Fraud risk governance is crucial for ensuring that an organization effectively

identifies, manages, and mitigates fraud risks. Here’s a detailed look at the roles and
responsibilities within an organization, the Three Lines Model, and the essentials of a
robust fraud risk governance framework:

Roles and Responsibilities

a. Board of Directors
• Oversight: The Board is responsible for setting the tone at the top and
providing oversight on fraud risk management. They should ensure that
appropriate policies and controls are in place and that management is
effectively implementing them.
• Approval: The Board must approve the organization’s fraud risk management
policies and procedures.
• Review: They should review regular reports on fraud risk management and
any significant fraud incidents.
b. Audit Committee
• Monitoring: This committee monitors the effectiveness of the internal control
systems, including those designed to prevent and detect fraud.
• Reporting: It reviews and assesses the effectiveness of fraud risk management
and makes recommendations for improvements.
• Oversight: Ensures that there is an independent internal audit function that
evaluates the adequacy of fraud prevention and detection measures.
c. Senior Management
• Implementation: Senior management is responsible for implementing fraud
risk management policies and procedures.
• Culture: They should foster an ethical culture and ensure that employees are
aware of fraud risks and the mechanisms for reporting suspicious activities.
• Resources: Allocate necessary resources for effective fraud risk management
and internal controls.
d. Internal Audit
• Assessment: Internal auditors assess the effectiveness of the fraud risk
management processes and controls.
• Evaluation: They conduct audits to identify vulnerabilities and provide
recommendations to strengthen fraud prevention and detection.
• Reporting: Report findings and suggest improvements to senior management
and the Audit Committee.
e. Compliance Officer
 • Compliance: Ensures that the organization adheres to relevant laws and
regulations related to fraud.
• Training: Develops and delivers training programs on fraud awareness and
prevention.
• Monitoring: Monitors compliance with fraud-related policies and procedures.
f. Employees
• Reporting: Employees have a responsibility to report suspicious activities or
concerns about potential fraud.
• Compliance: They should adhere to the organization's policies and procedures
related to fraud risk management.
• Awareness: Engage in training and remain vigilant about fraud risks.

The Three Lines Model

The Three Lines Model is a framework designed to help organizations understand
and implement effective risk management and control processes. It consists of:
a. First Line: Operational Management
• Role: This line involves operational managers who own and manage risks
directly. They implement and maintain day-to-day processes and controls to
mitigate risks, including fraud.
• Responsibilities: Identify and assess risks, implement control measures, and
monitor their effectiveness.
•
b. Second Line: Risk Management and Compliance Functions
• Role: This line provides oversight and support to the first line, ensuring that
risk management and compliance practices are effective and aligned with the
organization’s objectives.
• Responsibilities: Develop and implement risk management frameworks,
provide guidance and support to operational management, monitor risk
management processes, and ensure compliance with laws and regulations.

c. Third Line: Internal Audit

• Role: The third line provides independent assurance to the Board and senior
management regarding the effectiveness of governance, risk management,
and internal controls.
• Responsibilities: Conduct audits to evaluate the effectiveness of controls, report
on the adequacy of risk management processes, and recommend
improvements.
Essentials of a Robust Fraud Risk Governance Framework

a. Strong Leadership and Culture

• Tone at the Top: Leadership must establish and communicate a strong
commitment to ethical behavior and integrity.
• Culture: Foster an organizational culture that discourages fraudulent activities
and encourages ethical behavior.
•
b. Comprehensive Fraud Risk Assessment
• Identification: Regularly identify and assess fraud risks across the
organization.
• Evaluation: Evaluate the likelihood and impact of identified fraud risks.

c. Effective Policies and Procedures

• Documentation: Develop and document clear anti-fraud policies and
procedures.
• Communication: Ensure that policies are communicated effectively to all
employees and stakeholders.

d. Training and Awareness

• Programs: Implement regular training programs on fraud awareness,
detection, and prevention.
• Updates: Keep training materials updated with the latest fraud risks and best
practices.

e. Reporting Mechanisms
• Whistle-blower Systems: Establish confidential and accessible reporting
mechanisms for employees and stakeholders to report suspected fraud.
• Follow-Up: Ensure that all reports are investigated thoroughly and in a timely
manner.

