Assessing the Risk of Fraud in Your Organization
Don’t be a Victim of Fraud
Fraud can affect virtually any organization and fraud costs can be far more than just monetary losses. The author discusses the recent Wells Fargo fraud investigation and shares her views regarding what makes for an effective risk identification program. The effects of fraud can go beyond simple dollar losses and include harm to the organization’s reputation, employee morale, legal costs, and erosion of confidence by investors among other negative effects.
Resources:
- Introduction To Fraud Risk Management
- Fraud Risk Assessment and the Internal Control Framework
- Fraud Deterrence and Fraud Detection
The Association of Certified Fraud Examiners (ACFE) surveys its Certified Fraud Examiner (CFE) members every two years and reports the findings in a publication entitled Report to the Nations. In its 2016 Report to the Nations, the ACFE estimates that the typical organization loses five percent of its revenues to fraud every year. The effects of fraud can go beyond simple dollar losses and include harm to the organization’s reputation, employee morale, legal costs, and erosion of investor confidence, among other negative effects.
Consider the Wells Fargo fraud that received extensive media coverage in the fall of 2016. Wells Fargo negotiated a $185 million settlement with regulators, including the Consumer Financial Protection Bureau, and will also pay refunds to customers. The basis for the action was the opening of fee-generating accounts not authorized by customers. In the aftermath of the publicity, Wells Fargo started its own public relations campaign, taking out large ads to apologize to its customers and attempt to restore customer trust. The bank also devoted part of its own website to telling customers about the actions it is taking to “make things right.” In March 2017, Wells Fargo agreed in principle to the terms of a settlement of a class-action lawsuit by affected customers for a reported $110 million. The Office of the Comptroller of the Currency imposed tighter controls on the bank, including a requirement that changes in the bank’s executive leadership be approved by that regulator.
One of the lessons from the Wells Fargo matter that should be considered by all organizations’ management is the importance of anti-fraud programs. According to Managing the Business Risk of Fraud: A Practical Guide, a publication sponsored by the Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and the ACFE, “Only through a diligent and ongoing effort can an organization protect itself against significant acts of fraud.” The guide goes on to state five principles for establishing managed fraud risk. One of these principles is that, “Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.”
A fraud risk assessment is not a one-size-fits-all exercise. An effective fraud risk assessment needs to be structured and address the specific risks that apply directly or indirectly to the organization. The fraud risk assessment can be part of the assessment of overall risks to the organization, or it may be conducted separately.
The key elements of a fraud risk assessment are:
- Identification of risks
- Assessment of the likelihood of the risk
- Assessment of the significance of the risk
- Development of a risk response
An effective risk identification process will involve an analysis of the incentives, pressures, and opportunities for fraud. Using the Wells Fargo matter as an example, management would have considered the pressure that front-line employees experienced from senior management to meet quotas for customer accounts. A fraud risk assessment of the account opening process would take into consideration the tie between the compensation of individual employees and the opening of fee-generating accounts, as this compensation could become the incentive to commit fraud. The next consideration would be an evaluation of whether an opportunity existed to open an account without the customer’s explicit approval.
In designing a fraud risk assessment process, it is helpful to remember the definition of fraud and attempt to anticipate the behavior of the potential fraudster. Although several definitions of fraud exist, this one, found in Managing the Business Risk of Fraud: A Practical Guide, is one that helps set the proper mindset for the fraud risk assessment:
“Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.”
This broad definition is helpful because it allows organizations to consider deceptive practices that may harm a variety of victims or enrich the perpetrator in less than obvious ways. In considering “victims”, a proper fraud risk assessment should consider that the initial victim could be the organization that employs the potential fraudster or it could be the customers of that organization, or others who do business with the potential fraudster’s organization. Harm to an organization’s reputation must not be overlooked when considering fraud risks, nor is it acceptable to overlook the severe consequences that could result from regulatory noncompliance associated with deceptive practices.
