Ensure compliance. The senior management defines mechanisms to monitor, identify and address breaches of internal controls. Effective implementation of processes and internal controls must be assessed through periodic monitoring processes.
Ensure Compliance: Step 6 In Fraud Risk Management
Organizations usually set “Zero tolerance” for non-compliance with regulatory and legal requirements, and zero tolerance levels may also support making the fraud risk management program effective. Zero Tolerance means that all the employees are required to adopt the strong compliance culture cascaded down the line from the Board of Directors.
Any non-compliance, such as regulatory, legal, or policy, is considered critical and extreme; therefore, strict punishments are defined by management for such non-compliances because these may also lead to the occurrence of frauds.
To monitor the compliance of policies and procedures, a separate department such as the risk management department is responsible for monitoring the compliances.
Fraud Risk Management Department
The monitoring may be performed by the fraud risk management department or the organization’s risk management function. Monitoring is performed to ensure compliance with approved policies and procedures.
The monitoring department must be allowed and provided with resources to check compliances and identify any non-compliance issues.
Apart from regular monitoring, the formal sanctions for intentional non-compliance must be publicized to ensure that all employees know about the repercussions of non -compliances with the policies and procedures leading to the occurrence of frauds. The punishment levels must be consistent to ensure that employees are prohibited from participating in any fraudulent activity.
To depart such knowledge and monitor the behavior of employees in different departments, the management may vest the responsibility to an individual or group of individuals, depending on the size and diversity of business and operations of the organization. In large organizations such as banks, there may be a separate fraud risk management department working under the reporting line of the Chief Risk Officer (CRO).
Fraud Risk Governance
Fraud risk management must be ingrained in an organization’s DNA through written policies, clearly defined responsibilities, and ongoing procedures that implement an effective program. There must be a clear role for the Board and top management in developing these policies, with reporting in place to provide them with the necessary information about the program and its performance. The tone set at the top will be reflected in the organization’s perception of fraud prevention and detection.
It is critical to have a responsible person in charge of the program who has access to top management and adequate resources. This individual should be in charge of designing and evaluating the program, as well as communicating it throughout the organization as needed. There is no one-size-fits-all program because organizations vary greatly in complexity, inherent risk, and size, but all programs will address issues such as:
Responsibilities and rolesFraud detectionConflict of interest disclosureFraud risk evaluationProcedures for reportingProtection for whistleblowersThe investigation procedureRemedial actionQuality controlContinuous monitoring
A structured risk assessment that addresses the actual risks faced by the organization as determined by its purpose, industry (products or services), complexity, scale, and exposure to network risks serves as the foundation for fraud prevention and detection. In a traditional expected value framework, the assessment’s goal is to determine the type, likelihood, and potential cost of risks. This enables the organization to tailor program efforts toward cost-effective mitigation, which may include a greater or lesser tolerance for a particular risk.
Final Thoughts
It is far preferable to prevent fraud than to detect it after the fact. In practice, the same systems and controls put in place to prevent fraud may also help detect it (e.g., segregation of duties for a certain procedure may help boost the chances that someone will be in place to report potential fraud).
Prevention, on the other hand, is based on a culture of fraud awareness, understanding common policies and procedures, a safe harbor for whistleblowers, and ongoing communication about the importance of fraud prevention from the top down. It is less likely to occur when everyone understands that fraud is a possibility and a serious problem for which the organization has developed detection mechanisms.