Identify and investigate violations. Management needs to identify violations of fraud risk management controls through defined processes. These processes must be developed as formal departmental, business, and operational processes. Identification of violations is the responsibility of every employee in the organization; however, the core responsibility lies with the departmental heads and their senior employees, who possess in-depth process and operational knowledge. The organization’s governance structure requires senior management to build the internal processes for timely identification of violations related to policies, processes, and internal control systems.
Identify And Investigate Violations: Step 7 In Fraud Risk Management
The Board of Directors forms sub-committees to oversee the process and report violations. The Board Audit Committee (BAC) or Board Risk Management Committee (BRMC) is usually responsible for providing oversight of the organization’s fraud risk management activities and practices. Such Board-level committees consist of professionals from audit, risk management, and fraud investigation backgrounds.
The Internal Audit function reports to the BAC. It is an independent, objective assurance and consulting activity implemented to add value and improve an organization’s internal controls and its operations. The role of the Internal Audit function regarding fraud violations is conducting investigations and identifying the root cause of fraud incidents.
The internal audit function works as the third line of defense in the organization; therefore, its role comes after the fraud risk management function, which works as the second line of defense in the organization. Through its regular monitoring and transaction testing, the fraud risk management function usually identifies the fraud incidents. Incurred and reported frauds are escalated to the senior management for review and necessary feedback.
Internal audit is approached by the management to perform detailed investigations from an audit perspective. These investigations are conducted by the internal audit team in collaboration with the fraud investigation team. Fraud specialists also work in internal audit and collaborate with fraud investigation team members to properly perform investigation procedures, including conducting interviews of the suspected parties and employees.
Internal audit considers where the fraud risk is present within the business and responds appropriately by auditing the controls of that department or area. It evaluates the reasons for the occurrence of the fraud incident and how the organization’s internal controls were breached by the suspected parties.
Violations of controls causing frauds may be of different types, such as:
- Policy violation
- Procedure violation
- Legal and regulatory violation
- Code of Conduct violation
- Overriding of internal controls
The investigation team and internal audit analyze the reported fraud incident from the perspective of the type of violation. It is necessary to correctly identify the reason for the occurrence of fraud, and all the reported frauds must be linked with the type of violation.
Only by correctly identifying the violations can fraud cases be investigated appropriately by the internal audit and fraud investigation team. Once the violations are identified, the audit activities and fraud investigation procedures are directed towards the violated sources, such as policy violations.
For example, in the case of financial reporting fraud, there might be the possibility that policies and procedures were overridden, and that the finance team exploited the gaps in the finance-related policies and procedures. More precisely, if the financial fraud is related to the embezzlement of cash, then the fraud investigator shall identify the control weaknesses in the organization’s cash management manual or assets policy.
During such investigations, the root cause is identified by linking the fraud incident with the violated program, such as a policy. This root cause identification exposes the process or policy weaknesses that enabled the fraudster to exploit the system.
Once the root cause is identified, the internal audit team or fraud investigator shall be able to design targeted investigation procedures, including interviews, observations, and feedback.
For example, suppose the root cause of a fraud related to embezzlement of cash is identified as the handling of cash by one person. It means the fraud investigator first read the policies and procedures related to cash management and identified that the internal control related to cash management is weak because no segregation of duties or authorization levels are defined for cash management. The only person who was given the authority to manage the cash flow exploited the gap and conducted cash embezzlement fraud.
Some fraud investigations might be complex, where many employees have taken part in a particular fraud, such as the theft of assets worth millions of dollars. In these types of frauds, usually, more than one employee works together to exploit the loopholes in the internal control system, or they override the internal controls.
For example, two employees, one head of finance and the other operations head, may combine to exploit their powers and breach the internal controls related to the movement of assets from one location to another.
Imagine that these two employees combine to conduct a fraud. The finance head manipulates the fixed asset register and shows some fixed assets as fully depreciated in the fixed asset register. He also eliminates some fixed assets from the fixed asset register. The finance head raises the need to dispose of fully depreciated fixed assets. On the other hand, the operations head makes arrangements to dispose of the assets, and during the disposal process, those fixed assets which were eliminated from the fixed asset register are disposed of for personal benefit. In these types of frauds, the fraud investigation requires in-depth root cause analysis, including strong analytical skills and finance knowledge to check the financial records and link them with historical financial information.
Implementing an employee whistleblowing hotline provides your employees with a voice to confidentially report workplace concerns, allowing you to identify and correct problems before they harm your business, reputation, or employee morale. Companies are also gradually realizing the value of incorporating a whistleblower service/independent helpline as part of their fraud risk management strategy.