(whistleblower hotline), process controls, and proactive <strong>fraud</strong> detection procedures specifically designed to identify<strong>fraud</strong>ulent activity.Whistleblower HotlinesThe use of a whistleblower hotline 36 , which has markedly increased among SEC registrants since it was mandated bythe U.S. Sarbanes-Oxley Act of 2002, is one of the more effective measures organizations can implement as part oftheir <strong>fraud</strong> risk assessment program. Various surveys 37 indicate that anonymous tips received through hotlines or byother methods are the most likely means of detecting <strong>fraud</strong>. In addition, knowledge that an employee hotline is inplace can help prevent <strong>fraud</strong> because individuals may fear that a <strong>fraud</strong> will be discovered and reported.Marketing the existence of a hotline to increase awareness, making it easy to use, and promoting the timelyhandling of all reported issues are strong preventive measures that should s<strong>up</strong>plement the detective controlof hotlines. The hotline should be promoted with educational materials provided to shareholders, employees,customers, and vendors, all of whom can provide valuable information from a variety of reliable sources. Hotlinesideally s<strong>up</strong>port a multilingual capability and provide access to a trained interviewer 24 hours a day, 365 days a year.Provision for anonymity to any individual who willingly comes forward to report a suspicion of <strong>fraud</strong> is a keyto encouraging such reporting and should be a component of the organization’s policy. The most effectivewhistleblower hotlines preserve the confidentiality of callers and provide assurance to employees that they will notbe retaliated against for reporting their suspicions of wrongdoing including wrongdoing by their s<strong>up</strong>eriors. Anotherkey is demonstrating that their reporting will result in appropriate and timely action being taken. To preserve theintegrity of the whistleblower process, it must also provide a means of reporting suspected <strong>fraud</strong> that involves seniormanagement, possibly reporting directly to the audit committee.A single case management system should be used to log all calls and their follow-<strong>up</strong> to facilitate management ofthe resolution process, testing by internal auditors, and oversight by the board and/or the audit committee 38 as theboard’s designee. The board should approve protocols to ensure reported <strong>fraud</strong>-related issues are disseminatedtimely to appropriate parties, such as the ethics/compliance team, HR, the board and/or the audit committee, legal,and security. Distributing reports to these parties of occurrences in their respective areas of responsibility ensuresthat no single person or functional area controls this highly sensitive information and increases accountability.Charged with the responsibility for having documented procedures for receiving, retaining, and investigatingcomplaints or tips alleging the possibility of misconduct or possible <strong>fraud</strong>, many audit committees have turned toindependent service providers to operate hotlines and notify the organization of any reported accusations.An effective hotline program should analyze the data received and compare results to norms for similarorganizations. Ongoing analysis allows an organization to reshape its <strong>fraud</strong> risk management program to addressevolving risks. The whistleblower process should be independently evaluated periodically for effectiveness, includingcompliance with established protocols.36Whistleblower hotlines may not be legal or ethical, or may be subject to restrictions in some countries outside the United States. As such,multinational organizations may not be able to implement hotlines on a worldwide basis.37The ACFE Occ<strong>up</strong>ational Fraud and Abuse Survey and the KPMG Fraud Survey are examples.38The United Kingdom (UK) report, “Audit Committees Combined Code Guidance,” by Sir Robert Smith, suggests that audit committees shouldreview whistleblowing arrangements regarding the appropriate and independent investigations and follow-<strong>up</strong> action.35
Process ControlsProcess controls specifically designed to detect <strong>fraud</strong>ulent activity, as well as errors, include reconciliations,independent reviews, physical inspections/counts, analyses, and audits. A lack of, or weakness in, preventive controlsincreases the risk of <strong>fraud</strong> and places a greater burden on detective controls. The more significant the <strong>fraud</strong> risk, themore sensitive to occurrence (e.g., use of thresholds, performance frequency, and population tested) the detectivecontrol should be.The nature of <strong>fraud</strong> risks is such that there should be a systematic identification of the types of <strong>fraud</strong> schemesthat can be perpetrated against or within the organization to identify the process controls needed to reduce andcontrol the risks. Each industry is susceptible to different types of <strong>fraud</strong> schemes. The assessment becomes morecumbersome in organizations that span different industries. Organizations with multiple divisions/business unitswill need to first perform a broad organizationwide assessment and then perform more detailed and focusedassessments of individual business units to identify the necessary process controls to detect <strong>fraud</strong>.Proactive Fraud Detection ProceduresIn addition to