Review of Fraud Week

Definition of fraud

The Chartered Institute of Management Accountants (CIMA) defines fraud as using deception to dishonestly make a personal gain for oneself and/or create a loss for another.

An alternative definition is found in ASA 240, which defines fraud as an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Fraud risk management process

1. Context
   - Internal context: internal environment, key transactions, policies, products. More important, as fraud tends to arise internally; thus greater scrutiny of the internal context and environment is critical.
   - External context: external relationships, counterparties, industry environment, stakeholders.

2. Identify fraud risk
   - Determine the area and type of fraud that can / is likely to happen using the CIMA 2009 model. Top-to-bottom involvement in the fraud risk identification process.
       Asset misappropriation: cash; non-cash
       Fraudulent statements: financial (financial statement); non-financial (credentials)
       Corruption: conflict of interest; bribery / extortion (kickbacks)
   - Determine why people commit fraud using the Fraud Triangle Model. Note that the 3 elements can be affected by internal and external influences.
       Motivation / Pressure:
         o Greed: personality and temperament of employees (seldom totally dishonest)
         o Need: background check / declare personal debts
       Opportunity: may be the most important factor; tempts the employee
         o Weak internal control system / poor security measures / likelihood of detection and exposure
       Rationalisation:
         o Necessity: when done for the business
         o Harmless: company wealthy enough to absorb the impact
         o Justified: deserve the money, or "I was mistreated"

3. Analyse fraud risk
   - Determine effectiveness of current internal controls. This includes (1) preventive and (2) detective measures.
   - Determine risk level using the likelihood-consequence model.

4. Evaluate fraud risk
   - Determine if the current risk level is within the acceptable risk level target.
   - Prioritise risks for treatment.

5. Treat fraud risk (KPMG Model)
   - Audit Committee / Risk Committee to spearhead.
   - Prepare a Fraud Risk Action Plan to treat / mitigate fraud risk, and to further improve current controls.

   Preventive
   - Leadership and governance
       o Board: tone at the top / ensure institutional support / monitor and review anti-fraud controls
       o Senior management: develop process based on ground experience; assume responsibility for risk
       o Internal audit: support senior management in preventing, detecting and responding
   - Establish code of conduct
       o Set tone regarding attitude towards fraud
       o Raise awareness of management's commitment to integrity, and inform employees of available resources with respect to mitigating fraud risk
   - Hiring process
       o Due diligence important when hiring, retaining and promoting employees to sensitive positions
       o Due diligence starts at the beginning of employment, and is a continuing process
   - Communication and training

   Detective
   - Audit and monitoring. Should be tailored according to the nature and degree of fraud risk
       o Factors include: (1) key procedure / position; (2) history of fraud / misconduct
   - Fraud hotlines that ensure: confidentiality / anonymity / availability / real-time assistance / follow-up (ensuring no retaliation) / audit committee notification

   Response (upon fraud risk materialising)
   - Investigation: to have a credible assessment of the violation so as to take the appropriate course of action
   - Enforcement and accountability: signal to both internal and external parties that the company is serious about fraud risk
       o Sanctions should be (1) progressive; (2) consistently applied
   - Corrective action: exact nature depends on the fraud event. Includes:
       o Voluntary disclosure to regulatory authority
       o Remedy harm caused (pay money / restore property)

6. Monitoring and review
   - A continuing process ensures the fraud risk management process stays relevant, because avenues / ways of carrying out fraud always evolve
       o i.e. nature of business / business environment (economy, industry, competitor business)
   - Incorporate as part of ERM
   - Fraud reporting
       o Regular reports to senior management and the Board
       o Key stakeholders should be informed (i.e. regulatory bodies, shareholders, staff, counterparties)
       o Establish reporting protocol (chain of command / anonymity / follow-up)