The most cost-effective way to limit fraud losses is to prevent fraud from occurring in the first place. Internal or employee fraud is one of the largest fraud risks any organisation faces. This checklist is intended to help organisations test the effectiveness of their internal fraud prevention measures.
- Is regular anti-fraud training provided to all employees of the organisation?
Employers need to make it clear to employees that fraud prevention involves everyone. The first step is to make sure everyone knows what fraud is and its consequences.
- Do employees understand what constitutes fraud?
- Have the costs of fraud to the organisation and everyone in it – including lost profits, adverse publicity, reputational damage, potential job loss and decreased morale and productivity – been made clear to employees?
- Do employees know where to seek advice when faced with uncertain ethical decisions, and do they believe that they can speak freely?
- Has a policy of zero tolerance for fraud been communicated to employees through words and actions?
- Is there an effective fraud reporting mechanism?
Employees are the eyes and ears of an organisation, and it should be easy for them to report potential issues, either internally or via a confidential telephone "hotline".
- Have employees been taught how to communicate concerns about known or potential wrongdoing?
- Is there an established reporting channel, such as a third-party hotline, available to employees?
- Do employees trust that they can report suspicious activity anonymously and/or confidentially (where legally permissible) and without fear of reprisal?
- Has it been made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated?
- Do reporting policies and mechanisms extend to suppliers, customers, and other outside parties?
- Are proactive measures taken in relation to prevention and detection of fraud?
Fraud takes place when a fraudster has the means, opportunity and motive to commit it. The first two are largely internal to the organisation and so can be controlled. An effective and adequately resourced internal audit function is a great resource here. Proactive measures include:
- Is possible fraudulent conduct proactively sought out, rather than dealt with passively only when it happens to be discovered?
- Does the organisation send the message that it actively seeks out fraudulent conduct through fraud assessment questioning by auditors?
- Are surprise fraud audits performed in addition to regularly scheduled audits?
- Is continuous monitoring software used to detect fraud and, if so, has the use of such software been made known throughout the organisation?
- Does the organisation have a written fraud response plan in place?
- Is the tone at the top one of honesty and integrity?
It is essential that management is seen to lead the way when it comes to honesty, integrity and business ethics. Employees will follow the example they are set.
- Are employees surveyed anonymously to determine the extent to which they believe management acts with honesty and integrity, and to measure the morale of the organisation?
- Are the ethics of the business communicated to employees, customers and suppliers?
- Are performance goals realistic?
- Are remuneration and reward closely linked to achieving targets?
- Have fraud prevention goals been incorporated into the performance measures that are used to evaluate managers and to determine performance-related compensation?
- Has the organisation established, implemented, and tested a process for oversight of fraud risks by the Board of Directors or others charged with governance (e.g. the audit committee)?
- Is there a fraud risk assessment programme in place?
Fraud risks change constantly, so it is vital that the four-step fraud risk process is followed:
- Assessment of potential vulnerabilities
- Reduction and mitigation
- Monitoring and managing
- Response to red flags
- Are strong and specific anti-fraud controls in place?
It is important to distinguish between "procedures" and "controls". The former set out what should be done; the latter check that the procedure has actually been followed. Many straightforward controls sound obvious but are never actually implemented. Some examples are:
- Proper segregation of duties
- Use of authorisations
- Physical safeguards
- Job rotations
- Mandatory vacations
- CCTV, and logging of physical and logical access to computers and networks
- Strong authentication, prompt removal of access when roles change, and password changes whenever compromise is suspected (routinely forcing password changes on a fixed schedule is no longer recommended by current guidance such as NIST SP 800-63B)
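Segregation of duties and use of authorisations are only controls if something actually checks that they held. The following is an added example, not part of the original checklist, showing how such a check can be run over an application's audit trail: the events, user names, vendor and payment references, and approval limits are all constructed, and the field names are an assumption about what a payments system would log. It flags a user who approves a payment they themselves raised, a user who approves a payment to a vendor they created, approvals by anyone not on the authorisation list, and approvals above the approver's limit.

```python
"""Segregation-of-duties and authorisation checks over a payments audit trail.

Added example for the anti-fraud controls checklist above. All data below is
constructed; field names (user, action, ref, vendor, amount) are assumptions
about what a real payments system's audit log would contain.
"""
from collections import defaultdict

# Constructed audit-trail events. "ref" ties the create and approve events of
# one payment together; vendor creation is keyed by the vendor id instead.
EVENTS = [
    {"ts": "2024-03-01T09:00", "user": "alice", "action": "create_vendor", "ref": "V100", "vendor": "V100"},
    {"ts": "2024-03-01T09:10", "user": "alice", "action": "create_payment", "ref": "P1", "vendor": "V100", "amount": 9800},
    {"ts": "2024-03-01T09:12", "user": "alice", "action": "approve_payment", "ref": "P1", "vendor": "V100", "amount": 9800},
    {"ts": "2024-03-01T10:00", "user": "bob", "action": "create_payment", "ref": "P2", "vendor": "V7", "amount": 15000},
    {"ts": "2024-03-01T10:30", "user": "carol", "action": "approve_payment", "ref": "P2", "vendor": "V7", "amount": 15000},
    {"ts": "2024-03-01T11:00", "user": "dave", "action": "create_payment", "ref": "P3", "vendor": "V9", "amount": 4000},
    {"ts": "2024-03-01T11:05", "user": "erin", "action": "approve_payment", "ref": "P3", "vendor": "V9", "amount": 4000},
]

# Assumed authorisation matrix: who may approve payments, and up to what amount.
APPROVAL_LIMITS = {"carol": 20000, "erin": 2500}


def find_violations(events, approval_limits):
    """Return sorted (rule, payment_ref, user) tuples for every breached control."""
    vendor_creators = {}                 # vendor id -> user who created it
    payments = defaultdict(dict)         # payment ref -> creator/approver/vendor/amount

    for e in events:
        if e["action"] == "create_vendor":
            vendor_creators[e["vendor"]] = e["user"]
            continue
        p = payments[e["ref"]]
        p["vendor"] = e["vendor"]
        p["amount"] = e["amount"]
        if e["action"] == "create_payment":
            p["creator"] = e["user"]
        elif e["action"] == "approve_payment":
            p["approver"] = e["user"]

    findings = []
    for ref, p in payments.items():
        approver = p.get("approver")
        if approver is None:
            continue                     # not yet approved: nothing to test
        # Segregation of duties: the person raising a payment must not approve it.
        if approver == p.get("creator"):
            findings.append(("self_approval", ref, approver))
        # Segregation of duties: the person who set up the payee must not approve payments to it.
        if vendor_creators.get(p["vendor"]) == approver:
            findings.append(("approved_own_vendor", ref, approver))
        # Use of authorisations: only listed approvers, and only within their limit.
        limit = approval_limits.get(approver)
        if limit is None:
            findings.append(("unauthorised_approver", ref, approver))
        elif p["amount"] > limit:
            findings.append(("over_approval_limit", ref, approver))
    return sorted(findings)


if __name__ == "__main__":
    for rule, ref, user in find_violations(EVENTS, APPROVAL_LIMITS):
        print(f"{rule:22} payment={ref} user={user}")
```

Run against the constructed log, the check reports three breaches on payment P1 (alice raised, approved, and owns the vendor for a payment she was never authorised to approve) and one on P3 (erin approved above her limit), while P2 passes. In practice the same logic would run continuously over the live audit trail, and its existence would be made known to staff, as the monitoring question above suggests.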
- Does the recruitment policy include the following, where possible?
Many fraudsters are quietly let go by previous employers and move on to new organisations. Pre-employment checks are a vital control for identifying potential issues before it is too late. These include:
- Past employment verification
- Criminal and civil background checks
- Credit checks
- Drug screening
- Education verification
- Reference checks
- Is an employee assistance programme in place to help employees struggling with addiction, mental or emotional health, family or financial problems?
All frauds require means, opportunity and motive. Motive is usually some form of financial or personal pressure on an employee. Providing support to help employees deal with such issues is an important preventative measure.