Our team at Compliance Mitigation offers the following as a template:
- Our company (the “Company”) has a commitment to high legal, ethical and moral standards. We expect all members of staff to share this commitment. The Board of Directors tries to ensure that a risk (and fraud) awareness culture exists in this organization. Fraud is an ever-present threat and hence must be a concern to all members of staff. Our Company views fraud as an extremely serious matter and is committed to the promotion of an Anti-Fraud Culture throughout the organization.
- We created this document to provide direction and help to those who find themselves having to deal with suspected cases of theft, fraud or corruption. This document gives a framework for a response, advice and information on various aspects and implications of an investigation. It is not intended to provide direction on prevention of fraud.
- This Policy applies to any irregularity, or suspected irregularity, involving employees as well as consultants, vendors, contractors, customers and/or any other parties having a business relationship with the Company. Any investigative activity required will be conducted without regard to any person’s relationship to this organization, position or length of service. All managers and supervisors have a duty to familiarize themselves with the types of improprieties that might be expected to occur within their areas of responsibility and to be alert for any indications of irregularity.
2. DEFINITIONS – WHAT IS FRAUD?
- We define Fraud as “dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party.” The term “fraud” commonly includes activities such as theft, corruption, conspiracy, embezzlement, deception, bribery and extortion. It may involve:
- manipulation, falsification or alteration of records or documents;
- suppression or omission of the effects of transactions from records or documents;
- recording of transactions without substance;
- misappropriation (theft) or willful destruction or loss of assets including cash; and
- deliberate misapplication of accounting or other regulations or policies.
- The criminal act is the attempt to deceive, and attempted fraud is therefore treated as seriously as accomplished fraud.
- Computer fraud arises where information technology equipment has been used to manipulate programs or data dishonestly (for example, by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system was a material factor in the perpetration of fraud. Theft or fraudulent use of computer time and resources is included in this definition.
- Some illustrations of incidents which would be classified as fraud are contained in Appendix A to this Policy.
3. PURPOSE OF THE FRAUD RESPONSE PLAN
- The purpose of the Fraud Response Plan (the “Plan”) is to ensure that effective and timely action is taken in the event of a fraud. The Plan aims to help minimize losses, reduce liability and increase the chances of a successful investigation.
- The Plan defines authority levels, responsibilities for action, and reporting lines in the event of a suspected fraud or irregularity. It acts as a checklist of actions and a guide to follow in the event of fraud being suspected. The Plan is designed to enable the Company to:
- prevent further loss;
- establish and secure evidence necessary for criminal, civil and/or disciplinary action;
- determine when to contact the police and establish lines of communication;
- assign responsibility for investigating the incident;
- minimize and recover losses;
- review the reasons for the incident, the measures taken to prevent a recurrence, and determine any action needed to strengthen future responses to fraud.
4. COMPANY RESPONSIBILITIES
- The Company will undertake fraud investigations where there is suspected fraud and take the appropriate legal and/or disciplinary action in all cases where that would be justified. Where there is fraud (proven or suspected), the Company should make any necessary changes to systems and procedures to prevent similar frauds from occurring in the future. The Company should establish systems for recording and subsequently monitoring all discovered cases of fraud (proven or suspected).
- Responsibility for exercising disciplinary actions rests with the Director of Human Resources [or the Director of Compliance, for a company large enough to have independent compliance personnel], although this should be done in consultation with other Executives where appropriate.
5. MANAGING THE RISK OF FRAUD – RESPONSIBILITIES
- The Executives (CEO and CFO) of the Company are responsible for establishing and maintaining a sound system of internal controls that support the achievement of Company policies, aims and objectives. The system of internal controls is designed to respond to and manage the whole range of risks that the Company faces. Managing fraud risk will be seen in the context of the management of this wider range of risks.
- Overall responsibility for managing the risk of fraud has been delegated to front line managers and an internal auditor (whose duties are defined below). Their responsibilities include:
- developing a fraud risk profile and undertaking a regular review of the fraud risks associated with each of the key organizational objectives in order to keep the profile current;
- designing an effective control environment to prevent fraud from happening;
- establishing appropriate mechanisms for:
- reporting fraud risk issues,
- reporting significant incidents of fraud to the CFO and Human Resources [or the Compliance Department];
- making sure that all staff are aware of the Company’s attitude to fraud and know what their responsibilities are in relation to combating fraud;
- developing skill and experience competency frameworks;
- ensuring that appropriate anti-fraud training and development opportunities are available to appropriate staff in order to meet the defined competency;
- ensuring that vigorous and prompt investigations are carried out if fraud occurs or is suspected;
- taking appropriate disciplinary action against supervisors where supervisory failures have contributed to the commission of fraud;
- taking appropriate action to safeguard the recovery of assets;
- ensuring that appropriate action is taken to minimize the risk of similar frauds occurring in the future.
