These phases and the underlying plays are the building blocks of an effective fraud risk management program. Whether you are beginning your anti-fraud journey or are looking to enhance current fraud risk management practices, the Anti-Fraud Playbook provides a benchmark for what a good fraud risk management program looks like. Armed with this insight, internal auditors can understand their organization’s fraud risk management strengths and opportunities for improvement, and can translate those insights into informed, actionable findings that help foster effective fraud risk management across the organization.
Tip: fraud risk management should be tailored to the unique needs of the organization and its individual business units. Not every organization or business unit requires the same level of fraud risk management. For example, business units with limited fraud exposure or those that are willing to accept more fraud risk might not need the same level of fraud risk management as others.
#2: Learn to think like a fraudster
To understand your organization’s fraud risk landscape and identify red flags, internal auditors must first define what type of fraud they should be looking for. This requires a concept we call ‘thinking like a fraudster’. Brainstorm fraud scenarios that are specific to your organization’s processes and controls. Don’t just focus on what you’ve already seen. Think outside the box. If someone wanted to commit fraud, how could they do it? What processes or controls would they circumvent? Who would be most likely to perpetrate the fraud, and why? Consider both internal and external fraud, and think beyond just financial losses.
Thinking like a fraudster can help internal auditors identify risks and better evaluate and align controls to them. Once the internal auditor has a clear picture of the risk landscape, they can deploy analytics to target specific risks, as in the expense reimbursement example below. This can help facilitate continuous risk identification and monitoring, further fostering proactive fraud risk management at the organization.
For example, consider expense reimbursements, a common area for fraud. What analytic tests could IA implement to identify employees who are fraudulently trying to claim personal expenses as business expenses?
- Identify business travel with departures on Friday or Saturday.
- Compare travel location and expense-incurred location.
- Isolate even-dollar amounts from unexpected sources (hotels, car rentals, etc.).
- Review expenses that always end in round numbers or with consistent amounts.
- Stratify expenses by employee and job title/roles to identify outliers or inconsistencies.
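As an added illustration (not part of the Anti-Fraud Playbook or this article), the five analytic tests above implemented in Python over a small constructed set of expense claims; the field names, thresholds and the "2x the role median" outlier rule are assumptions chosen for the example, not rules from the Playbook.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample expense claims (not real data); amounts are in cents.
FIELDS = ("id", "emp", "role", "cat", "cents", "depart", "trip_city", "exp_city")
ROWS = [
    (1, "alice", "analyst", "hotel", 18950, "2024-03-11", "Denver", "Denver"),
    (2, "alice", "analyst", "meal", 4230, "2024-03-11", "Denver", "Denver"),
    (3, "bob", "analyst", "hotel", 30000, "2024-03-08", "Austin", "Austin"),
    (4, "bob", "analyst", "car rental", 20000, "2024-03-08", "Austin", "Miami"),
    (5, "bob", "analyst", "meal", 10000, "2024-03-08", "Austin", "Austin"),
    (6, "carol", "analyst", "hotel", 21075, "2024-03-12", "Boston", "Boston"),
    (7, "carol", "analyst", "meal", 3315, "2024-03-12", "Boston", "Boston"),
    (8, "dave", "manager", "hotel", 41020, "2024-03-09", "Chicago", "Chicago"),
]
CLAIMS = [dict(zip(FIELDS, r)) for r in ROWS]

def weekend_departures(claims):
    """Trips departing on Friday (4) or Saturday (5); Monday is weekday 0."""
    return [c["id"] for c in claims if date.fromisoformat(c["depart"]).weekday() in (4, 5)]

def location_mismatch(claims):
    """Expense incurred somewhere other than the approved travel city."""
    return [c["id"] for c in claims if c["exp_city"] != c["trip_city"]]

def even_dollar_unexpected(claims, sources=("hotel", "car rental")):
    """Whole-dollar amounts from categories that normally bill odd cents."""
    return [c["id"] for c in claims if c["cat"] in sources and c["cents"] % 100 == 0]

def round_number_habit(claims, min_claims=3, share=0.8):
    """Employees whose claims are almost always multiples of $10."""
    flags = defaultdict(list)
    for c in claims:
        flags[c["emp"]].append(c["cents"] % 1000 == 0)
    return sorted(e for e, f in flags.items()
                  if len(f) >= min_claims and sum(f) / len(f) >= share)

def role_outliers(claims, factor=2.0, min_peers=3):
    """Stratify totals by role; flag spend above factor x the role's median."""
    totals = defaultdict(lambda: defaultdict(int))
    for c in claims:
        totals[c["role"]][c["emp"]] += c["cents"]
    out = []
    for by_emp in totals.values():
        if len(by_emp) < min_peers:
            continue  # too few peers for a meaningful comparison
        med = median(by_emp.values())
        out += [e for e, t in by_emp.items() if t > factor * med]
    return sorted(out)
```

Each function returns claim ids or employee names that merit follow-up review, not a fraud determination; a hit on one test is a red flag to investigate, and the thresholds should be tuned to the organization's own claim history.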
Tip: Where fraud has occurred, internal audit should understand how the controls failed and identify opportunities for improvement. It should consider the probability of further errors, fraud, or noncompliance across the organization and reassess the cost of assurance in relation to potential benefits.
#3: Monitor progress
Monitoring almost always comes last when organizations build fraud risk management programs. However, monitoring and periodic evaluations provide vital insight into the effectiveness of fraud risk management activities and help identify areas for improvement. Business unit owners should be responsible for the ongoing monitoring and periodic evaluation of their own fraud risk management activities.
Internal auditors can help ensure monitoring and evaluations are effective by focusing on two key questions:
- Do monitoring and evaluation activities cover the full spectrum of fraud risk management activities? IA should confirm that the monitoring and evaluation activities in place cover every fraud risk management activity, not just a subset. Internal audit should also ensure that the business focuses on outcomes rather than outputs: the effectiveness of fraud risk management activities rather than the number of activities taking place. For example, instead of counting the number of fraud risk assessments performed (output), the business should measure the change in likelihood and impact scores from one assessment to the next to see how risk responses are affecting those scores (outcome).
- Are the results of monitoring and evaluations being used to drive continuous improvement? Let’s say the business surveyed employees within a specific function to determine the effectiveness of recent anti-fraud training, and the results were lower than expected. Internal audit could push the business to improve the training to achieve the desired outcome.
Fraud risk management is a journey with no final destination. It is not a one-and-done activity. Fraud risks are always evolving. What works today may not work tomorrow. IA provides the independent, objective assurance that your organization has the fraud risk management program and activities needed to combat current and emerging fraud threats.
Download the Anti-Fraud Playbook today to help your organization move from theory into practice.