Fraud Risk Management - CIMA


Fraud risk management: a guide to good practice

Acknowledgements

This guide is based on the first edition of Fraud Risk Management: A Guide to Good Practice. The first edition was prepared by a Fraud and Risk Management Working Group, which was established to look at ways of helping management accountants to be more effective in countering fraud and managing risk in their organisations.

This second edition of Fraud Risk Management: A Guide to Good Practice has been updated by Helenne Doody, a specialist within CIMA Innovation and Development. Helenne specialises in Fraud Risk Management, having worked in related fields for the past nine years, both in the UK and other countries. Helenne also has a graduate certificate in Fraud Investigation through La Trobe University in Australia and a graduate certificate in Fraud Management through the University of Teesside in the UK.

For their contributions in updating the guide to produce this second edition, CIMA would like to thank:

Martin Birch FCMA, MBA, Director – Finance and Information Management, Christian Aid.
Roy Katzenberg, Chief Financial Officer, RITC Syndicate Management Limited.
Judy Finn, Senior Lecturer, Southampton Solent University.
Dr Stephen Hill, E-crime and Fraud Manager, Chantrey Vellacott DFK.
Richard Sharp BSc, FCMA, MBA, Assistant Finance Director (Governance), Kingston Hospital NHS Trust.
Allan McDonagh, Managing Director, Hibis Europe Ltd.
Martin Robinson and Mia Campbell, on behalf of the Fraud Advisory Panel.

CIMA would like also to thank those who contributed to the first edition of the guide.

About CIMA

CIMA, the Chartered Institute of Management Accountants, is the only international accountancy body with a key focus on business. It is a world leading professional institute that offers an internationally recognised qualification in management accounting, with a full focus on business, in both the private and public sectors. With 164,000 members and students in 161 countries, CIMA is committed to upholding the highest ethical and professional standards of its members and students.

CIMA 2008. All rights reserved. This booklet does not necessarily represent the views of the Council of the Institute and no responsibility for loss associated to any person acting or refraining from acting as a result of any material in this publication can be accepted by the authors or publishers.

Contents

Introduction  5

1 Fraud – its extent, patterns and causes  7
1.1 What is fraud?  7
1.2 The scale of the problem  9
1.3 Which businesses are affected?  11
1.4 Why do people commit fraud?  13
1.5 Who commits fraud?  15
1.6 Summary  16

2 Risk management – an overview  17
2.1 What is risk management?  17
2.2 Corporate governance  17
2.3 The risk management cycle  19
2.4 Establish a risk management group and set goals  20
2.5 Identify risk areas  20
2.6 Understand and assess the scale of risk  20
2.7 Develop a risk response strategy  22
2.8 Implement the strategy and allocate responsibilities  22
2.9 Implement and monitor suggested controls  22
2.10 Review and refine and do it again  22
2.11 Information for decision making  22
2.12 Summary  23

3 Fraud prevention  24
3.1 A strategy to combat fraud  24
3.2 Developing a sound ethical culture  26
3.3 Sound internal control systems  32
3.4 Summary  36

4 Fraud detection  37
4.1 Detection methods  37
4.2 Indicators and warnings  39
4.3 Tools and techniques  41
4.4 Summary  43

5 Responding to fraud  44
5.1 Purpose of the fraud response plan  44
5.2 Corporate policy  44
5.3 Definition of fraud  45
5.4 Roles and responsibilities  45
5.5 The response  47
5.6 The investigation  48
5.7 Organisation’s objectives with respect to dealing with fraud  50
5.8 Follow-up action  50
5.9 Summary  51

Appendices

Appendix 1 Fraud and the law  52
Appendix 2 Examples of common types of internal fraud  57
Appendix 3 Example of a risk analysis  60
Appendix 4 A sample fraud policy  61
Appendix 5 Sample whistleblowing policy  62
Appendix 6 Examples of fraud indicators, risks and controls  64
Appendix 7 A 16 step fraud prevention plan  67
Appendix 8 Outline fraud response plan  68
Appendix 9 Example of a fraud response plan  69
Appendix 10 References and further reading  77
Appendix 11 Listed abbreviations  80

Figures

Figure 1 Types of internal fraud  8
Figure 2 The fraud triangle  13
Figure 3 The CIMA risk management cycle  19
Figure 4 Anti-fraud strategy  25
Figure 5 Ethics advice/services provided  28
Figure 6 Methods of fraud detection  37

Case studies

Case study 1 Fraud doesn’t involve just money  10
Case study 2 Size really doesn’t matter  12
Case study 3 A breach of trust  14
Case study 4 Management risk  16
Case study 5 A fine warning  35
Case study 6 Vet or regret?  36
Case study 7 Tipped off  38
Case study 8 Risk or returns  42
Case study 9 Reporting fraud  45
Case study 10 TNT roots our fraud  48


Introduction

Periodically, the latest major fraud hits the headlines as other organisations sit back and watch, telling themselves that ‘it couldn’t happen here.’ But the reality is that fraud can happen anywhere. While only relatively few major frauds are picked up by the media, huge sums are lost by all kinds of businesses as a result of the high number of smaller frauds that are committed.

