with your employer any loan, gift, trip, gratuity, or other payment which did or could cause prejudice toward or obligation to the giver, or could be perceived by others as creating an obligation to the giver? (Note: Each item, or the total of items from a single vendor, with a value of more than $50.00 must be reported, except that you do not need to report loans made by financial institutions on normal and customary terms, common stock dividends, or insurance policy payments.)
Yes / No

2. In fiscal 2003, did you, or are you aware of anyone who participated in or influenced any transaction between your employer and another entity in which they or any member of their family had a direct or indirect financial interest?
Yes / No

3. In fiscal 2003, did you, or are you aware of anyone who had a material financial interest in or held a position of influence with any business which furnishes goods or services to your employer? (Note: The term “material financial interest” means someone who by virtue of their stock ownership or monetary interest in a company is able to direct or to influence business decisions, or a commissioned sales representative; “position of
influence” means someone holding an influential position such as a sole proprietor, partner, member of a board of directors, an executive, or a manager.)
Yes / No

4. For fiscal 2003, did you, or are you aware of anyone who used company assets or other resources (including funds, equipment, supplies, or personnel) for purposes other than company business or company-sponsored activities?
Yes / No

5. During fiscal 2003, did you, or are you aware of anyone who received gifts or entertainment from individuals or organizations having dealings with the Company, including but not necessarily limited to loans, any form of cash gratuities, private or personal discounts not sanctioned by the Company, or remuneration or service related to illegal activities?
Yes / No

6. During fiscal 2003, did you, or are you aware of anyone who accepted any consideration or special favors from suppliers or potential suppliers which in fact or appearance could be deemed a bribe, kickback or reward given to influence your business judgment?
Yes / No

7. Were you involved, or are you aware of any employee who was involved, in a conflict of interest situation during fiscal year 2003?
Yes / No

8. I have read the attached Conflict of Interest Policy Statement which is set forth in the COMPANY NAME Inc. [and Subsidiaries] Code of Conduct and Compliance Program. Accordingly, I have listed below all relationships and outside activities which require disclosure under the policy. I have also listed names, addresses and the nature of the relationships of all persons or entities doing business with my employer from whom I or any member of my immediate family has received, directly or indirectly, cash or a gift of more than nominal value ($50.00) during the
fiscal year ended May 31, 2003. (If there are no persons or entities to be listed, so indicate by writing “NONE” in the first space provided below.)

Name of Person / Entity        Nature of Relationship / Outside Activity

Political

9. In fiscal 2003, did you, or are you aware of anyone who received any payments from your employer for the purpose of making a contribution to any political party, candidate, or election committee?
Yes / No

Securities Trading

10. Did you, or are you aware of anyone who may have bought and/or sold stock based on confidential information, or communicated confidential information to influence COMPANY NAME, Inc. stock transactions?
Yes / No

Financial Integrity

11. Are you aware of any entries made in the books and records of your employer in fiscal 2003 that you believe are false or intentionally misleading?
Yes / No

12. Are you aware of any assets, liabilities, or transactions that you believe were improperly omitted from the books of your company in fiscal 2003?
Yes / No

13. In fiscal 2003, are you aware of anyone seeking to influence any governmental official (including foreign officials) or governmental employee, or individual doing business with your company, by offering money, goods, or services in return for some special consideration?
Yes / No

Other

14. Are you aware of any incident involving your employer which you feel constituted non-compliance with laws, regulations, policies, guidelines, procedures, or ethical principles, other than those matters referred to in other questions or incidents which have already been reported? (Note: If you prefer to report an incident or violation anonymously, please answer this question “NO” and contact a member of the Ethics Committee or call the Confidential Ethics Hotline.)
Yes / No

15. Please provide any explanations for “yes” responses.

16. In the space below, please provide any suggestions you may have for improving the Code of Conduct and Compliance Program.

