Sunday, April 26, 2009

Develop a fraud recovery plan

Planning is the key to dealing with any issue. Fraud is no exception – planning what your organisation will do if fraud occurs is best done before the event. When fraud occurs it can be very emotional – it is reasonably common that the person who has committed the fraud is a trusted employee / volunteer and considered a ‘friend’. So planning when people are ‘thinking straight’ (i.e. before the fraud has occurred) is the best option.

Many organisations have a Disaster Recovery Plan (and if they don’t they need to develop one of these also!). For example, a Disaster Recovery Plan can set out what should be done if the computer system fails – where can the server be hosted until a new server is purchased, installed and made operational again. Think of a Fraud Recovery Plan in the same way.

So what should an organisation include in a Fraud Recovery Plan? It should be noted that for a Fraud Recovery Plan to work appropriately, the board will need to pre-approve the use of the plan if fraud does occur. This means that the person who is responsible for the plan needs to be able to implement it as soon as fraud is discovered, without first needing to seek approval from the board – the longer it takes to commence an investigation, the greater the likelihood of losing evidence.

Following are some ideas of what should be included:

  • Does the organisation have the internal skills to investigate the fraud? If not, are resources available externally to conduct the investigation, and will those skills be available at short notice;
  • As per the Fraud Control Policy, the matter should be reported to the police. Therefore, who will liaise with the police in relation to the fraud;
  • Who will deal with terminating the employment of the person who committed the fraud? Will the organisation request the assistance of its lawyers in this regard;
  • If the organisation has insurance against fraud, what is the excess on the policy, what is the maximum amount able to be claimed and when does the insurer need to be notified of the fraud;
  • Will the organisation be at risk of losing funding such as government grants;
  • Will the organisation be at risk of having cash flow problems? If so, is it possible to gain a temporary increase in any overdraft facility;
  • How will other employees and volunteers be advised of what has happened; and
  • How will the organisation manage any reputation risk it may suffer, such as how it will deal with the media should it become known that fraud has occurred, or whether it should issue a media release about the issue.

Saturday, April 18, 2009

Clearly set out what your organisation defines fraud to mean

There are many definitions of fraud. However, to deter and detect fraud, an organisation needs to clearly define what fraud means to them and maintain a consistent definition across the Fraud Control Policy and any other policy or Code of Conduct where the definition may appear.

Examples of definitions of fraud are as follows.

Butterworths Concise Australian Legal Dictionary defines fraud as:

An intentional dishonest act or omission done with the purpose of deceiving.

Paragraph 9 of ASA 240, the Australian Auditing Standard on The Auditor’s Responsibility to Consider Fraud in an Audit of a Financial Report states:

The term “fraud” refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept, for the purposes of this Auditors Standard, the auditor is concerned with fraud that causes a material misstatement in the financial report. Auditors do not make legal determinations of whether fraud has actually occurred. Fraud involving one or more members of management or those charged with governance is referred to as “management fraud”; fraud involving only employees of the entity is referred to as “employee fraud”. In either case, there may be collusion within the entity or with third parties outside of the entity.

Australian Standard AS8001-2008, Fraud and Corruption Control, defines fraud as:

Dishonest activity causing actual or potential financial loss to any person or entity including theft of moneys or other property by employees or persons external to the entity and where deception is used at the time, immediately before or immediately following the activity. This also includes the deliberate falsification, concealment, destruction or use of falsified documentation used or intended for use for a normal business purpose or the improper use of information or position for personal financial benefit.

Section 408C of the Queensland Criminal Code (this is the definition I work with mostly as Queensland is my home state) defines the criminal offence of fraud as follows:

A person who dishonestly:

  • Applies to his or her own use or to the use of any person:
      o Property belonging to another; or
      o Property belonging to the person, or which is in the person’s possession, either solely or jointly with another person, subject to a trust, direction or condition or on account of any other person; or
  • Obtains property from any person; or
  • Induces any person to deliver property to any person; or
  • Gains a benefit or advantage, pecuniary or otherwise, for any person; or
  • Causes a detriment, pecuniary or otherwise, to any person; or
  • Induces any person to do any act which the person is lawfully entitled to abstain from doing; or
  • Induces any person to abstain from doing any act which that person is lawfully entitled to do; or
  • Makes off, knowing that payment on the spot is required or expected for any property lawfully supplied or returned or for any service lawfully provided, without having paid and with intent to avoid payment;

commits the crime of fraud.

When selecting a definition of fraud to use in your anti-fraud program, you need to select a definition that best suits the size and type of your organisation. Do not be afraid to use the definition of fraud as it appears in the criminal legislation in your country or state if a criminal charge of “fraud” is clearly defined.

Sunday, April 12, 2009

Develop a series of exception reports and act on any exceptions

There are often many red flags which, in hindsight, are obvious to those who are left to deal with the aftermath of the fraud.

Risk

The risk is that fraud could be discovered but is not, because the organisation does not recognise the red flags associated with the fraud due to not having appropriate exception reporting in place.

Methods to Mitigate the Risk

An organisation should be prepared to develop a series of exception reports that highlight red flags of fraud.

It must be remembered that red flags are just that. They indicate a potential problem. However, if the potential problems are not recognised and then investigated, the fraud, if it is occurring, will continue to occur. For that reason, any red flags that are highlighted by the exception reports need to be investigated.

An example of an exception report is one that tests whether employees have created false creditors which are being paid by the organisation. This involves electronically comparing employee and creditor bank account numbers, street addresses, postal addresses, post codes/zip codes, telephone numbers and mobile / cell phone numbers (especially for those employees in the accounts payable and payroll departments).

Another simple exception report is to consider variances between actuals and budgets for income that is below budget and expenses that are above budget.

It should be noted that there are numerous exception reports that can be utilised by an organisation. Each organisation should determine which exception reports are appropriate to them.

To make exception reporting easier, it can be computerised. An organisation should take the time to set up the exception reports that are appropriate. Once this initial investment of time has been made, the exception reports can easily be run on a regular basis. From then on, the investment of time will be in investigating exceptions as they arise.
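
The employee-to-creditor comparison described above can be computerised along the following lines. This is an added example, not part of the original post: the field names, the sample records and the normalisation rules (digits-only bank numbers, last nine phone digits, a small street-abbreviation table) are all assumptions made for illustration.

```python
import re

# Constructed sample master-file rows (not real data); field names are assumed.
EMPLOYEES = [
    {"id": "E01", "dept": "Accounts Payable", "bank": "064-000 1234 5678",
     "phone": "0400 111 222", "address": "12 Example St, Brisbane", "postcode": "4000"},
    {"id": "E02", "dept": "Operations", "bank": "064-001 9999 0000",
     "phone": "(07) 3000 0001", "address": "7 Sample Rd, Ipswich", "postcode": "4305"},
]
CREDITORS = [
    {"id": "C10", "bank": "06400012345678", "phone": "+61 400 111 222",
     "address": "PO Box 9, Brisbane", "postcode": "4000"},
    {"id": "C11", "bank": "084-123 5555 1111", "phone": "07 3111 2222",
     "address": "7 sample road ipswich", "postcode": "4305"},
    {"id": "C12", "bank": "012-345 1111 2222", "phone": "07 3222 3333",
     "address": "1 Other Ave, Cairns", "postcode": "4870"},
]
ABBREV = {"st": "street", "rd": "road", "ave": "avenue"}
SENSITIVE_DEPTS = {"accounts payable", "payroll"}

def digits(value):
    """Keep digits only so spacing and punctuation do not hide a match."""
    return re.sub(r"\D", "", value)

def norm_address(value):
    """Lower-case, drop punctuation and expand common street abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

# Assumption: the last nine phone digits are compared, ignoring a 0 or +61 prefix.
NORMALISERS = {"bank": digits, "phone": lambda v: digits(v)[-9:],
               "address": norm_address, "postcode": digits}

def exception_report(employees, creditors):
    """Return one row per employee/creditor pair sharing any detail."""
    rows = []
    for emp in employees:
        for cred in creditors:
            # A blank field on the employee side is never treated as a match.
            shared = [f for f, norm in NORMALISERS.items()
                      if norm(emp[f]) and norm(emp[f]) == norm(cred[f])]
            if shared:
                rows.append({"employee": emp["id"], "creditor": cred["id"],
                             "shared": shared,
                             "sensitive": emp["dept"].lower() in SENSITIVE_DEPTS})
    # Accounts payable and payroll staff first, then the most shared fields.
    rows.sort(key=lambda r: (not r["sensitive"], -len(r["shared"])))
    return rows
```

Calling `exception_report(EMPLOYEES, CREDITORS)` returns the rows to investigate. A shared postcode on its own is a weak indicator, so it is best read as supporting a bank, phone or address match.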

Sunday, April 5, 2009

Utilise an Exit Checklist when Employees Leave

Many organisations use an exit checklist when an employee and/or volunteer leaves. However, it needs to be comprehensive so that it covers all areas that could cause detriment to the organisation.

When employees and / or volunteers leave the organisation, it is important that they no longer have access to the organisation’s information and no longer have possession of assets of the organisation.

Risk

The risk is that someone who leaves uses their previously provided information and/or assets to cause detriment to the organisation. This can be done in a number of ways. For example:

  • Remotely accessing a member list and deleting important information or obtaining a copy of the information for future use;
  • Remotely accessing client information that should remain confidential and allowing that information to be released to the public, damaging the reputation of the organisation;
  • Accessing the organisation’s premises to cause physical damage;
  • Keeping assets they are not entitled to keep; or
  • Incurring expenses after they have ceased employment.

Methods to Mitigate the Risk

A checklist should be established for when an employee (and in some instances a volunteer) leaves the organisation. The checklist should include all items that need to be returned to the organisation, all authorisations that need to be cancelled and any other matters that should be addressed. This is so an ex-employee (or volunteer) cannot defraud the organisation after they leave.

The following is a list (but not an exhaustive list) of matters that should be included:

  • Items to be handed back to the organisation:
      o Corporate Credit Card
      o Laptop / computer / modem / AV equipment etc
      o Thumb drives / external hard drives and any other external storage devices
      o Software
      o Mobile phones and accessories
      o Internet connection equipment
      o Manuals
      o Car and car keys (including all items that should be in the car, e.g. first aid kit)
      o Fuel card
      o Keys / access card to the building, office, cupboards and filing cabinets
      o Security tokens for online banking, email access and any other remote access requirements
      o Staff identification card and name tag
      o Uniforms
  • To be changed / closed:
      o All computer access restricted both in the office and remotely
      o Taken off the bank accounts as a signatory
      o Password for online banking cancelled
      o Security codes for access to the office / building cancelled

It must be remembered that the above are examples only, and a full list of items included on an Exit Checklist will vary from organisation to organisation.