Principle
| |
Member Organisations should define, approve and implement Counter-Fraud roles and responsibilities across the three lines of defence and all relevant stakeholders should have an adequate level of understanding of the expectations related to their role.
| |
Control Requirements
| |
| a. | Member Organisations should define, approve and implement Counter-Fraud roles and responsibilities for all relevant stakeholders and ensure they have been communicated and understood.
| |
| b. | The Board should be accountable for:
| |
| | 1. | The establishment of a Counter-Fraud Programme.
|
| | 2. | Setting the tone from the top to establish a Counter-Fraud culture through a Code of Conduct (or equivalent).
|
| | 3. | Ensuring that a robust Fraud Risk Management framework is established and maintained to manage fraud risks.
|
| | 4. | Ensuring that sufficient budget for Counter-Fraud is allocated, utilised, and monitored.
|
| | 5. | Approving the CFGC charter.
|
| | 6. | Endorsing (after being approved by the CFGC):
|
| | | a. | The roles and responsibilities of Senior Management accountable for the Counter-Fraud Programme.
| |
| | | b. | The Counter-Fraud Strategy.
| |
| | | c. | The Counter-Fraud Policy.
| |
| | | d. | The output of the Fraud Risk Assessment.
| |
| | | e. | Fraud Risk Appetite.
| |
| c. | The Head of Counter-Fraud should be accountable for:
| |
| | 1. | Developing, implementing, and maintaining:
|
| | | a. | Counter-Fraud Strategy.
| |
| | | b. | Counter-Fraud Policy.
| |
| | | c. | Fraud Risk Assessment.
| |
| | | d. | Fraud Risk Appetite.
| |
| | | e. | KRIs for fraud.
| |
| | 2. | Reinforcing and maintaining the tone from the top to deliver a culture of compliance with the Code of Conduct.
|
| | 3. | Developing a risk-based Counter-Fraud Programme that addresses people, process, and technology, including adequate systems to prevent, detect and respond to fraud.
|
| | 4. | Ensuring that detailed Counter-Fraud standards and procedures are established, approved, and implemented.
|
| | 5. | Ensuring that Counter-Fraud systems and controls remain effective in light of evolving threats identified through Intelligence Monitoring.
|
| | 6. | Periodically informing CFGC on the latest developments on Counter-Fraud strategic initiatives and implementation status.
|
| | 7. | Establishing a Counter-Fraud Department that is adequately resourced and has responsibility for the requirements outlined in sub-domain 3.5.
|
| | 8. | Collating and overseeing organisation-wide Management Information reporting produced in relation to Counter-Fraud risks and performance.
|
| | 9. | Promptly notifying Saudi Central Bank of new fraud typologies and significant fraud incidents in line with the Supervisory Notification requirements included in sub-domain 3.7.
|
| | 10. | Taking action when a notification is received of any significant fraud incidents, investigations or breaches of Counter-Fraud policy or standards, and reporting to the Board or CFGC as required.
|
| | 11. | Defining the organisation’s ongoing fraud awareness programme in coordination with relevant departments (e.g., operations, Communications, Human Resources (HR)).
|
| d. | At a minimum, Senior Management should be accountable for:
| |
| | 1. | Ensuring that employees are compliant with the Code of Conduct and CounterFraud policies, standards, and procedures.
|
| | 2. | Ensuring that employees receive training in line with the requirements of the fraud training and awareness programme.
|
| | 3. | Developing and reviewing regular Management Information reporting to monitor Counter-Fraud risks and performance.
|
| | 4. | Notifying the CFGC where escalation is required (e.g., adverse internal findings relating to Counter-fraud controls or fraud risk appetite is exceeded).
|
| | 5. | Managing fraud losses through processes and controls in own area of accountability within the organisation’s agreed Fraud Risk Appetite.
|
| | 6. | Maintaining appropriate systems and controls to prevent, detect and respond to fraud.
|
| e. | Manager(s) accountable for fraud operations (e.g., managing fraud alerts, responding to reported fraud and dealing with fraud cases) should be responsible for:
| |
| | 1. | Ensuring that all suspected fraud, including system alerts and manual employee and customer referrals are adequately prioritised, investigated and the outcome is appropriately recorded.
|
| | 2. | Taking immediate steps to prevent further exposure and corrective action(s) when a fraud is identified.
|
| | 3. | Notifying relevant external parties (e.g., law enforcement).
|
| f. | The Internal Audit function should be responsible for:
| |
| | 1. | The identification of a comprehensive set of auditable areas for fraud risk.
|
| | 2. | Assessment and prioritisation of fraud risks during audit planning.
|
| | 3. | Performing fraud audits and producing independent objective reports.
|
| g. | All Member Organisation employees should be responsible for:
| |
| | 1. | Complying with applicable Counter-Fraud policies, standards, and procedures.
|
| | 2. | Reporting any suspicions of fraud in a timely manner.
|
| h. | Member Organisations should ensure that suspected or actual cases of internal fraud are investigated by individuals of appropriate seniority (e.g., if the fraud involves a manager, an individual of higher seniority should take responsibility for the oversight and approval of the investigation); and independence (e.g., internal audit or an equivalent control function should conduct the investigation with the investigators free from potential conflicts of interest).
| |
| i. | Member Organisations should periodically review the roles and responsibilities of employees with fraud related responsibilities to ensure they reflect best practice, address trending fraud typologies and are aligned with the fraud landscape and business model.
| |
| j. | Member Organisations should develop a formal Counter-Fraud succession plan in coordination with the HR Department taking into consideration the reliance on key Counter-Fraud employees having critical roles and responsibilities.
| |
