Entities throughout the world are devising models to detect and prevent fraud in the workplace. This CFE from the United Kingdom constructs a composite from three countries that can be adapted to any public or private entity.
Governments, regulators, and commercial entities worldwide are considering the best practical measures for preventing fraud. Here I identify the common elements of some of these global models and establish a composite model that any entity large enough to segregate different business functions can use. Smaller organisations can adapt the model to suit individual circumstances.
Existing Models
As a basis for this composite model, I have utilised some of the work which has taken place in the U.S., Australia, and the United Kingdom:
Both the COSO model and the Combined Code model were developed to address the subject of internal controls in a financial reporting environment. However, the framework for both of these models assumes that fraud is a business risk to be managed in the same way as any other business or financial risk. One can confirm this by examining the commentary supporting the five key points in each model. The Australian models, on the other hand, specifically address the subject of fraud prevention and control.
More recently, the Sarbanes-Oxley Act in the U.S., and the combined efforts of the Smith and Higgs Reports in the UK, have reinforced the requirement for corporate responsibility and management assessment of internal controls. In each case the onus is placed on corporate management, with oversight from the audit committee. However, oversight responsibility requires an appropriate level of knowledge of what is required in order to protect the organisation's interests. This model aims to provide an example of best practice.
On the face of it the four models can be split into two groups - the COSO model and the Combined Code in one group, with the two Australian models forming a separate group. (See the chart below.) However, closer examination reveals many overlaps. The first three models identify "risk" as a significant factor to consider in establishing effective fraud prevention systems. The heading "control environment" encompasses ethics, philosophies, training, culture, and standards among other issues. All identify, and rely on, the need for effective information and communication systems whether they are for reporting incidences of fraud or as an aid to education, awareness, and training programmes. Effective monitoring is another common factor even if in some cases it is hidden away in the detail. The AIC paper spells out many of the control activities referred to elsewhere.
Objectives
All the models have the same objective (only the layouts vary), but that objective has not yet been spelled out. It may therefore be worthwhile to establish what we are trying to achieve and what the objectives of a fraud prevention/control model are.
Any fraud prevention and control model should achieve any, or all, of five primary objectives:
Composite Model
Consider Fraud Risk an Integral Part of an Overall Corporate Risk Management Strategy
Fraud is as much of a threat to an entity as changes in legislation, competitor action, or inflation. Its overall effect therefore needs to be fully understood and managed accordingly.
Develop an Integrated Strategy for Fraud Prevention and Control
Every organisation should possess an integrated strategy for fraud prevention and control in order to draw all elements of the strategy together to form a holistic and complementary raft of fraud countermeasures. Those organisations with an integrated strategy are less likely to suffer catastrophic losses from fraud than those without.
Develop an Ownership Structure Which Cascades Down Throughout the Entity
Fraud prevention is everyone's responsibility but top management's acceptance and ownership is essential if the strategy is to work. Specific ownership responsibilities may also be placed on individual managers or on the internal audit department (as appropriate). If the entity does not have an internal audit department the task can be undertaken by managers from another business unit within the entity, by a senior management team, or by specialists bought in from outside the entity.
Introduce a Fraud Policy Statement
The fraud policy statement should emphasise the organisation's attitude to fraud in its many guises, its determination to combat and prevent fraud, and a commitment to punishing those found guilty of wrongdoing. It should be simple, focused, and easily understood by all members of staff. The policy statement is the foundation of the organisation's fraud prevention strategy.
Introduce an Ethics Policy Statement
The ethics statement supports the fraud policy statement. It should be a code of business conduct emphasising the norms and values expected in daily activity. It may spell out the entity's approach to the payment of bribes, "commissions" or "management fees," particularly in relation to overseas business ventures. It ensures that all staff are aware of what is expected of them.
Actively Promote Ethics Policy Throughout Organisation
There is no point in having an ethics policy if no one knows about it. Staff cannot be made accountable for fraud prevention unless they are made aware of its importance and the benefits arising from it. Consider issuing personal copies to all staff members and to those with whom the organisation does business. This ensures that customers and suppliers know exactly where the company stands on fraud and ethical issues. The existence of such a policy can also be used as a marketing tool: "We always prosecute fraudsters" or "We don't pay kickbacks or secret commissions."
Establish a Sound Control Environment
This requires a positive approach from all concerned. It is easy to become sloppy and to take short cuts. Adherence to procedures can often require more effort, but a positive approach can reap benefits for all concerned. Management philosophy and operating styles are important factors, as are appropriate organisational structures and adequate staff levels. Senior management needs to lead by example and to provide the right direction. Staff shortages can lead to short cuts and missing controls, e.g., inadequate supervision.
Establish Sound Operational Control Procedures
This requires that managers establish, document, and execute policies and procedures to counter identifiable risk and to achieve business objectives. Examples include authorisation controls, segregation of duties, physical security, and transaction controls.
Introduce Fraud Education, Training, and Awareness Programme
The programme should have its own strategy. All staff from top to bottom should be aware of the general risk of fraud from internal and external threats. They need to be educated on the threats facing them in the workplace, both in general terms and in terms of the specific threats affecting their own business units or functions, e.g., personnel, procurement, sales, etc. They should then be trained to identify, and respond to, the threat.
