Other Ways to Assess Fraud Risk
In my last article we discussed there are various ways to have a Fraud Risk Assessment (FRA) other than a resource intensive one.
Examples to consider include:
1. Include a Fraud Risk Questionnaire in Internal Audit planning and share with the auditee for their input. The questions should cover:
a. Last time they reported suspicious activity and to who?
b. Their knowledge of how and where to report suspicious activity (Hotline, Compliance, Internal Audit, Legal, etc.).
c. Fraud Awareness (aka: Policy Compliance and Employee Poor Choices) training. This is always fun because for the most part they do it, just do not realize they are. An example on timecards/card scan is each employee does their own card/scan. Consequences for punching in or scanning in another employee is generally termination and just like that they realize that is fraud awareness training. You can cover other areas like expense reports, corporate or P-card use, Accounts Payable, asset inventory order/check in/document, etc. This opens up a line of discussion and future education and collaboration.
d. Ethics education, compliance, Hotline use, and who to contact for questions.
e. Offer to share sample questionnaire upon request
2. Quarterly meeting with representatives from some/all for HR/Employee Relations, Cybersecurity, Ethics/Compliance, Security, Legal, and Internal Audit/Suspicious Financial Activity Unit. My luck with these meetings was to share the investigations each was working on, their status, if administrative action(s) planned hearing the allegation and investigation results could also lead to additional investigation from Internal Audit team if possible unrecognized financial fraud potential not part of the initial team’s investigation. Internal Audit would generally work in an advisory capacity with the initial team retaining control. The meeting was an exchange of each team’s work and if assistance or guidance was needed from another team or if the investigation should be transferred or if there were two or more investigations of different allegations involving the same person or department and how best to proceed with just one team taking control or forming a task force.
3. Form a Dirty Dozen Fraud Committee of department subject matter experts and hold periodic (quarterly) discussions/meetings for updates and insights on potential fraud risks in their areas. Additionally use them as a resource as needed for investigations.
4. Other ideas that help spread fraud awareness include:
a. Communication via organization intranet with high level and redacted information on relevant fraud investigations that show the policy(s) violated, if relevant control(s) in place and violated, in some instances how the case was reported, and the consequences to the employee and the control reviewer if they consistently failed to use the control that resulted in the fraud going on more than 2 or 3 review cycles. Z
This lets organization employees know there are policies and controls, and they are expected to be followed, there is a reporting process, and it is acted upon because there is zero tolerance for fraud.
b. Continuous Monitoring is always a great idea. A suggestion is to not label it as Fraud Monitoring, because fraud is determined after an investigation, not before. The monitoring identifies anomalies that need investigation to determine if there is:
i. Poor/Inadequate:
1. communications,
2. policies,
3. controls,
4. training,
ii. Employee arrogance to do it their way and not the policy/control directed way,
iii. Yes there are also intentional acts to circumvent the controls for employee personal gain.
The first 5 are policy non-compliant, but areas for management to address and mitigate. It is the sixth one that is fraud and needs referral to the appropriate investigations team for detailed follow-up.
I hope this provides some background on other ways to assess fraud risk.
Other resources to consider on this topic can be found on:
Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA
Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like clarification on this or related articles, please connect with me and I can share / comment on any you would like. My fraud risk assessment experiences have included healthcare and manufacturing environments.
George
In my last article we discussed there are various ways to have a Fraud Risk Assessment (FRA) other than a resource intensive one.
Examples to consider include: 1. Include a Fraud Risk Questionnaire in Internal Audit planning and share with the auditee for their input. The questions should cover: a. Last time they reported suspicious activity and to who? b. Their knowledge of how and where to report suspicious activity (Hotline, Compliance, Internal Audit, Legal, etc.). c. Fraud Awareness (aka: Policy Compliance and Employee Poor Choices) training. This is always fun because for the most part they do it, just do not realize they are. An example on timecards/card scan is each employee does their own card/scan. Consequences for punching in or scanning in another employee is generally termination and just like that they realize that is fraud awareness training. You can cover other areas like expense reports, corporate or P-card use, Accounts Payable, asset inventory order/check in/document, etc. This opens up a line of discussion and future education and collaboration. d. Ethics education, compliance, Hotline use, and who to contact for questions. e. Offer to share sample questionnaire upon request
Quarterly meeting with representatives from some/all for HR/Employee Relations, Cybersecurity, Ethics/Compliance, Security, Legal, and Internal Audit/Suspicious Financial Activity Unit. My luck with these meetings was to share the investigations each was working on, their status, if administrative action(s) planned hearing the allegation and investigation results could also lead to additional investigation from Internal Audit team if possible unrecognized financial fraud potential not part of the initial team’s investigation. Internal Audit would generally work in an advisory capacity with the initial team retaining control. The meeting was an exchange of each team’s work and if assistance or guidance was needed from another team or if the investigation should be transferred or if there were two or more investigations of different allegations involving the same person or department and how best to proceed with just one team taking control or forming a task force.
Form a Dirty Dozen Fraud Committee of department subject matter experts and hold periodic (quarterly) discussions/meetings for updates and insights on potential fraud risks in their areas. Additionally use them as a resource as needed for investigations.
Other ideas that help spread fraud awareness include: a. Communication via organization intranet with high level and redacted information on relevant fraud investigations that show the policy(s) violated, if relevant control(s) in place and violated, in some instances how the case was reported, and the consequences to the employee and the control reviewer if they consistently failed to use the control that resulted in the fraud going on more than 2 or 3 review cycles. Z
This lets organization employees know there are policies and controls, and they are expected to be followed, there is a reporting process, and it is acted upon because there is zero tolerance for fraud.
b. Continuous Monitoring is always a great idea. A suggestion is to not label it as Fraud Monitoring, because fraud is determined after an investigation, not before. The monitoring identifies anomalies that need investigation to determine if there is:
i. Poor/Inadequate:
1. communications,
2. policies,
3. controls,
4. training,
ii. Employee arrogance to do it their way and not the policy/control directed way,
iii. Yes there are also intentional acts to circumvent the controls for employee personal gain.
The first 5 are policy non-compliant, but areas for management to address and mitigate. It is the sixth one that is fraud and needs referral to the appropriate investigations team for detailed follow-up.
I hope this provides some background on other ways to assess fraud risk.
Other resources to consider on this topic can be found on:
Association of Certified Fraud Examiners - https://www.acfe.com/search?s=ethics
Institute of Internal Auditors - Global Resources in Internal Audit | The IIA
Please let me know if I can help or be a resource for your questions / comments on the content of this article. If you would like clarification on this or related articles, please connect with me and I can share / comment on any you would like. My fraud risk assessment experiences have included healthcare and manufacturing environments. George
Read more