What should an organisation prioritise in its anti-fraud strategy?

The first point of note is that fraud prevention is a cycle. It should not be viewed as a series of independent activities.

Each step of the cycle is an inherent component of the overall strategy, and the strategy fails without each step playing its part.

Governance and Risk Assessment

Setting the anti-fraud agenda at the outset is key. The Board is responsible for determining corporate strategy and risk appetite, and the anti-fraud agenda stems from these commercial imperatives. Once the risk appetite is set, a risk assessment is fundamental in determining how to build effective controls. After all, how can any system of control be well-designed if it is not informed of the risks it is supposed to mitigate? To conduct an effective risk assessment, engage the business directly and avoid undertaking the process as an academic compliance exercise. Try to put yourself in the shoes of a would-be criminal, or even consider engaging some of the new breed of consultants who have themselves previously been fraudsters, for real insight.

Controls Design

We often see cases of organisation controls developed ‘after the fact’ – that is without any proper assessment of risk. The risk assessment does not have to be expensive and overly time-consuming, but it drives well-designed and properly targeted controls which bring much-needed efficiency and effectiveness. A large volume of literature is publicly available to support this[4], but remember there is no such thing as a fraud control, only controls. Segregation of duties, effective passwords, authority limits, approvals, independent reviews and other control groups prevent errors and keep activities on budget and on target, and they also happen to prevent fraud. Do not allow this exercise to overshadow broader operational controls.

Monitoring and Detection

These represent the activities of the controls in practice. Proper KPIs and reporting data should be generated to help those charged with governance to determine whether the controls are effective and to identify early when a potential fraud or other anomaly may be taking place so that these can be immediately followed up. If designed correctly, this information should be fully aligned with commercial objectives and provide more than fraud monitoring alone.

Investigation

Normally managed by an independent team within either Internal Audit or another risk function, and in many cases with support from external investigators and legal counsel, thorough investigation

70 LAWYER MONTHLY DECEMBER 2022