detective process controls, organizations may be able to use data analysis, continuous auditingtechniques, and other technology tools effectively to detect <strong>fraud</strong>ulent activity. Data analysis uses technology toidentify anomalies, trends, and risk indicators within large populations of transactions. Users of this technologymay be able to drill down into journal entries looking for suspicious transactions occurring at the end of a period orthose that were made in one period and later reversed in the next period. These tools may also allow users to lookfor journal entries posted to revenue or expense accounts that improve net income to meet analysts’ expectationsor incentive compensation targets. Moreover, data analysis allows users to identify relationships among people,organizations, and events.Proactive consideration of how certain <strong>fraud</strong> schemes may result in identifiable types of transactions or trendsenhances an organization’s ability to design and implement effective data analysis. Data analytics can also be usedto cost-effectively ensure the effectiveness of other <strong>fraud</strong> preventive and detective controls.Continuous auditing is the use of data analytics on a continuous or real-time basis, thereby allowing management orauditing to identify and report <strong>fraud</strong>ulent activity more rapidly. For example, a Benford’s Law analysis 39 can examineexpense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns ofactivity that may require further analysis. Similarly, continuous monitoring of transactions subject to certain “flags”may promote quicker investigation of higher-risk transactions.Technology tools enhance the ability of management at all levels to detect <strong>fraud</strong>. Data analysis, data mining, anddigital analysis tools can:• Identify hidden relationships among people, organizations, and events.• Identify suspicious transactions.• Assess the effectiveness of internal controls.39Benford’s Law analysis is a process of comparing actual results vs. expected results by looking for unusual transactions that do not fit anexpected pattern.36
- Page 1 and 2: ACFE FRAUD PREVENTIONCHECK-UP
- Page 3 and 4: ACFE FRAUD PREVENTIONCHECK-UPThe Be
- Page 5 and 6: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 7 and 8: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 9 and 10: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 11 and 12: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 13 and 14: Sponsored by:The Institute of Inter
- Page 15 and 16: Team Members:Toby J.F. Bishop, CPA,
- Page 17 and 18: Managing the Business Risk of Fraud
- Page 19 and 20: establish their own fraud risk mana
- Page 21 and 22: Fraud risk identification may inclu
- Page 23 and 24: Thus, to properly address fraud ris
- Page 25 and 26: The board also has the responsibili
- Page 27 and 28: • Implementing adequate internal
- Page 29 and 30: Fraud Risk Management Program Compo
- Page 31 and 32: ecently been hired in the purchasin
- Page 33 and 34: Organizations can identify and asse
- Page 35 and 36: The Risk Assessment TeamA good risk
- Page 37 and 38: This also involves understanding th
- Page 39 and 40: - Invoices for goods not received o
- Page 41 and 42: Other RisksRegulatory and Legal Mis
- Page 43 and 44: SECTION 3: FRAUD PREVENTIONPrincipl
- Page 45 and 46: An organization’s HR group is oft
- Page 47: SECTION 4: FRAUD DETECTIONPrinciple
- Page 51 and 52: keep such information confidential.
- Page 53 and 54: will vary depending on the nature,
- Page 55 and 56: Conducting the InvestigationPlannin
- Page 57 and 58: • Extended investigation — Cond
- Page 59 and 60: Fraud ControlsDeloitte Forensic Cen
- Page 61 and 62: APPENDIX B: SAMPLE FRAMEWORK FOR A
- Page 63 and 64: APPENDIX C: SAMPLE FRAUD POLICY 41N
- Page 65 and 66: CONFIDENTIALITYThe ______________ U
- Page 67 and 68: Sample Fraud Policy Decision Matrix
- Page 69 and 70: Identified Fraud Risksand Schemes (
- Page 71 and 72: 2) Misappropriation of:a) Tangible
- Page 73 and 74: ) Embezzlement(1) False accounting
- Page 75 and 76: Fraud Prevention Area, Factor, or C
- Page 77 and 78: Fraud Prevention Area, Factor, or C
- Page 79 and 80: Fraud Prevention Area, Factor, or C
- Page 81 and 82: Fraud Prevention Area, Factor, or C
- Page 83 and 84: O-Organization / PersonnelO1-Leader
- Page 85 and 86: O4.3 Enhance Operational Skills & C
- Page 87 and 88: PR-Prevent, Protect & PreparePR1-Ge
- Page 89 and 90: E-Periodic EvaluationE1-Evaluation
- Page 91 and 92: I2-CommunicationI2.1 Develop Commun
- Page 93 and 94: CriminologyFraud Prevention Program
- Page 95 and 96: CriminologyFraud Prevention Program
- Page 97 and 98: CriminologyFraud Prevention Program
- Page 99 and 100:
CriminologyFraud Prevention Program
- Page 101 and 102:
CriminologyFraud Prevention Program
- Page 103 and 104:
CriminologyFraud Prevention Program
- Page 105 and 106:
CriminologyFraud Prevention Program
- Page 107 and 108:
CriminologyFraud Prevention Program
- Page 109 and 110:
CriminologyFraud Prevention Program
- Page 111 and 112:
CriminologyFraud Prevention Program
- Page 113 and 114:
CriminologyFraud Prevention Program
- Page 115 and 116:
CriminologyFraud Prevention Program
- Page 117 and 118:
Sample Fraud PolicyAssociation of C
- Page 119 and 120:
Sample Fraud PolicyCONFIDENTIALITYT
- Page 121 and 122:
Sample Fraud PolicyFraud Policy Dec
- Page 123 and 124:
Fraud’s Worst Enemyhttp://www.fra
- Page 125 and 126:
ACFE Insights - ACFE Insightshttp:/
- Page 127:
ACFE Insights - ACFE Insightshttp:/