FRAUD CONTROL POLICY
Contents
1 Leadership Message
1.1 Purpose
1.2 Definitions
1.3 Policy Objectives and Scope
2 Governance and Professional Ethics Statement
2.1 Code of Ethics
2.2 Roles and Responsibilities
2.3 Tone at the Top
3 Fraud Prevention
3.1 Tone at the Top
3.2 Fraud Risk Assessment
3.3 Fraud Prevention Control
4 Fraud Detection
4.1 Fraud Detection Procedures
4.2 Fraud Reporting Process
5 Fraud Response
5.1 Examples of Items to be reported
5.2 Response to Concerns, Complaints or Reported Breach
5.3 Investigation Process
6 Reporting the Results
6.1 Retention of Concerns, Complaints or Reported Breach
6.2 Recovery of the Proceeds of Fraudulent Activities
6.3 Corrective Actions
7 Review of Fraud Control Policy
Appendix A - Fraud Control Policy Decision Matrix
Appendix B - Declaration
1 Leadership Message
Tawazun and all of its Subsidiaries (‘The Group’) is an organization with strong values.
We are governed by the values of Performance Excellence, Integrity, Professionalism,
Teamwork and a Non-Bureaucratic Environment. Our Code of Ethics contains general
guidelines for conducting business with the highest standards of ethics.
The Group is committed to an environment where open, honest communications are
the norm, not the exception. We want everyone to feel comfortable in approaching
their supervisor or management in instances where they believe violations of policies
or standards have occurred.
1.1 Purpose
This document outlines The Group’s policy concerning fraud and provides guidelines
for the implementation and enforcement of The Group Fraud Control Policy referred
to hereafter as the ‘Policy’. This policy and any future amendments are subject to the
Board of Directors’ approval.
1.2 Definitions
Fraud can take many forms that are normally characterized by some form of
deliberate deception to facilitate or conceal the misappropriation of assets; whereas
corruption involves a breach of trust in the performance of official duties. Additionally,
misconduct is a broad concept, generally referring to violations of law, regulations and
internal policies and procedures.
For the purpose of this Policy, fraud, corruption and misconduct will be encompassed
into the word ‘Fraud’ (hereafter referred to as “Fraud”) and shall be used to refer
to all dishonest, irregular or illegal acts of: fraud; breach of trust; misappropriation;
wasting; embezzlement; or bribery, which is characterized by a deliberate intent at
concealment or false representation and causing or which might cause harm to The
Group or affect the financial interest of The Group.
The Group defines Fraud as a dishonest, unethical, irregular or illegal act or practice,
characterized by deliberate intent at concealment of a matter of fact - whether by
words or conduct - or false representation, which may result in a financial or
non-financial loss to The Group.
1.3 Policy Objectives and Scope
The Policy is designed to encompass the following:
• Maintain the highest standard of ethics, professional conduct and fiduciary
duty & responsibility;
• Protect The Group’s funds and other assets;
• Maintain integrity of The Group;
• Secure The Group’s businesses;
• Protect the reputation of The Group and its employees; and
• Maintain the highest level of services to the community and individuals.
The Policy has been established to outline the requirements for the development of
controls that will assist in the detection, prevention and response to Fraud. It is the
intention of The Group to promote consistent organizational behavior by providing
guidelines, assigning responsibility for the development of controls and conducting
investigations when necessary.
This Policy must be applied to any Fraud, or suspected Fraud, involving any member of
the Boards of Directors, the Chief Executive Officers, the Management teams or staff of
The Group, as well as minority shareholders and those who conduct business with The
Group, such as third party agents and representatives, including consultants, contractors,
suppliers, vendors, subcontractors and agents (hereafter referred to as “Stakeholders”).
Investigations shall be conducted irrespective of the individuals’ position or tenure
with The Group.
2 Governance and Professional Ethics Statement
The Group is committed to the highest ethical and moral standards, openness, and
accountability. All employees across all levels are expected to share the same commitment
and to lead by example in ensuring adherence to appropriate regulations, procedures,
practices, and codes of ethics. The Group expects individuals and organizations with whom
it does business to act with honesty and at the highest standards.
The Group is committed to promoting honesty. The message is clear: Fraud will not be
tolerated or perpetuated.
2.1 Code of Ethics
The Code of Ethics establishes clear guidelines that define the organization’s
culture and standards of ethical behavior and reflects the Board of Directors, the
Chief Executive Officer and the Executive Management’s (hereafter referred to as
“Management”) expectations. All employees and Stakeholders are required to adhere
to the standards set out in the Code of Ethics policy.
