acfe fraud prevention check-up - BKD

ecently been hired in the purchasing department is responsible for all purchases in Division A. His brother has alocal hardware store that supplies product to Division A. The buyer discloses the potential conflict of interest andis told that transactions with the hardware store are permitted, as long as the department supervisor monitors amonthly report of all activity with the hardware store to ensure the activity and price levels are reasonable andcompetitive. When the buyer is promoted or transferred, the constraints may be removed or altered.Other disclosure processes may also exist, such as insider trading disclosures. Those processes that mitigatepotential fraud risk should be linked to the fraud risk management program. Organizations should evaluate thelegal requirements and/or business benefits of disclosing their code of conduct, fraud control policy, or relatedstatements to the public.Fraud Risk Assessment 25The foundations of an effective fraud risk management program are rooted in a risk assessment, overseen by theboard, which identifies where fraud may occur within the organization. A fraud risk assessment should be performedon a systematic and recurring basis, involve appropriate personnel, consider relevant fraud schemes and scenarios,and mapping those fraud schemes and scenarios to mitigating controls. The existence of a fraud risk assessment andthe fact that management is articulating its existence may even deter would-be fraud perpetrators.The system of internal controls in an organization is designed to address inherent business risks. The business risksare identified in the enterprise risk assessment protocol, and the controls associated with each risk are noted.COSO’s Enterprise Risk Management–Integrated Framework describes the essential ERM components, principles, andconcepts for all organizations, regardless of size.Reporting Procedures and Whistleblower ProtectionDocumentation should not only articulate the organization’s zero tolerance 26 for fraud, it should also establish theexpectation that suspected fraud must be reported immediately and provide the means to do so. The channels toreport suspected fraud issues should be clearly defined and communicated. These may be the same or different fromchannels for reporting other code of conduct violations.Considering that people commit fraud and that people are an organization’s best asset in preventing, detecting, anddeterring fraud, an organization should consider promoting available fraud reporting resources that individuals mayaccess, such as a fraud or ethics page on the organization’s Web site, an ombudsman, or a whistleblower hotline.To encourage timely reporting of suspected issues, the organization should communicate the protections affordedto the individual reporting the issue — often referred to as whistleblower protection. In some countries, securitiesregulations require organizations to have whistleblower protection.25For more information on fraud risk assessments, refer to Section 2: Fraud Risk Assessment.26ALARM (The National Forum for Risk Management in the Public Sector (UK)) lists a culture of zero tolerance as one of five essentialgovernance strategies to manage fraud risk. Other strategies include an embedded strategic approach to risk management, a sound counterfraudand corruption framework, strong systems of internal control, and close working relationships with partners regarding fraud riskmanagement activities.18