The word fraud understandably rings alarm bells. It is, after all, associated with high risks and the potential for financial, reputational, legal and other consequences that may in a worst-case scenario lead to closure of the business.
Despite this, organisations often fail to apply the attention required to prevent or minimise opportunities for fraud. According to the Association of Certified Fraud Examiners’ 2020 survey report, a single case of fraud costs an organisation an average of US$1.5m, and each year approximately 5% of organisational revenue is lost to fraud.
Yet, in the majority of organisations, the general attitude towards fraud is reactive and detective. Rather than adopting preventive measures, acting proactively to identify fraud risks and addressing concerns by improving the anti-fraud framework, organisations often ignore fraud risk unless or until they are forced to address it.
One way to proactively identify and manage fraud risk is to carry out a comprehensive assessment exercise. Traditionally organisations perform these to identify risks within their existing operations and framework and map them against the relevant controls. However, such exercises are not primarily focused on fraud-related risks and controls, so fraud risk is often overlooked.
As the name suggests, fraud risk assessment involves identifying inherent fraud risks within the organisation, determining relevant control measures to address such risks, and devising the appropriate risk management strategy to respond to the residual risk.
In the majority of organisations, the general attitude towards fraud is reactive and detective rather than proactive and preventive
How to add value
- Identify the fraud risks at an early stage and devise appropriate controls to reduce the fraud risk to an acceptable level
- Improve the internal control system
- Create a control environment that is unfavourable to fraud
In conducting an assessment, the following four-step approach is useful.
Identify the inherent fraud risk. Analyse key departments and processes to identify inherent fraud risks to the organisation’s operations, controls and business model. Categorise the fraud risks into relevant categories for ease of identification. Such categories might include asset misappropriation, bribery and corruption, misreporting, financial statement fraud, etc. Rate the inherent risks as high/medium/low, in accordance with the risk profiling approach.
Map controls. Perform walkthroughs to identify the design of controls which address the relevant inherent risks, and rate the controls according to their design effectiveness.
Identify and manage residual risk. Keeping in view the inherent risk rating and the design effectiveness of controls, it is possible to identify the residual risk. Organisations should then devise the appropriate risk management strategy – ie avoid, accept, reduce or transfer, according to the risk appetite and management approach – to address those residual risks.
Test and continuously improve. Operational testing of the controls should be carried out on a regular basis to ascertain their effectiveness. If required, the control ratings should be adjusted, and the residual risk response revised accordingly. Organisations should keep on updating their fraud risk register to fully benefit from this exercise.
A fraud risk assessment of the procurement process, for example, may identify the following risks:
- the procurement team disclosing confidential information to benefit certain service providers
- the intentional marking of certain vendors in the system as unqualified for various products so that a request for proposal will not be sent to them, benefiting other specific vendors
- those in charge of approving purchase orders having an interest, direct or indirect, in the service provider
Factors at play
The following factors are critical to a successful fraud risk assessment exercise.
Perception of employees. It is important to ensure that employees do not consider this exercise as evidence of a general lack of trust in them on the part of management. If the organisation is not able to appropriately communicate the purpose, requirement and process of this exercise to its employees, staff morale and trust may be adversely affected.
Skillset. It is imperative to ensure that people with the right skillset are on the team managing or carrying out this project. While the process and approach may seem similar to a normal risk assessment exercise, the skillset required to carry out a fraud risk assessment exercise effectively is subtly different.
Continuous improvement. Once the initial assessment has been successfully completed, the controls put in place should be tested at regular intervals and fraud risk registers updated to reflect the changing operations, style, structure and business model of the organisation.
While the probability of fraud risk is not high, a single case of fraud can shake up the entire organisational system, adversely impact management and employees, and subsequently affect the overall functioning of the organisation. It is high time that organisations change their approach to fraud risks and play a more active role in fraud risk management to safeguard their employees, assets and reputation.