Introduce Fraud Response Plan
While the emphasis should clearly be on preventing fraud, the reality is that no system is foolproof. Every organisation will at some time or other suffer an incident of fraud. The existence of a fraud response plan reduces the likelihood of panic and ensures that staff members at all levels understand what is required of them, that effective action is taken, and that the security and integrity of evidence are preserved. It can also limit the damage caused by the fraud.
Introduce Whistle-blowing Policy
The whistleblower policy should clearly indicate that the board and senior management positively encourage people to come forward and report instances of fraud and malpractice. It should emphasise that protective legislation is in place and provide the opportunity to report anonymously if the individual so desires. The policy should also identify reporting procedures.
Introduce Reporting Hotline
This should be an internal line to the department or the individual who has the responsibility of investigating fraud reports. Or consider contracting with an outside service to give those reporting potential fraud a greater reassurance that they can remain anonymous if they wish.
Constantly Review All Policies and Procedures
Policies and procedures can become obsolete very quickly. It is worth noting that in many cases the first system to go in the event of organisational change is the control system - likewise the control systems are likely to be the last to be put in place after the change. Consider undertaking a review of control systems at regular intervals and in particular after restructuring, downsizing, changes in business processes, following identification of weaknesses, the introduction of new computer systems, and after an incident of fraud.
Constantly Monitor Adherence to Controls and Procedures
This should be a continuous process to identify any potential weaknesses arising as a result of complacency (or "control delusion") before a fraud occurs. Procedures should be in place which allow the ongoing examination of controls and procedures. Consider introducing test programmes and reporting systems for those in charge of identifying control weaknesses, thus allowing systems to adapt to a changing environment.
Establish a 'Learn from Experience Group'
Establish a group of experienced staff to examine system failure or system breakdown. The group should attempt to identify both the reasons for the failure and also any positive aspects arising from the failure or breakdown, e.g., speedy identification and reporting. This will allow remedial action to be undertaken and the positive aspects to be enhanced.
Develop Appropriate Information and Communication Systems
In addition to aiding the reporting of fraud, these systems could also encompass performance indicators, links with external parties, management reports, education and training issues, information on successful prosecutions, system reports, a supplier database, fraud trends and statistics, and risk reviews.
Composite Model Works for Any Entity
Effective fraud management strategies will:
References to corporate responsibility and audit committees suggest that fraud prevention models are aimed at larger public entities. This is a false impression. Experience has shown that the composite model described here can be adapted to suit any entity in the public and private sectors, with little or no effort. Indeed, the composite model was the basis for the UK Fraud Advisory Panel publication "Fraud Prevention - A Guide for SMEs." Feedback suggests that even by implementing part of the model, which is better than nothing at all, smaller companies have seen benefits in a short space of time.
However, in order to refine and develop the model still further, I would welcome any feedback on how the model works for your organization and clients.
David Cafferty, CFE, ACMA, is senior manager of Carter Backer Winter in London, England.
The four models compared (the chart referred to above):

| Committee of Sponsoring Organisations (COSO) | Combined Code | New South Wales | Australian Institute of Criminology |
|---|---|---|---|
| Control Environment | Control Environment | Integrated Macro Policy | Fraud Awareness and Education |
| Risk Management Policies | Identification and Evaluation of Risks and Control Objectives | Responsibility Structures | Management of Fraud Controls |
| Operational Control | Information and Communication | Fraud Risk Assessment | Personnel Monitoring Activities |
| Information and Communication Systems | Control Procedures | Employee Awareness | Transaction Monitoring |
| Effective Monitoring | Monitoring and Corrective Action | Wider Awareness | Personalised Identification |
| | | Fraud Reporting Systems | Counterfeiting Prevention |
| | | Protected Disclosures | Computer Systems Monitoring |
| | | External Notification | Legal Deterrence |
| | | Investigation Standards | |
| | | Conduct and Disciplinary Standards | |
ACFE Proposes Model Organizational Fraud Deterrence Program
In the ongoing discussion on fraud examination models, the ACFE has weighed in with its Model Organizational Fraud Deterrence Program. (See "Breaking Tradition in the Auditing Profession" in the Sept./Oct. 2003 issue of The White Paper.)
According to the ACFE, the program would:
Through in-depth research, the profession would set out the factors that are present in organizations - both accounting and otherwise - which are the most likely to prevent fraud. It would then become the auditor's responsibility to determine the extent of the organization's compliance with the Model. Instead of opining that the entity is essentially free of material fraud, the auditor would grade the entity's compliance, say from A to F. Such a grading system would convey more information and reduce biasing compared to a pass/fail system. This approach would provide investors, lenders and other key stakeholders with transparency as to the entity's fraud prevention measures, allowing them to make informed financial decisions that reflect their own risk tolerance. Bond investors make similar decisions using ratings from Standard & Poor's, Moody's, etc. to take account of credit risk. People still buy "junk" bonds, but they demand a premium return to offset the increased risk of loss. The same approach can work with fraud risk.
The internal control reporting requirements of section 404 of the Sarbanes-Oxley Act are a stepping stone in this direction, but new standards are needed against which fraud-specific prevention processes can be evaluated. Also, the reporting system needs to incorporate graded responses if useful information is to be conveyed. Most public companies would be lucky to score half marks compared to recommended anti-fraud practices today, as the ACFE's Fraud Prevention Check-up (see CFEnet.com) has demonstrated. A graded system encourages transparency and improvement, while a pass/fail system is particularly vulnerable to manipulation and bias and could cause chaos if used honestly.