Fraud Risk Management

Fraud, by definition, is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

Fraud and financial misconduct are an unpleasant reality in today's global marketplace. Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe. Reactions to recent corporate scandals have led the public and stakeholders to expect organizations to take a “no fraud tolerance” attitude.

Good governance principles demand that an organization’s board of directors, or equivalent oversight body, ensure overall high ethical behavior in the organization, regardless of its status as public, private, government, or not-for-profit; its relative size; or its industry. The board’s role is critically important because historically most major frauds are perpetrated by senior management in collusion with other employees. Vigilant handling of fraud cases within an organization sends clear signals to the public, stakeholders, and regulators about the board and management’s attitude toward fraud risks and about the organization’s fraud risk tolerance.

In addition to the board, personnel at all levels of the organization, including every level of management, staff, and internal auditors, as well as the organization’s external auditors, have responsibility for dealing with fraud risk. In particular, they are expected to explain how the organization is responding to heightened regulations, as well as public and stakeholder scrutiny; what form of fraud risk management program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what process is in place to investigate fraud and take corrective action.

Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

Principle 1

As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Principle 2

Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3

Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4

Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5

A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

Fraud Risk Governance

Organization stakeholders have clearly raised expectations for ethical organizational behavior. Meanwhile, regulators worldwide have increased criminal penalties that can be levied against organizations and individuals who participate in committing fraud. Organizations should respond to such expectations. Effective governance processes are the foundation of fraud risk management. Lack of effective corporate governance seriously undermines any fraud risk management program. The organization’s overall tone at the top sets the standard regarding its tolerance of fraud.

The board of directors should ensure that its own governance practices set the tone for fraud risk management and that management implements policies that encourage ethical behavior, including processes for employees, customers, vendors, and other third parties to report instances where those standards are not met. The board should also monitor the organization’s fraud risk management effectiveness, which should be a regular item on its agenda. To this end, the board should appoint one executive level member of management to be responsible for coordinating fraud risk management and reporting to the board on the topic.

While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:

  • Roles and responsibilities.
  • Commitment.
  • Fraud awareness.
  • Affirmation process.
  • Conflict disclosure.
  • Fraud risk assessment.
  • Reporting procedures and whistleblower protection.
  • Investigation process.
  • Corrective action.
  • Quality assurance.
  • Continuous monitoring.

Fraud Risk Assessment

To protect itself and its stakeholders effectively and efficiently from fraud, an organization should understand fraud risk and the specific risks that directly or indirectly apply to the organization. A structured fraud risk assessment, tailored to the organization’s size, complexity, industry, and goals, should be performed and updated periodically. The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response.

An effective fraud risk identification process includes an assessment of the incentives, pressures, and opportunities to commit fraud. Employee incentive programs and the metrics on which they are based can provide a map to where fraud is most likely to occur. Fraud risk assessment should consider the potential override of controls by management as well as areas where controls are weak or there is a lack of segregation of duties.

The speed, functionality, and accessibility that created the enormous benefits of the information age have also increased an organization’s exposure to fraud. Therefore, any fraud risk assessment should consider access and override of system controls as well as internal and external threats to data integrity, system security, and theft of financial and sensitive business information.

Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s financial reporting, operations, and reputation, as well as legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk.

Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices and controls to mitigate the risk, by accepting the risk but monitoring actual exposure, or by designing ongoing or specific fraud evaluation procedures to deal with individual fraud risks. An organization should strive for a structured approach rather than a haphazard one. The benefit an implemented fraud risk management program provides should exceed its cost. Management and board members should ensure the organization has the appropriate control mix in place, recognizing their oversight duties and responsibilities in terms of the organization’s sustainability and their role as fiduciaries to stakeholders, depending on organizational form. Management is responsible for developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently by competent and objective individuals.

Fraud Prevention and Detection

Fraud prevention and detection are related, but they are not the same concept. Prevention encompasses policies, procedures, training, and communication that stop fraud from occurring, whereas detection focuses on activities and techniques that promptly recognize whether fraud has occurred or is occurring.