____________________________________________
Printed Name

____________________________________________
Signature

____________________________________________
Date

COMPANY NAME, INC. AND SUBSIDIARIES
Employee        Company / Subsidiary        Location

Code of Conduct and Conflict of Interest Employee Certification

I have read the COMPANY NAME, Inc. and Subsidiaries Code of Conduct and Compliance Program.
• I understand that the standards and policies in that Code of Conduct represent the policies of COMPANY NAME, Inc. and its subsidiaries and that violating those standards and policies, or any legal and regulatory requirements applicable to my job, may result in penalties set forth in the Code of Conduct or other appropriate sanction.
• I understand that there are several sources within the company, including the Ethics Committee, that I can consult if I have questions concerning the meaning or application of the Code of Conduct or relevant legal and regulatory requirements.
• I understand that it is my responsibility to disclose to an Ethics Officer, a member of the COMPANY NAME, Inc. Operations Audit Department, a member of the Ethics Committee or the Company’s Ethics Hotline any situation that might reasonably appear to be a violation of the Code of Conduct.
• I have read the attached Conflict of Interest Policy Statement which is set forth in the COMPANY NAME, Inc. and Subsidiaries Code of Conduct and Compliance Program. Accordingly, I have listed below all relationships and outside activities which require disclosure under the policy. I have also listed names, addresses and the nature of the relationships of all persons or entities doing business with my employer from whom I or any member of my immediate family has received, directly or indirectly, cash or a gift of
more than nominal value ($50.00) during the fiscal year ended May 31, 2003. (If there are no persons or entities to be listed, so indicate by writing “NONE” in the first space provided below.)

Name of Person / Entity        Address        Nature of Business / Relationship

• I am not aware of any exceptions to standards and policies in the Code of Conduct except: (if none, so indicate by writing “NONE”.)

_______________________________________________________________________
Signature of Employee        Date

Sample Fraud Policy
Association of Certified Fraud Examiners

BACKGROUND
The corporate fraud policy is established to facilitate the development of controls that will aid in the detection and prevention of fraud against ABC Corporation. It is the intent of ABC Corporation to promote consistent organizational behavior by providing guidelines and assigning responsibility for the development of controls and conduct of investigations.

SCOPE OF POLICY
This policy applies to any irregularity, or suspected irregularity, involving employees as well as shareholders, consultants, vendors, contractors, outside agencies doing business with employees of such agencies, and/or any other parties with a business relationship with ABC Corporation (also called the Company).

Any investigative activity required will be conducted without regard to the suspected wrongdoer’s length of service, position/title, or relationship to the Company.

POLICY
Management is responsible for the detection and prevention of fraud, misappropriations, and other irregularities. Fraud is defined as the intentional, false representation or concealment of a material fact for the purpose of inducing another to act upon it to his or her injury. Each member of the management team will be familiar with the types of improprieties that might occur within his or her area of responsibility, and be alert for any indication of irregularity.

Any irregularity that is detected or suspected must be reported immediately to the Director of _____________, who coordinates all investigations with the Legal Department and other affected areas, both internal and external.

Page 1

ACTIONS CONSTITUTING FRAUD
The terms defalcation, misappropriation, and other fiscal irregularities refer to, but are not limited to:
• Any dishonest or fraudulent act
• Misappropriation of funds, securities, supplies, or other assets
• Impropriety in the handling or reporting of money or financial transactions
• Profiteering as a result of insider knowledge of company activities
• Disclosing confidential and proprietary information to outside parties
• Disclosing to other persons securities activities engaged in or contemplated by the company
• Accepting or seeking anything of material value from contractors, vendors, or persons providing services/materials to the Company. Exception: Gifts less than $50 in value.
• Destruction, removal, or inappropriate use of records, furniture, fixtures, and equipment; and/or
• Any similar or related irregularity

OTHER IRREGULARITIES
Irregularities concerning an employee’s moral, ethical, or behavioral conduct should be resolved by departmental management and the Employee Relations Unit of Human Resources rather than the _________________ Unit.

If there is any question as to whether an action constitutes fraud, contact the Director of ______________ for guidance.

INVESTIGATION RESPONSIBILITIES
The ____________ Unit has the primary responsibility for the investigation of all suspected fraudulent acts as defined in the policy. If the investigation substantiates that fraudulent activities have occurred, the ______________ Unit will issue reports to appropriate designated personnel and, if appropriate, to the Board of Directors through the Audit Committee.

Decisions to prosecute or refer the examination results to the appropriate law enforcement and/or regulatory agencies for independent investigation will be made in conjunction with legal counsel and senior management, as will final decisions on disposition of the case.

CONFIDENTIALITY
The ______________ Unit treats all information received confidentially. Any employee who suspects dishonest or fraudulent activity will notify the _____________ Unit immediately, and should not attempt to personally conduct investigations or interviews/interrogations related to any suspected fraudulent act (see REPORTING PROCEDURES section below).

Investigation results will not be disclosed or discussed with anyone other than those who have a legitimate need to know. This is important in order to avoid damaging the reputations of persons suspected but subsequently found innocent of wrongful conduct and to protect the Company from potential civil liability.

AUTHORIZATION FOR INVESTIGATING SUSPECTED FRAUD
Members of the Investigation Unit will have:
• Free and unrestricted access to all Company records and premises, whether owned or rented; and
• The authority to examine, copy, and/or remove all or any portion of the contents of files, desks, cabinets, and other storage facilities on the premises without prior knowledge or consent of any individual who might use or have custody of any such items or facilities when it is within the scope of their investigation.

REPORTING PROCEDURES
Great care must be taken in the investigation of suspected improprieties or irregularities so as to avoid mistaken accusations or alerting suspected individuals that an investigation is under way.

An employee who discovers or suspects fraudulent activity will contact the _____________ Unit immediately. The employee or other complainant may remain anonymous. All inquiries concerning the activity under investigation from the suspected individual, his or her attorney or representative, or any other inquirer should be directed to the Investigations Unit or the Legal Department. No information concerning the status of an investigation will be given out. The proper response to any inquiries is: “I am not at liberty to discuss this matter.” Under no circumstances should any reference be made to “the allegation,” “the crime,” “the fraud,” “the forgery,” “the misappropriation,” or any other specific reference.

The reporting individual should be informed of the following:
• Do not contact the suspected individual in an effort to determine facts or demand restitution.
• Do not discuss the case, facts, suspicions, or allegations with anyone unless specifically asked to do so by the Legal Department or ____________ Unit.

TERMINATION
If an investigation results in a recommendation to terminate an individual, the recommendation will be reviewed for approval by the designated representatives from Human Resources and the Legal Department and, if necessary, by outside counsel, before any such action is taken. The ___________ Unit does not have the authority to terminate an employee. The decision to terminate an employee is made by the employee’s management. Should the _____________ Unit believe the management decision inappropriate for the facts presented, the facts will be presented to executive level management for a decision.

ADMINISTRATION
The Director of ___________ is responsible for the administration, revision, interpretation, and application of this policy. The policy will be reviewed annually and revised as needed.

APPROVAL
________________________________
(CEO/Senior Vice President/Executive)

_______________
Date

Fraud Policy Decision Matrix

Columns, in order: Investigation Unit; Internal Audit; Finance/Accounting; Executive Mgmt; Line Mgmt; Risk Mgmt; Legal; Public Relations; Employee Relations.

Key: P = Primary Responsibility; S = Secondary Responsibility; SR = Shared Responsibility.

Each row lists the marked cells in column order. The extracted text did not preserve blank cells, so for rows with fewer than nine marks the column of each mark is not recoverable here; rows 1, 2 and 6 are fully populated and map one-to-one onto the nine columns above.

