12.07.2015 Views

acfe fraud prevention check-up - BKD


• Implementing adequate internal controls — including documenting fraud risk management policies and procedures and evaluating their effectiveness — aligned with the organization’s fraud risk assessment. To conduct a reasonable evaluation, it is necessary to compile information from various areas of the organization as part of the fraud risk management program.
• Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.

Whenever the external auditor has determined that there is evidence that fraud may exist, the external auditor’s professional standards require that the matter should be brought to the attention of an appropriate level of management in a timely manner. If the external auditor suspects fraud involving management, the external auditor must report these suspicions to those charged with governance (e.g., the audit committee).

In many organizations, one executive-level member of management is appointed to be responsible for fraud risk management and to report to the board periodically. This executive, a chief ethics officer for instance, is responsible for entity-level controls that establish the tone at the top and corporate culture. These expectations are often documented in the organization’s values or principles, code of conduct, and related policies; demonstrated through executive communications and behaviors; and included in training programs. The person appointed should be familiar with the organization’s fraud risks and process-level controls, and is often responsible for the design and implementation of the processes used to ensure compliance, reporting, and investigation of alleged violations.

Staff

Strong controls against fraud are the responsibility of everyone in the organization. The importance of internal controls in fraud risk management is not a new concept. In 1992, after more than three years of collaboration between corporate leaders, legislators, regulators, auditors, academics, and many others, COSO presented a common definition of internal controls and provided a framework against which organizations could assess and improve their internal control systems. COSO identified five components in its landmark Internal Control–Integrated Framework — control environment, risk assessment, control activities, information and communication, and monitoring — that may serve as the premise for the design of controls. The elements are deeply intertwined and overlapping in their nature, providing a natural interactive process to promote the type of environment in which fraud simply will not be tolerated at any level.¹⁷

All levels of staff, including management, should:

• Have a basic understanding of fraud and be aware of the red flags.
• Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.
• Read and understand policies and procedures (e.g. the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as procurement manuals.

¹⁷ Appendix I suggests control activities aligned with each COSO component.
