Fraud prevention strategy
To help ensure that an organisation responds to suspicious fraud-related activity efficiently, management should have a fraud prevention strategy in place that outlines how to respond to such issues. When evidence of misconduct arises, management must respond in an appropriate and timely manner. During the initial response, time is critical.
A fraud prevention strategy outlines the actions that members of an organisation will take when suspicions of fraud have arisen. Because every fraud is different, the fraud prevention strategy should not outline how a fraud examination should be conducted. Instead, the fraud prevention strategy should help organisations manage their responses and create environments to minimise risk and maximise the potential for success.
Additionally, a fraud prevention strategy will allow management to respond to suspected and detected incidents of fraud in a consistent and comprehensive manner. By having a fraud prevention strategy in place, management will send a message that it takes fraud seriously.
More specifically, the fraud prevention strategy should guide the necessary action when potential fraud is reported or identified.
Also, a fraud prevention strategy should not be unduly complicated; for a response plan to work in high-pressure and time-sensitive situations, it must be simple to understand and administer.
While the appropriate response will vary based on the event, management should include a range of scenarios in the fraud prevention strategy.
Organisations without a fraud prevention strategy might not be able to respond to issues properly, and will likely expend more resources and suffer greater harm than those that have such a plan in place. Conversely, having a fraud prevention strategy puts an organisation in the best position to respond promptly and effectively.
The elements of a fraud prevention strategy include:
- Reporting protocols
- A response team responsible for conducting an initial assessment
- Factors used to decide on the course of action
- Litigation hold procedures
- Principles for documenting the response plan
- A template or form to report fraud incidents
Reporting Protocols:
One of the first steps when developing a fraud prevention strategy is to establish reporting protocols for tips, matters, allegations, and other indicators of improper activity. Reporting protocols are necessary to ensure that designated individuals are notified immediately to enable a prompt response.
Reporting protocols should outline notification principles and escalation triggers that vary depending on the nature and severity of the allegations. That is, they should indicate how to communicate the incidents to the appropriate level of management. For example, a fraud prevention strategy might instruct employees to report suspicions of fraud to their manager (if possible), a designated human resources (HR) or compliance officer, or the head of audit and enforcement.
Next, the issue should be reported to the party or parties responsible for conducting an initial assessment to determine how to respond and whether a full investigation is necessary.
Additionally, organisations should provide multiple channels for reporting concerns about fraud.
A Response Team:
No single person can effectively address every fraud-related issue. Therefore, the fraud prevention strategy must identify key individuals who might be required to respond to a particular fraud. The response team members will vary depending on the facts and the potential severity of the suspected fraud, but the team might include:
- Legal counsel
- A representative of management
- A Fraud Examiner
- The finance director
- General counsel
- A representative of internal audit
- Audit committee members
- A C-level executive
- Information technology (IT) personnel
- A representative of human resources (HR)
Factors Used to Decide on the Course of Action:
Again, the response team should determine the appropriate course of action when fraud is suspected. In general, if an allegation of fraud-related misconduct arises, management should conduct an investigation, but there are other courses of action it might decide to take. To help decide the best course of action, management should identify a list of factors it will use to make this decision. Identifying such factors will help the response team determine whether to escalate an incident into an investigation.
Each organisation will have different criteria for deciding whether allegations/suspicions qualify for a formal investigation, but common ones include:
- Credibility of the allegation
- Type of incident
- The subject of the allegation
- The business purpose of the activity at issue
- Seriousness or severity of the allegation
- Potential negative impact
- Likelihood that the incident will end up in court
- The ways in which prior, similar incidents were handled
Litigation Hold Procedures:
If an organisation does not already have litigation hold procedures in place, management should institute them immediately. A litigation hold refers to the steps an organisation takes to notify employees to suspend the destruction of potentially relevant records when the duty to preserve information arises.
Litigation hold procedures are necessary to ensure that potentially responsive documents are not destroyed once evidence of misconduct arises. The failure to preserve relevant evidence could have several adverse consequences, including, but not limited to, the government’s questioning of the integrity of any fraud investigation, monetary fines and sanctions, adverse inference jury instruction sanctions, or dismissal of claims or defences.
To establish litigation hold procedures, management should:
- Identify the scope of litigation hold procedures (i.e., the locations that the litigation hold procedures will cover).
- Examine how information moves through the organisation.
- Determine how to identify relevant documents.
- Develop a process to ensure such information is preserved.
Litigation hold procedures should apply to individual communications (e.g., email, chat messages, voice recordings), data on shared devices (e.g., network folders), system backup files, and archived data.
In general, litigation hold policies should be developed so the organisation can:
- Promptly notify employees who might possess relevant documents.
- Issue a preliminary hold order to all individuals and employees who might possess relevant information.
- Promptly notify information technology (IT) personnel and get their involvement if electronic data is at issue.
- Notify employees and IT personnel of their duty to preserve.
- Suspend any deletion protocols.
- Prohibit the destruction, loss, or alteration of any potentially relevant documents.
- Prohibit employees from destroying, hiding, or manipulating documents.
- Alert employees as to the risk to the company and the employees if they fail to heed the litigation hold request.
Moreover, establishing litigation hold procedures will help those involved in an investigation identify the relevant sources of information quickly, and it will help them understand the technology options available for searching, analysing, and reviewing data.
Even though litigation holds should apply to both electronic data and physical documents, electronic data contains certain attributes that make executing a timely litigation hold more difficult. Specifically, electronic data might only be available for a temporary period, business practices are often designed to free up storage space by deleting this type of information, electronic data can reside in numerous locations, and identifying relevant electronic data within today’s large and complex data systems can be challenging and costly.
Moreover, if an organisation operates internationally, it is more difficult to execute a timely hold. In such cases, management should consider retaining an outside expert to help with the data search and preservation.
A key objective of a litigation hold is to stop any automatic document deletion programmes or rules that might be in place.