2.2 Roles and Responsibilities
The policies, job descriptions, charters and delegations of authority shall define roles
and responsibilities related to Fraud Risk Management.
2.3 Tone at The Top
2.3.1 Code of Ethics
The Group and each Subsidiary Board of Directors shall ensure that the relevant
Management implements and communicates effective Fraud Risk Management Process
to empower employees and encourage ethical behavior among employees, customers,
and vendors and to meet these standards every day. The Group and each Subsidiary
Board shall:
• Set appropriate “tone at the top” through the Chairman of the Board of
Directors, senior management, and Code of Ethics;
• Obtain a clear understanding of existing Fraud Risks;
• Maintain oversight of Fraud Risk management;
• Receive and monitor the Fraud risk reports, policies, and control activities;
• Approve the policy and any subsequent changes to it;
• Oversee the internal control function established by management for
preventing, detecting and responding to Fraud;
• Ensure that management has adequate resources at its disposal to enable The
Group to achieve its Fraud Risk Management objectives; and
• Issue a statement to be acknowledged by all employees, vendors and customers,
stressing the importance of the Fraud risk mitigation, acknowledging the
potential vulnerability to Fraud and establish the responsibility for each person
within The Group to support Fraud Risk Management.
2.3.2 Audit Committee
The Audit Committee shall:
• Adopt a proactive approach to Fraud Risk Management;
• Assess, monitor, and influence the tone at the top by reinforcing a zero-tolerance
policy on Fraud;
• Establish procedures for employees and others to report concerns about Fraud
and unethical behavior (on the Tawazun Ethics Line (TEL) website or by phone);
• Oversee the Tawazun Ethics Review Committee (TERC) function which is
responsible for responding to Fraud;
• Maintain an active role in the oversight of The Group’s assessment of Fraud risks;
• Meet frequently (and with sufficient preparation) to reasonably assess and
respond to Fraud risks;
• Appoint legal, accounting and other professionals when deemed necessary;
• Seek the advice of internal and/or external counsel whenever dealing with
issues of Fraud allegations; provide specific consideration and oversight of this
exposure when reviewing the work of Management and require them to be alert
for and report any such exposure as they carry out their duties;
• Receive regular reports on the status of reported or alleged Fraud; and
• Provide insight and guidance on implementing and strengthening the anti-fraud
measures.
2.3.3 Chief Executive Officer
The Group and each Subsidiary’s Chief Executive Officer shall take overall relevant
responsibility for the prevention, detection and response to Fraud.
2.3.4 Management
The Management shall be responsible for the development and implementation of the
Fraud Risk Management Plan, including each manager and employee’s responsibility
for detecting Fraud or related dishonest activities in their areas of responsibility.
The Group and the Subsidiaries Management shall:
• Establish and implement adequate internal controls, by designing and
implementing Fraud control activities, to prevent and detect Fraud;
• Understand the Fraud risks associated with their function or which might occur in
their area and be alert to them;
• Create a culture through actions and words where it is clear that Fraud is
not tolerated, any such behavior is dealt with swiftly and decisively, and that
whistleblowers will not suffer reprisal;
• Report to the relevant Board on what actions have been taken to manage
Fraud risk and regularly report on the effectiveness of the Fraud Risk
Management Plan. This includes reporting any remedial steps that are needed,
as well as reporting actual Fraud; and
• Ensure that background checks are performed on new and existing suppliers,
customers, and business partners to identify any issues of financial health, ownership,
reputation, and integrity that may represent an unacceptable risk to the Group.
2.3.5 Staff
All levels of staff, including Management, shall:
• Understand their roles within the internal control framework and how their
job procedures are designed to manage Fraud risks and how non-compliance
may create an opportunity for Fraud to occur or go undetected;
• Have a basic understanding of Fraud and be aware of the red flags;
• Read and understand policies and procedures (e.g. the Fraud Policy, Code of
Ethics, disclosure procedures, and other relevant policies and procedures);
• Participate in the process of creating a strong control environment, design and
implement fraud control activities, as well as participate in monitoring such
activities;
• Cooperate with the Investigation Team;
• Act with propriety in the use of The Group’s resources and in the handling and
use of funds whether they are in cash or payment systems and when dealing
with contractors, suppliers or customers;
• Report immediately if they suspect or believe that there is evidence of irregular
or improper behavior or that an incident of Fraud may have occurred;
• Refrain from further investigating the incident reported, confronting the
alleged violator, or further discussing the incident with anyone unless
requested to by the Audit Committee, Internal Audit, Legal Affairs and/or law
enforcement personnel; and
• Take into consideration the employee’s right to report any Fraud or suspected
Fraud cases.
