
4.4 KPMG FRAUD RISK MANAGEMENT MODEL

4.4.1 Fraud Prevention

The model shown in Figure 4.7 below has been adapted for this study from the KPMG Fraud Risk Management model (2006:8). The constructs and sub-constructs are explained below:

Figure 4.7: Adapted from the Fraud Risk Management model

Source: KPMG (2006:8)

4.4.1.1 Leadership and Governance

According to KPMG (2006:8), leadership and governance requires emphasis to be placed on four aspects: board or audit committee oversight, senior management oversight, the Internal Audit function, and fraud and misconduct risk assessment.

• Firstly, the directors of a board (in the case of universities, the members of Council) play an essential role in overseeing the implementation of internal controls intended to mitigate fraud risks. In some instances the board delegates this oversight role to the audit committee. Directors should ensure that internal controls are adequate and effective. Setting the tone for ethical behaviour in an organisation is the joint responsibility of the board and management.

• Secondly, senior management should be responsible for oversight of the fraud risk management interventions that are implemented. Their oversight should focus primarily on prevention, but detection of and response to fraud should not be overlooked. The chief executive officer (in the case of universities, the Vice-Chancellor) is best placed to set an appropriate ethical culture within the organisation. S/he is able to lead by example and direct the effort with the assistance of the senior management team. The chief executive officer should hold members of the senior management team accountable for non-compliance with policies and procedures. This message should permeate the organisation and serve to consolidate an ethical culture within it. KPMG (2006:9) suggests that a leader in a senior management position be tasked with oversight of all interventions aimed at combating fraud. Such a leader should be responsible for the prevention of, detection of and response to fraud risks. This leader should:

o Coordinate the fraud risk assessments within the organisation;

o Design and implement policies and procedures for ethical business practices;

o Ensure oversight of the fraud risk management initiatives and controls, and

o Provide a report to the board or the audit committee about the results of the anti-fraud initiatives.

• Thirdly, the Internal Audit department should participate in combating fraud and expand beyond its traditional role of testing the effectiveness of internal controls. It is suggested that the Internal Audit department should be held responsible for:

o Evaluating the design and effectiveness of internal controls intended to prevent or detect fraud;

o Assisting in the fraud risk assessment process and advising on the adequacy and effectiveness of mitigating controls, and

o Reporting to the audit committee about its findings in this regard.

• Fourthly, fraud risk assessments assist management in identifying the fraud risks unique to the organisation and the deficiencies in its current internal controls, and in designing appropriate mitigation strategies and controls to address those weaknesses.

Fraud risk assessments should take place throughout the organisation, not only in selected areas of operation. The audit committee plays an oversight role in this process and ensures that the assessments are an ongoing effort. A typical fraud risk assessment process is depicted in Figure 4.8 below as a four-step process:

Figure 4.8: Fraud Risk Management Process

Source: KPMG (2006:10)

The four-step risk assessment process should:

o identify the areas of risk that require assessment;

o list and categorise the risks;

o rate the risks, and

o mitigate the risk by enhancing internal controls.

4.4.1.2 Code of Conduct

As suggested by KPMG (2006:11), a code of conduct is an essential tool with which an organisation communicates its standards of ethical conduct to employees; it should also be communicated to clients, suppliers and other stakeholders. Such a code sets a strong tone within the organisation about management's commitment to a sound ethical culture. For this tone from the top to permeate the organisation, employees must be made aware of the code and of management's commitment to a culture of integrity. KPMG (2006:11) proposes that a code of conduct should have the following features:

• high-level support for and commitment to the code from senior management;

• language that is easily understandable;

• guidance on compliance with relevant policies and procedures;

• guidance to employees on anticipated areas of risk;

• an aesthetically appealing format that encourages readership;

• readily available tools that assist employees in making ethically acceptable decisions, and

• an appropriate reporting mechanism which employees can use to report concerns or request guidance, without prejudice to themselves.

A code of conduct is essential to ensure that all employees commit to a single, high standard of ethical conduct within an organisation, without double standards or selective application.

4.4.1.3 Employee and Third Party Due Diligence

A requisite aspect of maintaining a sound ethical culture is ensuring that an organisation employs people of high integrity. This extends to conducting business with suppliers and clients who are also committed to operating with high integrity. According to KPMG (2006:12), conducting due diligence on potential employees, suppliers, clients and other stakeholders is an integral part of a fraud prevention strategy. Due diligence should be undertaken at the commencement of an employment or business relationship. The conditions under which employees achieved their performance targets should also be scrutinised, in order to ensure that the results were achieved within the ethical standards of the organisation. This sends a clear message to employees that the organisation is cognisant not only of the results but also of how they were achieved (KPMG 2006:12). As the old adage warns, the end should not justify the means; in fraud prevention, this must be understood.

4.4.1.4 Communication and Training

KPMG (2006:12) suggests that it is essential for employees to be made aware of their responsibilities in respect of the internal controls designed to combat fraud. Communication and training should be provided to employees in a planned and prioritised manner, in order to ensure that the importance of these responsibilities is emphasised. KPMG (2006:13) suggests that communication and training initiatives on fraud awareness should be:

• all-inclusive, taking into consideration the responsibilities of a job and its areas of risk;

• integrated, where possible, with other training and communication initiatives;

• conducted using various media and techniques, and

• ongoing, targeting employees where potential risks exist.

Providing continuous communication and training to employees to create awareness about fraud serves to inculcate a culture of high integrity and compliance within an organisation.

Such a process also equips employees to identify fraud within their work environment and to know how to report such suspicions.