The fraud prevention strategy outlines a high-level plan for how the Institution will go about implementing its fraud prevention policy. The strategy forms the most important part of the fraud prevention plan; it must therefore be uncomplicated and practical.
The fraud prevention strategy is informed by the fraud risk management policy and the Institution's fraud risk profile.
2. Developing a Fraud Prevention Strategy
This is a document that describes how ongoing fraud risk management will work in the Institution. The strategy should be developed on a Risk Based Approach (RBA), taking into account cost versus benefit.
Note: The above should not be confused with investigating all incidents of fraud reported, which is part of the investigations policy / procedure.
2.1 Matters to consider
Identification & assessment of vulnerable areas
In order to develop and implement a Fraud Prevention Strategy, the Institution needs to identify where exposures to fraud exist within the Institution's current operating systems and procedures. Only once these exposures have been identified will it be possible to implement action to counter the exposures and, wherever possible, prevent or reduce the incidence of fraud in the future.
Ownership of fraud risk
All employees are responsible, to some extent, for the management of fraud risk, but the Accounting Officer / Authority has the ultimate responsibility. The Accounting Officer / Authority can delegate the responsibility to line managers in specific areas of the Institution. The Accounting Officer / Authority can delegate responsibility for fraud risk management along with the flow of activities from strategic to operational level.
As part of the response plan, the Institution should develop clear procedures on how to address control deficiencies.
The Institution should develop clear lines of reporting fraud. Fraud reporting should be part of the response plan or investigation policy. The response plan should also outline the activities and the personnel responsible for specific response activities.
The legislation that is relevant to addressing civil and criminal acts against the Institution should be outlined and clearly interpreted. It should be clear what constitutes the act of fraud and/or corruption.
The Accounting Officer / Authority should put structures in place to promote and educate the stakeholders about the Institution’s culture on fraud and corruption.
Management can be charged with the responsibility of training employees under their supervision on fraud and corruption, as part of the anti-fraud programme.
2.2 Understanding the fraud triangle
The following conditions have to occur for fraud to take place and the Institution’s fraud prevention mechanisms must take them into consideration:
Diagram 1: Fraud Triangle
Pressure:
· Financial Pressures;
· Personal Habits (Gambling, Drugs, Alcohol);
· Work-related Factors (Overworked, Underpaid, Not Promoted);
· Achieve Financial Results (Bonus, Compensation); and
· High Debt Level.
Opportunity:
· Poor Internal Control;
· Low Fraud Awareness;
· Treat Fraudster With Leniency;
· Rapid Turnover of Employees;
· Use of Many Banks;
· Weak Subordinate Personnel; and
· Absence of Mandatory Vacations.
Rationalisation:
· I am only borrowing the money and will pay it back;
· Nobody will get hurt;
· The Institution treats me unfairly and owes me;
· It is for a good purpose; and
· It is only temporary, until operations improve.
2.3 Key pillars of fraud prevention
The fraud prevention strategy should focus on the following key pillars:
· Investigation; and
Fraud prevention is a primary control which should lower the likelihood of fraud occurring. The prevention efforts should focus on identifying controls that address all three conditions (opportunity, rationalisation and pressure) that have to occur for fraud to take place.
The following are potential controls that can be implemented:
· Anti-fraud programmes;
· Code of Ethics;
· Internal control & compliance;
· Risk Identification & Assessment;
· Creation of anti-fraud culture / behaviours;
· Training & Awareness; and
· Lessons Learned and Communications Process.
The following tools can assist with detecting fraud when it occurs:
· Line Management;
· Fraud Audit Program;
· Internal Reporting; and
· Computer Imaging and Analysis and Data Mining Tools.
Every key fraud and corruption risk in each part of the group should be included in a structured and systematic process of risk management. The fraud and corruption risk management processes should be embedded in the group's systems and processes, ensuring that the responses to fraud and corruption risk remain current and dynamic.
All fraud and corruption risk management efforts should be focused on supporting the Institution's objectives. Stakeholders’ expectations are focused on how the Institution performs. An Institution's reputation could be significantly damaged if these expectations are not met.
The identification of exposures to fraud can be performed by conducting a series of workshops with management and employees involved in the operations at the "coal face". These are the individuals who work on a daily basis either enforcing controls or adhering to them during the course of their duties. It is these individuals who become aware of which controls are in place and which are effective and which are observed more in the breach than in the application. Their input is invaluable to the assessment of the effectiveness of controls.
The investigation process follows after the actual fraud has been committed or there is a suspicion that fraud has occurred.
