Management
A Guide to
Good Practice
ACKNOWLEDGEMENTS
This guide has been prepared by CIMA's Fraud and Risk Management Working Group, which was established to
look at ways of helping management accountants to be more effective in countering fraud and managing risk
in their organisations.
The Working Group comprised:
Martin Birch, Head of Finance, ActionAid
David Cafferty, Forensic Accountant, Ministry of Defence Police Fraud Squad
Kay Dickinson, Senior Assistant Director of Finance, NHS Executive Trent
Mike Frankl, Director of Finance, Reform Synagogues of Great Britain
Roy Katzenberg, Assistant Director, Forensic Services, Ernst & Young
Peter Ludlow, IT Development Manager, Costain Ltd
Richard Meade, formerly Group Auditor, Balfour Beatty plc
Peter Wishart, Financial Manager, Xerox Ltd
with Judy Finn, CIMA Technical Services.
The group would like to thank:
Michael Levi, Professor of Criminology at Cardiff University, for his valuable contribution to Chapter 1
Mike Comer of Maxima Partnering Limited for permission to use material from the journal Inside Fraud
Bulletin and his book Corporate Fraud (3rd edition)
Ernst and Young for their support.
George Staple QC, Chair of the Fraud Advisory Panel, for his very helpful comments on the guide.
The many colleagues of Working Group members who have assisted with the writing of this guide.
Individual chapters of this guide have been written by different members of the group, resulting in the use of
varying styles. We hope that this will not prevent the guide from being both clear and useful.
Additional supplements to this guide are being produced on specific topics such as Computer Fraud and the
Civil Response to Fraud (based on English and Welsh law). For further information contact CIMA Technical
Services (details on the back cover).
A copy of this guide is also available on the internet at http://www.cimaglobal.com.
About CIMA
CIMA (The Chartered Institute of Management Accountants) champions management accountancy worldwide.
In an age of growing globalisation and intensified competition, modern businesses demand timely and accurate
financial information. That is why its members are sought after by companies across the world. They are
commercial business managers with wide ranging skills.
From its headquarters in London and eleven offices outside the UK, CIMA supports 50,000 members and
71,000 students in 156 countries. The CIMA qualification is recognised internationally, and its reputation and
value are maintained through high standards of assessment and regulation. It is the professional qualification of
choice for business worldwide.
© CIMA 2001. All rights reserved. This booklet does not necessarily represent the views of the Council of the
Institute and no responsibility for loss associated to any person acting or refraining from acting as a result of any
material in this publication can be accepted by the authors or publishers.
CONTENTS
FOREWORD (page iv)
INTRODUCTION (page 1)
3. FRAUD PREVENTION
3.1 Developing an anti-fraud culture (page 11)
3.2 Sound internal control systems (page 15)
4. IDENTIFYING FRAUD
4.1 What to look for: indicators and warnings (page 18)
4.2 Tools and techniques (page 20)
5. RESPONDING TO FRAUD
5.1 The purpose of the fraud response plan (page 23)
5.2 Corporate policy (page 23)
5.3 Fraudulent activities (page 23)
5.4 Roles and responsibilities (page 23)
5.5 Organisation's objectives with respect to fraud (page 25)
5.6 The response (page 26)
5.7 The investigation (page 26)
5.8 Follow-up action (page 28)
APPENDICES
Appendix 1: Sample fraud policy (page 29)
Appendix 2: Outline fraud response plan (page 30)
Appendix 3: Example of a fraud response plan (page 32)
Appendix 4: Sample whistle-blowing policy (page 40)
Appendix 5: Examples of fraud indicators, risks and controls (page 42)
Appendix 6: Examples of common types of fraud (page 45)
Appendix 7: Example of a risk analysis (page 47)
Appendix 8: Sources of further information (page 48)
FOREWORD
Fraud costs organisations millions of pounds each year. Periodically, the latest major fraud hits the headlines as
other organisations sit back and watch, telling themselves that "it couldn't happen here".
But the reality is that fraud can be committed anywhere. While there are only a small number of major frauds,
huge sums are lost as a result of the large number of small frauds. Surveys have shown that the majority of
companies have experienced fraud at some level, and that many do not have the formal systems and
procedures in place to deter and detect it. It is in assisting companies in establishing such systems that this
guide should prove very valuable.
No system is completely foolproof, but there are steps which can be taken to deter fraud and make it much less
attractive to commit. The role of the management accountant is a key one in detection and prevention.
We welcome the publication of this guide. It is a timely contribution to fraud prevention and reduction. It aims
to increase the awareness of key decision-makers in companies, whether large or small, to encourage them to
review their key areas of risk and to develop policies and contingency plans to combat fraud. We believe that it
will make a valuable contribution in equipping management accountants and others to respond to the threat
that fraud presents.
Bruce Epsley,
President, CIMA
INTRODUCTION
Several surveys have been carried out in recent years looking at fraud and its management. Most of these have
suggested that organisations need to strengthen their measures for protection and detection. Among the
conclusions from one such international survey, carried out by Ernst and Young and published in their report
Fraud, the Unmanaged Risk (May 2000) are that:
Almost two-thirds of the organisations participating in the survey had been defrauded in the last
twelve months. Almost one in ten had suffered more than 50 frauds.
Eighty-two per cent of the worst frauds were committed by employees, and almost a third of them by
management.
More than 80 per cent of respondents were concerned that a significant fraud could occur in their
organisation.
Only 29 per cent of the total value of the worst frauds known to have been suffered in the last twelve
months had been recovered at the date of the survey.
High fraud losses were not restricted to a particular sector or country; organisations in 23 sectors
suffered losses of more than US$1 million.
Management accountants, whose professional training includes the analysis of information and systems, can
have a significant role to play in the development and implementation of fraud prevention and internal control
systems within their organisations. A survey carried out of readers of Management Accounting (now Financial
Management) confirmed the conclusions of the Ernst and Young survey and others which conclude that fraud
is a widespread and serious problem but that businesses are still not taking fraud prevention seriously enough.
CIMA's Fraud and Risk Management Working Group was established as part of the Institute's response to this
problem. This guide to good practice is the result of the group's first year of work.
The law relating to fraud varies from country to country. Where it is necessary for this guide to make reference
to specific legal measures, this is generally to UK law. It would be impossible to include references to the laws
of all countries where this guide will be read. While some references may, therefore, not be relevant to all
readers, the general principles of fraud prevention will still apply.
CHAPTER 1
FRAUD: ITS EXTENT, PATTERNS AND CAUSES
1.1 WHAT IS FRAUD?
Fraud and the law
Fraud can be defined as dishonestly obtaining an advantage, avoiding an obligation or causing a loss to
another party. The term fraud commonly includes activities such as theft, corruption, conspiracy,
embezzlement, deception, bribery and extortion. The legal definition varies from country to country, and
indeed there may be no coherent definition at all. For example, in England and Wales, related offences are
scattered about in many areas of general, companies, financial services and tax legislation. The Theft Acts
1968 and 1978 created offences of false accounting and of obtaining goods, money and services by deception,
which are the most often used in England and Wales, and the Companies Act 1985 includes the offence
of fraudulent trading. There are also offences of fraud under the income tax and value-added tax
legislation, and the common law offence of conspiracy to defraud.
Different types of fraud
Fraud can mean many things and result from many varied relationships between offenders and victims.
Fraud includes, for example:
crimes by individuals of higher status against consumers, clients or other, lower status businesspeople,
e.g. the looting of a bank or building society in a country that does not have a full compensation
scheme; misrepresentation of the quality of goods;
employee fraud against employers, e.g. payroll fraud; falsifying expense claims;
crimes by small businesses against consumers and employees, e.g. selling counterfeit goods as genuine
ones; pocketing the National Insurance Contributions paid by staff;
crimes by persistent offenders/opportunists against financial institutions, e.g. lost and stolen credit card
and cheque frauds;
crimes by individuals of various status against government, e.g. grant fraud; social security benefit
claim frauds; tax evasion;
crimes by professional criminals against major organisations, e.g. major counterfeiting rings; mortgage
frauds; advance fee frauds.
Looking at the same issue from the fraudster's perspective, it is necessary to take account of:
motivation (including the conditions under which people can rationalise their prospective crimes away
as "necessary" (especially when done for the firm or the political party), "harmless" (because the
victim is large enough to absorb the impact) or even "justified" (because the victim deserved it or
because "I was mistreated"));
opportunities to commit crime(s) (which may include the existence of national and international social
networks, and transferable criminal skills);
technical ability of the fraudster;
expected and actual risk of discovery after the fraud has been carried out;
expectations of consequences of discovery (including non-penal consequences such as job loss and
family stigma, proceeds of crime confiscation, and traditional criminal sanctions);
actual consequences of discovery.
It is worth noting that the UK's National Criminal Intelligence Service has identified that organised crime
organisations are becoming more involved in fraud as there is currently less risk of being caught for
committing fraud than for crimes involving drugs.
Summary
A major reason why people commit fraud is because they are allowed to do so. There are a wide range of
threats facing businesses. The threat of fraud can come from inside or outside the organisation, but the
likelihood that a fraud will be committed will be greatly decreased if the potential fraudster believes that
the rewards will be modest, that they will be detected or that the potential punishment will be
unacceptably high. The main way of achieving this must be to establish a comprehensive system of control
which increases the likelihood of detection and increases the cost to the fraudster.
It has been said that there are three requirements which need to be met to reduce the risk of fraud:
good ethics, good people and good systems (David Sherwin, Ernst and Young).
This guide sets out some of the measures which can be put in place to minimise risks to the organisation.
CHAPTER 2
RISK MANAGEMENT: AN OVERVIEW
Risks are the opportunities and dangers associated with uncertain future events. There is risk in any situation
where there is a possibility of more than one outcome. The existence of risk leads in itself to uncertainty, but
the level of uncertainty will vary both with knowledge and attitude. Risks may not even be recognised, but a
lack of recognition does not alter their existence.
Risk management is the process of understanding the nature of such future events and, where they represent
threats, making positive plans to counter them. This guide is primarily focused on managing the risk of fraud,
but, first, this chapter looks at more general aspects of risk management. It is proposed that risk management
will be covered in more depth in a future guide.
Managing the risk of fraud is the same in principle as managing any other business risk. It is best
approached systematically, both at the organisational level (e.g. by using ethics policies and anti-fraud
policies) and at the operational level. A number of iterative steps should be taken:
1.
2.
3.
4.
5.
6.
high: probable;
moderate: possible;
low: remote.
Table columns: Department/area; Details of risk area; Management; Employees; Third parties; Collusion;
False accounting; Theft.
These will need to be assessed for each area and process of the business, for example, cash payments,
cash receipts, sales, purchasing, expenses, inventory, payroll, fixed assets, loans, etc.
ignoring small risks (but ensuring that they remain under cyclical review);
contractual transfer of risk;
risk avoidance;
risk reduction via controls and procedures;
transferring risks to insurers.
There are risks in most situations. Risk management is an important element of corporate governance
and every organisation should review its risk status and develop its approach as described in the
Risk Management Cycle in 2.2 above.
CHAPTER 3
FRAUD PREVENTION
An effective fraud prevention strategy has five main objectives:
prevention;
deterrence;
disruption;
identification;
civil action/prosecution.
While the hope would always be that the strategy succeeds in preventing incidences of fraud, the very
existence of the strategy acts as a deterrent. Likewise, the risk management strategies, described earlier, will
have the effect of disrupting the activities of any existing fraudster and allow the organisation to identify any
high-risk activities, or control weaknesses. The totality of these measures should, therefore, ensure that costly
civil action, or disruptive and lengthy criminal prosecutions, will not be necessary.
The reduction of opportunities to commit fraud, linked to a heightened risk to perpetrators of being caught,
is the main defence which an organisation can develop in reducing fraud. No organisation is immune: if an
organisation has valuable property (cash, goods, information or services) then fraud will be attempted. In recent
years frauds have occurred in many charities, including religious ones, as well as across the whole range of
government and commercial organisations.
This section will examine some of the main preventative approaches which can be implemented to minimise the
cost of fraud within an organisation. These approaches are generic and can be applied as appropriate to
particular circumstances.
Guiding principles
Avoid acting in any way that could bring the organisation into disrepute or undermine the values it
represents.
Act with integrity towards colleagues, staff, clients, suppliers and members of the public and treat
them with respect.
Ensure that the organisation's aims, objectives and policies are clearly stated and communicated to
members of the public.
Ensure that the allocation of services and benefits to the organisation's intended clients or
beneficiaries is made, and seen to be made, fairly and impartially.
Safeguard the confidentiality of personal data and information of a non-public nature.
Comply with legal requirements, such as copyright legislation, that apply to your day-to-day work.
Extract from an ethics statement produced by the UK's Jewish Association for Business Ethics, printed
with the Association's permission.
Organisations which have created a positive ethical culture have normally either been driven by a
committed chief executive or have been forced to do so because of incidents which caused, or almost
caused, significant loss to the organisation.
Benchmark organisations will generally have:
A mission statement which refers to quality (or, more unusually, to ethics) and which defines how the
organisation wants to be regarded externally;
A clear policy statement on business ethics with explanations about acceptable behaviour in risk prone
circumstances;
A route through which suspected fraud can be reported;
A process of reminders about ethical and fraud policies (e.g. an annual letter);
An aggressive audit process which concentrates on areas of risk;
Management who are seen to be committed through their actions.
One question worthy of consideration is how much publicity should be given to exposed fraud. A
publicised successful fraud investigation can be a sharp reminder to those who may be tempted and a
warning to those who are responsible for the management of controls. While there may be
embarrassment for those who were close to the fraud and did not identify it, and an adverse impact on
the organisation's public image, there can be advantages in publishing internally the outcome of a
successful fraud investigation.
Risk awareness
Almost every time a major fraud occurs many people who were unwittingly close to it are shocked that
they were unaware of what was happening. Therefore, it is important to raise awareness through a formal
education and training programme as part of the overall risk management strategy. Particular attention
should be paid to those managers and staff operating in high-risk areas, such as procurement and bill
paying, and to those with a role in the prevention and detection of fraud, for example human resources
and staff with investigation responsibility.
There are arguments about how far training on fraud should go within an organisation beyond the audit
group; for example, a question often raised is whether management and staff who have been trained in
fraud prevention techniques will then use the knowledge to commit fraud. However, there is advantage in
covering the subject of fraud in generic terms, the corporate ethic, the audit approach and the types of
checks and balances built into processes.
Each type of organisation has different areas of risk and these should be identified, then cost effective
controls developed to minimise the risk. There is obviously a cost to combating risk so a risk profile
statement of activities (as described in the previous chapter) should be drawn up to enable the
identification of appropriate risk management strategies.
Overall responsibility for the organisation's system of internal control must be at the highest level in the
organisation. As the UK's Turnbull Committee (referred to in the previous chapter) stated in its report, the
board of directors is responsible for the company's system of internal control and should seek regular
assurance that will enable it to satisfy itself that the system is functioning effectively. The board must
further ensure that the system of internal control is effective in managing risks in the manner which it has
approved. Whether this responsibility is carried out through an audit committee which provides regular
reports to the board will depend on the size and structure of the organisation, the complexity of its
operations and the nature of the risks it faces.
Extract from IFAC Exposure Draft Fraud and Error (March 2000)
Responsibility of management and of those charged with governance
The primary responsibility for the prevention and detection of fraud and error rests with both
the management of an entity and those charged with the governance of that entity.
It is the responsibility of the management of an entity to establish and maintain policies and
procedures to assist in achieving the objective of ensuring, as far as possible, the orderly and
efficient conduct of the entity's business. This responsibility includes implementing and ensuring
the continued operation of accounting and internal control systems which are designed to
prevent and detect fraud and error. Such systems reduce but do not eliminate the risk of
misstatements, whether caused by fraud or error.
It is the responsibility of those charged with governance of an entity to ensure, through
oversight of management, the integrity of an entity's accounting and financial reporting systems
and that appropriate systems of control are in place, in particular, systems for monitoring risk,
financial control and compliance with the law.
It is clear that spending money on preventing fraud occurring brings many benefits, but the cost benefit
analysis is not easy to construct. The downside risk is to create excessive and expensive controls which
reduce efficiency and demotivate staff. However, the head of fraud investigation for a major bank made
the following observation: "A £1m increase in expenditure on fraud prevention has led to a £25m increase
in profits."
Whistle-blowing
Very many frauds are known or suspected by people who are not involved. The challenge for
management is to encourage these innocent people to speak out, and to demonstrate that it is very much
in their own interest.
In this area there are many conflicting emotions influencing the potential whistle-blower:
disinterest/sneaking admiration;
fear of consequences;
The organisation's anti-fraud culture and reporting processes can be a major influence on the whistle-blower
but it is often fear of the consequences which has the impact. To the whistle-blower the impact of
speaking out can be traumatic, ranging from being dismissed to being shunned by other employees.
Where fraud is committed by senior managers (and this can be as high as the chief executive) then the
predicament faced by the whistle-blower is exacerbated. And this is where management's greatest
challenge lies: to convince staff that everyone is responsible for combating fraud and that the good
health of the organisation and potentially their future employment could be at risk from fraud. Some
companies are considering implementing a policy of recognising and rewarding employees who save the
company money by identifying fraud. Indeed, in the United States, an individual with knowledge that a
false claim has been submitted to the government can elect to become a whistle-blower, and file a
complaint under the False Claims Act. If the Justice Department decides to join the lawsuit, the
whistle-blower receives a share of the recovery. If the Justice Department decides not to participate, the
whistle-blower is entitled to pursue the claim on behalf of the United States and will receive a greater share
of any monies recovered.
Management, of course, has to be aware of the risk of anonymous and malicious accusations, but they
cannot afford to ignore any report in case it is correct. They may wish to state in their policy that
anonymous advice will be treated with extreme caution.
Professional associations and trade unions can help with both legal advice and support for whistle-blowers,
and government legislation, such as that introduced in the UK, will give protection to all but a few
specialist workers. Until there is some history of successful defence of whistle-blowers there will continue
to be disinclination to take the associated risks.
A sample whistle-blowing policy can be found at Appendix 4.
An example of legislation on whistle-blowing: The UK's Public Interest Disclosure Act 1998
The Public Interest Disclosure Act received Royal Assent on 2 July 1999. It offers potential
protection for disclosure by a worker of information within a broad range of qualifying
disclosures. "Worker" is defined so as to cover all forms of employment but excludes Crown Servants
whose work covers national security issues, the armed forces, police officers and employees who
work outside the UK. "Qualifying disclosures" are defined as information which, in the reasonable
belief of the worker making the disclosure, tends to show one or more of the following:
A worker's employer.
Some other responsible person if the disclosure is relevant to that person.
A third party, in accordance with outlined and agreed procedures.
The general rule for external qualifying disclosures is that they may only be made where the
worker can show that:
They reasonably believed they would be subjected to detriment if they had raised the matter
internally, or to the responsible person.
They reasonably believed the evidence would be concealed.
They had previously made a similar disclosure.
It is reasonable to make the disclosure.
An aggrieved whistle-blower can seek legal redress through an industrial tribunal, and
agreements between employers and employees which seek to exclude disclosure are void.
However, corporations cannot rely on legislation; they must create an environment where
employees do not feel at risk in reporting suspicions. There must be a written policy statement
which includes the following safeguards:
Reporting off-line to a senior manager or director well separated from the irregularity, or to
the audit, legal, computer or security departments;
The maintenance of confidentiality;
The whistle-blower to be commended or rewarded for the information.
This is just a brief summary of some of the key elements of the Act. Further reference should be
made to local procedures and instructions and, more importantly, to the Act itself.
Based on material from Inside Fraud Bulletin, Issue 5/1999, by kind permission of the publishers
Maxima Partnering Limited.
the originator who specifies the goods or services and probably price;
the superior who approves the purchase;
the purchasing dept. who negotiate the best value through competitive quotations;
the recipient of goods or services who confirms that the invoice is in line with goods or services received;
the purchase ledger/accounting department who make entries in the accounts;
the treasury manager who ensures that payments are properly supported and in line with policy;
the management accountant who ensures that costs are in line with budgets/standards and purchase
ledger payment statistics are in line with policy.
Division of responsibilities is not always possible and it may be necessary to introduce additional management
examination and control and some form of internal audit as a regular feature. Wherever new internal control
procedures are introduced, they should be documented clearly and simply, in order that any deviation can be
identified.
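One way to make the division of responsibilities above checkable, rather than merely documented, is to record
for each purchase which person performed which of the listed roles and then test that no single person holds
two roles that are meant to check each other. The Python program below is an added example written for this
guide's purchasing list; it is not code from CIMA or the Working Group. The role names follow the list above,
while the set of conflicting role pairs, the person identifiers and the purchase records are constructed
assumptions for illustration. The management accountant's budget review is a monitoring step outside the
transaction chain, so it does not appear in the pairs.

```python
"""Segregation-of-duties check for a purchasing workflow.

Added illustration, not from the CIMA guide. The role names mirror the
guide's list of people who should be involved in a purchase; the conflicting
pairs and the purchase records below are constructed sample data.
"""
from dataclasses import dataclass

# Pairs of roles that must never be held by the same person on one purchase:
# holding both removes the independent check that the division relies on.
# (Assumed pairs for illustration; an organisation sets its own.)
CONFLICTING_ROLES = {
    ("originator", "approver"),        # specifying and approving the purchase
    ("originator", "purchasing"),      # specifying and negotiating the price
    ("approver", "recipient"),         # approving and confirming receipt
    ("recipient", "purchase_ledger"),  # confirming receipt and posting the entry
    ("purchase_ledger", "treasury"),   # posting the liability and releasing payment
    ("approver", "treasury"),          # approving and paying
}


@dataclass
class Purchase:
    ref: str
    roles: dict  # role name -> identifier of the person who performed it

    def violations(self):
        """Return (role_a, role_b, person) for every conflicting pair held by one person."""
        found = []
        for a, b in sorted(CONFLICTING_ROLES):
            pa, pb = self.roles.get(a), self.roles.get(b)
            if pa is not None and pa == pb:
                found.append((a, b, pa))
        return found


def check_purchases(purchases):
    """Map purchase reference -> list of violations, omitting clean purchases."""
    report = {}
    for p in purchases:
        v = p.violations()
        if v:
            report[p.ref] = v
    return report


# Constructed sample purchases (hypothetical people and references).
SAMPLE_PURCHASES = [
    # Clean: the requester also receives the goods, which is not a conflict here.
    Purchase("PO-0001", {"originator": "a.smith", "approver": "b.jones", "purchasing": "c.lee",
                         "recipient": "a.smith", "purchase_ledger": "d.patel", "treasury": "e.khan"}),
    # Two conflicts: self-approval, and the same person posting and paying.
    Purchase("PO-0002", {"originator": "a.smith", "approver": "a.smith", "purchasing": "c.lee",
                         "recipient": "b.jones", "purchase_ledger": "d.patel", "treasury": "d.patel"}),
    # Small-team case: one clerk both receives the goods and posts the ledger entry.
    Purchase("PO-0003", {"originator": "f.wu", "approver": "b.jones", "recipient": "d.patel",
                         "purchase_ledger": "d.patel", "treasury": "e.khan"}),
]

if __name__ == "__main__":
    for ref, issues in check_purchases(SAMPLE_PURCHASES).items():
        for a, b, who in issues:
            print(f"{ref}: {who} acts as both {a} and {b}")
```

Running the script lists each purchase in which one person holds both halves of a conflicting pair. As the
text notes, full division is not always possible; a flagged purchase such as the small-team case is then a
candidate for the additional management examination or internal audit the guide describes, not an automatic
finding of fraud.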
Summary
In conclusion, when an internal control system meets the following standard, it can be deemed effective:
Internal control can be judged effective for each of three business objectives if:
1. management have reasonable assurance that they understand the extent to which the organisation's
objectives are being met;
2. financial management reports are being prepared reliably; and
3. applicable laws and regulations are being complied with.
(Extract from the report of the Committee of the Sponsoring Organisations of the Treadway Committee, USA,
September 1992.)
CHAPTER 4
IDENTIFYING FRAUD
Hindsight is a wonderful thing! Fraud is always obvious to the fraudster's colleagues after the event. Their
statements, and those of internal auditors, when taken by the police or other investigatory bodies, frequently
highlight all the more common fraud indicators. However, the mistake is always the same: fraud was never
considered as an option. No matter how innocent an action may be, or how plausible an explanation may be,
fraud is always an option!
A survey carried out in the UK by Ernst and Young looked at the method of detection of fraudulent activity. The
results are shown in the graph below:
Figure: Method of detection (bar chart; vertical axis 0% to 25%). Categories: normal procedures; outside
information; internal investigation; management review; tip off; audit.
It is clear from this and other anecdotal evidence that external auditors do not generally find fraud. It is not
their job to find fraud, although fraud may be discovered by internal or external auditors as a result of controls
and mechanisms put in place on the advice of external auditors. It is everyone's responsibility to find and report
fraud and irregularity within an organisation. Most frauds are, however, discovered accidentally or as a result of
information received, most notably from ex-employees and spurned lovers! In many cases greater losses are
suffered as a result of employees at all levels ignoring the obvious.
It will never be possible to eliminate fraud, because no system is completely fraud-proof, since many fraudsters
are able to by-pass control systems put in place to stop them. However, greater attention paid to some of the
most common indicators can provide early warning that something is not quite right and increase the likelihood
that the fraudster will be discovered. With that in mind, this chapter provides details of some of the more
common indicators that something is not quite right.
Warning signs
Warning signs have been described as organisational indicators of fraud risk and some examples are set out
below. For convenience these have been sub-divided into business risk, financial risk and environmental risk.
Further examples can be found in Appendix 5.
Business risk
This has been sub-divided into cultural issues, management issues, employee issues, process issues and
transaction issues.
Cultural issues
Management issues
Lack of professionalism and appropriate financial management involvement in key accounting principles,
review of management judgements made in reporting results and the review of significant cost estimates.
A history of legal or regulatory violations within the organisation and/or claims against the entity alleging
such violations.
The presence of strained relationships within the organisation between management and internal or
external auditors.
Lack of management supervision.
Lack of clear management control of responsibility, authorities, delegation, etc.
Employee issues
Process issues
Transaction issues
Poor documentation support for specific transactions such as rebates and credit notes.
Complex transactions.
The above lists of fraud indicators can be indicative of any fraud type. Appendix 4 provides examples of more
specific fraud indicators.
1. Establish the objective. The objective of the research must be clear as this will enable decisions to be made
about the best way forward.
2. Identify the systems and procedures. Undertaking a systems and risk analysis and comparing the laid-down
systems and procedures that should have been in place with those actually in use can help to
identify system or procedural failures.
3. Establish the scale of the risk. This involves identifying the potential loss and assessing whether it is
material. Actual losses should be identified where possible.
4. Situation analysis. This involves background research such as company searches, and identifying those
involved.
5. Analyse all available data. Analysis of all the data will give an understanding of what has occurred and
how it occurred.
6. Prepare schedules (include graphics). Graphical and numerical schedules/spreadsheets should be prepared
to support the analysis and findings. It is important to make it as easy as possible for those with little or no
financial knowledge to understand what has occurred. These, when consolidated, would be in the form
of an audit pack detailing the documents that have led to the formulation of the conclusions.
7. Prepare the report. In preparing the report it is important to bear in mind that whatever the original
objective there is always the possibility of it being used in evidence at some form of legal proceedings. The
report should be factual and where opinion is given it should be clearly identified as such (for example,
professional opinion used in the conclusions of the report). The report should keep to the facts as far as
possible, but that does not mean that the conclusions cannot encompass professional opinion.
Summary
Included in Appendix 4 are examples of specific fraud alerts associated with activities common to most types of
organisation. However, none of these will be of any use unless it is accepted that fraud is possible. It is that
mindset, that awareness, which will enable an organisation to stop an incidence of fraud before it becomes
catastrophic. A warning sign is not effective unless it is appreciated as such and this awareness can only be
achieved by means of a continuing programme of education and training.
CHAPTER 5
RESPONDING TO FRAUD
An organisation's approach to fraud should be described in its fraud policy and fraud response plan. A sample
policy and example plan are contained in Appendices 1 and 2 respectively. This chapter expands on parts of the
outline plan where they have not already been covered in earlier chapters and highlights some issues and
considerations. Paragraph headings in this chapter are those which should form the basis of the fraud response
plan and relate to the actions in the outline response plan in Appendix 2.
Criminal prosecution
Whereby action is taken against the individual(s) concerned in a police-managed enquiry.
A parallel response
Where civil action to recover misappropriated assets is taken in parallel with a police investigation.
Physical evidence
It is vitally important that control is taken of any physical evidence before the opportunity arises for it to be
removed or destroyed by the suspect(s). Physical evidence may therefore need to be seized at an early
stage in the investigation, before any witness statements are collected or interviews conducted. If
appropriate, written consent should be obtained from the department or branch manager before any
items are removed. This can be done with senior management authority as the items are the
organisation's own property. Similarly, electronic evidence must be secured before it can be tampered
with.
If an internal investigation is being conducted then clearly an organisation has a right to access its own
records and may bring disciplinary action against any member of staff who tries to prevent this. Where
physical evidence is owned or held by other organisations or individuals who are not employees it may be
necessary to obtain a court order or injunction to secure access to or to allow seizure of the evidence. The
exact means of obtaining physical evidence depends on the particular circumstances of the case and
whether criminal or civil action is being pursued, or both.
When taking control of any physical evidence, original material is essential; photocopies are not
acceptable. Records should be kept of the time that it was taken and the place that it was taken from. If
evidence consists of several items, for example many documents, each one should be tagged with a
reference number, which corresponds with the written record. Taking photographs or video recordings of
the scene may also prove helpful.
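An evidence register of the kind described above, added here as an example and not taken from the guide: each item receives a sequential reference number that corresponds with a written record of when, where, from whom and by whom it was taken. Securing electronic items with a SHA-256 digest taken at seizure, so that later alteration can be detected, is this example's own assumption; the case reference, names and file contents are constructed.

```python
"""Evidence register: reference tags plus a written record for each seized item."""
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


@dataclass
class EvidenceRecord:
    tag: str                        # reference number written on the item itself
    description: str
    taken_at: str                   # ISO-8601 UTC time the item was taken
    taken_from: str                 # place (and person) it was taken from
    taken_by: str                   # investigator who took control of it
    sha256: Optional[str] = None    # digest at seizure, electronic items only (assumed practice)


def _stamp(when: Optional[datetime]) -> str:
    return (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceRegister:
    """The written record that the reference numbers on seized items correspond to."""

    def __init__(self, case_ref: str) -> None:
        self.case_ref = case_ref
        self.records: list[EvidenceRecord] = []

    def _next_tag(self) -> str:
        # Sequential numbering, so a missing item shows up as a gap on review
        return f"{self.case_ref}/{len(self.records) + 1:03d}"

    def log_physical(self, description: str, taken_from: str, taken_by: str,
                     when: Optional[datetime] = None) -> EvidenceRecord:
        rec = EvidenceRecord(self._next_tag(), description, _stamp(when), taken_from, taken_by)
        self.records.append(rec)
        return rec

    def log_electronic(self, path: Path, taken_from: str, taken_by: str,
                       when: Optional[datetime] = None) -> EvidenceRecord:
        # Hash at the moment of seizure, before anyone else can touch the file
        rec = EvidenceRecord(self._next_tag(), f"file {path.name}", _stamp(when),
                             taken_from, taken_by, sha256=_digest(path))
        self.records.append(rec)
        return rec

    def verify(self, tag: str, path: Path) -> bool:
        """True only if the file still matches the digest recorded at seizure."""
        rec = next((r for r in self.records if r.tag == tag), None)
        if rec is None:
            raise KeyError(f"no record for tag {tag}")
        return rec.sha256 is not None and _digest(path) == rec.sha256


def demo() -> tuple:
    """Constructed scenario: a paper item and a file are seized, then the file is altered."""
    reg = EvidenceRegister("CASE-0001")   # constructed case reference
    reg.log_physical("Purchase ledger, Jan-Mar", "Finance office, cabinet 2",
                     "A. Investigator", datetime(2001, 3, 5, 9, 30, tzinfo=timezone.utc))
    with tempfile.TemporaryDirectory() as d:
        ledger = Path(d) / "ledger.csv"
        ledger.write_bytes(b"supplier,amount\nAcme Ltd,1200\n")   # constructed content
        rec = reg.log_electronic(ledger, "Finance server export", "A. Investigator")
        ok_before = reg.verify(rec.tag, ledger)
        ledger.write_bytes(b"supplier,amount\nAcme Ltd,120\n")    # alteration after seizure
        ok_after = reg.verify(rec.tag, ledger)
    return [r.tag for r in reg.records], ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (['CASE-0001/001', 'CASE-0001/002'], True, False)
```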
When conducting investigations it is essential to be mindful of the provisions of the Human Rights Act, in
particular the rights to privacy and to a fair trial or hearing.
Interviews (general)
Managers are quite entitled to interview staff under their direction and to ask them to account for assets
which were, or are, under their direct control, or to explain their performance in respect of the
management or supervision of specific employees. However, the point at which it is considered that there
are reasonable grounds for suspicion of an individual is the point where questioning should be stopped
and the individual advised that their actions will be the subject of a formal investigation (should criminal
prosecution be considered). From this moment on any interviews should be conducted by trained
personnel, or by police officers. Detailed notes should be kept of questions and answers, and interviews
should be taped if possible.
Statements from witnesses
If a witness is prepared to give a written statement, it is good practice for someone else, normally a
trained, or experienced manager, to take a chronological record of events using the witness's own words.
The witness must be happy to sign the resulting document as a true record. The involvement of an
independent person usually helps to confine the statements to the relevant facts and the witness should
also be given the opportunity to be supported by a friend or trade union official.
Statements from suspects
If a criminal act is suspected the requirements of PACE, and other legislation, must be considered before
any interview with a suspect takes place since compliance determines whether evidence is admissible in
criminal proceedings. In any interview under caution the interviewer must ensure that they fully
understand the requirements of PACE, as laid down in the codes of practice issued in accordance with S66
of the Act, before initiating the interview. As PACE is essentially a matter for police officers and other
trained investigators, if the need for an interview under caution arises, police involvement should again be
considered. Section 67 of the Act states: "Persons other than police officers who are charged with the
duty of investigating offences, shall ... have regard to any relevant provision of the code." Failure to
observe the codes of practice may therefore jeopardise vital evidence, rendering it useless.
In practice, therefore, it is suggested that interviews should only be conducted by trained personnel with
advice and guidance from the organisation's legal advisors, or the police. This guidance could be
supported by means of a brief or an aide-memoire for the personnel concerned and supplemented with
formal training.
Management response
Internal reviews
Having had one incident of fraud, the organisation may consider a fundamental review of all of its systems
and procedures so as to identify any other potential system failures. Changes to the policy or systems
should be implemented as soon as possible.
Implement changes
Should weaknesses have been identified it can only be of benefit to the organisation to take the
appropriate remedial action. Recent statistics have confirmed once again that many organisations suffer
more than one incident of fraud per annum.
Annual report
An annual report should be submitted to the board of all investigations carried out, outcomes and lessons
learned.
APPENDIX 1
A SAMPLE FRAUD POLICY
The following is an example of a policy which can be modified for use by any organisation.
Background
This organisation has a commitment to high legal, ethical and moral standards. All members of staff are
expected to share this commitment. This policy is established to facilitate the development of procedures which
will aid in the investigation of fraud and related offences.
The board already has procedures in place that reduce the likelihood of fraud occurring. These include standing
orders, documented procedures and documented systems of internal control and risk assessment. In addition
the board tries to ensure that a risk (and fraud) awareness culture exists in this organisation.
This document, together with the fraud response plan and investigator's guide, is intended to provide direction
and help to those officers and directors who find themselves having to deal with suspected cases of theft, fraud
or corruption. These documents give a framework for a response and advice and information on various
aspects and implications of an investigation. These documents are not intended to provide direction on
prevention of fraud.
FRAUD POLICY
This policy applies to any irregularity, or suspected irregularity, involving employees as well as consultants,
vendors, contractors, and/or any other parties with a business relationship with this organisation. Any
investigative activity required will be conducted without regard to any person's relationship to this organisation,
position or length of service.
Actions constituting fraud
Fraud comprises both the use of deception to obtain an unjust or illegal financial advantage and intentional
misrepresentations affecting the financial statements by one or more individuals among management, staff or
third parties. Guidance is contained in the Appendix to this policy.
All managers and supervisors have a duty to familiarise themselves with the types of improprieties that might
be expected to occur within their areas of responsibility and to be alert for any indications of irregularity.
THE BOARD'S POLICY
The board is absolutely committed to maintaining an honest, open and well intentioned atmosphere within the
organisation. It is, therefore, also committed to the elimination of any fraud within the organisation, and to the
rigorous investigation of any such cases.
The board wishes to encourage anyone having reasonable suspicions of fraud to report them. Therefore, it is
also the board's policy, which will be rigorously enforced, that no employee will suffer in any way as a result of
reporting reasonably held suspicions.
All members of staff can therefore be confident that they will not suffer in any way as a result of reporting
reasonably held suspicions of fraud. For these purposes reasonably held suspicions shall mean any suspicions
other than those which are shown to be raised maliciously and found to be groundless. The organisation will
deal with all occurrences in accordance with the Public Interest Disclosure Act.
APPENDIX 2
OUTLINE FRAUD RESPONSE PLAN
CORPORATE POLICY
THE RESPONSE
Reporting suspicions
Formulate a response in accordance with corporate policy:
Internal report: no further action; disciplinary action
Civil response: legal advisors control; legal submissions; case file
Criminal response: police controlled; case file
Parallel response: civil recovery; criminal prosecution
THE INVESTIGATION
Preservation of evidence: physical evidence; interviews (general); statements from witnesses; statements from suspects
FOLLOW-UP ACTION
Lessons learned
Management response: internal reviews; implement changes; annual report
APPENDIX 3
EXAMPLE OF A FRAUD RESPONSE PLAN
This example has been based on a response plan from an organisation within the UK's National Health Service.
1. INTRODUCTION
This document is intended to provide direction and help to those officers and directors who find themselves
having to deal with suspected cases of theft, fraud or corruption. It gives a framework for a response and
provides information on various aspects of investigation. The document also contains a series of flowcharts
which provide a framework of procedures that allow evidence to be gathered and collated in a way which
facilitates informed initial decisions, while ensuring that evidence gathered will be admissible in any future
criminal or civil actions. This document is not intended to provide direction on fraud prevention.
2. CORPORATE POLICY
The board is committed to maintaining an honest, open and well-intentioned atmosphere within the
company. It is, therefore, also committed to the elimination of all fraud and to the rigorous investigation
of any such cases.
The board wishes to encourage anyone who has reasonable suspicions of fraud to report them. The
company has a published whistle-blowing policy which aims to ensure that concerns are raised and dealt
with in an appropriate manner. Employees raising genuine concerns will be protected and their concerns
looked into.
3.
4.
Chart 1 (flowchart, not reproduced in this extraction). Recoverable content: if suspicions appear well grounded, the Dept Head or Head of HR tells the DoF; the DoF considers the need to inform the Chief Internal Auditor and/or Chief Exec, the External Auditor and the Police; the log is reviewed by the Audit Committee; the flow continues to Chart 2.
be presented to the audit committee for inspection annually. Significant matters will be reported to the
board as soon as practical.
The director of finance will normally inform the chief internal auditor at the first opportunity. While the
director of finance will retain overall responsibility, responsibility for leading any investigation will be
delegated to the chief internal auditor.
CHIEF INTERNAL AUDITOR
The chief internal auditor will:
initiate a diary of events to record the progress of the investigation throughout;
agree the objectives, scope and timescale of the investigation and resources required with the director
of finance at the outset of the investigation;
ensure that proper records of each investigation are kept from the outset, including accurate notes of
when, where and from whom evidence was obtained and by whom.
HEAD OF HUMAN RESOURCES
Where a member of staff is to be interviewed or disciplined the director of finance and/or chief internal
auditor will consult with, and take advice from, the head of human resources.
The head of human resources will advise those involved in the investigation in matters of employment law,
company policy and other procedural matters (such as disciplinary or complaints procedures) as necessary.
LINE AND OTHER MANAGERS
If, in accordance with the company's whistle-blowing policy, a member of staff raises a concern with their
line manager, head of department or the head of human resources the details must be immediately
passed to the director of finance for investigation.
STAFF
All staff have a responsibility to protect the assets of the company, including information and goodwill as
well as property.
5. OBJECTIVES WITH RESPECT TO FRAUD
See Chart 2 Managing the Investigation
Investigations will try to establish at an early stage whether it appears that a criminal act has taken place.
This will shape the way that the investigation is handled and determine the likely outcome and course of
action.
If it appears that a criminal act has not taken place, an internal investigation will be undertaken to:
determine the facts;
consider what, if any, action should be taken against those involved;
consider what may be done to recover any loss incurred; and
identify any system weakness and look at how internal controls could be improved to prevent a
recurrence.
The chief internal auditor will present the findings of his investigation to the director of finance who will
make the necessary decisions and maintain a record of the subsequent actions in relation to closing the
case. Once concluded, details of such cases will be reported to the audit committee on an annual basis for
information.
Chart 2, Managing the Investigation (flowchart, not reproduced in this extraction). Recoverable content: from Chart 1, keep a diary of events and ask whether it appears that a criminal act has taken place. If yes, inform the police and external auditors and continue to Chart 3. If no, investigate internally to decide between no case to answer, error of judgement/negligent conduct, and gross misconduct; the DoF and/or Head of Dept, in conjunction with the Head of HR, decide what action, if any, to take; consider the possibility of making good the loss, including a civil action for recovery, and whether the loss is recovered; where appropriate implement disciplinary procedures or initiate dismissal procedures with the Head of HR. Entry points from Charts 4A and 4B rejoin here.
Where an investigation involves a member of staff and it is determined that no criminal act has taken
place the director of finance will liaise with the head of human resources and appropriate line manager to
determine which of the following has occurred and therefore whether, under the circumstances,
disciplinary action is appropriate:
gross misconduct (i.e. acting dishonestly but without criminal intent);
negligence or error of judgement was seen to be exercised; or
nothing untoward occurred and therefore there is no case to answer.
The disciplinary procedures of the company will be followed in any disciplinary action taken towards an
employee. This will usually involve a disciplinary hearing at which the results of the investigation will be
considered.
Where, after having sought legal advice, the director of finance judges it cost effective to do so, the
company will normally pursue civil action in order to recover any losses. The director of finance will refer
the case to the company's legal advisers for action.
Where initial investigations point to the likelihood of a criminal act having taken place the chief internal
auditor will, with the agreement of the director of finance, contact the police and the company's legal
advisers at once. The advice of the police will be followed in taking forward the investigation.
Where there are sufficient grounds, the company will, in addition to seeking recovery of losses through civil
proceedings, also seek a criminal prosecution. The director of finance will be guided by the police in
arriving at his decision on whether a criminal prosecution is to be pursued.
Where appropriate the director of finance will consider the possibility of recovering losses from the
company's insurers.
6. THE RESPONSE
See Chart 3 Gathering Evidence
The chief internal auditor will normally be responsible for managing investigations, including interviewing
witnesses and gathering any necessary evidence. However, each case will be treated according to the
particular circumstances and professional advice will be sought where necessary. Where there are
reasonable grounds for suspicion, the police will be involved at an early stage but the chief internal
auditor may still undertake part or all of the investigations on their behalf, as agreed between the director
of finance, chief internal auditor and the police.
Witness statements
If a witness is prepared to give a written statement the head of human resources or chief internal auditor
will take a chronological record using the witness's own words. The witness will be asked to sign the
document as a true record.
Physical evidence
The chief internal auditor will take control of any physical evidence and maintain a record of where, when
and from whom it was taken. Where the evidence consists of several items these will be tagged with a
reference number which corresponds with the written record of the investigation. He should also ensure
that electronic evidence is appropriately handled.
Before interviewing any suspect(s) the chief internal auditor will provide a verbal or written report of the
investigation to the director of finance. The director of finance may consult others e.g. head of human
resources, the chief executive and the police before reaching a decision on how to proceed.
Chart 3, Gathering Evidence (flowchart, not reproduced in this extraction). Recoverable content: entered from Chart 2, noting whether a criminal act is believed to have taken place. Is there any physical evidence? If yes, collect it with a documentary record of time and place. Are there any witnesses? If yes, discuss events with them; if they are prepared to give a written statement, the investigation manager obtains written statement(s) of the events, otherwise a written note is made of any discussion. The Chief Internal Auditor reports to the DoF, who considers whether the suspect should be interviewed; the flow continues to Chart 4 (Interview Procedures).
Chart 4, Interview Procedures (flowchart, not reproduced in this extraction). Recoverable content: does the matter warrant an interview of the suspect? If yes, advise the suspect that the Chief Internal Auditor wishes to discuss the incident and that they may have a representative present. If the suspect is willing to be interviewed, arrange a meeting at the earliest practicable time that allows a representative to be present. If not, consider whether the evidence gathered is sufficient for dismissal and whether there is a case to answer, and confer with the DoF and review events with the Police. Exits return to Chart 2A and Chart 2B.
Interviewing suspect(s)
If the director of finance decides to proceed with interviewing a suspect, and where the suspect is an
employee of the company, the interview will usually be carried out by the line manager and head of
human resources. The individual(s) being interviewed should be informed of the reason for the interview
and a contemporaneous record will be made of all that is said. They should also be advised that they are
not under arrest and are free to leave at any time. The individual(s) being interviewed will also be given
the opportunity to be supported by a friend or trade union official. This type of interview will not take
place under caution. If the need for caution arises during the course of an interview, the interview will be
terminated immediately after the caution is given and the individual concerned advised to seek legal
advice. The director of finance will be notified and police advice sought at this point. Once the interview is
over, the suspect will be given the opportunity to read the written record and sign each page in
acknowledgement of its accuracy. All other persons present will also be asked to sign to acknowledge
accuracy.
Where external organisations/individuals are involved interviews will generally be undertaken by the police
unless the director of finance is able to gain the co-operation of the organisation's management or
auditors.
APPENDIX 4
SAMPLE WHISTLE-BLOWING POLICY
Based on an example from a UK-based organisation.
Introduction
This whistle-blowing policy has been introduced in response to the Public Interest Disclosure Act 1998 and
provides a procedure which enables employees to raise concerns about what is happening at work, particularly
where those concerns relate to unlawful conduct, financial malpractice or dangers to the public or the
environment. The object of this policy is to ensure that concerns are raised and dealt with at an early stage and
in an appropriate manner.
This organisation is committed to its whistle-blowing policy. If an employee raises a genuine concern under this
policy, he or she will not be at risk of losing their job, nor will they suffer any form of detriment as a result. As
long as the employee is acting in good faith and in accordance with this policy, it does not matter if they are
mistaken.
HOW THE WHISTLE-BLOWING POLICY DIFFERS FROM THE GRIEVANCE PROCEDURE
This policy does not apply to raising grievances about an employee's personal situation. These types of concern
are covered by the organisation's grievance procedure. The whistle-blowing policy is primarily concerned with
where the interests of others or of this organisation itself are at risk. It may be difficult to decide whether a
particular concern should be raised under the whistle-blowing policy or under the grievance procedure or under
both. If an employee has any doubt as to the correct route to follow, this organisation encourages the concern
to be raised under this policy and will decide how the concern should be dealt with.
PROTECTING THE EMPLOYEE
This organisation will not tolerate harassment or victimisation of anyone raising a genuine concern under the
whistle-blowing policy. If an employee requests that their identity be protected, all possible steps will be taken
to prevent the employee's identity becoming known. If the situation arises where it is not possible to resolve the
concern without revealing the employee's identity (e.g. if the employee's evidence is needed in court), the best
way to proceed with the matter will be discussed with the employee.
Employees should be aware that by reporting matters anonymously, it will be more difficult for the organisation
to investigate them, to protect the employee and to give the employee feedback. Accordingly, while the
organisation will consider anonymous reports, this policy does not cover matters raised anonymously.
HOW THE MATTER WILL BE HANDLED
Once an employee has informed the organisation of his or her concern, the concerns will be examined and the
organisation will assess what action should be taken. This may involve an internal enquiry or a more formal
investigation. The employee will be told who is handling the matter, how they can contact him/her and
whether any further assistance may be needed. If the employee has any personal interest in the matter, this
should be declared by the employee at the outset. If the employee's concern falls more properly within the
grievance procedure, then they will be told this.
APPENDIX 5
EXAMPLES OF FRAUD INDICATORS, RISKS AND CONTROLS
Withdrawal of a lower bidder without apparent reason and their subsequent sub-contracting to a higher
bidder.
Flexible evaluation criteria.
Acceptance of late bids.
Changes in the specification after other bids have opened.
Consistently accurate estimates of tender costs.
Poor documentation of the contract award process.
Consistent favouring of one firm over others.
1. It acts as a deterrent: tenderers are alerted to the fact that the client is aware of the risk of fraud and will
be on the lookout for any evidence that it has occurred.
2. It ensures that should something fraudulent come to light, tenderers can have no excuse that they were
unaware of the client's policy.
Table of fraud risks and prevention measures in contracting (cell contents not recoverable from this extraction). Row headings: Scoping of contract; Contract documentation; Contractual correspondence; Contract management; Claims negotiation; Certification; Authorisation; Pricing; Suppliers.
If no tender box/cabinet utilised, what is the procedure for dealing with tenders?
Does the tender register show an unbroken, sequentially numbered and dated list of all tenders received?
Confirm that firms which persistently fail to tender are excluded from subsequent tender lists.
Has relevant approval been obtained before accepting any tenders whose prices exceed approval limits?
Has relevant approval been obtained where the lowest compliant bid is not accepted?
In the event of a clear differential in bid prices confirm that the same tender specification has been sent to
all prospective tenderers.
Confirm that there is no excessive use of single sources of supply or tender action.
Confirm that the tender board has been advised of the signs which would indicate tender rigging/ringing.
Short-changing: not delivering the contracted quantity, or quality, of goods and services.
Bribery of a customer by a competitor: no proper explanation of why the contract went elsewhere.
APPENDIX 6
EXAMPLES OF COMMON TYPES OF FRAUD
Table of expense claim frauds (only partly recoverable from this extraction; columns include the item claimed and how it is inflated). Items: Airline tickets; Car mileage (inflated claims); Entertaining; Hotel bills; Petrol (false vouchers); Rail tickets; Taxis.
EXAMPLES OF METHODS
Fictitious sales.
Sales to related parties at non-standard prices.
Including sales from an earlier or later accounting period.
Booking fictitious commissions and licence income.
Exploiting different accounting periods used by associated companies.
Producing false contracts.
Inflating work in progress.
Suppression or overstatement of purchases and costs
Inflation of assets
Suppression of liabilities
APPENDIX 7
EXAMPLE OF A RISK ANALYSIS
The risk analysis set out below is an example of the results of an assessment by the risk management group of
the fraud risks in the contracts function. This document is a summary of the work undertaken by the risk
management group, and they will have working papers to document their workings and assessments.
The risks identified are in the first column, and the dates of the risk assessment in the second column. The
column "Probability/likelihood" records the assessment of the likelihood of this risk occurring in the organisation.
The ratings are graded high, medium or low. The next column, "Impact", is an assessment of the impact of a
fraud in this area. The next column records the assessment of the controls in this area, and the "Net likely
impact" is an assessment of the likelihood of a fraud not being detected by the controls. At this stage the risks in
the contracts area can be reviewed and priorities set for action to address the risk.
Take for example, the risks relating to an unchanging list of suppliers. The risk management group believes
fraud has a high likelihood of occurring and if so, it could cause significant financial loss to the business. The
controls are thought to be weak and unlikely to reduce the risk. They have assessed the net likely impact to be
high and recommend that this is an immediate priority in the contracts area.
Factor/Risk area and description | Date of assessment | Probability/likelihood | Impact | Controls | Net likely impact | Action
CONTRACTS
Unchanging list of preferred suppliers | 1999 | High | High | Low | High | Priority immediate
Consistent list of single source suppliers | 1999 | Medium | High | High | Medium |
Changes in contract specifications | 1999 | Low | Low | Medium | Low |
Personal relationships between staff and suppliers | 2000 | Low | High | Low | High | Priority within x months
APPENDIX 8
SOURCES OF FURTHER INFORMATION
USEFUL READING
Fisher, C. and Lovell, A. (2000) Accountants' Responses to Ethical Issues at Work, CIMA.
Ernst & Young (May 2000) Fraud, the Unmanaged Risk.
Maxima Partnering Limited, Inside Fraud Bulletin.
Comer, M. (1998) Corporate Fraud, 3rd edition, Aldershot: Gower.
Cressey, D. (1953) Criminal violation of financial trust, American Sociological Review, 15, 738-743.
Felson, M. and Clarke, R. (1999) Opportunity Makes the Thief, Police Research Series 98, London: Home Office.
Levi, M. (1998) Organising plastic fraud: Enterprise criminals and the side-stepping of fraud prevention, The Howard Journal of Criminal Justice, 37(4), pp. 423-438.
Levi, M. and Handley, J. (1998) The Prevention of Plastic and Cheque Fraud Revisited, Home Office Research Study 182, London: Home Office.
Levi, M. and Pithouse, A. (in press) White-Collar Crime and its Victims: the Media and Social Construction of Business Fraud, Oxford: Clarendon Press.
Schlegel, K. and Weisburd, D. (eds.) White-Collar Crime Reconsidered, Boston: Northeastern University Press.
CIMA (2000) Corporate Governance: History, Practice and Future.
APACS, Best Practice Guidelines for users of company cheques.
ICAEW (1999) Internal Control: Guidance for Directors on the Combined Code (The Turnbull Report).
International Standard on Auditing 240, Fraud and Error.
UK Statement of Auditing Standards SAS 110, Fraud and Error.
The Association of Certified Fraud Examiners (1996) Report to the Nation on Occupational Fraud and Abuse.
HM Treasury (December 1997) Managing the Risk of Fraud.
WEBSITES
OECD Anti-Corruption Unit: http://www.oecd.org/daf/nocorruptionweb/
World Bank Anti-Corruption Resource Center: http://www1.worldbank.org/publicsector/anticorrupt/
Serious Fraud Office (UK): http://www.sfo.gov.uk/
European Corporate Governance Network: http://www.ecgn.org
International Corporate Governance Network: http://www.icgn.org
CIMA publishes a wide range of free technical publications and other priced publications:
CIMA Publishing
Publishing Sales Department
26 Chapter Street
London
SW1P 4NP
Tel: 020 8849 2229/2277/2270
Fax: 020 8849 2465
E-mail: publishing-sales@cimaglobal.com
Web site: http://www.cimaglobal.com