Establishing an Organization Wide Fraud Policy

Establishing an Organization Wide Fraud

Policy

October 8, 2013

Special Guest Panelist:Paul McCormack, CFE

Copyright © 2013 FraudResourceNet™ LLC


About Jim Kaplan, MSc, CIA, CFE

President and Founder of AuditNet®, the global resource for auditors

Auditor, Web Site Guru,

Internet for Auditors Pioneer

Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.

Author of “The Auditor’s Guide to Internet Resources” 2nd Edition


About Paul McCormack, CFE

18 years of fraud, litigation and business consulting experience

Worked directly with agents from federal, state and local law enforcement agencies including the F.B.I., G.B.I., D.E.A., and the Secret Service

Previously managed fraud departments for SunTrust Bank, & Delta Air Lines

Frequently writes and speaks on topics involving fraud, cyber security, intellectual property theft and money laundering

Certified Fraud Examiner since 2002


Webinar Housekeeping

This webinar and its material are the property of FraudResourceNet LLC. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We will be recording the webinar and you will be provided access to that recording within 5-7 business days after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

Please complete the evaluation to help us continuously improve our Webinars.Unless you are participating in a group that is viewing this Webinar on a common computer screen, you must answer the polling questions to qualify for CPE per NASBA.

Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.


Disclaimers

4

The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.

While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website

Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC


Today’s Agenda

Introduction: Fraud Statistics: The Growing Fraud Threat

Auditing for Fraud: Standards & Essentials Ethics policy vs. Fraud policy Components of a fraud policy Pros & Cons of a fraud policy Creation and ownership – best practices “Behind the scenes” – making the policy work Traps to avoid Embedding the policy in the corporate DNA Your Questions Conclusion


Fraud: The Big Picture

According to major accounting firms, professional fraud examiners and law enforcement:

Fraud jumps significantly during tough economic times

Business losses due to fraud increased 20% in last 12 months, from $1.4 million to $1.7 million per billion dollars of sales. (Kroll 2010/2011 Global Fraud Report)

Average cost to for each incident of fraud is $160,000 (ACFE) Of Financial Statement fraud: $2 million

Approx. 60% of corporate fraud committed by insiders (PwC)

Approx. 50% of employees who commit fraud have been with their employers for over 5 years (ACFE)


The Auditor’s Role

1200: Proficiency and Due Professional Care

1220: Due Professional Care

2060: Reporting to Senior Management and the Board

2120: Risk Management

2210: Engagement Objectives


Ethics Policy vs. Fraud Policy

Fraud, ethics and code of conduct are often used interchangeably – not always correct to do so

Ethics policy is a set of principles of conduct within an organization - guide “day to day” decision making and behavior. It serves as the “moral compass” for the organization

A fraud policy has a much narrower focus. It addresses fraudulent conduct by employees and third parties

Creating a stand alone fraud policy shines a much needed light on fraud prevention


Fraud Policy – One Element of Ethics / Code of Conduct

Ethics Program

Discrimination & Harassment

Information Security

Compliance with Laws

Conflict of Interest

Fraud Policy


Fraud Policy – Pros & Cons

• Establishes expectations

• Creates basis for HR discipline

• Ensures consistent approach

• Enhances “perception of detection” and prevents fraud

Pros

• Can alienate employees

• Creates expectations that the company may not always meet

• Can be time consuming to create and monitor over time

Cons


So what does a fraud policy include?

A fraud policy contains the following: Details on what constitutes fraud and to whom the policy

applies

Details employees’ / management’s responsibility to report fraud

List of channels available to report suspect activity –multiple and independent

Areas within the company that are responsible for investigating fraud (note: it is not a “regular” employee’s job)

Statement that all investigations will be conducted in a consistent manner without consideration of rank or tenure


Polling Question 1

An organization’s fraud policy should be _________ its Ethics Program

A. Part of

B. Supplemental to

C. Completely separate from


So what does a fraud policy include? (cont.)

