
Looking at fraud through a global lens
Read Time: 8 mins
Written By:
Sarah Hofmann, CFE
Fraud is happening all the time and at every organization. In our experience, many organizations think they’re immune to fraud. They might say, “We’ve hired good people and have very strong internal controls, so fraud isn’t a problem here.” It’s probably not news to you, but the fraud problem is normally bigger than organizations think. One organization we worked with found this out the hard way. A well-respected senior leader had been caught embezzling in excess of $1 million over more than 10 years. It started with his perceived need for extra money to pay bills that were piling up, but once he started, he couldn’t stop. Through the investigation, the organization found that many employees had seen behavioral red flags — like living beyond his means — for years but hadn’t reported it because they believed it was impossible that this well-respected leader was doing anything nefarious. This example and many others like it showcase the bottom line: Good people do bad things, and controls fail.
Fraud is like the proverbial iceberg. The bulk of fraud risk is unidentified and lurking beneath the surface. Organizations can and should take steps to proactively reduce their risk and minimize the impact when fraud does slip through the cracks. An effective fraud risk management (FRM) program enables organizations to know where they are vulnerable and how to take control.
The ACFE/Committee of Sponsoring Organizations of the Treadway Commission (COSO) Fraud Risk Management Guide is a tremendous resource for helping organizations establish a strong fraud risk framework. The 2016 guide is designed to serve as best-practice guidance for organizations to follow in addressing COSO’s 2013 Internal Control – Integrated Framework fraud risk assessment Principle 8. However, implementing all the best practices in the guide can be daunting.
The ACFE and Grant Thornton published the Anti-Fraud Playbook (also see ACFE.com/fraudrisktools) to provide the fraud-fighting community and organizations across the globe with practical, actionable guidance. The Playbook draws on insights from the Fraud Risk Management Guide and seeks to clarify and operationalize its concepts.
The Anti-Fraud Playbook provides easy-to-use tools and templates to help your organization no matter how far along your efforts are. Whether your organization is just beginning its anti-fraud journey or you’re looking to enhance your fraud risk management (FRM) practices, the Anti-Fraud Playbook can help.
The Anti-Fraud Playbook includes 10 Plays, organized into five phases that align to the ACFE/COSO guide’s five key principles, detailed in Figure 1. This article explores those Plays and how you can use them to improve an FRM program. We begin each section with the underlying principle from the Fraud Risk Management Guide.
Figure 1: Anti-Fraud Playbook Phases and Plays
Fraud Risk Governance: The organization establishes and communicates an FRM program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
The vital backbone of an effective FRM program is a strong strategic plan that will help you make the correct decisions and ensure you focus your resources on your areas of highest impact and priority. Many organizations don’t take the time to develop strategies for their FRM programs. Often, an organization will hastily create a program as a response to a major fraud event. Or it will decentralize FRM efforts, so it lacks broad “enterprise view” decision-making.
Just this year, an organization we worked with experienced a multimillion-dollar fraud event and then called for help to conduct a fraud risk assessment and build a more comprehensive FRM program. It could’ve avoided this fraud event or caught it sooner if it had taken these actions proactively.
The first step in this process is to conduct a “maturity assessment” to understand where your program is today. Once you understand your current state, you can identify your long-term vision and goal state. This process will allow you to develop a road map for the future and focus on gaps you need to address to propel efforts from the current to the goal state and ensure resources are effectively used in areas of high impact and high priority.
Promoting fraud awareness throughout your organization from the top down is vital to creating a strong anti-fraud culture, enhancing fraud awareness and encouraging employees to discuss fraud risks openly and thoughtfully. We’ve all seen and heard of scandals resulting from bad cultures. A 2015 independent investigation discovered Toshiba had been inflating profits over a number of years. “A corporate culture existed at Toshiba whereby employees could not act contrary to the intent of their superiors,” the investigation report stated.
Fortunately, you have many ways to promote and enhance fraud awareness and an anti-fraud culture at your organization. At a minimum, organizations should:
Figure 2: Enterprise Anti-Fraud Maturity Assessment Model©
We place a heavy emphasis on conducting culture assessments because they help organizations understand how their current efforts are lacking, identify potential vulnerabilities that might lead to internal pressures to commit fraud and highlight areas where fraud might be slipping through the cracks. Some of the most important areas to explore during a culture assessment include:
Like most things in FRM, a one-size-fits-all model for promoting fraud awareness doesn’t exist. Tailor your efforts to be relevant to your organization’s fraud risks and the strategic goals of your FRM program.
Fraud Risk Assessment: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities and implement actions to mitigate residual fraud risks.
