Fraud has well-known financial and reputational ramifications. But if your organization is like many others, “It can’t happen here” is a pervasive belief. When held by leadership, there’s no chance that risk management will be taken seriously. Significant fraud avoidance and mitigation are built on top-level awareness and commitment, and effective assessment to direct risk management activities.
Ignoring the potential for fraud is expensive. According to the Report to the Nations,
released in 2016 by the Association of Certified Fraud Examiners (ACFE), a typical organization loses 5% of its annual revenues to fraud. Losses can mount much higher.
The five phases of fraud management:
Commit to fraud risk management from the top
- Establish governance with top-level anti-fraud commitment
- Create a formal fraud risk assessment process
- Develop control activities aimed at the highest fraud risk areas
- Implement fraud reporting and investigation procedures
- Ensure oversight and monitoring of internal controls and new schemes
While it’s easy to acknowledge that fraud prevention is the most cost-effective approach, proactivity isn’t always on the agenda. Too often awareness comes as a hard lesson. Avert such lessons by raising awareness to the level of a C-suite priority.
C-suite executives getting ahead of issues by charging senior executives with fraud risk management responsibilities. This commitment is the first of the five phases of a productive fraud risk management program. Direction for all the phases can be found in the Fraud Risk Management Guide,
issued jointly in 2016 by the ACFE and the Committee of Sponsoring Organizations of the Treadway Commission. A similar approach to anti-fraud programming is described in Framework for Managing Fraud Risks in Federal Programs,
the U.S. Government Accountability Office guide issued in July 2015.
The overarching phase — second only to commitment — is a comprehensive, enterprise-level fraud risk assessment.
Assess your fraud risk exposure, current and future
Your staff and stakeholders, who know the day-to-day workings of the organization, are the best source of a realistic fraud risk assessment. Structure a process to capture their on-the-ground experiences, perceptions and risk fears.
At the start of the assessment process, describe common fraud scenarios to which your organization might be vulnerable. Write fraud risk questions to determine the likelihood of the scenarios becoming reality, as well as impacts that could be anticipated. Then launch the collection procedure.
The initial fraud risk assessment is a baseline. Incorporate subsequent assessments to continuously raise awareness of and commitment to fraud in its many forms.
Help staff and stakeholders buy into assessments
Explain assessment as a collaboration to identify and mitigate vulnerabilities. Make fraud risk a comfortable subject to discuss. When “risk” is not a menacing word, stakeholders are more inclined to consider the possibilities of fraud. They’re also more likely to provide honest feedback if they feel safe from accusations when pointing out weak or missing controls.
Reduce trepidation through survey questions that minimize room for negative interpretation. Ask process-specific rather than personal-responsibility questions. Instead of “How effectively do you verify self-reported information?” ask, “Do you verify self-reported information in applications? If so, how many databases do you check? Do you use internal or third-party data? Have there been reliability concerns with verification data?” Responses will be more reliable because respondents will be less tempted to say all is fine.
Reliability will also hinge on the clarity of questions. Asking about risk likelihood and impact on a five-point scale will yield only a number from 1 to 5. For example, a question might ask for ranking exposure of personally identifiable information. Some respondents might interpret the risk as large-scale cyberattacks and some as printouts mistakenly left on a desk. The two events are very different. A better approach is to pose narrow, standardized questions. You could ask about the strength of controls to protect potential entry points, e.g., product types and channels. Answers can be converted into a rubric, with a quantitative risk score for each function. Results will identify the most crucial risk areas.
Facilitate fraud risk workshops
Address crucial risk areas with regular anti-fraud training. Keep in mind that people often assume best intentions. This tendency can skew the ability to make unbiased judgments. To nurture a fraud risk–aware culture, encourage healthy skepticism. Make sure that every training session promotes critical thinking and reports on internal or external events of any size.
A practical component of training is a schedule of facilitated workshops. In your workshops, assign participants the role of fraudster and prompt them to describe how they might perpetrate schemes. Allow time for open discussion of questionable activities and other possible warning signs. Note detected and emerging threats for updating your fraud scenario library.
Back your fraud risk management program with awareness throughout the organization, starting with commitment at the top, and assessment that directs the next phases of fraud prevention and mitigation.
Director, Public Sector
Leader, Fraud Risk Practice, Grant Thornton
: +1 571 444 1990