Fraud Risk Assessments
The Annual Audit Does not Identify Operational and Financial Risks
According to the Association of Certified Fraud Examinersâ€™ (ACFE) 2014 Report to the Nations on Occupational Fraud and Abuse, an estimated 5% of revenues each year are lost to fraud. What processes can management put in place to identify financial and operational risks? In this article, the author shares his experience and thoughts on that question.
In order to protect their company and its owners, management should fully understand and identify their susceptibility and risk for organizational fraud.Â As trusted business advisors, we should be talking to our clients about fraud risk and mitigation strategies.Â That conversation can flow very naturally from a business valuation engagement, where part of the analysis is the companyâ€™s management depth (many times a hot bed for fraud risks) and operational and financial risks.
Starting a conversation with a client about fraud can be difficult. Â Many companies think fraud will not happen to them.Â It is unfortunate, but it is a fact of doing business that many companies will, at some point, be faced with a fraud, whether it is an internal fraud (occupational fraud) or external fraud.
According to the Association of Certified Fraud Examinersâ€™ (ACFE) 2014 Report to the Nations on Occupational Fraud and Abuse, an estimated 5% of revenues each year are lost to fraud.Â According to the same study, the median loss caused by fraud is $145,000; 22% of fraud cases involved losses of at least $1 million.Â For the most part, occupational fraud does not occur as a one-time event, it is a slow and methodical pilfering of an organizationâ€™s assets.Â Therefore, frauds typically will go unnoticed for weeks, months, or even years.Â The longer the fraud occurs, the greater the amount of the fraud is likely to be.
Some companies believe that because they have an annual audit they cannot have fraud.Â However, financial statement audits account for only 3% of all fraud detections; fewer than the 7% detected accidently. Â Internal audits account for 14% of detections; almost three times as many detections as by external audits.Â Tips resulted in the most fraud detections; 40% of all cases in the ACFE study were detected by a tip.
When a fraud is uncovered, the most frequent type is misappropriation of assets. Â The next most common type of occupational fraud is fraudulent financial reporting.Â Fraudulent financial reporting is less frequent and is often perpetrated for a specific reason.Â Oftentimes, it is related to the financial performance of an organization.Â When an organization or individual is facing financial trouble, there is often pressure on management or certain employees to perform to a certain level.Â Enron is a good example of this type of case. Â These pressures are often related to compensation of that individual and are tied directly to cash flowâ€”either cash flow of the organization or the individual.Â Understanding these pressures will help a consultant assess and determine the potential method, scheme, or scenario that is likely to be used in committing a fraud.
Fraud risks can be identified through either an internal initiative or it can be an external initiative in which an outside firm or consultant is retained. Â Typically, engagements are a hybrid, with the company completing some steps and the consultant directing the engagement and completing other steps.Â The fraud risk assessment is often performed as a one-time, standalone service or initiative and is often in response to an incident (i.e., a theft of corporate resources occurs and the company reacts with a fraud risk assessment).Â However, a periodic, routine review of the fraud risk of an organization leads to better results and a stronger mitigation strategy. Â The best fraud risk programs are those that involve a long-term plan covering different areas each year and ensuring complete coverage of all process areas every three to five years.
Whether conducted internally, externally, one time, or as part of a long-term plan, at a minimum, the assessment should include: (1) a review and identification of susceptible areas; (2) an assessment of the likelihood of the risk coming to fruition; and (3) the companyâ€™s planned response.Â An often overlooked aspect of any risk assessment is the planned response.Â Knowing how or if an organization is equipped to respond to fraud risk is a key component in fully understanding and assessing the companyâ€™s overall fraud risk.
Fraud risk assessments begin with a comprehensive review of management and controls in place, and can include analytical procedures, a review of industry information, organization charts, interviews, and walk-throughs where you follow the process with the employees.Â Included in the review of controls is a review of proper segregation of duties.Â This is often one of the areas fraught with fraud risk in smaller organizations and therefore, special attention should be paid.Â Often, smaller organizations do not have the personnel to have proper segregation of duties, and too frequently, there is one key individual with unlimited access to accounts, records, and information.Â Any individual that has custody or control of assets, can enter information in a system, and change that information as well as approval ability, is a high risk.
Reviewing technology and software security access can also identify potential risks.Â The increase in organizations using software to run their day-to-day operations has created a greater need for access to certain records and information; as a result, users are sometimes given permission to access or change data creating potentially unnecessary risks.
Fraud risk assessments are a valuable tool to identify if there is a weakness in your system that has created a fraud risk; unfortunately for many companies, it is also a great tool to determine the extent of a fraud that has already occurred.
 The use of oneâ€™s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organizationâ€™s resources or assets.
Paul Fullerman, CPA, CVA is Manager of Forensics and Dispute Advisory Services with GBQ Consulting, a Central Ohio accounting and consulting firm. Mr. Fullermanâ€™s broad range of experience has taught him to appreciate a variety of industries and companiesâ€”which serves him well at GBQ. After beginning his decade-long accounting career learning the ropes in a one-man shop, he completed his internship at a major corporation. Mr. Fullerman has worked for more than eight years in public accounting for several CPA firms.
Mr. Fullerman can be reached at: (614) 947-53420 or by e-mail at PFullerman@gbq.com.