News & Blogs

Fraud Risk Assessments, Is There a Need or Is It Just Hype?

Global · · linkedin.com

In previous articles we discussed the need for Fraud Risk Management (aka: Antifraud) Programs. In this series of articles, we will discuss the need for Fraud Risk Assessments.
My opinion is they are both needed, complement each other, and are interrelated. Each is a risk road map:
• Fraud Risk Management Program (FRMP) shows in document form the current steps (actual and holistic) the entity takes to identify, prevent, investigate, educate, and address fraud risk. An important part of the program is a Fraud Risk Assessment, which is essentially a map of the current and projected potential fraud risks the entity faces. It is difficult to protect yourself and show others you are, if there is no map or document.
• Fraud Risk Assessment (FRA) is an active process that obtains input from management and employees on current processes and controls that are actually used to identify and prevent fraud risk. Once the risks are identified they are prioritized as to likelihood (estimated frequency) and impact (financial and reputation cost/pain per incident). These steps help prioritize the risks and provides guidance to the entity on which ones to address:
o As quickly as possible – High to Medium High Risk
o As time and resources allow – Medium Risk
o No affirmative action as the entity decides it is the cost of doing business and assumes the risk. They may have controls in place and feel they are adequate at this time.
So why are they needed? Is an FRA a frivolous use of limited resources and just an intellectual exercise to say it has been done? Absolutely not. It is difficult to defend against/ prepare for an opponent you do not know who they are, where, or how they will come after you. FRA helps to proactively identify current and potential weaknesses, prepare effective and realistic documented controls. Both of these are with the goal of protecting the entity’s financial resources, brand/reputation, and stay compliant with relevant regulatory requirements. These are all helpful to ensure the entity will remain a going concern.
Some additional reasons for an FRA:
Proactively:
Identify current and potential vulnerabilities. Allows you to determine their likelihood and impact
to permit prioritizing the critical vs medium risks.
Update/Upgrade weak existing controls to meet the enhanced and new fraud risks the existing
controls were not initially designed to meet.
Timely develop needed controls or other mitigation strategies. With the risks identified you can
develop the needed controls/strategies for the selected risks, thereby efficiently utilizing
limited resources.
Protecting Entity Assets and Reputation by safeguarding:
Assets now that you know what is at risk and how to protect them.
Reputation and stock price by ensuring you are aware of and updated/implemented relevant
controls to prevent and detect significant and medium-high risks. These actions help with a
positive image of actively protecting the brand and assets.
Helping with Compliance and Mitigate Potential Legal Consequences:
For business sectors with stringent regulatory requirements, an FRA not only prepares you to
address the fraud risks, but it also documents your actions to the regulators.
These actions can also help mitigate/avoid potential legal and/or regulatory actions, fines, or penalties should you experience a significant and public fraud. It is not a guarantee, but it can help or at least provide relevant discussion points.
I hope this provides some background on the need for and importance of FRAs. In the following articles I will share ideas on what may work as an FRA and that one size does not fit all entities at any given time.

Other resources to consider on this topic can be found on:
Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA
Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like all the articles, please let me know at gwmullin@yahoo.com and I will share. My ethics experience has included interim Ethics Director, reporting, policy development, and investigations.
George


In previous articles we discussed the need for Fraud Risk Management (aka: Antifraud) Programs. In this series of articles, we will discuss the need for Fraud Risk Assessments. My opinion is they are both needed, complement each other, and are interrelated. Each is a risk road map: • Fraud Risk Management Program (FRMP) shows in document form the current steps (actual and holistic) the entity takes to identify, prevent, investigate, educate, and address fraud risk. An important part of the program is a Fraud Risk Assessment, which is essentially a map of the current and projected potential fraud risks the entity faces. It is difficult to protect yourself and show others you are, if there is no map or document. • Fraud Risk Assessment (FRA) is an active process that obtains input from management and employees on current processes and controls that are actually used to identify and prevent fraud risk. Once the risks are identified they are prioritized as to likelihood (estimated frequency) and impact (financial and reputation cost/pain per incident). These steps help prioritize the risks and provides guidance to the entity on which ones to address: o As quickly as possible – High to Medium High Risk o As time and resources allow – Medium Risk o No affirmative action as the entity decides it is the cost of doing business and assumes the risk. They may have controls in place and feel they are adequate at this time. So why are they needed? Is an FRA a frivolous use of limited resources and just an intellectual exercise to say it has been done? Absolutely not. It is difficult to defend against/ prepare for an opponent you do not know who they are, where, or how they will come after you. FRA helps to proactively identify current and potential weaknesses, prepare effective and realistic documented controls. Both of these are with the goal of protecting the entity’s financial resources, brand/reputation, and stay compliant with relevant regulatory requirements. These are all helpful to ensure the entity will remain a going concern. Some additional reasons for an FRA: Proactively: Identify current and potential vulnerabilities. Allows you to determine their likelihood and impact to permit prioritizing the critical vs medium risks.
Update/Upgrade weak existing controls to meet the enhanced and new fraud risks the existing controls were not initially designed to meet. Timely develop needed controls or other mitigation strategies. With the risks identified you can develop the needed controls/strategies for the selected risks, thereby efficiently utilizing limited resources. Protecting Entity Assets and Reputation by safeguarding: Assets now that you know what is at risk and how to protect them. Reputation and stock price by ensuring you are aware of and updated/implemented relevant controls to prevent and detect significant and medium-high risks. These actions help with a positive image of actively protecting the brand and assets.
Helping with Compliance and Mitigate Potential Legal Consequences:
For business sectors with stringent regulatory requirements, an FRA not only prepares you to address the fraud risks, but it also documents your actions to the regulators. These actions can also help mitigate/avoid potential legal and/or regulatory actions, fines, or penalties should you experience a significant and public fraud. It is not a guarantee, but it can help or at least provide relevant discussion points.
I hope this provides some background on the need for and importance of FRAs. In the following articles I will share ideas on what may work as an FRA and that one size does not fit all entities at any given time.

Other resources to consider on this topic can be found on: Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like all the articles, please let me know at gwmullin@yahoo.com and I will share. My ethics experience has included interim Ethics Director, reporting, policy development, and investigations. George


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →