Our AC3 Framework begins with an assessment that is designed to identify and evaluate fraud risk factors. Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity’s industry, geographic location, organizational structure, and general economic climate. The assessment should be undertaken without consideration of the existence of effectiveness of internal controls and should be updated periodically to include changes in operations and revisions to fraud risk.
Tone at the top
Emphasis should be placed on the entity’s control environment, as it influences the entire organization. The control environment starts with the “tone at the top.” The control environment should:
• Create and maintain a culture of honesty, high ethical standards, and behavior
• Provide discipline for violations of the code of conduct/ethics
• Set an appropriate tone for the entity’s attitude towards fraud and fraud prevention
• Promote controls to prevent, deter, and detect fraud
Designing & Implementing AC3 Framework
Determining whether control activities exist to mitigate risk is a key determinate on how effective current controls are in the organization. Control activities occur throughout the organization, at all levels and in all functions.
Effective communication between organizational function is an integral component of all phases of implementation of the AC3 framework. The organization’s intention to implement strong, effective controls in place must be clearly articulated throughout the organization.
Organization’s code of conduct or ethics is the first line of communicating the concerns of fraud prevention. Management’s control should be documented to provide reasonable support for its assessments on the design and operating effectiveness of the controls.
Management should be monitoring the quality and effectiveness of their AC3 framework. Monitoring activities and assessments consist of procedures that include independent evaluations of fraud risk controls that may be performed by internal audit or other groups.
Ongoing monitoring are built into normal reoccurring operating activities and can often be more effective than separate evaluations because they take place in real time.