Despite the serious risk that fraud presents to business, many organisations still do not have formal systems and procedures in place to prevent, detect and respond to fraud. While no system is completely foolproof, there are steps which can be taken to deter fraud and make it much less attractive to commit. It is in assisting organisations in taking such steps that this guide should prove valuable.

Surveys are regularly carried out in an attempt to estimate the true scale and cost of fraud to business and society. Findings vary, and it is difficult to obtain a complete picture as to the full extent of the issue, but these surveys all indicate that fraud is prevalent within organisations and remains a serious and costly problem. The risks of fraud may only be increasing, as we see growing globalisation, more competitive markets, rapid developments in technology, and periods of economic difficulty.

The original guide to good practice was based on the work of CIMA’s Fraud and Risk Management Working Group that was established as part of the Institute’s response to the problem of fraud. Since the publication of the original guide, we have continued to see high profile accounting scandals and unacceptable levels of fraudulent behaviour. This second edition of the guide includes updates to reflect the many changes in the legal environment and governance agenda in recent years, aimed at tackling the ongoing problem of fraud.

Among other findings, the various surveys highlight that:

- organisations may be losing as much as 7% of their annual turnover as a result of fraud
- corruption is estimated to cost the global economy about 1.5 trillion each year
- only a small percentage of losses from fraud are recovered by organisations
- a high percentage of frauds are committed by senior management and executives
- greed is one of the main motivators for committing fraud
- fraudsters often work in the finance function
- fraud losses are not restricted to a particular sector or country
- the prevalence of fraud is increasing in emerging markets.

The guide starts by defining fraud and giving an overview of the extent of fraud, its causes and its effects. The initial chapters of the guide also set out the legal environment with respect to fraud, corporate governance requirements and general risk management principles. The guide goes on to discuss the key components of an anti-fraud strategy and outlines methods for preventing, detecting and responding to fraud. A number of case studies are included throughout the guide to support the text, demonstrating real life problems that fraud presents and giving examples of actions organisations are taking to fight fraud.

Management accountants, whose professional training includes the analysis of information and systems, can have a significant role to play in the development and implementation of anti-fraud measures within their organisations. This guide is intended to help management accountants in that role and will also be useful to others with an interest in tackling fraud in their organisation.

The law relating to fraud varies from country to country. Where it is necessary for this guide to make reference to specific legal measures, this is generally to UK law, as it would be impossible to include references to the laws of all countries where this guide will be read. It is strongly advised that readers ensure they are familiar with the law relating to fraud in their own jurisdiction. Although some references may therefore not be relevant to all readers, the general principles of fraud risk management will still apply and organisations around the world are encouraged to take a more stringent approach to preventing, detecting and responding to fraud.

1 Fraud: its extent, patterns and causes

1.1 What is fraud?

Definition of fraud

The term ‘fraud’ commonly includes activities such as theft, corruption, conspiracy, embezzlement, money laundering, bribery and extortion. The legal definition varies from country to country, and it is only since the introduction of the Fraud Act in 2006 that there has been a legal definition of fraud in England and Wales.

Fraud essentially involves using deception to dishonestly make a personal gain for oneself and/or create a loss for another. Although definitions vary, most are based around these general themes.

Fraud and the law

Before the Fraud Act came into force, related offences were scattered about in many areas of the law. The Theft Acts of 1968 and 1978 created offences of false accounting, and obtaining goods, money and services by deception, and the Companies Act 1985 included the offence of fraudulent trading. This remains part of the Companies Act 2006. There are also offences of fraud under income tax and value-added tax legislation, insolvency legislation, and the common law offence of conspiracy to defraud.

The Fraud Act is not the only new piece of legislation. Over the last few years there have been many changes to the legal system with regard to fraud, both in the UK and internationally. This guide focuses mainly on UK requirements, but touches on international requirements that impact UK organisations. In the UK, the Companies Act and the Public Interest Disclosure Act (PIDA) have been amended and legislation such as the Serious Crimes Act 2007 and the Proceeds of Crime Act 2002 (POCA) have been introduced. Internationally, the Sarbanes-Oxley Act 2002 (Sarbox) has been introduced in the United States (US), a major piece of legislation that affects not only companies in the US but also those in the UK and others based all over the globe. Further information on these pieces of legislation can be found in Appendix 1.

As well as updating the legislation in the UK, there have been, and will continue to be, significant developments in the national approach to combating fraud, particularly as we see implementation of actions resulting from the national Fraud Review. Appendix 1 gives further information on the Fraud Review.
