Anti-fraud controls 925

  • Another basic question from me, please.
    It seems fairly obvious yet I’m beginning to wonder whether I really know what an anti-fraud control is. Im looking at a series of controls for a particular process (premiums collection for an insurance company) and somehow all the controls in one way or another help to prevent fraud. I would appreciate some examples of what is and what is not an anti-fraud control.
    For example a bank reconciliation - if the balances on the system total less than the balances on the bank statement and the difference is not due to timing or any other valid explanation then it could be that money is being siphoned out illicitly. Therefore a bank reconciliation could detect fraud. What are your views on this please?

  • As a starting point for discussion -
    We have struggled a bit with this, too as our external auditor is required to perform it’s own testing of any fraud controls and cannot rely on management testing of these controls.
    I would suggest eliminating any back-end or ‘detect’ types of controls from your fraud controls list and only include those controls designed to prevent fraud.
    I don’t believe that we are required to identify separate controls that are intended to prevent fraud, but rather to label those financial controls already identified as also being a control that prevents fraud.

  • Fraud is a tricky one as you need not have specific control objectives nor specific controls to address fraud - the requirement of the SOXA is not that specific.
    Most projects I’ve worked on have addressed fraud in a far more generic way. Sometimes by describing the inherent fraud risk in significant accounts e.g. High for cash and describing how these inherent risks are addressed e.g. segregation of duties plus relevant prevent AND detect controls. Other projects have justified that the exisitng control objectives and process documentation sufficiently address fraud risk without making it explicit.

Log in to reply