- Line Managers are responsible for:
- ensuring that an adequate system of internal controls exists within their areas of responsibility and that controls operate effectively;
- preventing and detecting fraud;
- assessing the types of risk involved in the operations for which they are responsible;
- regularly reviewing and testing the control systems for which they are responsible;
- ensuring that controls are being complied with and their systems continue to operate effectively;
- implementing new controls to reduce the risk of similar fraud occurring where frauds have taken place.
- The Internal Auditor is responsible for:
- delivering an opinion to the CFO and Audit Committee on the adequacy of arrangements for managing the risk of fraud and ensuring that the Company promotes an anti-fraud culture;
- assisting in the deterrence and prevention of fraud by examining and evaluating the effectiveness of controls commensurate with the extent of the potential exposure/risk in the various segments of the Company’s operations;
- assisting management in conducting fraud investigations.
- Every member of staff bears responsibility for:
- acting with propriety in the use of Company resources and the handling and use of Company funds, whether they are involved with cash or payments systems, receipts or dealing with suppliers or customers;
- being conscious of the possibility that unusual events or transactions could be indicators of fraud;
- reporting details immediately through the appropriate channel, if they suspect that a fraud has been committed or see any suspicious acts or activities;
- co-operating fully with whoever is conducting internal checks, reviews or fraud investigations.
6. FRAUD DETECTION
- Line Managers should be alert to the possibility that unusual events or transactions could be symptoms of fraud or attempted fraud. Fraud may also be highlighted as a result of specific management checks or be brought to management’s attention by a third party. Additionally, irregularities occasionally come to light in the course of audit reviews.
- The factors which gave rise to the suspicion should be determined and examined to clarify whether a genuine mistake has been made or an irregularity has occurred. An irregularity may be defined as any incident or action which is not part of the normal operation of the system or the expected course of events.
- Preliminary examination may involve discreet enquiries with staff or the review of documents. It is important for staff to be clear that any irregularity of this type, however apparently innocent, will be analyzed.
7. ACTION FOLLOWING DETECTION
- When any member of staff suspects that a fraud has occurred, he/she should notify his/her Line Manager or Internal Auditor immediately. Speed is of the essence: this initial report can be verbal, but it must be followed up within 24 hours by a written report addressed to the Line Manager/Internal Auditor, which should cover:
- The amount/value if established.
- The position regarding recovery.
- The period over which the irregularity occurred, if known.
- The date of discovery and how the suspected fraud was discovered.
- Whether the person responsible has been identified.
- Whether any collusion with others is suspected.
- Details of any actions taken to date.
- Any other information or comments which might be useful.
- Before completing the report above, line management may want to undertake an initial enquiry to ascertain the facts. This enquiry should be carried out as speedily as possible after suspicion has been aroused: prompt action is essential. The purpose of the initial enquiry is to confirm or negate, as far as possible, the suspicions that have arisen so that, if necessary, disciplinary action including further and more detailed investigation may be initiated. The Internal Auditor is available to offer advice on any specific course of action which may be necessary.
- As the gravity of each irregularity might be different, a reporting member of staff may wish to act in accordance with the “Policy on Reporting and Investigating Allegations of Suspected Improper Activities.”
8. CONSULTATION AND REPORTING WITHIN THE COMPANY
- On verbal notification of a possible fraud the Line Manager/Internal Auditor must immediately contact the CFO. He/She will inform and consult with the CEO (General Director) in cases where the loss is potentially significant or where the incident may lead to adverse publicity.
- The CFO will maintain a log of all reported suspicions, including those dismissed as minor or otherwise not investigated. The log will contain details of actions taken and conclusions reached and will be presented to the Audit Committee for inspection annually. Significant matters will be reported to the Board of Directors as soon as practical.
- Where a member of staff is to be interviewed or disciplined, the CFO and/or Internal Auditor will consult with, and take advice from, the Director of Human Resources [or Director of Compliance]. He/She will advise those involved in the investigation in matters of employment law, Company policy and other procedural matters (such as disciplinary or complaints procedures) as necessary.
9. INVESTIGATION / FURTHER ACTION
- If it appears that a criminal act has not taken place, an internal investigation will be undertaken to:
- determine the facts;
- consider what, if any, action should be taken against those involved;
- consider what may be done to recover any loss incurred; and
- identify any system weakness and look at how internal controls could be improved to prevent a recurrence.
- After proper investigation, the Company will take legal and/or disciplinary action in all cases where leaders consider further action appropriate. There will be consistent handling of cases without regard to position or length of service of the perpetrator.
- Where an investigation involves a member of staff and it is determined that no criminal act has taken place, the CFO will liaise with the Director of Human Resources [or Director of Compliance] and appropriate Line Manager to determine which of the following has occurred and therefore whether, under the circumstances, disciplinary action is appropriate:
- gross misconduct (i.e. acting dishonestly but without criminal intent);
- negligence or error of judgment was seen to be exercised; or
- nothing untoward occurred and therefore there is no case to answer.
- Where, after having sought legal advice, the CFO judges it cost effective to do so, the Company will normally pursue civil action in order to recover any losses. The CFO will refer the case to the Company’s legal advisers for action.
- Where initial investigations point to the likelihood of a criminal act having taken place, the Executives (CEO or CFO) will contact the police (or appropriate Federal agency, as the case may be) and the Company’s legal advisers at once. The advice of the police will be followed in taking forward the investigation.
- The investigations described above will also consider whether there has been any failure of supervision. Where this has occurred, appropriate disciplinary action will be taken against those responsible for this failure.
10. RECOVERY OF LOSSES
The recovery of losses should be a major objective of any fraud investigation. To this end, the quantification of losses is important. Repayment of losses should be sought in all cases. Where necessary, the Company will seek external advisors and legal advice on the most effective actions to secure recovery of losses.
11. MANAGERS’ DUTY OF CARE
- Managers conducting initial enquiries must be conscious that internal disciplinary action and/or criminal prosecution may result. If such action is later taken, then under proper procedure the member of staff concerned has a right to representation and may have the right to remain silent. Utmost care is therefore required from the outset in conducting enquiries and interviews.
- In addition, in order to protect the Company from further loss and damage from destruction of evidence, it may be necessary to suspend the member of staff concerned immediately after the allegation has been made or following the submission of the Manager’s initial verbal report. Specific advice should be sought from Human Resources [Compliance] before proceeding.
12. PROTECTION OF EVIDENCE
If the initial examination confirms the suspicion that a fraud has been perpetrated, then to prevent the loss of evidence which may subsequently prove essential for disciplinary action or prosecution, the person heading up the investigation (“Head of Investigation”) should:
- take steps to ensure that all original evidence is secured as soon as possible;
- be able to account for the security of the evidence at all times after it has initially been secured, including keeping a record of its movement and signatures of all persons to whom the evidence has been transferred. For this purpose, all items of evidence should be individually numbered and descriptively labeled;
- not alter or amend the evidence in any way;
- keep a note of when investigators came into possession of the evidence. This will be useful later if proceedings take place;
- remember that all memoranda relating to the investigation must be disclosed to the defense in the event of formal proceedings against an employee, so it is important to carefully consider what information needs to be recorded. Particular care must be taken with phrases such as “discrepancy” and “irregularity” when what is really meant is fraud or theft;
- ensure that electronic evidence is appropriately handled by certified specialists.
13. HEAD OF INVESTIGATION
- Executives of the Company will nominate in writing the Head of Investigation on a case-by-case basis depending on the gravity of issues and potential losses involved. The Internal Auditor will oversee and control the subsequent investigation; therefore, for this purpose, the Head of Investigation will report to the Internal Auditor.
- The Terms of Reference should be agreed between those involved in the investigation. The Head of Investigation should arrange for an action plan to be put in place with, as far as is possible, a set timeframe and regular reviews. He/She should call on the assistance of various sources of help at all stages (technical assistance, personnel, external audit, attorneys, etc.) but ultimate responsibility and accountability in progressing the case should remain with the Head of Investigation.
- The Head of Investigation should have the necessary authority (i.e. the appropriate rank and experience) to enable him/her to properly discharge these duties. Depending on the volume of work to be performed and the issues involved, this person might be released from his/her main duties in the Company on a temporary basis.
- The Head of Investigation should also be independent from the matter in question. It is the responsibility of the Head of Investigation to keep the Internal Auditor abreast of developments and report all material developments promptly to facilitate onward reporting to the Executive Team and Audit Committee.
14. LEARNING FROM EXPERIENCE
Following completion of the case, the Internal Auditor should prepare a summary report on the outcome and lessons learned, circulating it to all other interested parties, who must take the appropriate action to improve controls to mitigate the scope for future recurrence of the fraud. Where a fraud has occurred, Management must make any necessary changes to systems and procedures to minimize prospects for similar acts of fraud.