Fraud Risk Management Flashcards
Fraud risk management program
• A single comprehensive and complete document that addresses all aspects of fraud risk management (i.e., a fraud control policy).
• A brief strategy outline emphasizing the attributes of fraud control, but leaving the design of specific policies and procedures to those responsible for business functions within the organization.
• An outline, within a control framework, referencing relevant policies, procedures, plans, programs, reports, and responsible positions, developed by the organization’s head office, divisions, or subsidiaries.
The following elements should be found within a fraud risk management program:
• Commitment
• Fraud Awareness
• Affirmation Process
• Conflict Disclosure
• Fraud Risk Assessment
• Reporting Procedures and Whistleblower Protection
• Investigation Process
• Corrective Action
• Process Evaluation and Improvement (Quality Assurance)
• Continuous Monitoring
Commitment
The board and senior management should communicate their commitment to fraud risk management.
Fraud Awareness
Awareness of fraud and misconduct schemes is developed through periodic assessment, training, and frequent communication.
Affirmation Process
An organization should determine whether there are any legal issues involved with having an affirmation process, which is the requirement for directors, employees, and contractors to acknowledge they have read, understood, and complied with the code of conduct, a fraud control policy, and other such documentation to support the organization’s fraud risk management program.
Conflict Disclosure
A process should be implemented for directors, employees, and contractors to internally self-disclose potential or actual conflicts of interest. Once conflicts are internally disclosed, there are several decision paths:
• Management may assert that there is, in fact, a conflict and require the individual to terminate the activity or leave the organization.
• Management may accept the internal disclosure and determine that there is no conflict of interest in the situation described.
• Management may decide that there is a potential for conflict of interest and may impose certain constraints on the individual to manage the identified risk and to ensure there is no opportunity for a conflict to arise.
Fraud Risk Assessment
A process aimed at proactively identifying and addressing an organisation’s vulnerabilities to internal and external fraud.
Reporting Procedures and Whistleblower Protection
Documentation should not only articulate the organization’s zero tolerance for fraud, it should also establish the expectation that suspected fraud must be reported immediately and provide the means to do so. To encourage timely reporting of suspected issues, the organization should communicate the protections afforded to the individual reporting the issue.
Investigation Process
Organizations should require that an investigation process be in place. Once an issue is suspected and reported, an investigation process will follow. The board and management should have a documented protocol for this process, including consideration of who should conduct the investigation (whether internal personnel or hired experts in this field), rules of evidence, chains of custody, reporting mechanisms to those charged with governance, regulatory requirements, and legal actions. Organizations should also consider whether to require all employees, as a condition of employment, to cooperate fully with an investigation into any alleged or suspected fraud.
Corrective Action
As a deterrent, policies should reflect the consequences and processes for those who commit or condone fraudulent activity. These consequences may include termination of employment or of a contract and reporting to legal and regulatory authorities. The organization should articulate that it has the right to institute civil or criminal action against anyone who commits fraud.
When fraud does occur within the organization, policies should reflect the need to conduct a postmortem to identify the control weakness that contributed to the fraudulent act. The postmortem should lead to a remediation of any identified control deficiencies. Internal auditors are important resources for this activity.
Process Evaluation and Improvement (Quality Assurance)
Documentation should describe whether, and/or how, management will periodically evaluate the effectiveness of the fraud risk management program and monitor changes. It may include the need for measurements and analysis of statistics, benchmarks, resources, and survey results. The results of this evaluation should be reported to appropriate oversight groups and be used by management to improve the fraud risk management program.
Continuous Monitoring
The fraud risk management program, including related documents, should be revised and reviewed based on the changing needs of the organization, recognizing that documentation is static, while organizations are dynamic.
Fraud risk management program documentation should be updated on an ongoing basis to reflect current conditions and to reflect the organization’s continuing commitment to the fraud risk management program.