Managing Fraud
New Guidance for Managing Fraud Risk
Managing the Business Risk of Fraud: A Practical Guide now available.
In August 2006, IIA President Dave Richards, CIA, was talking with representatives from the American Institute of Certified Public Accountants (AICPA) and the Association of Certified Fraud Examiners (ACFE) about a project they were interested in undertaking, but had not been able to get off the ground. "This project was first suggested by a group of individuals who work daily with the aftermath of fraud cases," Richards explains. "Their experiences continued to emphasize the need for a proactive effort to plan for and deal with potential fraud within organizations."
IIA President Dave Richards, CIA, has been listed as one of the 100 most influential people in finance in the latest issue of Treasury and Risk magazine. Richards is cited for leading a task force of more than 20 experts to produce Managing the Business Risk of Fraud: A Practical Guide, which is sponsored by the Association of Certified Fraud Examiners, the American Institute of Certified Public Accountants, and The IIA. Richards is listed in the Risk Management section of the cover story along with such industry leaders as Brad Jewett, ERM director for Microsoft Corp., and Miles Everson, a partner in Global Risk Management Solutions at PricewaterhouseCoopers.
The end product of Richards' discussions with the AICPA and ACFE is 80 pages of guidance that proactively addresses fraud in the workplace. Managing the Business Risk of Fraud: A Practical Guide is available as a free download. The guidance, which includes five key principles of fraud risk management, has been endorsed by several organizations, including The Association of Chartered Certified Accountants, Chartered Accountants of Canada, the Institute of Management Accountants, the Society of Corporate Compliance and Ethics, the Open Compliance and Ethics Group, and The Value Alliance.
Fraud Management Principles
The guidance is the result of almost two years of work on the part of The IIA, AICPA, ACFE, and a team of more than 20 experts from the public and private sectors as well as academia. An initial conference call was held in December 2006 and a two-day, face-to-face meeting of team members took place in January 2007. Along with many other accomplishments during these meetings, participants identified the top five areas to be covered in the guidance — governance, risk assessment, prevention, detection, and response.
The five areas correspond to the five key principles of fraud risk management:
- As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
- The organization should periodically assess fraud risk exposure to identify specific potential schemes and events that the organization needs to mitigate.
- Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
- Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
- A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is dealt with appropriately and in a timely manner.
"With fraud cases coming to light almost daily, we are seeing more expectations being raised in the marketplace for organizations to identify and deal with fraud timely," Richards says. "Recent guidance from the U.S. Securities and Exchange Commission and Auditing Standard No. 5 issued by the U.S. Public Company Accounting Oversight Board emphasize the responsibilities of management and auditors regarding fraud prevention and detection."
According to the guide, vigilant handling of fraud within an organization sends clear signals to the public, stakeholders, and regulators about the board and management's attitude toward fraud risks and about the organization's fraud risk tolerance. Personnel at all levels of the organization — including the board, every level of management, staff, and internal auditors, as well as the organization's external auditors — have responsibility for dealing with fraud risk.
The guidance includes reference materials, examples of fraud policies, a framework for fraud risk assessment, fraud prevention and detection scorecards, OCEG Foundation principles that relate to fraud, and The Committee of Sponsoring Organizations of the Treadway Commission's fraud risk management activities.
Using the Guidance
The guide provides credible guidance from leading professional organizations on how organizations of various sizes and types can establish their own fraud risk management programs. "The guide can be used to assess or improve an organization's fraud risk management program, or to develop an effective program where none exists," says Stephen Winters, CPA, CITP, director, Specialized Communities and Practice Management, AICPA. "Using this guidance will help establish the fraud risk roles and responsibilities of officers, directors, and employees throughout an organization."
"Internal auditors are required by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) to understand the fraud risks to their organizations and how management has designed controls to mitigate those risks," Richards adds. "Further, the Standards require internal auditors to evaluate the specific fraud risks in each audit undertaken. This guidance provides helpful tools to identify these risks and offers ideas to structure a good anti-fraud policy."
"Fraud losses exceed billions of dollars each year," Winters continues. "It may not ever be completely eliminated, but following the guidance of this paper will better position an organization to discourage it and address it when it does happen."
Managing the Business Risk of Fraud: A Practical Guide is available to download for free from the sponsoring organizations' Web sites at www.aicpa.org, www.acfe.org, and www.theiia.org.






