Fraud Risk Management

Fraud risk management
A guide to good practice

Acknowledgements
This guide is based on the first edition of Fraud Risk Management: A Guide to Good Practice. The first edition was
prepared by a Fraud and Risk Management Working Group, which was established to look at ways of helping
management accountants to be more effective in countering fraud and managing risk in their organisations.
This second edition of Fraud Risk Management: A Guide to Good Practice has been updated by Helenne Doody, a
specialist within CIMA Innovation and Development. Helenne specialises in Fraud Risk Management, having worked
in related fields for the past nine years, both in the UK and other countries. Helenne also has a graduate certificate
in Fraud Investigation through La Trobe University in Australia and a graduate certificate in Fraud Management
through the University of Teeside in the UK.
For their contributions in updating the guide to produce this second edition, CIMA would like to thank:
Martin Birch FCMA, MBA Director – Finance and Information Management, Christian Aid.
Roy Katzenberg Chief Financial Officer, RITC Syndicate Management Limited.
Judy Finn Senior Lecturer, Southampton Solent University.
Dr Stephen Hill E-crime and Fraud Manager, Chantrey Vellacott DFK.
Richard Sharp BSc, FCMA, MBA Assistant Finance Director (Governance), Kingston Hospital NHS Trust.
Allan McDonagh Managing Director, Hibis Europe Ltd.
Martin Robinson and
Mia Campbell on behalf of the Fraud Advisory Panel.
CIMA would like also to thank those who contributed to the first edition of the guide.
About CIMA
CIMA, the Chartered Institute of Management Accountants, is the only international accountancy body with a key
focus on business. It is a world leading professional institute that offers an internationally recognised qualification
in management accounting, with a full focus on business, in both the private and public sectors. With 164,000
members and students in 161 countries, CIMA is committed to upholding the highest ethical and professional
standards of its members and students.
© CIMA 2008. All rights reserved. This booklet does not necessarily represent the views of the Council of the
Institute and no responsibility for loss associated to any person acting or refraining from acting as a result of any
material in this publication can be accepted by the authors or publishers.
1
Fraud risk management: a guide to good practice
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1 Fraud – its extent, patterns and causes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.1 What is fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2 The scale of the problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3 Which businesses are affected? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.4 Why do people commit fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.5 Who commits fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2 Risk management – an overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1 What is risk management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2 Corporate governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 The risk management cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Establish a risk management group and set goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 Identify risk areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.6 Understand and assess the scale of risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.7 Develop a risk response strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.8 Implement the strategy and allocate responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.9 Implement and monitor suggested controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.10 Review and refine and do it again . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.11 Information for decision making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3 Fraud prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1 A strategy to combat fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Developing a sound ethical culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.3 Sound internal control systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4 Fraud detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.1 Detection methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 Indicators and warnings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.3 Tools and techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5 Responding to fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1 Purpose of the fraud response plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2 Corporate policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3 Definition of fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.4 Roles and responsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.5 The response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.6 The investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7 Organisation’s objectives with respect to dealing with fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.8 Follow-up action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2
Appendices
Appendix 1 Fraud and the law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Appendix 2 Examples of common types of internal fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Appendix 3 Example of a risk analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Appendix 4 A sample fraud policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Appendix 5 Sample whistleblowing policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Appendix 6 Examples of fraud indicators, risks and controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Appendix 7 A 16 step fraud prevention plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Appendix 8 Outline fraud response plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Appendix 9 Example of a fraud response plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Appendix 10 References and further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Appendix 11 Listed abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figures
Figure 1 Types of internal fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Figure 2 The fraud triangle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 3 The CIMA risk management cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 4 Anti-fraud strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 5 Ethics advice/services provided . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 6 Methods of fraud detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Case Studies
Case study 1 Fraud doesn’t involve just money . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Case study 2 Size really doesn’t matter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Case study 3 A breach of trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Case study 4 Management risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Case study 5 A fine warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Case study 6 Vet or regret? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Case study 7 Tipped off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Case study 8 Risk or returns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Case study 9 Reporting fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Case study 10 TNT roots our fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3
4
Introduction
Periodically, the latest major fraud hits the headlines Despite the serious risk that fraud presents to business,
as other organisations sit back and watch, telling many organisations still do not have formal systems
themselves that ‘it couldn’t happen here.’ But the and procedures in place to prevent, detect and respond
reality is that fraud can happen anywhere. While to fraud. While no system is completely foolproof,
only relatively few major frauds are picked up by the there are steps which can be taken to deter fraud and
media, huge sums are lost by all kinds of businesses as make it much less attractive to commit. It is in assisting
a result of the high number of smaller frauds that are organisations in taking such steps that this guide should
committed. prove valuable.
Surveys are regularly carried out in an attempt to The original guide to good practice was based on the
estimate the true scale and cost of fraud to business work of CIMA’s Fraud and Risk Management Working
and society. Findings vary, and it is difficult to obtain a Group that was established as part of the Institute’s
complete picture as to the full extent of the issue, but response to the problem of fraud. Since the publication
these surveys all indicate that fraud is prevalent within of the original guide, we have continued to see high
organisations and remains a serious and costly problem. profile accounting scandals and unacceptable levels of
The risks of fraud may only be increasing, as we see fraudulent behaviour. This second edition of the guide
growing globalisation, more competitive markets, rapid includes updates to reflect the many changes in the
developments in technology, and periods of economic legal environment and governance agenda in recent
difficulty. years, aimed at tackling the ongoing problem of fraud.
Among other findings, the various surveys highlight The guide starts by defining fraud and giving an
that: overview of the extent of fraud, its causes and its
• organisations may be losing as much as 7% of their effects. The initial chapters of the guide also set
annual turnover as a result of fraud out the legal environment with respect to fraud,
• corruption is estimated to cost the global economy corporate governance requirements and general
about $1.5 trillion each year risk management principles. The guide goes on to
• only a small percentage of losses from fraud are discuss the key components of an anti-fraud strategy
recovered by organisations and outlines methods for preventing, detecting and
• a high percentage of frauds are committed by senior responding to fraud. A number of case studies are
management and executives included throughout the guide to support the text,
• greed is one of the main motivators for committing demonstrating real life problems that fraud presents
fraud and giving examples of actions organisations are taking
• fraudsters often work in the finance function to fight fraud.
• fraud losses are not restricted to a particular sector
or country
• the prevalence of fraud is increasing in emerging
markets.
5
Management accountants, whose professional training

includes the analysis of information and systems, can
have a significant role to play in the development
and implementation of anti-fraud measures within
their organisations. This guide is intended to help
management accountants in that role and will also be
useful to others with an interest in tackling fraud in
their organisation.
The law relating to fraud varies from country to

country. Where it is necessary for this guide to make
reference to specific legal measures, this is generally to
UK law, as it would be impossible to include references
to the laws of all countries where this guide will be
read. It is strongly advised that readers ensure they
are familiar with the law relating to fraud in their
own jurisdiction. Although some references may
therefore not be relevant to all readers, the general
principles of fraud risk management will still apply and
organisations around the world are encouraged to take
a more stringent approach to preventing, detecting and
responding to fraud.
6
1 Fraud: its extent, patterns and causes
1.1 What is fraud?
Definition of fraud As well as updating the legislation in the UK, there

The term ‘fraud’ commonly includes activities such as have been, and will continue to be, significant
theft, corruption, conspiracy, embezzlement, money developments in the national approach to combating
laundering, bribery and extortion. The legal definition fraud, particularly as we see implementation of actions
varies from country to country, and it is only since the resulting from the national Fraud Review. Appendix 1
introduction of the Fraud Act in 2006, that there has gives further information on the Fraud Review. There
been a legal definition of fraud in England and Wales. are also many law enforcement agencies involved in
the fight against fraud in the UK, including the Serious
Fraud essentially involves using deception to Fraud Office, the Serious Organised Crime Agency
dishonestly make a personal gain for oneself and/or (SOCA), the Financial Services Authority (FSA), and
create a loss for another. Although definitions vary, Economic Crime Units within the police force.
most are based around these general themes.
Different types of fraud
Fraud and the law Fraud can mean many things and result from many
Before the Fraud Act came into force, related offences varied relationships between offenders and victims.
were scattered about in many areas of the law. The Examples of fraud include:
Theft Acts of 1968 and 1978 created offences of false • crimes by individuals against consumers, clients or
accounting, and obtaining goods, money and services other business people, e.g. misrepresentation of the
by deception, and the Companies Act 1985 included quality of goods; pyramid trading schemes
the offence of fraudulent trading. This remains part of • employee fraud against employers, e.g. payroll fraud;
the Companies Act 2006. There are also offences of falsifying expense claims; thefts of cash, assets or
fraud under income tax and value-added tax legislation, intellectual property (IP); false accounting
insolvency legislation, and the common law offence of • crimes by businesses against investors, consumers
conspiracy to defraud. and employees, e.g. financial statement fraud; selling
counterfeit goods as genuine ones; not paying over
The Fraud Act is not the only new piece of legislation. tax or National Insurance contributions paid by staff
Over the last few years there have been many changes • crimes against financial institutions, e.g. using lost
to the legal system with regard to fraud, both in the and stolen credit cards; cheque frauds; fraudulent
UK and internationally. This guide focuses mainly insurance claims
on UK requirements, but touches on international • crimes by individuals or businesses against
requirements that impact UK organisations. In the UK, government, e.g. grant fraud; social security benefit
the Companies Act and the Public Interest Disclosure claim frauds; tax evasion
Act (PIDA) have been amended and legislation such as • crimes by professional criminals against major
the Serious Crimes Act 2007 and the Proceeds of Crime organisations, e.g. major counterfeiting rings;
Act 2002 (POCA) have been introduced. Internationally mortgage frauds; ‘advance fee’ frauds; corporate
the Sarbanes-Oxley Act 2002 (Sarbox) has been identity fraud; money laundering
introduced in the United States (US), a major piece of • e-crime by people using computers and technology
legislation that affects not only companies in the US to commit crimes, e.g. phishing; spamming; copyright
but also those in the UK and others based all over the crimes; hacking; social engineering frauds.
globe. Further information on these pieces of legislation
can be found in Appendix 1.
7
This guide focuses on fraud against businesses, typically The final of the three fraud categories is corruption.
by those internal to the organisation. According This includes activities such as the use of bribes or
to the Association of Certified Fraud Examiners acceptance of ‘kickbacks’, improper use of confidential
(ACFE), there are three main categories of fraud information, conflicts of interest and collusive
that affect organisations. The first of these is asset tendering. These types of internal fraud are summarised
misappropriations, which involves the theft or misuse in Figure 1.
of an organisation’s assets. Examples include theft
of plant, inventory or cash, false invoicing, accounts Surveys have shown that asset misappropriation is the
receivable fraud, and payroll fraud. most widely reported type of fraud in UK, although
corruption and bribery are growing the most rapidly.
The second category of fraud is fraudulent statements.
This is usually in the form of falsification of financial Further information on common types of internal fraud,
statements in order to obtain some form of improper and methods by which they may be perpetrated, is
benefit. It also includes falsifying documents such as included in Appendix 2.
employee credentials.
Figure 1 Types of internal fraud
Internal fraud
Asset Fraudulent
Corruption
misappropriation statements
Conflicts of Bribery and

Cash Non-cash Financial Non-financial
interest extortion
8
1.2 The scale of the problem
There have been many attempts to measure the According to the UK report of PwC’s survey, the average
true extent of fraud, but compiling reliable statistics direct loss per company over a two year period as a
around fraud is not easy. As one of the key aspects of result of fraud has risen to £1.75 million, increasing
fraud is deception, it can be difficult to identify and from £0.8 million in the equivalent 2005 survey. These
survey results often only reflect the instances of fraud figures exclude undetected losses and indirect costs to
that have actually been discovered. It is estimated the business such as management costs or damage to
that the majority of frauds go undetected and, even reputation, which can be significant. Management costs
when a fraud has been found, it may not be reported. alone were estimated to be on average another £0.75
One reason for this may be that a company that has million. Participants of the ACFE Report to the Nation
been a victim of fraud does not want to risk negative 2008 (ACFE report) estimated that organisations lose
publicity. Also, it is often hard to distinguish fraud from 7% of their annual revenues to fraud.
carelessness and poor record keeping.
It is difficult to put a total cost on fraud, although many
Although survey results and research may not give a studies have tried to. For example an independent
complete picture, the various statistics do offer a useful report by the Association of Chief Police Officers (the
indication as to the extend of the problem. There can ACPO) in 2007 revealed that fraud results in losses
be no doubt that fraud is prevalent within organisations of £20 billion each year in the UK. The World Bank
and remains a serious issue. PricewaterhouseCooper’s has estimated that the global cost of corruption and
Global Economic Crime Survey (PwC’s survey) in 2007 bribery is about 5% of the value of the world economy
found that over 43% of international businesses were or about $1.5 trillion per year. It is thought that these
victims of fraud during the previous two years. In the estimates are conservative, and they also exclude other
UK, the figures were higher than the global average, types of fraud such as misappropriation of assets.
with 48% of companies having fallen victim to fraud.
While it may be impossible to calculate the total cost
Some surveys put the figures much higher. For example, of fraud, it is said to be more significant than the total
during 2008, Kroll commissioned the Economist cost of most other crimes. According to the Attorney
Intelligence Unit (EIU) to poll nearly 900 senior General in the UK, fraud is an area of crime which is
executives across the world. The EIU found that 85% of second only to drug trafficking in terms of causing harm
companies had suffered from at least one fraud in the to the economy and society2.
past three years1. This figure had risen from 80% in a
similar poll in 2007. KPMG’s Fraud Barometer, which has
been running since 1987, has also shown a considerable
increase in the number of frauds committed in the UK
in recent years, including a 50% rise in fraud cases in
the first half of 2008.
1 Kroll Global Fraud Report, Annual Edition 2008/2009

2 Attorney General’s interim report on the government’s Fraud Review, March 2006
9
Fraud is often mistakenly considered a victimless Taxpayers also suffer due to reduced payments of
crime. However, fraud can have considerable social corporation tax from businesses that have suffered
and psychological effects on individuals, businesses losses. Fraud drains resources, affects public services
and society. For example, when a fraud causes the and, perhaps of more concern, may fund other criminal
collapse of a major company, numerous individuals and terrorist activity. According to the Fraud Review,
and businesses can be affected. In addition to the fraud is a major and growing threat to public safety and
company’s own employees, employees of suppliers prosperity. Case study 1 demonstrates just how much
can be affected by the loss of large orders, and of a threat fraud can be to public safety and that there
other creditors, such as banks, can be indirectly truly are victims of fraud.
affected by huge losses on loans. Consumers have
to pay a premium for goods and services, in order to
compensate for the costs of fraud losses and for money
spent on investigations and additional security.
Case study 1
Fraud doesn’t just involve money
Counterfeiting is one example of fraud that can have extremely serious consequences. Technology is ever
improving, making it easier for counterfeiters to produce realistic looking packaging and fool legitimate
wholesalers and retailers. Counterfeiting is a potentially lucrative business for the fraudster, with possibilities
of large commercial profits, and it is a problem affecting a wide range of industries including wines and
spirits, pharmaceuticals, electrical goods, and fashion. However, there are often many victims affected by
such a fraud and not just the business that has been duped or had their brand exploited. For some, the
outcome of counterfeiting goes way beyond financial losses and can even be fatal:
• In late 2006, 14 Siberian towns declared a state of emergency due to mass poisonings caused by fake
vodka. Around 900 people were hospitalised with liver failure after drinking industrial solvent that was
being sold as vodka. This is not a one off problem and sales of fake alcohol have been known to kill people.
• Also in 2006, a counterfeit product did result in more tragic consequences. At least 100 children died after
ingesting cough syrup that had been mixed with counterfeit glycerine. The counterfeit compound, actually
a dangerous solvent, had been used in place of more expensive glycerine. The manufacturing process had
been sourced to China and the syrup passed through trading companies in Beijing and Barcelona before
reaching its final destination in Panama. The certificate attesting to the product’s purity was falsified and
not one of the trading companies tested the syrup to confirm its contents along the way. It is thought that
the number of deaths is likely to be much higher than the 100 cases that have been confirmed.
10
1.3 Which businesses are affected?
Fraud is an issue that all organisations may face commissioned by Kroll in 2007 found that respondents
regardless of size, industry or country. If the in countries such as India and China have seen a
organisation has valuable property (cash, goods, significant increase in the prevalence of corporate fraud
information or services), then fraud may be attempted. in the last three years and this trend is likely to increase
It is often high profile frauds in large multi-national in businesses operating in emerging markets3.
organisations that are reported on in the media and
smaller organisations may feel they are unlikely to be Although fraud is prevalent across organisations of all
a target of fraudsters. However, according to the ACFE sizes and in all sectors and locations, research shows
report, small businesses (classified as those with less that certain business models will involve greater levels
than 100 employees) suffer fraud more frequently than of fraud risk than others. The control environment
large organisations and are hit by higher average losses. should be adjusted to fit with the degree of risk
When small companies are hit by large fraud losses, exposure. Further guidance on risk assessment and
they are less likely to be able to absorb the damage controls is given in later chapters.
than a larger company and may even go out of business
as a result.
The results of PwC’s survey showed that companies

reporting fraud were spread across many industries,
with at least a quarter of the respondents in any one
industry suffering from fraudulent incidents. Industries
suffering the highest average losses were insurance
and industrial manufacturing. Losses in the financial
services industry, a sector frequently in the press and
one with which fraud is often associated, were actually
below average. Even not-for-profit organisations are
not immune to fraud, with government institutions
and many charities falling victim to unscrupulous
fraudsters. As one director working in the international
development and aid sector has pointed out, ‘In my
sector, fraud is not a possibility, it is a reality and we are
always dealing with a number of suspicious incidents on
a more or less permanent basis.’
PwC’s survey also revealed that incidences of fraud

were highest in companies in North America, Africa
and Central and Eastern Europe (CEE), where more than
half of the companies reported fraud. It was lowest in
the Western European region, although the UK was
much higher than the average for this region, with
levels of fraud similar to those in CEE. The EIU poll
3 Kroll Global Fraud Report, Annual Edition 2007/2008
11
Case study 2
Size really doesn’t matter
From a family affair...

A member of a small family business in Australia committed a $2m fraud, costing profits, jobs and a great
deal of trust. The business owners became suspicious when they realised that their son in law used the
company diesel card to buy petrol for his own car. On closer scrutiny, they soon uncovered a company
cheque for $80,000 made payable to the son in law’s personal account. BDO’s Brisbane office discovered that
the cheque and the fuel were just the tip of a vast iceberg. The company’s complex accounts system allowed
the son in law to disguise cheques payable to himself as creditor payments. He then became a signatory and
took ever larger cheques. He claimed that the poor cash flow was due to losses in one particular division
which the family therefore closed, creating redundancies and losing what was in truth a successful business.
The costs of inefficient accounting systems and undue trust can be massive. Every business should protect
itself with thorough controls and vigilance.
Adapted from ‘FraudTrack 5 Fraud: A Global Challenge’ published by BDO Stoy Hayward
...to a major corporate scandal

WorldCom filed for bankruptcy protection in June 2002. It was the biggest corporate fraud in history,
largely a result of treating operating expenses as capital expenditure. WorldCom (now renamed MCI)
admitted in March 2004 that the total amount by which it had misled investors over the previous 10 years
was almost US$75 billion (£42 billion) and reduced its stated pre-tax profits for 2001 and 2002 by that
amount. WorldCom stock began falling in late 1999 as businesses slashed spending on telecom services
and equipment. A series of debt downgrades raised borrowing costs for the company, struggling with about
US$32 billion in debt. WorldCom used accounting tricks to conceal a deteriorating financial condition and to
inflate profits.
Former WorldCom chief executive Bernie Ebbers resigned in April 2002 amid questions about US$366 million
in personal loans from the company and a federal probe of its accounting practices. Ebbers was subsequently
charged with conspiracy to commit securities fraud and filing misleading data with the Securities and
Exchange Commission (SEC) and was sentenced to 25 years in prison. Scott Sullivan, former Chief Financial
Officer, pleaded guilty to three criminal charges and was sentenced to five years in prison. Ultimately, losses
to WorldCom shareholders were close to US$180 billion and the fraud also resulted in the loss of 17,000 jobs.
The SEC said that WorldCom had committed ‘accounting improprieties of unprecedented magnitude’ – proof,
it said, of the need for reform in the regulation of corporate accounting.
Adapted from CIMA Official Learning System, Management Accounting Risk and Control Strategy
12
1.4 Why do people commit fraud?
There is no single reason behind fraud and any Motivation

explanation of it needs to take account of various In simple terms, motivation is typically based on either
factors. Looking from the fraudster’s perspective, it is greed or need. Stoy Hayward’s (BDO) most recent
necessary to take account of: FraudTrack survey found that greed continues to be the
• motivation of potential offenders main cause of fraud, resulting in 63% of cases in 2007
• conditions under which people can rationalise their where a cause was cited. Other causes cited included
prospective crimes away problems from debts and gambling. Many people are
• opportunities to commit crime(s) faced with the opportunity to commit fraud, and only
• perceived suitability of targets for fraud a minority of the greedy and needy do so. Personality
• technical ability of the fraudster and temperament, including how frightened people
• expected and actual risk of discovery after the fraud are about the consequences of taking risks, play a role.
has been carried out Some people with good objective principles can fall into
• expectations of consequences of discovery (including bad company and develop tastes for the fast life, which
non-penal consequences such as job loss and tempts them to fraud. Others are tempted only when
family stigma, proceeds of crime confiscation, and faced with ruin anyway.
traditional criminal sanctions)
• actual consequences of discovery. Opportunity
In terms of opportunity, fraud is more likely in
A common model that brings together a number of companies where there is a weak internal control
these aspects is the Fraud Triangle. This model is built system, poor security over company property, little
on the premise that fraud is likely to result from a fear of exposure and likelihood of detection, or unclear
combination of three factors: motivation, opportunity policies with regard to acceptable behaviour. Research
and rationalisation. has shown that some employees are totally honest,
some are totally dishonest, but that many are swayed
by opportunity.
Figure 2 The fraud triangle
Rationalisation
Many people obey the law because they believe in it
and/or they are afraid of being shamed or rejected by
Motivation
people they care about if they are caught. However,
some people may be able to rationalise fraudulent
actions as:
• necessary – especially when done for the business
• harmless – because the victim is large enough to
The fraud absorb the impact
triangle • justified – because ‘the victim deserved it’ or
‘because I was mistreated.’
Opportunity Rationalisation
13
Case study 3
A breach of trust
A good example of the fraud triangle in practice is the highly publicised case of the secretary that stole over
£4.3 million from her bosses at Goldman Sachs.
Motivation
There were some suggestions that Joyti De-Laurey originally started down her fraudulent path because
of financial difficulties she found herself in before starting work at the investment bank. De-Laurey had
previously run her own sandwich bar business, but it was closed down due to insufficient finances. According
to her defence, De-Laurey’s ‘first bitter experience of financial turmoil coincided with a novel introduction to
a Dallas-type world where huge, unthinkable amounts of money stared her in the face, day in and day out.’
The motive behind the fraud was primarily greed though, with De-Laurey spending her ill gotten gains on a
luxury lifestyle, including villas, cars, jewellery, designer clothes and first class holidays. De-Laurey has even
admitted that she did not steal because she needed to, but because she could. She explained that she first
started taking money simply to find out if she could get away with it. She says that it then became ‘a bit
addictive’ and that she ‘got a huge buzz from knowing they had no idea what I was doing.’
Opportunity
In terms of opportunity, De-Laurey’s bosses trusted her and held her in high regard. She had proved herself
indispensable, on both business and personal fronts, and was given access to their cheque books in order to
settle their domestic bills and personal finances.
A little over a year after starting at Goldman Sachs, De-Laurey began forging her bosses’ signatures on
personal cheques to make payments into her own accounts. Realising she had got away with it, De-Laurey
continued to steal money by issuing forged cheques and making false money transfers. Before long she was
forging signatures on a string of cash transfer authorities, siphoning off up to £2.5 million at a time from
supposedly secure New York investments.
Rationalisation
De-Laurey was able to rationalise her actions by convincing herself that she had earned the money she stole.
De-Laurey believed that she deserved the plundered amounts as a just reward for her dedication, discretion
and loyalty, and claims that she had the consent of her bosses to take money in return for her ‘indispensable
services’. The fact that they were so rich they did not even notice the money was missing, only served to
fuel De-Laurey’s fraudulent activities. She justified her actions through the belief that her bosses had cash to
spare. According to De-Laurey; ‘They could afford to lose that money.’
Caught out
After four years of siphoning off vast amounts of money, De-Laurey was eventually caught when her boss
at the time decided to make a six-figure donation to his former college. He took a look at his bank accounts
to see if he could cover the donation and was surprised to find the balance on the accounts so low. He
investigated further and realised that large sums had been transferred to an unknown account. De-Laurey
was the obvious suspect. By this time, De-Laurey had actually stolen around £3.3 million from this particular
boss.
De-Laurey was the first woman in the UK to be accused of embezzling such a large sum and, after a long and
high profile trial in 2004, she was sentenced to seven years imprisonment.
Various sources including The Guardian, The Times, The Independent and the BBC News
14
One of the most effective ways to tackle the problem In 2007, KPMG carried out research on the Profile of a
of fraud is to adopt methods that will decrease motive Fraudster (KPMG survey), using details of fraud cases
or opportunity, or preferably both. Rationalisation is in Europe, India, the Middle East and South Africa. The
personal to the individual and more difficult to combat, ACFE carried out similar research on frauds committed
although ensuring that the company has a strong in the US. These surveys highlight the following facts
ethical culture and clear values should help. These and figures in relation to fraudsters:
methods and principles are developed further in later • perpetrators are typically college educated white
chapters of this guide. male
• most fraudsters are aged between 36 and 55
• the majority of frauds are committed by men
1.5 Who commits fraud? • median losses caused by men are twice as great as
those caused by women
Different types of fraudster • a high percentage of frauds are committed by senior
Fraudsters usually fall into one of three categories: management (including owners and executives)
• losses caused by managers are generally more than
1 Pre-planned fraudsters, who start out from the double those caused by employees
beginning intending to commit fraud. These can be • average losses caused by owners and executives are
short-term players, like many who use stolen credit nearly 12 times those of employees
cards or false social security numbers; or can be • longer term employees tend to commit much larger
longer-term, like bankruptcy fraudsters and those frauds
who execute complex money laundering schemes. • fraudsters most often work in the finance
department, operations/sales or as the CEO.
2 Intermediate fraudsters, who start off honest but
turn to fraud when times get hard or when life The ACFE report also found that the type of person
events, such as irritation at being passed over for committing the offence depends on the nature of the
promotion or the need to pay for care for a family fraud being perpetrated. Employees are most likely
member, change the normal mode. to be involved in asset misappropriation, whereas
owners and executives are responsible for the majority
3 Slippery-slope fraudsters, who simply carry on of financial statement frauds. Of the employees,
trading even when, objectively, they are not in a the highest percentage of schemes involved those
position to pay their debts. This can apply to ordinary in the accounting department. These employees
traders or to major business people. are responsible for processing and recording the
organisation’s financial transactions and so often have
the greatest access to its financial assets and more
opportunity to conceal the fraud.
15
Case study 4
Management risk
In 2007, a major British construction firm suffered from extensive fraud committed by management
at one of its subsidiaries. Accounting irregularities dating back to 2003 were said to include systematic
misrepresentation of production volumes and sales by a number of senior figures at the division.
Management at the subsidiary attempted to cover their behaviour by selling materials at a discounted price
and the fraud went undetected for several years despite internal and external audits. The irregularities were
eventually uncovered by an internal team sent to investigate a mismatch between orders and sales.
Following an initial internal investigation, a team of external experts and the police were brought in to
identify the full extent of malpractice. The investigation found that the organisation was defrauded of nearly
£23 million, but the fraud was said to cost the company closer to £40 million due to the written down value
of the business and factoring in the cost of the investigation. The managing director of the subsidiary was
dismissed, another manager faced disciplinary action and five others left before disciplinary proceedings
could be commenced. Civil proceedings were ruled out on the basis that losses were unlikely to be recovered.
Operations at the centre of the incident had to be temporarily closed and more than 160 jobs were cut at the
business.
In addition to individual fraudsters, there has also The main way of achieving this must be to establish a
been an increase in fraud being committed by gangs of comprehensive system of control which aims to prevent
organised criminals. Examples include false or stolen fraud, and where fraud is not prevented, increases the
identities being used to defraud banks, and forms of likelihood of detection and increases the cost to the
e-fraud exploiting the use of internet by commercial fraudster.
businesses. SOCA is responsible for responding to such
threats, with the support of the victim organisations. Later chapters of this guide set out some of the
measures which can be put in place to minimise fraud
1.6 Summary risks to the organisation. Before looking specifically
at fraud risk, the guide considers risk management in
A major reason why people commit fraud is because general.
they are allowed to do so. There are a wide range
of threats facing businesses. The threat of fraud can
come from inside or outside the organisation, but the
likelihood that a fraud will be committed is greatly
decreased if the potential fraudster believes that the
rewards will be modest, that they will be detected or
that the potential punishment will be unacceptably
high.
16
2 Risk management – an overview
2.1 What is risk management? 2.2 Corporate governance
Risk management is defined as the ‘process of Risk management is an increasingly important process
understanding and managing risks that the entity in many businesses and the process fits in well with the
is inevitably subject to in attempting to achieve its precepts of good corporate governance. In recent years,
corporate objectives’ (CIMA Official Terminology, the issue of corporate governance has been a major
2005). area for concern in many countries. In the UK, the first
corporate governance report and code of best practice
For an organisation, risks are potential events that is considered to be the Cadbury Report in 1992, which
could influence the achievement of the organisation’s was produced in response to a string of corporate
objectives. Risk management is about understanding collapses. There have been a number of reports since,
the nature of such events and, where they represent covering provisions around areas such as executive
threats, making positive plans to mitigate them. Fraud remuneration, non-executive directors, and audit
is a major risk that threatens the business, not only committees. The principles of these various reports
in terms of financial health but also its image and have been brought together to form the Combined
reputation. Code on Corporate Governance (Combined Code).
This guide is primarily focused on managing the risk The Combined Code was first introduced in 1998 and
of fraud, but first, this chapter looks at more general among other matters, calls for boards to establish
aspects of risk management and corporate governance. systems of internal control and to review the
effectiveness of these systems on a regular basis. UK
listed companies are required to provide a statement
in their annual reports confirming that they comply
with the Combined Code, and where they do not, they
must provide an explanation for departures from it
(the ‘comply or explain’ principle). The assessment of
internal controls should be included in the report to
shareholders. The Combined Code is reviewed regularly
and the most recent version was published in June
2008.
Following the original introduction of the Combined

Code, the Turnbull Committee was set up to issue
guidance to directors on how they should assess
and report on their review of internal controls. The
Turnbull Committee made it clear that establishment
of embedded risk management practices is key to
effective internal control systems. The Turnbull
guidance was first published in 1999 and revised in
2005. In the revised report (sometimes referred to as
Turnbull 2) there is now a requirement for directors to
give explicit confirmation that any significant failings or
weaknesses identified from the review of effectiveness
of internal controls have been, or are being, remedied.
17
The Financial Reporting Council is responsible for

maintaining and reviewing the Combined Code, IT Governance
although the Combined Code is annexed to the rules of IT governance is about ensuring that the
the UK Listing Authority, which is part of the FSA. The organisation’s IT systems support and enable
FSA is responsible for ensuring that listed companies achievement of the organisation’s strategies
provide the appropriate ‘comply or explain’ statement and objectives. It encompasses leadership,
in their annual report. While the guidance is generally organisational structures, businesses processes,
applicable to listed companies, the principles are standards and compliance.
relevant to all organisations and have been widely used
as a basis for codes of best practice in the public and There are five specific drivers for organisations to
not-for-profit sectors. Fraud risk management practices adopt IT governance strategies:
are developing along the same lines. • regulatory requirements e.g. IT governance is
covered by the Combined Code and Turnbull
Many other countries have also produced reports on guidance in the UK
corporate governance, usually accompanied by codes • increasing intellectual capital value that the
of best practices. For example, South Africa has had the organisation has at risk
King Report (version I and now II) since 1994, Malaysia • alignment of technology with strategic
has had its Code of Corporate Governance in place organisational goals
since 2000 and Sri Lanka issued the Rules on Corporate • complexity of threats to information security
Governance as part of its Listing Rules in January 2007. • increase in the compliance requirements of
information and privacy-related regulation.
Corporate governance requirements in the US are
now largely set out within the Sarbox legislation, A key benefit of an effective, integrated IT
further details on which are provided at Appendix 1. governance framework is the integration of IT into
As previously mentioned, these requirements extend the strategic and overall operational approach of
beyond the US, capturing any company that is SEC an organisation. There are a series of international
listed and its subsidiaries. Some other countries have Information Security (IS) standards that provide
also introduced a statutory approach to corporate guidance on implementing an effective IT
governance, such as that in the US, although none are governance framework, known as the ISO 27000
currently as comprehensive. A number of international series. For example, ISO/IEC 27001 defines a
organisations have also launched guidelines and set of IS management requirements in order to
initiatives on corporate governance, including help organisations establish and maintain an IS
the Organisation for Economic Co-operation and management system.
Development (OECD) and the European Commission.
The standards apply to all types of organisation
An example of a growing area of corporate governance regardless of size or sector. They are particularly
is IT governance, which has developed in light of rapid suitable where the protection of information is
and continuing advances in information technology. critical to the business, for example in the finance,
The following box gives more information on IT health and public sectors, and for organisations
governance. which manage information on behalf of others,
such as IT outsourcing companies.
ISACA also offers a series of IS standards and

certification. ISACA is a leading global association
in the IT governance and control field. With a
network across more than 160 countries, its IS
standards are followed by practitioners worldwide.
18
2.3 The risk management cycle
Controls assurance The risk management cycle is an interactive process of

Controls assurance is the process whereby controls are identifying risks, assessing their impact, and prioritising
reviewed by management and staff. There are various actions to control and reduce risks. A number of
ways to conduct these exercises, from highly interactive iterative steps should be taken:
workshops based on behavioural models at one end of
the spectrum to pre-packaged self audit internal control 1 Establish a risk management group and set goals.
questionnaires at the other. These models all include 2 Identify risk areas.
monitoring and risk assessment among their principal 3 Understand and assess the scale of risk.
components. 4 Develop a risk response strategy.
5 Implement the strategy and allocate responsibilities.
6 Implement and monitor the suggested controls.
7 Review and refine the process and do it again.
Figure 3 The CIMA risk management cycle
Establish risk
management group Identify risk areas
and set goals
Review and refine

Understand and
process and do it
assess scale of risk
again
Information for
decision making
Implementation
Develop risk response
and monitoring of
strategy
controls
Implement strategy
and allocate
responsibilities
19
2.4 Establish a risk management group 2.6 Understand and assess the scale of risk
and set goals
A risk management group should be established whose Once risks have been identified, an assessment
task it is to facilitate and co-ordinate the overall risk of possible impact and corresponding likelihood
management process. Possible members of the group of occurrence should be made using consistent
could include a chief risk officer, a non executive parameters that will enable the development of
director, finance director, internal auditor, heads of a prioritised risk analysis. In the planning stage,
planning and sales, treasurer and operational staff. management should agree on the most appropriate
Depending on the size and nature of the organisation, definition and number of categories to be used when
the risk management group may be in the form of a assessing both likelihood and impact.
committee who meet from time to time.
The assessment of the impact of the risk should not
The risk management group will promote the simply take account of the financial impact but should
understanding and assessment of risk, and facilitate the also consider the organisation’s viability and reputation,
development of a strategy for dealing with the risks and recognise the political and commercial sensitivities
identified. They may also be responsible for conducting involved. The analysis should either be qualitative
reviews of systems and procedures to identify and or quantitative, and should be consistent to allow
assess risks faced by the business, which include the comparisons. The qualitative approach usually involves
risk of fraud, and introducing the controls that are best grading risks in high, medium and low categories.
suited to the business unit. However, line managers and
their staff may also be involved in the risk identification Impact
and assessment process, with the risk management The assessment of the potential impact of a particular
group providing guidance. risk may be complicated by the fact that a range of
possible outcomes may exist or that the risk may occur
a number of times in a given period of time. Such
2.5 Identify risk areas complications should be anticipated and a consistent
approach adopted which, for example, may seek to
Each risk in the overall risk model should be explored estimate a worst case scenario over, say, a 12 month
to identify how it potentially evolves through the time period.
organisation. It is important to ensure that the risk is
carefully defined and explained to facilitate further Likelihood of occurrence
analysis. The likelihood of a risk occurring should be assessed on
a gross, a net and a target basis.
The techniques of analysis include:
• workshops and interviews The gross basis assesses the inherent likelihood of the
• brainstorming event occurring in the absence of any processes which
• questionnaires the organisation may have in place to reduce that
• process mapping likelihood.
• comparisons with other organisations
• discussions with peers. The net basis assesses the likelihood, taking into
account current conditions and processes to mitigate
the chance of the event occurring.
The target likelihood of a risk occurring reflects the risk

appetite of the organisation.
20
Where the net likelihood and the target likelihood for Analysing fraud risks
a particular risk differ, this would indicate the need to Fraud risk is one component of operational risk.
alter the risk profile accordingly. Operational risk focuses on the risks associated with
errors or events in transaction processing or other
It is common practice to assess likelihood in terms of: business operations. A fraud risk review considers
• high – probable whether these errors or events could be the result of a
• moderate – possible deliberate act designed to benefit the perpetrator. As
• low – remote. a result, fraud risk reviews should be detailed exercises
conducted by teams combining in depth knowledge of
An example of a risk analysis is contained in Appendix the business and market with detailed knowledge and
3. The resulting document is often referred to as a experience of fraud.
risk register. The overall risk registers at organisational
and operational levels should include the risk of fraud Risks such as false accounting or the theft of cash
being perpetrated. Some organisations also prepare or assets need to be considered for each part of the
detailed fraud risk registers that consider possible organisation’s business. Frequently, businesses focus on
fraudulent activity. The fraud risk register often directs a limited number of risks, most commonly on third-
the majority of proactive fraud risk management work party thefts. To avoid this, the risks should be classified
undertaken by an organisation. by reference to the possible type of offence and the
potential perpetrator(s).
Fraud risks need to be assessed for each area and

