This occasional column reviews basic fraud examination tenets for the practitioner regardless of age or experience. Send potential material to FraudMagazine@ACFE.com.
These days, there’s much talk and study about “managing the business risk of fraud.” And, indeed, we need to keep it in the forefront. The Sarbanes-Oxley Act (SOX) enforces stricter assessment of internal controls, but it doesn’t adequately cover anti-fraud controls. Although public companies, in compliance with SOX, have been successful in assuring that financial statements are fairly presented, the effectiveness of controls in preventing and detecting fraud remain to be proven.
But sometimes we can over-think our situations and devise complicated plans that are difficult to implement. I present here a simple, step-by-step method of fraud-risk assessment (FRA) that, as an internal auditor, I’ve found to be reliable and time- and cost-effective.
KNOW YOUR ENEMIES
Everyone knows that fraud risks are out there, but not everyone is equipped to recognize and reduce the impact of fraud. In my experience as a CFE, I’ve found that the best way to prevent and detect the threat of fraud is to know your enemy.
Knowing your enemy means recognizing the threats of fraud that are relevant to your organization. In addition, it’s important not only to identify the risks that are relevant specifically to your internal business environments, but also potential threats that can come from outside your business. Mapping these risks to your business cycle and corporate functions is the key to creating an efficient FRA.
The process of discerning fraud risk can be broken down into these steps:
1. Identification: Create a single repository of relevant fraud risks. The single repository of fraud risks will be the foundation of your FRA. Build a fraud-risk database that’s unique to your environment. For example, misappropriation of inventory is more of a concern in a manufacturing environment than it would be for a company that sells a service. At this stage, we’re only compiling a list of relevant risks regardless of their likelihood to occur; we’ll evaluate actual risk (likelihood and significance) at the assessment stage.
2. Description: Link risks with schemes and scenarios. Map your fraud risks into possible schemes and scenarios so you can determine which of those risks have the highest relevance to your company and could potentially take root. Move from a generic to a more specific perspective for a realistic analysis.
For example, let’s take a fraud risk that’s common to all businesses: check fraud. In Figure 1, check fraud risk can be identified with multiple scenarios; an employee might alter the amount of a paycheck or forge endorsement of a payment.
We’ll then link the schemes and scenarios with different business processes. Check fraud, for example, not only belongs to the payable cycle, but it might also be applicable to the payroll cycle. Therefore, members involved in different business processes would have to assess the risk of check fraud. You’ll need to consider dividing your risk universe into different business cycles.
3. Division: Map risks to business cycles and corporate functions. Divide fraud risks into different business cycles such as payroll, accounts receivable, accounts payable, billing, and into certain corporate functions, such as treasury, intellectual property, and information technology.
As shown in Figure 2, check fraud is a scenario that can be identified within payroll or purchasing.
RECRUIT YOUR TROOPS
Recruit your troops carefully because each assessor’s input will directly impact the overall relevance and quality of your assessment. The internal audit department and/or an external accounting firm can help to build the FRA, but, first of all, it’s important to identify participants within the organization who are able to provide the most accurate input. Make sure you sign up a wide variety of individuals who are in the areas that you predict will be affected by various fraud risks.
All levels of management should be involved in FRAs, but middle management is ideal because they have a closer view of the business environment than top executives and a less limited view than clerks. An accounting background is an asset for understanding breaches in business processes, but picking participants with a good understanding of the business operation is even better.
For example, to better assess fraud risks under the human resources and payroll functions, request collaboration from those who are closely involved with the processing of payroll checks. Their input would be valuable because they have an intimate knowledge of that area.
There are two ways to perform the assessment. Combining both methods produces a more informative assessment.
1. Self assessment
Members are asked to assess the vulnerabilities of their practices against identified fraud risks. They can do this by using IT tools ranging from Excel to online Web surveys.
Advantages: This is a low-cost, time-effective, user-friendly way of collecting participants’ assessments.
Disadvantages: It’s difficult to draw a conclusion that can be applied generally because self- assessment is based on an individual’s interpretation.
2. Assessment via workshop
Selected participants in a group, with diverse expertise and points of view, can give a more objective and detailed assessment.
Advantages: The workshop method can yield participants’ agreement on a common evaluation of the fraud risks and quality results.
Disadvantages: It can require difficult coordination of meetings especially if the enterprise operates in different geographical, political, and legal environments. It needs to be led by a skilled individual with a good understanding of the business. Plus, it’s more difficult to report and analyze.
We need to categorize and rank the most-threatening fraud risks. After we’ve identified the fraud risks, we ask participants to name effective and properly executed controls that already are in place to prevent or detect the fraud risk in question. The next step is to identify the residual risks – those that aren’t fully covered by the controls in place.
The most common way to assess a specific fraud risk is to measure the likelihood of occurrence and significance of the risk. These could be rated on a scale from 1 (low) to 5 (high).
The likelihood of occurrence, of course, will depend on your organization. For example, when you’re assessing the check-fraud risk, you’ll find a higher likelihood if all checks are printed and mailed instead of deposited automatically or transferred by wire.
Some of the major factors that need to be considered when assessing significance include (but aren’t limited to):
- Financial loss
- Market confidence
These and other factors are interrelated and affect each other. Therefore, returning to our example of check fraud, let’s consider how these factors would impact our assessment of significance in two situations: A low-ranking employee has committed a check fraud for a value of $5,000. But then your chief financial officer has committed a check fraud for the same amount. The value is the same, so is the significance equal? The answer is clearly no; if we consider the above factors, the latter case has a more damaging impact.
Your fraud-risk assessment will yield two values: one for the significance and one for the likelihood of each risk. With these values you can begin to prioritize risks. As shown in figure 3 on page 66, our example (check fraud) results in 3 for likelihood (medium risk) and 2 for significance (low risk) on a scale of 1 to 5.
I suggest identifying three levels of risk: high, medium and low. Each of these levels corresponds to a recommended action. For example, as indicated in red in Figure 4, high-risk would require immediate implementation of mitigating actions to reduce the exposure to the risk.
Medium-level risk (yellow) would require monitoring actions to ensure the level of risk doesn’t change. While low-level risk (green) doesn’t represent a significant or immediate threat, it should remain part of your risk universe. In our example of check fraud, as charted in Figure 3, the assessment (3 in likelihood and 2 in significance) would rank the risk in the medium (yellow) level.
Now, don’t let your fancy colorful charts fool you; assessments are always dynamic. Risks will always change. Reassess yearly or even quarterly.
PRESERVE STAKEHOLDERS’ TRUST
In an era dominated by financial scandals that have shaken our trust in the safety of institutions, we’ve seen more controls and regulations. We have to be diligent in managing the risk of fraud in our organizations so we will preserve (or restore) stakeholders’ trust.
This simple fraud-risk assessment is a tool, among others, that you can use to control the risk of fraud. Of course, it won’t give you 100 percent assurance that you’ll be fully protected against fraud. But it has helped me identify weaknesses and focus efforts on high-risk areas.
Olivier Beauregard, CFE, CGA, is an internal auditor for CGI in Montreal, Quebec, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.