Incident reporting

This control targets both internal and external fraud risks.

Examples

Examples of this control include:

reporting of financial breaches, e.g. failure of an employee to reconcile a credit card on time
reporting of system security incidents and breaches
employees reporting lost, stolen or damaged assets
employees reporting security incidents, e.g. loss of classified documents.

A lack of reporting on incidents and breaches can lead to:

disorganised or inconsistent practices and decision making
less transparency over actions and outcomes
poor management of performance, decision making and risk
less action and accountability to prevent, detect and respond to fraud and corruption
poor workplace culture that fails to identify or report fraud or corrupt activity
fraud or corruption going unnoticed or unchallenged.

Methods to evaluate the effectiveness of this control include:

confirming that the reporting requirements for incidents are appropriate
confirming that reports are actually produced and used
reviewing a sample of reports to determine if they are clear, relevant and would help someone detect fraud
confirming that documents outlining the process for reporting incidents are easy to locate and use
confirming the options for reporting incidents are clearly communicated
reviewing statistics related to reports to identify how many incidents are reported and how often
confirming that incident reports go to the most appropriate employees or team
reviewing who has access to incident reports
checking what other reporting occurs, e.g. if executives review reports during committee meetings.

Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:

Types of behaviour this control is designed to mitigate:

Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.