By Marios M. Skandalis FCCA, MIFC, CFC, CFE (*)
Following the review of the characteristics of occupational fraud in Part I of the article, it can be appreciated that fraud is one of the biggest threats a corporation faces and, as such, tackling this threat is not a one-man job but a collective contribution by all members of an organisation.
Many parties involved in a corporation, both from within and outside the corporation, should move in an orderly and organised manner to produce an overall program of prevention, proactive detection and deterrence to minimize fraud and its financial impact on the company. The key players in this program are the following:
· Board of Directors
A company’s Board of Directors oversees all of the activities of the enterprise and is responsible to the shareholders to ensure not only maximum profits, but also that the organisation is a “good” corporate citizen. It does so primarily by selecting management with high ethical standards to run the company and by providing oversight to make sure that management is accomplishing its goals.
· Audit Committee
In most cases, an audit committee is appointed by the Board of Directors. Among its other duties, the committee meets regularly with the company’s internal and external auditors for the purpose of ensuring the integrity and accuracy of the company’s financial statements and other data. The audit committee is also responsible for making sure that the company has the proper control mechanisms, policies and procedures in place to protect the organisation’s assets and resources from fraud and misuse.
· Management
The management is responsible for implementing the policies and procedures of the Board of Directors. Executives also play an important role in determining the ethical tone of the company by setting the proper example. Employees have the right to expect that their leaders set high standards. In the absence of management integrity, fraud can permeate the company.
· External Auditors
The external auditors are responsible for examining the company’s books so that they may express an opinion on the overall fairness and accuracy of the company’s financial statements. Their responsibility with regard to fraud concerns whether there are irregularities large enough to materially impact the company’s overall financial condition.
· Internal Auditors
The internal auditors assist the company’s external auditors in their work but they also have their own unique duties. These include assisting the management and the Board of Directors in developing and implementing internal control procedures to deter and detect fraud at all levels.
· Anti-Fraud Specialists
Companies may employ the services of anti-fraud specialists such as Certified Fraud Examiners with relevant experience to investigate allegations of fraud.
The first step to combat fraud is to assess the fraud risk. Risk is a function of two factors:
· Likelihood, which can be calculated based on an assessment of threats (internal and external events) and vulnerabilities (weaknesses within the organisation).
· Potential impact on the organisation (the adverse consequences resulting from threats and vulnerabilities, which should be expressed in monetary terms whenever possible).
This assessment will be different for each organisation, depending on the industry, control environment, economy and many other factors specific to that organisation. The risk assessment will then be determined, based on the following mathematical formula:
Risk = Likelihood x Impact
The second step is to develop appropriate risk responses, which can be classified under three main strategies that an organisation can adopt.
- Prevent or Avoid the Risk
That would mean developing responses and designing tactics that prevent the threat from materialising. Accountability, transparency, compliance and internal controls form the basis of the overall picture of co-operative action that organisations may employ in their pursuit of occupational fraud prevention.
Accountability is widely viewed as a democratic ethical value and, as such, all those organisations in society that exercise power have a duty to account for the proper exercise of that power.
Transparency is built on the uncontrolled flow and ease of access to information. It is essential that an explanation for practices and the reasons for making particular decisions are available to those on whom they have an impact. Sufficient information should be made available to allow those directly affected to scrutinise and comprehend them and thereby encourage them to contribute to fraud prevention.
An audit process, which is described above as the procedure that both internal and external auditors adopt, is effective in making transparent the necessity for accountability in fraud prevention. Without an effective audit process, levels of accountability cannot be measured, and if transparency and accountability are deficient, so too will be the whole fraud prevention process.
Compliance is necessary for ensuring relevant laws are observed. The relationship between accountability, transparency and compliance is that they are all dependent on each other to make fraud prevention effective.
Internal controls refer to the system or the plan of an organisation and all the methods and procedures adopted by the management of an organisation, to assist in achieving its objective of having adequate internal controls to prevent occupational fraud. Apart from preventing fraud, a system of internal controls serves to detect fraud as well. A sophisticated system of internal controls to prevent fraud is introduced after a risk management process has been conducted. Since people can affect the system of internal controls, it should undergo regular reviews to maintain its effectiveness in the current environment.
Within this framework, a company should set up and adopt a number of policies to pursue its strategy for preventing fraud. These policies can be categorised as follows:
· Make Fraud Less Likely to Occur
Under this category the company may adopt policies like:
- The use of proper hiring and firing practices
- Ways of managing disgruntled employees
- Training of employees in security and fraud prevention measures
- Ways of managing and tracking software licenses
- Having signed confidentiality agreements
· Increase the Difficulty of Committing Fraud
Under this category, the company may adopt policies like:
- Develop various levels of authorisation
- Segregate duties
- Require vacations and rotate duties
- Restrict access to computer equipment and data files
- Encrypt data and programs
- Protect telephone lines
- Protect the system from viruses
- Control sensitive data
- Monitor hacker information
· Improve Detection Methods
Under this category, the company may adopt policies like:
- Conduct frequent audits
- Use of a computer security officer
- Set up a fraud hot line
- Monitor system activities
- Use of forensic accountants
- Use of certified fraud examiners
- Implementation of Cyber Intelligence programs
- Mitigate the Risk
Based on this category, an organisation should develop responses that reduce the fraud risk to a more manageable level. The policies that an organisation could adopt to reduce its fraud losses include the following:
- Store backup copies of program and data files in a secure off-site location covering both the organisation as well as the national risk
- Develop a business continuity (contingency) plan for fraud occurrences
- Use of specialised software to monitor system activity and recover from fraud
- Transfer the Risk
Based on this category, an organisation should develop procedures for transferring the risk of the occurrence and financial impact of a fraudulent action to a third party such as an insurance carrier.
Both in this article and in Part I, issued in the previous edition, we have seen most of the aspects related to occupational fraud, including its characteristics and ways of controlling it. Fraud is one of the most costly corporate threats and, as such, all organisations should, regardless of any costs or time they have to invest, proceed in taking those measures to avoid experiencing this threat.
Being the target of a fraudulent act is something more or less unavoidable, but it should never be considered as something insuperable, provided all necessary measures are adopted as described above.
Always keep in mind this great word of wisdom:
“A hard problem is a problem that nobody works on” – J. L. Massey
(*) Marios M. Skandalis is a Fellow Chartered Certified Accountant (UK), a Certified Financial Consultant (US) and a Certified Fraud Examiner (US). He has been a senior management consultant at Ernst & Young, the CFO of the General Insurance of Cyprus Ltd and currently heads the organization and methodology function of Bank of Cyprus Group’s overseas operations. He is the Vice President of the Institute of Certified Public Accountants of Cyprus and a Board member of Transparency International (Cyprus).