FRAUD PREVENTION Flashcards
corporations and other organisations may also be held liable for the criminal acts of their employees if
those acts are done in the course and scope of their employment and for the ostensible purpose of benefiting the corporation
An employee’s acts are considered to be in the course and scope of employment if
the employee has actual authority or apparent authority to engage in those acts
Apparent authority means that
a third-party would reasonably believe the employee is authorised to perform the act on behalf of the company.
legal principle of “conscious avoidance” establishes liability by showing
that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact
A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on.
Legally speaking, an organisation is deemed to have knowledge of all facts known by its officers and employees
if the government can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the government can show that the company wilfully failed to act to correct the situation
then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.
The corporation can be held criminally responsible even
if those in management had no knowledge or participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employees.
In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even
if no single employee intended to commit an offence
The Treadway Commission made several major recommendations that, in combination with other measures, are designed to reduce the probability of fraud in financial reports:
- A mandatory independent audit committee made up of outside directors.
- A written charter that sets forth the duties and responsibilities of the audit committee.
- The audit committee should have adequate resources and authority to carry out its responsibilities.
- The audit committee should be informed, vigilant, and effective.
The COSO report recommended that public companies’ management reports include
an acknowledgment for responsibility for internal controls and an assessment of effectiveness in meeting those responsibilities
Internal Control is (The COSO report)
a broadly defined process … designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
− Reliability of financial reporting
− Effectiveness and efficiency of operations
− Compliance with applicable laws and regulations
Control Environment (The COSO report)
The control environment sets the moral tone of an organisation, influencing the control consciousness of the organisation and providing a foundation for all other control components.
There are several actions that management can take to establish the proper control environment for an organisation. (The COSO report)
- The establishment of a code of ethics for the organisation.
- Careful screening of job applicants.
- Proper assignment of authority and responsibility.
- Effective disciplinary measures.
According to COSO, risk assessment is a three-step process:
- Set objectives for the organisation.
- Analyse potential risks of violations
- Develop a strategy to manage risks.
COSO divides risks into two categories:
external risks and internal risks.
External risks include things like
increased competition, changes in technology, shifting economic conditions, and new legislation.
Internal risks are factors such as
personnel changes, availability of funds for organisational projects, new operating systems, and the development of new products
Control activities are (The COSO report)
the policies and procedures that enforce management’s directives
Information and Communication (The COSO report)
This component relates to the exchange of information in a way that allows employees to carry out their responsibilities
A proper information system will accomplish the following:
- Assimilate important financial, operational, and compliance information.
- Pass on pertinent information to those who need it.
- Provide for upstream communication
Monitoring is (The COSO report)
the process that assesses the quality of a control environment over time
Corporate Sentencing Guidelines provide for the substantial reduction of fines for corporations that
have vigorous fraud prevention programs
Corporations in the U.S. that wish to take advantage of the mitigation provisions of the guidelines must
implement a “corporate compliance program.”
As provided by the Guidelines, to have an “effective compliance and ethics program,” the organisation shall:
- Exercise due diligence to prevent and detect criminal conduct; and
- Otherwise promote an organisational culture that encourages ethical conduct and a commitment to compliance with the law.
In designing an “effective compliance and ethics program,” certain factors must be considered by each organisation:
- Applicable industry size and practice – An organisation’s failure to incorporate and follow industry practice or the standards called for by any applicable government regulation weighs against a finding that the program is effective.
- Size of the organisation – Large organisations are expected to devote more formal operations and greater resources to meeting the requirements than are small organisations. For example, smaller organisations may use available personnel rather than employ separate staff to carry out ethics and compliance.
- Recurrence of similar misconduct – The recurrence of a similar event creates doubt as to whether the organisation took reasonable steps to meet the requirements.
To meet the two requirements of due diligence and promotion of an ethical culture, section 8B2.1 (b) sets forth the seven factors that are minimally required for such a program to be considered effective:
- The organisation must have established standards and procedures to prevent and detect criminal conduct.
- Item 2 has three specific subparts:
a. The organisation’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to implementation and effectiveness of the compliance and ethics program.
b. High-level personnel shall ensure that the organisation has an effective compliance and ethics program, and specific individual(s) within the organisation shall be assigned overall responsibility for the compliance and ethics program.
c. Specific individual(s) within the organisation shall be delegated day-to-day operational responsibility for the compliance and ethics program. These individuals shall report periodically to high-level personnel and, as appropriate, to the governing authority (or a subgroup thereof) on the effectiveness of the program. It is also required that these specific individuals be given adequate resources and authority to accomplish their responsibilities and be given direct access to the governing authority.
