Sunday, February 24, 2019
Fraud Risk Management
Fraud risk management: a guide to good practice

Acknowledgements

This guide is based on the first edition of Fraud Risk Management: A Guide to Good Practice. The first edition was prepared by a Fraud and Risk Management Working Group, which was established to look at ways of helping management accountants to be more effective in countering fraud and managing risk in their organisations. This second edition of Fraud Risk Management: A Guide to Good Practice has been updated by Helenne Doody, a specialist within CIMA Innovation and Development. Helenne specialises in fraud risk management, having worked in related fields for the past nine years, both in the UK and other countries. Helenne also has a graduate certificate in Fraud Investigation through La Trobe University in Australia and a graduate certificate in Fraud Management through the University of Teesside in the UK.

For their contributions in updating the guide to produce this second edition, CIMA would like to thank:
- Martin Birch FCMA, MBA, Director Finance and Information Management, Christian Aid.
- Roy Katzenberg, Chief Financial Officer, RITC Syndicate Management Limited.
- Judy Finn, Senior Lecturer, Southampton Solent University.
- Dr Stephen Hill, E-crime and Fraud Manager, Chantrey Vellacott DFK.
- Richard Sharp BSc, FCMA, MBA, Assistant Finance Director (Governance), Kingston Hospital NHS Trust.
- Allan McDonagh, Managing Director, Hibis Europe Ltd.
- Martin Robinson and Mia Campbell on behalf of the Fraud Advisory Panel.

CIMA would also like to thank those who contributed to the first edition of the guide.

About CIMA

CIMA, the Chartered Institute of Management Accountants, is the only international accountancy body with a key focus on business.
It is a world leading professional institute that offers an internationally recognised qualification in management accounting, with a full focus on business, in both the private and public sectors. With 164,000 members and students in 161 countries, CIMA is committed to upholding the highest ethical and professional standards of its members and students.

CIMA 2008. All rights reserved. This booklet does not necessarily represent the views of the Council of the Institute and no responsibility for loss associated to any person acting or refraining from acting as a result of any material in this publication can be accepted by the authors or publishers.

Contents

Introduction
1 Fraud: its extent, patterns and causes
1.1 What is fraud?
1.2 The scale of the problem
1.3 Which businesses are affected?
1.4 Why do people commit fraud?
1.5 Who commits fraud?
1.6 Summary
2 Risk management: an overview
2.1 What is risk management?
2.2 Corporate governance
2.3 The risk management cycle
2.4 Establish a risk management group and set goals
2.5 Identify risk areas
2.6 Understand and assess the scale of risk
2.7 Develop a risk response strategy
2.8 Implement the strategy and allocate responsibilities
2.9 Implement and monitor suggested controls
2.10 Review and refine and do it again
2.11 Information for decision making
2.12 Summary
3 Fraud prevention
3.1 A strategy to combat fraud
3.2 Developing a sound ethical culture
3.3 Sound internal control systems
3.4 Summary
4 Fraud detection
4.1 Detection methods
4.2 Indicators and warnings
4.3 Tools and techniques
4.4 Summary
5 Responding to fraud
5.1 Purpose of the fraud response plan
5.2 Corporate policy
5.3 Definition of fraud
5.4 Roles and responsibilities
5.5 The response
5.6 The investigation
5.7 Organisation's objectives with respect to dealing with fraud
5.8 Follow-up action
5.9 Summary

Appendices
Appendix 1 Fraud and the law
Appendix 2 Examples of common types of internal fraud
Appendix 3 Example of a risk analysis
Appendix 4 A sample fraud policy
Appendix 5 Sample whistleblowing policy
Appendix 6 Examples of fraud indicators, risks and controls
Appendix 7 A 16 step fraud prevention plan
Appendix 8 Outline fraud response plan
Appendix 9 Example of a fraud response plan
Appendix 10 References and further reading
Appendix 11 Listed abbreviations

Figures
Figure 1 Types of internal fraud
Figure 2 The fraud triangle
Figure 3 The CIMA risk management cycle
Figure 4 Anti-fraud strategy
Figure 5 Ethics advice/services provided
Figure 6 Methods of fraud detection

Case studies
Case study 1 Fraud doesn't involve just money
Case study 2 Size really doesn't matter
Case study 3 A breach of trust
Case study 4 Management risk
Case study 5 A fine warning
Case study 6 Vet or regret?
Case study 7 Tipped off
Case study 8 Risk or returns
Case study 9 Reporting fraud
Case study 10 TNT roots out fraud

Introduction

Periodically, the latest major fraud hits the headlines as other organisations sit back and watch, telling themselves that "it couldn't happen here". But the reality is that fraud can happen anywhere. While only relatively few major frauds are picked up by the media, huge sums are lost by all kinds of businesses as a result of the high number of smaller frauds that are committed.

Surveys are regularly carried out in an attempt to estimate the true scale and cost of fraud to business and society. Findings vary, and it is difficult to obtain a complete picture as to the full extent of the issue, but these surveys all indicate that fraud is prevalent within organisations and remains a serious and costly problem. The risks of fraud may only be increasing, as we see growing globalisation, more competitive markets, rapid developments in technology, and periods of economic difficulty.

Among other findings, the various surveys highlight that:
- organisations may be losing as much as 7% of their annual turnover as a result of fraud;
- corruption is estimated to cost the global economy about $1.5 trillion each year;
- only a small percentage of losses from fraud are recovered by organisations;
- a high percentage of frauds are committed by senior management and executives;
- greed is one of the main motivators for committing fraud;
- fraudsters often work in the finance function;
- fraud losses are not restricted to a particular sector or country;
- the prevalence of fraud is increasing in emerging markets.

Despite the serious risk that fraud presents to business, many organisations still do not have formal systems and procedures in place to prevent, detect and respond to fraud. While no system is completely foolproof, there are steps which can be taken to deter fraud and make it much less attractive to commit. It is in assisting organisations in taking such steps that this guide should prove valuable.

The original guide to good practice was based on the work of CIMA's Fraud and Risk Management Working Group that was established as part of the Institute's response to the problem of fraud. Since the publication of the original guide, we have continued to see high profile accounting scandals and unacceptable levels of fraudulent behaviour. This second edition of the guide includes updates to reflect the many changes in the legal environment and governance agenda in recent years, aimed at tackling the ongoing problem of fraud.

The guide starts by defining fraud and giving an overview of the extent of fraud, its causes and its effects. The initial chapters of the guide also set out the legal environment with respect to fraud, corporate governance requirements and general risk management principles. The guide goes on to discuss the key components of an anti-fraud strategy and outlines methods for preventing, detecting and responding to fraud. A number of case studies are included throughout the guide to support the text, demonstrating real life problems that fraud presents and giving examples of actions organisations are taking to fight fraud.

Management accountants, whose professional training includes the analysis of information and systems, can have a significant role to play in the development and implementation of anti-fraud measures within their organisations.
This guide is intended to help management accountants in that role and will also be useful to others with an interest in tackling fraud in their organisation.

The law relating to fraud varies from country to country. Where it is necessary for this guide to make reference to specific legal measures, this is generally to UK law, as it would be impossible to include references to the laws of all countries where this guide will be read. It is strongly recommended that readers ensure they are familiar with the law relating to fraud in their own jurisdiction. Although some references may therefore not be relevant to all readers, the general principles of fraud risk management will still apply and organisations around the world are encouraged to take a more stringent approach to preventing, detecting and responding to fraud.

1 Fraud: its extent, patterns and causes

1.1 What is fraud?

Definition of fraud

The term "fraud" commonly includes activities such as theft, corruption, conspiracy, embezzlement, money laundering, bribery and extortion. The legal definition varies from country to country, and it is only since the introduction of the Fraud Act in 2006 that there has been a legal definition of fraud in England and Wales. Fraud essentially involves using deception to dishonestly make a personal gain for oneself and/or create a loss for another. Although definitions vary, most are based around these general themes.

Fraud and the law

Before the Fraud Act came into force, related offences were scattered around in many areas of the law. The Theft Acts of 1968 and 1978 created offences of false accounting, and obtaining goods, money and services by deception, and the Companies Act 1985 included the offence of fraudulent trading. This remains part of the Companies Act 2006. There are also offences of fraud under income tax and value-added tax legislation, insolvency legislation, and the common law offence of conspiracy to defraud.

The Fraud Act is not the only new piece of legislation. Over the last few years there have been many changes to the legal system with regard to fraud, both in the UK and internationally. This guide focuses mainly on UK requirements, but touches on international requirements that affect UK organisations. In the UK, the Companies Act and the Public Interest Disclosure Act (PIDA) have been amended and legislation such as the Serious Crime Act 2007 and the Proceeds of Crime Act 2002 (POCA) have been introduced. Internationally the Sarbanes-Oxley Act 2002 (Sarbox) has been introduced in the United States (US), a major piece of legislation that affects not only companies in the US but also those in the UK and others based all over the globe. Further information on these pieces of legislation can be found in Appendix 1.

As well as changing the legislation in the UK, there have been, and will continue to be, significant developments in the national approach to combating fraud, particularly as we see implementation of actions resulting from the national Fraud Review. Appendix 1 gives further information on the Fraud Review. There are also many law enforcement agencies involved in the fight against fraud in the UK, including the Serious Fraud Office, the Serious Organised Crime Agency (SOCA), the Financial Services Authority (FSA), and Economic Crime Units within the police force.

Different types of fraud

Fraud can mean many things and result from many varied relationships between offenders and victims. Examples of fraud include:
- crimes by individuals against consumers, clients or other business people, e.g. misrepresentation of the quality of goods; pyramid trading schemes;
- employee fraud against employers, e.g. payroll fraud; falsifying expense claims; thefts of cash, assets or intellectual property (IP); false accounting;
- crimes by businesses against investors, consumers and employees, e.g. financial statement fraud; selling counterfeit goods as genuine ones; not paying over tax or National Insurance contributions paid by staff;
- crimes against financial institutions, e.g. using lost and stolen credit cards; cheque frauds; fraudulent insurance claims;
- crimes by individuals or businesses against government, e.g. grant fraud; social security benefit claim frauds; tax evasion;
- crimes by professional criminals against major organisations, e.g. major counterfeiting rings; mortgage frauds; "advance fee" frauds; corporate identity fraud; money laundering;
- e-crime by people using computers and technology to commit crimes, e.g. phishing; spamming; copyright crimes; hacking; social engineering frauds.

This guide focuses on fraud against businesses, typically by those internal to the organisation. According to the Association of Certified Fraud Examiners (ACFE), there are three main categories of fraud that affect organisations. The first of these is asset misappropriation, which involves the theft or misuse of an organisation's assets. Examples include theft of plant, inventory or cash, false invoicing, accounts receivable fraud, and payroll fraud. The second category of fraud is fraudulent statements. This is usually in the form of falsification of financial statements in order to obtain some form of improper benefit. It also includes falsifying documents such as employee credentials. The final of the three fraud categories is corruption. This includes activities such as the use of bribes or acceptance of "kickbacks", improper use of confidential information, conflicts of interest and collusive tendering. These types of internal fraud are summarised in Figure 1.

Figure 1 Types of internal fraud
Internal fraud
- Asset misappropriation: cash; non-cash
- Fraudulent statements: financial; non-financial
- Corruption: conflicts of interest; bribery and extortion

Surveys have shown that asset misappropriation is the most widely reported type of fraud in the UK, although corruption and bribery are growing the most rapidly. Further information on common types of internal fraud, and methods by which they may be perpetrated, is included in Appendix 2.

1.2 The scale of the problem

There have been many attempts to measure the true extent of fraud, but compiling reliable statistics around fraud is not easy. As one of the key aspects of fraud is deception, it can be difficult to identify, and survey results often only reflect the instances of fraud that have actually been discovered. It is estimated that the majority of frauds go undetected and, even when a fraud has been found, it may not be reported. One reason for this may be that a company that has been a victim of fraud does not want to risk negative publicity. Also, it is often hard to distinguish fraud from carelessness and poor record keeping.

Although survey results and research may not give a complete picture, the various statistics do offer a helpful indication as to the extent of the problem. There can be no doubt that fraud is prevalent within organisations and remains a serious issue. PricewaterhouseCoopers' Global Economic Crime Survey (PwC's survey) in 2007 found that over 43% of international businesses were victims of fraud during the previous two years. In the UK, the figures were higher than the global average, with 48% of companies having fallen victim to fraud. Some surveys put the figures much higher. For example, during 2008, Kroll commissioned the Economist Intelligence Unit (EIU) to poll nearly 900 senior executives across the world. The EIU found that 85% of companies had suffered from at least one fraud in the past three years [1]. This figure had risen from 80% in a similar poll in 2007.
KPMG's Fraud Barometer, which has been running since 1987, has also shown a considerable increase in the number of frauds committed in the UK in recent years, including a 50% rise in fraud cases in the first half of 2008. According to the UK report of PwC's survey, the average direct loss per company over a two year period as a result of fraud has risen to £1.75 million, increasing from £0.8 million in the equivalent 2005 survey. These figures exclude undetected losses and indirect costs to the business such as management costs or damage to reputation, which can be significant. Management costs alone were estimated to be on average another £0.75 million. Participants of the ACFE Report to the Nation 2008 (ACFE report) estimated that organisations lose 7% of their annual revenues to fraud.

It is difficult to put a total cost on fraud, although many studies have tried to. For example, an independent report by the Association of Chief Police Officers (the ACPO) in 2007 revealed that fraud results in losses of £20 billion each year in the UK. The World Bank has estimated that the global cost of corruption and bribery is about 5% of the value of the world economy, or about $1.5 trillion per year. It is thought that these estimates are conservative, and they also exclude other types of fraud such as misappropriation of assets. While it may be impossible to calculate the total cost of fraud, it is said to be more significant than the total cost of most other crimes. According to the Attorney General in the UK, fraud is an area of crime which is second only to drug trafficking in terms of causing harm to the economy and society [2].
[1] Kroll Global Fraud Report, Annual Edition 2008/2009
[2] Attorney General's interim report on the government's Fraud Review, March 2006

Fraud is often mistakenly considered a victimless crime. However, fraud can have considerable social and psychological effects on individuals, businesses and society. For example, when a fraud causes the collapse of a major company, numerous individuals and businesses can be affected. In addition to the company's own employees, employees of suppliers can be affected by the loss of large orders, and other creditors, such as banks, can be indirectly affected by huge losses on loans. Consumers have to pay a premium for goods and services, in order to compensate for the costs of fraud losses and for money spent on investigations and additional security. Taxpayers also suffer due to reduced payments of corporation tax from businesses that have suffered losses. Fraud drains resources, affects public services and, perhaps of more concern, may fund other criminal and terrorist activity. According to the Fraud Review, fraud is a major and growing threat to public safety and prosperity. Case study 1 demonstrates just how much of a threat fraud can be to public safety and that there truly are victims of fraud.

Case study 1: Fraud doesn't just involve money

Counterfeiting is one example of fraud that can have extremely serious consequences. Technology is ever improving, making it easier for counterfeiters to produce realistic looking packaging and fool legitimate wholesalers and retailers. Counterfeiting is a potentially lucrative business for the fraudster, with possibilities of large commercial profits, and it is a problem affecting a wide range of industries including wines and spirits, pharmaceuticals, electrical goods, and fashion. However, there are often many victims affected by such a fraud and not just the business that has been duped or had their brand exploited. For some, the outcome of counterfeiting goes way beyond financial losses and can even be fatal.

In late 2006, 14 Siberian towns declared a state of emergency due to mass poisonings caused by fake vodka. Around 900 people were hospitalised with liver failure after drinking industrial solvent that was being sold as vodka. This is not a one off problem and sales of fake alcohol have been known to kill people.

Also in 2006, a counterfeit product did result in more tragic consequences. At least 100 children died after ingesting cough syrup that had been mixed with counterfeit glycerine. The counterfeit compound, actually a dangerous solvent, had been used in place of more expensive glycerine. The manufacturing process had been sourced to China and the syrup passed through trading companies in Beijing and Barcelona before reaching its final destination in Panama. The certificate attesting to the product's purity was falsified and not one of the trading companies tested the syrup to confirm its contents along the way. It is thought that the number of deaths is likely to be much higher than the 100 cases that have been confirmed.

1.3 Which businesses are affected?

Fraud is an issue that all organisations may face regardless of size, industry or country. If the organisation has valuable property (cash, goods, information or services), then fraud may be attempted. It is often high profile frauds in large multi-national organisations that are reported on in the media, and smaller organisations may feel they are unlikely to be a target of fraudsters. However, according to the ACFE report, small businesses (classified as those with less than 100 employees) suffer fraud more frequently than large organisations and are hit by higher average losses.
When small companies are hit by large fraud losses, they are less likely to be able to absorb the damage than a big company and may even go out of business as a result.

The results of PwC's survey showed that companies reporting fraud were spread across many industries, with at least a quarter of the respondents in any one industry suffering from fraudulent incidents. Industries suffering the highest average losses were insurance and industrial manufacturing. Losses in the financial services industry, a sector frequently in the press and one with which fraud is often associated, were actually below average. Even not-for-profit organisations are not immune to fraud, with government institutions and many charities falling victim to unscrupulous fraudsters. As one director working in the international development and aid sector has pointed out, "In my sector, fraud is not a possibility, it is a reality and we are always dealing with a number of suspicious incidents on a more or less permanent basis."

PwC's survey also revealed that incidences of fraud were highest in companies in North America, Africa and Central and Eastern Europe (CEE), where more than half of the companies reported fraud. It was lowest in the Western European region, although the UK was much higher than the average for this region, with levels of fraud similar to those in CEE. The EIU poll commissioned by Kroll in 2007 found that respondents in countries such as India and China have seen a significant increase in the prevalence of corporate fraud in the last three years and this trend is likely to increase in businesses operating in emerging markets [3].

Although fraud is prevalent across organisations of all sizes and in all sectors and locations, research shows that certain business models will involve greater levels of fraud risk than others. The control environment should be adjusted to fit with the degree of risk exposure.
Further guidance on risk assessment and controls is given in later chapters.

[3] Kroll Global Fraud Report, Annual Edition 2007/2008

Case study 2: Size really doesn't matter

From a family affair

A member of a small family business in Australia committed a $2m fraud, costing profits, jobs and a great deal of trust. The business owners became suspicious when they realised that their son-in-law used the company diesel card to buy petrol for his own car. On closer scrutiny, they soon discovered a company cheque for $80,000 made payable to the son-in-law's personal account. BDO's Brisbane office discovered that the cheque and the fuel were just the tip of a vast iceberg. The company's complex accounts system allowed the son-in-law to disguise cheques payable to himself as creditor payments. He then became a signatory and took ever bigger cheques. He claimed that the poor cash flow was due to losses in one particular division, which the family therefore closed, creating redundancies and losing what was in truth a successful business. The costs of inefficient accounting systems and undue trust can be massive. Every business should protect itself with thorough controls and vigilance.

Adapted from FraudTrack 5 Fraud: A Global Challenge, published by BDO Stoy Hayward

To a major corporate scandal

WorldCom filed for bankruptcy protection in June 2002. It was the biggest corporate fraud in history, largely a result of treating operating expenses as capital expenditure. WorldCom (now renamed MCI) admitted in March 2004 that the total amount by which it had misled investors over the previous 10 years was almost US$75 billion (? 2 billion) and reduced its stated pre-tax profits for 2001 and 2002 by that amount. WorldCom stock began falling in late 1999 as businesses slashed spending on telecom services and equipment. A series of debt downgrades raised borrowing costs for the company, which was struggling with about US$32 billion in debt.
WorldCom used accounting tricks to conceal a deteriorating financial condition and to inflate profits. Former WorldCom chief executive Bernie Ebbers resigned in April 2002 amid questions about US$366 million in personal loans from the company and a federal probe of its accounting practices. Ebbers was subsequently charged with conspiracy to commit securities fraud and filing misleading data with the Securities and Exchange Commission (SEC) and was sentenced to 25 years in prison. Scott Sullivan, former Chief Financial Officer, pleaded guilty to three criminal charges and was sentenced to five years in prison. Ultimately, losses to WorldCom shareholders were close to US$180 billion and the fraud also resulted in the loss of 17,000 jobs. The SEC said that WorldCom had committed accounting improprieties of unprecedented magnitude: proof, it said, of the need for reform in the regulation of corporate accounting.

Adapted from CIMA Official Learning System, Management Accounting Risk and Control Strategy

1.4 Why do people commit fraud?

There is no single reason behind fraud and any explanation of it needs to take account of various factors. Looking from the fraudster's perspective, it is necessary to take account of:
- motivation of potential offenders
- conditions under which people can rationalise their prospective crimes away
- opportunities to commit crime(s)
- perceived suitability of targets for fraud
- technical ability of the fraudster
- expected and actual risk of discovery after the fraud has been carried out
- expectations of consequences of discovery (including non-penal consequences such as job loss and family stigma, proceeds of crime confiscation, and traditional criminal sanctions)
- actual consequences of discovery.

A common model that brings together a number of these aspects is the Fraud Triangle. This model is built on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity and rationalisation.
Motivation

In simple terms, motivation is typically based on either greed or need. Stoy Hayward's (BDO) most recent FraudTrack survey found that greed continues to be the main cause of fraud, resulting in 63% of cases in 2007 where a cause was cited. Other causes cited included problems from debts and gambling. Many people are faced with the opportunity to commit fraud, and only a minority of the greedy and needy do so. Personality and temperament, including how frightened people are about the consequences of taking risks, play a role. Some people with good objective principles can fall into bad company and develop tastes for the fast life, which tempts them to fraud. Others are tempted only when faced with ruin anyway.

Opportunity

In terms of opportunity, fraud is more likely in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies with regard to acceptable behaviour. Research has shown that some employees are totally honest, some are totally dishonest, but that many are swayed by opportunity.

Rationalisation

Many people obey the law because they believe in it and/or they are afraid of being shamed or rejected by people they care about if they are caught. However, some people may be able to rationalise fraudulent actions as:
- necessary, especially when done for the business
- harmless, because the victim is large enough to absorb the impact
- justified, because 'the victim deserved it' or because 'I was mistreated'.

Figure 2: The fraud triangle (motivation, opportunity, rationalisation)

Case study 3: A breach of trust

A good example of the fraud triangle in practice is the highly publicised case of the secretary that stole over ? . 3 million from her bosses at Goldman Sachs.
Motivation

There were some suggestions that Joyti De-Laurey originally started down her fraudulent path because of financial difficulties she found herself in before starting work at the investment bank. De-Laurey had previously run her own sandwich bar business, but it was closed down due to insufficient finances. According to her defence, De-Laurey's first bitter experience of financial turmoil coincided with a new introduction to a 'Dallas-type world where huge, unthinkable amounts of money stared her in the face, day in and day out'. The motive behind the fraud was primarily greed though, with De-Laurey spending her ill-gotten gains on a luxury lifestyle, including villas, cars, jewellery, designer clothes and first class holidays. De-Laurey has even admitted that she did not steal because she needed to, but because she could. She explained that she first started taking money simply to find out if she could get away with it. She says that it then became 'a bit addictive' and that she got 'a huge buzz from knowing they had no idea what I was doing'.

Opportunity

In terms of opportunity, De-Laurey's bosses trusted her and held her in high regard. She had proved herself indispensable, on both business and personal fronts, and was given access to their cheque books in order to settle their domestic bills and personal finances. A little over a year after starting at Goldman Sachs, De-Laurey began forging her bosses' signatures on personal cheques to make payments into her own accounts. Realising she had got away with it, De-Laurey continued to steal money by issuing forged cheques and making false money transfers. Before long she was forging signatures on a string of cash transfer authorities, siphoning off up to ? 2. million at a time from supposedly secure New York investments.

Rationalisation

De-Laurey was able to rationalise her actions by convincing herself that she had earned the money she stole.
De-Laurey believed that she deserved the plundered amounts as a just reward for her dedication, discretion and loyalty, and claims that she had the consent of her bosses to take money in return for her indispensable services. The fact that they were so rich they did not even notice the money was missing only served to fuel De-Laurey's fraudulent activities. She justified her actions through the belief that her bosses had cash to spare. According to De-Laurey, 'They could afford to lose that money.'

Caught out

After four years of siphoning off vast amounts of money, De-Laurey was eventually caught when her boss at the time decided to make a six-figure donation to his former college. He took a look at his bank accounts to see if he could cover the donation and was surprised to find the balance on the accounts so low. He investigated further and realised that large sums had been transferred to an unknown account. De-Laurey was the obvious suspect. By this time, De-Laurey had actually stolen around £3.3 million from this particular boss. De-Laurey was the first woman in the UK to be accused of embezzling such a large sum and, after a long and high profile trial in 2004, she was sentenced to seven years' imprisonment.

Various sources including The Guardian, The Times, The Independent and BBC News

One of the most effective ways to tackle the problem of fraud is to adopt methods that will decrease motive or opportunity, or preferably both. Rationalisation is personal to the individual and more difficult to combat, although ensuring that the company has a strong ethical culture and clear values should help. These methods and principles are developed further in later chapters of this guide.

1.5 Who commits fraud?

Different types of fraudster

Fraudsters usually fall into one of three categories:

1 Pre-planned fraudsters, who start out from the beginning intending to commit fraud.
These can be short-term players, like many who use stolen credit cards or false social security numbers, or can be longer-term, like bankruptcy fraudsters and those who run complex money laundering schemes.

2 Intermediate fraudsters, who start off honest but turn to fraud when times get hard or when life events, such as irritation at being passed over for promotion or the need to pay for care for a family member, change the normal mode.

3 Slippery-slope fraudsters, who simply carry on trading even when, objectively, they are not in a position to pay their debts. This can apply to ordinary traders or to major business people.

In 2007, KPMG carried out research on the Profile of a Fraudster (KPMG survey), using details of fraud cases in Europe, India, the Middle East and South Africa. The ACFE carried out similar research on frauds committed in the US. These surveys highlight the following facts and figures in relation to fraudsters:
- perpetrators are typically college educated white males
- most fraudsters are aged between 36 and 55
- the majority of frauds are committed by men
- median losses caused by men are twice as great as those caused by women
- a high percentage of frauds are committed by senior management (including owners and executives)
- losses caused by managers are generally more than double those caused by employees
- average losses caused by owners and executives are nearly 12 times those of employees
- longer term employees tend to commit much larger frauds
- fraudsters most often work in the finance department, operations/sales or as the CEO.

The ACFE report also found that the type of person committing the offence depends on the nature of the fraud being perpetrated. Employees are most likely to be involved in asset misappropriation, whereas owners and executives are responsible for the majority of financial statement frauds. Of the employees, the highest percentage of schemes involved those in the accounting department.
These employees are responsible for processing and recording the organisation's financial transactions and so often have the greatest access to its financial assets and more opportunity to conceal the fraud.

Case study 4: Management risk

In 2007, a major British construction firm suffered from extensive fraud committed by management at one of its subsidiaries. Accounting irregularities dating back to 2003 were said to include systematic misrepresentation of production volumes and sales by a number of senior figures at the division. Management at the subsidiary attempted to cover their behaviour by selling materials at a discounted price, and the fraud went undetected for several years despite internal and external audits. The irregularities were eventually uncovered by an internal team sent to investigate a mismatch between orders and sales. Following an initial internal investigation, a team of external experts and the police were brought in to identify the full extent of malpractice. The investigation found that the organisation was defrauded of nearly £23 million, but the fraud was said to cost the company closer to £40 million due to the written down value of the business and factoring in the cost of the investigation. The managing director of the subsidiary was dismissed, another manager faced disciplinary action and five others left before disciplinary proceedings could be commenced. Civil proceedings were ruled out on the basis that losses were unlikely to be recovered. Operations at the centre of the incident had to be temporarily closed and more than 160 jobs were cut at the business.

In addition to individual fraudsters, there has also been an increase in fraud being committed by gangs of organised criminals. Examples include false or stolen identities being used to defraud banks, and forms of e-fraud exploiting the use of the internet by commercial businesses.
SOCA is responsible for responding to such threats, with the support of the victim organisations.

1.6 Summary

A major reason why people commit fraud is because they are allowed to do so. There are a wide range of threats facing businesses. The threat of fraud can come from inside or outside the organisation, but the likelihood that a fraud will be committed is greatly decreased if the potential fraudster believes that the rewards will be modest, that they will be detected or that the potential punishment will be unacceptably high. The main way of achieving this must be to establish a comprehensive system of control which aims to prevent fraud, and where fraud is not prevented, increases the likelihood of detection and increases the cost to the fraudster. Later chapters of this guide set out some of the measures which can be put in place to minimise fraud risks to the organisation.

2 Risk management: an overview

2.1 What is risk management?

Before looking specifically at fraud risk, the guide considers risk management in general. Risk management is defined as 'the process of understanding and managing risks that the entity is inevitably subject to in attempting to achieve its corporate objectives' (CIMA Official Terminology, 2005). For an organisation, risks are potential events that could influence the achievement of the organisation's objectives. Risk management is about understanding the nature of such events and, where they represent threats, making positive plans to mitigate them. Fraud is a major risk that threatens the business, not only in terms of financial health but also its image and reputation. This guide is primarily focused on managing the risk of fraud, but first, this chapter looks at more general aspects of risk management and corporate governance.

2.2 Corporate governance

Risk management is an increasingly important process in many businesses and the process fits in well with the precepts of good corporate governance.
In recent years, the issue of corporate governance has been a major area for concern in many countries. In the UK, the first corporate governance report and code of best practice is considered to be the Cadbury Report in 1992, which was produced in response to a string of corporate collapses. There have been a number of reports since, covering provisions around areas such as executive remuneration, non-executive directors, and audit committees. The principles of these various reports have been brought together to form the Combined Code on Corporate Governance (Combined Code). The Combined Code was first introduced in 1998 and, among other matters, calls for boards to establish systems of internal control and to review the effectiveness of these systems on a regular basis. UK listed companies are required to provide a statement in their annual reports confirming that they comply with the Combined Code, and where they do not, they must provide an explanation for departures from it (the 'comply or explain' principle). The assessment of internal controls should be included in the report to shareholders. The Combined Code is reviewed regularly and the most recent version was published in June 2008. Following the original introduction of the Combined Code, the Turnbull Committee was set up to issue guidance to directors on how they should assess and report on their review of internal controls. The Turnbull Committee made it clear that establishment of embedded risk management practices is key to effective internal control systems. The Turnbull guidance was first published in 1999 and revised in 2005. In the revised report (sometimes referred to as Turnbull 2) there is now a requirement for directors to give explicit confirmation that any significant failings or weaknesses identified from the review of effectiveness of internal controls have been, or are being, remedied.
The Financial Reporting Council is responsible for maintaining and reviewing the Combined Code, although the Combined Code is annexed to the rules of the UK Listing Authority, which is part of the FSA. The FSA is responsible for ensuring that listed companies provide the appropriate 'comply or explain' statement in their annual report. While the guidance is generally applicable to listed companies, the principles are relevant to all organisations and have been widely used as a basis for codes of best practice in the public and not-for-profit sectors. Fraud risk management practices are developing along the same lines. Many other countries have also produced reports on corporate governance, usually accompanied by codes of best practice. For example, South Africa has had the King Report (version I and now II) since 1994, Malaysia has had its Code of Corporate Governance in place since 2000 and Sri Lanka issued the Rules on Corporate Governance as part of its Listing Rules in January 2007. Corporate governance requirements in the US are now largely set out within the Sarbox legislation, further details on which are provided at Appendix 1. As previously mentioned, these requirements extend beyond the US, capturing any company that is SEC listed and its subsidiaries. Some other countries have also introduced a statutory approach to corporate governance, such as that in the US, although none are currently as comprehensive. A number of international organisations have also launched guidelines and initiatives on corporate governance, including the Organisation for Economic Co-operation and Development (OECD) and the European Commission. An example of a growing area of corporate governance is IT governance, which has developed in light of rapid and continuing advances in information technology. The following box gives more information on IT governance.
IT Governance

IT governance is about ensuring that the organisation's IT systems support and enable achievement of the organisation's strategies and objectives. It encompasses leadership, organisational structures, business processes, standards and compliance. There are five specific drivers for organisations to adopt IT governance strategies:
- regulatory requirements, e.g. IT governance is covered by the Combined Code and Turnbull guidance in the UK
- increasing intellectual capital value that the organisation has at risk
- alignment of technology with strategic organisational goals
- complexity of threats to information security
- increase in the compliance requirements of information and privacy-related regulation.

A key benefit of an effective, integrated IT governance framework is the integration of IT into the strategic and overall operational approach of an organisation. There is a series of international Information Security (IS) standards that provide guidance on implementing an effective IT governance framework, known as the ISO 27000 series. For example, ISO/IEC 27001 defines a set of IS management requirements in order to help organisations establish and maintain an IS management system. The standards apply to all types of organisation regardless of size or sector. They are particularly suitable where the protection of information is critical to the business, for example in the finance, health and public sectors, and for organisations which manage information on behalf of others, such as IT outsourcing companies. ISACA also offers a series of IS standards and certification. ISACA is a leading global association in the IT governance and control field. With a network across more than 160 countries, its IS standards are followed by practitioners worldwide.

Figure 3: The CIMA risk management cycle

Controls assurance

Controls assurance is the process whereby controls are reviewed by management and staff.
There are various ways to conduct these exercises, from highly interactive workshops based on behavioural models at one end of the spectrum to pre-packaged self audit internal control questionnaires at the other. These models all include monitoring and risk assessment among their principal components.

2.3 The risk management cycle

The risk management cycle is an interactive process of identifying risks, assessing their impact, and prioritising actions to control and reduce risks. A number of iterative steps should be taken:

1 Establish a risk management group and set goals.
2 Identify risk areas.
3 Understand and assess the scale of risk.
4 Develop a risk response strategy.
5 Implement the strategy and allocate responsibilities.
6 Implement and monitor the suggested controls.
7 Review and refine the process and do it again.

2.4 Establish a risk management group and set goals

A risk management group should be established whose task it is to facilitate and co-ordinate the overall risk management process. Possible members of the group could include a chief risk officer, a non-executive director, finance director, internal auditor, heads of planning and sales, treasurer and operational staff. Depending on the size and nature of the organisation, the risk management group may be in the form of a committee who meet from time to time. The risk management group will promote the understanding and assessment of risk, and facilitate the development of a strategy for dealing with the risks identified.
They may also be responsible for conducting reviews of systems and procedures to identify and assess risks faced by the business, which include the risk of fraud, and introducing the controls that are best suited to the business unit. However, line managers and their staff may also be involved in the risk identification and assessment process, with the risk management group providing guidance.

2.5 Identify risk areas

Each risk in the overall risk model should be explored to identify how it potentially evolves through the organisation. It is important to ensure that the risk is carefully defined and explained to facilitate further analysis. The techniques of analysis include:
- workshops and interviews
- brainstorming
- questionnaires
- process mapping
- comparisons with other organisations
- discussions with peers.

2.6 Understand and assess the scale of risk

Once risks have been identified, an assessment of possible impact and corresponding likelihood of occurrence should be made using consistent parameters that will enable the development of a prioritised risk analysis. In the planning stage, management should agree on the most appropriate definition and number of categories to be used when assessing both likelihood and impact. The assessment of the impact of the risk should not simply take account of the financial impact but should also consider the organisation's viability and reputation, and recognise the political and commercial sensitivities involved. The analysis should be either qualitative or quantitative, and should be consistent to allow comparisons. The qualitative approach usually involves grading risks in high, medium and low categories.

Impact

The assessment of the potential impact of a particular risk may be complicated by the fact that a range of possible outcomes may exist or that the risk may occur a number of times in a given period of time.
Such complications should be anticipated and a consistent approach adopted which, for example, may seek to estimate a worst case scenario over, say, a 12 month time period.

Likelihood of occurrence

The likelihood of a risk occurring should be assessed on a gross, a net and a target basis. The gross basis assesses the inherent likelihood of the event occurring in the absence of any processes which the organisation may have in place to reduce that likelihood. The net basis assesses the likelihood, taking into account current conditions and processes to mitigate the chance of the event occurring. The target likelihood of a risk occurring reflects the risk appetite of the organisation. Where the net likelihood and the target likelihood for a particular risk differ, this would indicate the need to alter the risk profile accordingly. It is common practice to assess likelihood in terms of:
- high: probable
- moderate: possible
- low: remote.

An example of a risk analysis is contained in Appendix 3. The resulting document is often referred to as a risk register. The overall risk registers at organisational and operational levels should include the risk of fraud being perpetrated. Some organisations also prepare detailed fraud risk registers that consider possible fraudulent activity. The fraud risk register often directs the majority of proactive fraud risk management work undertaken by an organisation.

Analysing fraud risks

Fraud risk is one component of operational risk. Operational risk focuses on the risks associated with errors or events in transaction processing or other business operations. A fraud risk review considers whether these errors or events could be the result of a deliberate act designed to benefit the perpetrator. As a result, fraud risk reviews should be detailed exercises conducted by teams combining in-depth knowledge of the business and market with detailed knowledge and experience of fraud.
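The gross / net / target assessment above is easier to see as a small fraud risk register. The following is an added example written for this page, not code from CIMA or from the guide; the numeric weights given to the high / moderate / low categories, the field names and every entry in the sample register are assumptions constructed for illustration.

```python
"""Constructed fraud risk register illustrating the gross / net / target
likelihood assessment and the prioritisation described in the guide.
Added example, not CIMA's code; ratings and entries below are invented."""
from dataclasses import dataclass

# Likelihood categories as the guide labels them: high (probable),
# moderate (possible), low (remote).  The numeric weights are an assumption
# made for this example so likelihood and impact can be combined.
LIKELIHOOD = {"high": 3, "moderate": 2, "low": 1}
IMPACT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class FraudRisk:
    area: str          # business area or process, e.g. payroll
    offence: str       # type of offence, e.g. false accounting
    perpetrator: str   # who could commit it, e.g. employee / management
    gross: str         # inherent likelihood, ignoring existing controls
    net: str           # likelihood given the controls currently in place
    target: str        # likelihood the board is willing to accept
    impact: str        # impact rating (financial, reputational, viability)

    def score(self) -> int:
        """Net likelihood x impact: the figure used to rank the register."""
        return LIKELIHOOD[self.net] * IMPACT[self.impact]

    def control_effect(self) -> int:
        """How far existing controls have reduced likelihood (gross - net)."""
        return LIKELIHOOD[self.gross] - LIKELIHOOD[self.net]

    def needs_action(self) -> bool:
        """True where net likelihood still exceeds target likelihood, i.e.
        the risk profile must be altered (more or better controls)."""
        return LIKELIHOOD[self.net] > LIKELIHOOD[self.target]


def validate(risk: FraudRisk) -> None:
    """Reject ratings outside the agreed categories, and a net likelihood
    above gross: controls cannot make an event more likely than it is
    inherently."""
    for label in (risk.gross, risk.net, risk.target):
        if label not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating {label!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"unknown impact rating {risk.impact!r}")
    if LIKELIHOOD[risk.net] > LIKELIHOOD[risk.gross]:
        raise ValueError(f"{risk.area}: net likelihood above gross")


def is_valid(risk: FraudRisk) -> bool:
    """Boolean wrapper around validate() for callers that want no exception."""
    try:
        validate(risk)
        return True
    except ValueError:
        return False


def prioritise(register: list) -> list:
    """Order the register highest score first; on equal scores, risks still
    above their target come before those already at target."""
    for r in register:
        validate(r)
    return sorted(register,
                  key=lambda r: (r.score(), r.needs_action()),
                  reverse=True)


def action_list(register: list) -> list:
    """Areas whose net likelihood is above target, in priority order."""
    return [r.area for r in prioritise(register) if r.needs_action()]


# Constructed sample register (not from the guide): one entry per
# area / offence / perpetrator combination, as the guide recommends.
SAMPLE_REGISTER = [
    FraudRisk("payroll", "ghost employees", "employee",
              gross="high", net="moderate", target="low", impact="medium"),
    FraudRisk("purchasing", "kickbacks from suppliers", "management",
              gross="high", net="high", target="moderate", impact="high"),
    FraudRisk("cash receipts", "skimming", "employee",
              gross="moderate", net="low", target="low", impact="low"),
    FraudRisk("financial reporting", "false accounting", "senior management",
              gross="moderate", net="moderate", target="low", impact="high"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "ACTION" if r.needs_action() else "at target"
        print(f"{r.score():>2}  {r.area:<20} {r.offence:<25} "
              f"{r.perpetrator:<18} {flag}")
```

Ranking on net likelihood rather than gross keeps credit for controls that already work, while the net-versus-target comparison is what drives the "alter the risk profile" decision: in the sample register purchasing, financial reporting and payroll all sit above their target and appear on the action list, whereas cash receipts is already at target.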
Risks such as false accounting or the theft of cash or assets need to be considered for each part of the organisation's business. Frequently, businesses focus on a limited number of risks, most commonly on third-party thefts. To avoid this, the risks should be classified by reference to the possible type of offence and the potential perpetrator(s). Fraud risks need to be assessed for each area and process of the business, for example, cash payments, cash receipts, sales, purchasing, expenses, inventory, payroll, fixed assets and loans.

2.7 Develop a risk response strategy

Once the risks have been identified and assessed, strategies to deal with each risk identified can be developed by line management, with guidance from the risk management group. Strategies for responding to risk generally fall into one of the following categories:
- risk retention (e.g. choosing to accept small risks)
- risk avoidance (e.g. stopping sale of certain products to avoid the risk occurring)
- risk reduction (e.g. through implementing controls and procedures)
- risk transfer (e.g. contractual transfer of risk, transferring risks to insurers).

Before strategies are developed, it is necessary to establish the risk appetite of the organisation. Risk appetite is the level of risk that the organisation is prepared to accept, and this should be determined by the board. The appetite for risk will influence the strategies to be developed for managing risk. It is worth noting that a board's risk appetite may vary for different types of risk and over time. For example, the board may have a low risk tolerance on compliance and regulatory issues, but be prepared to take significant strategic risks. The board may also reduce their risk appetite as the external environment changes, such as in times of recession.
2.8 Implement the strategy and allocate responsibilities

The chosen strategy should be allocated and communicated to those responsible for implementation. For the plan to be effective it is essential that responsibility for each specific action is assigned to the appropriate operational manager and that clear target dates are established for each action. It is also important to obtain the co-operation of those responsible for the strategy, by formal communication, seminars, action plans and adjustments to budgets.

2.9 Implement and monitor suggested controls

The chosen strategy may require the implementation of new controls or the modification of existing controls. Businesses are dynamic and the controls that are in place will need to be monitored to assess whether or not they are succeeding in their objectives. The risk management group should be empowered to monitor the effectiveness of the actions being taken in each specific area, as these can be affected by internal and external factors, such as changes in the marketplace or the introduction of new computer systems.

2.10 Review and refine and do it again

All of the elements outlined above form part of an iterative cycle where risk management is continually reviewed and developed. As the cycle continues, risk management should increasingly become embedded in the organisation so that it really becomes part of everyone's job.

2.11 Information for decision making

Risk management should form a key part of the organisation's decision-making process. Information is gathered at all stages of the risk management cycle and this information should be fed into the decision-making mechanisms. For more information on risk management, please refer to CIMA's publication Risk Management: A guide to good practice.

2.12 Summary

There are risks in most situations.
Risk management is an important element of corporate governance and every organisation should review their risk status and develop their approach as described in the CIMA Risk Management Cycle in 2.3 to 2.11 above. Managing the risk of fraud is the same in principle as managing any other business risk. First, the potential consequences of fraud on the organisation need to be understood, using the principles set out in this chapter. The risks should then be reduced by developing and implementing an anti-fraud strategy across the organisation. This is best approached systematically, both at the organisational level, for example by using ethics policies and anti-fraud policies, and at the operational level, through introduction of controls and procedures. The following chapters expand on the fraud risk management process in the context of an anti-fraud strategy.

Given the prevalence of fraud and the negative consequences associated with it, there is a compelling argument that organisations should invest time and resources towards tackling fraud. There is, however, sometimes debate as to whether these resources should be committed to fraud prevention or fraud detection.

Fraud prevention

Based on the earlier discussion aroun