Moving toward a best-in-class fraud risk assessment
Fraud risk assessment is an art, not a science. There is no one-size-fits-all approach, and not all fraud risk assessments are equally effective. A best-in-class fraud risk assessment is a comprehensive program that constantly takes the pulse on current and emerging risks, and provides a clear path to mitigation, monitoring and reporting across the enterprise. Too many organizations treat their fraud risk assessment as a one-and-done activity, putting it back up on the shelf after completion and only returning to it every few years. These organizations are missing out on the true value that an effective fraud risk assessment program offers. Some organizations really want to institute a meaningful fraud risk assessment program but lack the knowledge and skills to conduct one effectively. Others simply want to upgrade their current fraud risk assessment program.
10 ways to strengthen your fraud risk assessment
- Understand your complete risk universe.
- Narrow your focus.
- Employ the right risk-assessment techniques.
- Focus on facts, not perceptions.
- Involve the right people.
- Dive deep.
- Build a strong foundation.
- Break out of your silos.
- Focus on a broad range of controls.
- Turn insight into action.
Here are 10 ways you can strengthen your fraud risk assessment to move toward best-in-class:
- Understand your complete risk universe. Identifying the full range of internal and external fraud schemes that could affect your organization is vital to an effective fraud risk assessment. Many organizations skip this step altogether, focus too heavily on either internal or external fraud, or don’t put enough effort into this process to ensure it results in an effective tool to assess risks across the organization. Remember that risks evolve, so you should periodically review your risk universe to ensure that you stay ahead of emerging threats.
- Narrow your focus. While you must identify your risks, don’t go overboard or try to boil the ocean. More is not always better. Instead, focus on identifying the internal and external risks most relevant to your organization. Your organization might have a multitude of fraud risks and not know where to start with the massive list. This translates to analysis paralysis. You don’t have to conduct an enterprise-wide fraud risk assessment right out of the gate. If you have limited resources, you can start small and expand over time as you gather lessons learned and as resources allow.
- Employ the right risk-assessment techniques. Risk assessments and risk-assessment techniques are not all equally effective. Many organizations rely heavily on surveys to assess risks. However, surveys alone are not optimal since they can be subject to biased, perception-based responses and there is no way to ensure everyone is responding within the right context. Surveys are generally most appropriate in the early stages of your risk assessment. They should be followed by interviews or workshops for deeper analysis. A mature risk-assessment process should employ multiple techniques including surveys, interviews and workshops.
- Focus on facts, not perceptions. Many organizations focus on perception-based questions as part of fraud risk assessment — for example, “How would you rate the strength of controls?” The reliability of such perceptions can vary widely. A better approach is to map out your risks and design a set of information-based questions aimed at assessing the strength of controls to protect those entry points.
An expense reimbursement fraud example
A common control is supervisory review of expense reimbursement requests. Ask, “Are supervisors required to review and approve all reimbursement requests?” or “Have there been audit or other findings on the supervisory approval process?” Such information-based questions will help limit reliance on perceptions and provide a wealth of data to use in targeting follow-up interviews or workshops on potentially higher risk areas.
- Involve the right people. Organizations tend to keep their fraud risk assessment teams small or focused only on senior leadership or management. Aim for a broader set of perspectives from the business staff on the front lines. They actually understand how controls are implemented and where you have potential gaps or vulnerabilities. Building a broader risk-assessment team can help you train stakeholders on fraud risk, on their role in fraud risk prevention and detection, and on why fraud risk management matters.
- Dive deep. Dig beneath the surface. Your assessment should dive deep enough to understand your top risks, the controls in place, and the key gaps and vulnerabilities across your organization. You will not get this insight in a 30-minute interview or a 10-15-question survey. Best-in-class risk assessments take time, both to develop the methodology and to implement across your organization.
- Build a strong foundation. It is difficult for a fraud risk assessment to be effective if you do not have a solid fraud risk management foundation in place. This foundation should include a strong and documented governance structure; and defined roles, responsibilities and reporting mechanisms for your fraud risk management program. This foundation will ensure there is an underpinning strategy and governance structure in place so that you can be certain the assessment itself and the results have a clear path, priorities and reporting structure.
- Break out of your silos. Fraud risk assessment should not be conducted in a silo. Strategically integrate with other functions at your organization as you conduct the assessment and relay results. It is especially important to communicate results to relevant business lines to help inform decision-making and communicate lessons learned that should be incorporated to strengthen current controls and mitigation activities.
- Focus on a broad range of controls. As part of the risk-assessment process, you should identify existing anti-fraud controls and appraise their effectiveness. Often, organizations either do not fully understand their existing anti-fraud controls or rely on perceptions of effectiveness instead of working to understand actual effectiveness. This is where a control inventory comes in. As you begin to conduct your fraud risk assessment, match your identified fraud risks to your identified anti-fraud controls. Once you begin to assess and score risks, leverage this inventory to understand what controls are in place to combat a risk and to work to understand how strong controls are in practice. You can leverage audit findings, controls testing results or other sources of data to help, and you can talk to front-line staff implementing these controls to understand what they are doing and how that might differ from the design of the control.
- Turn insight into action. If you are not using the insights gathered during your fraud risk assessment to take meaningful action, you are not alone. But you also are not making full use of your assessment. Your fraud risk assessment is a tool. The results should drive decisions, resource allocation, and business and process improvements.
Do something, start somewhere
Effectively managing your organization’s fraud risk is a long-term journey. Any assessment is better than none; a useful mantra is “Do something, start somewhere.” You might want to either institute an enterprise-wide fraud risk assessment methodology or start in one business area and build out the program slowly over time. Either way, fraud risk assessment is not a one-and-done activity. You should iterate to include lessons learned in subsequent assessments. If you already have a fraud risk assessment in place, dive deep to determine where you might be able to improve current processes to increase the effectiveness and usefulness of your current program. If you are starting from scratch, pick one area to focus on first, then leverage best practices and leading guidance to build a methodology that is tailored for your organization.
Don’t know where to start? Check out the newly released Anti-Fraud Playbook, which outlines leading guidance and best practices for developing a leading fraud risk management program. See Plays 3 and 4 for guidance on developing a fraud risk map and conducting an effective fraud risk assessment.
Our featured risk, compliance and controls insights
No Results Found. Please search again using different keywords and/or filters.