process of the business, for example, cash payments,
cash receipts, sales, purchasing, expenses, inventory,
payroll, fixed assets and loans.
21
2.7 Develop a risk response strategy 2.9 Implement and monitor suggested
controls
Once the risks have been identified and assessed, The chosen strategy may require the implementation
strategies to deal with each risk identified can be of new controls or the modification of existing controls.
developed by line management, with guidance from the Businesses are dynamic and the controls that are in
risk management group. place will need to be monitored to assess whether or
not they are succeeding in their objectives. The risk
Strategies for responding to risk generally fall into one management group should be empowered to monitor
of the following categories: the effectiveness of the actions being taken in each
• risk retention (e.g. choosing to accept small risks) specific area, as these can be affected by internal and
• risk avoidance (e.g. stopping sale of certain products external factors, such as changes in the marketplace or
to avoid the risk to occurring) the introduction of new computer systems.
• risk reduction (e.g. through implementing controls
and procedures)
• risk transfer (e.g. contractual transfer of risk; 2.10 Review and refine and do it again
transferring risks to insurers).
All of the elements outlined above form part of an
Before strategies are developed, it is necessary to iterative cycle where risk management is continually
establish the risk appetite of the organisation. Risk reviewed and developed. As the cycle continues, risk
appetite is the level of risk that the organisation is management should increasingly become embedded
prepared to accept and this should be determined in the organisation so that it really becomes part of
by the board. The appetite for risk will influence the everyone’s job.
strategies to be developed for managing risk. It is
worth noting that a board’s risk appetite may vary for
different types of risk and over time. For example, the 2.11 Information for decision making
board may have a low risk tolerance on compliance and
regulatory issues, but be prepared to take significant Risk management should form a key part of the
strategic risks. The board may also reduce their risk organisation’s decision-making process. Information is
appetite as the external environment changes, such as gathered at all stages of the risk management cycle and
in times of recession. this information should be fed into the decision-making
mechanisms.
2.8 Implement the strategy and allocate For more information on risk management, please refer
responsibilities to CIMA’s publication Risk Management: A guide to good
The chosen strategy should be allocated practice.
and communicated to those responsible for
implementation. For the plan to be effective it is
essential that responsibility for each specific action is
assigned to the appropriate operational manager and
that clear target dates are established for each action.
It is also important to obtain the co-operation of those
responsible for the strategy, by formal communication,
seminars, action plans and adjustments to budgets.
22
2.12 Summary
There are risks in most situations. Risk management

is an important element of corporate governance and
every organisation should review their risk status and
develop their approach as described in the CIMA Risk
Management Cycle in 2.3 to 2.11 above.
Managing the risk of fraud is the same in principle as

managing any other business risk. First, the potential
consequences of fraud on the organisation need to
be understood, using the principles set out in this
chapter. The risks should then be reduced by developing
and implementing an anti-fraud strategy across the
organisation. This is best approached systematically,
both at the organisational level, for example by using
ethics policies and anti-fraud policies, and at the
operational level, through introduction of controls and
procedures. The following chapters expand on the fraud
risk management process in the context of an anti-
fraud strategy.
23
3 Fraud prevention
3.1 A strategy to combat fraud
Given the prevalence of fraud and the negative Fraud detection

consequences associated with it, there is a compelling As fraud prevention techniques may not stop all
argument that organisations should invest time and potential perpetrators, organisations should ensure that
resources towards tackling fraud. There is, however, systems are in place that will highlight occurrences
sometimes debate as to whether these resources should of fraud in a timely manner. This is achieved through
be committed to fraud prevention or fraud detection. fraud detection. A fraud detection strategy should
involve use of analytical and other procedures to
Fraud prevention highlight anomalies, and the introduction of reporting
Based on the earlier discussion around why people mechanisms that provide for communication
commit fraud, it would seem that one of the most of suspected fraudulent acts. Key elements of a
effective ways to deal with the problem of fraud is comprehensive fraud detection system would include
to adopt methods that will decrease motive, restrict exception reporting, data mining, trend analysis and
opportunity and limit the ability for potential fraudsters ongoing risk assessment.
to rationalise their actions. In the case of deliberate
acts of fraud, the aim of preventative controls is to Fraud detection may highlight ongoing frauds that are
reduce opportunity and remove temptation from taking place or offences that have already happened.
potential offenders. Prevention techniques include the Such schemes may not be affected by the introduction
introduction of policies, procedures and controls, and of prevention techniques and, even if the fraudsters
activities such as training and fraud awareness to stop are hindered in the future, recovery of historical losses
fraud from occurring. will only be possible through fraud detection. Potential
recovery of losses is not the only objective of a
It is profitable to prevent losses, and fraud prevention detection programme though, and fraudulent behaviour
activities can help to ensure the stability and continued should not be ignored just because there may be no
existence of a business. However, based on recent recovery of losses. Fraud detection also allows for the
surveys, many organisations do not have a formal improvement of internal systems and controls. Many
approach to fraud prevention. Once a fraud has already frauds exploit deficiencies in control systems. Through
occurred, the likelihood of recovering stolen funds from detection of such frauds, controls can be tightened
the perpetrator or through insurance is often relatively making it more difficult for potential perpetrators to
low. According to KPMG’s survey in 2007, only 16% of act.
organisations profiled were able to recover their losses.
A number of others are still trying to recover stolen Fraud prevention and fraud detection both have a role
assets, but the process is often difficult and lengthy. to play and it is unlikely that either will fully succeed
At least half of the organisations have been unable to without the other. Therefore, it is important that
recover any assets at all. As such, it is preferable to try organisations consider both fraud prevention and fraud
to prevent the loss from occurring in the first place and detection in designing an effective strategy to manage
the old adage ‘prevention is better than cure’ certainly the risk of fraud.
applies to fraud.
It is worth bearing in mind though, that fraud

prevention techniques, while worth investing in,
cannot provide 100% protection. It is difficult, if not
impossible, to remove all opportunities for perpetrating
fraud.
24
An anti-fraud strategy It is clear from Figure 4 that the various elements of an
An effective anti-fraud strategy in fact has four main effective anti-fraud strategy are all closely interlinked
components: and each plays a significant role in combating fraud.
• prevention Fraud detection acts as a deterrent by sending a
• detection message to likely fraudsters that the organisation
• deterrence is actively fighting fraud and that procedures are in
• response. place to identify any illegal activity that has occurred.
The possibility of being caught will often persuade
The following diagram summarises these components a potential perpetrator not to commit a fraud.
and the context within which an anti-fraud strategy Complementary detection controls should also be in
sits. place to counter the fact that the prevention controls
may be insufficient in some cases.
Figure 4 Anti-fraud strategy
��
��
��
��
��
��
��
��
��
��
��
��
25
3.2 Developing a sound ethical culture
A consistent and comprehensive response to suspected Attitudes within an organisation often lay the
and detected incidents of fraud is also important. This foundation for a high or low fraud risk environment.
sends a message that fraud is taken seriously and that Where minor unethical practices may be overlooked
action will be taken against perpetrators. Each case (e.g. petty theft, expenses frauds), larger frauds
that is detected and investigated should reinforce committed by higher levels of management may
this deterrent and, therefore, act as a form of fraud also be treated in a similar lenient fashion. In this
prevention. environment there may be a risk of total collapse of
the organisation either through a single catastrophic
The various components of an effective anti-fraud fraud or through the combined weight of many smaller
strategy are discussed over the next few chapters. The frauds.
remainder of this chapter examines some of the main
preventative approaches which can be implemented to Organisations which have taken the time to consider
minimise the occurrence and cost of fraud within an where they stand on ethical issues have come to
organisation. These approaches are generic and can be realise that high ethical standards bring long term
applied, as appropriate, to different organisations and benefits as customers, suppliers, employees and
particular circumstances. the community realise that they are dealing with a
trustworthy organisation. They have also realised that
dubious ethical or fraudulent practices cause serious
adverse consequences to the people and organisations
concerned when exposed.
The definition of good ethical practice is not simple.

Ideas differ across cultural and national boundaries
and change over time. But corporate ethics statements
need not be lengthy to be effective. The following is an
example of guiding business principles that BT applies
to all employees, agents, and others representing BT.
These principles could form the basis of an ethics
statement in an international environment.
26
Organisations which have created a positive ethical
BT’s business principles culture have normally either been driven by a
committed chief executive or have been forced to do so
• Legal because of incidents which caused, or almost caused,
We will act within the law, our licensing/ significant loss to the organisation.
authorisations obligations and any other
regulations. With regards to establishing a sound ethical culture,
• Compete fairly CIMA recommends that organisations have:
Compete vigorously but fairly in our markets,
being honest and trustworthy in all our dealings. • a mission statement that refers to quality or, more
• Inducements unusually, to ethics and defines how the organisation
Not offer or accept gifts, hospitality or other wants to be regarded externally
inducements which encourage or reward a • clear policy statements on business ethics and
decision, or engage in any form of bribery. anti-fraud, with explanations about acceptable
Report and record any incident. behaviour in risk prone circumstances (a sample fraud
• Conflicts policy is included at Appendix 4)
Avoid or declare conflicts of interest that may • a route through which suspected fraud can be
lead (or be seen to lead) to divided personal reported
loyalties. • a process of reminders about ethical and fraud
• Commitments policies – e.g. annual letter and/or declarations
Ensure others have confidence in the • an aggressive audit process which concentrates on
commitments we make on behalf of BT, and that areas of risk
agreements are suitably authorised. • management who are seen to be committed through
• Risks their actions.
Assess and manage risks to our business.
• Assets IFAC’s Professional Accountants in Business (PAIB)
Protect our brand, physical, financial and Committee has produced guidance that focuses on the
intellectual assets. role of accountants in developing and promoting codes
• Information of conduct within their business (see Further Reading
Protect the confidentiality of company, in Appendix 10 for more detail). CIMA members
employee and customer information. should also bear in mind the CIMA Code of Ethics for
• Communication Professional Accountants, which sets out standards
Be truthful, helpful and accurate in our around ethical conduct and acting with integrity and
communication. objectivity, even in potentially difficult circumstances.
• Diversity For example, the CIMA Code of Ethics deals with
Treat all individuals fairly and impartially, safeguarding assets, potential conflicts, preparation
without prejudice, and never tolerate harassment and reporting of information, threats of financial self
in any form. interest, inducements, and confidentiality. Members
• Health and safety of other professional bodies are likely to be bound by
Care for the health and safety of each other, our similar codes.
products and our operations.
• Environment
Minimise the potential harmful effects of our
activities on the environment.
Reproduced with kind permission of BT
27
A code of ethics or an anti-fraud policy is not sufficient with the IBE, found that although most organisations
to prevent fraud though. Ethical behaviour needs to have adopted a code of ethics, many are not backing up
be embedded within the culture of an organisation. their written statements with action. Less than half of
Commitment from senior management and ‘tone at the respondents’ organisations provide ethics training
the top’ is key. Employees are more likely to do what or a hotline for reporting unethical conduct, and only
they see their superiors doing than follow an ethics a few offer incentives for employees to uphold ethical
policy, and it is essential that management do not apply standards. These results are summarised in Figure 5.
double standards.
In addition to encouraging senior management to
To demonstrate commitment, resources should be set ethical examples by their actions, organisations
allocated to communicating ethics and values to should ensure that senior management are committed
all employees, suppliers and business partners, and to controlling the risks of fraud. Senior management
providing training programmes where necessary. should be assigned with responsibility for fraud
Research by the Institute of Business Ethics (IBE) has prevention, as this sends a message to employees that
demonstrated that, through helping to establish an the organisation is serious about fraud and ensures
ethical culture, there is a correlation between ethics that tackling fraud will be considered at senior levels.
training and improved financial performance4. However, Adherence to policies and codes should be regularly
a recent survey conducted by CIMA, in conjunction monitored and policed by appropriate people within
Figure 5 Ethics advice/services provided
Does your organisation provide?

A statement of its ethical values, business
7 21 72
principles or commitments to its stakeholders?
A code of ethics or similar document to guide
5 23 72
staff about ethical standards in their work?
Training on ethical standards at work? 9 46 46

A hotline for reporting conduct that violates
the organisaton’s standards of ethics? 8 53 40
A helpline where you can get advice or
information about behaving ethically at work? 11 55 35
Incentives for staff to uphold the organisation’s
standards of ethical conduct? 13 68 19
Base: All respondents (1300) 0 10 20 30 40 50 60 70 80 90 100%

Don’t know No Yes
Source: Managing Responsible Business, CIMA, 2008
28
the organisation (such as management and/or internal it is important to raise awareness through a formal
audit), and the documents themselves should also be education and training programme as part of the
regularly reviewed and amended. overall risk management strategy. Particular attention
should be paid to those managers and staff operating
Periodic assessment of fraud risk in high risk areas, such as procurement and bill paying,
In order to manage fraud risk, organisations should and to those with a role in the prevention and detection
periodically identify the risks of fraud within their of fraud, for example human resources and staff with
organisation, using the process set out in Chapter investigation responsibility.
2. Fraud risks should be identified for all areas and
processes of the business and then be assessed in terms There are arguments about how far training on fraud
of impact and likelihood. In addition to the monetary risk management should go within an organisation
impact, the assessment should consider non financial beyond the audit group – for example a question
factors such as reputation. often raised is whether management and staff who
have been trained in fraud prevention techniques will
An effective fraud risk assessment will highlight risks then use the knowledge to commit fraud. Fraud is
previously unidentified and strengthen the ability for often highlighted through a tip off and therefore it is
timely prevention and detection of fraud. Opportunities essential that all employees are made aware of what
for cost savings may also be identified as a result of constitutes fraud, how to identify fraudulent behaviour,
conducting the fraud risk assessment. and how to respond if they suspect or detect instances
of fraud. There is advantage in covering the subject of
Fraud risk training and awareness fraud in generic terms, the corporate ethic, the audit
Almost every time a major fraud occurs many people approach and the types of checks and balances built
who were unwittingly close to it are shocked that into processes. Such training is more likely to decrease
they were unaware of what was happening. Therefore, rather than increase the number of fraudulent incidents.
Opposing double standards
It is too often presumed that there should be one set of rules for ordinary people and another for their leaders.
Such attitudes breed cynicism and resentment. Though there will be some valid exceptions, leaders must
almost always live by the rules they impose on others. Amongst other things this means taking a firm line on
fraud by senior executives.
Reproduced with kind permission of the Fraud Advisory Panel from its Ninth Annual Review 2006-2007
‘Ethical behaviour is the best defence against fraud’
4 Does business ethic pay – revisited, IBE

29
Employees may be educated through a number of In this area there are many conflicting emotions
mediums, such as formal training sessions, group influencing the potential ‘whistleblower’:
meetings, posters, employee newsletters, payroll • working group/family loyalties
bulletins or awareness pages on internal websites. • disinterest/sneaking admiration
Communication should be ongoing and a combination • fear of consequences
of methods is usually most successful. For example, • suspicion rather than proof.
the UK’s National Health Service (NHS) uses several
different media to raise fraud risk awareness, including The organisation’s anti-fraud culture and reporting
a quarterly staff newsletter called Insight that covers processes can be a major influence on the
topics such as training updates, fraud case studies, risk whistleblower, as it is often fear of the consequences
measurement and prosecution examples. that has the impact. To the whistleblower the impact
of speaking out can be traumatic, ranging from being
It is clear that spending money on preventing fraud dismissed to being shunned by other employees.
brings many benefits – but the cost benefit analysis
is not easy to construct. The downside risk of fraud Where fraud is committed by senior managers (and
prevention is that excessive and expensive controls may this can be as high as the chief executive), then the
be created, which reduce efficiency and demotivate predicament faced by the whistleblower is exacerbated.
staff. However, the head of fraud investigation for a And this is where management’s greatest challenge
major bank made the following observation: ‘A £1m lies – to convince staff that everyone is responsible
increase in expenditure on fraud prevention has led to a for combating fraud and that the good health of the
£25m increase in profits.’ organisation, and potentially their future employment,
could be at risk from fraud. Organisations that
Reporting mechanisms and whistleblowing encourage openness and can overcome the culture of
Establishing effective reporting mechanisms is one of silence are likely to benefit in many ways (see box on
the key elements of a fraud prevention programme page 31).
and can have a positive impact on fraud detection.
Many frauds are known or suspected by people who
are not involved. The challenge for management is
to encourage these ‘innocent’ people to speak out
– to demonstrate that it is very much in their own
interest. Research by the IBE has shown that although
one in four employees are aware of misconduct in the
workplace, over half of those people stay silent6.
6 Speak Up Procedures (2007), IBE

30
Benefits of a culture that encourages whistleblowing
An organisation where the value of open whistleblowing is recognised will be better able to:
• deter wrongdoing
• pick up potential problems early
• enable critical information to get to the people who need to know and can address the issue
• demonstrate to stakeholders, regulators, and the courts that they are accountable and well managed
• reduce the risk of anonymous and malicious leaks
• minimise costs and compensation from accidents, investigations, litigation and regulatory inspections
• maintain and enhance its reputation.
Enlightened organisations implement whistleblowing arrangements because they recognise that it makes good
business sense.
Reproduced with kind permission of BSI from