Getting Started
A proper fraud risk assessment starts with assembling the correct team. The most effective risk assessments are generated when people with differing knowledge, skills, and perspectives are part of the team. The team may include external sources, particularly those well versed in anti-fraud programs. The organization’s external financial statement auditors may be involved as well. Internally, the team should be drawn from the following departments:
- Business units/operations
- Risk management
- Legal and compliance
- Accounting and finance
- Internal audit
- Sales and marketing
- Human resources
It goes without saying that the team should have the full support of senior management, and management at all levels should be involved in the process, as ultimately management is accountable for the anti-fraud program. To be effective, a fraud risk assessment must be systematic and recurring. Therefore, communication and effective working relationships among the team members are vital to success. Brainstorming about potential risks is an essential part of the process, so setting the right tone for the work of the assessment team is another key success factor. The “tone at the top” should convey a strong commitment to preventing and detecting fraud and to adherence to a code of ethics. A skeptical, questioning mindset on the part of the team is critical, but senior management, in establishing the tone at the top, must convey its respect for that mindset and welcome the opportunity to engage with the team in assessing risks.
The ACFE makes available to its members fraud assessment tools that can be used for information gathering and analysis. Including a CFE on your team can be invaluable, not only for the fraud insights but also for his or her access to the various resources offered by the ACFE. Likewise, members of the IIA have access to a variety of resources, and their independence from operating departments and from the accounting and reporting functions enables internal auditors to provide valuable assistance in assessing fraud risk. A qualified internal auditor will be skilled at interviewing and may recommend useful techniques for organizing interview questions. While including CFEs and internal auditors in the risk assessment is very helpful, it is important to recognize that management is responsible for the anti-fraud program as a whole, and the involvement of various members of the organization will be critical to the success of the fraud risk assessment.
Some of the key questions to be answered are: How might a person exploit a weakness in the system of internal controls? Could a perpetrator override or circumvent controls? How? What might a perpetrator do to conceal the fraud? Addressing these questions requires that skeptical, questioning mindset, and discourages the kind of thinking that says: “fraud can’t happen here.”
Choosing and Using a Framework
An effective fraud risk assessment involves a structured and documented approach. As stated above, the first step is to identify fraud risks, but that is only the beginning. The organization needs to assess the likelihood and significance of each fraud risk and develop a response to it. In order to be effective, some type of written tool must be employed. The actual tools used will vary according to the complexity of the operations, but a chart like the one found in Managing the Business Risk of Fraud: A Practical Guide, with the following columns, may be effective:
- Identified Risk
- Likelihood
- Significance
- People/Department
- Existing Controls
- Effectiveness of Controls
- Residual Risks
- Fraud Risk Response
 The first column, identified risks, should be the product of brainstorming on the part of the risk assessment team. The population of risks to consider would include financial statement manipulation, asset misappropriation, and corruption, which would include bribery, kickbacks, and unauthorized gratuities, and could also include aiding and abetting fraud on the part of others such as customers or vendors. One of the reasons for including members with different backgrounds, skill sets, and from different departments and disciplines is the sheer breadth of possible fraudulent activities that could occur within an organization.
The next two columns, likelihood and significance, should be the product of discussions amongst the team members based upon their knowledge of pressures, incentives, and opportunities. It is critical that the team consider the strategy and goals of the organization and the kinds of pressures that may exist to conceal the true state of affairs. For example, consider the pressures to manipulate financial results. Is the long-term achievability of goals dependent upon meeting short-term financial goals and concealing specific aspects of the financial picture? Are individual department heads concerned about possible elimination or cutbacks if goals are not met?
The team will also want to consider carefully the kinds of incentive plans that may exist and how those plans may encourage potential fraudsters to engage in unethical behaviors to earn those incentives. Even absent a specific incentive plan, the team must consider the more subtle effects of performance metrics that drive decisions about personnel retention.
The team will likely need to gather additional insights through interviews with persons in various departments in order to develop their understanding of incentives, pressures, and opportunities.
Likelihood can be assessed based on past occurrences within the organization, industry information, frequency of transactions, and other factors. The categorization can take different forms, but three categories should be sufficient for most organizations. One three-category system might encompass “remote”, “reasonably possible”, and “probable.”