2.3.6 Legal Affairs
The Legal Department shall:
• Provide guidance to the Investigation Team;
• Advise Management on other matters that may impact The Group’s Fraud or risk
activities including, but not limited to, conducting proper due diligence and/or
background checks when dealing with third parties; and
• Provide advice on the legal position in case of pursuing the accused fraudster to
recover assets stolen or a breach of trust for damages.
2.3.7 Internal Audit
Internal Audit shall:
• Coordinate the Fraud Risk Assessment process;
• Coordinate compliance with the annual reviews of Fraud Mitigation Strategies
in addition to the Fraud Risk Assessment by management;
• Review the comprehensiveness and adequacy of the risks identified by
Management — above all with regards to Management’s override of controls;
• Consider the Fraud Risk Assessment when developing the Annual Audit Plan
and review Management’s Fraud Risk Assessment and capabilities periodically;
• Spend adequate time and attention evaluating the design and operation of
internal controls related to Fraud Risk Management;
• Act independently and have adequate access to the Audit Committee;
• Register and compare Fraud incident reports by maintaining a log of the
reported Fraud cases;
• Supervise and conduct investigations of the alleged or suspected Fraud cases; and
• Assist Fraud investigators in collecting and preserving evidence as well as
advising management on the appropriate detective and preventive fraud
controls.
3 Fraud Prevention
Management must adopt a preventative approach for identifying, analyzing and
managing the risk of Fraud that could prevent The Group from achieving its business
objectives or strategies.
3.1 Tone at The Top
Tone at the Top is set at an appropriate zero tolerance to Fraud; starting with the
Chairman of the Board of Directors and each member of the Executive Management
team.
3.2 Fraud Risk Assessment
A Fraud Risk Assessment shall be performed on a systematic and recurring basis,
involve the appropriate personnel, consider relevant Fraud scenarios, and map those
Fraud scenarios so that steps can be taken to prevent or mitigate the risks of Fraud.
Fraud may occur in areas with no history of Fraud; thus, past instances or history are not
an indication of whether the area is susceptible to Fraud or not.
3.3 Fraud Prevention Control
Preventive controls are designed to help The Group reduce the risk of Fraud
occurring.
3.3.1 Affirmation Process (Declaration)
All employees shall acknowledge they have read, understood, and will comply
with the Code of Ethics and Fraud Control Policy to support the Group’s Fraud Risk
Management. Disciplinary action will apply for refusal to sign off, and such
actions will be applied consistently. See Appendix B for Acknowledgement Form.
3.3.2 Disclosure of Conflict of Interest
All employees and Stakeholders must disclose any personal or outside interest,
relationship or responsibility (financial, professional or otherwise) held by the
employee with respect to any potential or actual transaction, agreement or other
matter which is or may be presented to management for consideration - even if
such interest, relationship or responsibility has otherwise generally been disclosed.
The relevant management has to be informed through the employee’s immediate
superior or the Board of Directors if the person is a member of the Board. This should
be documented in accordance with the requirement of the Code of Ethics, and any
constraints placed on the situation must be monitored.
3.3.3 Human Resources Procedures
The relevant Human Resources Department (HR) shall:
• Perform background checks and document verification to verify employees’
credentials and competence, match skills to the job requirements, and be
aware of any issues of personal integrity that may impact their suitability for
the position;
• Obtain confirmation of work history and education presented on a job
application or CV;
• Evaluate performance and compensation programs for all employees and take
into consideration work-related competence, behavior and performance as per
this Policy;
• Conduct exit interviews for all employees leaving The Group as they may have
information regarding possible Fraud existing within The Group.
3.3.4 Authority Limits
All employees are required to follow Delegation of Authority Matrices established across
The Group. As a process-level control, individuals working within a specific function must
be assigned limited IT access which will enable them to perform their duties.
3.3.5 Fraud Awareness and Training
Training and seminars on Fraud awareness will be provided to all employees on a
regular basis. HR will maintain records of annual attendance in each employee file.
