How to Perform a Current State Assessment for Fraud Risk Management

Any business-focused organization is vulnerable to the effects of fraud. How do you avoid the losses resulting from wrongdoing, theft, and outright fraud? You implement a fraud risk management plan, which starts with a current state assessment.
The Role of Current State Assessment in Fraud Solutions
As a working auditor with over 45 years of experience in auditing, process improvement, and fraud risk management, and as an instructing auditor who has delivered 3,500 live, auditor-focused CPE technical and soft skills training programs to date, I have distilled the business fraud solution down to six key actions.
By bringing this fraud risk solution to your management or client team, you can be the auditing hero who solved a problem, saved huge untracked costs, and added materially to the bottom line. It might quite possibly be the single most important finding and recommendation of your entire career.
So, where do you start?
Step one takes barely five minutes. It’s what you and I call current state assessment.
This assessment plays a major role in developing your plan to prevent fraud. It shows you…
- What your current anti-fraud efforts look like
- Whether anti-fraud skills training is prioritized or not
- Where each employee fits into your plan
- Where there are gaps in your risk management response
- How to make improvements for better results
In short, it’s the first step—and not one you can afford to skip.
6 Questions to Answer in a Current State Assessment
By performing a current state assessment, you can figure out where you are right now. That way, you can determine what you need to do to get to where you want to be—your future state. Let’s see where your organization stands by answering the following questions.
- Has senior, middle, and first-level management been visible and vocal in setting expectations for every employee in fighting fraud?
If your answer isn’t a resounding “yes” but instead settles in at “Well, it depends on the manager, location, division…” or a hundred other variables, you have a problem. When the tone at the top isn’t clear, you have a problem. And when there exists a disconnect between that tone at the top and the reality of the tone and related actions in the middle and lower management levels, you have an even bigger problem.
So, are anti-fraud expectations communicated to every employee—“yes” or “no”?
- Are those expectations stated in writing?
For example, can you point to any specific written policy that states the four responsibilities below?
- Every manager is responsible for being aware of fraud and related risks in their areas of responsibility.
- Every manager is responsible for best faith efforts through controls and their team’s daily behaviors to prevent or deter these risks from causing damage.
- Every manager is responsible for best faith efforts through controls and their team’s daily behaviors to detect wrongdoing, theft, and fraud acts that slip through prevention efforts.
- Every manager is responsible for speaking up immediately and reporting both suspicions and actual fraud events.
So, “yes” or “no,” are these four responsibilities memorialized in writing?
- Does effective fraud risk brainstorming take place right down to the department level?
Again, if your answer is “It depends…” you have a problem. Department-level brainstorming is a must because it looks at what can go wrong in each department—not just the organization as a whole. The more granular you can get, the better.
So, does every department take part in fraud risk brainstorming? Do individual groups consider the documents, transactions, and relationships they handle?
- In your opinion, is the formal internal control environment sufficiently strong to manage fraud risks?
Having solid internal control procedures is crucial to fraud risk management. There need to be clear policies and access limitations. And those controls should meet your standards.
As you perform your current state assessment, don’t overthink this one. Just answer “yes” or “no.”
- Are the humans in your control environment sufficiently trained to fight fraud exposures “on their watch”?
It’s not just about training, either. You also need to ask if these individuals are interested in doing so. Do they have the supervisor and peer group support required to respond effectively to anything they would label as strange, odd, and curious in their work in real time?
Just answer “yes” or “no.”
- Have employees, especially first-level supervisors and middle-level managers, been adequately trained in fraud prevention and detection as it relates to their jobs?
I’m not just talking about awareness sessions. This should include in-depth skills-based prevention and detection of what comes across their desks and screens each day. Those in your organization should know how to address fraud in their day-to-day work.
Again, a simple “yes” or “no” answer is all that is required.
What to Do After Performing Your Assessment
Once you’ve performed your current state assessment, it’s time to add it up. Hopefully, it’s obvious: the more “yes” answers, the better. But any “no” answer needs attention right now.
Jot down every question you answered “no” to. Then, make it a priority to address those areas.
Remember—fighting business fraud is a campaign, not an occasional one-off effort. It needs to become part of every manager’s muscle memory so that the right reaction is automatic at the critical anti-fraud moments that arise every single day.
Get on the path to better fraud prevention by downloading our 6-Step Fraud Prevention Guide today!