Questions to Ask About Internal Fraud: A Bank Director’s Guide
By Troy M. La Huis, CAMS, and Thomas M. Paar, CFE
Among the many threats to shareholder value that bank
directors must address, the risk of internal fraud is
among the most challenging. Virtually all bank directors
recognize their obligation to actively oversee the way the
bank monitors its employees to mitigate the risk of fraud,
but most directors also understand the need to avoid
micromanaging day-to-day operations.
Treading the fine line between oversight and overstepping can be difficult. Often
it means learning to ask the right questions of the right people, particularly of the
bank’s senior management team.
Because every bank’s risk profile is unique, no single list of questions can fit every
institution. Nevertheless, it is possible to outline some broad principles and useful
questions within three general areas of strategic, board-level concern.
Corporate Governance
Major corporate governance elements related to internal fraud comprise management
and oversight of the organization, including the bank’s published code of conduct,
written ethics policy, fraud policies and procedures, and loss reporting practices.
Board members should exercise direct and active oversight of these components and
be prepared to ask management a broad range of questions, including:
■■ How frequently are our code of conduct and ethics policies reviewed and updated?
■■ In addition to introducing our ethics policies during new employee training, how
else – and how often – are these policies communicated and reinforced?
■■ How are fraud losses identified, tracked, and reported to the board? Are board
members and executives regularly briefed on current fraud issues and trends by
the appropriate managers?
■■ Are employees able to report suspicious behavior outside the day-to-day management
structure, or are they able to report it only through their immediate superiors?
■■ Has the bank established a whistleblower hotline that allows employees to report
suspected fraud anonymously?
■■ How is hotline activity measured and tracked? How is the program’s effectiveness
measured and evaluated?
■■ How often is the whistleblower hotline publicized and reinforced in regular
employee communications?
The Control Environment
The next broad area of board concern, the control environment, addresses the
various tools, processes, and other components that implement the fraud policies
prescribed by corporate governance. Issues of strategic-level concern in this area
tend to revolve around training, accountability, and equitable treatment, as well
as the effectiveness, efficiency, and reliability of fraud reporting practices. Useful
control environment questions for board members to ask include:
■■ How is fraud awareness training being provided throughout the organization? Is
awareness training tailored to each line of business?
■■ Beyond awareness, do employees receive training on ethics, fair service, and
honest dealing?
■■ Are employees being trained on specific anti-fraud practices and controls? Once
trained, are they held accountable?
■■ Are fraud policies implemented and enforced consistently and fairly? Are senior-level
or revenue-producing personnel subject to the same enforcement as junior
or administrative staff members?
■■ Are anti-fraud controls consistently monitored and tested as part of the internal
audit function?
■■ Do employees know how to report fraud?
Incident Management and Response
The board of directors has primary responsibility for seeing that there is a defined
structure and process for responding to fraud-related incidents and issues, including
clearly defined roles and responsibilities. It is important that incident response
protocols are applied consistently across the institution, rather than allowing each
line of business to pursue its own course. To carry out this responsibility, directors
should be prepared to ask questions such as:
■■ Is there a high-level, organizationwide policy regarding incident management? Does
it set forth adequate protocols, including all relevant legal, reporting, and regulatory
requirements? Is the policy regularly reviewed and updated?
■■ Who is the designated management-level employee with the authority to manage
and administer fraud investigations and responses?
■■ Has management taken adequate steps to support this employee with an appropriate
team involving legal, human resources, internal audit, IT, and other departments?
■■ Is there adequate oversight to allow fraud inquiries to proceed without interference
from the affected lines of business?
■■ Does the board receive regular briefings on material issues of fraud or fraud
management?
■■ How does the organization learn and evolve based on industry events and previous
large incidents of fraud?
The scope of a director’s responsibility extends far beyond these three general areas
alone, but starting with these broad topics can help board members maintain their
focus at the strategic level while still posing challenging questions. In addition to
establishing the appropriate “tone from the top,” such questions can help guide the
management team toward more active and effective management of internal fraud risk.
Contact Information
Troy La Huis is a principal with
Crowe Horwath LLP and can be
reached at +1 616 233 5571 or
[email protected].
Tom Paar is with Crowe and can
be reached at +1 630 575 4324 or
[email protected].
This article was published by Bank
Director in December 2015 and is
reproduced with permission.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
© 2015 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure
www.crowehorwath.com
FS-16003-153A