While prevention techniques do not ensure fraud will not be committed, they are the first line of defense in minimizing fraud risk. One key to prevention is promoting from the board down throughout the organization an awareness of the fraud risk management program, including the types of fraud that may occur.

One of the strongest fraud deterrents is the awareness that effective detective controls are in place. Combined with preventive controls, detective controls enhance the effectiveness of a fraud risk management program by demonstrating that preventive controls are working as intended and by identifying fraud if it does occur. Although detective controls may provide evidence that fraud has occurred or is occurring, they are not intended to prevent fraud.

Every organization is susceptible to fraud, but not all fraud can be prevented, nor is it cost-effective to try. An organization may determine it is more cost-effective to design its controls to detect, rather than prevent, certain fraud schemes. It is important that organizations consider both fraud prevention and fraud detection.

Investigation and Corrective Action

No system of internal control can provide absolute assurance against fraud. As a result, the board should ensure the organization develops a system for prompt, competent, and confidential review, investigation, and resolution of instances of noncompliance and allegations involving potential fraud. The board should also define its own role in the investigation process. An organization can improve its chances of loss recovery, while minimizing exposure to litigation and damage to reputation, by establishing and preplanning investigation and corrective action processes.

The board and the organization should establish a process to evaluate allegations. Individuals assigned to investigations should have the necessary authority and skills to evaluate the allegation and determine the appropriate course of action. The process should include a tracking or case management system where all allegations of fraud are logged. Clearly, the board should be actively involved with respect to allegations involving senior management.

If further investigation is deemed appropriate as the next course of action, the board should ensure that the organization has an appropriate and effective process to investigate cases and maintain confidentiality. A consistent process for conducting investigations can help the organization mitigate losses and manage risk associated with the investigation. In accordance with policies approved by the board, the investigation team should report its findings to the appropriate party, such as senior management, directors, legal counsel, and oversight bodies. Public disclosure may also need to be made to law enforcement, regulatory bodies, investors, shareholders, the media, or others.

If certain actions are required before the investigation is complete to preserve evidence, maintain confidence, or mitigate losses, those responsible for such decisions should ensure there is sufficient basis for those actions. When access to computerized information is required, specialists trained in computer file preservation should be used. Actions taken should be appropriate under the circumstances, applied consistently to all levels of employees (including senior management), and taken only after consultation with human resources (HR) and individuals responsible for such decisions.

Consulting legal counsel is also strongly recommended before undertaking an investigation and is critical before taking disciplinary, civil, or criminal action. As a matter of good governance, management and the board should ensure that the foregoing measures are in place.

Concluding Remarks

A proactive approach to managing fraud risk is one of the best steps organizations can take to mitigate exposure to fraudulent activities. Although complete elimination of all fraud risk is most likely unachievable or uneconomical, organizations can take positive and constructive steps to reduce their exposure. The combination of effective fraud risk governance, a thorough fraud risk assessment, strong fraud prevention and detection (including specific anti-fraud control processes), as well as coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks.

Although fraud is not a subject that any organization wants to deal with, the reality is most organizations experience fraud to some degree. The important thing to note is that dealing with fraud can be constructive, and forward-thinking, and can position an organization in a leadership role within its industry or business segment. Strong, effective, and well-run organizations exist because management takes proactive steps to anticipate issues before they occur and to take action to prevent undesired results. Implementation of this guide should help establish a climate where positive and constructive steps are taken to protect employees and ensure a positive culture. It should be recognized that the dynamics of any organization require an ongoing reassessment of fraud exposures and responses in light of the changing environment the organization encounters.


Mark Williams

Insurance Law Specialist | Public Liability | Professional Indemnity | Life Insurance | Defamation Lawyer

6 years

A well-developed article, I enjoyed that fraud risk management explanation!
