CRB Disclosure for the finance profession

The following professions are listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, Schedule 1 (Articles 2(3), 3 and 4), as excepted professions, offices, employments, work and occupations. An employer or regulator recruiting for these positions may ask an exempted question, that is, require disclosure of spent as well as unspent convictions:

• Financial Advisor
• Chartered Accountant
• Certified Accountant
• Actuary
• Mortgage Advisor
• Director, controller or manager of an insurance company
• Employment providing investment, insurance or other financial service
• Director or officer of a Building Society
• All positions for which the Financial Services Authority or the competent authority for listing are entitled to ask exempted questions to fulfil their obligations under the Financial Services and Markets Act 2000.

Consultative Paper Issued by Basel Committee on Banking Supervision Covering Internal Audit in Banking Organisations
Issued: July 2000

Introduction
To many executives "risk" is a four-letter word. Managers with the temerity to speak of fraud and risk in the same sentence face the withering and acerbic wrath of management and colleagues alike. The reasons for this, while simple to understand, mask complex corporate and inter-personal relationships and ethics. Fraud is insidious and strikes at the heart of business and business relationships. It is complex, contradictory and anathema to good management. The doctrine that good managers and rigorous controls prevent fraud is widely touted and is the foundation for much corporate complacency.

Fraud within retail markets is generally well controlled and managed across products as diverse as credit cards, mortgages, commercial lending and purchasing. It is seen as an inevitable component of doing business, a cost to be accepted, albeit grudgingly, provided tolerances and profit margins are maintained. It is an external attack on the company by clients, customers or third parties.
Corporate fraud attacks the heart of a business. It is employees, trusted staff, often working in collusion with external parties, stealing from their employer. It is this betrayal of trust and breach of the core fabric of our working and personal relationships which management finds so difficult to discuss or accept. Many management teams still believe that to plan corporate fraud prevention strategies is tantamount to admitting distrust of their colleagues and staff.

For these reasons, many businesses do not manage corporate fraud risks proactively, developing their anti-fraud arrangements only in response to specific incidents. This is particularly true of global businesses, which include treasury and other payment and settlement operations. When major losses occur, investigators and recovery specialists are parachuted into the location, often unclear of business strategies and goals, resulting in unnecessary conflicts with line managers trying to limit credit exposure or maximise loss recovery, using their existing business framework. The results are internal confusion, lack of focus and mismanaged recovery.

Trends
The threat of catastrophic fraud loss within areas of high risk such as Treasury or other back office payment and settlement operations has increased significantly over the past 18 months with an alarming rise in successful attacks. Contraction and amalgamations, high turnover in critical staff and advances in end-to-end processing have significantly changed the fraud risk profile of back office operations.

While the traditional view of fraud trends shown in Figure 1 still holds true, it will not be long before technical fraud overtakes documentary fraud as the primary target for crime gangs. The adoption by banks, finance companies and those developing e-commerce businesses or business processes of data warehousing, electronic letters of credit and bills of lading, as well as Internet payment processes, contributes significantly to changing the fraud paradigm. This change is already occurring in Treasury, where automated straight-through processing of transactions has shifted the fraud risk profile, moving the risks traditionally associated with the middle and back office to the front office.

Awareness of corporate fraud amongst senior and line management is still low. Few businesses have mapped their critical fraud risks, depending instead on traditional controls and segregation of duties for protection: countermeasures that professional criminals can readily identify and bypass.

Fraud Programme
The primary aim of a corporate fraud programme is the prevention and detection of fraud and the recovery of losses. A secondary aim is to help management achieve financial targets and corporate governance goals by reducing capital wastage, and by contributing to enhanced capital and shareholder value through improved (fraud-resistant) systems, practices and procedures.

To achieve these goals, certain operating standards become critical and must be met by all staff. These standards include:

* organisation: roles, responsibilities and accountabilities for the prevention, detection and investigation of fraud and the recovery of losses must be clearly defined and communicated, both globally and at business levels,
* policy: policies and standards established for all fraud risks,
* improvement: the business must learn from mistakes,
* knowledge: transfer and dissemination of best practice,
* risk management: a complete and consistent process for measuring, controlling and reporting fraud risks as an integral part of the operating business,
* solutions: contact points for escalation of issues,
* culture: must promote fraud risk awareness by training, rewards and sanction,
* decisions: risks identified for assessment and decision by appropriate levels of management.

These standards form the foundation for the development of cost effective prevention programmes. It is critical that managers first understand the level of risk they face and more importantly, the appetite or tolerance which exists within the extended organisation for both the level of risk and the potential loss. This may include the views of directors and non-executive directors, institutional shareholders, regulators, rating agencies and major corporate clients as well as internal risk managers, compliance and line management.

Fraud Prevention
Prevention seeks to establish a series of physical, logical and procedural barriers to discourage fraudulent attacks, implementing cost effective countermeasures to prevent or reduce the impact of the threat identified by risk assessment.

At the heart of any programme to prevent fraud is the effective, efficient and secure management of information in any form. Information is a key asset and is the product of people interacting with processing systems, technology and raw data.

Protection may include one or more of the following elements:

* confidentiality: protecting sensitive information from disclosure
* integrity: safeguarding the accuracy, completeness and source of the information
* availability: ensuring information and services are available to users
* accountability: ensuring users are properly authorised and can be shown to be accountable for their actions
* auditability: ensuring actions can be reconstructed and connected to a specific user or action, that compliance with key controls is verifiable and systems can be interrogated to confirm correct operation.

The weight attached to each of these elements will vary depending on the resource being protected and the threat.

Robust physical, environmental and corporate security controls are an integral part of information protection. They are also a primary measure in detecting and preventing theft and other losses and a key element in establishing acceptable standards of corporate care.

Fraud Detection
Detection aims to identify losses or attempts to cause loss at the earliest possible opportunity and limit the amount of capital wastage. It includes:

* using a range of tools or techniques to pro-actively identify fraud, such as:
  * filtering or data mining of accounting and procurement data
  * fraud reviews (focused on specific risk areas)
  * risk mapping and assessment
  * intelligent or knowledge-based systems
* employee hot-lines and confidential reporting systems
* personnel security (including pre-employment screening and re-screening of existing employees, particularly those holding sensitive positions)
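The "filtering or data mining of accounting and procurement data" item above is the one detection measure in this list that can be shown in code. The following is an added example written for this page; it is not part of the consultative paper and does not describe any particular institution's system. It runs four simple filters over a small set of constructed supplier-payment records: a segregation-of-duties check (the same person raised and approved a payment), duplicate payments (same vendor, invoice number and amount paid twice), invoice splitting (several same-day payments to one vendor that each sit under a single-approver limit but together exceed it), and a change of vendor bank account. The records, the names and the 10,000 approval limit are all invented for illustration.

```python
"""Added example: rule-based filtering of accounting/procurement data to
surface indicators a fraud review would follow up.  All records,
names and thresholds below are constructed for illustration and are
not taken from the consultative paper."""
from collections import defaultdict, namedtuple
from datetime import date

Payment = namedtuple(
    "Payment",
    "pid vendor amount invoice raised_by approved_by account paid_on",
)

# Constructed sample data (not real records): a week of supplier payments.
PAYMENTS = [
    Payment("P1", "Acme Ltd", 4900.00, "INV-1001", "alice", "bob", "GB11", date(2000, 6, 1)),
    Payment("P2", "Acme Ltd", 4900.00, "INV-1001", "alice", "bob", "GB11", date(2000, 6, 3)),
    Payment("P3", "Zeta plc", 9950.00, "INV-2201", "carol", "carol", "GB22", date(2000, 6, 4)),
    Payment("P4", "Zeta plc", 9980.00, "INV-2202", "carol", "dave", "GB22", date(2000, 6, 4)),
    Payment("P5", "Zeta plc", 9900.00, "INV-2203", "carol", "dave", "GB22", date(2000, 6, 4)),
    Payment("P6", "Omega SA", 1200.00, "INV-3100", "erin", "frank", "GB33", date(2000, 6, 5)),
    Payment("P7", "Omega SA", 2500.00, "INV-3101", "erin", "frank", "GB99", date(2000, 6, 6)),
]

# Assumed control: a single approver may sign off payments below this amount;
# anything at or above it needs a second signature.
APPROVAL_LIMIT = 10000.00


def find_sod_violations(payments):
    """Segregation of duties: whoever raised a payment must not approve it."""
    return [p.pid for p in payments if p.raised_by == p.approved_by]


def find_duplicate_payments(payments):
    """Same vendor, invoice number and amount paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.invoice, p.amount)].append(p.pid)
    return [tuple(ids) for ids in seen.values() if len(ids) > 1]


def find_split_invoices(payments, limit=APPROVAL_LIMIT):
    """Several same-day payments to one vendor raised by one person, each
    under the approval limit, whose total exceeds it: the usual way of
    keeping a large payment away from a second approver."""
    groups = defaultdict(list)
    for p in payments:
        if p.amount < limit:
            groups[(p.vendor, p.raised_by, p.paid_on)].append(p)
    hits = []
    for group in groups.values():
        if len(group) > 1 and sum(p.amount for p in group) > limit:
            hits.append(tuple(p.pid for p in group))
    return hits


def find_account_changes(payments):
    """A vendor paid into more than one bank account.  A changed mandate
    should be confirmed against an independently verified source."""
    accounts = defaultdict(set)
    for p in payments:
        accounts[p.vendor].add(p.account)
    return {v: sorted(a) for v, a in accounts.items() if len(a) > 1}


def run_fraud_filters(payments=PAYMENTS):
    """Run every filter and return the hits keyed by rule name."""
    return {
        "self_approved": find_sod_violations(payments),
        "duplicates": find_duplicate_payments(payments),
        "split_invoices": find_split_invoices(payments),
        "account_changes": find_account_changes(payments),
    }


if __name__ == "__main__":
    for rule, hits in run_fraud_filters().items():
        print(f"{rule}: {hits}")
```

Each filter is deliberately a plain rule so that the output can be reviewed by a fraud reviewer rather than trusted blindly; on real ledgers the same rules would be run over exported general-ledger and accounts-payable extracts, with the approval limit and date windows taken from the business's own policy.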

Investigation And Recovery
Recovery seeks to manage losses and other undesired incidents cost-effectively and efficiently. The recovery process should also be used to learn from mistakes, to identify weaknesses in people, processes or procedures, and to develop effective countermeasures that prevent or reduce the likelihood of recurrence. Recovery includes:

* overt and covert investigations, interviews and management of external professional support,
* management of internal and external reporting relationships, including regulators,
* management of staff and internal corporate issues, including crisis management,
* preparation of corporate response to enquiries from media, shareholders or other external parties,
* presentation of findings to Board and senior management, and where appropriate, external regulators or other agencies,
* identification of procedural weaknesses or differences in policies and practices, developing action plans to mitigate these issues,
* transferring knowledge (and best practice learning points from the incident) through training and awareness programmes.

Key Implementation Goals
The following paragraphs describe some of the key goals in implementing a fraud risk management programme. They suggest a strategic aim and the critical elements needed for success. Not all the elements are required and businesses should pick and choose from the templates to suit their own needs, dependent on the risks they face.

Countermeasures, which already exist in most companies, should be realigned to achieve these goals, providing robust protection and best value for money. Continuous review, assessment and adjustment should become the norm rather than the exception for businesses wishing to maintain competitive advantage.

Organisation
Goal: To establish management responsibility for the prevention and detection of fraud and recovery of losses and to ensure appropriate resources are available to effectively correct irregularities.

Achieved by: Developing an enterprise wide matrix for the management and reporting of fraud and other major losses or irregularities, identifying specific levels of responsibility and reporting.

Critical success factors include:

* roles, responsibilities and accountabilities clearly defined and communicated
* reporting mechanisms and escalation procedures established and enforced
* consistent processes for controlling and managing incidents
* awareness and ownership of issues by key managers.

Policy Documents
Goal: To set clear direction and demonstrate firm support from Senior Management for the prevention and detection of fraud and other irregularities and the recovery of losses by the issue of precise and explicit policies.

Achieved by:

* Establishing policies, standards and guidelines for the business, ensuring consistent management of fraud and other irregularities
* Producing policy statements and guidelines for specific user groups, enabling them to develop good practice and consistent understanding of management requirements
* Producing the information in three broad categories: strategic management policy, technical standards for specific user groups and guidelines written in plain language.

Risk Assessment, Measurement and Review
Goal: To provide a common framework of tools for the assessment and measurement of fraud risk throughout the business, encouraging staff to manage exposure in a systematic and comprehensive way.

Achieved by:

* Adopting a qualitative and proven risk management model capable of supporting operational and business risk needs
* Identifying assets that are of specific value to the business and which could be targeted or manipulated by fraudsters. These assets include:
  * information: databases, electronic data transmissions, data files, on-line user manuals, operating procedures and continuity or fallback arrangements
  * paper documents: contracts, valuable securities, company mandates and documentation, signature records
  * software: application software, system software, development tools and utilities
  * physical assets: computer and communications equipment, magnetic tapes and disks
  * people: personnel, customers, subscribers
  * company reputation
* Identifying the threats (who and what causes the threat) to the assets identified as critical to the business, taking account of:
  * threat frequency: how often it might occur, based on experience and available statistics and records
  * deliberate threats: the capabilities and resources available to fraudsters and the attractiveness of the target to them
  * accidental threats: geographical and environmental factors, human errors and equipment malfunction
* Identifying and assessing weaknesses within business-critical assets that could be exploited by a threat to cause an unwanted incident or loss. Examples include:
  * misuse or abuse of passwords
  * unprotected connection to an external network
  * insufficient security training
  * lack of appropriate physical protection

  It is important to assess how severe the vulnerabilities are (how easily they could be exploited) and to rate them against a simple scale, for example: Almost certain, Probable, Moderate, Unlikely and Rare.
* Developing a simple method to assess and measure the level of fraud risk in each business area, taking into consideration the asset, threat, vulnerability and impact or value at risk.
* Establishing which level of management is responsible for each level of risk and preparing guidelines on managing and reducing those risks, taking into consideration existing and planned security controls. Figure 6 outlines the type and level of management response required by each level of risk.

Protecting Information
Goal: To provide a framework of generally accepted and effective information security management practices; ensuring the confidentiality, integrity and availability of information in any form.

Achieved by:

* Building a control framework for the protection of information and related technology by writing and implementing key control policies, technical standards and guidelines covering the use of information, in any form, and all related technology. Key controls include:
  * asset classification and control, including safeguarding original records
  * information security policy and associated technical standards clearly defining responsibility
  * physical and environmental security
  * personnel security
  * controlling logical access to systems and information
  * computer and network management
  * system development and maintenance
  * business continuity management
  * virus control
* Commencing on-going and systematic technical security reviews of all legacy systems
* Developing specific training programmes for the IT environment and key staff within the IT Department.

Protective Security
Goal: To ensure effective physical barriers and other countermeasures to protect key assets (people, property and information), and deter fraud.

Achieved by:

* Reviewing existing security measures and establishing a rolling programme integrating electronic fire detection, surveillance, access control and intrusion detection systems, supported by high quality guarding
* Raising the scope and quality of guarding elements to provide emergency first response as well as watch and ward services
* Ensuring adequate protection of personnel, including incident response
* Ensuring appropriate levels of pre-employment screening and re-validation of checks on existing staff holding sensitive positions.

Fraud Awareness
Goal: To ensure personnel are aware of fraud threats and concerns, and are able to support policies, standards and guidelines in the course of their work.

Achieved by:

* Designing a focused awareness programme targeting critical fraud issues that can achieve early changes in staff awareness and culture. Examples include:
  * identifying critical issues during fraud reviews and/or the production of policies and guidelines
  * focusing awareness campaigns on one subject each year, for example money laundering

Fraud awareness and change management programmes use the full range of modern multimedia, sales and marketing and communications concepts to deliver messages in a refreshing and innovative manner. Similar techniques are recommended for this programme to ensure maximum impact and value.

Fraud Training
Goal: To ensure appropriate training to enable staff to prevent, detect and where appropriate, correct fraud or other irregularities.

Achieved by:

* Introducing a range of training courses that cover general audiences as well as those staff requiring specialist technical skills
* Building a series of in-house fraud training programmes, which may include:
  * fraud identification and detection
  * fraud prevention
  * computer crime
* Making available a range of technical and specialist courses for key staff. These may include:
  * managing a fraud incident, including simulated exercises
  * investigating fraud
  * interviewing

Crisis Management
Goal: To ensure an appropriate response by senior managers dealing with major incidents of fraud or other irregularities.

Achieved by:

* Reviewing and, if appropriate, further developing corporate crisis management structures, including Incident Management Teams, critical response plans and training for key staff
* Identifying which levels of management are appropriate to deal with a variety of threats
* Establishing trigger-points and escalation procedures to ensure incidents are dealt with consistently and by an appropriate level of management; this includes developing core immediate action steps to guide initial responses
* Developing outline contingency plans
* Training members of the Incident Management Team in:
  * crisis management
  * communication
  * handling the press and media
  * personal and corporate security

Reporting Incidents and Investigations
Goal: To minimise the impact from unwanted incidents and other deficiencies or irregularities, including fraud, theft and other losses, and to learn from such incidents.

Achieved by:

* mandatory incident reporting
* an independent investigation and review programme
* appropriate internal skills:
  * within management
  * within specialist functions, such as IT, Investigations and Audit
* links with external specialist support
* open communication and support for this process from regulators and other bodies such as external auditors and lawyers
* review and knowledge transfer mechanisms, to ensure the business learns from incidents.

References
This document takes reference from:

* British Standard BS 7799 - A Code of Practice for Information Security Management
* Australian and New Zealand Standard AS/NZS 4360:1995 - Risk Management
* Association of Certified Fraud Examiners
* Information Systems Audit and Control Foundation - Governance, Control and Audit for Information and Related Technology (CobiT, 2nd edition)
* Business Continuity Institute (UK) - Certification Standards