Organizations without consistent fraud taxonomies struggle to speak the same language, which makes oversight, aggregation of underlying data and reporting difficult or impossible. Many times, organizations focus only on schemes they already know about without considering unknown or emerging schemes. And often, organizations fail to think through their specific controls and how a motivated fraudster might circumvent or take advantage of them.
Put on your “fraudster hat” to ensure an effective risk identification process. (See Figure 3 below.) Brainstorm fraud scenarios that are specific to your processes and controls to identify your key risks, gaps and vulnerabilities. We reiterate: Good people do bad things, and controls fail. Don’t get stuck focusing only on what you’ve seen. Think outside the box. If someone was motivated to commit fraud, how would they do it? What processes or controls would they circumvent? Who’d be most likely to perpetrate the fraud and why? Thinking like a fraudster will help you in your risk-identification process, which will serve as a key insight in your fraud risk assessment. Don’t forget to consider both internal and external fraud, and think beyond just financial losses.
Figure 3: Think like a fraudster
A fraud risk assessment should be dynamic and iterative, aimed at identifying and assessing fraud risks relevant to an organization. A best-in-class fraud risk assessment is a comprehensive program with a constant pulse on current and emerging risks, and a clear path to mitigation, monitoring and reporting across the enterprise.
TIP: A mature risk assessment process should employ multiple techniques.
Ineffective risk assessments might rely solely on surveys to assess likelihood and impact rather than a mix of qualitative risk assessment techniques; relying on surveys alone puts the emphasis on perceptions of risk. For example, we worked with an organization that had previously relied solely on surveys to ascertain the likelihood and impact of fraud risks. We found that most people took little time to respond to the survey and had little understanding of how the organization was using the information, which resulted in erroneous scores. Unfortunately, senior management relied on that misleading data to make its decisions.
After we educated stakeholders and facilitated meaningful dialogue on how fraud risks and specific controls and processes at the organization interrelate, we conducted in-depth fraud risk workshops. The risk scoring and prioritizations ended up looking very different, including the identification of new key risks and a clear picture on gaps and vulnerabilities in current processes.
To achieve an effective risk assessment, develop a mix of quantitative and qualitative risk assessment techniques, including interviews, surveys and workshops. (See Figure 4 below.) It’s important to understand when to use each technique so you can garner the most actionable information and use stakeholder time efficiently.
Figure 4: Qualitative risk assessment techniques
Study your documentation and interview stakeholders to identify anti-fraud controls, assess their effectiveness and understand how your organization carries out these controls in practice. You also can look at current and past findings from either internal or external audit, or other oversight functions.
You should then map the controls you identified to your identified risks. This will showcase areas that are well-controlled and highlight key gaps, which will help you meaningfully determine likelihood and impact scores and inform your risk response. With risk scoring and prioritization, remember that understanding what’s relatively more likely to occur is more important than perfecting a numerical score.
If you already have a fraud risk assessment in place, dive deep to determine where you might be able to improve current processes to increase effectiveness and usefulness. If you’re starting from the beginning, pick one area to focus on first. Then leverage best practices and leading guidance to build a methodology that’s tailored for your organization.
Fraud Control Activities: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
It’s probably not news to you that data analytics is a powerful tool. The ACFE’s 2020 Report to the Nations found that organizations that implemented proactive data monitoring and analysis experienced a 33% reduction in the median loss and duration of fraud schemes compared to organizations that didn’t. You can easily implement many anti-fraud analytics tests with basic spreadsheet software or — on the other end of the spectrum — use robotics, machine learning and artificial intelligence to combat fraud. Each of the many analytic techniques brings unique benefits and insights. However, not all analytic techniques are equal; certain techniques are better suited for certain objectives or analyses than others. Figure 5 (below) outlines analytic techniques ranging from simple to more advanced. Of course, this isn’t a comprehensive listing.
Figure 5: Examples of analytic techniques
Data analytics is critical for elevating your organization’s FRM program. When in doubt, start small with a pilot approach to reduce initial investment and gain quick wins.
Earlier, we covered the need to develop and deploy mandatory enterprisewide anti-fraud training. However, training shouldn’t stop there. Implementing targeted role-based training helps employees better connect the message of the training to their daily responsibilities.
This type of anti-fraud training also helps your employees identify suspicious activity and feel empowered to act against potential fraud. Focus on real-life examples and provide on-the-job tools, such as red flag lists or job aids. Include interactive sessions, such as role-playing exercises, to keep participants engaged and help them practice thoughts and behaviors demonstrated in the training materials. Employees who’ve practiced their fraud prevention and detection skills and behaviors in a simulated environment will be more likely to use them effectively in their daily work.
Still not convinced that you need this type of training? Consistently, one of the top ways organizations identify fraud is via tips. The Report to the Nations found that organizations with fraud awareness training for employees were more likely to get tips through formal reporting mechanisms — 56% compared to 37%. That translates to more effective hotlines and the potential to catch fraud sooner, which reduces the loss and impact to your organization.
Don’t know where to start implementing role-based training? Leverage the results of your fraud risk assessment. Focus on areas where your risks are higher or where you’ve identified major gaps or vulnerabilities.
Fraud Investigation and Corrective Action: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
You must have mechanisms in place to conduct thorough investigations. This should include a plan for determining and understanding the root causes of fraud and the process for implementing corrective actions to address them.
Most sizable organizations have some type of fraud investigation function in place. However, they vary greatly in effectiveness. For example, you might have many investigative bodies spread throughout your organization. This lack of centralization leads to missed opportunities for synergies, trend identification and aggregate reporting, and departments are handling investigations differently across the board.
Another common pitfall is a lack of mechanisms to assess investigative performance. As Figure 6 (below) shows, that’s one of the key elements in a solid investigation foundation. Without it, your team won’t understand how investigations are perceived. If stakeholders feel the organization isn’t managing their concerns or isn’t handling their complaints appropriately, they’ll be less likely to report similar concerns in the future. They might also discourage colleagues from reporting by sharing their negative experiences or perceptions. This would be detrimental because, as we highlighted above, tips are one of the most common ways that fraud is detected. Those tips will stop coming in if employees lose faith in the system.
Figure 6: Key elements to lay the groundwork for investigations
If you already have a fraud investigation function in place, dive deep to determine where you might be able to improve processes to increase effectiveness. If you’re starting from the beginning, use the Anti-Fraud Playbook, the ACFE/COSO guide and other leading guidance to build a solid foundation for your fraud investigations function.
Investigations are a critical component of uncovering not only fraud within your organization, but also other corporate crimes, such as money laundering, corruption and bribery. Investigations also act as an effective fraud deterrence practice that showcases the organization’s commitment to high ethical standards and creating the perception of detection.
If you have a solid foundation, as highlighted in the previous Play, then this should be a well-defined process. Key steps you should perform following the conclusion of an investigation include communicating investigation results, taking corrective action and, finally, evaluating investigation performance.
FRM Monitoring Activities: The organization selects, develops and performs ongoing evaluations to ascertain whether each of the five principles of FRM is present and functioning and communicates FRM program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
Monitoring almost always comes last when organizations build FRM programs — sometimes even as an afterthought. However, monitoring and periodic evaluations provide vital insight into the effectiveness of FRM activities and help identify areas for improvement. Monitoring should cover the full spectrum of an FRM program and should focus on the effectiveness of the activities in place. For example, focus on measuring outcomes instead of outputs. When looking at a fraud risk assessment, instead of focusing on the number of fraud risk assessments performed (output), measure the change in likelihood and impact scores from one assessment to the next to gauge how awareness and understanding have improved since the previous assessment (outcome).
Finally, use the results to drive continuous improvement. For example, let’s say you used a survey to evaluate the level of fraud awareness within a particular area after conducting targeted anti-fraud training, and the results were lower than expected. This would indicate that the outcome of the training wasn’t adequately achieved, and you should improve the training to achieve the desired outcome.
Communicate the outcomes of your FRM program to all levels of your organization to increase awareness and showcase your accomplishments. You should be communicating informally to all parties along the way, but periodically report outcomes, insights and lessons learned. Tailor the information for each audience. Senior executives and board members might be most interested in key performance indicators and executive summaries while front-line management might be most interested in detailed feedback on processes and controls.
As part of your report development, consider all factors, such as the results of your fraud risk assessment and anti-fraud training — both individually and together. You might be surprised to see new insights when you look at the information as a whole rather than only looking at the individual factors.
The fraud risk journey looks different for every organization. One size doesn’t fit all. As the first Play suggests, customize fraud risk management to meet the unique needs of your organization. A strong fraud risk management program has relevance and context to match the culture and broader objectives of the enterprise. And fraud risk management is not a set-and-forget exercise. Plan continuous improvement to your fraud risk program as you face a constantly evolving fraud risk landscape.
Use this Anti-Fraud Playbook as the foundation to develop a custom fraud risk management approach for your organization and move from theory into practice.
Sophia Carlton, CFE, is manager, fraud risk mitigation & analytics, at Grant Thornton LLP. Contact her at sophia.carlton@us.gt.com.
James Ruotolo, CFE, is senior manager, fraud risk mitigation & analytics, at Grant Thornton LLP. Contact him at james.ruotolo@us.gt.com.