Who Should Own Your Anti-Fraud Program? Start with the Risk

Erica Salmon Byrne, J.D. Chief Strategy Officer and Executive Chair, Ethisphere

When a company asks who should own the anti-fraud program, the question usually sounds like an org chart question. Should compliance own it? Internal audit? Finance? Cybersecurity? A committee that includes all of them?

The better starting point is the risk.

Fraud is not one thing. Accounting fraud, sales fraud, procurement fraud, employee expense fraud, candidate identity fraud, credit card fraud, and customer data fraud all require different expertise, controls, monitoring strategies, and escalation paths. A program that tries to answer the ownership question before identifying the fraud risks most relevant to the business will likely create confusion, duplicate work, or leave gaps where no one feels truly accountable.

That is why the most practical answer is also the most compliance answer: anti-fraud program ownership should follow the organization’s fraud risk profile. Once the company understands the types of fraud it is most exposed to, it can decide which function is best positioned to lead the effort, and which functions need to be part of the coalition around that lead.

The owner depends on the fraud you are trying to prevent

For some companies, anti-fraud ownership will naturally sit close to finance, internal controls, and internal audit. That is especially true when the most relevant exposure involves financial reporting, accounting practices, sales incentives, revenue recognition, or other risks tied closely to the company’s books and records. In that environment, finance understands the transaction flows, internal audit can test control design and operating effectiveness, and compliance can help connect the program to broader ethics, reporting, discipline, and governance expectations.

In another organization, the highest-risk scenario may look very different. A staffing company, for example, may worry most about employment fraud, candidate misrepresentation, or identity-related risks in the hiring process. That points the program toward HR, talent acquisition, screening providers, and workforce compliance. A retailer or payments-heavy business may need cyber, IT, data privacy, payments, and fraud operations much closer to the center of the program. A company with a complex supplier ecosystem may need procurement, accounts payable, finance, audit, and compliance aligned around vendor master data, conflicts of interest, third-party due diligence, and payment controls.

The point is not that one function always owns fraud. The point is that the lead owner should be the function best positioned to prevent, detect, and respond to the fraud risks that matter most to the organization.

Ownership does not mean isolation

Clear ownership matters, but fraud prevention is not a solo function.

One department may need to hold the pen. One executive may need to be accountable for the roadmap, cadence, and reporting. One team may need to make sure the program does not stall. But an effective anti-fraud program depends on coordination among the functions that see different parts of the risk.

Finance sees payments, approvals, reconciliations, and financial anomalies. Internal audit tests whether controls actually work. Cybersecurity sees access patterns, system misuse, and data threats. HR sees employee lifecycle issues, screening processes, and disciplinary patterns. Procurement sees supplier onboarding, vendor concentration, conflicts indicators, and unusual buying activity. Compliance sees speak-up data, investigation themes, policy awareness, training effectiveness, and culture signals.

Any one of those functions can see part of the picture. Together, they can identify patterns that no single team would catch alone.

That is why the right model is usually accountable leadership plus cross-functional execution. The company should know who leads the anti-fraud program, but it should also know who contributes data, who tests controls, who investigates, who remediates, who reports to leadership, and who decides when a risk requires escalation.

A strong coalition needs more than a standing meeting

Many companies solve cross-functional risk by creating a committee. That can help, but a committee is only useful if it has the discipline to turn coordination into action.

At a minimum, an anti-fraud coalition should clarify five things:

  1. The risk universe: Which fraud scenarios are most plausible for the business, and which could create the greatest legal, financial, operational, or reputational harm?
  2. The control map: Which controls are supposed to prevent or detect those scenarios, and who owns each control?
  3. The data map: Which teams have relevant indicators, such as payment anomalies, hotline reports, access logs, vendor changes, expense patterns, or investigation outcomes?
  4. The escalation model: When does an issue move from routine control testing to investigation, disclosure analysis, or leadership reporting?
  5. The learning loop: How do teams share what they are seeing so the program can strengthen controls before small problems become enterprise risks?

Without that structure, the committee becomes a forum for updates. With it, the committee becomes an operating model.

Fraud is also a chance to prove program value

For ethics and compliance teams, fraud prevention can feel like one more risk in an already crowded portfolio. But it can also be one of the clearest opportunities to show tangible business value.

Many areas of compliance require programs to prove a negative. It can be difficult to show the bribery scheme that did not happen, the retaliation that was prevented, or the conflict of interest that was avoided because someone asked the right question early. Fraud can be different, especially when a company starts with areas where the data is concrete.

Travel and entertainment fraud, gifts and entertainment abuse, procurement fraud, invoice fraud, and vendor conflicts can often be tested with available information. A company may be able to compare employee addresses against vendor records, identify duplicate payments, review unusual approval patterns, analyze expense receipt anomalies, or spot questionable supplier relationships. As AI-generated documents become easier to create, companies may also need to revisit how they validate receipts, invoices, approvals, and other supporting documentation.

That kind of work can produce visible outcomes: money recovered, payments stopped, controls improved, schemes disrupted, and training adjusted. For newer compliance programs, those early wins matter. They help the function build credibility with finance, audit, procurement, HR, cybersecurity, and business leaders. They also help show that compliance is not simply asking the business to slow down or check boxes. It is helping protect enterprise value.

Regulators are raising the stakes

The ownership question has become more urgent as regulators focus more closely on fraud prevention and corporate accountability. In the UK, the Economic Crime and Corporate Transparency Act has sharpened attention on failure-to-prevent-fraud expectations for large organizations. The practical message for companies is clear: it is no longer enough to respond to fraud after it happens. Companies need to understand where fraud could occur, whether the business could benefit from it, and whether existing controls are reasonable for the risk.

That regulatory shift makes anti-fraud governance a board and leadership issue, not only a control issue. Senior leaders should be able to explain why the program is structured the way it is, which risks drove that design, who owns the program, how functions coordinate, and how the company learns from issues as they arise.

What compliance should do next

For many organizations, compliance will not own every part of anti-fraud work. That is fine. The bigger risk is allowing fraud prevention to become everyone’s responsibility in theory and no one’s responsibility in practice.

Compliance can add value by helping the organization ask the right questions:

  • What fraud risks are most relevant to our business model?
  • Which functions are closest to those risks?
  • Who should be accountable for the program overall?
  • Which teams need to participate in governance, monitoring, investigations, remediation, and reporting?
  • What data should those teams share regularly?
  • Where do we have controls on paper but not enough testing in practice?
  • How will we know whether the program is improving?

Those questions move the conversation away from turf and toward effectiveness. They also give compliance a practical way to strengthen relationships with finance, audit, HR, cyber, procurement, legal, and the business.

The most effective anti-fraud program is not necessarily the one with compliance at the center of every process. It is the one where the organization understands its risk, assigns clear accountability, connects the right functions, and uses what it learns to improve.

Someone needs to lead. Everyone with relevant visibility needs to contribute. The risk should tell you who belongs in each role.


For BELA members: If your team is revisiting anti-fraud governance, consider using the BELA Member Hub to benchmark how peers structure cross-functional risk ownership, document fraud risk assessment practices, and connect anti-fraud controls to broader E&C program governance. BELA members can also submit questions through the BELA Concierge service for practical guidance and relevant resources.