Maintaining an Effective Fraud Risk Management Program in a Post-Pandemic Environment
Fraud is a constant and growing threat faced by organizations of all sizes. This may be common knowledge for some, but we all must recognize that fraud, unlike the workforce, did not stay home during the pandemic. In fact, as a result of remote and hybrid workplace models, fraud has taken on many new forms. Properly updating your fraud risk management program can help protect your organization from these emerging fraud risks.
Hypothetical Workplace Scenario
Emily C. is the head of internal audit for a midsize medical device company. Two years ago (i.e., pre-pandemic), Emily was instrumental in establishing and co-leading the company’s fraud risk management program. As with most companies during the pandemic, many employees at Emily’s company worked remotely. As a result of the continued success and many cost benefits the company realized from a remote work environment, the company has decided not to return all of its employees to the office full-time. Instead, the company is giving many of its employees the option to continue working remotely, return to the office part-time or return to the office full-time. Although Emily welcomes this change, she quickly realized that the company’s fraud risk management program will likely be impacted. Emily knows that if the company does not reassess its fraud risk management program in the near term, it may have gaps in internal controls (or internal controls that are no longer effective), leading to an increased risk of fraud.
Fraud, Hybrid Workplace Models and Fraud Risk Management Components
The framework utilized by many organizations to assess their fraud risk management programs is the Fraud Risk Management Guide[i] that was jointly published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Association of Certified Fraud Examiners (ACFE) in 2016. This guide aligns with and builds upon the COSO 2013 Internal Control – Integrated Framework,[ii] which is widely utilized around the world by companies and auditors to evaluate a company’s internal control environment. The five key components of a comprehensive fraud risk management program are: (1) fraud risk governance, (2) fraud risk assessment, (3) fraud control activity, (4) fraud investigation and corrective action, and (5) fraud risk management monitoring activities. Although many companies have already implemented several of these components in their fraud risk management program, it is important to remember that implementing a fraud risk management program is not a one-and-done exercise. In fact, what separates a good fraud risk management program from a great one is continuous evolution, particularly during a time of significant change, business interruption or the identification of fraud. One significant change many organizations now face is a shift toward a remote and hybrid workforce. Below are a few examples of changes that may be required to maintain an effective fraud risk management program in a post-pandemic environment.
Fraud Risk Governance
According to the ACFE Report to the Nations, tips are the primary source of fraud identification and detection.[iii] Further, median fraud losses were nearly double at organizations without hotlines compared to those with hotlines.[iv] Therefore, it is important not only that companies ensure they have a hotline or similar reporting mechanism, but also that employees know how to access and utilize this critical tool.
In a post-pandemic environment, traditional methods of maintaining awareness of reporting tools, such as hanging posters or holding in-person trainings, may no longer be effective. However, simple changes, such as shifting the method of communication (e.g., email reminders and notices on intranet sites) and moving to virtual trainings, may now be more effective. Additionally, and perhaps more importantly, the actions taken by the company to evolve its fraud risk governance demonstrate the organization’s commitment to integrity, ethical values and zero tolerance for fraud, and set a proper tone at the top.
Fraud Risk Assessment
According to the COSO integrated framework and further reiterated by the Fraud Risk Management Guide, a formal risk assessment is a critical component of a comprehensive fraud risk management program and strong internal control environment. A fraud risk assessment is a process whereby a company performs a self-review to, in part, identify locations, departments, business units and processes that are more prone to fraud risks, and maps those risks to existing internal controls. Like most components of a fraud risk management program, it is best practice to periodically review and update the fraud risk assessment to capture current schemes, emerging risks and any mitigating internal controls.
In a post-pandemic business environment, it is important to consider whether there are any additional fraud schemes or risks associated with processes or procedures that are now performed remotely. Examples of IT risks associated with remote employees include connecting to unsecured Wi-Fi, the use of personal devices to conduct business activities and employee data theft concerns. It is also important to consider whether there have been, or should be, changes to the organization’s internal control environment to better align with a remote or hybrid workplace model. For example, risks may arise from changes to invoice or payment approvals (e.g., electronic versus wet-ink signoffs), changes to vendor selection and onboarding processes, changes to account reconciliation processes and changes in segregation of duties. After these changes have been identified, it is imperative that the company update its fraud risk assessment to determine whether there are any gaps or weaknesses in the internal control environment.
Fraud Control Activity
According to the Fraud Risk Management Guide, a fraud control activity is an action established through policies and procedures that helps ensure that management’s directives to mitigate fraud risks are carried out. An organization’s fraud control activities can be preventive or detective, and some are created as a result of the company’s fraud risk assessment process.
In a post-pandemic environment, it is important that companies test their fraud control activities to ensure that they continue to function properly and as intended. Such testing is critical because the now remote or hybrid work environment may have caused the organization to change its processes and procedures, and existing fraud controls may now be ineffective or irrelevant.
Fraud Investigation and Corrective Action
Although a formal fraud risk assessment and strong internal controls are critical in reducing an organization’s fraud risk, it is not possible to eliminate all fraud risk. Alan Greenspan, former chair of the Federal Reserve, once stated, “Corruption, embezzlement, fraud, these are all characteristics which exist everywhere. It is regrettably the way human nature functions, whether we like it or not. What successful economies do is keep it to a minimum. No one has ever eliminated any of that stuff.” Therefore, organizations should continually assess their investigation and corrective action/remediation approach and determine whether it is equipped to handle any allegations or instances of fraud that may arise.
Post-pandemic, certain routine procedures such as interviews may now need to be handled via video conference or, less preferably, via phone. Remediation is an equally important part of the investigation approach. Remediation of a fraud is not as simple as removing the perpetrating employee(s). Rather, remediation should also include a comprehensive review of the incident to understand how the fraud was able to be perpetrated and to determine whether there are any gaps in the internal control environment. For example, it may be necessary to determine whether other employees (or even customers or vendors) were involved in the fraud, or whether other company departments have vulnerabilities similar to the department that experienced the fraud. This critical step helps the company prevent similar frauds from reoccurring in the future. Further, a company’s response to an allegation or incident of fraud is typically scrutinized by the regulatory authorities involved, with credit and leniency typically given to organizations that can demonstrate a solid, functioning and up-to-date fraud risk management program.
In summary, a simple kick of the tires of your fraud risk management program may not be sufficient in a post-pandemic environment. Now, more than ever, companies should complete a more detailed and thorough review of their fraud risk management program to consider new schemes, emerging risks and/or changes to internal controls as a result of a shift toward a remote or hybrid workforce. Just because your company took its work home doesn’t mean fraud is going to stay home too.
[i] https://www.coso.org/pages/purchase-guide.aspx.
[ii] https://www.aicpa.org/cpe-learning/publication/internal-control-integrated-framework-executive-summary-framework-and-appendices-and-illustrative-tools-for-assessing-effectiveness-of-a-system-of-internal-control-3-volume-set.
[iii] ACFE 2020 Report to the Nations, p. 19.
[iv] Ibid., p. 21.