f. Monitoring and Testing

• Ongoing Monitoring: Continuously monitor fraud risk management processes
and controls.
• Testing: Regularly test the effectiveness of fraud prevention and detection
measures through internal and external audits.

g. Response and Remediation

 • Incident Response: Develop and implement a fraud response plan that outlines
how to handle fraud incidents.
• Remediation: Take corrective actions to address identified vulnerabilities and
prevent recurrence of fraud.
By defining clear roles and responsibilities, adhering to the Three Lines Model, and
ensuring the essentials of a robust fraud risk governance framework are in place,
organizations can effectively manage and mitigate fraud risks.

FRAUD RISK MANAGEMENT PROGRAM (FRMP)

A comprehensive strategy designed to identify, assess, prevent, detect, and respond to
potentially fraudulent activities within an organization.
It is a critical component of corporate governance and risk management, ensuring that
organizations are prepared to mitigate the risks associated with fraud.

The key components and processes

1. Understanding Fraud Risk
The first step is to identify and assess the specific fraud risks the organization faces. This
involves understanding where and how fraud might occur within different processes and
departments. Fraud involves intentional acts of deception for personal or financial gain. It can
occur in various forms, including
• financial statement fraud,
• asset misappropriation,
• corruption,
• cyber fraud, and more.

2. Governance and Oversight

Senior management and the board of directors must establish a strong anti-fraud culture. This
involves
• Setting clear expectations for ethical behavior and
• Demonstrating commitment to integrity.
A formal policy should outline the organization’s stance on fraud, including definitions,
reporting procedures, and disciplinary actions. It serves as a guiding document for employees
and management.
Fraud Risk Management Committee: This committee, often composed of members from various
departments such as finance, legal, compliance, and internal audit, is responsible for
overseeing the implementation and effectiveness of the FRMP.

3. Fraud Prevention
 Strong internal controls are the first line of defence against fraud. This includes
• segregation of duties,
• authorization processes,
• reconciliations, and
• access controls to prevent unauthorized activities.
Employee Training and Awareness: Regular training programs should be conducted to educate
employees about
• the risks of fraud,
• how to recognize suspicious activities, and
• the importance of ethical conduct.
Organizations should also assess the fraud risks associated with vendors, contractors, and
other third parties, implementing appropriate controls to manage these risks.

4. Fraud Detection
Continuous monitoring of transactions, behaviours, and systems can help in detecting unusual
patterns or anomalies that may indicate fraud.
Advanced data analytics and forensic tools (Splunk, Palantir Foundry, IBM i2 Analyst’s
Notebook, Forensic Toolkit, SAS Analytics, etc) can be used to identify red fl ags and potentially
fraudulent activities by analyzing large volumes of data for inconsistencies.
Whistle-blower Mechanisms: Establishing confidential reporting channels, such as hotlines or
anonymous reporting systems, encourages employees and others to report suspicious
activities without fear of retaliation.

5. Fraud Investigation
When potential fraud is detected, it’s crucial to have clear protocols in place for conducting
investigations. This includes defining
✓ the roles and responsibilities of investigators,
✓ securing evidence, and
✓ maintaining confidentiality.
Depending on the findings, appropriate legal actions and disciplinary measures should be
taken against those involved in fraudulent activities. This may involve coordination with law
enforcement agencies.

6. Fraud Response and Recovery

Crisis Management: In the event of a significant fraud incident, a crisis management plan
should be activated. This includes communication strategies, damage control, and maintaining
business continuity.
Loss Recovery: Efforts should be made to recover any losses incurred due to fraud, which may
involve legal proceedings, insurance claims, or asset recovery actions.
7. Continuous Improvement
The FRMP should be regularly reviewed and updated to adapt to
• new fraud risks,
• changes in the organization’s operations, and
• lessons learned from past incidents
Periodic internal audits should be conducted to assess the effectiveness of the fraud risk
management processes and controls, ensuring that they are functioning as intended.