Significance of a risk should consider not only the monetary impact of potential frauds, but also any impact the fraud might have on financial reporting, operations, organizational reputation, and compliance requirements. Criminal, civil, and regulatory liability all need to be factored in. The significance also needs to be weighed in light of the impact on other parties. For example, if fraudulent expense reporting or unauthorized purchases of supplies occur in a manufacturing company where the expenses are not billed to customers, the impact is largely on the company’s own bottom line. However, if these same expenses are instead passed along to a customer, the customer relationship is jeopardized. Consideration also needs to be given to the regulatory oversight the organization is subject to. Severe fines or loss of privileged licenses may also be a risk in some industries.
As with the categorization of likelihood, three levels are typically enough and may be expressed in qualitative language. One set of terms could be “inconsequential”, “more than inconsequential”, and “material.”
The initial assessment of the likelihood and significance of a given risk should be based upon what is referred to as “inherent risk,” that is, the risk of something occurring before the effect of any controls is taken into account. This allows the team to better identify all the relevant risks and then systematically evaluate controls in light of those risks.
The next column can be used to outline the various people and departments that may be involved. For example, in addressing the risk that the company is engaging in fraudulent activities related to sales, it may be appropriate to list both the sales and the shipping departments. Identifying the people and departments helps the team to consider more specifically the kinds of pressures, incentives, and opportunities that may exist. The identification of affected departments and people will also help the team analyze the controls that may mitigate the risks.
Existing controls that mitigate, or were designed to mitigate, those risks are then identified and recorded in the next column. The effectiveness of the controls is then assessed. One of the key elements in completing this column is an understanding of whether each control is tested to confirm that it is functioning as designed and that it is actually effective in mitigating the specified risk. This column should explicitly identify who tests the controls. Controls may be either preventive (that is, designed to deter fraudulent acts from happening) or detective (that is, designed to identify fraud when it occurs).
In assessing controls, it is important to recognize the potential for management override of controls. An anti-fraud control that is easily overridden by management is ineffective.
Residual risk is the risk that remains after consideration of the internal controls in place. Management override of controls is a common factor in residual risk.
The response to residual risk is highly dependent on the organization’s tolerance for risk. Those charged with governance must consider a broad range of stakeholders, and risk appetites can vary widely. While some companies have a “zero-tolerance” for fraud once it is discovered, it is important to understand that controls can be expensive and time-consuming, and some controls also tend to slow business operations. Therefore, the organization must thoughtfully balance its tolerance for fraud risk with the cost of preventing and detecting fraudulent activity.
Some of the responses to residual fraud risk include: accepting the risk given its likelihood and significance, adding internal controls to further mitigate the risk, or designing internal audit procedures to address the risk.
Performing and documenting a fraud risk assessment on an iterative basis is a crucial component of an organization’s anti-fraud program. While the task may seem daunting, a systematic approach such as the one described here will make the process manageable with the selection of the right team, the right mindset, and the support of management at all levels.
References
Managing the Business Risk of Fraud: A Practical Guide, sponsored by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, undated.
The Fraud Resistant Organization, a publication of the Anti-Fraud Collaboration, undated.
2016 Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners.
This article is reprinted with permission from the author as previously published on McGovernGreene.com.
Lynda L. Hartzell is a Certified Fraud Examiner, a Certified Public Accountant, and a Certified Internal Auditor, and is employed as Managing Director of Forensic Accounting and Consulting in McGovern & Greene LLP’s Las Vegas office. She received her undergraduate degree in accounting from Northern Arizona University and has provided a variety of forensic accounting and consulting services to a wide spectrum of clients, with a special emphasis on the gaming and hospitality industry. Ms. Hartzell provides internal audit services and trains auditors in effective auditing processes. Her practice also involves litigation-related services.
Lynda L. Hartzell can be contacted at (702) 818-1168 or by e-mail to Lynda.Hartzell@mcgoverngreene.com.