- The organisation shall use reasonable efforts not to include within the substantial authority personnel any individual whom the organisation knew, or should have known, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
- Item 4 has two subparts:
a. The organisation shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subpart (b) below by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
b. The individuals referred to in subpart (a) above are the 1) members of the governing authority, 2) high-level personnel, 3) substantial authority personnel, 4) the organisation’s employees, and as appropriate, the 5) organisation’s agents.
- The organisation shall take reasonable steps to accomplish the following:
a. Ensure that the organisation’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
b. Evaluate periodically the effectiveness of the organisation’s compliance and ethics program; and
c. Have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organisation’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
- The organisation’s compliance and ethics program shall be promoted and enforced consistently throughout the organisation through (a) appropriate incentives to perform in accordance with the program; and (b) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
- After criminal conduct has been detected, the organisation shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organisation’s compliance and ethics program.
Proactive Fraud Policies
A proactive policy means that the organisation will aggressively seek out possible fraudulent conduct, instead of waiting for instances to come to their attention. This can be accomplished by several means, including the use of analytical review, fraud assessment questioning, mandatory vacations, job rotation, and surprise audits where possible.
Fraud Assessment Questioning
a nonaccusatory interview technique used as a part of a normal audit. It operates on the theory that employees’ attitudes are a good indicator of potential problems, and that one of the most effective ways to deal with fraud is to ask about it.
Enforcement of Mandatory Vacations
Many internal frauds require manual intervention, and are therefore discovered when the perpetrator is away on vacation.
Job Rotation
Some frauds are detected during sickness or unexpected absences of the perpetrator, because they require continuous, manual intervention.
Surprise Audits Where Possible
All too many fraud perpetrators know when auditors are coming, and therefore have time to alter, destroy, or misplace records and other evidence.
Management Oversight
It is most common for employees who steal to use the proceeds for lifestyle improvements. Some examples include more expensive cars, extravagant vacations, expensive clothing, new or remodelled homes, expensive recreational property, and outside investments. Managers should be educated to be observant of these signs.
Increasing the Perception of Detection
this means letting employees, managers, and executives know that auditors are actively seeking out information concerning internal theft.
Increasing the Perception of Detection This can be accomplished in several ways
Employee Education
Employee Education
The goal is to make others within the company your eyes and ears.
Minimise Employee Pressures
Companies can take steps to assist an employee who might be having difficult times
Open-Door Policies
If employees and others can speak freely, many managers will understand the pressures and might be able to eliminate them before they become acute.
Employee Support Programs
Many progressive companies and agencies have realised the benefit of employee support programs. Some kinds of support programs include alcohol and drug assistance, and counselling for gambling, abortion, marital problems, and financial difficulties.
Management Climate
If the style of management is conducted by objective measures rather than by subjective measures, then employees will not manufacture or imagine the performance criteria employed by management. In addition, it is obvious that management that is perceived to be dishonest will beget dishonest employees.
Monitoring Systems
Confidential hotlines are one of the best ways for an organisation to monitor compliance.
A reporting program should emphasise that:
• Fraud, waste, and abuse occur in nearly all companies.
• Such conduct costs the company jobs and profits.
• The company actively encourages any employee with information to come forward.
• The employee can come forward and provide information anonymously and without fear of recrimination for good-faith reporting.
• There is an exact method for reporting, i.e., a telephone number, name, or other information.
• The report need not be made to one’s immediate superiors.
Hotlines. PART-TIME, IN-HOUSE
are assigned to an employee with other duties.
The main disadvantage is that the hotline is not staffed full-time, which can discourage calls. Also, some people might be reluctant to report to the company.
Hotlines. FULL-TIME, IN-HOUSE
The advantage is that people can make reports at any time, day or night, and talk to a person. The disadvantage is cost, and like the part-time line, some people might be reluctant to report directly to the company.
Hotlines. THIRD-PARTY
The advantages are cost, efficiency, and anonymity. Their disadvantage is that the operation is beyond the company’s control.
