Nearly half of all global organizations in PwC's 2018 Global Economic Crime and Fraud Survey admit to having been the victim of fraud and economic crime in the past two years, resulting in more than $7 billion in total losses and a median loss of $130,000 per case. Nearly half of those frauds were because of internal control weaknesses.
Internal audit plays several key roles in the prevention, detection, and monitoring of fraud risks. First, as internal audit has broad visibility into the different areas of the enterprise, it should be aware of potential red flags of fraud in all audit engagements and identify ones that may warrant further investigation. Also, internal audit should assess the effectiveness of controls designed to mitigate fraud risk. Finally, internal audit can lend valuable expertise in an advisory role to the development of the fraud policy.
To do this, internal auditors need to understand the key elements of a strong policy, and who it should involve.
The Building Blocks
Any organization can be a victim of fraud, regardless of its size, industry, or location. The most effective recourse is to develop a strong and implementable fraud policy that defines unacceptable behavior and how the organization will respond to it. While policies can vary depending on the organization's number of employees, industry complexity, and operating environment, the fundamental elements remain the same:
* The policy has top-down support.
* It includes clear, specific language and examples.
* It accurately and effectively defines fraud.
* There is policy ownership, so a specific person or group of people are charged with overseeing the development and implementation of the fraud policy.
* It clearly spells out personnel roles and responsibilities.
* It explains the disciplinary and legal actions the organization will take.
* It makes anonymous hotlines and reporting options available.
* There is an effective communication plan around the policy.
While no fraud policy can define every fraudulent action, a well-written policy uses clear language and relatable examples to help reduce uncertainty of what the organization considers illegal activity. It also provides clear instructions regarding the responsibilities and procedures to be followed by all involved when illegal activity is suspected or uncovered.
However, it doesn't matter how well the fraud policy is written if it sits in a three-ring binder gathering dust. The organization must ensure...