Want to Fight Fraud in Your Organization?

Start by telling people they shouldn’t steal from you.

By Todd Kilb, CFE

Do me a favor.  Get your latest policies and procedures manual or employee handbook.  Now, go to your company’s fraud policy.  Wait, what?!?  Your company doesn’t have a fraud policy?  Without a fraud policy (sometimes called an anti-fraud policy), you can’t tell employees, vendors, contractors, and everyone else that they shouldn’t steal from you.  You also don’t let your stakeholders know how to report fraud.  Without a fraud policy, you may be ignoring an important element of the “tone at the top.”

To draft a fraud policy, I recommend starting at the Association of Certified Fraud Examiners website, www.ACFE.com, where you can request several “Fraud Prevention Resources,” including a “Sample Fraud Policy.”  The AICPA provides the same sample fraud policy on their “Forensic Accounting” interest area website.  See ACFE and AICPA hyperlinks at the end of this article to view the sample policy.  This sample policy is wide-ranging, well-organized, and something to aspire to.  However, in establishing your first fraud policy, I suggest starting with the essential items below, realizing that the policy can be expanded over time according to your business needs.

Essential Elements for a New Fraud Policy:

Begin by Answering These Questions: / Consider the Following:

Who does the policy apply to?
Include all employees, stockholders, and contractors.  Also consider adding vendors, suppliers, and consultants.  The sample fraud policy from the ACFE/AICPA suggests including any party with which you have a “business relationship.”

What is fraud?
Provide a definition or description.  I prefer the FBI’s description from its website:  fraud is a crime that typically includes “deceit, concealment, or violation of trust” in order to secure financial gain (https://www.fbi.gov/investigate/white-collar-crime).  Provide schemes common to your industry or market.  (For help in identifying schemes, check out the ACFE’s “Fraud Tree” at http://www.acfe.com/fraud-tree.aspx).  Finally, leave the definition open-ended; if you provide a list of schemes or actions, note that the list is not exhaustive.

How is fraud reported?
Establish and publicize a reporting channel (or channels).  Establish the obligation to report fraud, especially for employees.  Emphasize anonymity and confidentiality.  The sample policy provides excellent guidance here: “[Investigations] will not be disclosed or discussed with anyone other than those [with] a legitimate need to know.”

Who investigates fraud?
You don’t have to identify the person or team, but it should be clear that someone in your company will investigate fraud.  As the sample policy explains:  make it clear that the investigator will have unrestricted access to company records and company areas.  Also emphasize that those reporting fraud should not attempt to personally conduct investigations or interviews.


Your new fraud policy can be concisely written in about one page.  Like any new policy, it should be carefully reviewed, perhaps by your human resources department or legal counsel.  Over time, the policy should evolve to meet your business needs, and ideally would be included as part of your periodic risk assessment process.  Finally, it is also a good practice to require employees to review and affirm their understanding of the policy at least annually.

The “Sample Fraud Policy” mentioned above can be found at the following links: