An Overview of Today’s Fraud Game
Copyright 2024 Jonathan T. Marks

Dedication

I’d like to extend my deepest thanks to our 立信 team, Didier Lavion and Evan Lieberman, my friends at the Association of Certified Fraud Examiners (ACFE), and everyone who participated in the Executive Roundtable yesterday. Your insights, experiences, and dedication to advancing our understanding of fraud risk management and organizational resilience inspired me to put this piece together. This article is a reflection of our shared commitment to fostering stronger governance, risk management, and compliance practices. Thank you for sparking the ideas that have brought this work to life.


The Risk of Fraud in Organizations

Fraud is a significant concern for organizations of all types—public corporations, private enterprises, and governmental bodies alike. A single instance of fraud can lead to substantial financial losses and lasting reputational damage. This writing highlights the importance of creating a fraud-resilient enterprise by integrating governance, risk management, and compliance (GRC) into a cohesive framework that safeguards against both internal and external threats.

The foundation of a strong fraud risk management program lies in good governance, which drives effective risk management. When governance and risk management are properly aligned, compliance naturally follows as a byproduct, rather than being an end goal. This proactive approach helps organizations avoid the pitfalls of a check-the-box compliance culture, where the focus is on meeting regulatory requirements rather than addressing real underlying risks. By fostering a culture of accountability and ethical behavior, organizations can move from mere compliance to achieving lasting resilience against fraud.

This writing reintroduces the concept of continuous monitoring, a critical tool for real-time detection and fraud prevention. By leveraging data analytics and automated systems, organizations can stay ahead of emerging risks, constantly validating the effectiveness of their internal controls. Furthermore, the role of the board and committees is emphasized, highlighting their fiduciary duty to provide oversight and financial support to ensure these fraud risk management strategies are fully implemented and effective.

Ultimately, the goal is to create a risk-resilient enterprise—one that anticipates, mitigates, and responds to evolving risks, whether internal or external. With strong governance, proactive risk management, and robust compliance, organizations can not only protect themselves from fraud but also foster a culture of integrity and responsiveness, positioning themselves for long-term success in an ever-changing risk environment.

Sample elements of a corporate governance framework: Developed by Jonathan T. Marks

Governance, Risk and Compliance

In the world of Governance, Risk, and Compliance (GRC), it’s critical to recognize that these three concepts are interconnected, forming a waterfall: good governance forms the foundation, ensuring there is a framework that establishes accountability, oversight, and ethical behavior. Thus, strong governance should drive an effective risk management process, identifying and mitigating risks. In turn, a well-implemented risk management framework should drive compliance. When governance and risk management are strong, compliance naturally follows as an outcome. In other words, compliance is not the goal, but the byproduct of a well-governed and risk-managed organization.

Moreover, focusing solely on compliance as the end goal can lead to several pitfalls for organizations, such as the creation of superficial controls that meet regulatory requirements but fail to address the underlying risks. When compliance is treated as a checklist, organizations can become reactive rather than proactive, leading to compliance fatigue among employees and a narrow focus on avoiding penalties instead of mitigating broader risks. Additionally, this approach can stifle innovation, as organizations may become overly risk-averse, fearing regulatory breaches rather than balancing necessary risk-taking with compliance.

Strong governance and risk management should be the true drivers of compliance. Governance sets the ethical tone and direction, fostering a culture of accountability, while risk management ensures that organizations are identifying and addressing both internal and external risks. When governance and risk management are integrated, they provide a holistic view of risks that go beyond mere regulatory compliance, aligning efforts with the organization’s strategic objectives. This approach ensures that compliance is not seen as a burden but rather as a byproduct of a well-governed, risk-aware organization.

Continuous monitoring further strengthens this alignment by enabling organizations to proactively track the effectiveness of their controls and stay ahead of emerging risks. By building a system where compliance follows naturally from ethical governance and informed risk management, organizations avoid the dangers of a checkbox culture and instead create sustainable compliance that supports resilience, adaptability, and long-term success.

The ultimate objective is to create a risk-resilient enterprise that can anticipate, mitigate, and respond to both internal and external risks - including fraud risks. This resilience ensures that the organization can effectively manage its operational risks while addressing broader external threats such as regulatory changes, market disruptions, emerging technologies, and potential reputational damage. A risk-resilient enterprise adapts swiftly to evolving threats and remains proactive rather than reactive, positioning itself to not only survive but thrive in an unpredictable environment.

Fraud Risk is Different

The Evaluation of Corporate Compliance Programs (ECCP) highlights that organizations should periodically assess the effectiveness of their compliance programs and whether their controls are functioning in practice. This assessment helps to prevent financial loss and minimize reputational damage.

However, it is imperative to note that while the ECCP stresses the importance of a general risk assessment, it is equally important to conduct a separate fraud risk assessment that specifically conforms to the COSO Fraud Risk Management Guide. Fraud risk is unique and requires dedicated attention. An organization cannot simply rely on a broad risk assessment to capture all the nuances and specificities of fraud. A targeted fraud risk assessment allows organizations to zero in on potential vulnerabilities related to fraud schemes, employee misconduct, or financial manipulation, ensuring these risks are addressed effectively.

Vulnerability to Fraud

Fraud occurs when certain conditions are present, and COSO expands upon the traditional understanding of fraud risk by introducing the Fraud Pentagon. This model highlights five critical factors that enable fraud to occur: pressure, opportunity, rationalization, competence, and arrogance.

The ECCP emphasizes the importance of conducting a thorough risk assessment to identify the specific risks facing the organization. The adequacy of the organization’s compliance program is tied to whether it addresses its unique risk profile and evolving threats, such as new and emerging technologies, which should be assessed for risks such as the misuse of artificial intelligence (AI).

As mentioned earlier, while an overall risk assessment is important, a separate fraud risk assessment is non-negotiable. This fraud-focused evaluation, as described in the COSO Fraud Risk Management Guide, allows an organization to assess the likelihood and impact of specific fraud schemes that might affect its operations. This targeted assessment ensures that internal controls are adequately designed to detect and prevent fraud-specific risks.

Additionally, developing a risk-resilient enterprise goes beyond traditional risk management. It means understanding both the internal control environment and the external landscape in which the organization operates. This includes assessing external risks such as geopolitical factors, changes in regulation, and potential threats from new technologies. Risk resilience requires an organization to have strategic foresight—to anticipate not only what could go wrong within the organization but also how external forces could impact its operations and governance structures.

How Fraud Occurs and Why

Fraud schemes can affect any organization, regardless of its mission or focus. Common schemes include embezzlement, ghost employees, fictitious vendor schemes, expense fraud, and outright theft of cash or assets. ECCP supports the importance of a risk-tailored compliance program, urging organizations to focus on high-risk areas like billing schemes, fictitious vendors, and other complex schemes.

Further, ECCP stresses the need for a robust third-party management process, as vendors or external partners can often be involved in fraud schemes. Organizations should maintain proper due diligence and ongoing monitoring of third-party relationships.

Warning Signs and Red Flags

Fraudulent behavior often leaves a trail of red flags that can indicate potential wrongdoing. By understanding and recognizing these red flags, organizations can identify fraud risks early and take corrective action. Some common red flags related to fraud schemes include:

1. Data

  • Transactions conducted at unusual times of day, on weekends, or during holidays.
  • Transactions that occur more frequently or less frequently than expected.
  • Accounts showing unusually large, round numbers, or transactions of suspiciously small size.
  • Transactions with questionable parties, including related parties or unrecognized vendors.

2. Documents

  • Missing or altered documents.
  • Evidence of backdated documents.
  • Missing or unavailable original copies.
  • Documents that conflict with one another or contain questionable or missing signatures.

3. Lack of Controls

  • Unwillingness by management to remediate control gaps.
  • Poor “tone from the top,” leading to a permissive culture.
  • Inconsistent or non-existent monitoring controls.
  • Inadequate segregation of duties.
  • Lax rules regarding transaction authorization.
  • Failure to reconcile accounts in a timely manner.

4. Behavioral Red Flags

  • Financial difficulties or living beyond one’s means.
  • Divorce, family issues, or addiction problems.
  • Past employment-related issues or legal problems.
  • Unusually close associations with vendors or recipients of services.
  • Refusal to take vacations or to share duties or information.
  • Complaints about inadequate pay or a lack of autonomy.
  • Irritability, defensiveness, or a controlling/bully attitude.

I recommend that these red flags be assessed as part of the risk assessment process, ensuring that organizations periodically review how their fraud detection controls perform in practice. This includes documenting investigative processes and ensuring proper escalation of red flags.
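The data red flags above (unusual timing, abnormal frequency, large round or suspiciously small amounts, unrecognized counterparties) are the kind of rules a continuous monitoring routine can apply to a payment ledger automatically. The following is an added illustration, not code from the article or its author; the vendor master, holiday list, per-vendor monthly baseline, thresholds and payment log are all constructed sample values.

```python
from datetime import datetime
from collections import Counter

# Constructed reference data (not from the article): approved-vendor master,
# recognised holidays, expected payments per vendor per month, and thresholds.
APPROVED_VENDORS = {"Acme Supply", "Northwind Logistics", "Blue Sky Consulting"}
HOLIDAYS = {"2024-07-04", "2024-12-25"}
EXPECTED_MONTHLY_COUNT = {"Acme Supply": 2, "Northwind Logistics": 2, "Blue Sky Consulting": 1}
BUSINESS_HOURS = (7, 19)      # 07:00 to 19:00 local time counts as a normal posting window
LARGE_ROUND = 10_000          # amounts at or above this that end in 000 are "large, round"
SUSPICIOUSLY_SMALL = 10       # amounts under this are flagged as suspiciously small

# Constructed payment log for one month; comments note the planted anomalies.
PAYMENTS = [
    {"id": "P1", "vendor": "Acme Supply", "amount": 1_250.40, "ts": "2024-07-09 10:15"},
    {"id": "P2", "vendor": "Acme Supply", "amount": 980.00, "ts": "2024-07-12 14:02"},
    {"id": "P3", "vendor": "Acme Supply", "amount": 2_300.10, "ts": "2024-07-16 09:40"},
    {"id": "P4", "vendor": "Acme Supply", "amount": 410.00, "ts": "2024-07-22 11:05"},
    {"id": "P5", "vendor": "Acme Supply", "amount": 5_100.00, "ts": "2024-07-23 15:30"},
    {"id": "P10", "vendor": "Northwind Logistics", "amount": 3_420.18, "ts": "2024-07-04 09:00"},   # holiday
    {"id": "P11", "vendor": "Northwind Logistics", "amount": 50_000.00, "ts": "2024-07-13 23:47"},  # Saturday night, round
    {"id": "P12", "vendor": "Rapid Ventures LLC", "amount": 9.99, "ts": "2024-07-18 10:30"},         # unknown vendor, tiny
]

def transaction_flags(p):
    """Red flags visible on a single payment: timing, amount and counterparty."""
    flags = []
    ts = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M")
    if ts.weekday() >= 5:                                  # Saturday or Sunday
        flags.append("weekend")
    if ts.strftime("%Y-%m-%d") in HOLIDAYS:
        flags.append("holiday")
    if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
        flags.append("outside_business_hours")
    amt = p["amount"]
    if amt >= LARGE_ROUND and amt % 1_000 == 0:
        flags.append("large_round_amount")
    if amt < SUSPICIOUSLY_SMALL:
        flags.append("suspiciously_small_amount")
    if p["vendor"] not in APPROVED_VENDORS:
        flags.append("unrecognised_vendor")
    return flags

def frequency_flags(payments):
    """Red flags visible only across the population: vendors paid more than
    twice, or less than half, as often as their monthly baseline."""
    counts = Counter(p["vendor"] for p in payments)
    flags = {}
    for vendor, expected in EXPECTED_MONTHLY_COUNT.items():
        actual = counts.get(vendor, 0)
        if actual > 2 * expected:
            flags[vendor] = "more_frequent_than_expected"
        elif actual < expected / 2:
            flags[vendor] = "less_frequent_than_expected"
    return flags

def screen(payments):
    """Return {payment id: [flags]} for every payment carrying at least one red flag."""
    return {p["id"]: f for p in payments if (f := transaction_flags(p))}
```

Running `screen(PAYMENTS)` surfaces the holiday, weekend-night round-amount and unknown-vendor payments, while `frequency_flags(PAYMENTS)` separately catches a vendor paid far more often than its baseline and one that was unexpectedly not paid at all; each hit is a lead for review and escalation, not a finding of fraud by itself.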

The Role of Internal Controls in Preventing Fraud

Internal controls are vital for detecting and preventing fraud. However, as COSO notes, internal controls only provide reasonable assurance, not absolute protection against fraud. Effective fraud risk management requires a combination of preventive controls (such as segregation of duties and authorization procedures) and detective controls (such as audits, reviews, and monitoring).

The ECCP recommends that compliance programs incorporate periodic control testing to ensure that internal controls remain effective. Additionally, the tone from the top, as noted in both COSO and ECCP, is critical in fostering an ethical environment where employees feel empowered to report issues.

The Importance of Continuous Monitoring

One key concept emphasized in the ECCP is continuous monitoring. Continuous monitoring refers to the ongoing review and analysis of internal control processes to ensure they are functioning as intended. This process allows organizations to identify risks in real time, ensuring that any issues are caught early, well before they can lead to more significant problems.

Continuous monitoring is a proactive approach to fraud detection. Instead of relying solely on periodic audits or after-the-fact reviews, continuous monitoring uses data analytics, automated systems, and regular review processes to provide constant oversight. The purpose of continuous monitoring is to:

  • Identify anomalies as they occur.
  • Respond quickly to emerging risks.
  • Ensure that internal controls are continuously adapting to changes in the organization’s risk profile.

By implementing continuous monitoring, organizations can stay ahead of fraud risks, constantly validating the effectiveness of their control environments. The ECCP notes that this process should be part of an organization’s broader compliance and risk management strategy, ensuring that monitoring and detection efforts evolve with changing technologies, regulations, and fraud schemes.

For a truly risk-resilient enterprise, continuous monitoring becomes a critical tool, ensuring that internal risks are being detected and addressed immediately. It also plays a key role in helping organizations respond to external threats, such as changes in regulations or shifts in industry practices, by continuously assessing and adjusting internal controls.

How Fraud Schemes are Detected

Fraud can be difficult to detect, as fraudsters often go to great lengths to conceal their actions. The most common method of detecting fraud is through tips. COSO highlights the importance of having clear reporting channels, such as a whistleblower hotline, where employees or external parties can report suspicious activity anonymously and without fear of retaliation.

According to the ECCP, organizations must ensure that they have confidential reporting mechanisms that are well-publicized and trusted by employees. Moreover, the ECCP emphasizes the importance of tracking reports and investigating thoroughly. Organizations should analyze patterns in reports and continuously monitor the effectiveness of reporting mechanisms.

With continuous monitoring, organizations also gain an additional layer of fraud detection. Real-time data analysis can alert management to unusual patterns or transactions that might indicate fraud. This continuous review process is particularly useful in high-risk areas like cash flow management, vendor relationships, and employee expenses.

Anti-Fraud Principles for Organizations

To effectively manage fraud risk, COSO recommends that organizations adopt the following principles:

Establish an empowered audit committee

The audit committee should be independent from management and authorized to hire external counsel when necessary. The committee should oversee the fraud risk management process and ensure that management is held accountable for implementing controls and monitoring fraud risks.

ECCP highlights that the audit committee must also engage in periodic review of high-risk areas and ensure that lessons learned from prior issues are incorporated into the organization’s ongoing risk assessments.

Implement a system of effective controls

Controls should be tailored to address specific fraud risks. Preventive measures, such as segregation of duties and authorization limits, should be combined with detective measures, such as transaction monitoring and internal audits.

The ECCP emphasizes that organizations should continuously update their risk assessment processes, incorporating new risks such as the use of AI and other emerging technologies.

Furthermore, the integration of continuous monitoring into this system ensures that controls are functioning as intended and adapting to new risks in real time. Continuous monitoring adds a layer of agility to the organization’s ability to respond to internal and external threats. By continuously assessing risk data, organizations can make real-time decisions, quickly adjusting their control mechanisms to maintain resilience.

A Combination of Deterrence, Detection, and Risk Resilience

Fraud risk management is about balancing deterrence, detection, and ultimately building a risk-resilient enterprise. While no organization can completely eliminate the risk of fraud, it can take steps to minimize that risk. By establishing an environment of ethical behavior, closing gaps in internal controls, and developing a robust fraud detection and response program, organizations can significantly reduce the likelihood and impact of fraud.

A risk-resilient enterprise is not just one that can respond to fraud after it occurs but one that actively anticipates risks, both internal and external. This resilience involves a forward-looking approach that uses continuous monitoring, evolving risk assessments, and strategic foresight to stay ahead of emerging fraud threats, regulatory changes, and external disruptions.

The ECCP also highlights that continuous improvement of the compliance program is essential. Organizations should periodically review their fraud prevention efforts, test controls, and ensure that their compliance programs are adapting to the ever-changing risk environment. Data analytics can be leveraged to measure the effectiveness of fraud controls and to identify potential weaknesses before fraud occurs.

By building resilience through continuous monitoring, strong governance, and a culture of integrity, organizations can ensure that they are equipped to withstand the evolving landscape of fraud and other external risks. With this strategy, fraud deterrence and detection become part of a broader framework that enhances the organization’s ability to thrive in a volatile and complex environment.

Summary

As you work to build a risk-resilient enterprise, understand that this doesn’t happen overnight. Everyone is on their own timeline—it’s an evolutionary process, not a revolutionary one. Achieving this resilience requires patience, continuous effort, and, most importantly, the right resources to support your objectives. Continuous monitoring must be woven into your framework, enabling real-time detection and stronger fraud prevention.

It’s also crucial for the board and committees to recognize their role in providing oversight, which is central to their fiduciary duty. This includes the duty of care, ensuring they fully understand these risk management strategies and support them. And support isn’t just talk—it means providing the financial resources necessary to put these strategies into action. Governance, risk management, and compliance (GRC) isn’t about ticking boxes; it’s about ensuring your organization stays resilient in an ever-changing risk landscape. With the right strategies and resources in place, you’ll not only protect your organization from fraud but also foster a culture of integrity and responsiveness that is essential for long-term success.

I look forward to your thoughts and comments.

Best!

Jonathan Marks
