
Fraud Risk M


Fraud Risk Management (FRM) Instructions

The Governance, Risk Assessment, Control Activities, Investigation-Corrective Action, and Monito
Focus (POF) and provide space for brief documentation of how the organization has responded to e
Fraud Risk Governance Points of Focus and Our Organization's Response

Points of Focus
Makes an Organizational Commitment to Fraud Risk Management— The board of directors and
senior management initiate the fraud risk management process by establishing an organizational
commitment to deter, prevent, and detect fraud.

Supports Fraud Risk Governance— The board of directors and senior management make an
organizational commitment to fraud risk management as a key element of corporate governance.

Establishes a Comprehensive Fraud Risk Management Policy— The board of directors and senior
management provide a solid foundation of fraud risk management by establishing a
comprehensive fraud risk management policy.
Establishes Fraud Risk Governance Roles and Responsibilities throughout the Organization— The
board of directors and senior management identify the roles and responsibilities of all personnel
as they relate to fraud risk governance.
Documents the Fraud Risk Management Program— The board of directors and senior
management ensure that the fraud risk management program is thoroughly documented and
updated on a regular basis.

Communicates Fraud Risk Management at all Organizational Levels— The board of directors and
senior management support the ongoing effectiveness of the fraud risk management program by
maintaining and communicating a continuous focus on fraud deterrence, prevention, and
detection throughout the organization.

Our Organization's Response Including Cross-References to Other Material and Documentation


Fraud Risk Assessment Points of Focus and Our Organization's Response

Points of Focus
Involves Appropriate Levels of Management—The fraud risk assessment team includes
appropriate levels of management.
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The fraud risk
assessment team recognizes that frauds can happen at any level or component of the
organization.
Analyzes Internal and External Factors—The fraud risk assessment team considers both internal
and external factors and their impact on the achievement of objectives.
Considers Various Types of Fraud—The fraud risk assessment team considers a wide range of
possible fraud schemes and exposures.

Specifically Considers the Risk of Management Override of Controls—The fraud risk assessment
team understands that catastrophic frauds have been perpetrated by senior members of
management overriding existing and otherwise effective controls and focuses on these risks.

Estimates the Likelihood and Significance of Risks Identified—The fraud risk assessment carefully
evaluates the probability that each particular fraud could occur and the potential effects on the
organization if that particular fraud occurs.
Assesses Personnel or Departments Involved and All Aspects of the Fraud Triangle—The fraud
risk assessment team focuses on incentives and pressures, opportunities, and attitudes and
rationalizations to commit fraud.
Identifies Existing Fraud Control Activities and Assesses Their Effectiveness—The fraud risk
assessment team identifies and evaluates existing controls for effectiveness to determine residual
fraud risks that require mitigation.
Determines How to Respond to Risks—The fraud risk assessment team’s ultimate goal is to
formulate effective and appropriate responses to all fraud risks.
Uses Data Analytics Techniques for Fraud Risk Assessment and Fraud Risk Responses—The
organization uses data analytics to improve the effectiveness and results of the fraud risk
assessment.

Performs Periodic Reassessments and Assesses Changes to Fraud Risk—The organization repeats
the risk assessment process periodically and considers changes affecting the organization—
including changes in the external environment, operations, personnel, and leadership—that can
affect fraud risk.

Documents the Risk Assessment—The organization understands that the risk assessment serves
as the central element of the fraud risk management process and ensures that it is carefully and
thoroughly documented.

Our Organization's Response Including Cross-References to Other Material and Documentation


Fraud Risk Control Activities Points of Focus and Our Organization's Response

Points of Focus
Promotes Fraud Deterrence through Preventive and Detective Control Activities— The
organization addresses its fraud deterrence as a process of eliminating factors that may cause
fraud to occur and understands that deterrence results from having effective preventive and
detective fraud control activities in place.
Integrates with the Fraud Risk Assessment— The organization ensures that the design and
implementation of fraud control activities link directly to the fraud risk assessment.

Considers Organization-Specific Factors and Relevant Business Processes— The organization
ensures that the design and implementation of fraud control activities consider a range of factors,
including factors unique to the organization, its industry, and its operating environment.

Considers the Application of Control Activities to Different Levels of the Organization— The
organization ensures that fraud control activities exist throughout the organization at all
appropriate organizational levels.
Utilizes a Combination of Fraud Control Activities— The organization ensures that fraud control
activities include a range, variety, and mix of preventive and detective controls.
Considers Management Override of Controls— The organization includes fraud control activities
that consider and address the ability of senior management personnel to circumvent or override
internal control activities, including fraud control activities.
Uses Proactive Data Analytics Procedures— The organization implements a well-designed,
rigorous system of data analytic processes and procedures that can identify anomalous
transactions or events for further investigation.

Deploys Control Activities through Policies and Procedures— The organization ensures that fraud
control activities are thoroughly documented and implemented through organizational policies.

Our Organization's Response Including Cross-References to Other Material and Documentation


Fraud Investigation and Corrective Action Points of Focus and Our Organization's Response

Points of Focus
Establishes Fraud Investigation and Response Protocols— The organization establishes, formally
documents, and maintains a process for the receipt, evaluation, and treatment of communications
of potential fraud.

Conducts Investigations— The organization undertakes investigations of potential fraud, giving
due consideration to the scope, severity, credibility, and implications of the communicated matter.

Communicates Investigation Results— The investigation team communicates the results of the
investigation to the appropriate internal authority and, when necessary, to external third parties.

Takes Corrective Action— The organization selects discipline, remediation, asset recovery, or
other activities to address the findings of the investigation.
Evaluates Investigation Performance— The organization performs evaluations periodically to
provide objective feedback on the effectiveness of the investigation process.

Our Organization's Response Including Cross-References to Other Material and Documentation


Fraud Risk Management Monitoring Points of Focus and Our Organization's Response

Points of Focus
Considers a Mix of Ongoing and Separate Evaluations— Management includes a combination of
ongoing and separate fraud monitoring evaluations to determine whether each of the five
principles of fraud risk management is present and functioning.
Considers Factors for Setting the Scope and Frequency of Evaluations— Management considers
changes in the organization, its operating environment, and its control structure to determine the
appropriate scope and frequency of its fraud monitoring activities.

Establishes Appropriate Measurement Criteria— Management establishes appropriate
measurement criteria to assist in the objective evaluation of its fraud risk management program.

Considers Known Fraud Schemes and New Fraud Cases— Management considers known fraud
schemes and newly discovered or reported frauds in other organizations and assesses the
likelihood of occurrence in the organization.

Evaluates, Communicates, and Remediates Deficiencies— Management and the board of
directors assess the results of ongoing and separate fraud monitoring evaluations; communicate
deficiencies to those responsible for corrective action; and determine that appropriate
remediation is implemented in a timely manner.

Our Organization's Response Including Cross-References to Other Material and Documentation