1. Controls to Prevent Fraud: S, S, S, SR, SR, S, S, S, S
2. Incident Reporting: P, S, S, S, S, S, S, S, S
3. Investigation of Fraud: P, S, S, S
4. Referrals to Law Enforcement: P, S
5. Recovery of Monies due to Fraud: P
6. Recommendations to Prevent Fraud: SR, SR, S, S, S, S, S, S, S
7. Internal Control Reviews: P
8. Handle Cases of a Sensitive Nature: P, S, S, S, S, S
9. Publicity/Press Releases: S, S, P
10. Civil Litigation: S, S, P
11. Corrective Action/Recommendations to Prevent Recurrences: SR, SR, S, SR, S, S
12. Monitor Recoveries: S, P
13. Pro-active Fraud Auditing: S, P
14. Fraud Education/Training: P, S, S, S
15. Risk Analysis of Areas of Vulnerability: S, S, P
16. Case Analysis: P, S
17. Hotline: P, S
18. EthicsLine: S, S, P

Fraud’s Worst Enemy
http://www.fraud-magazine.com/article.aspx?id=4294969523
Page 1 of 3
5/14/2013

Fraud’s Worst Enemy
A Strong Code of Ethics
ROBERT TIE
June 2011

“How do you define honesty?” asks Steve Clark, J.D., CFE, an ACFE faculty member and visiting professor of law at St. Thomas University School of Law in Miami, Florida. Formerly the attorney general of Arkansas, Clark has decades of experience as a fraud investigator and prosecutor.

Over the years, he’s posed the question to many students and colleagues. Most, he reports, base their definition on some absolute concept. But Clark says our beliefs are not always clear cut and consistent, especially when we face new or ambiguous circumstances.

“We derive our sense of honesty from each other,” he said. “So guess what happens in the workplace when management doesn’t clearly define, prohibit and follow through on dishonest business practices? Not surprisingly, an untrained, uninformed employee in an ethical dilemma will look to the person across the aisle or in the next office and ask what to do. When a colleague offers bad advice, people often take it. That’s a problem when any employee does so. But if management breaks the rules, the consequences can be catastrophic.”

FALSE TONE AT THE TOP
Clark cites a current corporate fraud scandal in his home state of Arkansas, involving Affiliated Foods Southwest, Inc. (AFS), a privately held wholesale grocery distributor that declared bankruptcy in 2009.

In 2010, John Mills, AFS’s former president, CEO and board chairman, pleaded guilty to a bank fraud in which he and the company’s CFO, Alexander Martinez, used nearly $475 million in worthless checks to bolster AFS’s shrinking cash flow. More than 500 AFS employees lost their jobs when the once strong food cooperative, which had offered bulk purchasing power to hundreds of independent grocers in six states, closed its doors. Mills was sentenced to a three-year prison term and ordered to pay more than $3 million in restitution. Some — including laid-off AFS staff — think he got off easy.

Martinez is now on trial. Unlike Mills, whose guilty plea sped his sentencing, Martinez claims he is innocent.

In early 2009, the U.S. Attorney for the Eastern District of Arkansas, acting on findings from an audit of AFS by its creditor, U.S. Bank, filed an information against Mills and Martinez. It charged them with devising an elaborate check-kiting scheme involving two AFS subsidiaries.

Prosecutors said the fraud violated Title 18, United States Code, Section 1344, Bank Fraud, and Section 2, Principals. The bank fraud statute reaches this case because U.S. Bank is a nationally chartered financial institution; Section 2 provides that anyone who commits, aids, abets or causes an offense against the U.S. is punishable as a principal, rather than as an accomplice.

“The tragic, but valuable lesson of this case is that these two executives instructed staff accountants to
perform fraudulent transactions that facilitated and concealed the scheme,” Clark said. “Mills and Martinez provided the worst example possible for those looking to them for ethical leadership.”

At his plea hearing, Mills explained how the check-kiting scheme worked. Each business day, an AFS accountant would calculate the company’s cash-flow shortfall by subtracting the company’s anticipated clearing items from its expected deposit items. AFS’s accountant then would “order” from two AFS subsidiaries checks drawn on their virtually empty accounts and payable to AFS, which then deposited the checks. After they cleared, AFS paid down its tab at U.S. Bank, and used its refreshed credit to supply the subsidiaries with funds to cover the checks they had provided to AFS. The scheme depended on the float between deposit and clearing: each day’s shortfall was covered by new checks that had no funds behind them until the bank had already extended fresh credit.

