Fraud Risk Assessment: Proactive Solutions for Managing the Risk of Fraud
Avoiding the â€śWhy Meâ€™sâ€ť: Easy-to-Implement Steps to Mitigate Fraud Risk
Financial fraud can be devastating and fiscal, legal, and developmental repercussions can impede the operations of a business for years after an incident. Paul E. Zikmund takes us through his four-step process to actively deter fraud within an organization.
I investigated an embezzlement of approximately $900,000 in 2008, whereby the office manager and her financial analyst misappropriated funds from a medical practice. One year later, both are facing criminal trials and the insurance company denied payment of the employee dishonesty claim because the application was completed improperly. The money has not been repaid to the practice. I recall our meeting with the client to discuss the findings and suggested methods to seek recovery of funds. I remember two of the physicians asking our senior partner on the account, â€śHow could this have happened to us and what could we have done to prevent this mess?â€ť
The victims of fraud schemes rarely recover all of their lost assets and are often left asking â€śhow this happenedâ€ť and â€śwhy me?â€ť at the conclusion of an investigation. Many times these frauds are perpetrated by trusted employees who misuse their position of trust for personal gain to the detriment of their employer. Forensic accountants and fraud examiners are often called to perform the reactive task of investigating allegations of fraudÂ There is, however, real value in conducting a more proactive engagement aimed at preventing or reducing the risk of fraud within the organization.Â The events of September 11, 2001 caused a major change in our worldâ€™s approach to security. This cataclysmic event changed our view and appreciation for physical security to a point where most organizations invested heavily in technology, biometrics, and other security measures designed to fortify and protect their facilities, employees, and products. None of these organizations spent money on physical security measures without conducting security vulnerability checks and risk assessments. They spent wisely on their efforts to secure their assets. Similarly, organizations seeking to reduce their risk of fraud should aim to ensure their control environment is effective, operational, and properly designed to prevent loss attributed to fraud and misconduct. The ideal way of providing this assurance is by conducting a proactive fraud risk assessment.
A fraud risk assessment is a detailed analysis of all areas and processes within an organization and seeks to uncover specific risks related to fraud schemes and scenarios. Consultants undertake a comprehensive review of the organization to develop and understanding of how the organization operates now and evaluate plans to ensure fraud strategies remain relevant. The output from the fraud risk assessment will be a comprehensive report and a presentation to the company on the findings of the assessment. The report includes documentation of the risks identified and offers practical recommendations on ways to mitigate these fraud risks. The following steps provide a suggested methodology for conducting a fraud risk assessment in an effective and efficient manner in order to provide the client with the greatest return on their investment.
Step 1: Evaluating the Organizationâ€™s Fraud Risk Factors
The consultant should consider ways to identify factors that increase the risk of fraud within the organization.
These include the following:
- Analysis of industry and business operations
- Discussions with management
- Review of any previous frauds committed against the company
- Review of business performance to identify potential pressures to commit fraud
- Evaluation of other frauds occurring at competitorsâ€™ organizations
The consultant should be able to perform this step without scope restrictions and be afforded complete access to all records, personnel, and company locations. The consultantâ€™s ability to maximize his or her knowledge of the organization helps ensure the compilation of a comprehensive list of risk factors impacting the organization. During extensive interviews with members of senior management, process owners, audit committee and board members, and Â employees (including human resources, legal, finance, and operations), the consultant should gather specific information related to fraud risk factors by geographic area, function, and nature of business operations.
For example, a human resources manager may provide insight about employee morale or the impact of a planned downsizing at a company plant. A purchasing manager might shed light on decentralized procurement processes that enable employees to circumvent controls. A review of historical frauds occurring within the organization provides a wealth of information when assessing fraud risk.
Many companies do not record fraudulent events; however, those who possess this critical information should make all records available to the consultant. If, for example, a company experienced incidents of embezzlement, the consultant should consider these events when assessing the degree of risk in those areas or functions. Â If the organization faced a significant number of frauds the consultant should consider this as insight into possible management apathy or a weakness of overall internal controls. The consultant benefits from a review of company performance since this provides insight into the possible pressures facing the organization.
The risk of financial statement fraud is higher if the organization is performing poorly while the industry, as a whole, is doing well. The consultant should also consider the opposite situation when reviewing company performance. A highly profitable company amidst poorly performing competition is also, in some cases, indicative of earnings manipulation. The information obtained from these discussions and research will serve as the foundation for identifying key fraud risk factors associated with the business. Once the consultant completes the organizational and industry review they should compile a comprehensive list of fraud risk factors. These risk factors are required for the completion of Step 2.
Step 2: Identify Possible Fraud Schemes and Scenarios
The consultantâ€™s knowledge of fraud schemes and scenarios will determine his or her ability to identify specific schemes related to the identified fraud risk factors from Step. 1. It may be helpful to involve fraud specialists such as forensic accountants, certified fraud examiners, (CFEs) and certified fraud deterrence analysts since they possess specialized knowledge of fraud detection and investigation. The identification of as many fraud schemes and scenarios as possible is critical in order to fully determine the risks present within the organization.
For example, a decentralized procurement function increases the risk for a variety of procurement frauds, including fictitious vendors, overbilling schemes, and product substitution frauds. The consultantâ€™s evaluation should emphasize higher risk areas and include a segregation of duties review.
An average fraud risk assessment identifies 80 to 100 different fraud schemes, such as schemes related to financial statement fraud, misappropriation of assets, and corruption.
The consultant should populate a database of all fraud schemes and scenarios identified during the fraud risk assessment. Clients maintain possession of the database at the conclusion of the engagement; however, the consultant also retains the database, which should grow after each engagement. For example, a fraud risk assessment of a bank produces different fraud schemes than a risk assessment of a manufacturing company. As the database grows, the consultant is able to offer identification of more schemes in future engagement.
Iâ€™ve often found that clients arenâ€™t always able to identify many schemes that are applicable to their business. They do not possess the knowledge to do so. A previously populated database helps generate discussions with management and adds to the value of the engagement.
Step 3: Prioritize Identified Fraud Risks
The risk of fraud is significant and one that should not be ignored by any organization. However, businesses are not always able to manage every fraud risk. The residual risk for some frauds might be higher than others. Therefore it is important for the consultant to work with management and identify the frauds that pose the greatest risk for the organization.
The ability to prioritize these risks permits better concentration of efforts to determine if the necessary controls are in place to reduce the highest risks. The following factors should be considered when the consultant prioritizes the identified fraud risks:
- Financial impact to the organization
- Reputation risk if fraud occurs
- Business disruption loss
- Legal liability imposed on the organization
- Loss of company assets
The consultant must include management when prioritizing and determining the importance for each identified fraud scheme. For example, the CFO may not perceive the risk of intellectual property loss as significant while the Director of Research and Development may believe this risk is significant to the business. I once interviewed the owner/operator of a small retailer who perceived the risk of loss of minor tools and equipment as a normal business expense. The managers of the installation department, however, were doing their best to implement controls to make it very difficult to steal.
The consultant should not use only the monetary impact of fraud as a method to prioritize the fraud schemes. The impact to the organizationâ€™s reputation, regulatory sanctions, and disruption of business operations should also be considered when prioritizing fraud schemes. There is no standardized methodology for prioritizing fraud schemes. The consultant should exercise discretion and include managementâ€™s comments during this step of the process. This is not much different than a traditional risk assessment.
Step 4: Evaluating Mitigating Controls
The last step of this process involves the identification and testing of mitigating controls to determine if the risks have been mitigated by the organization. Sometimes the client chooses to perform this step since they often understand their business controls and it does reduce the cost of the engagement. If the consultant is retained for this step he or she must test the existence and operational effectiveness of internal controls.
The controls designed to prevent the high-priority frauds must be reviewed to determine if they are designed effectively and working properly. In procurement, for example, the segregation of controls preventing one person from ordering, paying and recording the purchase of materials will help reduce the risk for fraud. However, this control is not operating effectively when the person procuring the materials is also authorizing payment because another employee is on vacation.
A company with a high risk of bribery and corruption may develop anti-corruption training for employees and review all expense reports looking for suspicious payments and fees. The consultant should review the training course contents and identify the methodology for delivering the course. He or she should also determine if a policy for gifts and entertainment is present within the organization and has been communicated to company employees. If the training does occur and managers fail to perform reviews of expenses, the risk may not be reduced. In essence, the control is present but is not operationally effective.
Focusing specifically on fraud schemes and scenarios provides the best result for identifying those schemes that have the highest probability of impacting the organization. The consultant must inform management about the results of the risk assessment, who in return should make process owners accountable for reducing the risk within the organization.
If, for example, the consultant identifies revenue recognition as a risk, he or she must communicate this risk to the business process owner and the senior finance person overseeing the business impacted by this risk. They are then held accountable for implementing controls to reduce the risk. The individuals responsible for implementing controls are provided with a remediation plan to ensure timely reduction of the risk within a prescribed period. This action plan should be included with the final assessment report and communicated to senior management.
The risk of fraud has grown tremendously over the past few years. The combination of downsizing, weakened internal controls, and financial pressures created the perfect storm for the risk of fraudulent activities. Organizations that fail to properly identify fraud risk are, in some instances, leaving the barn door open. Only those organizations that adopt and execute a well-designed plan can ensure identification of fraud risk, which, if left unchecked, can ultimately result in the loss of the organizationâ€™s assets.
Paul E. Zikmund, MAcc, MBA, CFE, MAFF, is Director Global Ethics and Compliance with Bunge Limited in White Plains, NY.Â He may be contacted atÂ email@example.com.Â This article first appeared in the December 2009 edition ofÂ National Litigation Consultantsâ€™ ReviewÂ (NLCR.)