The following are types of investigations that can be undertaken:
· Security / Audit Investigations;
· Forensic Investigation;
· HR / Disciplinary Procedures;
· Fraud Investigation Principles;
· Internal Audit & Security; and
· Security & Internal Audit Regulations.
In September 2003, the South African Cabinet approved a proposal for the establishment of minimum anti-corruption capacity in all Departments and organisational components of the public service. The approved proposal in the Cabinet Memorandum 46 of 2003 entails:
· Minimum anti-corruption capacity for departments and public entities under the jurisdiction of departments;
· Guidelines on structures to accommodate minimum anti-corruption capacity;
· National functions with regard to coordination and reporting on corruption in departments; and
· Implementation plan and implementation support.
It is therefore highly recommended that Institutions develop a policy or a set of procedures to give direction to such anti-corruption units and regulate the manner in which investigations are handled. This will allow transparency and consistency in the processes followed when incidents are reported.
Investigation Policy / Procedure
The investigation policy / procedure should focus on the following:
· Manner in which incidents should be reported
There must be structures in place to allow employees to report incidents of fraud and corruption, e.g. a fraud hotline.
· Roles and responsibilities in the process
The policy / procedure should be clear on who is responsible for what, e.g. preliminary investigations to be carried out by line managers or the risk management unit.
· Procedure for carrying out preliminary investigations
In light of the fact that every incident must be investigated, a preliminary investigation will help to establish reasonable grounds on whether an investigation is justified or not.
· Procedure for taking resolutions after preliminary findings
This is the review of the preliminary investigation findings. There must be a procedure on who decides on the escalation of cases to internal and/or external investigating units. It is important that other law enforcement agencies are involved as early as possible. In deciding to involve other law enforcement agencies, the Institution can look at:
o the nature of the fraudulent act (criminal or misconduct);
o internal capacity;
o amounts involved (potential loss);
o likelihood of asset forfeiture; and
o likelihood of criminal prosecution.
· Involvement of other law enforcement agencies
Depending on the facts of the incidents, investigations can immediately be referred to internal and/or external investigating units.
This stage focuses on post-investigation activities which can include the following:
· Disciplinary actions
The disciplinary actions will be a result of the findings from internal investigations. There is no legislation around decisions made; however, precedent is important for future reference.
· Civil recovery
It is important for the Institution to recover losses suffered through fraudulent, corrupt and/or misconduct acts.
· Decision on controls to be developed / reviewed
This requires the involvement of other functions in the Institution to avoid recurrence.
· Awareness and communication
As a preventative measure and for transparency purposes, all incidents reported and investigated must be communicated to all employees.
· Lessons learned
This is part of ensuring that the Institution is not hit by one scheme more than once.
· Updating incidents database for future reference
This database is used for future reference. All the information pertaining to the incident must be recorded and kept, i.e. the nature of the incident, how it was investigated and the resolutions that were taken.
Information about cases investigated and finalised by the Institution may be required by other bodies, e.g. the National Treasury, DPSA, and Auditor-General.
Diagram 2 below illustrates the fraud prevention processes that can be linked to the key pillars.
3. Developing a fraud prevention implementation plan
The strategy should include the detailed processes to be adopted by the Institution in the identification of exposures to fraud and corruption. Once exposures to fraud and corruption have been identified, it will be necessary to evaluate the effectiveness of existing controls and counter measures. Where additional or new controls and procedures are deemed to be necessary, responsibility for their development and application must be allocated to individual management personnel. Ultimate responsibility for the application of anti-fraud controls and procedures is that of every Institution stakeholder.
Monitoring of the application and ensuring adequate supervision and dynamism of the controls and procedures will be the responsibility of the Risk Management Committee (RMC).
The following steps need to be taken when developing the fraud prevention implementation plan:
· Determine the fraud risk management activities to be performed, taking into account the fraud risk profile and related costs versus the benefits;
· Resourcing requirements: This element describes the capacity and competence of personnel and the strategy to address capacity gaps. It also addresses the technology and funding requirements to give effect to the fraud risk management strategy;
· Determine the sequence of activities and the target implementation dates;
· Assign ownership for and communicate fraud risk management activities; and
· Agree on frequency and format of reporting.
Consensus should be obtained regarding the frequency, content and responsibility for reporting.
4. Fraud Risk Management Committee
The size of the Institution and the magnitude of fraud & corruption can be used to decide whether to have a separate oversight committee for fraud risk management or to use the Risk Management Committee (RMC) as an oversight body.
The fraud prevention strategy and implementation plan should ideally be developed together to ensure connectivity and continuity. Both documents should be approved by the Accounting Officer / Authority and reviewed on an annual basis.