Fraud Risk - Conclusion & Appendix
Developing a Strategy for Prevention, Detection, and Response 21
When designing controls, management should endeavor to do more than observe regulatory requirements (i.e., minimum criteria defined by various regulatory frameworks). Rather, management should take into account the relevance of a variety of leading practices (i.e., practices that similarly situated organizations have generally found to be effective). Incorporating leading practices into the design of fraud controls increases the likelihood that those controls will ultimately prove to be effective.
Each entity is unique and thus will have individualized control considerations. Management would be well served to consider the organization’s unique circumstances when designing fraud controls. Control attributes that may be appropriate for a global telecommunications company may be inappropriate for a national bank, and vice versa. Management should seek to design controls that satisfy not only legal requirements but also the organization’s distinct business needs.
Implementation
Once fraud controls have been designed, management should establish a strategy and process for implementing the new controls throughout the organization and assign responsibility and resources for leading the overall effort to a senior individual. Meaningful and consistent implementation typically requires a substantial change in workplace culture and practices. Therefore, employees should receive clear and frequent communications about when, how, and by whom the controls will be rolled out, as well as the manner in which compliance with the new controls will be enforced.
Evaluation
Simply because a control exists is no guarantee that it is operating as intended. After a control has been operating for a designated period of time, it should be evaluated to determine whether it was designed and implemented to achieve optimal effectiveness. Such an evaluation should first consider those controls identified as “higher risk” before other, lower-priority controls.
On the other hand, simply because a particular control does not yet exist, management should not automatically conclude that the organization’s risk management objective is not being met. In the absence of a specific control, other compensating controls may be operating effectively and mitigating the risk of fraud and misconduct.
Fraud Risk Management 22
When evaluating the design effectiveness of a control, management should take into account both regulatory requirements and leading practices that similarly situated organizations have found to correlate with effective risk mitigation. Management can then use a “gap analysis” process to determine whether the control in question indeed incorporates the required design criteria. For instance, where a design criterion calls for the organization’s whistleblower hotline to allow anonymous submission of questions or concerns regarding accounting and auditing matters, management should seek to determine whether the hotline protocols indeed allow for caller anonymity.
To evaluate the operational effectiveness of a particular control, management should focus on the extent to which the control’s objectives have been achieved. For example, have the mitigation strategies identified during the fraud and misconduct risk assessment been implemented properly? Similarly, management may have put in place a well-designed code of conduct, but are employees actually using the code to guide their day-to-day activities? In the end, the integrity climate will determine how employees perceive the organization’s ability to prevent, detect, and respond to fraud and misconduct, and employees will base their own conduct on those perceptions.
Only when such basic questions are addressed can management focus on gathering empirical data on control effectiveness using review and evaluation techniques (e.g., proactive forensic data analysis). For instance, management may wish to ascertain whether employees truly understand the standards contained in the code of conduct or whether employees feel comfortable calling the hotline. To gather such hard-to-audit qualitative data, management may wish to field a survey of employee perceptions and attitudes. Such a survey can be a powerful tool, generating data that can be benchmarked against prior-year results to note improvements and demonstrate control effectiveness.
An organization’s particular situation should be taken into account in conducting an effectiveness evaluation, and such an inquiry should remain ongoing. Management should continuously consider how its risk strategy and control effectiveness are affected by changes in market expectations, external scrutiny, and regulatory or legislative developments.
Conclusion
Faced with an increasing array of rules and standards governing business conduct, many organizations worldwide continue to struggle with how to mitigate the innumerable risks posed by fraud and misconduct.
The development of a broad-ranging fraud risk management program is an important step in managing this challenge. Organizations undertaking the effort should begin by assessing how well they are managing fraud risk. Identifying known risks and existing controls is an important first step. The organization can then determine its ideal future state, perform a gap analysis, and prioritize activities that will help enable the development of a company-specific antifraud program.
Such a program will not only help enable appropriate compliance with regulatory mandates but also help the organization align its corporate values and performance as well as protect its many assets, including its reputation.
Appendix: Selected International
Australia
Commonwealth Criminal Code Act (1995)
Boards have a responsibility to foster a culture of compliance with Australian law. Under the Criminal Code, a company can be convicted of Commonwealth criminal offenses if it is established that the company had a culture that directed or encouraged, tolerated, or led to noncompliance, or that the body failed to maintain a culture that required compliance with relevant legislation. (Schedule, Part 2.5, Division 12)
Corporations Act 2001 (Including CLERP 9 Amendments) (2001)
AUS 210 (2002)
Establishes a requirement for auditors to consider fraud and error in an audit of a financial report. (AUS 210)
Australian Stock Exchange Guidance Note 9A (2003)
Requires the board or appropriate board committee to establish policies on risk oversight and management. (Principle 7)
Australian Standard 8001 - 2003 Fraud and Corruption Control (2003)
Provides guidance on fraud and corruption control that is considered best practice.
European Union
The Financial Services Action Plan (FSAP) (1999)
The FSAP is designed to create a single market in financial services throughout the EU. Forty-two legislative measures were contemplated as part of the action plan, many of which focused on securities regulation. As of 2004, these measures are having a tremendous effect on the regulation of EU capital markets and, as with the Sarbanes-Oxley Act, have necessitated major adjustments on the part of issuers, accountants and lawyers, and regulators affected by the legislation.
