Preventing and Detecting Fraud

What Type of Risk Is Fraud?

There is no universally correct way of including fraud within a risk classification system. Some organizations categorize fraud as a compliance risk, while others consider it a financial risk or an operational risk. There is one universally incorrect approach, however: completely omitting the risk of fraud from the organization’s risk management process. Unfortunately, many risk management professionals tend to underestimate the role of fraud in – or even exclude fraud risks from – the scope of their professional duties.

Fraud Risk Management

As management teams increase their focus on risk, they should take the opportunity to consider, enact, and improve measures to detect, deter, and prevent fraud. This comprehensive approach – looking at fraud from a holistic perspective that includes proactive measures to assess the risk and address it before, during, and after it occurs – is embodied in the concept of fraud risk management. It’s the natural evolution from fragmented programs that have focused on reacting to discovered incidents and ad hoc prevention programs based on past frauds.

The Fraud Risk Management Guide, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in collaboration with the Association of Certified Fraud Examiners (ACFE), describes fraud risk management as a process that involves five overarching principles:

  1. Establish a fraud risk management policy as part of organizational governance.
  2. Perform a comprehensive fraud risk assessment.
  3. Select, develop, and deploy preventive and detective fraud control activities.
  4. Establish a fraud reporting process and coordinated approach to investigation and corrective action.
  5. Monitor the fraud risk management process, report results, and improve the process.

When taken together, these five principles form a comprehensive framework for managing an organization’s fraud risks.

Fraud and Internal Controls

As noted in the third principle in the COSO-ACFE fraud risk management framework outlined earlier, a significant part of an effective anti-fraud program is a system of internal control activities designed and implemented specifically to address the organization’s fraud risks.

One of the most comprehensive definitions of internal control is found in the COSO Internal Control – Integrated Framework:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

According to this definition, the design of internal controls should be to assist management in meeting the following three categories of objectives:

  1. Operations objectives, which pertain to the effectiveness and efficiency of the organization’s operations
  2. Reporting objectives, which pertain to the reporting of financial and nonfinancial information to internal and external parties
  3. Compliance objectives, which pertain to the organization’s adherence to applicable laws and regulations

Fraud risk can affect each of these categories of objectives. Thus, an effective system of internal controls can and should greatly reduce an organization’s vulnerability to fraud. No system of internal controls can fully eliminate the risk of fraud, but well-designed and effective internal controls can deter the average fraudster by reducing the opportunity to commit fraud.

Preventive versus Detective Controls

There are two main types of internal controls: preventive controls and detective controls. When designing internal controls, both types are needed in any organization since they attack errors and fraud from different perspectives.

Preventive controls are manual or automated processes, systems, policies, and procedures that are designed to prevent fraud before it occurs. Examples of these controls include:

  • Employee fraud awareness training
  • Background checks on employees (where permitted by law)
  • Hiring policies and procedures
  • Segregation of duties
  • Dual authorization on transactions
  • Security measures to limit access to physical assets or company data

Detective controls are designed and implemented to identify fraud that is occurring.

Examples of detective controls include:

  • A confidential reporting system, such as a whistle-blower helpline
  • Independent account reconciliations, process reviews, and physical inspections and counts
  • Data analysis and continuous monitoring techniques
  • Surprise audits
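As an added illustration (not code from the original article), the following Python snippet applies two of the preventive controls listed above, segregation of duties and dual authorization, as a gate before a journal entry is posted, and then runs the same rules as a detective control over already-posted entries, together with a near-threshold analytic of the kind used in continuous monitoring. The journal entries, the approval threshold and the field names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of posted journal entries (not real data): who created the
# entry, who approved it (None = nobody), and the amount.
ENTRIES = [
    {"id": "JE-1", "created_by": "alice", "approved_by": "bob", "amount": 4800},
    {"id": "JE-2", "created_by": "carol", "approved_by": "carol", "amount": 12000},
    {"id": "JE-3", "created_by": "dave", "approved_by": None, "amount": 25000},
    {"id": "JE-4", "created_by": "erin", "approved_by": "frank", "amount": 9900},
    {"id": "JE-5", "created_by": "erin", "approved_by": "frank", "amount": 9950},
    {"id": "JE-6", "created_by": "erin", "approved_by": "frank", "amount": 9800},
]

DUAL_AUTH_THRESHOLD = 10000  # assumed policy value: amounts at/above need a 2nd approver


def authorization_violation(entry, approver, threshold=DUAL_AUTH_THRESHOLD):
    """Preventive control, evaluated before an entry is posted.

    Returns the reason the posting must be rejected, or None if it may proceed.
    Segregation of duties: the creator may not approve their own entry.
    Dual authorization: large entries need a second, distinct approver.
    """
    if approver is not None and approver == entry["created_by"]:
        return "creator cannot approve own entry"
    if entry["amount"] >= threshold and approver is None:
        return "second authorization required"
    return None


def scan(entries, threshold=DUAL_AUTH_THRESHOLD, band=0.05, split_count=3):
    """Detective control, run over entries that were already posted.

    Flags self-approval, missing dual authorization, and one creator posting
    several entries just under the threshold, a pattern worth a reviewer's
    attention because it can indicate the dual-authorization rule is being avoided.
    """
    findings = []
    near_threshold = defaultdict(list)
    for e in entries:
        if e["approved_by"] is not None and e["approved_by"] == e["created_by"]:
            findings.append((e["id"], "self-approval"))
        if e["amount"] >= threshold and e["approved_by"] is None:
            findings.append((e["id"], "missing dual authorization"))
        if threshold * (1 - band) <= e["amount"] < threshold:
            near_threshold[e["created_by"]].append(e["id"])
    for user, ids in near_threshold.items():
        if len(ids) >= split_count:
            findings.append((",".join(ids), f"possible split transactions by {user}"))
    return findings
```

The preventive gate stops a violating entry at posting time; the detective scan exists because a control that is bypassed or misconfigured leaves no trace in the gate, only in the posted data.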

Suresh Kumar

CA, CMA, FAFD & MBA. Presently Heading-Internal Audit, Risk & Control and IMS at Egis group in India # JITF Infralogistics # Jaypee # HCL Infosystems # Internal Audit # Risk & controls # Fraud investigation #IMS

2 years

Do you have a fraud prevention and detection framework? If so, please share it.

Perry Owie, FCA, CIA
