Entities throughout the world are devising models to detect and prevent fraud in the workplace. This CFE from the United Kingdom constructs a composite from three countries that can be adapted to any public or private entity.
Governments, regulators, and commercial entities worldwide are considering the best practical measures for preventing fraud. Here I identify the common elements of some of these global models and establish a composite model that any entity large enough to segregate different business functions can use. Smaller organisations can adapt the model to suit individual circumstances.
As a basis for this composite model, I have utilised some of the work which has taken place in the U.S., Australia, and the United Kingdom:
- United States of America - the findings of Committee of the Sponsoring Organisations (COSO) of the Treadway Commission, and implications arising from the Sarbanes-Oxley Act;
- United Kingdom - Corporate Governance (CG) Initiatives - The Combined Code (CC) - incorporating aspects of the Higgs and Smith reports; and
- Australia - examples from New South Wales (NSW) and a paper produced by Russell G. Smith for the Australian Institute of Criminology (AIC).
Both the COSO model and the Combined Code model were developed to address the subject of internal controls in a financial reporting environment. However, the framework for both of these models assumes that fraud is a business risk to be managed in the same way as any other business or financial risk. One can confirm this by examining the commentary supporting the five key points in each model. The Australian models, on the other hand, specifically address the subject of fraud prevention and control.
More recently, the Sarbanes-Oxley Act in the U.S., and the combined efforts of the Smith and Higgs Reports in the UK have reinforced the requirement for corporate responsibility and management assessment of internal controls. The onus in each case is placed both on corporate responsibility with oversight from the audit committee. However, oversight responsibility requires an appropriate level of knowledge of what is required in order to protect the organisation's interests. This model aims to provide an example of the best practice.
On the face of it the four models can be split into two groups - the COSO model and the Combined Code in one group, with the two Australian models forming a separate group. (See the chart below.) However, closer examination reveals many overlaps. The first three models identify "risk" as a significant factor to consider in establishing effective fraud prevention systems. The heading "control environment" encompasses ethics, philosophies, training, culture, and standards among other issues. All identify, and rely on, the need for effective information and communication systems whether they are for reporting incidences of fraud or as an aid to education, awareness, and training programmes. Effective monitoring is another common factor even if in some cases it is hidden away in the detail. The AIC paper spells out many of the control activities referred to elsewhere.