FRAUD RESPONSE PLAN

INTRODUCTION

It is imperative for the managers and all entities involved to be aware of what to do in the event

of a fraud so that the needed actions can be taken without any delay. The Fraud Policy covers the

required actions in case of suspicion of a fraud and also identifies to whom the fraud should be

reported.

POLICIES

The anti-fraud policy of the company should clearly state the commitment of the organization to

investigate all allegations of fraud. The policy should also indicate that appropriate action shall

be taken against the fraudsters. The presence of fraud policy helps to raise awareness amongst

the staff that, to manage and minimize the damage caused by any fraudulent actions, a response

plan has been devised1. The policy defines the actions explicitly that constitute fraud to ensure

that all employees and third parties are fully aware of what is acceptable.

The purpose of this document is to help those who have to deal with suspected cases of fraud.

This document provides a framework to respond to and seek advice in case of the need for

investigation arises. It is the duty of all managers and supervisors to familiarize themselves with

any possible irregularity that might occur in their area and to remain alert 2.

FRAUD
1
Deloitte., 2020. Fraud policies: Why you need one and what it should look like. [online] Available at:
<https://www2.deloitte.com/nz/en/pages/finance/articles/fraud-policies-why-you-need-one.html>
[Accessed 31 May 2020].

2
Forte, D., 2009. Can a fraud prevention plan be really effective?. Computer Fraud & Security, 2009(3),
pp.18-20.
Fraud is defined as obtaining an advantage dishonestly, evading an obligation or working to

cause a loss to another party3. Fraud refers to activities like extortion, theft, conspiracy, deception

or embezzlement and may involve manipulation, alteration or falsification of data. The willful

destruction of assets including cash and omission of transaction records to mislead information is

also referred to as fraud.

FRAUD RESPONSE PLAN

The Fraud Response Plan provides a direction to how and by whom the suspicion of fraud will

be examined, testified and closed. The plan is a formal setting of the arrangements that are made

to deal with any suspected or detected cases of fraud4. It provides a checklist of the required

actions and acts as a guide to follow in an event of suspected fraud. The presence of the Plan

ensures that the company is able to:

 Avoid any further losses

 Find and secure the necessary evidence to conduct the disciplinary action

 Assign duties to the personnel involved in investigation of the incident

 Identify the need to involve the police

REPORTING A SUSPECTED FRAUD

3
Collier, P. and Agyei-Ampomah, S., 2006. Management Accounting - Risk and Control Strategy. Oxford:
Elseveir Ltd., p.341.
4
Pickett, K., 2004. The Internal Auditor At Work. Hoboken, NJ: John Wiley & Sons, p.85.
In order to help in the prevention and detection of a fraud, the employees, managers and the third

parties should play a role by reporting any suspicions regarding a fraud. All suspected cases of

theft, fraud, or any improper use of organization’s resources or misappropriation of the power

should be directly reported to the Head of Internal Audit, who shall notify the Director of the

area in which the suspected fraud occurred. The suspected fraud should be recorded in the Fraud

Register and must be updated regularly during as the investigation progresses.

Employees:

In case of any suspicion of fraud or corruption, the matter should be reported urgently to the

relevant line manager. If it does not seem appropriate, then the manager must directly report to

the Head of Internal Audit on immediate basis. The Finance Director holds the duty of Head of

Internal Audit in the organization.

Managers:

Managers and supervisors have the position to detect any irregularity or fraud in their respective

area. They must be provided with a list of contacts containing the telephone numbers and details

regarding reporting a fraudulent incident. If the manager is informed by an employee regarding

any suspected fraud or finds out oneself, then it is their duty to:

 Patiently listen to employee concerns without any bias while treating them with

confidentiality and seriousness;

 Acquire as much information as possible regarding the outline of events, and the

involvement of concerned people and resources while gaining access to any available

evidence;

 Make sure that any available evidence is kept secure and is not interfered with;
  Report the issue immediately to the concerned parties and not make any attempt to

investigate the matter personally.

Director of Finance/Head of Internal Audit

In large organizations, a fraud officer is chosen to take responsibility to initiate and manage all

investigations regarding any fraud, and for implementing the fraud response plan. For a mid-

level organization, the Director of Finance, who is also the Head of Internal Audit will bear the

responsibility for the response of the organization to fraud. It will also include the duty to

coordinate with other concerned parties involved in the investigation and to ensure that the fraud

response plan is updated on regular basis. The finance director will manage all internal

investigations and have a master copy of the fraud response plan. The finance director will:

 Conduct the investigation as quickly as possible, while ensuring that everything takes

place according to the Disciplinary Policy devised by the Human Resource Department

 Gather and acquire the facts, and secure any available evidence

 Conduct interviews with the relevant staff members

 Form a liaison with the HR department and the legal service team to gain guidance when

needed

 Report to the involved managers

 Provide evidence at a Disciplinary Hearing in case a disciplinary action is finalized.

FORMING A FRAUD RESPONSE TEAM

The Head of Internal Audit or the Finance Director must immediately arrange a meeting to form

a fraud response team. The team may depend upon the severity of the fraud but it will include:
  Human Resource Director

 Director of the concerned area

 Director of Finance

All the team members will agree and sign the Fraud Response Plan.

For a smaller and less complex fraud, the team will involve the staff in the area of the suspected

fraud to conduct the investigations while maintaining liaison with the team members. For

investigation, the team will assign personnel from the internal or external auditors or a

combination of both according to the situation.

The team will determine:

 The need for investigation

 Who shall lead the investigation based on the alleged fraud

 Any additional resources required to make investigation

 The need for the involvement of police

 The need to involve external parties in the investigation

 The need to suspend the employees

 The need to involve legal advisors

Human Resources:

It is the duty of the Human Resource Department to ensure that the internal disciplinary

procedures are aligned to the fraud response plan. The HR is directly involved in devising

strategies for personnel management, and keeping a record to the employment histories of the

individuals while it is also the responsibility of the HR to advice in matters related to equal
opportunities and employment law. The Human Resource Head shall decide the actions with

regards to suspension of the staff and will meet with the Fraud Response Team on regular basis

to discuss the progress of the case. If the allegation involves a manager or an employee, the HR

will decide to suspend their role during the investigation.

Internal Auditors:

The investigation will involve the team of internal auditors in the organization. Since, the HR

department is directly involved in the suspected fraud, so, the involvement of an inexperienced

team may jeopardize the results of the investigation. Only specific auditors who have been

trained as fraud specialists, having the necessary skills and knowledge to accomplish the task

should be included. If required, a qualified Financial Investigator will be used under the Proceeds

of Crime Act 2002.

INVESTIGATION

If the suspected fraud does not indicate any criminal act, then it would result in an internal

investigation to identify the facts, and consider the necessary actions that need to be taken

against the involved parties. The investigation will also determine the needed actions to recover

the incurred loss and identify how to improve the internal controls of the system so that such a

recurrence can be prevented in the future.

SECURING EVIDENCE

To gather evidence, the property or premises should be thoroughly inspected with proper

witnesses and a list of the contents be made and signed by the witnesses and the officer

investigating it5.
5
Todd, K., 2019. Inside Job: How to Create a Fraud Response Plan. business.com, [online] Available at:
<https://www.business.com/articles/fraud-response-plan/> [Accessed 31 May 2020].
The evidence obtained must be secured based on the assumption that it may be presented in the

court when necessary. To ensure that the evidence is not changed or tampered with until the

investigation is concluded, the evidence should have limited access to only those who are

involved in investigating the matter.

 If the evidence involves paperwork, then original documents must be acquired and

retained securely so that they are not marked. The documents should be put in a

protective folder and responsibility to be assigned of one person to keep and handle the

documents.

 If the evidence is on hard drive of the computer, then the computer will be secured and

the data will be handled only by personnel having suitable skills and training like an IT

specialist. If required, legal or police advice will also be taken into consideration.

 It might be preferable to leave the original documents and take photocopies instead, but

they must be signed, dated and certified.

 If the information is suspected to be on a camera system, then it is imperative to liaise

with the team for Information Management to make sure that the relevant policies are

being complied with while data is accessed.

 If required, a written consent should be obtained before removing any items from the

relevant department manager.

INTERVIEWS

The management has the authority to interview the staff with regards to any suspicion. When

deemed appropriate, the individual shall be subjected to formal investigation by trained

personnel. The information obtained during interviews should be saved in detailed notes and

even recorded via tapes.

If a witness is willing to give a written statement, then the document should be signed by the

witness6. The statements from the suspects should be taken with the involvement of the trained

investigators and if required, police.

CONCLUSION OF INVESTIGATION

The conclusion of the investigation along with the evidence should be given to the Head of Audit

in the company by the investigating officer. The conclusions must be drawn solely on the basis

of the acquired evidence. Head of relevant department, Head of Internal Audit and Head of Legal

Services will agree on the recommended sanctions and then decide the disciplinary outcomes

according to the disciplinary policy devised by the Human Resource Department of the

company7.

Head of Internal Audit will review the outcomes to make sure that the action taken is appropriate

to deal with frauds and provide recommendations to modify and enhance the effectiveness of the

controls.

The results of the investigation shall only be shared and discussed with those who have the

authentic right.

RECOMMENDATIONS

In order to mitigate the risk associated with fraud, the owners and organization leaders should

focus on two key dimension of the fraud system: fraud prevention and fraud detection. The

6
D. Forte, 2009. Ibid.
7
P. Collier and S. Agyei-Ampomah, 2006. Ibid.
presence of a fraud response strategy allows the firms to make better investigations and in a

timely manner8. The companies without a fraud response plan, tend to react in a chaotic manner

to fraud identification. The companies that have a coherent fraud response plan are able to offer

their leaders a guideline to follow while saving both time, internal resources and high costs

required for investigation by external professionals. The plan also covers how to involve the

employees and senior officials in the information related to fraud, when external professionals

need to be contacted for investigation.

Preventing fraud is the best but since it is not always possible to prevent fraud, early detection

allows to minimize the losses. Hence, a proper system of fraud detection is imperative to help

identify errors, and minimize the losses9. For fraud prevention, preventive controls should be

implemented internally through a standardized information security management system that

must be continuously monitored to ensure optimal effectiveness. The controls for fraud

prevention include modification of the human resource procedures including background

investigations of the job applicants, provision of anti-fraud training, implementing programs to

evaluate the employees and their compensation10. Furthermore, proper documentation, along

with continuous monitoring and improvement of the program along with complete integration

into the organizational efforts to manage frauds will ensure the success of the program. In order

to mitigate the risk, the company must have a strong corporate governance program in place.

CONTACTING THE REGULATOR

8
Gengler, B., 2002. PayPal’s anti-fraud team. Computer Fraud & Security, 2002(3), p.5.
9
Giles, T., 2009. How To Develop And Implement A Security Master Plan. Boca Raton: CRC Press/Taylor &
Francis.

10
K. Todd, 2019. Ibid.
Although it is generally perceived that for fraud claims, the regulators should be contacted, but it

is not the best option when a corporate malfeasance is being reported. Revealing internal

misconduct has its own risks and it is wise, to choose carefully. According to Daniel Westman,

an employment lawyer at Morrison & Foerster, says that before going to a regulator, the

employees should feel a responsibility to report the fraud internally11. As the case says, the

regulator had not been involved earlier, but since the case already involved fraudulent activity

going on in the HR department and that too, with the signature of the senior officials, it seems

that contacting the regulator would have been the best choice in this fraud. Reuban Guttman, a

director at Grant & Eisenhofer, supports contacting the regulator in the case of internal fraud. He

says, “It’s not black and white like that. If the wrongdoing is pervasive, internal compliance

programs are not going to be helpful”12. When the issue has serious implications for the

company, it is advisable to notify the regulators. If the company had earlier contacted the

regulator, and rather than making some quick-fixes, a proper investigation had taken place, the

losses would have been minimized and the issues would have been resolved. The involvement of

the finance manager as well as the HR department in the case indicates the need to get the

regulator involved to resolve the issue. The lack of proper supervision of the procedures, and the

malfunctioning of the payroll system, and recruitment process portray a huge issue that cannot be

resolved with quick fixes as the internal system is the issue itself. The lack of standardized and

properly monitored HR system requires complete investigation of the problem, so that the

required changes can be made. While deciding to report to the regulators, it is important to take

into consideration the terms or references, the significance and sensitivity of the information to

11
Segarra, M., 2014. The Whistleblower’s Trilemma. CFO, [online] Available at:
<https://www.cfo.com/fraud/2014/03/whistleblowers-trilemma/> [Accessed 31 May 2020].
12
Ibid.
the company, and also whether the release of information could result in reputational damage to

the company or any kind of monetary penalty.

Part (b)

It is the responsibility of the company to make any necessary changes to the procedures and

systems to ensure that the occurrence of frauds can be prevented in the future. It is imperative for

the company to establish systems that record and monitor all identified cases of fraud, both

proven and suspected. Director of Human Resources, in consultation with the Director of

Finance holds the responsibility to exercise disciplinary actions where appropriate.

Although fraud remains the same throughout years, but the risk has grown based on the size and

complexity due to the evolution of technology and the ease in moving, sharing, and exposing

corporate assets. In order to reduce the opportunities for employee fraud, a control environment

should be designed and implemented.

 Independent and Empowered Audit Committee

An audit committee should be made that is completely independent of management. The

audit committee should be given a fraud risk training so that awareness is raised regarding

fraud risk. The audit committee should be fully aware of the exposure to fraud risk and also

of the steps that are required to monitor and mitigate these risks. The audit committees

conduct their annual and quarterly reviews to identify any uncorrected misstatements and

then, with the authority given to them, the committee should have a dialogue with the

management and if required, the external auditors, discussing the wrong adjustments in the

statements13. The audit committee should also be aware of all the accounting practices and
13
Vollmer, S., 2016. How audit committees can help deter fraud. Financial Management, [online]
Available at: <https://www.fm-magazine.com/news/2016/jan/how-audit-committees-can-help-deter-
 policies in the company and by continuously being in touch with the management, they must

be able to identify any significant unusual transactions taking place in the company. The

audit committee should also review the level of confidentiality given to employees when they

report any suspected wrongdoings in the company, and it is the duty of the committee to

ensure that the follow-up action is objective, independent and involves appropriate

investigation14. In case, the suspicion involves as executive member of the company,

particularly the finance or HR director, then the case should be directly reported to the

chairperson of the committee. Even the internal audit will be continuously reviewed by the

audit committee to ensure that no negligence is taking place.

 Tools for Effective Reporting and Appropriate Training:

It is imperative to establish procedures that allow for reporting of any complaints or

suspicious activities. For this purpose, the company may use an internal system of reporting

or get help from an external agency to manage the process of reporting while ensuring

confidentiality. But, this can only be possible when the employees are completely aware of

what constitutes fraud or misconduct against the company15. For this purpose, the company

should introduce periodic training to ensure that the employees are able to distinguish and

identify fraudulent behavior and suspicious activities. Employees are the best line of defense

against fraud and so, they need to be fully trained so that they can ensure the safety of the

company. Employees should be taught about both internal and external sources of fraud and

fraud-201613688.html> [Accessed 31 May 2020].

14
Erick-Bell, 2010. Internal Control Checklist: 5 Anti-Fraud Strategies to Deter, Prevent and Detect
Fraud. Corporate Compliance Insights, [online] Available at:
<https://www.corporatecomplianceinsights.com/internal-control-checklist-deter-prevent-detect-
fraud/> [Accessed 31 May 2020].
15
Bartow, J. and Biegelman, M., 2013. Executive Roadmap to Fraud Prevention and Internal Control.
Hoboken, N.J.: Wiley, p.381.
 it is advisable to have multiple employees keep the books, and manage the payrolls so that a

check and balance system is developed16. Employees should be fully aware of company

policy regarding fraud and they must be trained to comply with the policy.

EXTERNAL WHISTLEBLOWER HELPLINE

It is not possible to completely prevent fraud from occurring in the company, so, there must be

an effective system to detect fraud as they occur. Fraud is mostly uncovered by employees in a

company, and most of the time, before reporting to regulators, the whistleblowers report

internally. A whistleblowing helpline refers to a system that enables employees and third party

suppliers to report any unlawful activity, unethical behavior, or any suspected malpractice in the

workplace. The presence of whistleblowing helplines allows the employees to feel safe while

raising issues that they might not feel comfortable discussing in person17. Through the helpline,

the employees can expose significant issues and disclose information/concerns. Employees are

best source of information in the company, but due to the fear of facing consequences of internal

reporting, they might not report any corrupt and illegal behavior that they detect in the company.

In this case, since the finance manager and the HR manager seem to be involved in the fraud,

nobody would dare to report directly to the internal system as HR system is wrong in itself and

by whistleblowing internally, the employees cannot remain anonymous at all. Hence, the

presence of an external whistleblowing helpline is the best option in the company. The external

whistleblowing helpline would give a voice to the employees, suppliers, contractors and all

stakeholders involved18. It leads to creating and promoting a culture of openness and

16
Ibid.
17
Erick-Bell, 2010. Ibid.
18
Fox, T., 2019. Advantages of Whistleblower Hotline Reporting Systems: Understanding the Impact of
Internal v. External Reporting. [Blog] NAVEX Global, Available at:
<https://www.navexglobal.com/blog/article/advantages-of-a-whistleblower-hotline-reporting-systems-
understanding-the-impacts-of-internal-v-external-reporting/> [Accessed 31 May 2020].
transparency in the company while demonstrating that there shall be serious consequences for

any kind of malpractice as the company would seriously deal with any kind of fraudulent activity

taking place. In contrast to an internal system, the presence of an external whistleblower helpline

would allow confidentiality and anonymity during the interaction between the investigator and

the reporter19. Furthermore, the external system would also help the regulators in making

decisions regarding the company problems in an efficient manner. Whistleblower helplines are

only effectively utilized when the employees work in an environment where they feel free to

speak up when they suspect a wrongdoing20. Specially, when the employees feel the need to

establish a complaint against the internal control systems, or the involvement of managers, it is

better to have an external whistleblowing helpline available where the employees do not fear the

consequences and can openly report a fraud.

19
Iwasaki, M., 2018. Effects of External Whistleblower Rewards on Internal Reporting. SSRN Electronic
Journal.
20
T. Fox, 2019. Ibid.