A fraud policy contains the following: Details of organization’s tip-reporting channels (hotline,

website, Email, phone, etc) and how to use them

Retaliation / Cover up not permitted

Commitment to cooperate with law enforcement as appropriate

Disciplinary ramifications for committing fraud

Periodic reporting requirements


Creation and ownership – who’s on first?

• Cross divisional impact – need to ensure everyone on board

• Executive management, HR, Legal, Internal Audit, Corporate Security

Identify stakeholders

• Detail why a fraud policy is needed• Clearly define goals and objectivesDevelop a charter

• Who will create the content? Who will approve the final version within each department?

• “Behind the Scenes” - document the investigation process

Assign roles

• Which executives will approve the policy?• How will the new policy be communicated?

Secure final executive approval

• Develop a timetable to follow up and revisit the overall effectiveness of the fraud policy

Develop a follow up process


ImplementationInitial Assessment • If applicable, review existing fraud

policies and procedures

• Review fraud prevention training / new hire process

• Management knowledge, investment and oversight

Detailed Analysis • Review information gathered during

initial assessment for gaps

• Document gaps and share with stakeholder. Include recommendations to bridge gaps

Future State Design and Development• Use results of the initial assessment

and gap analysis to develop fraud policy

• Prior to implementation, share fraud policy with stakeholders/executive sponsor for approval

Implementation• Once approved, develop

implementation timetable and communicate to steering committee

• Track and report status, including roadblocks encountered with stakeholders


Polling Question 2

A basic fraud policy should include which of the following?A. Retaliation / Cover up not permittedB. Commitment to cooperate with law enforcement as

appropriateC. Disciplinary ramifications for committing fraudD. Periodic reporting requirementsE. All of the above


“Behind the Scenes” – Clear Lines of Responsibility


Sample Fraud Policy from ACFE








Polling Question 3

Accoording to the ACFE, ________________ is responsible for detection and prevention of fraud

A. Internal audit

B. Management

C. Audit Committee

D. Everyone who works for the organization








Traps to avoid

Strike the right tone – Fraud policy is designed to protect the company and its employees. Avoid treating all employees as “guilty until proven innocent”

Make sure everyone is on board – Fully address concerns raised by senior executives early in the process

Don’t forget foreign operations – If your company operates overseas, make sure that the policy is legally applicable

Practice what you preach – Departures from policy should be few and far between. If too prescriptive, leave it out

“Out of sight, out of mind” – Don’t create then ignore the policy


Polling Question 4

An employee who reports a possible fraud should never be told not to discuss the incident with anyone else in the organization

A. True

B. False


Embedding the policy in the corporate DNA

Include the fraud policy as a separate section within the code of conduct or ethics policy. Cross-reference where appropriate

Include discussion of the fraud policy/code of conduct during new hire orientation

Once a year, require mandatory training on the code of conduct (online or face to face). Training should include a final exam that includes scenarios to test the employee’s application of the code

Include a “signed” affirmation of the employee’s participation in the course as well as their final exam within their personnel file (an actual or electronic signature is appropriate)


Embedding the policy in the corporate DNA (cont.)

Adhere to the fraud policy in all respects. Example: If the fraud policy stipulates that all allegations will be

investigated within X of days, make sure that takes place

Without naming names, publicize instances where the fraud policy was used to terminate an employee

Ensure that senior executives routinely mention the company’s code of conduct in their speeches and written communications to employees

Display code of conduct related posters in employee break rooms. (Make sure they are replaced if damaged or appear worn)


Polling Question 5

Fraud policies should always avoid taking the tone of

A. Innocent until proven guilty

B. Guilty until proven innocent

C. Everyone in the organization should be part of the detection and prevention effort

D. None of the above


Questions?

Any Questions?Don’t be Shy!


Thank You!

Website: http://www.fraudresourcenet.com

Jim KaplanFraudResourceNet™

800-385-1625 [email protected]

Peter GoldmannFraudResourceNet™

[email protected]

Paul McCormack [email protected]


Coming Up This Month

“Using Data Analytics to Detect and Deter Procure-to-Pay Fraud”, with Rich Lanza, October 30

Economy & Finance

Establishing an Organization Wide Fraud Policy