acfe fraud prevention check-up - BKD

More documents

Recommendations

Info

(whistleblower hotline), process controls, and proactive fraud detection procedures specifically designed to identifyfraudulent activity.Whistleblower HotlinesThe use of a whistleblower hotline 36 , which has markedly increased among SEC registrants since it was mandated bythe U.S. Sarbanes-Oxley Act of 2002, is one of the more effective measures organizations can implement as part oftheir fraud risk assessment program. Various surveys 37 indicate that anonymous tips received through hotlines or byother methods are the most likely means of detecting fraud. In addition, knowledge that an employee hotline is inplace can help prevent fraud because individuals may fear that a fraud will be discovered and reported.Marketing the existence of a hotline to increase awareness, making it easy to use, and promoting the timelyhandling of all reported issues are strong preventive measures that should supplement the detective controlof hotlines. The hotline should be promoted with educational materials provided to shareholders, employees,customers, and vendors, all of whom can provide valuable information from a variety of reliable sources. Hotlinesideally support a multilingual capability and provide access to a trained interviewer 24 hours a day, 365 days a year.Provision for anonymity to any individual who willingly comes forward to report a suspicion of fraud is a keyto encouraging such reporting and should be a component of the organization’s policy. The most effectivewhistleblower hotlines preserve the confidentiality of callers and provide assurance to employees that they will notbe retaliated against for reporting their suspicions of wrongdoing including wrongdoing by their superiors. Anotherkey is demonstrating that their reporting will result in appropriate and timely action being taken. To preserve theintegrity of the whistleblower process, it must also provide a means of reporting suspected fraud that involves seniormanagement, possibly reporting directly to the audit committee.A single case management system should be used to log all calls and their follow-up to facilitate management ofthe resolution process, testing by internal auditors, and oversight by the board and/or the audit committee 38 as theboard’s designee. The board should approve protocols to ensure reported fraud-related issues are disseminatedtimely to appropriate parties, such as the ethics/compliance team, HR, the board and/or the audit committee, legal,and security. Distributing reports to these parties of occurrences in their respective areas of responsibility ensuresthat no single person or functional area controls this highly sensitive information and increases accountability.Charged with the responsibility for having documented procedures for receiving, retaining, and investigatingcomplaints or tips alleging the possibility of misconduct or possible fraud, many audit committees have turned toindependent service providers to operate hotlines and notify the organization of any reported accusations.An effective hotline program should analyze the data received and compare results to norms for similarorganizations. Ongoing analysis allows an organization to reshape its fraud risk management program to addressevolving risks. The whistleblower process should be independently evaluated periodically for effectiveness, includingcompliance with established protocols.36Whistleblower hotlines may not be legal or ethical, or may be subject to restrictions in some countries outside the United States. As such,multinational organizations may not be able to implement hotlines on a worldwide basis.37The ACFE Occupational Fraud and Abuse Survey and the KPMG Fraud Survey are examples.38The United Kingdom (UK) report, “Audit Committees Combined Code Guidance,” by Sir Robert Smith, suggests that audit committees shouldreview whistleblowing arrangements regarding the appropriate and independent investigations and follow-up action.35
Process ControlsProcess controls specifically designed to detect fraudulent activity, as well as errors, include reconciliations,independent reviews, physical inspections/counts, analyses, and audits. A lack of, or weakness in, preventive controlsincreases the risk of fraud and places a greater burden on detective controls. The more significant the fraud risk, themore sensitive to occurrence (e.g., use of thresholds, performance frequency, and population tested) the detectivecontrol should be.The nature of fraud risks is such that there should be a systematic identification of the types of fraud schemesthat can be perpetrated against or within the organization to identify the process controls needed to reduce andcontrol the risks. Each industry is susceptible to different types of fraud schemes. The assessment becomes morecumbersome in organizations that span different