Fraud in some form is perpetrated in organizations of all types and sizes from all industries. Whether it is in the form of corruption, asset misappropriation or financial statement fraud, all organizations are susceptible to the threat of fraudulent acts being committed against them.
Recognizing this ever-present and growing threat, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated model for evaluating internal controls in May of 2013 (“the framework”). COSO identified seventeen guiding principles and matched them to the five governing components of its model internal control framework listed below:
- Control environment;
- Risk assessment;
- Control activities;
- Information and communication; and
- Monitoring activities.
One of the principles identified and matched to the “Risk Assessment” governing component is a company’s need to assess fraud risk. COSO’s identification of assessing fraud risk as a specific principle in its framework makes it clear that for any organization to comply with the framework, it needs to specifically consider fraud risk as part of any enterprise risk assessment it performs.
It’s Not Just About COSO
Even with COSO’s acknowledgement and articulation that the assessment of fraud risk is an integral piece of a model internal control framework, organizations should be inherently motivated from a financial perspective to consider and assess such risks. If a fraudulent act is committed against a company it can result in a significant economic loss especially if the duration of the fraud has been perpetrated for any extended duration. The occurrence of fraud is so impactful it is projected that the total global fraud losses suffered by organizations could approximate $4 trillion on an annual basis. Those total approximated global losses could equal as much as roughly 5 percent of an organization’s annual revenues.
Fraud Risk Assessments are Key
So how can organizations fight the threat of fraud and mitigate any potential fraud losses? One proactive anti-fraud approach organizations can implement is the use of fraud risk assessments, which is when an organization undertakes a self-review to identify and mitigate the areas of its business that are more susceptible to fraud risk. Organizations which execute a fraud risk assessment experience a reduction in both the dollar amount of fraud losses and the duration for which any potential fraud may occur. Organizations which execute fraud risk assessments experience both a 38 percent reduction in losses attributable to fraudulent acts, and a 50 percent reduction in the duration of any fraudulent acts perpetuated against the organization.
Below is some guidance and direction regarding how to conduct an effective fraud risk assessment:
1. Involve All Relevant Stakeholders Throughout the Organization: Organizations, in deciding who to include internally in the fraud risk assessment process, should be sure to include not only practitioners from traditional accounting and finance areas (such as internal audit and financial reporting) but also consider including practitioners from other organization practice areas, such as legal, compliance and human resources. The more variance in points of view, experiences and industry knowledge incorporated into the fraud risk assessment, the more comprehensive and useful the results of the assessment are likely to be to the organization. Points of emphasis which should be communicated to all stakeholders include:
- Background on the fraud risk assessment process;
- Explanation of why they were asked to participate in the fraud risk assessment process; and
- The goals the organization hopes to achieve with their participation in the fraud risk assessment process.
2. Brainstorm: The most critical aspect of the fraud risk assessment is obtaining feedback and opinions from all the organization stakeholders participating in the assessment. Stakeholders possess the most inherent knowledge regarding an organization and are in the best position to contribute meaningful insight into where any fraud risks exist. Stakeholders should be encouraged to voice all ideas regarding potential fraud risks regardless of how remote or unlikely they seem to be. It works best to obtain this feedback from stakeholders through interviews or live facilitated group sessions; but questionnaires, surveys and document reviews are other means by which information can be effectively gathered.
In collecting information from stakeholder participants, information should be collected on both entity-level controls down to the more detailed transaction levels. Relevant entity-level information to collect, assuming its available, would include such information as the following:
- Policies, such as those for gift and entertainment policies and anti-bribery, including any specific to other countries the business operates in;
- Employee training requirements and materials; and
- Compliance resources and monitoring initiatives.
More specific transaction level data and information to collect for relevant operating categories of the business would include the following:
- Travel and entertainment;
- Vendor selection, contracting, and payment;
- Charitable contributions;
- Agent and broker commissions; and
- Advertising, marketing, and promotion expenses.
3. Evaluate Results Using a Risk-Based Approach: The fraud risks identified from the information collection and brainstorm with organization stakeholders should be evaluated in the following key areas:
- Assess both their likelihood and potential financial impact on the organization;
- Assess whether the fraud risk can be mapped to an internal control which presently exists in the organization to remediate the risk; and
- Assess the effectiveness of any existing internal controls to remediate the identified fraud risks, including potentially performing any sample testing of these controls to assess their effectiveness.
Using the information collected and assessed in these key areas a comprehensive summary which risk ranks the fraud risks according to these factors should be created. The risk ranked summary allows an organization to prioritize its identified fraud risks and to focus on those most likely and potentially impactful to the organization.
4. Remediation: Remediation of identified fraud risks is the next step in the fraud risk assessment process. Priority in remediating any of these identified risks should be given to those fraud risks with the highest risk ranking. The remediation plan developed by the organization should be documented, detailed and include at least the following action steps:
- Description of how the organization intends to remediate the risk;
- The individuals in the organization responsible for executing the plan to remediate the risk; and
- The timeline for executing the plan to remediate the risk.
5. Forward Looking Proactive Monitoring: Once an organization completes the remediation of identified fraud risks, its work is not complete. Incorporating on-going, proactive monitoring as a component of its fraud risk management plan is a necessary action an organization needs to take to implement an effective plan. The proactive monitoring implemented by an organization should consist of internal controls which are designed to continuously test the areas of the business considered to be most susceptible to fraud risk with the objective of raising any red flags from these testing results to the designated individuals within the organization responsible for monitoring these risks. The continuous monitoring allows organizations to identify and investigate any potential fraud related issues earlier, thereby providing an organization the opportunity to remediate the risk and reduce fraud related losses.
Continuous Monitoring Ensures Continued Benefit
These guiding principles provide a framework and direction for the performance of a fraud risk assessment, but ultimately, they are just a guide and should be used to lay a foundation to a customized approach which is molded to the attributes and structure which best fits your organization. If an organization takes these steps and invests in the process to conduct an effective fraud risk assessment, the assessment will deliver results that will benefit the business regardless of the type, size or industry. To ensure continued benefits, fraud risk assessments should typically be performed on a periodic basis (annually or biennial) to capture the changing and emerging risks both inside and outside the organization. The business and the market in which it operates are constantly evolving and, as a result, the company’s fraud risk assessment needs to keep pace with these changes in order to deliver continued benefits to the business.