Use this guidance to create your own model fraud risk register, a fraud prevention policy and a training framework. We will also explain what a successful fraud response plan entails.
Model fraud risk register
A fraud risk register is a practical tool that allows organisations to document and monitor fraud risks in a structured manner. Below is a model example that accountants can adapt for their organisations or clients.
Each identified risk should be described in plain language, linked to the relevant fraud typology, assessed for likelihood and impact, and assigned to a risk owner. The register should also record existing controls, residual risk, and planned improvement actions.
Example entry:
- Risk description: Manipulation of revenue recognition to meet performance targets
- Fraud typology: False accounting / fraud by false representation
- Likelihood: Medium (driven by market pressure)
- Impact: High (reputational damage, regulatory sanctions)
- Existing controls: Revenue recognition policies, external audit, quarterly financial review
- Residual risk: Medium
- Risk owner: Chief Financial Officer
- Action plan: Enhanced use of analytics to identify unusual revenue patterns; staff training on accounting policies
A full register would typically contain 20–30 entries for a mid-sized organisation and should be reviewed quarterly by senior management.
Template fraud policy
A model fraud policy sets out the organisation’s commitment to preventing, detecting, and responding to fraud. It should be written in plain English, endorsed by the board, and accessible to all staff.
Extract from a model policy:
Our organisation has zero tolerance for fraud in any form. Fraud undermines trust, damages our reputation, and exposes us to legal and financial risk. All employees, contractors, and third parties associated with us have a duty to act honestly and with integrity.
We commit to:
- maintaining proportionate fraud prevention procedures;
- conducting regular fraud risk assessments;
- training staff in recognising and reporting fraud;
- investigating all suspicions promptly and fairly; and
- taking disciplinary and legal action against those who commit or facilitate fraud.
Policies should also include clear reporting mechanisms (such as a confidential hotline), disciplinary procedures, and responsibilities for managers and staff.
Training framework
Training is a cornerstone of the reasonable procedures defence. A tiered approach is commonly used, for example:
- All staff: Awareness training covering what fraud is, why it matters, and how to report concerns. Delivered through e-learning or workshops.
- Managers: Additional training on fraud risk management, control responsibilities, and handling reports of suspected fraud.
- High-risk roles: In-depth training tailored to procurement, finance, or client-facing functions. For example, procurement staff should learn how to spot bid-rigging and conflicts of interest.
A training log should be maintained as evidence of compliance. Staff should confirm completion of training annually.
Fraud response plan
Even the most robust fraud prevention procedures cannot guarantee that fraud will never occur. As such, every organisation must have a clear, well-documented, and rehearsed response plan that ensures any suspected or actual fraud is handled quickly, effectively, and consistently. A strong response plan not only mitigates financial loss but also demonstrates to regulators, boards, and auditors that the organisation takes its obligations under the failure to prevent fraud offence seriously.
An effective fraud response plan integrates detection, triage, investigation, escalation, remediation, and communication into a coherent and practiced framework as outlined below. By embedding these steps into the organisation’s governance and operational procedures, boards and management can respond decisively to incidents, protect the organisation, and demonstrate compliance with the failure to prevent fraud offence. For accountants, leading the design, implementation, and ongoing testing of such a plan is a critical responsibility, reinforcing both legal compliance and the organisation’s ethical standards.
Detection
The response begins with detection. Fraud may come to light through routine controls, internal audit reviews, whistleblowing reports, or external notifications. Employees must feel confident in raising concerns, and whistleblowing channels should be clearly communicated and independently monitored. Early detection is critical: the sooner a potential issue is identified, the faster it can be contained, investigated, and resolved.
Triage
Once a potential fraud is detected, the organisation must conduct a triage assessment to determine the seriousness, scope, and potential impact. A designated officer, often the Head of Risk, Compliance Director, or equivalent, should evaluate the initial information, prioritise response actions, and decide whether external support is required, such as forensic accountants, legal counsel, or law enforcement engagement.
Investigation
The investigation phase is central to the response plan. Investigations should be conducted methodically, preserving evidence and maintaining confidentiality to protect both the organisation and any individuals involved. This process typically includes reviewing documentation, interviewing relevant personnel, and analysing financial and operational data. In complex or high-value cases, external forensic accountants can provide specialist expertise to ensure that findings are credible and defensible.
Escalation
Following investigation, the organisation must escalate appropriately. Serious incidents should be reported to the board, the audit committee, and, where required, regulatory authorities. In some cases, legal obligations may necessitate reporting to law enforcement or statutory bodies such as the FCA or SFO. Clear escalation protocols ensure that all stakeholders understand their responsibilities and that decisions are made at the appropriate level of authority.
Remediation
Once the facts are established, remediation actions must be implemented. This may include disciplinary measures against individuals involved, restitution of misappropriated funds, strengthening of internal controls, retraining of staff, and updating policies and procedures to prevent recurrence. A feedback loop is essential: lessons learned from each incident should inform updates to risk assessments and preventive measures, thereby embedding continuous improvement into the organisation’s culture.
Communication
Finally, communication is a critical element of any fraud response. Boards must decide what information to share with staff, clients, regulators, and, where appropriate, the public. Transparency should be balanced with legal and reputational considerations, ensuring that communications are accurate, consistent, and carefully managed. Chartered accountants often provide essential guidance in preparing communications, ensuring that financial and operational information is presented clearly and responsibly.
Failure to prevent fraud
With the offence now in force, read guidance on the legislation and practical steps for compliance.
Home Office guidance
Home Office official guidance is the only guidance with statutory weighting. While ICAEW provides practical advice on fraud prevention, it is for information purposes only. ICAEW will not be liable for any reliance you place on the information in this material. Home Office guidance and independent advice should always be consulted.