PAS 1998:2008 Whistleblowing Arrangements Code of Practice
In the UK, there is legislation protecting whistleblowers, The British Standards Institute (BSI) has recently
known as PIDA. Further information on PIDA is given published a Publicly Available Specification (PAS),
in Appendix 1. Other countries also have legislation developed by Public Concern at Work, that gives
protecting whistleblowers, for example this is covered guidance on ‘good practice for the introduction,
by Sarbox in the US. Legal redress should be a last revision, operation and review of effective
resort though, and organisations should strive for a whistleblowing arrangements’ (PAS 1998:2008
culture that actively encourages people to speak up and Whistleblowing Arrangements Code of Practice). The
challenge inappropriate behaviour. nature of the whistleblowing arrangements will be
determined by an organisation’s size, structure, culture,
Although PIDA exists to protect whistleblowers, there nature of the risks that it faces and the legal framework
is no statutory requirement for a whistleblowing in which it operates.
policy under the legislation. However, organisations
are encouraged to develop a written policy statement, A confidential 24/7 hotline is said to be one of the best
and corporate governance codes in the UK provide methods for reporting fraud. However, open channels
more direction on this. Under the Combined Code, of communication from employees to management
listed companies are obliged to have whistleblowing are also essential in creating an environment that
arrangements or explain why they do not, and public encourages fraud prevention and detection. An open
bodies are expected to have a policy in place, which and honest culture should improve morale among
are assessed regularly as part of the external audit and employees and give them the confidence to come
review of local authorities and NHS bodies. Companies forward with concerns.
captured under Sarbox are also required to have
whistleblowing arrangements. A sample whistleblowing
policy can be found in Appendix 5.
31
3.3 Sound internal control systems
Following up on disclosures is an important part of A strong system of internal controls is considered by

any whistleblowing arrangement. Employees are more the ACFE to be ‘the most valuable fraud prevention
likely to speak up if they know that something will be device by a wide margin’. Having sound internal control
done about their concern. This is supported by the systems is also a requirement under the Companies
findings of the CIMA ethics survey referred to earlier. Act, Sarbox and various corporate governance codes.
A small percentage of respondents had personally
observed unethical conduct and most reported the Responsibility for internal control
wrongdoing when they came across it, but many were Overall responsibility for the organisation’s system
dissatisfied with the response. By not handling concerns of internal control must be at the highest level in the
in a satisfactory way, organisations risk losing the organisation. Under the Companies Act, directors
confidence of their employees and discouraging them are responsible for maintaining adequate accounting
from speaking up in the future. The survey highlighted records. The Combined Code prescribes that ‘the board
that the most common reason for not reporting should maintain a sound system of internal control to
a concern was thinking that it would not make a safeguard shareholders’ investment and the company’s
difference. assets’. This should include procedures designed to
minimise the risk of fraud. As mentioned in the previous
Management has to be aware of the risk of anonymous chapter, the board should satisfy itself that the system
and malicious accusations, but they cannot afford to is effective and report that it has undertaken such a
ignore any report in case it is correct. They may wish review to its shareholders. The Turnbull report provides
to state in their policy that anonymous advice will be guidance on how this should be achieved.
treated with extreme caution. Companies captured
under Sarbox have no choice but to offer a facility for There is often an expectation that auditors have
anonymous reporting. This can cause difficulty for responsibility for fraud prevention and detection. While
organisations operating in Europe, as it may conflict auditors doubtless have a role to play in fraud risk
with EU data protection rules, which state that management, they do not have primary responsibility.
personal data should only be collected fairly. The EU This lies with management and those charged
data protection authorities have issued guidance on with governance of the organisation. International
this (Guidance on Whistleblowing Schemes, 2006) and Standard on Auditing 240 (ISA 240) clarifies these
information can also be obtained from Public Concern responsibilities, an extract of which is included in the
at Work. box below. ISA 240 has recently been revised and the
redrafted standard is effective for audits of financial
statements for periods beginning on or after 15
December 2008.
32
Although primary responsibility for fraud prevention In addition to the international auditing standard,
and detection does not sit with the auditor, ISA 240 some countries also have their own auditing standards
does call for auditors to include methods for identifying that give further direction on roles and responsibilities
potential cases of fraud when planning and conducting in relation to fraud. For example, in October 2002,
the audit. It requires auditors to: the US issued Statement on Auditing Standards No.
• discuss the risk of fraud with management and those 99 Consideration of Fraud in a Financial Statement
charged with governance Audit (SAS 99), partly in response to accounting
• discuss with the audit team the susceptibility of the scandals such as Enron and WorldCom. SAS 99 is more
accounts to material misstatements due to fraud prescriptive about the role of the auditor in preventing
• consider whether one or more fraud risk factors are and detecting fraud and error than ISA 240 and was
present designed to create a substantial change in auditors’
• perform audit procedures to address the risk of performance, thereby improving the likelihood that
management override auditors will detect material misstatements due to
• test journal entries and review accounting estimates fraud.
for bias
• understand the business rationale for transactions The requirements do not only affect auditors. Given the
outside the normal course of business nature and extent of the new procedures in both ISA
• obtain representations from management 240 and SAS 99, management should plan to provide
• bear in mind the implications for money laundering auditors with more information and open themselves
reporting (taking care not to tip off the client). up to more extensive fraud detection procedures.
Extract from ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
(redrafted)
Responsibility for the prevention and detection of fraud

The primary responsibility for the prevention and detection of fraud rests with both those charged with
governance of the entity and management. It is important that management, with the oversight of those
charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for
fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of
the likelihood of detection and punishment.
This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by
an active oversight by those charged with governance. In exercising oversight responsibility, those charged
with governance consider the potential for override of controls or other inappropriate influence over the
financial reporting process, such as efforts by management to manage earnings in order to influence the
perceptions of analysts as to the entity’s performance and profitability.
Responsibilities of the auditor

An auditor conducting an audit in accordance with ISAs is responsible for obtaining reasonable assurance
that the financial statements taken as a whole are free from material misstatement, whether caused by fraud
or error... (O)wing to the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements of the financial statements will not be detected, even though the audit is properly planned and
performed in accordance with the ISAs.
Reproduced with kind permission of IFAC
33
Internal control systems The number and type of internal controls that an
An internal control system comprises all those policies organisation can introduce will again depend on the
and procedures that taken together, support an nature and size of the organisations. Internal controls
organisation’s effective and efficient operation. Internal to minimise fraud should, where possible, address fraud
controls typically deal with factors such as approval red flags (see Chapter 4 and Appendix 6). Examples of
and authorisation processes, access restrictions and the variety of such controls include:
transaction controls, account reconciliations, and • requiring multiple signatories on high value
physical security. These procedures often include the transactions (e.g. within a finance or procurement
division of responsibilities and checks and balances department)
to reduce risk. The following box gives an example • enforcing employees to take holiday (e.g. many
of division of responsibilities within the purchasing employees in the banking sector must take a
process. minimum of two weeks holiday in a given period)
• restricting belongings that can be brought into the
office environment (e.g. many call centre employees
Division of responsibilities in the purchasing are not allowed to take in pens, paper or mobile
process phones, and some organisations have restricted the
use of USB sticks)
Ideally, the purchasing process would involve the • conducting random searches of staff (e.g. in factories,
following separate roles: distribution centres or retail outlets).
• the originator who specifies the goods or services
and probably price Wherever new internal control procedures are
• the superior who approves the purchase introduced, they should be documented clearly and
• the purchasing department who negotiate the simply, in order that any deviation can be identified.
best value through competitive quotations Internal controls should be regularly reviewed as part
• the recipient of goods or services who confirms of the risk management process, and there should be
that the invoice is in line with goods or services continual improvement of controls in light of new risks,
received such as new markets and technologies, changes in
• the purchase ledger/accounting department who structure, or innovative fraudsters. Not only does this
make entries in the accounts reflect good practice, but it is also a requirement of the
• the treasury manager who ensures that Combined Code and Sarbox. Ultimately, the internal
payments are properly supported and in line control system should be embedded within the culture
with policy and operations of an organisation.
• the management accountant who ensures that
costs are in line with budgets/standards and
purchase ledger payment statistics are in line
with policy.
Segregation of duties is not always possible though,

and it may be necessary to introduce additional
management examination and control, including some
form of internal audit as a regular feature.
34
Case study 5
A fine warning
A major European banking group has suffered in more ways than one from having weak internal controls.
In 2007, a senior employee at the bank was able to transfer £1.3 million out of client accounts without
permission. This was possible because the bank did not have effective review processes in place for
transactions over £10,000 and its checking procedures were unclear.
Not only did the organisation suffer from losses and reputational damage at the hand of the fraudster, but
the bank was also fined £350,000 by the FSA because of its ineffective anti-fraud measures. The bank had
been warned by the FSA in 2002 that its internal controls needed to be improved. However, no steps were
made to change the systems in place. Following the fine in 2007, the bank strengthened its controls and now
claims to be among the best in the industry.
This is the first fine that the FSA has issued against a private bank for weaknesses in anti-fraud controls but
it is stepping up its game in this area and this should serve as a caution for other organisations. The FSA has
warned that ‘senior management must make sure their firms have robust systems and controls to reduce the
risk of them being used to commit financial crime.’
Source: Weak anti-fraud measures earn bank hefty fine, CIMA Industry focus, 15 May 2007
Pre-employment screening At a minimum, organisations should consider screening

Pre-employment screening is the process of verifying for cash handling positions, senior management posts
the qualifications, suitability and experience of a and other trusted positions such as treasury, accounts
potential candidate for employment. Techniques used payable, and security. Screening should also not be
include confirmation of educational and professional limited to new joiners. An organisation should run
qualifications, verification of employment background, checks before offering promotions and secondments
criminal history searches, and credit checks. For all into more senior or sensitive positions.
screening, the organisation must obtain the individual’s
written permission and all documents must bear the Organisations should also never assume that agency
individual’s name. staff have been properly vetted by the contracting
agency. As is demonstrated by the following case study,
Screening applicants should reduce the likelihood a recruitment agency’s screening process cannot always
of people with a history of dishonest or fraudulent be relied upon.
behaviour being given a role within the company, and
is therefore an important fraud prevention procedure.
A significant proportion of CVs contain serious
discrepancies, and in fraud cases investigated, there
are often signs in the employee’s background that
would have been a warning to a potential employer
had screening been conducted. Research has also
shown that employers who conduct pre-employment
screening experience fewer cases of fraud by
employees.
35
Case study 6
Vet or regret?
Without a trace
A finance house needed an extra junior accountant for a short period of time. The company went to a
reputable agency and employed an appropriately qualified person. The company relied on the agency’s
screening policy which had failed to uncover a series of discrepancies in the accountant’s personal history,
including a false address. The accountant removed a company chequebook from his work place and used it
to make a series of high value purchases on his own behalf. The matter came to light when a routine enquiry
was made with the finance house to verify the issue of one of the cheques. By this time the temporary
accountant had left the company. He could not be traced and the matter was referred to the police.
All in a week’s work

In another case, an organisation employed a temporary accounts clerk to work in their shared service
accounting centre. The organisation assumed the recruitment agency would perform adequate checks on
the clerk’s background. This did not happen. The clerk was able to use his access to the accounting system to
divert supplier payments to his own bank account. After a week of such diversions, he left the company with
over £150,000.
Reproduced with kind permission of the Fraud Advisory Panel from

Fighting fraud – a guide for SMEs, 2nd edition
3.4 Summary
In conclusion, a sound ethical culture and an effective

system of internal control are essential elements of an
anti-fraud strategy. Effective internal controls reduce
exposure to financial risks and ‘contribute to the
safeguarding of assets, including the prevention and
detection of fraud’ (Turnbull Guidance, 2005). However,
a sound system of internal control cannot provide
complete protection against all fraudulent behaviour,
highlighting the importance of other fraud prevention
and fraud detection measures.
Appendix 7 provides an example of a 16 step fraud

prevention plan that brings together many of the
elements described in this chapter.
36
4 Fraud detection
4.1 Detection methods
Hindsight is a wonderful thing! Fraud is always obvious The UK report of PwC’s survey looked at the method
to the fraudster’s colleagues after the event. Their of detection of the most serious frauds within
statements, and those of internal auditors, when taken organisations. The results are shown in Figure 6.
by the police or other investigatory bodies, frequently
highlight all the more common fraud indicators. It is clear from this, and other anecdotal evidence,
that external auditors do not generally find fraud. As
However, the mistake is always the same – fraud was mentioned in Chapter 3, it is not the external auditor’s
never considered a possibility. No matter how innocent responsibility to prevent and detect fraud, although
an action may be, or how plausible an explanation may they should be providing reasonable assurance that the
be, fraud is always a possibility! financial statements are free from material fraud and
error.
Figure 6 Methods of fraud detection
Whistleblowing hotline
Internal tip-off
By accident
External tip-off
Law enforcement investigation
Change of personnel/duties
Internal audit
External audit
Corporate security
Risk management
0 5 10 15 20
% of respondents
Source: Economic crime: people, culture and controls, PricewaterhouseCoopers, 2007
37
Although external auditors did not detect many cases A lot of frauds, however, are discovered accidentally or
of fraud, internal auditors on the other hand were found as a result of information received, either via a tip off
to be the most successful in identifying serious frauds. or through a whistleblowing hotline. In many cases,
Risk management procedures were also found to be one greater losses are suffered as a result of employees
of the more useful methods. If resources will allow it, at all levels ignoring the obvious. It is everyone’s
an organisation should establish a strong internal audit responsibility to find and report fraud and irregularity
function that monitors and advises on risk management within an organisation, and it is therefore essential that
and actively looks for instances of fraud. an organisation has appropriate reporting mechanisms
in place to facilitate this.
Frauds may also be discovered as a result of controls
and mechanisms put in place on the advice of internal
and external auditors.
Case study 7
Tipped off
A bank clerk who helped fraudsters to fleece customers out of nearly £500,000 was originally identified as
a result of a tip off. Ruth Akinyemi passed on the personal details of eight wealthy Barclays account holders,
including dates of birth and account passwords. The thieves to whom she gave the details then posed as real
customers and emptied vast amounts of money from the bank accounts. One victim lost nearly £400,000 in
just four days.
Investigators received an anonymous tip off that Akinyemi was the insider and she was suspended pending
investigation. Due to insufficient supporting evidence, the bank initially cleared Akinyemi of any involvement.
She simply switched branches and continued with the scam. The computer system revealed the involvement
of a bank insider in subsequent frauds and investigators were able to go through computer records and
identify the accounts that Akinyemi had accessed using her ID and password.
Akinyemi was convicted of conspiracy to steal and sentenced to 18 months imprisonment in September
2008. The operators of the fraud have never been traced and most of the money is still missing.
38
4.2 Indicators and warnings
It will never be possible to eliminate all fraud. No Management issues

system is completely fraud proof, since many fraudsters • Lack of financial management expertise and
are able to bypass control systems put in place to stop professionalism in key accounting principles, review
them. However, greater attention paid to some of the of judgements made in management reports and the
most common indicators can provide early warning review of significant cost estimates.
that something is not quite right and increase the • A history of legal or regulatory violations within the
likelihood that the fraudster will be discovered. With organisation and/or claims alleging such violations.
that in mind, this section provides details of some of • Strained relationships within the organisation
the more common indicators of fraud. between management and internal or external
auditors.
Fraud indicators fall into two categories: • Lack of management supervision of staff.
• warning signs • Lack of clear management control of responsibility,
• fraud alerts. authorities, delegation, etc.
• Bonus schemes linked to ambitious targets or directly
Warning signs to financial results.
Warning signs have been described as organisational
indicators of fraud risk and some examples are set out Employee issues
below. For convenience these have been subdivided into • Inadequate recruitment processes and absence of
business risk, financial risk, environmental risk and IT screening.
and data risk. Further examples of warning signs can be • Unusually close relationships – internal and external.
found in Appendix 6. • Potential or actual labour force reductions or
redundancies.
Business risk • Dissatisfied employees who have access to desirable
This has been subdivided into cultural issues, assets.
management issues, employee issues, process issues • Unusual staff behaviour patterns.
and transaction issues. • Personal financial pressures on key staff.
• Low salary levels of key staff.
Cultural issues • Poor dissemination of internal controls.
• Absence of an anti-fraud policy and culture. • Employees working unsocial hours unsupervised.
• Failure of management to implement a sound • Employees not taking annual leave requirements.
system of internal control and/or to demonstrate • Unwillingness to share duties.
commitment to it at all times.
Process issues
• Lack of job segregation and independent checking of
key transactions.
• Lack of identification of the asset.
• Poor management accountability and reporting
systems.
• Poor physical security of assets.
• Poor access controls to physical assets and IT security
systems.
• Lack of and/or inadequacy of internal controls.
• Poor documentation of internal controls.
39
Transaction issues • Manipulation of programs or computer records to

• Poor documentary support for specific transactions disguise the details of a transaction.
such as rebates and credit notes. • Compromised business information.
• Large cash transactions. • Breaches in data security and privacy.
• Susceptibility of assets to misappropriation. • Sensitive data being stolen leaked or lost.
Financial risk Fraud alerts
• Management compensation highly dependent on Fraud alerts have been described as specific events or
meeting aggressive performance targets. red flags, which may be indicative of fraud. A list of
• Significant pressures on management to obtain possible fraud alerts is provided below. This should not
additional finance. be considered an exhaustive list, as alerts will appear in
• Extensive use of tax havens without clear business many different guises according to circumstances.
justification.
• Complex transactions. • Anonymous emails/letters/telephone calls.
• Use of complex financial products. • Emails sent at unusual times, with unnecessary
• Complex legal ownership and/or organisational attachments, or to unusual destinations.
structures. • Discrepancy between earnings and lifestyle.
• Rapid changes in profitability. • Unusual, irrational, or inconsistent behaviour.
• Existence of personal or corporate guarantees. • Alteration of documents and records.
• Extensive use of correction fluid and unusual
Environmental risk erasures.
• The introduction of new accounting or other • Photocopies of documents in place of originals.
regulatory requirements, including health and safety • Rubber Stamp signatures instead of originals.
or environmental legislation, which could significantly • Signature or handwriting discrepancies.
alter reported results. • Missing approvals or authorisation signatures.
• Highly competitive market conditions and decreasing • Transactions initiated without the appropriate
profitability levels within the organisation. authority.
• The organisation operating in a declining business • Unexplained fluctuations in stock account balances,
sector and/or facing prospects of business failure. inventory variances and turnover rates.
• Rapid technological changes which may increase • Inventory adjustments.
potential for product obsolescence. • Subsidiary ledgers, which do not reconcile with
• Significant changes in customer demand. control accounts.
• Extensive use of ‘suspense’ accounts.
IT and data risk • Inappropriate or unusual journal entries.
• Unauthorised access to systems by employees or • Confirmation letters not returned.
external attackers. • Supplies purchased in excess of need.
• The wealth of malicious codes and tools available to • Higher than average number of failed login attempts.
attackers. • Systems being accessed outside of normal work hours
• Rapid changes in information technology. or from outside the normal work area.
• Users not adopting good computer security practices, • Controls or audit logs being switched off.
e.g. sharing or displaying passwords.
• Unauthorised electronic transfer of funds or other The above lists of fraud indicators can be indicative of
assets. any fraud type. Appendix 6 provides examples of more
specific fraud indicators.
40
4.3 Tools and techniques
The training received by management accountants Benchmarking: comparisons of one financial period
is a very good basis for implementing an anti-fraud with another; or the performance of one cost centre,
programme. The broad understanding of business or business unit, with another; or of overall business
processes, expected of a management accountant, performance with industry standards, can all highlight
is an important asset, as is their knowledge of the anomalies worthy of further investigation.
systems and procedures that should be in place within
an organisation, to allow it to operate efficiently and Systems analysis: it is important to examine the
effectively. A further asset is the ability to think and systems in place and identify any weaknesses that
act logically, which is something the management could be opportunities for the fraudster.
accountant develops with experience. Therefore, the
first important tool available is training and experience. Ratio analysis: can be used to identify any abnormal
trends or patterns.
The second tool is the necessary mindset – that fraud
is always a possibility. A healthy amount of professional Mathematical modelling: using the ‘sort’ tool
scepticism should be maintained when considering on a spreadsheet can help to identify patterns in
the potential for fraud. This does not mean that every expenditure, etc. There are also specialist mathematical
time someone seems to be working excessive overtime, models such as Benfords Law, a mathematical formula
without taking leave, they are in the process of which can help identify irregularities in accounts.
committing a fraud, or that inaccuracies in the accounts Database modelling can also be utilised.
are there to cover up a fraud. Nevertheless, they might.
Having considered the possibility of fraud, the next step Specialist software: such as audit tools for data
may be to undertake some further research or pass matching analysis can prove very useful. Other
concerns to a line manager. tools allow for analysis such as real time transaction
assessment, targeted post-transactional review, or
In addition to the tools described above, there strategic analysis of management accounts.
are everyday techniques available to help identify
irregularities which may be fraud, and research the Exception reporting: many systems can generate
anomaly to decide whether further action should be automatic reports for results that fall outside of
taken. Organisations should ensure that resources are predetermined threshold values (exceptions), enabling
allocated to identifying such anomalies and detecting immediate identification of results deviating from the
cases of fraud. norm. With today’s technology it is possible for an
email or text alert to be sent directly to a manager
Identifying anomalies when exceptions are identified.
Background reading: it is important to keep up to date
with fraud trends and issues. The general press can Many of these identification techniques can be
be a useful source of information for this, along with automated to make the process more efficient. Fraud
technical magazines, which often carry articles on fraud detection systems should be monitored and updated
and financial irregularity. Also useful is a subscription regularly to keep up with changing technology and new
to a publication specialising in fraud or buying a good methods of manipulation.
reference book. The Internet is also a valuable, and vast,
research tool.
Risk assessment: undertake a fraud risk assessment

