Stay Vigilant in Fraud Risk Management – Beyond Compliance
ABA 2025


“Fraud risk management isn’t just about logic—it’s about experience. While data, controls, and frameworks provide structure, real deterrence comes from understanding the nuances of human behavior, business pressures, and the ways fraud occurs. That’s where expertise matters. My role, and BDO’s role, isn’t just to apply best practices but to draw from deep, real-world experience—learning from past cases, anticipating emerging threats, and guiding organizations beyond theoretical compliance to real risk mitigation.” Jonathan T. Marks

Engaging with fellow professionals at the 40th White Collar Crime Institute in Miami, and hearing the remarks of Associate Justice Ketanji Brown Jackson, reinforced a critical insight: in my personal opinion, effective fraud risk management cannot rely solely on regulatory mandates. Regulations provide a framework, but they often lag behind emerging threats. Proactive measures, such as cultivating a culture of integrity, conducting regular risk assessments, and implementing robust internal controls, are essential to stay ahead of potential fraudsters.

Fraud Doesn’t Pause with Regulations

Fraud doesn’t pause just because regulations do. Staying vigilant in fraud risk management is essential, regardless of government mandates. Even if compliance rules loosen or enforcement is put on pause, organizations cannot afford to drop their guard. Bad actors are always watching for gaps, ready to exploit any weakness or lapse in oversight. In today’s environment, fraud risk may be higher than ever, driven by economic pressures and the new opportunities that emerging situations create.

Bad Actors Thrive on Opportunity

Fraudsters often thrive when they see opportunity, and challenging times create more opportunities for misconduct. Recent trends underscore this point: for example, during the COVID-19 pandemic, fraud spiked, and with a potential recession on the horizon, fraud risk could worsen—fraud is often a crime of opportunity, exacerbated by the economic climate. In other words, when the environment is tough (e.g., economic downturns, rapid change, or reduced oversight), the temptation and chances to commit fraud multiply.

No organization is immune. Complacency is dangerous—assuming that strict laws or periodic audits will catch wrongdoing can lead to blind spots. When external auditors or regulators uncover a scheme, the damage is usually already done. Management should avoid complacency and not assume that if fraud occurs, ‘the auditors will catch it.’ An annual audit is a good and sometimes necessary exercise, but if it finds fraud, it’s usually too late to prevent financial and reputational damage. Simply put, bad actors move faster than bureaucracy. They will seize any chance if they believe no one is watching closely.


[Figure: Advance Meta-Model of Fraud - Fraud Pentagon is Trademarked]

The Fraud Pentagon: Opportunity’s Critical Role

One concept that illustrates why vigilance matters is the Fraud Pentagon, a model I created to expand upon the classic fraud triangle (pressure, opportunity, rationalization) by adding two human factors—competence and arrogance. This expanded model reminds us that fraud is not just about circumstances but also about the fraudster’s mindset and abilities. Crucially, opportunity remains at the heart of fraud risk. If would-be fraudsters perceive an opening—weak oversight, poor controls, or a distracted organization—they’re far more likely to act.

“Opportunity: weak controls provide the opportunity for a person to commit fraud.”

In the Fraud Pentagon, opportunity is the one element we can directly control by strengthening our internal defenses. People who are competent and arrogant enough to commit fraud will look for any chance where controls are weak or absent. Eliminating those opportunities through strong internal controls, active oversight, and a culture of accountability is therefore one of the most powerful ways to deter fraud. We can’t always change a person’s pressure or motivation, but we can tighten the environment around them so that even a motivated bad actor has no easy way to commit or conceal wrongdoing.


[Figure: Significant Enemies of Internal Controls - Copyright Jonathan T. Marks 2025]

Strengthen Internal Controls and Risk Frameworks

Given the above, organizations should double down on internal controls and robust fraud risk management frameworks—regardless of what any regulator requires. Internal controls are our first line of defense. They limit opportunities to commit fraud and can even discourage all but the most determined (or most arrogant) fraudsters. Common control measures like segregation of duties, approval checks, access restrictions, and monitoring mechanisms create hurdles that make fraud more difficult. Importantly, studies have shown that organizations with a strong array of anti-fraud controls suffer lower losses and quicker fraud detection than those without such controls. In short, controls cut down the “fraud window” of opportunity.
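To make the "monitoring mechanism" concrete, here is an added example (not from the article, and not BDO's or the author's tooling) of the kind of automated check that enforces segregation of duties and approval rules over a payment event log. The action names, the conflicting-duty pairs, the dual-approval threshold and the sample log are all assumptions constructed for illustration; a real deployment would read the events from the ERP or payment system's audit trail.

```python
# Added example (not from the article): a segregation-of-duties (SoD) and
# approval-check monitor run over a constructed payment event log. Action
# names, conflicting-duty pairs and the dual-approval threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    payment_id: str
    user: str
    action: str      # assumed vocabulary: create_vendor | enter_invoice | approve | release
    amount: float


@dataclass(frozen=True)
class Finding:
    payment_id: str
    kind: str
    user: str
    detail: str


# Duty pairs one person must never perform on the same payment (assumed policy).
# A tuple rather than a set keeps the order of findings deterministic.
CONFLICTING_DUTIES = (
    frozenset({"create_vendor", "approve"}),
    frozenset({"enter_invoice", "approve"}),
    frozenset({"approve", "release"}),
)
DUAL_APPROVAL_THRESHOLD = 10_000.0  # assumed policy: two approvers at or above this amount


def run_monitor(events):
    """Return SoD conflicts, releases that had no approval at all, and large
    releases that carried only a single approval."""
    by_payment = defaultdict(list)
    for e in events:
        by_payment[e.payment_id].append(e)

    findings = []
    for pid, evs in sorted(by_payment.items()):
        # Which actions did each user perform on this payment?
        actions_by_user = defaultdict(set)
        for e in evs:
            actions_by_user[e.user].add(e.action)

        # Check 1: the same person held two conflicting duties.
        for user, actions in actions_by_user.items():
            for pair in CONFLICTING_DUTIES:
                if pair <= actions:
                    findings.append(Finding(pid, "sod_conflict", user, "+".join(sorted(pair))))

        # Check 2 and 3: every release must be approved; large ones need two approvers.
        approvers = {e.user for e in evs if e.action == "approve"}
        for rel in (e for e in evs if e.action == "release"):
            if not approvers:
                findings.append(Finding(pid, "release_without_approval", rel.user, f"{rel.amount:.2f}"))
            elif rel.amount >= DUAL_APPROVAL_THRESHOLD and len(approvers) < 2:
                findings.append(Finding(pid, "missing_dual_approval", rel.user,
                                        f"{rel.amount:.2f} approved only by {next(iter(approvers))}"))
    return findings


# Constructed sample log (not real data). P-1001 is clean; the others each
# violate one of the controls above.
SAMPLE_EVENTS = [
    Event("P-1001", "alice", "create_vendor", 4500.0),
    Event("P-1001", "bob", "enter_invoice", 4500.0),
    Event("P-1001", "carol", "approve", 4500.0),
    Event("P-1001", "dave", "release", 4500.0),
    Event("P-1002", "bob", "enter_invoice", 7200.0),
    Event("P-1002", "bob", "approve", 7200.0),        # bob approves his own invoice
    Event("P-1002", "dave", "release", 7200.0),
    Event("P-1003", "alice", "create_vendor", 25000.0),
    Event("P-1003", "bob", "enter_invoice", 25000.0),
    Event("P-1003", "carol", "approve", 25000.0),
    Event("P-1003", "carol", "release", 25000.0),     # approver also releases; only one approver
    Event("P-1004", "bob", "enter_invoice", 3000.0),
    Event("P-1004", "dave", "release", 3000.0),        # released with no approval at all
]

if __name__ == "__main__":
    for f in run_monitor(SAMPLE_EVENTS):
        print(f"{f.payment_id} {f.kind:<25} {f.user:<6} {f.detail}")
```

Run against the sample log, the monitor flags bob on P-1002 (invoice entry plus approval), carol on P-1003 twice (approve plus release, and a single approval on a payment above the threshold), and dave's unapproved release on P-1004, while P-1001 passes. The point is that such a check is cheap to run daily over the audit trail, which closes the "fraud window" far sooner than an annual audit would.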

A strong fraud risk management framework goes beyond individual controls. It means having an integrated approach to prevent, detect, and respond to fraud. Key elements include:

  • Tone from the Top and Culture: Leadership must set a clear expectation for ethics and model zero tolerance for fraud. A culture of integrity and openness empowers employees to speak up, which extends oversight beyond what formal controls alone can do.
  • Regular Fraud Risk Assessments: Proactively identify where your organization is vulnerable. Conditions change, so update these assessments periodically (at least annually, or more often if needed). This helps you adapt controls to new risks before issues occur.
  • Fraud Awareness Training: Ensure employees at all levels understand fraud risks and red flags. Heightened fraud awareness across the organization helps employees remain vigilant for signs of fraud and respond appropriately. When staff know what to look for and feel responsible for reporting concerns, fraud is more likely to be spotted early.
  • Incident Response Plans: Have a plan for what to do if suspicions arise. This includes investigation protocols and steps to mitigate damage. Being prepared to act fast can limit losses if a fraud incident does slip through.

Above all, maintain a mindset of skepticism and vigilance. Trust is a professional hazard; if you do not verify information, you could become a victim. Keeping a healthy level of professional skepticism doesn’t mean assuming the worst of everyone—it means verifying and monitoring as a rule, not an exception. Encourage your teams to ask questions and double-check anomalies, even if things seem fine. It’s far better to prevent fraud than to react after the fact.

Insights on Fraud Vigilance and Controls

Through my experience as a fraud investigator, consultant, thought leader, and teacher, and through collaboration with my teammates and colleagues, I’ve observed valuable insights about staying vigilant and proactive against fraud.

Here are a few key takeaways that reinforce the need for heightened awareness and strong anti-fraud measures:

  • Management’s Responsibility, Not Regulators: The ultimate responsibility for fraud risk management lies with an organization’s leadership. Management should take ownership of identifying control gaps and implementing fixes—not rely on external auditors or regulators to catch fraud. If fraud happens, don’t assume “the auditors will catch it”—by then it’s usually too late to prevent serious damage. Leaders should continually ask tough questions about their controls and actively foster an environment of vigilance. Boards and audit committees must also be engaged, asking probing questions and ensuring that management is not merely paying lip service to fraud risk management.
  • Continuous Improvement: Fraud schemes evolve, and so should our defenses. Regularly update your fraud risk management strategies to address new threats. This includes leveraging technology for monitoring and analytics, as well as staying informed about emerging fraud trends.
  • Employee Empowerment: Employees are the eyes and ears of an organization. Empower them to speak up by establishing confidential reporting mechanisms and protecting whistleblowers. When employees feel safe to report concerns, potential fraud can be detected and addressed more swiftly.

In conclusion, the fight against fraud requires unwavering vigilance and a proactive stance. Having the right expertise is critical. By understanding the dynamics of fraud, strengthening internal controls, fostering a culture of integrity, and empowering employees, organizations can effectively mitigate fraud risks. Remember, compliance is the baseline; true protection comes from a commitment to go beyond mere compliance and actively safeguard against fraud.

Copyright Jonathan T. Marks 2025

A risk-resilient ecosystem is what organizations should be striving for!

I welcome your thoughts and opinions.

Best! Jonathan M.

Resource: https://www.coso.org


Ursula Schmidt

2023 and 2024 Internal Audit Beacon award recipient | Internal Audit & Compliance Advisor | Board Member | Independent Director | Speaker & Author

1 day ago

fraud risk management is SO totally beyond compliance - it can't be said often enough that it's an all-hands-on-deck approach that is needed. Thanks Jonathan T. M.!

Travis Canova

Managing Director - BDO

2 days ago

Great stuff, Jonathan!