REWARDS
If a reward policy exists, strict criteria should establish reward payments, and such proposed policies should be reviewed and approved by counsel.
Fraud Prevention Policy
specifically spells out who in an organisation handles varying fraud matters under differing circumstances.
Fraud Policy Objectives
reasonable assurance that:
• Financial and operating information is accurate and reliable.
• Policies, procedures, plans, laws, and regulations are complied with.
• Assets are safeguarded against loss and theft.
• Resources are used economically and efficiently.
• Established program/operating goals and objectives are met.
Management might not support fraud prevention for one of several reasons:
- Management’s concerns are often elsewhere than audit or fraud. They don’t typically understand that fraud is hidden and that losses go undetected. They also might refuse to believe that their own workers are capable of stealing even when studies suggest a third of us might do such a thing.
- Because of the hidden nature of fraud, managers are understandably reluctant to believe in the presence of fraud. And if one employee is caught committing fraud, management might too often claim that this is an isolated problem and not worth additional consideration. Management must understand that when instances of fraud are detected, it is too late to do anything about it.
- Management sometimes unreasonably feels that bringing up the issue will alienate the work force. This problem can be addressed by reminding management that the rank-and-file workers appreciate working for an honest company. It is also helpful to point out to management what the losses might be.
Some of the following suggestions might be helpful in “selling” fraud prevention to management:
The Impact on the Bottom Line
The Impact of Publicity
Policy Statement
The policy statement sets forth that management is responsible for fraud, and each member of the management team should be familiar with the types of signals present within his scope of responsibilities. The policy statement also designates who is in charge of investigating suspected irregularities.
Scope of Policy
This area of the fraud policy statement covers what constitutes an irregularity and the fact that the policy covers everyone from management to worker.
Actions Constituting Fraud
- Any dishonest or fraudulent act
- Forgery or alteration of documents
- Misapplication of funds or assets
- Impropriety with respect to reporting financial transactions
- Profiting on insider knowledge
- Disclosing securities transactions to others
- Accepting gifts from vendors
- Destruction or disappearance of records or assets
- Any similar or related irregularity
Nonfraud Irregularities
This section covers allegations of personal improprieties or irregularities and states that they should be resolved by management and not an auditor.
Investigation Responsibilities
This part deals with who will investigate suspected irregularities as well as to whom these irregularities will be reported (management, law enforcement, or legal counsel).
Confidentiality
Under this section, the confidential nature of the investigation is set forth. It states that the investigation will not be disclosed to outsiders except as required.
Authorisation for Investigation
This delineates that whoever is in charge of the investigation has the authority to take control of and examine records.
Reporting Procedures
This part states that anyone suspecting fraud should report it and not attempt an investigation. It also states that management and others should not make statements regarding the alleged guilt of the perpetrator.
Termination
This section states that any recommendations to terminate employees should be reviewed by counsel and management.
Communicating the Fraud Policy
During initial employee orientation
An interoffice memorandum from the chief executive officer
Posters
Employee Morale
If an employee is properly instructed, communication of a fraud policy can have a positive impact on morale.
Legal Considerations
One of the most important legal considerations is to ensure everyone and every allegation is handled in a uniform manner
The collection of a person’s beliefs and morals makes up a set of principles known as
Ethics
Ethics are
the judgments about right and wrong or, more specifically, a person’s moral obligations to society that determine a person’s actions
There are four factors that generally affect the ethical decisions of employees:
- The law and other government regulations
- Industry and organisational ethical codes
- Social pressures
- Tension between personal standards and organisational needs
Identifying key organisational characteristics and issues is a start to development of an ethics program. These items include:
• Understanding of why good people can commit unethical acts
• Defining current as well as desired organisational values
• Determining if organisational values have been properly communicated
• Producing written ethics policies, procedures, or structures
• Ascertaining how board members, stockholders, management, employees, and any other pertinent members of the organisation define success
• Determining if ethics is a leadership issue in the organisation
The following 12 components are necessary to develop, implement, and manage a comprehensive ethics program:
- Focus on ethical leadership
- Vision statement
- Values statement
- Code of ethics
- Designated ethics official
- Ethics task force or committee
- Ethics communication strategy
- Ethics training
- Ethics help and fraud report telephone line
- Ethical behaviour rewards and sanctions
- Comprehensive system to monitor and track ethics data
- Periodic evaluation of ethics efforts and data