Fraud Risk Management
Fraud is all around us, grabbing the headlines every single day. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly. Many firms focus on the low-probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. In our present climate, Fraud risk has been elevated and new types of fraud typology have evolved in concert with both cyber and money laundering.
Given the high correlation between its two half-sisters cyber and money laundering: it beholds the proactive and forward-thinking organization to combine these risks and adopt an inclusive approach. An all-inclusive fraud risk management framework therefore includes the following components: governance, assessment, strategy and evaluation.
Let’s take a look at four steps a firm can take to develop and maintain an effective fraud risk management program which incorporates cyber and money laundering, any references to fraud therefore assume the assimilation of cyber and money laundering risks
1. Create a dedicated governance structure to manage fraud risk.
The first requirement is to build an organizational culture to combat fraud at all levels of the firm. This should demonstrate a senior-level commitment and set an anti-fraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an anti-fraud department) that, among other things, will:
- Serve as the repository of knowledge on fraud/cyber and money laundering risks and controls
- Manage the risk assessment process
- Lead or assist with trainings and other fraud awareness activities
- Coordinate anti-fraud/cyber/money laundering initiatives across the program.
- Educate and train personnel. Anecdotally the more qualified Certified Information Systems Security Professionals (CISSP) an organization has , the better the ability the organization has to mitigate and prevent cyber attacks.
2. Create a fraud risk assessment.
The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy‐in involves relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
- The identification and assessment of risks to determine the program’s fraud risk profile, starting with inherent fraud risks affecting the program
- An assessment of the likelihood and impact of inherent fraud risks, with the consideration of the nonfinancial impact of fraud risks, including impact on reputation and compliance with laws, regulations and standards
- Determining the firm’s fraud risk tolerance, examining the suitability of existing fraud controls and prioritizing residual fraud risks
- Documenting the program’s fraud risk profile
3. Design and implement an anti-fraud strategy with specific control activities.
Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding, monitoring and evaluating. The following questions can be used to guide the firm’s resource allocation in response to fraud:
- What is the program doing to manage fraud risks?
- When is the program implementing fraud risk management activities?
- Where is the program focusing its fraud risk management activities?
- What are the specific control activities to prevent and detect fraud?
- How is the suitability of existing risk controls assessed and how is residual risk prioritized?
- How does the program respond to identified risks?
- Why is fraud risk management important?
4. Conduct risk-based monitoring and evaluate all components of the framework.
Collection and analysis of data — including data from reporting mechanisms and instances of detected fraud — is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy, fraud controls and response efforts.
A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment. which provides both understanding of what constitutes a system of internal control and insight into when internal control is applied effectively. For more on COSO and internal controls read Don’t be Vulnerable - Properly Assess the Risks in Your Business.
Every fraud risk management program can be further enhanced by fraud awareness training and by communicating results — for example, instances of fraud that have been identified and corrective actions that have been taken — to employees.
Following these four steps will help to prevent, but not eliminate, fraud. Most fraud can be staved off by a comprehensive risk management program, but as criminals and morally compromised people concoct new forms of deceit, businesses must remain vigilant in the battle against fraud.
Not a member-scholar yet? Join our financial community here!
Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.
For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.