industries. Organizations with multiple divisions/business unitswill need to first perform a broad organizationwide assessment and then perform more detailed and focusedassessments of individual business units to identify the necessary process controls to detect fraud.Proactive Fraud Detection ProceduresIn addition to detective process controls, organizations may be able to use data analysis, continuous auditingtechniques, and other technology tools effectively to detect fraudulent activity. Data analysis uses technology toidentify anomalies, trends, and risk indicators within large populations of transactions. Users of this technologymay be able to drill down into journal entries looking for suspicious transactions occurring at the end of a period orthose that were made in one period and later reversed in the next period. These tools may also allow users to lookfor journal entries posted to revenue or expense accounts that improve net income to meet analysts’ expectationsor incentive compensation targets. Moreover, data analysis allows users to identify relationships among people,organizations, and events.Proactive consideration of how certain fraud schemes may result in identifiable types of transactions or trendsenhances an organization’s ability to design and implement effective data analysis. Data analytics can also be usedto cost-effectively ensure the effectiveness of other fraud preventive and detective controls.Continuous auditing is the use of data analytics on a continuous or real-time basis, thereby allowing management orauditing to identify and report fraudulent activity more rapidly. For example, a Benford’s Law analysis 39 can examineexpense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns ofactivity that may require further analysis. Similarly, continuous monitoring of transactions subject to certain “flags”may promote quicker investigation of higher-risk transactions.Technology tools enhance the ability of management at all levels to detect fraud. Data analysis, data mining, anddigital analysis tools can:• Identify hidden relationships among people, organizations, and events.• Identify suspicious transactions.• Assess the effectiveness of internal controls.39Benford’s Law analysis is a process of comparing actual results vs. expected results by looking for unusual transactions that do not fit anexpected pattern.36
Page 1 and 2: ACFE FRAUD PREVENTIONCHECK-UP
Page 3 and 4: ACFE FRAUD PREVENTIONCHECK-UPThe Be
Page 5 and 6: ACFE FRAUD PREVENTIONCHECK-UPACFE F
Page 13 and 14: Sponsored by:The Institute of Inter
Page 15 and 16: Team Members:Toby J.F. Bishop, CPA,
Page 17 and 18: Managing the Business Risk of Fraud
Page 19 and 20: establish their own fraud risk mana
Page 21 and 22: Fraud risk identification may inclu
Page 23 and 24: Thus, to properly address fraud ris
Page 25 and 26: The board also has the responsibili
Page 27 and 28: • Implementing adequate internal
Page 29 and 30: Fraud Risk Management Program Compo
Page 31 and 32: ecently been hired in the purchasin
Page 33 and 34: Organizations can identify and asse
Page 35 and 36: The Risk Assessment TeamA good risk
Page 37 and 38: This also involves understanding th
Page 39 and 40: - Invoices for goods not received o
Page 41 and 42: Other RisksRegulatory and Legal Mis
Page 43 and 44: SECTION 3: FRAUD PREVENTIONPrincipl
Page 45 and 46: An organization’s HR group is oft
Page 47: SECTION 4: FRAUD DETECTIONPrinciple
Page 51 and 52: keep such information confidential.
Page 53 and 54: will vary depending on the nature,
Page 55 and 56: Conducting the InvestigationPlannin
Page 57 and 58: • Extended investigation — Cond
Page 59 and 60: Fraud ControlsDeloitte Forensic Cen
Page 61 and 62: APPENDIX B: SAMPLE FRAMEWORK FOR A
Page 63 and 64: APPENDIX C: SAMPLE FRAUD POLICY 41N
Page 65 and 66: CONFIDENTIALITYThe ______________ U
Page 67 and 68: Sample Fraud Policy Decision Matrix
Page 69 and 70: Identified Fraud Risksand Schemes (
Page 71 and 72: 2) Misappropriation of:a) Tangible
Page 73 and 74: ) Embezzlement(1) False accounting
Page 75 and 76: Fraud Prevention Area, Factor, or C
Page 83 and 84: O-Organization / PersonnelO1-Leader
Page 85 and 86: O4.3 Enhance Operational Skills & C
Page 87 and 88: PR-Prevent, Protect & PreparePR1-Ge
Page 89 and 90: E-Periodic EvaluationE1-Evaluation
Page 91 and 92: I2-CommunicationI2.1 Develop Commun
Page 93 and 94: CriminologyFraud Prevention Program
Page 99 and 100:
CriminologyFraud Prevention Program
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Sample Fraud PolicyAssociation of C
Page 119 and 120:
Sample Fraud PolicyCONFIDENTIALITYT
Page 121 and 122:
Sample Fraud PolicyFraud Policy Dec
Page 123 and 124:
Fraud’s Worst Enemyhttp://www.fra
Page 125 and 126:
ACFE Insights - ACFE Insightshttp:/
Page 127:
ACFE Insights - ACFE Insightshttp:/
show all

acfe fraud prevention check-up - BKD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?