8. Regulatory Compliance
The program should comply with relevant Laws, Regulations, and Industry Standards related
to fraud risk management. This may include requirements set by regulatory bodies .
Organizations must be aware of any reporting obligations related to fraud incidents, both
internally and to external stakeholders, including regulators, shareholders, and the public.

9. Documentation and Reporting

Fraud Risk Register: Maintain a detailed register of identified fraud risks, including the
assessment of their likelihood and impact, as well as the controls in place to mitigate them.
Reporting to Management and the Board: Regular reports should be provided to senior
management and the board on
• the status of fraud risk management activities,
• findings from investigations, and
• the effectiveness of controls

10. Culture and Ethical Environment

A key aspect of fraud prevention is fostering an organizational culture where ethical behavior
is valued and reinforced. This involves leadership demonstrating ethical conduct, recognizing
and rewarding ethical behavior, and encouraging open communication.

Benefits of a Fraud Risk Management Program

1. Reduced Financial Losses
Effective management of fraud risk can significantly reduce the financial impact of
fraudulent activities on the organization.
2. Enhanced Reputation
A strong anti-fraud stance enhances the organization's reputation with stakeholders,
including customers, investors, and regulators.
3. Compliance with Laws and Regulations
An FRMP ensures that the organization meets regulatory requirements, avoiding legal
penalties and fines.
4. Improved Operational Efficiency
 By identifying and mitigating fraud risks, organizations can improve overall operational
efficiency and reduce the likelihood of disruptions.

FRAUD RISK ASSESSMENT

Fraud Risk Assessment is the process of systematically identifying, evaluating, and prioritizing
potential fraud risks within an organization. The goal is to understand
• where fraud is most likely to occur,
• how it could impact the organization, and
• what can be done to prevent, detect, and respond to it.
The purpose of a Fraud Risk Assessment is to proactively identify and manage potential fraud
risks before they materialize into actual incidents, thereby protecting the organization from
financial loss, reputational damage, legal consequences, and operational disruptions.

Elements of Fraud Risk Assessment :

1. Identification of Fraud Risks
Recognizing specific areas, processes, or activities within the organization that are
susceptible to fraud. This involves looking at different types of fraud, such as financial
statement fraud, asset misappropriation, or corruption.
2. Evaluation of Likelihood and Impact
Assessing how likely each identified fraud risk is to occur (likelihood) and the potential
consequences if it does happen (impact). This helps the organization understand which
fraud risks are most critical and need the most attention.
3. Prioritization of Risks
Based on the likelihood and impact, fraud risks are ranked in order of importance. This
allows the organization to focus its resources on the most significant risks.
4. Documentation and Reporting
Recording the findings of the assessment and reporting them to relevant stakeholders, such
as senior management or the board of directors, to inform decision-making and risk
management strategies.
5. Action Planning
Developing and implementing strategies to mitigate the identified risks, which may include
strengthening internal controls, enhancing monitoring systems, or providing employee
training.

1. Identify Fraud Risk Scenarios

This involves recognizing specific situations or conditions within the organization that
could lead to fraud. These scenarios can be based on past experiences, industry trends, or
known weaknesses in the organization's processes. Common fraud risk scenarios include:
 • Financial Statement Fraud: Manipulation of financial records to present a false view of
the company’s financial health. This can include inflating revenues, understating
liabilities, or misrepresenting expenses.
• Asset M isappropriation: Theft or misuse of an organization’s assets, such as cash,
inventory, or fixed assets. Examples include embezzlement, skimming revenues, and
fraudulent expense reimbursements.
• Corruption: Involvement in dishonest or unethical behavior, such as bribery, kickbacks,
or conflicts of interest. This can occur in procurement processes, contract awards, or
negotiations.
• Vendor and Supplier Fraud: Fraudulent activities involving third-party vendors or
suppliers, such as billing for goods or services not provided, overbilling, or providing
substandard products.
• Payroll Fraud: Manipulation of payroll systems to create ghost employees, inflate wages,
or claim overtime not worked.
• Expense Reimbursement Fraud: Employees submitting false or inflated claims for
reimbursement of expenses, such as travel or entertainment.
• Procurement Fraud: Manipulation of the procurement process to favour certain suppliers
or to gain personal benefits, often involving bid rigging or false invoicing.
• Cyber Fraud: Fraud committed through cyber means, such as phishing, hacking, or
unauthorized access to sensitive information.
• Intellectual Property Theft: Stealing or misusing an organization’s intellectual property,
such as trade secrets, patents, or proprietary information.

Information Sources for Identifying Fraud Risks

To identify fraud risk scenarios, organizations can rely on several sources of information:
• Internal Audit Reports : Previous audit findings that highlight areas of concern.
• Industry Reports : Trends and common fraud schemes within the industry.
• Employee Feedback: Insights from employees who are aware of potential weaknesses.
• Whistle-blower Complaints : Past complaints that have revealed vulnerabilities.
• Regulatory Requirements: Areas highlighted by regulators as being high-risk for fraud

2. Assessment: Likelihood and Impact

Once fraud risk scenarios are identified, the next step is to assess the likelihood of these
risks occurring and the potential impact on the organization. This helps prioritize risks and
allocate resources effectively.

Likelihood Assessment
• High: The risk is likely to occur.
• M edium: The risk is possible to occur.
• Low: The risk is unlikely to occur.
 This step involves estimating the probability of each identified fraud risk scenario
occurring. Factors to consider include:
• Historical Occurrence: Has this type of fraud occurred before within the organization or
industry?
• Nature of the Business: Is the organization’s industry particularly prone to certain types
of fraud (e.g., financial services, retail)?
• Complexity of Processes: Are the processes involved in the scenario complex, making it
difficult to monitor and control?
• Level of Internal Controls: Are there existing controls that can effectively prevent or
detect the fraud? The absence or weakness of controls increases the likelihood.
• Fraud Triangle Factors: Consider the factors of pressure, opportunity, and rationalization
that could lead individuals to commit fraud.

3. Risk Rating and Prioritization

• High: The potential financial loss or damage to reputation is significant.
• M edium: The potential financial loss or damage to reputation is moderate.
• Low: The potential financial loss or damage to reputation is minimal.
After assessing the likelihood and impact of each fraud risk scenario, combine these two
factors to determine the overall risk rating.
• Critical Risks: Require immediate attention and action, as they pose a significant threat
to the organization.
• High Risks : Should be addressed promptly to reduce the likelihood or impact.
• M edium Risks: Should be monitored regularly and managed through existing controls.
• Low Risks : Require periodic review but may not need immediate action.

4. Documentation and Reporting

The results of the fraud risk assessment should be documented thoroughly and
communicated to relevant stakeholders, including senior management and the board of
directors. This documentation typically includes:
• Risk Scenarios Identified
• Likelihood and Impact Ratings
• Overall Risk Rating
• Recommended Actions: For mitigating high-priority risks, including strengthening
controls or implementing new preventive measures.
• Ongoing Monitoring Plans: To track the effectiveness of fraud risk management efforts
and adjust as necessary.

Fraud Risk Mitigation

Fraud risk mitigation involves implementing strategies and controls to reduce the likelihood
and impact of fraud within an organization. Effective fraud risk mitigation typically includes
a combination of preventive controls, detective controls, leveraging technology, and identifying
red flags.

1. Preventive Controls
Preventive controls are measures designed to prevent fraud from occurring in the first place
by reducing opportunities and dissuading potential fraudsters. Key preventive controls
include:
• Segregation of Duties: Ensuring that no single individual has control over all aspects of
a financial transaction (e.g., authorization, recording, and custody of assets). This
minimizes the risk of fraud by requiring collusion for fraud to occur.
• Authorization and Approval Processes: Establishing clear authority levels and requiring
approvals for financial transactions, contracts, or other critical decisions to ensure that
multiple layers of oversight are in place.
• Access Controls: Limiting access to sensitive systems, data, and assets based on an
individual’s role and responsibilities. Implementing strong passwords, encryption, and
physical security measures can help prevent unauthorized access.
• Employee Background Checks: Conducting thorough background checks on new hires,
especially those in sensitive positions, to reduce the risk of hiring individuals with a
history of fraudulent behavior.
• Training and Awareness Programs: Regularly educating employees about the
organization’s code of conduct, anti-fraud policies, and the importance of ethical
behavior. Training can also cover how to recognize and report suspicious activities.
• Anti-Fraud Policies: Developing and enforcing policies that clearly communicate the
organization’s stance on fraud, including consequences for fraudulent behavior. Policies
might include conflict-of-interest declarations, gift policies, and whistle-blower
protections.

2. Detective Controls
Detective controls are mechanisms that help identify fraud if it occurs, allowing for timely
intervention and response. These controls include:
• Internal Audits: Conducting regular and surprise audits to examine financial
transactions, processes, and records. Audits can detect discrepancies, irregularities, or
patterns indicative of fraud.
• Reconciliations: Performing regular reconciliations of accounts, such as comparing bank
statements with accounting records, to identify any discrepancies that may indicate
fraud.
 • Data Analytics and Continuous M onitoring: Using data analytics tools to monitor
transactions and financial data for unusual patterns, trends, or anomalies that could
suggest fraudulent activity. Continuous monitoring provides real-time detection of
potential fraud.
• Surveillance and M onitoring Systems: Implementing surveillance measures such as
video monitoring in sensitive areas (e.g., cash handling) and tracking employee activity
in critical IT systems to detect unauthorized actions.
• Whistle-blower Hotlines: Establishing confidential reporting mechanisms (e.g., hotlines,
online portals) that allow employees, customers, or third parties to report suspected
fraud anonymously. Whistle-blower reports can provide early warning signs of fraud.

3. Leveraging Technology
Technology plays a crucial role in both preventing and detecting fraud. By leveraging
advanced tools and software, organizations can enhance their fraud risk mitigation efforts:
• Fraud Detection Software: Utilizing specialized software that uses algorithms and
machine learning to detect suspicious transactions or behaviours in real time. These
tools can analyze large datasets to identify patterns associated with fraud.
• Automated Controls: Implementing automated workflows and approval processes to
ensure compliance with policies and reduce the risk of manual errors or manipulation.
• Blockchain Technology: Using blockchain for transactions to ensure transparency,
immutability, and traceability. Blockchain can reduce the risk of fraudulent alterations
to records.
• Artificial Intelligence (AI) and Machine Learning: Applying AI and machine learning to
detect unusual patterns or behaviours in data that may indicate fraud. These
technologies can also adapt and improve over time, becoming more effective at
identifying potential fraud.
• Digital Identity Verification: Using biometric authentication, two-factor authentication,
and other digital identity verification tools to prevent unauthorized access and reduce
the risk of identity fraud.

4. Identifying the Red Flags

Red flags are warning signs that may indicate the presence of fraud or the potential for
fraud to occur. Being vigilant and responsive to these signs is essential for effective fraud
risk mitigation:

• Behavioural Red Flags:

✓ Living Beyond Means: Employees who exhibit a lifestyle that significantly exceeds
their salary may be funding it through fraudulent activities.
 ✓ Unusual Financial Transactions: Sudden changes in spending patterns, frequent large
transactions, or unusual account activity.
✓ Reluctance to Share Information: Employees who are unusually secretive or defensive
about their work, or who resist audits and oversight.
• Process Red Flags:
✓ M issing Documentation: Incomplete or missing supporting documentation for
financial transactions or inventory.
✓ Unexplained Accounting Adjustments: Frequent or large adjustments to financial
statements without a clear explanation.
✓ Excessive Voids or Credits: A high volume of voided transactions, refunds, or credit
notes, particularly if concentrated with a specific employee or department.
• Operational Red Flags:
✓ Rapid Employee Turnover: High turnover rates, especially in finance or procurement,
may indicate underlying issues such as fraud.
✓ Vendor and Supplier Anomalies: Frequent changes in suppliers, or a concentration of
business with a few vendors, may indicate favouritism or kickbacks.
✓ Inconsistent Inventory Levels: Discrepancies between recorded and actual inventory
levels may suggest theft or fraud.

Conclusion
Mitigating fraud risk requires a comprehensive approach that combines preventive and
detective controls, leverages advanced technology, and remains vigilant for red flags. By
implementing these strategies, organizations can significantly reduce the likelih ood of
fraud and minimize its impact when it does occur.