
Fraud Prevention

The Fraud Deterrence Lifecycle has four elements of which Fraud Prevention is obviously 1st prize, but if you do suffer a fraud you need to correct the processes that allowed the fraud to take place, otherwise you are doomed to repeat the same frauds over and over.

This means you should use Root Cause / Trend Analysis to drive Process Correction and not focus on just the symptoms of the fraud. The root causes would be established from the forensic investigations and/or internal audits and should be fed back into the fraud prevention plan to ensure that it is a 'living' document. Correction would also focus on maximising recoveries of stolen monies.

This is where pure investigators tend to fall down, as they don't understand business processes and/or they think their job is done when the perpetrator is put in jail. They seem to forget that a particular vulnerability was exploited in order for the fraudster to commit the crime, and if this is not plugged the next employee will most probably try the same thing.

Deterrence modifies the person's behavior through perception of being caught and being punished while Prevention focuses on removing the root cause of the problem, hence prevention and correction logically go together.

The Prevention element of the Fraud Deterrence Lifecycle tends to be the most misunderstood and yet can provide the most value, so let’s see what the best practice elements of a fraud prevention process are.

Fraud prevention should be looked at holistically and, based on the ACFE's fraud prevention check-up, is presented here as sequential building blocks making up the program:

Fraud Risk Assessment - Management should assess the vulnerability of the organisation to fraudulent activity every 18 to 24 months. This is traditionally done by evaluating the type of fraud risk, the potential impact of the fraud, the likelihood of its occurrence and the pervasiveness of the risk. Fraud is like cancer. Most of us know someone who has it. We know people who will eventually have it. It has become common but we can take steps to protect ourselves through healthy choices and regular check-ups using the latest tools & technology.

Accountability - Dishonest employees may not commit a fraud if they know the organization has an oversight and confirmation process. After giving the code of ethics to all employees (in both hard and soft copy if possible), require that they sign a statement that says they have read and understood the code's requirements and will comply with them. The fraud prevention plan should include an accountability matrix that lists the anti-fraud functions and which staff have primary, secondary or a shared responsibility. This then eliminates the excuse of ignorance.

Controls - After the fraud risk assessment results have been perused, management should determine whether there are controls in place to mitigate the identified fraud risks or if additional emphasis should be placed on existing controls. Where controls are lacking, management should design and implement additional antifraud controls to specifically address the identified fraud risks or redesign the process to be more fraud resistant.

"If you were to ask a group of typical accountants what deters fraud, they would respond in unison: 'Internal control!' Using this logic, companies with adequate controls would not have fraud. But they do, time & again".

- Joe Wells, founder of the Association of Certified Fraud Examiners.

Data Analytics - Many organisations have been scared away from data analytics for the following reasons:

• There are too many software products to choose from

• Obtaining data is difficult

• The exercise takes too long, involves too many analysts and costs too much

• The results tend to be extremely lengthy and difficult to understand

For the above reasons, many organisations perform data analytics only during the annual audit or after they have stumbled across fraud. This 'ad-hoc' analytics should progress to 'repeated review' and then ultimately to 'CCM' (continuous controls monitoring). CCM is a solution that applies automated, pre-defined analytic tests to critical control points within specific business process areas.

By automating sophisticated analytics and embedding audit "best practices" in organisations' business operations, management receives timely notification of anomalies and control breaches, mitigating risks of ineffective or missing controls within application systems. Business process owners receive timely notification of control breaches, can quickly review quantified exposure of business risk, and can drill down to specific exceptions and transactions to resolve potential problems before they escalate.

Recruitment - There are primarily two types of fraudsters – career criminals and situational criminals. For the career criminal it is crucial to conduct background checks on all new employees. For the situational criminal it is crucial to do continual in-service screening (observing lifestyle changes as an example) and to ensure that exit interviews ask the right questions as some employees leave because of unethical behavior from a boss. Professional background checks can uncover criminal convictions, credit history problems, and questions about education, prior employment issues and integrity concerns. Remember that this goes for all grades – executives should not be immune from background checks!

Whistle-blowing System - Many frauds are known or suspected by both insiders and outsiders. A recent survey showed that an average of 20% of employees know about fraud within their organisations but only 40% of those reported the suspicions. The challenge for management is to convince these ‘innocent’ people that ‘speaking out’ is their responsibility and is very much in their own interest. The service should then ensure anonymity and confidentiality, otherwise employees will fear retaliation and will keep quiet.

Codes of Ethics - This is the one critical cornerstone where no short-cuts should be taken. The success or failure of a fraud prevention plan depends primarily on the culture of the organization, and a sustainable Ethics Program will ensure that ethics is top-of-mind within the company.

Merely having a code of ethics is not sufficient so cutting-edge companies are designing and implementing training around the code, bringing what is often a dormant item to life. Far too often, the code lies buried in an organisation's employee training manual and is handed out to new employees on their first day on the job and then forgotten about.

Policy - The aim of a corporate fraud policy is to demonstrate to all stakeholders that the company is taking the threat of fraud and dishonesty seriously.

Issuing detailed policies (such as a Fraud policy, Whistle-blowing policy, Reward policy, Fraud response plan, Code of conduct, etc.) clearly sets out what is considered to be dishonest, warns any potential wrongdoers that the consequences of being caught will be serious and explains each process. The effect therefore will be to deter any potential wrongdoers, thus resulting in reduced losses from fraud and reduced costs in respect of investigating any wrongdoing.

Training & Awareness - This is the other critical cornerstone, and linking fraud awareness training to the code of ethics sends a strong message and reinforces what is considered appropriate behavior by the company. Training needs to happen annually, not only when new employees join the company, and it must target existing employees as well as newcomers.

The training should also bring in the whistle blowing system and how it works, the various policies, procedures and other related documents, as well as roles and responsibilities. The training should be 'edutaining', meaning it should inform and entertain as this is the best way for people to learn and retain what they have learnt.


If you are, however, unable to prevent a fraud from occurring in your organisation, the next best is to detect it as quickly as possible and then to investigate in order to recover monies and to punish the perpetrator/s.

Keep in mind that most investigations now include cyber forensics, as suspects tend to have evidence, whether emails, documents, or web history, on their computers and this is where our specialist computer forensic services can assist you.

This service can be seen as investigative or preventative - our suggestion to organisations is to image all key staff members' computer hard-drives when they resign. Once they have left and their computer is being used by their replacement, and you now suspect fraud, it is much more difficult to obtain court-admissible evidence. Rather image and not need the image than the converse!

This service can be likened to the African Wild Dog. This is the most successful of all the African predators as they are highly-adaptive, cooperative hunters that are relentless.

Just like the RCMP (Royal Canadian Mounted Police) motto of ‘We always get our man’, the wild dogs very seldom miss their target and have a successful kill ratio of 90%! Our computer forensic services division tends to amaze clients with what we find when analyzing suspects' computers.

"An ounce of prevention is worth a pound of cure"

- Benjamin Franklin

The above quote was actually fire-fighting advice from Franklin, as those people who experienced fire damage to their homes often suffered irreversible economic loss.

The quote is most applicable to fraud, as more than thirty percent of companies that suffer frauds go bankrupt.

