At least twice every week, a seminar participant will ask about how to conduct a useful fraud risk assessment. Here’s why.
Starting with the Sarbanes-Oxley Act in 2002, regulatory initiatives have suggested or required that organizations perform a ‘fraud risk assessment’. Unfortunately, there’s minimal guidance out there on exactly what’s involved and how far to go. Result: the large consulting and accounting firms push for efforts and documentation that go far beyond what was intended or needed. Bonus revenue for them; extra effort and low-value results for organizations.
Fraud Risk Assessment should ask and answer the simple question, “What Could Go Wrong?” Answers should specifically include these five major categories of
• Misappropriation or theft of both hard and soft assets, including proprietary business and personal information
• Intentional misrepresentation of financial information, whether used internally for analysis and decisions or released externally to investors, partners, regulators, lenders and others
• Intentional misrepresentation of non-financial information, including program results, product safety, market conduct, or any other important non-financial information used by decision makers or those responsible for oversight
• Corruption and Shadow Deals, including any ‘corruption’ of relationships with third parties like vendors, suppliers, contractors, agents, partners or others through kickbacks, bribes, extortion, collusion or other wrongful non-transparent actions
• Exposures unique to the organization, such as cyber-crime involving medical records, product formulas, key employee data, marketing plans, customer lists, technology code, research results and any other information stored in electronic form
Step one in any meaningful fraud risk assessment is framing what’s to be included in answering the core question of what could go wrong at the entity, operating and transaction level.
Easy enough to say, but just how do you do it? Read on!
Here the path often splits into two possible directions.
Formal Brainstorming Teams
If you prefer to assemble a formal team to handle the bulk of the risk brainstorming, here’s who should be on the team.
1. Finance & Accounting experts
2. Business & Operations experts
3. Risk Management experts
4. Legal & Compliance experts
5. Information technology security experts
6. Auditing experts
7. Fraud and Loss Prevention experts
Increasingly, the position of Chief Risk Officer is being added to the roster of C-level leaders. This position is often required in financial services, insurance, investments, technology and other industries. If your organization has designated a Chief Risk Officer, this person should not only be on your Fraud Risk Assessment team, they should be leading it!
Informal Brainstorming Teams
Many organizations choose a less formal approach to brainstorming fraud risks. Here, brainstorming occurs at the work team level. Discussions are held in staff meetings and one-on-one between supervisors and subordinates. Emphasis is on department and transaction level exposures employees might see in their daily work. Informal lists of what could go wrong are the result.
Work-group brainstorming usually surfaces dozens of risks that formal high-level teams miss. First-level employees and supervisors who are down in the trenches are the ones positioned to identify the nitty-gritty fraud schemes.
The challenge is the potential for inconsistent quality simply because brainstorming is delegated to dozens or perhaps thousands of work-group teams. And then there needs to be a formal mechanism for collecting and collating risk lists. Clear instructions from on high can help. But as with any mandated initiative, consistency of execution in brainstorming, documenting and summarizing risks will vary widely.
Blended Brainstorming Efforts
The best brainstorming results come from a blend of formal and informal efforts. A formal team is identified and charged with coordinating the fraud risk assessment efforts. This team develops and provides instructions and training for work-group level teams to use as they brainstorm and record fraud risks. The combination of formal high-level and informal work-group and transaction level brainstorming provides the best one-two punch combination needed to ensure a meaningful and comprehensive result.
Regardless of how formally you organize your fraud risk assessment efforts, one key action accelerator is essential. All involved must ‘think like a thief’. Here’s what
A thief (or fraudster, if you prefer) looks at controls as something to be defeated. They view management oversight, analysis, monitoring and approval as steps to be circumvented. They are constantly looking for ways to scam the system for their own benefit. They consider how to commit wrongful acts, convert their actions to what they need, and conceal what they have done. They are willing to lie verbally and in the records. Thieves think through the paperwork trail, consider how to fool approvers, and even what general ledger account to charge with their schemes.
This is an area where audit, loss prevention and external experts can really help because they are already familiar with the weaknesses in the control environment.
Thinking like a thief is not just a suggestion – it’s the instruction that is at the very core of fraud risk assessment efforts. Thinking like an honest person won’t do it. Honest people can come up with a hundred different reasons why fraud won’t occur and go undetected on their watch. Thieves think in exactly the opposite manner. They believe it can occur and that they will get away with it.
Brainstorming fraud risks is based on assuming that fraud can, will or already has occurred. Controls and behaviors to plug those opportunities come next.
John J. Hall, CPA, is an author, speaker and results expert who presents around the world at conventions, corporate meetings and association events. Throughout his 35-year career as a business consultant, corporate executive and professional speaker, John has helped organizations and individuals achieve measurable results. He inspires audience members in corporations, not-for-profit organizations and professional associations to step up, take action and “do what you can.”