Fraud Risk Management: Is Your Company Proactive?
The fictional character Fleet Walker provides real-world advice
Assessing, improving and monitoring anti-fraud programs are key elements of an effective internal control structure. Many companies have a long way to go to address the challenges of fraud and corruption. In this brief article, Professor Crumbley suggests that as a starting point, we consider the steps taken by Fleet Walker (a fictional character in his novels).
Ernst & Young found that organizations that had not performed fraud vulnerability reviews were almost two-thirds more likely to have suffered a fraud within the past 12 months. An organization’s profile of business risks should be comprehensive and include consideration of fraud. Appropriate accounting systems need to be in place to effectively manage the risks. Risk assessment services should identify and assess primary potential risks faced by the business, independently assess risk identified by an entity and evaluate an entity’s systems for identifying and limiting risks. Possible ways to mitigate risks should be identified, such as installation of risk-reduction systems and processes, transferring or sharing of the risks, and avoidance of the risks.
A fraud risk assessment should include three key elements:1
- Identify inherent fraud risk. Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures and opportunities to commit fraud; and IT fraud risks specific to the organization.
- Assess likelihood and significance of inherent fraud risk. Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes and interviews with staff (including business process owners).
- Respond to reasonably likely and significant inherent and residual fraud risks. Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.
A forensic accounting novel explains the various types of risks in an organization as many small risks, some moderate risks, and one or two huge risks. The “Big R” can destroy an organization (e.g., Arthur Andersen, WorldCom, Enron). Risks can be classified as operational, financial reporting and compliance. Fleet Walker, an imaginary internal auditor for the New York Yankees, gives this description of his risk assessment.2
Fleet [Walker] realized the importance of risk assessment. Resources are scarce in any organization and especially in the internal auditing department. They must be spent wisely where they will do the most good. Risk assessment allows the internal auditor to identify the parts of the organization that are the most risky and to then allocate precious audit resources to ensure the risk associated with those areas is addressed. Fleet annually broke down the Yankee organization into “auditable units” and then ranked each unit in terms of riskiness. Fleet measured risk using several “risk factors” such as “impact on operations and customer satisfaction,” “legal impact,” “degree of computerization,” “recent organizational or technological change,” and “time since last audit.” Audits were placed on the audit schedule based on their total ranking. Fleet was proud of this system because he had purposely designed the risk factors to measure operational and compliance risks.
As forensic accountants, we must recognize that fraud remains a very real risk in the current environment. The need to identify vulnerabilities is driven by regulatory requirements for robust anti-fraud programs. As a result of both increasing acts of fraud and a heightened regulatory environment, board members, independent auditors, and other stakeholders are asking executive management pointed questions regarding these risks and regulations. Fleet Walker provides a brief glimpse of what we should consider to measure operational and compliance risks.
1 IIA, AICPA, ACFE, MANAGING THE BUSINESS RISK OF FRAUD: A PRACTICAL GUIDE (2008), http://www.cafe.com/documents/managing-business=risk.pdf, p.20.
2 D. L. Crumbley, D.E. Ziegenfuss, and J.J. O’Shaughnessy, THE BIG R: A FORENSIC ACCOUNTING ACTION ADVENTURE, (Durham, N.C.: Carolina Academic Press 2008), p. 75.
D. Larry Crumbley is a KPMG Endowed Professor at Louisiana State University and co-author of the Forensic & Investigative Accounting textbook published by Commerce Clearing House. He is the author of 13 novels, most featuring a forensic accountant as the main character. He can be contacted at dcrumbl@lsu.edu.