Gabriella Marshall, CFE
Read Time: 4 mins
Written By:
Anna Brahce
Susan works as the bookkeeper for a small organization. She and the assistant bookkeeper, Meredith, totally control the accounting function except for authorization of transactions. Susan supplies information directly to the outside auditors, keeps the books in QuickBooks®, and receives the unopened bank statements. The boss doesn't understand computers, and everyone knows it. This is a ticking time bomb.
Susan begins slowly. She writes herself a couple of checks and forges the boss' name. Then she gets greedy. After all, her paycheck is small, her boyfriend just moved out, and she has double the living expenses. Susan discovers it's easy to steal from her company; she just pretends in QuickBooks that the checks she writes to herself are sent to vendors. No one detects her improprieties.
Susan then decides no one would notice a few extra charges to the company credit card. She opts to switch from paper to electronic credit-card invoices so no one but she will see them, and no one will even know the vendors aren't real. Susan then electronically transfers company funds from its bank account to pay the monthly credit card bill. She steals $25,000 in six months.
Her schemes are working well, but she doesn't want to wreck a good thing by getting caught. So Susan quits and plans to use her new methods to siphon revenue at a different company. She doesn't realize that Meredith, the assistant bookkeeper, has been watching and learning Susan's fraud techniques.
After Susan leaves, Meredith is promoted to bookkeeper and she begins to steal using Susan's techniques. After only three months in her new position, Meredith has stolen approximately $10,000.
Lucky for the boss, it's now January and the credit card company issues its year-end summary in print because the statements for part of the year were sent on paper. Meredith is on vacation with her family in Orlando, Fla., when the statement arrives. The boss opens the annual credit card summary and can't believe his eyes. Our company helps him see the ongoing fraud, and he realizes that Meredith is actually using the credit card while vacationing in Orlando! If the company had fraud prevention or detection procedures already in place, it wouldn't have lost $35,000.
As fraud examiners, we advise our clients and organizations to construct a fraud-risk plan. But if personnel at all levels - the board of directors, the audit committee, all management, staff, and internal and external auditors - aren't closely involved with the inception of the plan, then it will become just another three-ring binder sitting on the shelf. And the organization will still be vulnerable to huge losses of money, morale and reputation.
The 80-page "Managing the Business Risks of Fraud: A Practical Guide" was jointly released in July 2008 by the ACFE, the American Institute of Certified Public Accountants, and the Institute of Internal Auditors to motivate management and employees to devise a plan that will work.
The guide outlines five key principles for establishing effective fraud management:
Principle 1: As part of an organization's governance structure, a fraud-risk management program should be in place. It should include a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Organizations now have heightened expectations for internal ethical behavior. Criminal penalties for fraud are increasing. Fraud governance processes are the foundation of an effective fraud-risk management program.
The program should consist of concise written policies and procedures designed by the board to manage fraud risks plus a method to communicate and evaluate their processes. A strong corporate culture includes solid business ethics in hiring, evaluation, promotion, and salaries, and in relationships with customers and vendors, shareholders, governmental entities, community organizations, and media.
Roles and Responsibilities
The board should use organizational policies, job descriptions, and other corporate documents related to fraud-risk management to define roles and responsibilities.
Documentation should state who is responsible for the governance oversight duties of fraud control and reflect management's responsibility for the design and implementation of the fraud-risk strategy. All segments of the organization must support fraud-risk management, including not only risk management but also compliance, general counsel, the ethics office, security, information technology, and internal auditing.
Key roles in an organization's fraud risk management program are held by the board of directors, the audit committee, management, staff, and internal auditing.
The board of directors sets the "tone at the top." It requires management to design an effective program and insists that high standards are met daily. To do this, the board must seek outside training and counsel, understand fraud risks and their components, and monitor management oversight.
The audit committee should adequately assess and respond to the risk of fraud, especially management fraud, because that kind typically involves override of internal controls. The audit committee should consist of independent board members with at least one financial expert, preferably with an accounting background. The committee should be actively involved in the oversight process and communicate with external auditors about discovered or suspected fraud.
Management, which sets the most visible example within an organization, is responsible for the design and implementation of a fraud-risk management program. It must create that strong corporate culture - in words and actions - to prevent, detect, and deter fraud.
Management must implement adequate internal controls, and report suspicious activities, known frauds, and its successes and failures to the board. Often, a chief ethics officer is appointed to lead the fraud-risk program and report to the board.
Management should train staff to have a basic understanding of fraud, be aware of red flags that contribute to a fraudulent act, and understand their roles within the internal-control framework.
The Committee of Sponsoring Organizations of the Treadway Commission has identified five components of this framework: control environment, risk assessment, control activities, information and communication, and monitoring.
The staff should be required to read and understand company materials such as the fraud policy, code of conduct, whistle-blower policy, and operational policies and procedures. They must sign a statement that they have read the materials and know of no violations. They also must report suspicious behavior and cooperate in investigations.
The internal auditing department provides objective assurance to the board and management that controls are sufficient, appropriate, and functioning effectively.
The board and management should communicate their commitment to managing fraud risks to all employees, vendors and customers through short letters, Web sites, newsletters, video, and other media. They should also communicate expectations, define and describe fraud and fraud risks, and provide examples of what could occur.
Here are other components of the roles-and-responsibilities tenet:
Affirmation process: In addition to staff members, directors, contractors and other service providers must acknowledge that they've read, understood and complied with the code of conduct, fraud control policy, and other documentation.
Conflict disclosure: Directors, employees and contractors must disclose potential or actual conflicts of interest. Management then reviews this information to determine if there's a risk or if there's a potential for conflict of interest, and then implements constraints or imposes actions to resolve the issue.
Fraud-risk assessment: The organization should regularly assess fraud risk and study potential fraudulent acts based on those risks, then use those schemes and scenarios as learning tools for all employees. This process can deter possible perpetrators.
Reporting procedures and whistle-blower protection: The organization should publicize its zero tolerance for fraud, require that suspected fraud be reported immediately, and clearly define the appropriate procedures for doing so. It should provide on its Web site fraud-reporting resources, whistle-blower hotline information, and whistle-blower protection.
Investigation process: The board and management should have a written process that outlines who should conduct investigations, the rules of evidence, chain of custody, reporting mechanisms, regulatory requirements, and legal action.
Corrective action: As a deterrent, policies must consistently show the consequences - including termination and reporting to authorities - of committing or allowing fraudulent activity to occur.
Quality assurance: The organization should document ongoing process evaluation and improvement procedures, which could include the need for measurements and analysis of statistics, benchmarks, resources, and survey results.
Continuous monitoring: The organization should continuously review and update the fraud-risk management program and adequately fund, staff, and train the independent internal audit function.
Principle 2: The organization should periodically assess fraud-risk exposure to identify specific potential schemes and events that the organization needs to mitigate.
The fraud-risk assessment, specifically designed for the organization's size, complexity, industry and goals, should include, at a minimum, risk identification, risk likelihood and significance assessment, and risk response.
Risk Identification
An organization can identify risk after obtaining information from regulatory bodies, industry sources, key guidance-setting groups, and professional organizations. Internal efforts should include interviews and brainstorming with a broad spectrum of personnel, review of whistle-blower complaints, and analytical procedures.
Assess the pressures, opportunity, and rationalization to commit fraud, and consider the potential override of controls by management. Place an increased focus in areas for which controls are weak or there's no segregation of duties.
Risk Likelihood
The likelihood of fraud risk is based on the vulnerability of the organization, what has occurred in the past, the industry, number of transactions, complexity, and number of employees. Classify fraud-risk likelihood as remote, reasonably possible, or probable.
Risk Response
An organization should have a structured approach to monitoring actual fraud exposure and should design fraud-evaluation procedures to manage fraud risk. These procedures should include developing and executing oversight duties and responsibilities and mitigating controls.
The assessment of fraud-risk exposure, which can play a crucial role in developing and maintaining effective anti-fraud programs, is an integral component of a larger enterprise risk-management effort. It's rooted in identifying potential fraud schemes and perpetrators inside and outside the organization. Preventive controls must be supplemented with detective controls because collusion negates the control effectiveness of segregation of duties.
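To show how the likelihood classes, the focus on weak segregation of duties, and the rule that preventive controls need detective backstops fit together, here is an added example in Python; it is not from the guide or the article, and the register entries, weights and actions are constructed from the Susan and Meredith story:

```python
"""Fraud-risk register scoring: a constructed illustration of Principle 2."""
from dataclasses import dataclass, field
from typing import List

# Likelihood classes named in the guide; the numeric weights are an assumption.
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
SIGNIFICANCE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class FraudRisk:
    scheme: str
    likelihood: str                 # remote | reasonably possible | probable
    significance: str               # low | medium | high
    segregation_of_duties: bool     # are authorization, recording and custody split?
    preventive_controls: List[str] = field(default_factory=list)
    detective_controls: List[str] = field(default_factory=list)


def score(risk: FraudRisk) -> int:
    """Likelihood x significance; a missing segregation of duties doubles the focus."""
    base = LIKELIHOOD[risk.likelihood] * SIGNIFICANCE[risk.significance]
    return base if risk.segregation_of_duties else base * 2


def respond(risk: FraudRisk) -> List[str]:
    """Risk-response actions derived from the control gaps on one register entry."""
    actions = []
    if not risk.segregation_of_duties:
        actions.append("split authorization, recording and custody")
    if not risk.preventive_controls:
        actions.append("add preventive control")
    # Collusion defeats segregation of duties, so every entry needs a detective control.
    if not risk.detective_controls:
        actions.append("add detective control: independent review of bank and card statements")
    return actions or ["monitor"]


def prioritize(register: List[FraudRisk]) -> List[FraudRisk]:
    """Order the register so the highest-scoring schemes are handled first."""
    return sorted(register, key=score, reverse=True)


# Constructed register modelled on the bookkeeper story at the top of the article.
REGISTER = [
    FraudRisk("Ghost employee on payroll", "remote", "medium", True,
              ["HR background checks"], ["payroll reconciliation"]),
    FraudRisk("Checks to fictitious vendors recorded in QuickBooks",
              "probable", "high", False),
    FraudRisk("Personal charges on company card, electronic statements only",
              "probable", "medium", False),
    FraudRisk("Management override of transaction approvals",
              "reasonably possible", "high", True, ["board approval of large payments"]),
]
```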
Risk-assessment Team
Before conducting a risk assessment, management should appoint a team of employees throughout the organization with diverse knowledge, skills, and perspectives. The team should include financial and nonfinancial personnel and individuals from the departments of risk management, legal and compliance, and internal audit, as well as management from accounting, sales, purchasing and operations. Consider both internal and external people.
This risk-assessment team should brainstorm to identify the organization's fraud risks in financial statement fraud, bribery and corruption, and misappropriation of assets. The discussion should include employees' pressures, opportunities, and rationalizations that could lead them to commit fraud; the risk of management override of controls; and the fraud risks relevant to the organization.
The team should use strategic reasoning to anticipate the suspected behavior of a potential fraudster and how that person can exploit weaknesses, circumvent internal controls, and conceal activities.
The risk-assessment team:
Principle 3: Establish prevention techniques, where feasible, to avoid potential key fraud risk events to mitigate possible impacts on the organization.
An organization prevents fraud through a structure of policies, procedures, awareness, training, and ongoing communication. Enforced preventive controls can be strong deterrents. Though not all fraud can be prevented (and sometimes it's not worth the money to try), prevention is always the most proactive fraud-fighting measure.
Two elements of fraud prevention are human-resources procedures and appropriate authority limits. Human resources personnel should perform background investigations on new employees and those promoted into positions of trust and authority.
The organization should vet new and existing suppliers, customers, and business partners. All investigations should comply with the Fair Credit Reporting Act; obtain permission when appropriate.
Human resources should provide employees initial anti-fraud training on red flags and subsequent education on the fraud risk-management program, tone at the top, and their responsibilities. If human resources managers don't properly handle employee behavior, performance, recognition, and feedback programs, employees might feel they can justify fraudulent conduct.
Compensation policies shouldn't be based on short-term performance or employees might be encouraged to fabricate financial results for personal gain. Authority limits should be commensurate with responsibility.
The human resources department also should conduct exit interviews to uncover problems with management's integrity or conditions conducive to fraud.
The business-risk guide has a fraud-prevention scorecard that identifies whether controls are unacceptable, marginal, or strong in each fraud-prevention area. Those areas include tone at the top, code of conduct, COSO Integrated Framework assessment, internal control strengths and weaknesses, third-party and related-party relationships, audit committee and internal audit functions, human resources, financial reporting, business partners, and fraud training.
Principle 4: Establish detection techniques to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Effective, viable detection controls can also be strong deterrents to fraudulent behavior. The controls are based on the previously mentioned fraud risks.
Fraud is mostly detected from anonymous tips, so an organization must have a whistle-blower hotline. Hotlines can also reduce fraud because individuals might fear getting caught and having their crimes reported. Organizations must protect hotline callers' anonymity, because callers who fear retaliation won't call.
An organization should document its fraud detection techniques including hotlines, data analysis, auditing techniques, and technology tools. Describe in detail the elements of each technique and the individuals and departments responsible for designing, implementing, planning, and monitoring them.
Train those who are responsible for receiving and responding to tips and complaints, investigating allegations of fraud, and communicating information about suspected and confirmed fraud.
Communicate the fraud detection plan throughout the organization, but protect confidential activities. "Managing the Business Risks of Fraud: A Practical Guide" also contains a fraud-detection scorecard, which is structured like the fraud-prevention scorecard.
Principle 5: Construct a reporting process to solicit input on potential fraud, and use a coordinated approach to investigation and corrective action to help ensure a potential fraud is addressed appropriately and timely.
An organization learns of potential fraud in many ways. The board should establish processes to evaluate allegations, investigate cases, and maintain confidentiality.
Individuals assigned to investigations should have the authority and skills to evaluate allegations and determine appropriate courses of action including maintaining a tracking or case management system. This can help the organization mitigate losses, manage risk, and improve its chances of loss recovery.
The organization should consistently handle all alleged fraudsters whether they're top executives, middle management, or line employees.
Stock the investigation team with legal counsel, fraud examiners, internal and external auditors, accountants, financial forensic specialists, human resources personnel, security and loss prevention personnel, information technology, computer forensics specialists, and management. Investigations generally include interviews, evidence collection, computer forensic examinations and evidence analysis. The team periodically reports its findings to those overseeing the investigation.
After the investigation is completed, the organization must determine its actions such as criminal referral to law enforcement; civil action to recover funds; or disciplinary action resulting in termination, suspension, demotion, or warning. An insurance claim might be filed to recover losses. The organization should analyze the case to determine the root causes and remove the opportunities for similar future frauds.
NO DUSTY PLANS ON THE SHELF
As fraud examiners, we often suggest that organizations develop formal written procedures to prevent and detect fraud and communicate company-wide ethics policies. "Managing the Business Risks of Fraud: A Practical Guide" provides a comprehensive framework to assist any organization that has found plans useless but thoughtful planning indispensable.
Grace B. Ghezzi, CFE, CPA/PFS, AEP, is vice president of Benefit Consulting Group Inc. in Syracuse, N.Y.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.