Your Risk Management Magazine
Fraud risk management: part II

As discussed in part one, where directors do want to introduce an effective fraud risk management strategy (when they don’t, a code of conduct and a fraud and corruption policy are likely to be the full extent of fraud risk management), there is a chicken-and-egg situation at the top of most organisations as far as establishing the fraud risk appetite is concerned, in that:

• an accurate fraud risk analysis is very difficult if self-assessment methodologies are used

• the risk assessment does not usually include the Executive Directors.

For example, those organisations affected by Sarbanes-Oxley (“SOX”) are expending a great deal of effort on process mapping and evaluating control effectiveness in order to enable the CEO and CFO to sign the required management representations.

Yet this does not seem to have addressed the principal reason why SOX was brought into being, i.e. fraudulent behaviour by dishonest board executives.

To our knowledge, very few organisations have profiled the frauds which a dishonest chairman, CEO or CFO could commit should they be acting solely or in collusion.

Clearly, directors should be included in the fraud profiling exercise by ranking the different methods which they could use. For example:

Method: The CEO and CFO collude to acquire a “strategic” company at an inflated price, in exchange for a kickback to an offshore bank account.
Likelihood: High
Worst Case $ Loss: $50 million

Experience has shown that when looked at from this point of view, most organisations that think they have low fraud risks usually find exactly the opposite, particularly when the question is asked of the executive directors.

Performing an assessment based on methods which have in fact been used on many occasions by fraudsters provides a practical evaluation of fraud risks.

After listing the likelihood and worst case monetary loss in a fraud profile, senior managers can evaluate the consequence based on the effect on reputation and loss of market share, and the legal and regulatory impact according to a standard risk matrix as shown below.

Based on the likelihood and impact, an overall risk rating can then be assigned to each individual fraud risk according to the matrix and listed in the fraud profile as shown below:

Risk Reduction

Once the risks have been ranked in the fraud profile, additional controls can be identified to reduce those risks that the business does not want to carry.

Some controls can be implemented quickly, but others may require board decisions on strategic policy changes or significant capital expenditure. It is vital for these issues to be included in a risk register and reported at the board level, for example, to the audit committee.

Fraud risks should also be re-evaluated whenever major change initiatives are introduced, for example, new or re-engineered products or processes.

It is important that, where line managers believe a change initiative has created unacceptable fraud risks, there is a mechanism for them to report their concerns.

Proactive Fraud Detection

An important realisation for senior management is that however much they try to promote an honest, ethical culture throughout the organisation, they have little or no control over the personal factors which may motivate an employee to commit a fraud. These can range from gambling or drug addiction and financial difficulties to resentment against the employer.

The other problem is that even if strong controls are in place, fraudsters are very plausible and can convince honest employees to bypass controls in the belief that they are assisting the “customer”.

An organisation can significantly reduce the chances of large losses as a result of corporate fraud by putting in place a detection program either to prevent it succeeding in the first place or to catch it in its infancy.

There are some sound business reasons to embark on a proactive fraud detection program:

• The longer a fraud is allowed to run undetected, the larger the losses which build up. For example, there have been at least three recent cases where managers who were addicted to gambling stole relatively small amounts each week, but which built up over a number of years to total losses of $22 million, $19 million and $10 million respectively.

• Stakeholders are now aggressively seeking answers from senior management as to why frauds were allowed to run unchecked.

• The knowledge that there is an active detection program is a very good deterrent to someone thinking of committing a fraud.

• Actively looking for fraud may expose potential loopholes which have been overlooked.

An active detection program comprises two elements, red flags and proactive fraud detection.

Red Flags

There are occasions when the behaviour of an individual, or something about the look of a document or transaction, raises a question mark in the mind of an employee. Depending on how astute or alert the person is, the incident may either be ignored and quickly forgotten, or followed up, sometimes to expose a potentially serious problem.

Many frauds have been prevented because an employee noticed something and reported the suspicion. Unfortunately, many more frauds succeed because of a reluctance by employees to report their suspicions and because organisations have tended to discourage reporting and to punish whistleblowers.

Employees are averse to the personal risks associated with reporting fraud. Some positive initiatives are being taken to reduce those risks. For example, most publicly listed companies are introducing whistleblowing policies and procedures to provide a safe route for employees to report suspicions of potentially fraudulent or corrupt behaviour.

However, having a whistleblowing policy is one thing; training employees in what to look for and encouraging them to look is quite a different matter. This requires an understanding of red flags.

Red flags can include changes in a person’s behaviour, discrepancies or anomalies in the process or transactions, and alarms and warnings from systems monitoring.

All employees should be provided with fraud awareness training on potential red flags and how to respond to them.

Detection Routines

Once fraud risks have been identified, detection routines can be developed, comprising manual and automated tests. The internal auditor is ideally placed to develop such routines and integrate them into the audit program.

If there are 20-30 different methods in the fraud profile, then only the top 3 or 4 should be selected initially for proactive detection. Any more than that and the internal auditor risks losing sight of the normal audit program.
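As an added illustration (not from the article or its author) of the fraud profile ranking described under Risk Reduction and of selecting the top few methods for detection routines, the script below scores each profile entry against an assumed 3x3 likelihood/impact matrix and orders the results. The matrix, the loss thresholds and the sample profile (apart from the article's own CEO/CFO example) are constructed assumptions.

```python
# Added example, not from the article: scoring a fraud profile with an assumed
# 3x3 likelihood/impact matrix and picking the top entries for detection routines.

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
RATING_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Extreme": 4}

# Assumed standard risk matrix: (likelihood, impact) -> overall rating.
MATRIX = {
    (3, 3): "Extreme", (3, 2): "High",   (3, 1): "Medium",
    (2, 3): "High",    (2, 2): "Medium", (2, 1): "Low",
    (1, 3): "Medium",  (1, 2): "Low",    (1, 1): "Low",
}

def impact_band(worst_case_loss):
    """Map a worst-case $ loss to an impact band (assumed thresholds)."""
    if worst_case_loss >= 10_000_000:
        return 3
    if worst_case_loss >= 1_000_000:
        return 2
    return 1

def rate_entry(entry):
    """Overall rating from likelihood x impact; impact is the worse of the
    monetary band and the assessed reputational/legal consequence (1-3)."""
    impact = max(impact_band(entry["worst_case_loss"]), entry["consequence"])
    return MATRIX[(LIKELIHOOD[entry["likelihood"]], impact)]

def rank_profile(profile):
    """Profile entries sorted by rating, then worst-case loss, highest first."""
    key = lambda e: (RATING_ORDER[rate_entry(e)], e["worst_case_loss"])
    return sorted(profile, key=key, reverse=True)

def select_for_detection(profile, n=4):
    """Methods that should receive proactive detection routines first."""
    return [e["method"] for e in rank_profile(profile)[:n]]

# Constructed sample profile; the first entry is the article's own example.
SAMPLE_PROFILE = [
    {"method": "CEO/CFO collude on inflated acquisition for offshore kickback",
     "likelihood": "High", "worst_case_loss": 50_000_000, "consequence": 3},
    {"method": "Manager skims small weekly amounts over several years",
     "likelihood": "Medium", "worst_case_loss": 20_000_000, "consequence": 2},
    {"method": "Procurement officer takes kickbacks for inflated contracts",
     "likelihood": "Medium", "worst_case_loss": 2_000_000, "consequence": 2},
    {"method": "Payroll clerk creates a ghost employee",
     "likelihood": "Low", "worst_case_loss": 500_000, "consequence": 1},
    {"method": "Employee sells customer data to a competitor",
     "likelihood": "Low", "worst_case_loss": 800_000, "consequence": 3},
]
```

Each selected method is then the seed for a specific manual or automated detection routine in the audit program, and the remainder stay on the risk register for later cycles.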

The enhancements outlined in this paper are based on practical experience across a wide variety of organisations in Australia, the UK and Scandinavia. They should contribute towards a stronger fraud risk management strategy for any organisation.

Martin Samociuk is a director of Hibis Consulting and the author of several books on fraud risk management. Visit www.riskmanagementmagazine.com.au to read part I.

© 2012 Key Media Pty Ltd.