“The AFS board was asleep at the wheel,” Clark said. “They didn’t notice that the positive cash flow was phony, and no one who might have known felt empowered to tell them. If the tone at the top had been different, there would have been effective ethics policies, procedures and a reporting mechanism. Someone might have spoken up. But ethics and due diligence weren’t priorities for AFS, and the fraudsters took advantage.”

THE RIGHT WAY TO DO IT
Living only 20 miles south of Walmart headquarters in Bentonville, Ark., Clark is well-versed in the retail giant’s business culture.

“Purchasers for Walmart are like investigative journalists,” he said. “They won’t let you give them anything, not even a cup of coffee. So, when a vendor says, ‘Hey, I’ve done $3 million worth of business with you. Here’s an opportunity that could give us a little something on the side,’ they throw him out. Why is that outcome so certain? Because Walmart leadership has communicated it, reiterated it and enforced it. There’s no doubt in employees’ minds about what’s wrong, what the penalties are and whether management will back them up if they report a breach. It’s the right way — the smart way — to run a business.”

In addition to recommending that CFEs compare their employer’s and clients’ codes of ethics with Walmart’s, Clark cites three best practices of companies that know how to make ethical profits and fend off fraudsters:

1. Design and enforce a comprehensive fraud prevention policy and code of ethics. Ensure that every employee attends refresher training annually to stay abreast of new risks in a constantly changing business environment. Establish and publicize confidential reporting mechanisms.

2. Obtain unequivocal, ongoing C-suite and middle management support for the anti-fraud regime and ethics program.

3. When abuse or neglect is certain, fully enforce the ethics code and anti-fraud policies and procedures, regardless of the offender’s rank. Likewise, investigate allegations promptly and thoroughly, following up with enforcement when suspicions prove true. Bear in mind that the significance of minor offenses may be more symbolic than substantive. In such cases, when termination is inappropriate, alternatives such as temporary demotion or closer supervision can demonstrate management’s commitment to enforcement without depriving the organization of an otherwise valuable employee.

LEGAL AVENUES
Clark said state or federal prosecutors primarily want to know whether you can document any loss your client or employer alleges. Time- and resource-strapped state prosecutors will not be interested unless damages have reached at least six figures, and many U.S. attorneys do not have enough time to work on cases involving less than $1 million in damages, he said.

Also, prosecutors infrequently try fraud cases, Clark said. “So you, the CFE, have to explain your investigative strategy and demonstrate its thoroughness,” he said. “I therefore strongly recommend that you develop a relationship with a CPA or auditor to deal with financial issues. And have a lawyer you can call in when necessary.”

Clark said working with a lawyer will protect communications with your client under the confidentiality of the attorney-client privilege. An attorney also will ensure you don’t violate a suspect’s legal rights, obtain inadmissible evidence or violate the provisions of any contract between your client and an employee you’re investigating, he said.

Establish a relationship with your employer’s or client’s human resources department, he adds, so you’ll have access to employee records, which can be invaluable in an investigation.

Finally, Clark recommended presenting evidence to prosecutors concisely.

“Keep it simple,” he said. “A picture is worth a thousand words, but a thousand pictures are worth nothing.”

Robert Tie is a New York business writer.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to: FraudMagazine@ACFE.com.

Fraud’s Worst Enemy
http://www.fraud-magazine.com/article.aspx?id=4294969523 (retrieved 5/14/2013)

Reviews

By Birzeit Consulting ME

Tone will always be at the top. It is unfortunate that developing countries are still far behind in appreciating the significance of ethics on fraud and corruption. Catastrophically, the public sector worldwide did not invest properly and sufficiently in this regard. The ethics issue is complex. Yet, one cannot ignore its importance anywhere in the world. I do think that we need more research to be done to fight fraud globally.