and design specific tests to detect the significant
potential frauds identified through the risk assessment.
Act on irregularities which raise a concern.
41
Case study 8
Risk or returns
Many retail companies are investing in specialist fraud prevention and detection software and have quickly
seen the benefits from doing so:
• Within weeks of implementing new data-mining software, clothing retailer Peacocks dismissed five
employees for fraudulent activities identified by the fraud detection tool and a further 15 investigations
were underway based on information highlighted by the software. Employee were found to be involved in
activities such as processing genuine sales for customers then voiding the transaction, taking money from
the tills, and applying refunds to their own credit cards. Peacocks believe that the increased chances of
detection will stop some fraud before it is even committed. Peacocks are also using the system to pinpoint
process improvement and training requirements.
• Boots saw its investment in loss-prevention software ‘returned in only a matter of weeks’ and have found
that it continues to deliver reduced fraud losses that would have cost the business millions. The software
sends an automatic message to store managers when anomalies in till transactions are identified, such as
an above average number of refunds.
• In just over a year of using data-mining software, Lloydspharmacy identified around £400,000 of
‘previously invisible fraud’ and dismissed a number of ‘unscrupulous employee(s). One of the main types of
fraud suffered by Lloydspharmacy is where a till operator suspends a sale and then uses a ‘no-sale’ facility
to open the till drawer. The linked activity between suspended sales and no sales can be easily identified
using data-mining software though. The first investigation was within two weeks of the system going live
and in the following year there were more than 100 investigations. The investigation payback increased
through using data-mining software and further analysis showed that successful investigations have led
to higher sales figures in the stores concerned. Introduction of the software has also freed loss prevention
managers to focus on other activities, such as risk assessment and training.
• B&Q claims that its investment in a till monitoring system saved the company ‘£1 million on staff fraud in
a year’.
Source: various articles from Retail Week
42
Analysing the anomaly – a methodical approach 6 Prepare schedules (include graphics)
All of the tools covered so far have their uses in Graphical and numerical schedules/spreadsheets should
identifying the irregularity, but to be effective they be prepared to support the analysis and findings. It is
must be combined with a methodical approach to the important to make it as easy as possible for those with
analysis of the problem identified. At this stage, it is not little or no financial knowledge to understand what
a fraud investigation or internal management review has occurred. These, when consolidated, would be in
but an analysis of a problem to decide whether such a the form of an audit pack detailing the documents that
review should be carried out. One approach which can have led to the formulation of the conclusions.
be considered is detailed below.
7 Prepare the report
1 Establish the objective In preparing the report it is important to bear in mind
The objective of the research must be clear as this that, whatever the original objective, there is always the
will enable decisions to be made about the best way possibility of it being used in evidence at some form of
forward. legal proceedings. The report should be factual as far as
possible, and where opinion is given, it should be clearly
2 Identify the systems and procedures identified as such – for example, professional opinion
Undertaking a systems and risk analysis, and comparing used in the conclusions of the report.
the laid-down systems and procedures that should have
been in place with those actually in use, can help to
identify system or procedural failures. 4.4 Summary
3 Establish the scale of the risk Included in this chapter and in Appendix 6 are examples
This involves identifying the potential loss and assessing of specific fraud alerts associated with activities
whether it is material. Actual losses should be identified common to most types of organisation. However, none
where possible. of these will be of any use unless it is accepted that
fraud is possible. It is that mindset, that awareness,
4 Situation analysis which will enable an organisation to stop an incidence
This involves background research, such as company of fraud before it becomes catastrophic. A warning
searches, and identifying those involved. sign is not effective unless it is appreciated as such and
this awareness can only be achieved by means of a
5 Analyse all available data continuing programme of education and training.
Analysis of all the data will give an understanding of
what has occurred and how it occurred.
43
5 Responding to fraud
5.2 Corporate policy
An organisation’s approach to dealing with fraud The fraud response plan should reiterate the
should be clearly described in its fraud policy and fraud organisation’s commitment to high legal, ethical and
response plan. An outline fraud response plan and an moral standards in all its activities and its approach to
example of a fraud response plan are contained in dealing with those who fail to meet those standards. It
Appendices 8 and 9 respectively. Appendix 9 includes a is important that all those working in the organisation
series of flowcharts that help to highlight the decisions are aware of the risk of fraud and other illegal acts, such
an organisation might face when a fraud is suspected as dishonesty or damage to property. Organisations
and give guidance on process to follow in response to should be clear about the means of enforcing the rules
such suspicions. or controls which the organisation has in place to
counter such risks and be aware of how to report any
This chapter expands on parts of the outline fraud suspicions they may have. The fraud response plan is
response plan, where they have not already been the means by which this information is relayed to all
covered in earlier chapters, and highlights some issues members of staff and, possibly, other stakeholders, such
and considerations when dealing with fraud. Paragraph as customers, suppliers, and shareholders.
headings in this chapter are those which should form
the basis of the fraud response plan and relate to those One question worthy of consideration is – how much
in the outline response plan in Appendix 8. publicity should be given to exposed fraud? A publicised
successful fraud investigation can be a sharp reminder
to those who may be tempted and a warning to those
5.1 Purpose of the fraud response plan who are responsible for the management of controls.
While there may be embarrassment for those who were
The fraud response plan is a formal means of setting close to the fraud and did not identify it, and an adverse
down clearly the arrangements which are in place for impact on the organisation’s public image, there can be
dealing with detected or suspected cases of fraud. advantages in publishing internally the outcome of a
It is intended to provide procedures which allow for successful fraud investigation.
evidence gathering and collation in a manner which will
facilitate informed decision-making, while ensuring that Regulated financial services companies do not have
evidence gathered will be admissible in the event of any a choice on whether or not to keep identified cases
civil or criminal action. Other benefits arising from the of fraud an internal issue. These organisations are
publication of a corporate fraud response plan are its now legally obliged to report financial crime. Other
deterrence value and the likelihood that it will reduce businesses should follow this example and make it clear
the tendency to panic. It can help restrict damage that they will not sweep fraud under the carpet.
and minimise losses, enable the organisation to retain
market confidence, and help to ensure the integrity of
evidence.
44
Case study 9
Reporting fraud
It is possible to exaggerate the risks involved in reporting fraud. Aid to the Church in Need UK suffered a high
tech website attack in November 2005 which led to hundreds of its benefactors being defrauded. ‘The press
were surprised by how we went public and that we admitted what had happened – but as a Christian charity
we decided we had to be honest and we hope that others will learn from this case about the ‘conspiracy of
silence’ over internet fraud. 98% of people have been very understanding.’
Reproduced with kind permission of the Fraud Advisory Panel from its Ninth Annual Review 2006-2007
Ethical behaviour is the best defence against fraud
5.3 Definition of fraud
As has been explained in Chapter 1, fraud encompasses Finance director

criminal offences that involve deception and dishonesty The finance director will often have overall
to obtain some benefit or to cause detriment to some responsibility for the organisation’s response to fraud,
person or organisation. This section of a fraud response including the responsibility for co-ordinating any
plan could provide for legal definitions or simply a investigation and for keeping the fraud response plan
list of activities which would or could be considered up to date. They will hold the master copy of the fraud
fraudulent. response plan, and should have their own aide-memoire
to assist with the management of the investigation. The
finance director will also be responsible for maintaining
5.4 Roles and responsibilities an investigation log. An investigations log is typically a
log of all reported suspicions, including those dismissed
The division of responsibilities for fraud risk as minor or otherwise not investigated. The log will
management will vary from one organisation to contain details of actions taken and conclusions
the next, depending on the size, industry, culture reached. It is an important tool for managing, reporting
and other factors. The following are some general and evaluating lessons learned.
guidelines which can be adapted to suit the individual
circumstances. Fraud officer (where applicable)
In larger organisations it may be appropriate to
Managers and supervisors designate a senior manager as the fraud officer in
Generally managers and supervisors are in a position place of the finance director. The fraud officer will have
to take responsibility for detecting fraud and responsibility for initiating and overseeing all fraud
other irregularities in their area. Staff must assist investigations, for implementing the fraud response
management by reporting any suspected irregularities. plan and for any follow-up actions. The fraud officer
Managers and supervisors should be provided with a should be authorised to receive enquiries from staff
response card, or aide-memoire, detailing how they confidentially and anonymously, and be given the
should respond to a reported incidence of fraud. The authority to act and/or provide advice according to
aide-memoire should include a list of contacts with individual circumstances, and without recourse to
telephone numbers. senior management for approval. In the event that the
fraud officer’s superior is a suspect, he should report
to a more senior manager or non executive director,
perhaps the chair of the audit committee.
45
The fraud officer will manage any internal investigations director, the matter should be reported directly to the
and act as a liaison officer with all other interested chairman of the audit committee. In small companies
parties both internal and external, including police, a nominated non executive director may fulfil the
regulators and auditors. He should have his own job role of the audit committee. The audit committee
description, appropriate to the role, an extended list of is also responsible for reviewing and evaluating the
contacts and his own response card. One of his primary effectiveness of the internal audit function, where one
tasks would be the updating of the investigation log. exists.
Human resources Internal auditors (where applicable)

The human resources department will usually Where an organisation has its own internal audit
have responsibility for any internal disciplinary department the likelihood is that the task of
procedures, which must be in line with, and support, investigating any incidence of fraud would fall to
the fraud policy statement and fraud response plan. them. Caution should be exercised in allowing an
Their advice should be sought in relation to the investigation to be conducted by those without training
organisation’s personnel management strategies, and experience in this area, as this may jeopardise the
individual employment histories, and issues relating to outcome of an investigation. It may be appropriate
employment law, or equal opportunities. to designate specific auditors as fraud specialists and
to ensure that they have the appropriate skills and
Audit committee (where applicable) knowledge to undertake the task.
Due to recent legislative and regulatory changes (as
set out in Chapter 1 and Appendix 1), the role of the External auditors (where applicable)
audit committee in preventing and detecting fraud is An organisation without its own internal audit
now more defined. Audit committee members have department may consider consulting their external
responsibility for reviewing the organisation’s internal auditors should they discover a fraud, if only to obtain
control and risk management systems, including the the expertise to establish the level of loss. The external
design and implementation of anti-fraud programmes auditors may also be in a position to provide expert
and controls. The audit committee should monitor assistance from elsewhere within the audit firm,
the integrity of the financial statements, assess the such as from a specialist fraud investigation group. A
organisation’s performance in fraud prevention, review decision to call on external auditors should, however, be
the investigation log of cases at least once a year, and considered carefully, as there is always the possibility
report any significant matters to the board. that if the auditor has missed obvious fraud alerts, the
organisation may eventually seek damages from its
The audit committee should review arrangements by auditor.
which employees can confidentially raise concerns
about possible wrongdoing, and the audit committee’s Legal advisers (internal or external)
objective should be to ensure that arrangements Legal advice should be sought as soon as a fraud is
are in place for the proportionate and independent reported, irrespective of the route the organisation
investigation of such matters and for appropriate intends to follow. Specific advice would include such
follow-up action. If a suspicion involves the nominated issues as guidance on civil, internal and criminal
fraud contact, the finance director or an executive responses, and recovery of assets.
46
5.5 The response
IS/IT staff Reasonable steps for responding to detected or

IS and IT staff can provide technical advice on IT suspected instances of fraud include:
security, capability and access. If computers have been • clear reporting mechanisms
utilised to commit the fraud, or if they are required for • a thorough investigation
evidential purposes, specialist advice must be sought • disciplining of the individuals responsible (internal,
immediately. civil and/or criminal)
• recovery of stolen funds or property
Public relations (PR) • modification of the anti-fraud strategy to prevent
Organisations with a high profile, such as larger similar behaviour in the future.
businesses, public sector organisations or charities,
may wish to consider briefing their PR staff, so they can Reporting suspicions
prepare a brief for the press in the event that news of a The procedures for reporting fraud should be spelt
fraud becomes public. out clearly and succinctly. This may be by means of a
formal whistleblowing policy, as outlined in Chapter 3,
Police but the procedures should also be summarised within
When the police are consulted, if at all, is a matter the fraud response plan.
of internal policy in the UK. However, if it is policy to
prosecute all those suspected of fraud, then the police Establish an investigation team
should be involved at the outset of any investigation, as After recording details of the allegations, the finance
any unnecessary delay could diminish the likelihood of director, or the fraud officer if appropriate, should call
success. In respect of public bodies, Audit Commission together the investigation team and the organisation’s
guidance states that the police/external auditors should advisers. This could involve any, or all, of those listed
be informed as soon as a fraud is suspected. above.
External consultants Formulate a response

Any organisation could consider bringing in specialist The objectives of the investigation should be clearly
investigation skills from outside the organisation. identified, as should the resources required, the
Many such specialist firms exist to provide a discreet scope of the investigation, and the timescale. The
investigation and/or asset recovery service in objectives of the investigating team will be driven by
accordance with their clients’ instructions. the organisation’s attitude to fraud and the preferred
outcome for dealing with fraud. An action plan should
Insurers be prepared and roles and responsibilities should be
Many organisations take out fidelity insurance to delegated in accordance with the skills and experience
protect themselves against large fraud losses. The of the individuals involved. The individual in overall
timeframe for a report to fidelity insurers, and any control of the investigation should be clearly identified,
additional requirements, should be included in the fraud as should the powers available to team members.
response plan and is usually laid down in the insurance Reporting procedures and procedures for handling and
document. recording evidence should be clearly understood by all
concerned.
47
Case study 10
TNT roots out fraud
The security function of TNT, a leading global express and mail business, conducts professional investigations
into suspected cases of fraud and has embedded procedures for dealing with whistleblowers.
It has also taken the lead in developing proactive measures against fraud as a way of improving integrity for
all stakeholders. TNT carries out security financial reviews of its business units aimed at identifying, analysing
and dealing with the red flags of fraud.
Parallel with the security financial review, employers are trained through the TNT integrity programme, which
was developed by a newly created group integrity department in conjunction with other key departments,
including security and corporate audit.
Simon Scales, TNT’s Deputy Global Security and Compliance Director, says: ‘Prevention is better than cure.
It’s about doing the right things as well as doing things right.’
Source: Cut out a rotten core, Excellence in Leadership, Issue 2 2007
5.6 The investigation
Preservation of evidence If an individual does end up being charged with a

A key consideration in any investigation must always be criminal offence, and this may not be planned at the
how to secure or preserve sufficient evidence to prove a outset of the investigation, all investigations, and
case of fraud. It is vitally important that control is taken relevant evidence arising from such investigations, will
of any physical evidence before the opportunity arises be open to discovery by that individual’s defence. It is,
for it to be removed or destroyed by the suspect(s). therefore, important that proper records are kept from
Physical evidence may therefore need to be seized at the outset, including accurate notes of when, where and
an early stage in the investigation, before any witness from whom the evidence was obtained and by whom.
statements are collected or interviews conducted. If The police, or legal advisers, will be able to advise on
a criminal act is suspected, the police should also be how this should be done.
consulted early in the process, before any overt action
is taken and the suspect is alerted. If appropriate, written consent should be obtained
from the relevant department or branch manager
In English and Welsh law, for the purposes of criminal before any items are removed. This can be done with
proceedings, the admissibility of evidence is governed senior management authority, as the items are the
by the Police and Criminal Evidence Act 1984 (PACE). organisation’s own property. Similarly, electronic
In addition, the Criminal Procedures and Investigations evidence must be secured before it can be tampered
Act 1996 provides a statutory framework and code with by the suspect.
of practice for disclosure of material collected during
the course of investigations. Although PACE does not
apply in civil or disciplinary proceedings, it should
nevertheless be regarded as best practice.
48
Physical evidence Principle 3
If an internal investigation is being conducted, then an An audit trial or other record of all processes applied to
organisation has a right to access its own records and computer based electronic evidence should be created
may bring disciplinary action against any member of and preserved. An independent third party should be
staff who tries to prevent this. Where physical evidence able to examine those processes and achieve the same
is owned or held by other organisations or individuals result.
who are not employees, it may be necessary to obtain
a court order or injunction to secure access to or to Principle 4
allow seizure of the evidence. The exact means of The person in charge of the investigation (the case
obtaining physical evidence depends on the particular officer) has overall responsibility for ensuring that the
circumstances of the case and whether criminal or civil law and these principles are adhered to.
action is being pursued, or both.
Interviews (general)
When taking control of any physical evidence, original Managers are quite entitled to interview staff under
material is essential. Photocopies are not acceptable. their direction and to ask them to account for
Records should be kept of when it was obtained and assets which were, or are, under their direct control,
the place that it was taken from. If evidence consists or to explain their performance in respect of the
of several items, for example many documents, management or supervision of specific employees.
each one should be tagged with a reference number However, the point at which it is considered that there
that corresponds with the written record. Taking are reasonable grounds for suspicion of an individual is
photographs or video recordings of the scene, such as the point where questioning should be stopped and the
the suspect’s office, may also prove helpful. individual advised that their actions will be the subject
of a formal investigation (should criminal prosecution
Electronic evidence be considered). From this moment on any interviews
In order to ensure case integrity and compliance with should be conducted by trained personnel or by police
current UK legislation, retrieval of electronic evidence officers. Detailed notes should be kept of questions and
should be treated in a similar manner to that of other answers, and interviews should be taped if possible.
physical evidence, although there will be some distinct
differences. These are covered in the UK Good Practice Statements from witnesses
Guide issued by the ACPO, which sets outs four If a witness is prepared to give a written statement, it
principles for dealing with computer-based electronic is good practice for someone else, normally a trained
evidence. These principles are as follows: or experienced manager, to take a chronological record
of events using the witness’s own words. The witness
Principle 1 must be happy to sign the resulting document as a
No action taken by law enforcement agencies or their true record. The involvement of an independent person
agents should change data held on a computer or usually helps to confine the statements to the relevant
storage media, which may be relied upon in court. facts and the witness should be given the opportunity
to be supported by a colleague, acquaintance or trade
Principle 2 union official.
In exceptional circumstances, where a person finds it
necessary to access original data held on a computer
or on storage media, that person MUST be competent
to do so and be able to give evidence explaining the
relevance and the implications of their actions.
49
5.7 Organisation’s objectives with respect

to dealing with fraud
Statements from suspects The thoroughness of an investigation may depend on
If a criminal act is suspected, the requirements of PACE, the course of action that the organisation plans to
and other legislation, must be considered before any take with regard to a case of fraud. The organisation’s
interview with a suspect takes place, since compliance policy may include any or all of the following preferred
determines whether evidence is admissible in criminal outcomes in dealing with fraud.
proceedings. Before initiating any interview under
caution, the interviewer must ensure that they fully Internal disciplinary action
understand the requirements of PACE, as laid down in In accordance with the organisation’s personnel and
the codes of practice issued in accordance with Section disciplinary guidelines.
66 of the Act. These codes are periodically reviewed
and the most recent amendment to the codes came A civil response
into effect from 1 February 2008. As PACE is essentially Whereby action is taken through the civil courts to
aimed at police officers and other trained investigators, recover losses.
if the need for an interview under caution arises, police
involvement should again be considered. Criminal prosecution
Whereby action is taken against the individual(s)
The codes of practice under PACE do still apply to concerned in a police managed enquiry.
others, with Section 67 of the Act making it clear that
‘Persons other than police officers who are charged with A parallel response
the duty of investigating offences, shall ...have regard Where civil action to recover misappropriated assets is
to any relevant provision of such a code.’ Failure to taken in parallel with a police investigation.
observe the codes of practice may therefore jeopardise
vital evidence, rendering it useless. In practice,
therefore, it is suggested that interviews should only 5.8 Follow-up action
be conducted by trained personnel, with advice and
guidance from the organisations legal advisers or the Lessons learned
police. This guidance could be supported by means of a There are lessons to be learned from every
brief or an aide-memoire for the personnel concerned identified incident of fraud, and the organisation’s
and supplemented with formal training. willingness to learn from experience is as important
as any other response. The larger organisation may
When conducting investigations it is also important to consider establishing a special group to examine the
be mindful of the provisions of the Human Rights Act, circumstances and conditions which allowed the fraud
in particular the rights to privacy and to a fair trial or to occur, with a view to making a report to senior
hearing. management detailing improvements to systems
and procedures. A smaller organisation may consider
discussing the issues with some of its more experienced
people, with the same objectives in mind.
50
5.9 Summary
Management response It is important that organisations have a documented

Internal reviews plan for responding to suspected or detected cases
Having experienced an incident of fraud, the of fraud. A fraud response plan should include a
organisation may consider a fundamental review of clear statement on the corporate policy with regard
all of its systems and procedures so as to identify any to dealing with fraud, and set out the roles and
other potential system failures or areas of weakness. responsibilities of those involved in responding to
Changes to systems or policy should be implemented suspicions. It should outline how an investigation should
as soon as possible. be handled, ensuring that due process is followed and
integrity of evidence is maintained. The fraud response
Implement changes plan may also detail follow up action that will be taken
Should weaknesses have been identified, it can only be by an organisation in light of established incidents of
of benefit to the organisation to take the appropriate fraud.
remedial action. Recent statistics have again confirmed
that many organisations suffer more than one incident
of fraud per year.
Annual report
An investigations log should be maintained and an
annual report should be submitted to the board of
all investigations carried out, outcomes and lessons
learned.
Enforcement policies
A growing number of organisations are introducing
enforcement policies that highlight the organisation’s
zero tolerance approach to fraud and clearly state
that if a case of fraud is identified, appropriate action
will be taken and those responsible will be made an
example of, no matter who the perpetrator is. For
example, financial institutions are keen to demonstrate
a commitment to dealing with wrongdoers and are
increasingly prosecuting fraudulent employees rather
than ‘sweeping the matter under the carpet’.
51
Appendix 1 Fraud and the law
UK law
The Fraud Act The Companies Act 2006

The Fraud Act made fraud a criminal offence and The Companies Act in the UK has been subject to major
provides for the following ways of committing the reform, resulting in the Companies Act 2006, which
offence: came into force in its entirety in October 2008. The
• fraud by false representation new legislation sets out a statutory statement of the
• fraud by failing to disclose information general duties of directors and introduces a right for
• fraud by abuse of position. shareholders to sue directors individually for breach of
these duties, either as a result of negligence or fraud.
For each of the different ways of perpetrating fraud
set out in the Fraud Act, the common theme is that a The duties include:
person has acted dishonestly with the intent to make • duty to promote the success of the company
a gain for himself or another, cause loss to another, or • duty to exercise reasonable care, skill and diligence
expose another to a risk of loss. • duty to avoid conflicts of interest
• duty to declare interests in proposed transactions or
In addition to those listed above, the Fraud Act arrangements
also covers the offences of carrying on a business • duty not to accept benefits from third parties.
fraudulently; making, supplying or possessing articles
for use in frauds; and obtaining services dishonestly. The Companies Act 2006 includes the offence of
These offences include the creation or possession fraudulent trading and also creates a new offence in
of software which has been created or adapted for relation to documents to be delivered to Companies
fraudulent use. The newly created fraud offences carry House. Under Section 1112 of the Act, where a person
a maximum penalty of 10 years’ imprisonment, a fine knowingly or recklessly delivers or causes to be
or both. delivered a document or statement that is misleading,
false or deceptive in a material particular, they will be
The Fraud Act affects both companies and individuals liable to up to two years imprisonment, a fine, or both.
and is part of a wider initiative to combat the increasing
problem of fraud. It has been loosely drafted so that it
will be able to capture forms of fraud using the internet
and new technologies. Previous legislation proved
inadequate at keeping up with rapid developments in
technology and the wide range of possible fraudulent
activity resulting from it.
The Fraud Act also extends the territorial scope of

previous legislation. Not all activities of the offence
must take place in the UK in order for a prosecution
under the Fraud Act. UK courts have jurisdiction even
where the only activity to have taken place in the UK is
the gain or loss of property.
52
Public Interest Disclosure Act (PIDA) Serious Crimes Act
PIDA is known as the whistleblowing law in the UK, The Serious Crimes Act aims to improve the ability of
as it offers protection to employees who blow the law enforcement agencies to tackle fraud and other
whistle in one of the ways set out in the Act. Under serious organised crime, and strengthen the recovery of
PIDA, employers should not victimise a ‘worker’ if they criminal assets. It also introduces additional measures
make ‘qualifying disclosures’. PIDA’s definition of a to prevent or disrupt serious crime, including the
worker covers all forms of employment but excludes prevention of fraud. Most of the provisions of the
Crown Servants whose work covers national security Serious Crimes Act came into force in early 2008 and
issues, police officers and employees who ordinarily make several radical changes to criminal law.
work outside the UK. Qualifying disclosures are defined
as information which, in the reasonable belief of the The Serious Crimes Act gives certain courts in the UK
worker making the disclosure, tends to show one or the ability to issue serious crime prevention orders.
more of the following is either happening now, has These create a new form of civil injunction, the breach
happened already or is likely to happen: of which is a criminal act punishable by imprisonment
and a fine. A prevention order can be imposed where
• a criminal offence the court is satisfied that a person (including an
• failure to comply with a legal obligation individual, a partnership or a company) has been
• a miscarriage of justice involved in a serious crime and where it has reasonable
• danger to the health and safety of an individual grounds to believe the order would protect the public
• damage to the environment by prohibiting or restricting the person’s activities,
• deliberate concealment of information tending to including financial holdings, business dealings, working
show any of the above. arrangements and communications. Serious crimes
covered by this Act include attempting, committing,
PIDA has a stepped disclosure regime, which helps facilitating or encouraging serious offences such as
to balance the public interest and the interests of fraud, money laundering, corruption and bribery.
employers. Under this regime, the worker will be
protected if the disclosure is made to their employer, With regard to additional measures, the Serious
some other responsible person if the disclosure is Crimes Act makes new provisions for disclosure and
relevant to that person, or to a third party, where this information sharing by public authorities to any
is in accordance with outlined and agreed procedures. anti-fraud organisation, in order to prevent fraud or
PIDA most readily protects workers where disclosures in relation to proceeds of crime. The government is
are made internally. to prepare a code of practice with respect to such
disclosure. The Act also authorises certain bodies to
With regard to internal disclosures, the worker is conduct data matching exercises for the purpose of
protected if the disclosure has been made in good preventing or detecting fraud. This provision puts a
faith and with reasonable belief that there has been statutory basis around the National Fraud Initiative that
wrongdoing. There are then different levels of external has operated in the UK for some years.
disclosure. Protection is given for disclosures to
prescribed regulators where the worker reasonably
believes that the information or allegation is
substantially true. Wider public disclosures (including to
the media or a consumer group) may still be protected
under PIDA, and more readily so where whistleblowing
arrangements are not in place within the organisation
or are ineffective. There must be justifiable cause for
going wider and the particular disclosure must be
reasonable.
53
Proceeds of Crime Act (POCA) The Fraud Review

POCA was brought into effect during 2002 and 2003, Between 2005 and 2006, the UK Attorney General’s
and allows for the civil recovery of the proceeds of office conducted an extensive review of the national
crime. It consolidated existing laws on confiscation and arrangements for dealing with fraud (The Fraud
money laundering into a single piece of legislation, in Review), with the aim of reducing the extent of fraud
order to improve the efficiency of the recovery process and minimising the harm that it causes to the economy
and increase the amount of illegally obtained assets and wider society.
recovered from criminals.
The Fraud Review was completed in July 2006 with
POCA also created new money laundering offences the publication of an extensive report that contained a
and provided financial investigation officers with new number of recommendations covering measurement,
investigative powers. Under POCA, a money laundering reporting, prevention, investigation and prosecution of
offence is committed where someone conceals, fraud. The report was welcomed by the government
disguises, converts or transfers criminal property or and selected key recommendations were taken forward
removes it from the UK or even between countries as part of an integrated strategy to tackle fraud (the
with in the UK. It is also an offence to enter into an National Fraud Programme).
arrangement that one knows or suspects facilitates
the acquisition, retention, use or control of criminal The National Fraud Programme includes:
property. As such, partaking or assisting in many • formation of a National Fraud Strategic Authority to
activities aimed at defrauding a business may also be co-ordinate strategy between organisations both in
money laundering offences. the public and private sectors who tackle fraud
• creation of a Fraud Loss Measurement Unit to provide
Under POCA, there is no de minimis limit (i.e. it covers robust estimates for the measurement of fraud losses
proceeds of any criminal conduct and not just ‘serious’ and assessment of value and risks of future fraud
crime) and there is no requirement for the activities threats
resulting in the offence to have been conducted in the • enhanced data sharing provisions through creation of
UK. The Serious Organised Crimes and Police Act 2005 a National Fraud Reporting Centre and Intelligence
made some adjustments to POCA, intended to clarify Bureau
the situation in cases where doubt arose under POCA. • creation of a National Lead Force for Fraud based on
the City of London Police Fraud Squad to act as a
The Asset Recovery Agency (ARA) was established centre of excellence
under POCA in 2003. ARA had the powers to use civil • extension of sentencing provisions through new
court procedures to recover the proceeds of crime by powers for the Crown Court.
way of an action in the High Court. However, from April
2008, ARA ceased to exist following its transfer to the The National Fraud Programme brings a greater
Serious Organised Crime Agency under the provisions emphasis on prevention and deterrence of fraud, but
of the Serious Crimes Act. spans the entire spectrum of counter fraud activity,
including detection, prosecution, sanctioning, and
For further information on money laundering, please redress for victims. In October 2007 the government
refer to the Anti-Money Laundering page on CIMA’s announced that £29 million of new funding would
website (www.cimaglobal.com). be put forward to implement the National Fraud
Programme and many of the recommendations have
started to be put into place during 2008.
54
US law
Sarbanes-Oxley Act (Sarbox) Title 4 describes enhanced reporting requirements

Sarbox is a US federal law. However, it is far reaching for financial transactions and includes Section 404.
legislation and impacts on many businesses in the Section 404 of Sarbox is one of the more controversial
UK and globally, and has therefore been included parts of the act, and requires management and the
in this guide. Sarbox was passed in US Congress in external auditor to report on the effectiveness of the
January 2002 and came into effect in November 2004. company’s internal controls over financial reporting.
Compliance is mandatory for all companies listed in the The Securities Exchange Commission (SEC) has noted in
US, regardless of the size of the company or where the its final rules for Section 404 that an adequate internal
company is actually based. control structure must include ‘controls related to
the prevention, identification and detection of fraud.’
Sarbox was introduced in response to a number of This covers more than just accounting fraud. Insider
major corporate and accounting scandals, the most trading, intellectual property theft, misappropriation
well known probably being the collapses of Enron of customer data and other internal frauds would all
and WorldCom. The Act introduced major changes need to be considered. There has been debate over
to the regulation of financial practice and corporate whether Sarbox, and Section 404 in particular, has
governance, aimed at improving accuracy and been too onerous. In 2007, the SEC responded to this
transparency around financial reporting and increasing criticism by issuing management guidance to ensure
oversight of the assurance process. Sarbox is a large that companies focus efforts on what truly matters.
piece of legislation, arranged into 11 titles. This guide According to the Financial Reporting Council, the SEC
will focus on the specific requirements relating to fraud has also identified the Turnbull guidance as a suitable
risk management. framework for complying with the requirements of
Section 404.
Sarbox targets the perceived drivers of financial
statement fraud (or accounting fraud) by attempting Title 8 describes specific penalties for altering,
to strengthen risk management and internal controls, manipulating or destroying financial records or evidence
increase board and audit committee oversight, improve in an investigation, and for defrauding shareholders
auditor vigilance and independence, and create of publicly traded companies. It is also referred to
accounting fraud penalties that act as a significant as the Corporate and Criminal Fraud Accountability
deterrence. It requires companies to implement Act of 2002, based on a fraud bill that was originally
extensive corporate governance policies, procedures proposed following the fall out of Enron. Penalties
and tools to prevent and respond to fraudulent activity include imprisonment of up to 20 years and fines of
within the company. up to $5 million. Title 8 also includes protections for
whistleblowers under Section 806. Procedures for
Title 3 requires chief executives and chief financial handling whisteblower reports are covered by Section
officers (the signing officers) to certify the integrity 301.
of the financial reports. Pursuant to Section 302, the
signing officers must attest that they have evaluated
the internal control system and must give information
on any fraud, regardless of materiality, that involves
management or employees who have significant
involvement in internal control activities.
55
Title 9 increases the criminal penalties for white collar

crimes and conspiracies, and is also called the White
Collar Crime Penalty Enhancement Act of 2002. It
recommends stronger sentencing guidelines and
creates a new criminal offence of failure to certify
corporate financial reports. Attempts and conspiracies
to commit a criminal fraud offence are subject to the
same penalties as committing the offence itself. Again,
penalties of up to 20 years and fines of up to $5 million
can be imposed.
Title 11 makes it a criminal offence to tamper with

records and interfere with official proceedings, and
is also known as the Corporate Fraud Accountability
Act of 2002. It revises sentencing guidelines and
strengthens the associated penalties. Under this title,
the SEC has authority to temporarily freeze large or
unusual payments to directors, officers, agents and
employees of a company during investigations of
security law violations. It also codifies the SEC’s right
to prohibit persons convicted of securities fraud from
serving as a director or officer of a public company.
Sarbox also encourages companies to establish an

ethical culture and requires disclosure of whether
the company has adopted a code of ethics for senior
finance officers. It also has whistleblower provisions to
help uncover lapses in ethics and fraudulent behaviour.
56
Appendix 2 Examples of common types of internal fraud
This appendix looks at common types of internal fraud Misuse of accounts

and some of the methods through which they may be • Wire transfer fraud (fraudulent transfers into bank
perpetrated. accounts).
• Unrecorded sales or receivables.
• Employee account fraud (where an employee is also
Asset misappropriation a customer and the employee makes unauthorised
adjustments to their accounts).
Cash • Writing false credit note to customers with details
of an employee’s personal bank account or of an
Theft of cash account of a company controlled by the employee.
• Stealing from petty cash. • Stealing passwords to payment systems and
• Taking money from the till. inputting series of payments to own account.
• Skimming of cash before recording revenues or
receivables (understating sales or receivables). Non-cash
• Stealing incoming cash or cheques through an
account set up to look like a bona fide payee. Inventory and fixed assets
• Theft of inventory.
False payment requests • False write offs and other debits to inventory.
• Employee creating false payment instruction with • False sales of inventory.
forged signatures and submitting it for processing. • Theft of fixed assets, including computers and other
• False email payment request together with hard copy IT related assets.
printout with forged approval signature. • Theft or abuse of proprietary or confidential
• Taking advantage of the lack of time which typically information (customer information, intellectual
occurs during book closing to get false invoices property, pricing schedules, business plans, etc).
approved and paid. • Receiving free or below market value goods and
services from suppliers.
Cheque fraud • Unauthorised private use of company property.
• Theft of company cheques. • Employees trading for their own account.
• Duplicating or counterfeiting of company cheques.
• Tampering with company cheques (payee/amount). Procurement
• Depositing a cheque into a third party account • Altering legitimate purchase orders.
without authority. • Falsifying documents to obtain authorisation for
• Cheque kiting (a fraud scheme using two deposit payment.
accounts to withdraw money illegally from the bank). • Forging signatures on payment authorisations.
• Paying a cheque to the company knowing that • Submitting for payment false invoices from fictitious
insufficient funds are in the account to cover it. or actual suppliers.
• Improper changes to supplier payment terms or other
Billing schemes supplier details.
• Over-billing customers. • Intercepting payments to suppliers.
• Recording of false credits, rebates or refunds to • Sending fictitious or duplicate invoices to suppliers.
customers. • Improper use of company credit cards.
• Pay and return schemes (where an employee creates • Marked up invoices from contracts awarded to
an overpayment to a supplier and pockets the supplier associated with an employee.
subsequent refund). • Sale of critical bid information, contract details or
• Using fictitious suppliers or shell companies for false other sensitive information.
billing.
57
Payroll • Bill and hold transactions (where the seller bills the
• Fictitious (or ghost) employees on the payroll. customer for goods but does not ship the product
• Falsifying work hours to achieve fraudulent overtime until a later date).
payments. • Early delivery of product/services (e.g. partial
• Abuse of commission schemes. shipments, soft sales, contracts with multiple
• Improper changes in salary levels. deliverables, up front fees).
• Abuse of holiday leave or time off entitlements. • Channel stuffing or trade loading (where a company
• Submitting inflated or false expense claims. inflates its sales figures by forcing more products
• Adding private expenses to legitimate expense claims. through a distribution channel than the channel is
• Applying for multiple reimbursements of the same capable of selling).
expenses.
• False workers’ compensation claims. Misstatement of assets, liabilities and/or expenses
• Theft of employee contributions to benefit plans. • Fictitious fixed assets.
• Overstating assets acquired through merger and
acquisitions.
Fraudulent statements • Improper capitalisation of expenses as fixed assets
(software development, research and development,
Financial start up costs, interest costs, advertising costs).
• Manipulation of fixed asset valuations.
Improper revenue recognition • Schemes involving inappropriate depreciation or
• Holding the books open after the end of the amortisation.
accounting period. • Incorrect values attached to goodwill or other
• Inflation of sales figures which are credited out after intangibles.
the year end. • Fictitious investments.
• Backdating agreements. • Improper investment valuation (misclassification
• Recording fictitious sales and shipping. of investments, recording unrealised investments,
• Improper classification of revenues. declines in fair market value/overvaluation).
• Inappropriate estimates for returns, price adjustments • Fictitious bank accounts.
and other concessions. • Inflating inventory quantity through inclusion of
• Manipulation of rebates. fictitious inventory.
• Recognising revenue on disputed claims against • Improper valuation of inventory.
customers. • Fraudulent or improper capitalisation of inventory.
• Recognising income on products shipped for trial or • Manipulation of inventory counts.
evaluation purposes. • Accounts receivable schemes (e.g. creating fictitious
• Improper recording of consignment or contingency receivables or artificially inflating the value of
sales. receivables).
• Over/under estimating percentage of work completed • Misstatement of prepayments and accruals.
on long-term contracts. • Understating loans and payables.
• Incorrect inclusion of related party receivables • Fraudulent management estimates for provisions,
• Side letter agreements (agreements made outside of reserves, foreign currency translation, impairment,
formal contracts). etc.
• Round tripping (practice whereby two companies • Off balance sheet items.
buy and sell the same amount of a commodity • Delaying the recording of expenses to the next
at the same price at the same time. The trading accounting period.
lacks economic substance and results in overstated
revenues).
58
Other accounting misstatements Personal interests
• Improper treatment of inter-company accounts. • Collusion with customers and/or suppliers.
• Non clearance or improper clearance of suspense • Favouring a supplier in which the employee has a
accounts. financial interest.
• Misrepresentation of suspense accounts for • Employee setting up and using own consultancy
fraudulent activity. for personal gain (conflicts with the company’s
• Improper accounting for mergers, acquisitions, interests).
disposals and joint ventures. • Employee hiring someone close to them over another
• Manipulation of assumptions used for determining more qualified applicant.
fair value of share based payments. • Transfer of knowledge to a competitor by an
• Improper or inadequate disclosures. employee who intends to joins the competitor’s
• Fictitious general ledger accounts. company.
• Journal entry fraud (using accounting journal entries • Misrepresentation by insiders with regard to a
to fraudulently adjust financial statements). corporate merger, acquisition or investment.
• Concealment of losses. • Insider trading (using business information not
released to the public to gain profits from trading in
Non-financial the financial markets).
• Falsified employment credentials e.g. qualifications Bribery and extortion

and references.
• Other fraudulent internal or external documents. Bribery
• Payment of agency/facilitation fees (or bribes) in
order to secure a contract.
Corruption • Authorising orders to a particular supplier in return
for bribes.
Conflicts of interest • Giving and accepting payments to favour or
not favour other commercial transactions or
Kickbacks relationships.
• Kickbacks to employees by a supplier in return for the • Payments to government officials to obtain a benefit
supplier receiving favourable treatment. (e.g. customs officials, tax inspectors).
• Kickbacks to senior management in relation to the • Anti-trust activities such as price fixing or bid rigging.
acquisition of a new business or disposal of part of • Illegal political contributions.
the business.
• Employee sells company-owned property at less Extortion
than market value to receive a kickback or to sell the • Extortion (offering to keep someone from harm in
property back to the company at a higher price in the exchange for money or other consideration).
future. • Blackmail (offering to keep information confidential
• Purchase of property at higher than market value in in return for money or other consideration).
exchange for a kickback.
• Preferential treatment of customers in return for a
kickback.
59
Appendix 3 Example of a risk analysis
The risk analysis set out below is an example of the assessment of the controls in this area, and the net
results of an assessment by a risk management group of likely impact is an assessment of the likelihood of a
the fraud risks in the contracts function. This document fraud not being detected by the controls. At this stage
is a summary of the work undertaken by the risk the risks in the contracts area can be reviewed and
management group, and they will have working papers priorities set for action to address the risk.
to document their workings and assessments.
Take for example, the risks relating to an unchanging list
The risks identified are in the first column, and the of suppliers. The risk management group believes fraud
dates of the risk assessment in the second column. The has a high likelihood of occurring and if so, it could
column Probability/likelihood records the assessment of cause significant financial loss to the business. The
the likelihood of this risk occurring in the organisation. controls are thought to be weak and unlikely to reduce
The ratings are graded high, medium or low. The the risk. They have assessed the net likely impact to be
next column, impact, is an assessment of the impact high and recommend that this is an immediate priority
of a fraud in this area. The next column records the in the contracts area.
Factor/risk area and Date of Probability/ Impact Controls Net likely Action
description contracts assessment likelihood impact
Unchanging list of Priority –
2007 High High Low High
preferred suppliers immediate
Consistent list of single
2007 Medium High High Medium –
source suppliers
Changes in contract
2007 Low Low Medium Low –
specifications
Personal relationships Priority –
between staff and suppliers 2008 Low High Low High within
x months
60
Appendix 4 A sample fraud policy
The following is an example of a policy which can be Actions constituting fraud

modified for use by any organisation.
Fraud comprises both the use of deception to obtain
an unjust or illegal financial advantage and intentional
Background misrepresentations affecting the financial statements
by one or more individuals among management, staff
This organisation has a commitment to high legal, or third parties.
ethical and moral standards. All members of staff are
expected to share this commitment. This policy is All managers and supervisors have a duty to familiarise
established to facilitate the development of procedures themselves with the types of improprieties that might
which will aid in the investigation of fraud and related be expected to occur within their areas of responsibility
offences. and to be alert for any indications of irregularity.
The board already has procedures in place that reduce

the likelihood of fraud occurring. These include standing The board’s policy
orders, documented procedures and documented
systems of internal control and risk assessment. In The board is absolutely committed to maintaining an
addition the board tries to ensure that a risk and fraud honest, open and well intentioned atmosphere within
awareness culture exists in this organisation. the organisation. It is, therefore, also committed to the
elimination of any fraud within the organisation, and to
This document, together with the fraud response the rigorous investigation of any such cases.
plan and investigator’s guide, is intended to provide
direction and help to those officers and directors who The board wishes to encourage anyone having
find themselves having to deal with suspected cases reasonable suspicions of fraud to report them.
of theft, fraud or corruption. These documents give a Therefore, it is also the board’s policy, which will be
framework for a response and advice and information rigorously enforced, that no employee will suffer in any
on various aspects and implications of an investigation. way as a result of reporting reasonably held suspicions.
These documents are not intended to provide direction
on prevention of fraud. All members of staff can therefore be confident
that they will not suffer in any way as a result of
reporting reasonably held suspicions of fraud. For these
Fraud policy purposes ‘reasonably held suspicions’ shall mean any
suspicions other than those which are shown to be
This policy applies to any irregularity, or suspected raised maliciously and found to be groundless. The
irregularity, involving employees as well as consultants, organisation will deal with all occurrences in accordance
suppliers, contractors, and/or any other parties with with the Public Interest Disclosure Act.
a business relationship with this organisation. Any
investigative activity required will be conducted
without regard to any person’s relationship to this
organisation, position or length of service.
61
Appendix 5 Sample whistleblowing policy
Introduction How the whistleblowing policy differs

from the grievance procedure
This whistleblowing policy has been introduced in This policy does not apply to raising grievances about
response to the Public Interest Disclosure Act 1998 and an employee’s personal situation. These types of
provides a procedure which enables employees to raise concern are covered by the organisation’s grievance
concerns about what is happening at work, particularly procedure. The whistleblowing policy is primarily
where those concerns relate to unlawful conduct, concerned with where the interests of others or of
financial malpractice or dangers to the public or the this organisation itself are at risk. It may be difficult to
environment. The object of this policy is to ensure that decide whether a particular concern should be raised
concerns are raised and dealt with at an early stage and under the whistleblowing policy or under the grievance
in an appropriate manner. procedure or under both. If an employee has any doubt
as to the correct route to follow, this organisation
This organisation is committed to its whistleblowing encourages the concern to be raised under this policy
policy. If an employee raises a genuine concern under and will decide how the concern should be dealt with.
this policy, he or she will not be at risk of losing their
job, nor will they suffer any form of detriment as a
result. As long as the employee is acting in good faith Protecting the employee
and in accordance with this policy, it does not matter if
they are mistaken. This organisation will not tolerate harassment or
victimisation of anyone raising a genuine concern under
the whistleblowing policy. If an employee requests
that their identity be protected, all possible steps will
be taken to prevent the employee’s identity becoming
known. If the situation arises where it is not possible to
resolve the concern without revealing the employee’s
identity (e.g. if the employee’s evidence is needed in
court), the best way to proceed with the matter will
be discussed with the employee. Employees should be
aware that by reporting matters anonymously, it will be
more difficult for the organisation to investigate them,
to protect the employee and to give the employee
feedback. Accordingly, while the organisation will
consider anonymous reports, this policy does not cover
matters raised anonymously.
62
How the matter will be handled Independent advice
Once an employee has informed the organisation of If an employee is unsure whether to use this procedure
his or her concern, the concerns will be examined and or wants independent advice at any stage, they may
the organisation will assess what action should be contact the independent charity Public Concern at
taken. This may involve an internal enquiry or a more Work on 020 7404 6609. Their lawyers can give free
formal investigation. The employee will be told who is confidential advice at any stage about how to raise
handling the matter, how they can contact him/her and a concern about serious malpractice at work. An
whether any further assistance may be needed. If the employee can, of course, also seek advice from a lawyer
employee has any personal interest in the matter, this of their own choice at their own expense.
should be declared by the employee at the outset. If
the employee’s concern falls more properly within the
grievance procedure, then they will be advised of this. External contacts
It is intended that this policy should give employees

How to raise a concern internally the reassurance they need to raise concerns internally.
However, this organisation recognises that there may
Step 1 be circumstances where employees should properly
If an employee has a concern about malpractice, he report matters to outside bodies, such as regulators or
or she should consider raising it initially with their the police. If an employee is unsure as to whether this is
line manager. This may be done orally or in writing. appropriate and does not feel able to discuss the matter
An employee should specify from the outset if they internally, Public Concern at Work will be able to give
wish the matter to be treated in confidence so that advice on such an option and on the circumstances in
appropriate arrangements can be made. which an employee should contact an outside body
rather than raise the matter internally.
Alternatively, employees can call the 24 hour
whistleblowing telephone hotline. This service is strictly
confidential and callers will not be asked to give their Matters raised maliciously
name if they do not want to.
Employees who are found to maliciously raise a matter
Step 2 that they know to be untrue will be subject to the
If these channels have been followed and the employee disciplinary policy.
still has concerns, or an employee feels that they
are unable to raise a particular matter with their line
manager, for whatever reason, they should raise the
matter with their head of department, the head of
human resources or the chief internal auditor.
63
Appendix 6 Examples of fraud indicators, risks and controls
The following are examples of indicators for two After the award of contract
specific types of fraud – procurement fraud and fraud • Unexplained changes in the contract after its award.
in the selling process. There are many other types of • Contract awarded to a supplier with a poor
fraud and each will have its own set of indicators as performance record.
well as some of the general indicators that are set out • Split contracts to circumvent controls or contract
in Chapter 4. conditions.
• Suppliers who are awarded contracts
disproportionate to their size.
Example 1: Procurement fraud • Frequent increases in the limits of liability.
• Frequent increases in contract specifications.
Fraud in the purchasing or procurement function is a
particular risk. The following may be indicators of fraud Organisations may wish to consider at invitation to
in the tendering and contract award process. tender acknowledgement stage, or at bid submission,
formally requesting the tenderer to sign a document
Before contract award confirming that no fraud or corrupt practice has
• Disqualification of suitable tenderers. occurred when developing the bid.
• ‘Short’ invitation to tender list.
• Unchanging list of preferred suppliers. This has two effects:
• Consistent use of single source contracts.
• Contracts specifications that do not make 1 It acts as a deterrent – tenderers are alerted to the
commercial sense. fact that the client is aware of the risk of fraud and
• Contracts that include special, but unnecessary will be on the lookout for any evidence that it has
specifications, that only one supplier can meet. occurred.
• Personal relationships between staff and suppliers.
2 It ensures that should something fraudulent come to
During the contract award process light, tenderers can have no excuse that they were
• Withdrawal of a lower bidder without apparent unaware of the client’s policy.
reason and their subsequent sub-contracting to a
higher bidder.
• Flexible evaluation criteria.
• Acceptance of late bids.
• Changes in the specification after bids have been
opened.
• Consistently accurate estimates of tender costs.
• Poor documentation of the contract award process.
• Consistent favouring of one firm over others.
64
Activity Fraud risk Prevention
Scoping of contract The contract specification is Use of control/assessment panel made up

written in a manner which favours of representatives, to ensure that more than
a particular technical, end user and one person is involved in drawing up the
financial supplier. specification.
Contract Conditions of contract are changed Standard contract conditions and
documentation to accommodate a favoured supplier, specifications to be used. Any variations to
or , to exclude competitors be approved by senior management.
Setting evaluation Original evaluation criteria are Use evaluation criteria as agreed by the
criteria changed after the receipt of contract panel prior to tendering. Where EU
submissions to ensure that favoured procurement rules apply evaluation criteria
suppliers are shortlisted are required to be stated in advance.
Contractual Altering terms and conditions to suit Contract terms and conditions should be
correspondence a preferred supplier those of the purchasing department and
not subject to change without the written
approval of senior management.
Contact False claims for work not carried Clear audit trails with written records.
management out, or exaggerated claims for actual Authorisation of changes to original
work done documentation. Random and systematic
checks of activity.
Claims negotiation Assisting the contactor to justify Claims negotiation should be carried out
claims. using professional advisers.
Certification Inadequate certification may lead to Clear separation of duties between ordering
overpayments, or payments for work the work, certification and authorisation for
not carried out. payment. Certification documents should be
returned to the originator.
Authorisation Contract splitting to keep contract The splitting of contacts should not
values under a particular staff be allowed unless authorised by senior
member’s authorisation financial management. Internal controls should be
limit. established to detect this.
Pricing Tender prices appear to drop Management reviews of the reasonableness
whenever a new supplier is invited and competitiveness of prices
to bid.
Suppliers Contract awarded to a company with Ensure contractors with a poor performance
a poor performance record. record are removed from the approved
supplier’s list.
Contract awarded to a contractor Senior management review.
who is not the lowest tenderer.
65
Example 2: Fraud in the selling process
Tender procedure – audit checks Fraud risks also exist in the selling process. Those
Tender board: Should be chaired by senior manager. involved can include any combination of the clients’
management or staff and the organisation’s own
Tender register: Should be held and reviewed by a management or staff, with or without any collusion.
senior manager.
The following are indicators of fraud in the selling
Checks should include: process:
• Were all tenders secured in a locked cabinet/box prior • Overcharging from an approved list or standard profit
to opening? mark-up.
• Who had access to the keys/combination? • Short-changing by not delivering the contracted
• If no tender box/cabinet utilised, what is the quantity or quality.
procedure for dealing with tenders? • Diversion of orders to a competitor or associate.
• Does the tender register show an unbroken, • Bribery of a customer by one of the organisation’s
sequentially numbered and dated list of all tenders own sales representatives.
received? • Bribery of a customer by a competitor – no proper
• Were all the entries signed by the tender board explanation of why the contract went elsewhere.
chairperson? • Insider information by knowing competitor’s prices.
• Confirm that tender lists show no evidence of • False warranty claims that are made or paid.
patronage or incestuous relationships. • Over selling of goods or services that are not
• Confirm that firms which persistently fail to tender necessary.
are excluded from subsequent tender lists. • Giving of free issues/samples when not necessary
• Has relevant approval been obtained before accepting • Links with cartels or ‘rings’.
any tenders whose prices exceed approval limits? • Bribery to obtain contracts which would not
• Has relevant approval been obtained where the otherwise be awarded.
lowest compliant bid is not accepted? • Issuing invoices or credit notes which do not reflect
• In the event of a clear differential in bid prices reality and of which the ultimate payer is unaware.
confirm that the same tender specification has been • Issuing credit notes to hide additional discounts or
sent to all prospective tenderers. rebates.
• Confirm that there is no excessive use of single • The use of sales intermediaries (fixers).
sources of supply or tender action. • Sales commission gates, which can often cause
• Confirm that the tender board has been advised of misreporting of orders.
the signs which would indicate tender rigging/ringing.
• Confirm that the recommended method of
procurement has been followed.
• Confirm that the contract makes commercial sense.
66
Appendix 7 A 16 step fraud prevention plan
1 Consider fraud risk as an integral part of your overall corporate risk-management strategy.
2 Develop an integrated strategy for fraud prevention and control.
3 Develop an ownership structure from the top to the bottom of the organisation.
4 Introduce a fraud policy statement.
5 Introduce an ethics policy statement.
6 Actively promote these policies through the organisation.
7 Establish a control environment.
8 Establish sound operational control procedures.
9 Introduce a fraud education, training and awareness programme.
10 Introduce a fraud response plan as an integral part of the organisation’s contingency plans.
11 Introduce a whistle-blowing policy.
12 Introduce a reporting hotline.
13 Constantly review all anti-fraud policies and procedures.
14 Constantly monitor adherence to controls and procedures.
15 Establish a learn from experience group.
16 Develop appropriate information and communication systems.
Source: Defence Mechanism, Financial Management, September 2002
67
Appendix 8 Outline fraud response plan
1 Purpose of the fraud response plan 7 Organisation’s objectives with respect to fraud
• Internal report
2 Corporate policy – no further action
– disciplinary action
3 Definition of fraud • Civil response
– legal advisers’ control
4 Roles and responsibilities – legal submissions
• Managers and supervisors – case file
• Finance director • Criminal response
• Fraud officer – police controlled
• Human resources – case file
• Audit committee • Parallel response
• Internal auditors – civil recovery
• External auditors – criminal prosecution
• Legal advisers
• IS/IT staff 8 Follow up action
• Public relations • Lessons learned
• The police • Management response
• External consultants – internal reviews
• Insurers – implement changes
– annual report
5 The response – enforcement policies
• Reporting suspicions
• Establish an investigation team
– objectives
– reporting procedures
– responsibilities
– powers
– control
• Formulate a response
– in accordance with corporate policy
6 The investigation
• Preservation of evidence
• Physical evidence
• Electronic evidence
• Interviews (general)
• Statements from witnesses
• Statements from suspects
68
Appendix 9 Example of a fraud response plan
3 The definitions of fraud
This example has been based on a response plan from The term fraud encompasses a number of criminal
an organisation within the UK’s NHS. offences involving the use of deception to obtain
benefit or causing detriment to individuals or
organisations.
1 Introduction
This document is intended to provide a framework
This document is intended to provide direction and help for investigating all suspected cases of fraud, theft or
to those officers and directors who find themselves corruption where:
having to deal with suspected cases of theft, fraud • the value of the organisation has suffered or may
or corruption. It gives a framework for a response have suffered; or
and provides information on various aspects of • has been misrepresented for personal gain
investigation. The document also contains a series of
flowcharts which provide a framework of procedures as a result of the actions or omissions of:
that allow evidence to be gathered and collated in a • directors and staff employed by the organisation; or
way which facilitates informed initial decisions, while • customers, contractors and other external
ensuring that evidence gathered will be admissible in stakeholders.
any future criminal or civil actions. This document is
not intended to provide direction on fraud prevention.
2 Corporate policy
The board is committed to maintaining an honest,

