Managing Fraud Risks Using An Effective Internal Control Framework
October 07, 2020
The recently released Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations survey on occupational fraud (fraud committed by staff against their employers) indicates that asset misappropriation had the highest number of reported employee fraud cases (88%), followed by corruption (56%). The increase in fraud incidents is largely due to organizations lacking a systematic approach to risks and issues. A robust internal control framework, such as the one we have highlighted below, enables companies to develop systems of internal controls that reduce risks, including fraud risks, while supporting sound governance in an organization:
Line 1: Business Operations & Activities
- Employees conducting company business activities need to understand what is expected of them and are accountable for conducting business according to the written policies and procedures. Conventionally, this is known as the first line of defence.
- Assess risks as a starting point for building anti-fraud controls and other risk treatment strategies.
- Train staff to ensure they operate competently in whatever activity they undertake.
- Functional managers should communicate the framework and encourage staff to promptly report non-compliance and breaches of procedures.
- Functional monitoring should be done by managers who, as risk owners, are accountable for the controls in their area.
- The business function should respond to issues arising out of deviations in activities and take corrective action in line with policy.
- Enforcement/disciplinary action should be taken consistently and fairly on violations, in line with the disciplinary policy. All lessons learned should be documented and fed back into the internal control environment.
Line 2: Assurance, Risk Management, Compliance & Business Monitoring
- Risk Management, Fraud/Forensic, IT Security, Business Monitoring and Compliance functions are accountable for ensuring that an effective monitoring programme is in place, commensurate with the various risks and with their respective mandates. Conventionally, this is known as the second line of defence.
Line 3: Independent Internal Audit
- Internal Audit is accountable for providing independent and objective assurance on the effectiveness of the framework, internal controls, and all other functions in the business. Internal Audit should have specialized capabilities such as being able to conduct Information System (IS) Audits. Conventionally, this is known as the third line of defence.
Line 4: Governance, Oversight, Business Ethics & Company Values
- Board and Management oversight should be organised, systematic and in line. The ethics management programme and company values should set the management tone at the top for the whole organisation.