Third Directive on the Prevention of the Use of the Financial System for Money Laundering or Terrorist Financing (2005/60/EC)
Council Directive 2005/60/EC is an update to two earlier directives in response to concerns about money laundering. This Directive requires member states to:
• Urge the financial sector to keep appropriate records
United Kingdom
The Financial Services and Markets Act (2000)
This Act supports the Financial Services Authority’s (FSA’s) goal to reduce the likelihood that business carried on by a regulated person, or in contravention of the general prohibition, can be used for a purpose connected with financial crime. As a result, the FSA requires senior management of regulated firms to take responsibility for managing fraud risks, and firms to have effective systems and controls in place proportionate to the particular financial crime risks that they face.
Proceeds of Crime Act (2002)
The Act has strengthened the law on money laundering and sets up an Assets Recovery Agency to investigate and recover assets and wealth obtained as a result of unlawful activity.
Combined Code on Corporate Governance (2003)
The Financial Reporting Council’s (FRC) Combined Code on Corporate Governance sets out standards of good practice in relation to issues such as board composition and development, remuneration, accountability and audit, and relations with shareholders. All companies incorporated in the United Kingdom and listed on the London Stock Exchange are required under the Listing Rules to report on how they have applied the Combined Code in their annual report and accounts or, where they have not applied it, to provide an explanation.
The current version of the Combined Code was published in July 2003. In recent years, related guidance has been issued including the Turnbull guidance on Internal Control, revised in October 2005; the Smith guidance on Audit Committees; and the Higgs guidance on good practices.
An implementation review carried out by the FRC in 2005 indicated the Code is having a favorable impact on the quality of corporate governance. The results also turned up no appetite for major change, and only two suggested amendments carried strong support. The FRC began consulting on these amendments in January 2006. The main proposals would be to relax the existing provisions to allow the chairman to sit on the remuneration committee and to add a new provision regarding companies including a “vote withheld” box on the annual general meeting (AGM) proxy voting forms, as recommended by the Shareholder Voting Working Group. Consultation on possible amendments to the Code closed on April 21, 2006. If implemented, the intention is that changes would apply to financial years beginning on or after November 1, 2006.
The Money Laundering Regulations (2003)
In the United Kingdom, these regulations require various kinds of businesses to identify their customers under specific circumstances and to retain copies of identification evidence for five years. These regulations apply to banks, check cashing businesses, money transmitters, accountants, solicitors, casinos, estate agents, bureaux de change, and dealers in high-value goods. Employers may be prosecuted for a breach of these regulations if they fail to train staff.
United States
Director and Officer Liability (August 1996)
The Delaware Chancery Court in In re Caremark Int’l Inc. Derivative Litigation held that boards of directors that exercise reasonable oversight of a compliance program may be eligible for protection from personal liability in shareholder civil suits resulting from employee misconduct. A director’s fiduciary duty goes beyond ensuring that a compliance program exists; it also includes a good faith duty to ensure that the organization’s compliance program is adequate.
Department of Justice Prosecution Policy (Original June 1999, revised January 2003)
The Department of Justice’s guidance (the Thompson Memo) instructs federal prosecutors that while having a compliance program in place does not absolve a corporation from criminal liability, it may provide factors that can be used in determining whether to charge an organization or only its employees and agents with a crime. These factors include evaluating whether:
• The corporation has sufficient staff to audit and evaluate results of its compliance efforts
Sarbanes-Oxley Act of 2002
The U.S. government responded to widespread cases of corporate fraud and misconduct by passing the Sarbanes-Oxley Act of 2002. The Act includes the following sections, among others:
• Section 806: Requires all companies regulated by the SEC to have in place a mechanism whereby a whistleblower can report a violation of law or SEC rule, and to protect from retaliation any person who uses that mechanism.
• Section 1107: Provides penalties and/or fines for retaliating against any corporate whistleblower, amending section 1513 of Title 18, United States Code.
Most companies in the United States are applying the integrated internal control framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission for this purpose. Generally speaking, COSO addresses ethics and compliance program elements in company-level components that have a pervasive influence on organizational behavior, such as the control environment. Examples of company-level control considerations include:
• Establishment of the tone at the top by the board and management
• Existence of codes of conduct and other policies regarding acceptable business practices
• Extent to which employees are made aware of management’s expectations
• Pressure to meet unrealistic or short-term performance targets
• Management’s attitude toward overriding established controls
• Extent to which adherence to the code of conduct is a criterion in performance appraisals
• Extent to which management monitors whether internal control systems are working
• Establishment of channels for people to report suspected improprieties
• Appropriateness of remedial action taken in response to violations of the code of conduct
NYSE Listing Standards Section 303A, Corporate Governance Standards (Modified, November 2004)
Qualitative Listing Requirements for the NASDAQ National Market (Amended, April 2004)
(2) disclose any code of conduct waivers for directors or executive officers. In addition, each exchange requires listed companies to adopt mechanisms to enforce their codes of conduct.
U.S. Sentencing Guidelines Criteria (Amended, November 2004)
The federal sentencing guidelines for organizational defendants establish minimum compliance and ethics program requirements for organizations seeking to mitigate penalties for corporate misconduct. These guidelines make explicit the expectation that organizations promote a culture of ethical conduct, tailor each program element based on compliance risk, and periodically evaluate program effectiveness. Specifically, the amended guidelines call on organizations to:
has an effective compliance and ethics program, and delegate day-to-day operational responsibility to individuals with adequate resources, authority, and direct access to the board
• Promote and enforce consistently the compliance and ethics program through incentives and disciplinary measures