Sample – Fraud Risk Universe
In addition to establishing an ethical environment, board members and management must also take the lead in implementing and maintaining a formal fraud risk management program. One key element of such a program is a fraud risk assessment, which should be updated at least annually, or more frequently if conditions warrant. Recall that GRC stands for Governance, Risk, and Compliance, and the order is deliberate: it is a waterfall concept, meaning that good governance includes risk management, and risk management should drive the compliance initiative or program. Why? Because you cannot design an effective compliance program to deter fraud, including bribery and corruption, unless you understand the risks your organization faces.
The risk assessment, which some say is easy and I disagree, should identify: the fraud schemes and acts that could potentially occur; the concealment strategies a fraudster could use to avoid detection; the possible conversion tactics (how the proceeds would be turned to the fraudster’s benefit); the individuals or gatekeepers who pose the highest risk of committing fraud; the controls in place to deter or detect fraud; and a list of warning signals or “red flags”, which are useful in many ways, including assessing the design of controls.
The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organization then does with them; in other words, as Tom Fox and Jay Rosen put it, “How is it operationalized?” (see the Practice Pointer below).
Here is my recipe:
1. Identify, understand, and evaluate the company’s operating environment and the pressures that exist.
2. Understand the strategy and objectives put forth. This helps with assessing pressure and possible override.
3. Evaluate and determine your Fraud Risk Universe (see graphic above).
4. Identify the business processes and consider differences across the organization.
5. Review prior frauds and fraud experience for the process being evaluated.
6. Consider, at a minimum: audit results, investigations, results of root cause analysis, recent litigation or settlements, compliance complaints, employee claims, industry enforcement trends, and the existence and sufficiency of policies covering the area.
7. Identify the process owner for each process.
8. Identify how fraud may occur (fraud schemes) in each process and at each location, through interviews and meetings.
9. Look at the potential fraud manifestations (scenarios) within each process and location.
10. Identify the parties and profile (not stereotype) the individuals who have the ability to commit the potential fraud: process owners, gatekeepers and others who are competent and arrogant enough to override controls, where controls exist, and misbehave.
11. Evaluate the likelihood that each identified fraud could occur and be significant, and how pervasive it could be, without taking existing controls into account and allowing for the possibility of management override of those controls.
12. Consider the strategy to commit and conceal the fraud, and the conversion of its proceeds, to determine the effort and controls required to prevent, detect and deter it.
13. Identify red flags by reviewing the fraud schemes, scenarios, concealment strategy and conversion. This helps in evaluating the controls that are or should be in place, and their design. These “red flags” can be organized into four general categories:
Transaction Anomalies
• Transactions conducted at unusual times of day, on weekends or holidays, or during a season when such transactions normally do not occur;
• Transactions that occur more frequently than expected, or not frequently enough;
• Accounts with many large, round numbers, or transactions that are unusually large or small; and
• Transactions with questionable parties, including related parties or unrecognized vendors.
Document Anomalies
• Missing or altered documents;
• Evidence of backdated documents;
• Missing or unavailable originals;
• Documents that conflict with one another; and
• Questionable or missing signatures.
Lack of Controls
• Unwillingness to remediate gaps;
• Inconsistent or nonexistent monitoring controls;
• Lack of a clear management position on conflicts of interest;
• Inadequate segregation of duties;
• Lax rules regarding transaction authorization; and
• Failure to reconcile accounts in a timely manner.
Behavioral Red Flags
• Rationalization, changes in behavior, contradictory behavior or recurring negative behavior patterns;
• Lack of stability;
• Inadequate income for the individual’s lifestyle;
• Resentment of superiors and frustration with the job;
• Emotional trauma in home or work life; and
• Undue expectations from family, company or community.
14. Determine the appropriate audit response and investigate the characteristics of potential fraud manifestations within each process identified where “Residual Fraud Risk” exists.
15. Remediate fraud risk by designing control activities or by exiting/ending the activity, relationship, etc.
16. Harmonize. Make sure the fraud risks identified are evaluated consistently and are in sync with your enterprise-wide risk assessment and the other risk assessments you have done. A savvy regulator will notice if they are not, and could conclude that, from a governance perspective, your risk management program is deficient and siloed.
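The transaction and control red flags in step 13 (off-hours postings, unusual frequency, large round amounts, unrecognized or related-party vendors, missing segregation of duties) are the ones that can be turned directly into screening rules over a payment ledger. The following is an added example of such screening, written for this page; it is not code from the original post, from Crowe or from the ACFE. The vendor master, related-party list, expected monthly cadence, business-hours window, round-amount threshold and the seven sample payments are all constructed for illustration, and the thresholds (twice or half the expected cadence) are assumptions a real program would calibrate against its own history.

```python
"""Rule-based screening of payment records for the transaction and
control red flags listed in the recipe above.

Added example, not code from the original post. The vendor master, the
related-party list, the expected monthly cadence and the sample ledger
are constructed; the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed reference data (assumptions, not from the post).
APPROVED_VENDORS = {"V100", "V200", "V300"}           # vendor master file
RELATED_PARTIES = {"V300"}                            # vendor tied to an employee
EXPECTED_MONTHLY = {"V100": 5, "V200": 1, "V300": 2}  # normal payment cadence
BUSINESS_HOURS = range(7, 19)                         # 07:00-18:59 local time
ROUND_MIN = 1000.0                                    # what counts as a "large" round amount


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor: str
    amount: float
    posted: datetime
    submitted_by: str
    approved_by: str


# Constructed sample ledger: one month of payments with a few planted anomalies.
SAMPLE_LEDGER = [
    Payment("T1", "V100", 1250.37, datetime(2024, 3, 5, 10, 15), "bob", "alice"),
    Payment("T2", "V100", 5000.00, datetime(2024, 3, 9, 23, 40), "bob", "alice"),   # Saturday night
    Payment("T3", "V999", 4800.00, datetime(2024, 3, 14, 14, 0), "carol", "alice"),  # not in vendor master
    Payment("T4", "V300", 980.50, datetime(2024, 3, 15, 16, 30), "dave", "dave"),    # related party, self-approved
    Payment("T5", "V200", 1200.00, datetime(2024, 3, 18, 9, 0), "bob", "alice"),
    Payment("T6", "V200", 1200.00, datetime(2024, 3, 25, 9, 5), "bob", "alice"),
    Payment("T7", "V200", 700.00, datetime(2024, 3, 27, 11, 0), "bob", "alice"),
]


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def is_large_round(amount: float) -> bool:
    """Large amounts that are an exact multiple of 100 rarely come from real invoices."""
    return amount >= ROUND_MIN and amount % 100 == 0


def screen_payment(p: Payment) -> list[str]:
    """Transaction-level red flags for one record, returned in a fixed order."""
    flags = []
    if p.vendor not in APPROVED_VENDORS:
        flags.append("unrecognized vendor")
    if p.vendor in RELATED_PARTIES:
        flags.append("related party")
    if is_off_hours(p.posted):
        flags.append("off-hours posting")
    if is_large_round(p.amount):
        flags.append("round amount")
    if p.submitted_by == p.approved_by:
        flags.append("self-approved (segregation of duties)")
    return flags


def screen_frequency(ledger, expected=EXPECTED_MONTHLY) -> dict:
    """Vendor-level red flags: paid more than twice, or less than half, as often as expected.
    Vendors with an expected cadence but no payments at all in a month are also caught."""
    counts = Counter((p.vendor, p.posted.strftime("%Y-%m")) for p in ledger)
    months = {month for _, month in counts}
    flags = {}
    for vendor, exp in expected.items():
        for month in sorted(months):
            n = counts.get((vendor, month), 0)
            if n > 2 * exp:
                flags[(vendor, month)] = f"{n} payments vs {exp} expected: too frequent"
            elif 2 * n < exp:
                flags[(vendor, month)] = f"{n} payments vs {exp} expected: too infrequent"
    return flags


def screen_ledger(ledger):
    """Return (per-transaction flags keyed by txn_id, per-vendor-month frequency flags)."""
    txn_flags = {p.txn_id: screen_payment(p) for p in ledger}
    return txn_flags, screen_frequency(ledger)


if __name__ == "__main__":
    txn_flags, freq_flags = screen_ledger(SAMPLE_LEDGER)
    for txn_id, flags in txn_flags.items():
        if flags:
            print(txn_id, "; ".join(flags))
    for (vendor, month), message in freq_flags.items():
        print(vendor, month, message)
```

Each rule maps to one bullet in the red-flag list, which is what makes the output useful for step 13: a record that trips several rules at once (T2 and T4 above) is where control design should be re-examined first, and the frequency check is deliberately two-sided, since a vendor that suddenly stops being paid can be as telling as one paid too often.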
Practice Pointer – Compliance, internal audit, legal, and the organization’s stakeholders can use the results of, or operationalize, the fraud risk assessment, including the identified “red flags”, to fine-tune controls, policies, procedures, training, and testing strategies and programs.
Please reach out to me if you have any comments or questions.
Have a great weekend!
Attribution – My former firm Crowe and the ACFE