open and well intentioned atmosphere within the
organisation. It is, therefore, also committed to the
elimination of all fraud and to the rigorous investigation
of any such cases.
The board wishes to encourage anyone who has

reasonable suspicions of fraud to report them. The
organisation has a published whistleblowing policy
which aims to ensure that concerns are raised and
dealt with in an appropriate manner. Employees raising
genuine concerns will be protected and their concerns
looked into.
69
4 Roles and responsibilities
Chart 1 Reporting fraud
You suspect fraud or other illegal act

involving the organisation by an employee or
perpetrated on the organisation
Either/or
Discuss with your line manager/head of Discuss with

department head of HR/FD
If suspicions appear well grounded,

department head or head of HR tells the
financial director (FD)
FD records details immediately Fraud and other illegal

in a log acts log
FD considers need to inform chief internal Log reviewed by audit

auditor and/or chief executive, external auditor committee
and police
Where applicable FD to initiate action to end

loss, and correct any weaknesses in controls or
supervision
To Chart 2
70
Finance director Head of human resources
Responsibility for investigating fraud has been Where a member of staff is to be interviewed or
delegated to the finance director. Where appropriate/ disciplined the finance director and/or chief internal
necessary he is also responsible for informing third auditor will consult with, and take advice from, the
parties such as the external auditors or the police about head of human resources.
the investigations. The finance director will inform and
consult with the chief executive in cases where the loss The head of human resources will advise those involved
is potentially significant or where the incident may lead in the investigation in matters of employment law,
to adverse publicity. company policy and other procedural matters (such as
disciplinary or complaints procedures) as necessary.
The finance director will maintain a log of all reported
suspicions, including those dismissed as minor or Line and other managers
otherwise not investigated. The log will contain details If, in accordance with the organisation’s whistleblowing
of actions taken and conclusions reached and will policy, a member of staff raises a concern with their
be presented to the audit committee for inspection line manager, head of department or the head of
annually. human resources the details must be immediately
passed to the finance director for investigation. If a
The finance director will normally inform the chief concern involves the finance director, the matter should
internal auditor at the first opportunity. While the be reported directly to the audit committee.
finance director will retain overall responsibility,
responsibility for leading any investigation will be Staff
delegated to the chief internal auditor. Significant All staff have a responsibility to protect the assets of
matters will be reported to the board as soon as the organisation, including information and goodwill as
practical. well as property.
Chief internal auditor

The chief internal auditor will:
• initiate a diary of events to record the progress of the
investigation throughout
• agree the objectives, scope and timescale of the
investigation and resources required with the finance
director at the outset of the investigation;
• ensure that proper records of each investiation are
kept from the outset, including accurate notes of
when, where and from whom evidence was obtained
and by whom.
71
5 Objectives with respect to fraud
See Chart 2 – managing the investigation The disciplinary procedures of the organisation will
be followed in any disciplinary action taken towards
Investigations will try to establish at an early stage an employee. This will usually involve a disciplinary
whether it appears that a criminal act has taken place. hearing at which the results of the investigation will be
This will shape the way that the investigation is handled considered.
and determine the likely outcome and course of action.
Where, after having sought legal advice, the finance
If it appears that a criminal act has not taken place, an director judges it cost effective to do so, the
internal investigation will be undertaken to: organisation will normally pursue civil action in order
• determine the facts to recover any losses. The finance director will refer the
• consider what, if any, action should be taken against case to the organisation’s legal advisers for action.
those involved
• consider what may be done to recover any loss Where initial investigations point to the likelihood of
incurred a criminal act having taken place the chief internal
• identify any system weakness and look at how auditor will, with the agreement of the finance director,
internal controls could be improved to prevent a contact the police and the organisation’s legal advisers
recurrence. at once. The advice of the police will be followed in
taking forward the investigation.
The chief internal auditor will present the findings of
his investigation to the finance director who will make Where there are sufficient grounds, the organisation
the necessary decisions and maintain a record of the will, in addition to seeking recovery of losses through
subsequent actions in relation to closing the case. Once civil proceedings, also seek a criminal prosecution. The
concluded, details of such cases will be reported to the finance director will be guided by the police in arriving
audit committee on an annual basis for information. at his decision on whether a criminal prosecution is to
be pursued.
Where an investigation involves a member of staff and
it is determined that no criminal act has taken place Where appropriate the finance director will consider the
the finance director will liaise with the head of human possibility of recovering losses from the
resources and appropriate line manager to determine organisation’s insurers.
which of the following has occurred and therefore
whether, under the circumstances, disciplinary action is
appropriate:
• gross misconduct (i.e. acting dishonestly but without
criminal intent)
• negligence or error of judgement was seen to be
exercised
• nothing untoward occurred and therefore there is no
case to answer.
72
Chart 2 Managing the investigation
From Chart 1
FD appoints chief internal

auditor to oversee and start Diary of events
investigation
Does it appear Yes

Inform police and To
that a criminal act has external auditors Chart 3
taken place?
No
Either Investigate Or
No case Gross From
internally to decide which
to answer misconduct Chart 4B
of the following
Or
FD and/or head of dept to
decide what, if any, action Error of judgement/
to take in conjunction with negligent conduct Consider
head of HR possibility of
No making good
Loss recovered? the loss
No including a
Consider possibility of civil action
making good the loss Loss recovered?
for recovery
From
Chart 4A Yes
Yes
In conjunction with head of Initiate
HR, implement disciplinary dismissal
procedures if appropriate procedures
FD updates the fraud and

other illegal acts log
Fraud and other

illegal acts log
73
6 The response
See Charts 3 and 4 – gathering evidence and interview Interviewing suspect(s)

procedure. If the finance director decides to proceed with
interviewing a suspect, and where the suspect is
The chief internal auditor will normally be responsible an employee of the organisation, the interview will
for managing investigations, including interviewing usually be carried out by the line manager and head of
witnesses and gathering any necessary evidence. human resources. The individual(s) being interviewed
However, each case will be treated according to the should be informed of the reason for the interview
particular circumstances and professional advice will be and a contemporaneous record will be made of all
sought where necessary. Where there are reasonable that is said. They should also be advised that they are
grounds for suspicion, the police will be involved at not under arrest and are free to leave at any time.
an early stage but the chief internal auditor may still The individual(s) being interviewed will also be given
undertake part or all of the investigations on their the opportunity to be supported by a friend or trade
behalf, as agreed between the finance director, chief union official. This type of interview will not take
internal auditor and the police. place under caution. If the need for caution arises
during the course of an interview, the interview will
Witness statements be terminated immediately after the caution is given
If a witness is prepared to give a written statement and the individual concerned advised to seek legal
the head of HR or chief internal auditor will take a advice. The finance director will be notified and police
chronological record using the witness’s own words. advice sought at this point. Once the interview is over,
The witness will be asked to sign the document as a the suspect will be given the opportunity to read the
true record. written record and sign each page in acknowledgement
of its accuracy. All other persons present will also be
Physical and electronic evidence asked to sign to acknowledge accuracy.
The chief internal auditor will take control of any
physical evidence and maintain a record of where, when Where external organisations/individuals are involved,
and from whom it was taken. Where the evidence interviews will generally be undertaken by the
consists of several items these will be tagged with a police unless the finance director is able to gain the
reference number which corresponds with the written co-operation of the organisation’s management or
record of the investigation. He should also ensure that auditors.
electronic evidence is appropriately handled.
Before interviewing any suspect(s) the chief internal

auditor will provide a verbal or written report of the
investigation to the finance director. The finance
director may consult others e.g. head of human
resources, the chief executive and the police before
reaching a decision on how to proceed.
74
Chart 3 Gathering evidence
From
Chart 2
Criminal act believed to have

taken place
Is there No
any physical
evidence?
Yes
Collect evidence with documentary

record of time and place
Are No
there any
witnesses?
Yes
Discuss events with witnesses
Yes Are witnesses

Investigation manager to obtain
prepared to give a written
written statement(s) of the events
statement
No
Make a written note of any

discussion
Chief internal auditor to report

to FD
FD to consider if suspect should be

interviewed
To
Chart 4
75
Chart 4 Interview procedure
From
Chart 3
No Does
matter warrant interview
of suspect?
Yes
Advise suspect that chief internal

auditor wishes to discuss incident
with suspect, who may have a
representative present
Arrange a meeting at
Is Yes earliest practicable time,
suspected person willing to that allows suspect
be interviewed? opportunity to have
representative present
No
Is evidence Yes
Is there
gathered sufficient for Interview
a case to answer?
dismissal?
No
Confer with
FD, review Confer with FD and review events
events with No with Police
Police
To To
Chart 2B Chart 2A
76
Appendix 10 References and further reading
The Association of certified fraud examiners (ACFE), Felson, M. and Clarke, R., (1999), Opportunity Makes
(2008), Report to the Nation on Occupational Fraud and the Thief, Police Research Series 98, London: Home
Abuse, www.acfe.org Office.
The Association of certified fraud examiners, ACFE, Finn, J. and Cafferty, D., (September 2002), Defence
(2008), Fraud Examiners Manual. Mechanism, Financial Management.
BDO Stoy Hayward LLP, (January 2008), BDO Fisher, C. and Lovell, A., (2000), Accountants Responses
Fraudtrack 5: A global challenge, to Ethical Issues at Work.
www.bdo.co.uk/fraudtrack
Fraud Advisory Panel, (2006), Sample Fraud Policy
BT Group (2008), BT The way we work: a statement of Statements, www.fraudadvisorypanel.org
business practice, www.bt.com
Fraud Advisory Panel, (2006), Fighting Fraud: A guide for
BSi British Standards, (2008), Whistleblowing SME’s 2nd Edition.
Arrangements Code of Practice, PAS 1998-2008,
www.bsigroup.com/en/Standards-and- Fraud Advisory Panel, (2006-2007), Ninth Annual
Publications/Industry-Sectors/Risk/PAS-19982008- Review 2006-2007 Ethical behaviour is the best defence
Whistleblowing against fraud.
CIMA (2000), Corporate Governance – History, Practice HM Treasury, (May 2003), Managing the Risk of Fraud.
and Future.
Institute of Business Ethics, (2003), Developing a Code
CIMA, (2005), CIMA Official Terminology. of Business Ethics: A guide to best practice including the
IBE Illustrative Code of Business Ethics.
CIMA, (2002), Risk Management: A guide to good
practice. Institute of Business Ethics, (2007), Does Business Ethics
Pay?
CIMA and the IBE, (2008), Managing responsible
business. Institute of Business Ethics, Good Practice Guide, Speak
up Procedures www.ibe.org.uk/SpeakUp
Collier, P.M. and Agyei-Ampomah, S., (2007),
CIMA Official Learning System Management Accounting Institute of Business Ethics, Living Up to our values:
Risk and Control Strategy. developing ethical assurance,
www.ibe.org.uk/LUTOVcontents_overview.pdf
DirectNews, (2007), Weak anti-fraud measures earn
bank hefty fine, CIMA Industry Focus. The Institute of internal auditors, The Association
of certified public accountants, The Association of
Ernst & Young, (2003), Fraud, the Unmanaged Risk, certified public examiners, (2008), Managing the
www.ey.com business risk of fraud: A practical guide.
FEE Brussels, (2005), How SME’s can reduce the risk of International Federation of Accountants (IFAC), (2006),
fraud, www.fee.be/publications International Auditing and Assurance Standards Board,
ISA’s 240,300,315 and 330.
77
Useful Web links
Iyer, N. and Samociuk, M., (2006), Fraud and Governance

Corruption: Prevention and Detection.
Combined Code on Corporate Governance
Iyer, N. and Samociuk, M., (2007), Rotten to the Core, www.frc.org.uk/corporate/combinedcode.cfm
Excellence in Leadership Issue 2, SPG Media.
European Corporate Governance Network:
Kroll and the Economist Intelligence Unit, (2007/2008), www.ecgn.org
Kroll Global Fraud Report, Annual Edition 2007/2008,
www.kroll.com/about/library/fraud Good governance standard for public services, CIPFA,
www.opm.co.uk/index.html
Kroll and the Economist Intelligence Unit, (2008/2009),
Kroll Global Fraud Report Annual Edition 2008/2009, How to use Turnbull to comply with Sarbox
www.kroll.com/about/library/fraud www.frc.org.uk/documents/pagemanager/frc/
draft_guide.pdf
KPMG, (2007), Profile of a Fraudster Survey 2007,
www.kpmg.co.uk/pubs/ProfileofaFraudsterSurvey International Corporate Governance Network:
www.icgn.org
Levi, M., Burrows J., Flemming, M.H., and Hopkins,
M., with the assistance of Matthews, K., (2007), The OECD Anti-Corruption Unit:
Nature, extent and economic impact of fraud in the UK. www.oecd.org/daf/nocorruptionweb
PricewaterhouseCoopers, (2007), Economic Crime: Legislation

people, culture and controls The 4th biennial Global
Economic Crime Survey United Kingdom, Companies Act 2006 www.opsi.gov.uk/ACTS
www.pwc.com/crimesurvey
Fraud Act in 2006 www.opsi.gov.uk/ACTS
PricewaterhouseCoopers, (2007), Economic Crime:
people, culture and controls The 4th biennial Global Police and Criminal Evidence Act 1984 (PACE),
Economic Crime Survey, www.pwc.com/crimesurvey www.police.homeoffice.gov.uk/operational-
policing/powers-pace-codes/pace-code-intro
Professional Accountants in Business committee,
(2006), Defining and developing an effective code of Proceeds of Crime Act 2002 www.opsi.gov.uk/acts
conduct.
Public Interest Disclosures Act (PIDA)
Turner, C., (2007), Fraud risk management: a practical www.opsi.gov.uk/acts
guide for accountants.
Sarbanes – Oxley Act 2002 (Sarbox) www.soxlaw.com
Wells, J., (2007), Corporate fraud handbook: prevention
and detection 2nd ed. Hoboken, NJ: John Wiley and Serious Crimes Act 2007 www.opsi.gov.uk/ACTS
Sons.
78
Organisations
Financial Services Authority (FSA): www.fsa.gov.uk
Fraud Advisory Panel: www.fraudadvisorypanel.org
ISACA: www.isaca.org
National Fraud Strategic Authority:

www.attorneygeneral.gov.uk/national_fraud_
strategic_authority_page.html
Public Concern at Work: www.pcaw.co.uk
Serious Fraud Office: www.sfo.gov.uk
Serious Organised Crime Agency (SOCA):

www.soca.gov.uk
World Bank Anti-Corruption Resource Center:

www1.worldbank.org/publicsector/anticorrupt
79
Appendix 11 Listed abbreviations
ACFE Association of Certified Fraud Examiners

ACPO Association of Chief Police Officers
ARA Asset Recovery Agency
BDO BDO Stoy Hayward LLP
BSi British Standards Institute
CEE Central & Eastern Europe
CEO Chief executive officer
CIMA The Chartered Institute of Management Accounts
CV Curriculum vitae
EIU Economist Intelligence Unit
FSA Financial Services Authority
IBE Institute of Business Ethics
IFAC International Federation of Accountants
IP Intellectual property
IS Information securities
ISA International Standard on Auditing
IT Information technology
OECD Organisation for Economic Co-operation and Development
PACE Police and Criminal Evidence Act 1984
PAIB Professional Accountants in Business
PAS Publicly Available Specification
PIDA Public Interest Disclosure Act 1998
POCA Proceeds of Crime Act 2002
PR Public relations
PwC’s PricewaterhouseCoopers
Sarbox Sarbanes-Oxley Act 2002
SAS Statement on Auditing Standards
SEC Securities & Exchange Commission
SOCA Serious Organised Crime Agency
80
978-1-85971-611-3 (pdf)
January 2009
Chartered Institute of
Management Accountants
26 Chapter Street
London SW1P 4NP
United Kingdom
T. +44 (0)20 8849 2275
F. +44 (0)20 8849 2468
E. [email protected]
www.cimaglobal.com TEC050V0110

Fraud Risk Management

Uploaded by

Copyright:

Available Formats

Fraud Risk Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fraud Risk Management

Uploaded by

Copyright:

Available Formats

Fraud risk management

A guide to good practice

1 Fraud – its extent, patterns and causes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Risk management – an overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Management accountants, whose professional training

The law relating to fraud varies from country to

1.1 What is fraud?

Deﬁnition of fraud As well as updating the legislation in the UK, there

Figure 1 Types of internal fraud

Conﬂicts of Bribery and

1 Kroll Global Fraud Report, Annual Edition 2008/2009

Fraud doesn’t just involve money

The results of PwC’s survey showed that companies

PwC’s survey also revealed that incidences of fraud

3 Kroll Global Fraud Report, Annual Edition 2007/2008

Size really doesn’t matter

From a family affair...

...to a major corporate scandal

There is no single reason behind fraud and any Motivation

2.1 What is risk management? 2.2 Corporate governance

Following the original introduction of the Combined

The Financial Reporting Council is responsible for

ISACA also offers a series of IS standards and

Controls assurance The risk management cycle is an interactive process of

Figure 3 The CIMA risk management cycle

Review and reﬁne

The target likelihood of a risk occurring reﬂects the risk

Fraud risks need to be assessed for each area and

There are risks in most situations. Risk management

Managing the risk of fraud is the same in principle as

3.1 A strategy to combat fraud

Given the prevalence of fraud and the negative Fraud detection

It is worth bearing in mind though, that fraud

Figure 4 Anti-fraud strategy

3.2 Developing a sound ethical culture

The deﬁnition of good ethical practice is not simple.

Reproduced with kind permission of BT

Figure 5 Ethics advice/services provided

Does your organisation provide?

Training on ethical standards at work? 9 46 46

Base: All respondents (1300) 0 10 20 30 40 50 60 70 80 90 100%

Source: Managing Responsible Business, CIMA, 2008

Opposing double standards

4 Does business ethic pay – revisited, IBE

6 Speak Up Procedures (2007), IBE

Reproduced with kind permission of BSI from

3.3 Sound internal control systems

Following up on disclosures is an important part of A strong system of internal controls is considered by

Responsibility for the prevention and detection of fraud

Responsibilities of the auditor

Segregation of duties is not always possible though,

Pre-employment screening At a minimum, organisations should consider screening

All in a week’s work

Reproduced with kind permission of the Fraud Advisory Panel from

In conclusion, a sound ethical culture and an effective

Appendix 7 provides an example of a 16 step fraud

4.1 Detection methods

Figure 6 Methods of fraud detection

Law enforcement investigation

Source: Economic crime: people, culture and controls, PricewaterhouseCoopers, 2007