Fraud Risk Assessment:  Common Pitfalls
Copyright Jonathan T. Marks 2023

Background

Risk assessments are part of the discipline of risk management, where enhanced frameworks and techniques have emerged. Risk management comprises the identification, assessment, and prioritization of risks, followed by the coordinated and efficient use of resources to monitor, minimize, and otherwise control the organization's risks.

Risks arise in many forms, including uncertainty in financial markets, operational failures, natural disasters, political unrest, and pandemics, and they can cause legal liabilities and reputational harm.

Why Conduct a Fraud Risk Assessment? A Deeper Dive

Conducting a fraud risk assessment is of utmost importance for most organizations, as it enables the proactive identification of both external and internal threats that can have a substantial impact on a company's reputation, subject it to criminal or civil legal responsibility, or put its assets in danger. Through the implementation of a fraud risk assessment, firms can gain insight into their comprehensive risk landscape and lay the groundwork for a robust fraud risk management initiative.

Additionally, a fraud risk assessment aids in the company's compliance with industry-specific legislation and standards, such as anti-money laundering (AML) requirements, data protection regulations, or healthcare compliance standards.

Furthermore, a properly executed evaluation of fraud risk is a crucial component for upholding sound corporate governance.

  • Fraud is a significant business risk (financial, reputational, and moral).
  • Every organization has inherent fraud risks arising from internal and external conditions.
  • Fraud risk assessment helps to identify and manage these risks.
  • The assessment helps identify and prioritize fraud risks inherent to the business.
  • Fraud risk assessment is an essential component of the Committee of Sponsoring Organizations (COSO) integrated antifraud programs and controls framework.
  • Fraud risk assessment helps reduce the residual risk of fraud.

Here are some general protocol issues relating to risk assessments.

Understand the difference between Inherent and Residual Risk

An Example:

  • ABC conducts thousands of credit card transactions and therefore “inherently” faces a high likelihood of lost or misappropriated credit card data. This is not because its controls are good or bad, but because it inherently handles a high daily transactional volume of this data.
  • As a counter-example to the above, XYZ only collects cash as payment, thus carries a low “inherent” likelihood of credit card data security risk. They don’t receive this kind of data, so they can’t take this kind of risk.
  • ABC has cutting-edge encryption technology, highly sophisticated firewall protections, and tightly administered manual controls around credit card transactions and data maintenance to ensure that the likelihood of this risk happening is greatly minimized.

Therefore, ABC believes their “residual” risk is low.

Inherent risk is the risk that exists in an environment without the benefit of controls. In other words, what is the risk that an event or activity could materially impact the company if management did not have activities in place to manage the risk?

Understand Risk Factors

  • Fraud Risk Factors are those events or conditions that indicate incentives or pressures to perpetrate fraud, opportunities to carry out the fraud, attitudes or rationalizations to justify a fraudulent action, the arrogance to not care, and/or the competence to socially control the situation.
  • Fraud Risk Factors do not necessarily indicate the existence of fraud; however, they are often present in circumstances where fraud exists.

Does the Risk Assessment Take into Account One or More of the Following Areas?

  • Code of conduct?
  • Other risk assessments?
  • Historical and ethical violations and their root causes?
  • Investigation results?
  • Reporting systems and trends?
  • Organizational culture: differences and perceptions?
  • External environment (e.g., the economy, political unrest, corruption perception index, sanctions, etc.)?
  • Internal Policies/Procedures?
  • Employee awareness of standards?
  • Propensity to engage in wrongdoing?
  • Tone and conduct from the Top?
  • Tone from the Middle?
  • Training and communication?
  • Vendor/third-party agent compliance?
  • SEC/DOJ/other enforcement trends?
  • Industry trends?
  • Hiring/background check systems?
  • Disciplinary Systems?
  • Feedback from others?
  • Information gathered from exit interviews?

Next is a list of questions that a prosecutor might ask and that would require you to defend your risk assessment.

  • What resources were appropriated?
  • How do I know the risk assessment was objective?
  • Were risks in the C-suite and boardroom addressed?
  • How was risk examined at the vendor/agent level?
  • If the raw work product was not retained, does the final report provide sufficient detail on methodology?
  • Was culture and attitude evaluated (tone and conduct from the top)?
  • Was knowledge assessed?
  • Was anyone terminated or disciplined as a result of the risk assessment?
  • Who among the governing authorities of the corporation received the final report or was briefed on the outcome?
  • How were the risk assessment outcomes used?

The following list contains some of the common pitfalls I have seen in risk assessments and the overall process.

  • Carrying forward old assumptions and ratings.
  • Risk ratings are not harmonized.
  • Believing people are honest in brainstorming sessions.
  • Ignoring the human element.
  • Expectations (unclear, undefined, unrealistic).
  • Unrealistic deadlines.
  • Lack of resources.
  • There is no true ownership.
  • Poor coordination.
  • Lack of objectivity and credibility.
  • Qualitative skew.
  • Narrow and deep vs. shallow and wide.
  • Document availability (e.g., policies).
  • Too much focus is placed on the perceived “priority” risks.
  • Lack of follow-through.
  • One-time event: "Set it and forget it."
  • Failure to communicate the actual results.

If you have a common pitfall that is not included above, send it to me, and I will add it to the list.

Be safe and stay well,

Jonathan