©2013 Association of Certified Fraud Examiners
Association of Certified Fraud Examiners Global Headquarters
716 West Ave | Austin, TX 78701-2727 | USA | FraudMagazine@ACFE.com


ACFE Insights
http://www.acfeinsights.com/acfe-insights/2012/8/10/the-most-effective-controls-in-limiting-fr... (retrieved 5/15/2013)

The Most Effective Controls in Limiting Fraud Losses

Friday, August 10, 2012 at 09:26AM
Mandy Moody in CFE Credential, Compliance & Ethics, Corporate Governance, Fraud Resources, acfe, fraud, global fraud survey, report to the nations

GUEST BLOGGER
John Warren, J.D., CFE
ACFE Vice President and General Counsel

One of the most important things we try to accomplish with our global fraud study, the Report to the Nations, is to identify key characteristics about organizations that have been victimized by occupational fraud. Although every business is vulnerable to fraud, the more we can learn about organizations that suffered frauds in the past, the more information we will have to prevent occupational fraud or at least limit its impact in the future.

Perhaps the most important victim data contained in the Report to the Nations is the information we gather on anti-fraud controls. We ask each of our respondents to tell us which, if any, of 16 common anti-fraud measures were utilized by the victim organizations while the frauds were occurring. We then compare the losses based on whether a particular control was or was not present. For example, in 2012 we found organizations that used a hotline experienced a median loss of $100,000 per occupational fraud case, while organizations that did not use a hotline had a median loss of $180,000. This analysis gives us a general indication of the impact various anti-fraud controls have in limiting fraud losses. We can say, for instance, that the presence of a hotline was associated with a 44.4 percent lower median fraud loss.

In the table below, we’ve presented the results of this analysis for each edition of the Report to the Nations dating back to 2008. For each anti-fraud measure, you can see the reduction in fraud losses it was associated with, along with its ranking relative to other controls.[1] One interesting thing to note is that every one of these controls was associated with lower fraud losses in all three editions of the Report.


The key information in this table is contained in the yellow shaded columns at the right, where we have combined the results from all three editions of the Report. This data comprises more than 4,100 total cases of occupational fraud. The two bold columns show the average loss reduction and overall ranking of each control for the three combined studies. We see here that hotlines have ranked No. 1 among all anti-fraud measures in this analysis, typically being associated with a 54.5 percent reduction in fraud losses. Hotlines were followed by employee support programs, surprise audits, fraud training for managers and executives, job rotation/mandatory vacation, and fraud training for employees. Every one of those six anti-fraud controls was associated with at least a 45 percent reduction in fraud losses, and all six controls ranked in the top 8, respectively, in each edition of the Report.

In the two far-right columns of the table above, we have presented the average rate of implementation for each control. In other words, this shows what percentage of victim organizations were utilizing each control at the time the frauds occurred. We can clearly see that the six most effective anti-fraud measures all scored poorly in terms of implementation. With one exception, these controls all ranked 9th or lower in terms of implementation rate, and only two of them were used by more than half of the organizations in our studies.

What this data seems to indicate is that the anti-fraud measures which tend to have the greatest impact on fraud losses are being under-utilized. Every control in the table above is important, and they all have an impact not only in limiting fraud losses but also in preventing them. But the six highest-ranking anti-fraud controls, according to our study, are utilized by an unacceptably low number of companies and agencies.

Every organization is, at some point, vulnerable to occupational fraud. Ideally we would prevent all such frauds from ever occurring, but sooner or later a fraud will occur, and when it does, the best thing we can do is catch it as quickly as possible and limit the financial impact of the crime. We hope organizations that are serious about reducing their exposure to occupational fraud will consider this data, and that in future studies we will see the implementation rates for hotlines, support programs, surprise audits, fraud training and job rotation increase substantially.

[1] “Formal Fraud Risk Assessments” was not a category prior to the 2012 Report.

Article originally appeared on ACFE Insights (http://www.acfeinsights.com/).


See website for complete article licensing information.
