The IaS Fraud Risk Management Framework shows how we identify internal and external fraud risks and assess the effectiveness of the controls that address them. Fraud risk is an organization's exposure to the various types of fraud it could face from internal and/or external sources. Fraud is an intentional act by one or more individuals among employees, management, those charged with governance (internal), or third parties (external) involving the use of deception to obtain an unjust or illegal advantage.
The three primary categories of internal fraud are corruption, asset misappropriation, and financial statement fraud. The following are examples of fraud:
Employees misusing influence in transactions for benefit (internal)
Vendors billing for goods/services not received (external)
Employees accepting bribes or benefits to act (internal)
Employees providing sensitive information to outside parties for gain (internal)
Part 1 of the framework consists of the governance over fraud risks, which involves a governance structure that sends a message that fraud is not tolerated:
1.1: Oversight
1.2: Internal Specialist, Values and Ethics
1.3: Values and ethics code
1.4: Conflict of interest and post-employment guidance
1.5: Risk-based internal audit plan
1.6: Process to investigate fraud allegations
1.7: Fraud Prevention Policy
Part 2 consists of the fraud risk assessment, which is a process to identify and address vulnerabilities to internal/external fraud:
2.1: Conduct a Fraud Risk Assessment that includes best practices
2.1.1: Identify fraud risks without considering controls (that is, inherent risk)
2.1.2: Assess likelihood and impact of identified fraud risks
2.1.3: Map controls that mitigate the identified risks (preventive/detective)
2.1.4: Evaluate whether controls are working effectively
2.1.5: Evaluate residual fraud risks
2.1.6: Considering risk tolerance, respond to residual fraud risks
2.1.7: Periodically review the Fraud Risk Assessment
Part 3 consists of controls to prevent and detect fraud, which involves the design and implementation of processes, procedures, and activities to address identified fraud risks:
3.1: Fraud prevention
3.1.1: Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time
3.1.2: Conflict of interest (COI): Mitigate conflicts of interest
3.1.2.1: Effective management of the declarations of COI
3.1.2.2: Employees complete a declaration whether or not they have a conflict of interest
3.1.2.3: Service standards to respond to declared conflicts of interest
3.1.2.4: Reporting
3.1.3: Controls designed to prevent fraudulent activities
3.2: Fraud detection
3.2.1: Mechanism to report fraud (see Section 4.1)
3.2.2: Controls designed to detect fraudulent activities
Part 4 consists of investigations of fraud allegations, which involves a thorough approach to manage fraud allegations and investigations:
4.1: Mechanism to report fraud
4.2: Formal approach to address allegations of fraud
4.2.1: Assessment of the allegations of fraud
4.2.2: Investigation of the allegations of fraud
4.2.3: Monitoring of the allegations of fraud
4.2.4: Corrective actions
Part 5 is the continuous improvement of the Fraud Risk Management Framework.