In accordance with international best practices, an effective anti-fraud and abuse program should include five key elements:
Conducting a fraud risk assessment;
Using fraud detection methodologies;
Using fraud investigation procedures;
Establishing a whistleblowing system (e.g., a hotline);
Developing a zero-tolerance culture for fraud and abuse, including through a Code of Conduct.
Requirements for an effective Code of Conduct
A Code of Conduct (CEC) should include:
► Preventive mechanisms (e.g., penalties for unethical behavior);
► Detection tools, including encouraging employees to report unethical behavior;
► Focusing on ethical values, rather than solely relying on formal rules and regulations;
► Emphasizing positive examples and the benefits of ethical behavior;
► principles of fair and transparent relationships between employees and the organization (including protection of employees in disputes);
► regular monitoring of employee awareness of the Code’s provisions.
Fraud and Abuse Risk Management Objectives
To develop effective approaches to managing these risks, the system should be focused on achieving three main objectives:
- prevention — implementing controls that reduce the likelihood of fraud and abuse;
- detection — having mechanisms in place to detect such incidents in a timely manner;
- response — taking measures to eliminate consequences and compensate for damages caused.
The Concept of Fraud and Abuse
Fraud in the legal sense is defined broadly and generally refers to intentional actions aimed at obtaining an illegal or unfair advantage. Abuse and misconduct are also broadly defined and typically include violations of laws, regulations, internal company policies, and conduct contrary to business ethics.
Taken together, these actions create a number of risk areas that can lead to a loss of trust in an organization and cause significant reputational damage, including from an ethical perspective. Key risks include:
- financial reporting misrepresentation (incorrect revenue recognition, overstatement of assets, understatement of liabilities, etc.);
- asset misappropriation (embezzlement, wage fraud, theft, procurement irregularities, commission abuse, counterfeiting, etc.);
- obtaining revenue or assets through fraudulent or illegal means (inflated invoices, customer deception, fictitious sales, and other schemes);
- reducing expenses or liabilities through illegal actions (tax violations, misrepresentation of payroll data, providing false information to regulators);
- the occurrence or increase of expenses and liabilities due to illegal actions (bribery of representatives of commercial and government entities, kickbacks);
- other forms of abuse (conflicts of interest, insider trading, discrimination, illegal use of trade secrets, violations of antitrust and environmental laws).
The Role of Internal Audit
The internal audit system of a modern organization plays a key role in combating fraud. It supports management in preventing, detecting, and responding to fraudulent activities and abuses.
In particular, internal audit is responsible for:
- planning and evaluating the scope and effectiveness of anti-fraud measures;
- assisting management in identifying and analyzing fraud risks, as well as developing measures to mitigate them;
- informing the audit committee of the results of audits, internal control system assessments, investigations, and other related activities.
Fraud Risk Assessment
Every organization faces a specific set of fraud and abuse risks. Assessing these risks allows management to identify specific threats, identify weaknesses in existing control systems, and develop a practical mitigation plan.
The assessment should cover the entire organization, including key divisions, business processes, and relationships with customers and counterparties. While management is directly responsible for conducting the assessment and analyzing its results, the audit committee typically oversees this process.
The audit committee reviews the results of the risk assessment, monitors its regularity, and communicates relevant information to the independent auditor.
Management Oversight and Responsibility
The Board of Directors plays a critical oversight role and is responsible for establishing an effective control system aimed at mitigating the risks of fraud and abuse. Working with executive management, it ensures that the appropriate tone from the top is established and that ethical values and standards of business practice are upheld.
To perform these functions, the Board of Directors may delegate authority to a specialized committee, most often an audit committee, which:
- reviews issues identified during the fraud risk assessment;
- discusses the quality of control programs and systems with internal and external auditors;
- determines the procedure for handling incidents affecting financial and accounting information.
The Role of Senior Management
The effectiveness of the anti-fraud system depends largely on the involvement of the company’s senior management. The CEO has a significant influence on the formation of the corporate culture, sets the ethical benchmark, and promotes standards of integrity.
Executive management should lead by example, allocate the necessary resources to combat fraud, and hold divisional managers accountable for any violations identified. Many organizations appoint a dedicated official—the Chief Compliance Officer—to coordinate fraud prevention, detection, and response efforts in collaboration with internal audit and relevant specialists.
If necessary, a cross-functional committee led by the Chief Compliance Officer may be established. Its responsibilities include:
- Coordinating risk assessments;
- Developing and implementing policies and standards of business conduct;
- Monitoring the implementation of anti-fraud programs;
- Reporting to the Board of Directors and/or the Audit Committee.
Code of Conduct and Employee Training
A code of conduct is one of the key tools for informing employees of acceptable behavior standards. A well-developed and communicated code fosters corporate culture, confirms management’s commitment to ethical principles, and explains available support mechanisms and compliance mechanisms to employees.
A key element of the fraud prevention strategy is thorough due diligence of employees during hiring, promotion, and renewal, as well as when selecting agents, suppliers, and other third parties. Particular attention should be paid to employees who influence the preparation of financial statements. The scope and depth of due diligence depend on the risk level, the position held, and legal requirements.
For the control system to function effectively, it is necessary to regularly inform employees of current regulations and conduct training. A lack of a systematic approach and regular training may lead employees to mistakenly believe that fraud prevention is of low importance.