Documented Antifraud Programs – Value-Add or Waste of Time/Resources?

As I reflect over my career in fraud investigations, I recall discussions with business professionals on their perception of what an Antifraud Program (AFP) is and whether they have/need one. Mostly what I heard was unsettling:

  • We have it covered in our Sarbanes-Oxley (SOX) controls
  • We are an ethical company and only hire the best and most honest employees
  • We have a process in place, and I know what it is. Besides, everyone knows what to do. We don’t need to document it
  • It is only for the really big companies
  • It takes a lot of time to develop
  • It takes a lot of resources to manage and use
  • We will deal with it should it ever happen

These and similar responses always struck me as odd: the same organizations have detailed plans for generating revenue, but devote limited or no resources to retaining that hard-earned revenue.

If any of the above sound familiar, let me share some of my experiences in the development and implementation of an AFP.

Two questions to start with are:

1. Is there a company/agency need?

Internally, even the best personnel background checks and periodic training have limited power to prevent fraud. Many frauds begin with an inordinate amount of trust placed in an employee who has the ability to circumvent controls, whether real or imagined (documented controls that are not actually used). The employees who commit fraud range from an eager and overly helpful administrative assistant to a struggling senior-level manager with financial difficulties. In many cases, abuse of trust or a lack of timely and consistent use of existing controls allows a fraud to continue for a long period of time. The Association of Certified Fraud Examiners notes in its 2024 Report to the Nations that the average fraud lasts 12 months. Over the course of a year, it makes you wonder where the controls, monitoring, and oversight were, and whether they were being used by properly trained and motivated employees.

Externally, for publicly traded companies (with some sections also applying to privately held companies), there is SOX Section 404. This section requires management to establish internal controls and procedures for financial reporting, and to document, test, and maintain those controls and procedures to ensure their effectiveness. Many view one of the main purposes of SOX as reducing the possibility of corporate fraud by strengthening internal controls and procedures for financial reporting. Effective testing requires that documented controls be identified as fraud-preventive or fraud-detective.

There are other regulations, but SOX is generally considered the primary one.

2. Selling it to decision makers

Under SOX, regulators hold senior management responsible for all aspects of the controls that protect the company and its investors, and management must sign off on the testing and effectiveness of those controls.

For privately held companies and non-profits, some lenders may want assurance their loaned money has effective protections in place to help minimize the risk of fraud.

A documented AFP helps demonstrate management’s action plans for fraud prevention and detection. It should also show the escalation and update processes. The AFP is the road map that leadership can show and follow without having to guess at the next steps. What happens if a significant fraud is detected and, during the investigation, it is disclosed on social media or to a regulator? It is beneficial to be able to show that you have a documented plan (AFP) and that you follow its outlined processes to their conclusion.

Other resources on this topic can be found on the Association of Certified Fraud Examiners website: acfe.com/fraud-resources/fraud-risk-tools---coso/tools

Please let me know if I can help or be a resource for your questions / comments on the content of this article. I have developed, implemented and managed AFPs for companies as part of a proactive approach and in reaction to civil and criminal investigations. Trust me when I say you really want to use the proactive approach, where you have the luxury of time and you are in control.

George

Clay Montgomery, CIA, CFE, CISA

Director Data Analytics, Fraud and Fiber Security

2 months

George W M., great article! I agree with you that a documented program helps drive consistency in how your team(s) are evaluating and mitigating the risk of fraud in the organization. The program should evolve as your specific fraud risk landscape changes. A documented program also helps keep those controls intact as your fraud and compliance leadership change over time.