4 Fraud Detection
The relevant Management must have detective procedures in place to increase their
ability to detect and prevent Fraud, control costs and protect revenue. Detective
controls are designed to uncover Fraud as it happens.
4.1 Fraud Detection Procedures
• Effective automated systems must be used to identify potential red flags within
the financial transactions. Data analysis, continuous monitoring, and other
such tools shall be used to effectively detect Fraud activities, where applicable.
• Employees shall ensure the greatest possible transparency of transactions;
• A reporting mechanism for Whistleblowing through the Tawazun Ethics Line
(TEL, website or phone) is available to all employees and Stakeholders for the
purpose of reporting unethical or inappropriate events, behavior or practices
as well as any breaches of policies.
This mechanism shall provide anonymity. The Group preserves the confidentiality
of the Whistleblower and provides assurance to employees that they will not be
penalized for reporting their suspicions of wrongdoing in good faith, including
reporting wrongdoing by their superiors.
4.2 Fraud Reporting Process
• Each employee has the responsibility to report Fraud. Reports may be made
directly through the TEL channels or to the Chief Audit Executive in accordance
with the Whistleblowing Procedures.
• If the employee reports the Fraud to his/her supervisor, the supervisor
shall inform the Chief Audit Executive and/or Higher Management.
• There may be circumstances, because of the nature of the investigation or
disclosure, or where it may be required under law or regulation, when it will
be necessary to disclose the identity of the Whistleblower. This may occur in
connection with associated disciplinary or legal investigations or proceedings.
If, in the company’s view, such circumstances exist, the company will inform the
Whistleblower that his/her identity is likely to be disclosed. The organization
confirms that reports made in good faith will not result in adverse action to the
Whistleblower. Any malicious allegations may lead to appropriate disciplinary
action.
5 Fraud Response
Response controls are designed to take corrective action and to correct fraudulent
events caused by the fraudster.
5.1 Examples of Items to be Reported
The Group requires all persons to report - in good faith - any dishonest, unethical,
irregular, or illegal act or practice including, but not limited to:
• Unlawful and/or illegal conduct such as theft, fraud, and external or internal
corruption;
• A deliberate concealment of information;
• Failure to comply with The Group’s policies & procedures;
• Failure to comply with applicable laws and regulations;
• Potential, perceived, or actual conflict of interest; and
• Any conduct which may cause harm (financial, reputational or otherwise) to The
Group or any of its employees.
5.2 Response to Concerns, Complaints or Reported Breach
The Fraud response plan is a step-by-step process of the procedures that should be
considered by the Chief Audit Executive/Investigation Team when a material incident
of Fraud occurs.
Actions to be taken when a Fraud is suspected:
• Assess the facts reported (preliminary review) in order to understand the
possible level (internal/external, level of the internal staff involvement, etc.) and
the extent of any potential breach, as well as the severity of the case reported.
• Inform TERC members and agree on any action to be taken, and if necessary,
request comments/feedback from the Audit Committee;
• Decide whether further action is necessary and whether an investigation should
be carried out.
• Commence an investigation, with the initial aim of establishing the scale of the
Fraud and the degree of contamination within The Group.
5.3 Investigation Process
In matters deemed necessary for investigation, the Chief Audit Executive will select and
identify properly qualified and placed individuals to conduct the investigation (i.e. the
Investigation Team). Matters may require consultation with the Head of Legal, Head of
HR, and/or the Board of Directors or one of its committees (i.e. Audit Committee). In
certain cases, the Board or one of its committees may oversee an investigation.
The Investigator or TERC may hear the statement of the complainant or inform and
collect evidence under the supervision of Legal and HR.
5.3.1 Investigation Procedures
The procedures to be undertaken in each investigation are dependent upon the nature
of the concern, complaint or reported breach and circumstances of the situation as it is
presented. Examples of procedures that may be followed:
• Obtain a copy of the concern/complaint or reported breach;
• Identify, secure and gather data in whatever form, including the changing of
locks and system access (where necessary and/or applicable);
• Obtain and analyze documents;
• Conduct initial validation of the information received to understand whether
the claims are valid or are trivial, baseless and made out of malice;
• Perform data analytics on structured/unstructured data;
• Interview relevant internal and external individuals, document the interview
and obtain their acknowledgement on the facts;
• Secure documents and relevant evidence related to the suspected Fraud, such
as contents of the suspect’s office or workstation, personal computer, diary and
files including all personal documents, where possible/applicable; and
• Document the minutes of meetings with the people involved, acknowledge their
acceptance of the findings, where possible, and draft a report.
5.3.2 Documentation of Investigation
The Investigation Team will objectively evaluate the results of its work steps to identify
and present the facts in a clear and concise manner. The format and delivery dates of
reports and other deliverables should be determined by supervising stakeholders in
conjunction with the Investigation Team during initial planning and scoping of the
investigation. However, adjustments to reports or deliverables may be warranted as an
investigation develops. Interim deliverables may also be required.
Work papers are considered to be any electronic, manual or other records created in
support of an investigation other than a report or deliverable by the Investigation
Team. Examples of work papers that should be maintained include:
• Documentation of testing procedures;
• Tests and/or reconciliations of financial data;
• Records of interviews;
• Data analysis, investigation planning and completion checklists;
• E-mails related to the investigation; and
• Any consultation memo.
TERC will formally review the investigation report in accordance with the initial scope
provided to the Investigation Team. The Board, or one of its committees, may review the
investigation report, particularly if they directed the Investigation Team to begin with.
Following review of the investigation report, Management, the Board or one of its
committees will determine whether additional investigations or corrective actions are
warranted.
5.3.3 Investigation Consideration
During Investigations, consideration should be given to the following:
• Confidentiality – information gathered must be kept confidential and its
distribution limited to those who have a legitimate need to know. This is
important so as to avoid damaging the reputations of persons suspected but
subsequently found innocent of wrong-doing and to protect The Group from
potential civil liability.
• Legal & HR Involvement – legal counsel & HR representatives must be involved
early in the process or, in some cases, leading up to the investigation, in order to
safeguard work papers and to ensure employee rights are not violated.
• Securing evidence – documents/evidence must be protected so that nothing is
destroyed and so that they are admissible in legal proceedings.
• Objectivity – the Investigation Team must review all the facts in order to conduct
an objective assessment.
• Goals – the investigation must minimize disruption to The Group operations,
where possible.
6 Reporting the Results
The Investigation Team shall report its findings and recommendations to the party
overseeing the investigation, TERC.
• Review the report with TERC members and agree on action plans, inform the
Audit Committee and CEO;
• Designate someone to deal with media publicity, if applicable or deemed
necessary;
• Issue the report to management and request implementation of the
recommendation.
6.1 Retention of Concerns, Complaints or Reported Breach
Internal Audit will maintain a log of concerns, complaints or reported breaches. This log
should be updated on a regular basis.
6.2 Recovery of the Proceeds of Fraudulent Activities
All reasonable steps (including the institution of criminal or civil proceedings) shall be
taken to recover property of The Group that has been misappropriated or otherwise
been obtained as a result, either directly or indirectly, of Fraud.
6.3 Corrective Actions
After the investigation has been completed, TERC will request from the concerned
department an implementation status of the recommendation made.
7 Review of Fraud Control Policy
This Policy shall be reviewed and approved by the Board of Directors on recommendations
from the Audit Committee and updated when deemed necessary.
Appendix A - Fraud Control Policy Decision Matrix
Responsibility codes: 1 = Primary Responsibility; 2 = Shared Responsibility; 3 = Secondary Responsibility
Responsible parties (columns): Exec Mgmt.; Line Mgmt.; Internal Auditing; Finance; Human Resources; Marketing and communication; Legal Mgmt.
Action Required (rows):
1 Controls to Prevent Fraud
2 Incident Reporting
3 Investigation of Fraud
4 Referrals to Law Enforcement
5 Recovery of Monies Due to Fraud
6 Recommendations to Prevent Fraud
7 Handle Cases of a Sensitive Nature
8 Publicity/Press Releases
9 Civil Litigation
10 Corrective Action/Recommendations to Prevent Recurrences
11 Monitor Recoveries
12 Proactive Fraud Auditing
13 Fraud Education/Training
14 Risk Analysis of Areas Of Vulnerability
15 Case Analysis
16 Disclosure procedure
Appendix B – Declaration
Name of the Group Department: ..............................
Job Title: ..............................
Name of the Employee: ..............................
Employee No.: ..............................
Date of joining: ..............................
I, ……………………………………….. [Employee Name], hereby confirm that I have read,
understood, and acknowledge to adhere to the content of the Fraud Control Policy and
further confirm that I will comply fully to the extent that it is written.
Date:
Name:
Signature: