News & Blogs

Fraud Risk Assessments, Oh Yes there is a Need

Global · · linkedin.com

In the last article we discussed whether a Fraud Risk Assessment (FRA) was a need or a waste?

My opinion is there is a need, and they are most assuredly a value add. We spend enormous amounts of time and money to hire, train, equip, and retain employees, not to mention the sums spent to advertise and entice customers or the lengths we go to find and groom suppliers and vendors. So why would we not spend a small portion to ensure our controls are sufficient to prevent or detect the tried and true as well as the newest fraud scenarios?

So, what kind of FRAs are available? Many people feel there is only one kind of FRA, a full-fledged assessment covering the entire organization with:
• Surveys to numerous managers and employees
• in-person and virtual interviews and brainstorming sessions involving executive, senior, and mid-level management and selected senior employees
• Scenario development
• Controls analysis across the organization for their consistency or not
• Development of a heat map showing the low to high fraud risks based on their impact and likelihood
Whew, I am tired just thinking and writing about one.
While a full FRA is certainly a great idea and needed at times such as:
• Recent merger or acquisition to determine new additional fraud risks
• Significant fraud loss
• Fraud loss by a senior management official
• Expansion to country that requires an FRA
• Company significantly expands into geographic area with high fraud risk
• Company significantly expands into a service or function they have no prior experience/expertise in

There are other less resource rich and more nimble ways to keep your fingers on historical, current, and future fraud risks in between a full FRA.

I will outline the ones I have used over the years and found them to be helpful and timely in educating the management and employee populations as well as detecting and preventing fraud risks and control gaps and weaknesses.

They are:
• Enhance the current or Add a section on Fraud Risk to the Annual Risk Assessment.
• Include 2 to 4 unscheduled reviews, time, and resources available, in Annual Audit Plan. Quarterly review of management requests, audits from previous 6 to 12 months, and/or Annual Risk Assessment rankings for unscheduled review candidates.
• Include a Fraud Risk Questionnaire in Internal Audit planning and share with the auditee for their input.
• Quarterly meeting with department representatives involved in investigations for fraud, ethics, cyber, and administrative violations. The goal is learning about respective current investigations for crossover, duplications, and department/function process education.
o Example: HR Employee Relations investigating management timecard misuse but felt funny. Internal Audit Investigations follow up review determined manager not misusing from lack of training but colluding with employee and intentionally abusing timecard for kickbacks.
• Form a special committee from selected departments to advise on current/potential fraud risks they are concerned about. Suggested areas are Finance, Accounting, Supply Chain, Sales, Marketing, Security, Ethics, Legal, HR/ER.

What we need to remember for any FRA is the goal is to not only make sure we identify and mitigate known and potential fraud risks, but also to educate our front-line defenders, the managers, and employees. They know the job, the area, and what is and is not suspicious; they just need education, guidance, and an escalation process. They are the tip of the spear to identify anomalies and suspicious activities and understand who to report to, their job is then done, except to provide support during the follow-on investigation.

I hope this provides some ideas on the different kinds of FRAs. In the next two articles I will share examples that have worked for me in various companies, and I hope they will provide templates for your use. Please remember that one size FRA does not fit all entities at any given time.

Other resources to consider on this topic can be found on:
Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA

Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like clarification on or related articles, please connect with me and I can share any you would like. My fraud risk assessment experiences have included healthcare and manufacturing environments.
George


In the last article we discussed whether a Fraud Risk Assessment (FRA) was a need or a waste?

My opinion is there is a need, and they are most assuredly a value add. We spend enormous amounts of time and money to hire, train, equip, and retain employees, not to mention the sums spent to advertise and entice customers or the lengths we go to find and groom suppliers and vendors. So why would we not spend a small portion to ensure our controls are sufficient to prevent or detect the tried and true as well as the newest fraud scenarios?

So, what kind of FRAs are available? Many people feel there is only one kind of FRA, a full-fledged assessment covering the entire organization with: • Surveys to numerous managers and employees • in-person and virtual interviews and brainstorming sessions involving executive, senior, and mid-level management and selected senior employees • Scenario development • Controls analysis across the organization for their consistency or not • Development of a heat map showing the low to high fraud risks based on their impact and likelihood Whew, I am tired just thinking and writing about one. While a full FRA is certainly a great idea and needed at times such as: • Recent merger or acquisition to determine new additional fraud risks • Significant fraud loss • Fraud loss by a senior management official • Expansion to country that requires an FRA • Company significantly expands into geographic area with high fraud risk • Company significantly expands into a service or function they have no prior experience/expertise in

There are other less resource rich and more nimble ways to keep your fingers on historical, current, and future fraud risks in between a full FRA.

I will outline the ones I have used over the years and found them to be helpful and timely in educating the management and employee populations as well as detecting and preventing fraud risks and control gaps and weaknesses.

They are: • Enhance the current or Add a section on Fraud Risk to the Annual Risk Assessment. • Include 2 to 4 unscheduled reviews, time, and resources available, in Annual Audit Plan. Quarterly review of management requests, audits from previous 6 to 12 months, and/or Annual Risk Assessment rankings for unscheduled review candidates. • Include a Fraud Risk Questionnaire in Internal Audit planning and share with the auditee for their input. • Quarterly meeting with department representatives involved in investigations for fraud, ethics, cyber, and administrative violations. The goal is learning about respective current investigations for crossover, duplications, and department/function process education. o Example: HR Employee Relations investigating management timecard misuse but felt funny. Internal Audit Investigations follow up review determined manager not misusing from lack of training but colluding with employee and intentionally abusing timecard for kickbacks. • Form a special committee from selected departments to advise on current/potential fraud risks they are concerned about. Suggested areas are Finance, Accounting, Supply Chain, Sales, Marketing, Security, Ethics, Legal, HR/ER.

What we need to remember for any FRA is the goal is to not only make sure we identify and mitigate known and potential fraud risks, but also to educate our front-line defenders, the managers, and employees. They know the job, the area, and what is and is not suspicious; they just need education, guidance, and an escalation process. They are the tip of the spear to identify anomalies and suspicious activities and understand who to report to, their job is then done, except to provide support during the follow-on investigation.

I hope this provides some ideas on the different kinds of FRAs. In the next two articles I will share examples that have worked for me in various companies, and I hope they will provide templates for your use. Please remember that one size FRA does not fit all entities at any given time.

Other resources to consider on this topic can be found on: Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA

Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like clarification on or related articles, please connect with me and I can share any you would like. My fraud risk assessment experiences have included healthcare and manufacturing environments. George


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →