“Fraud prevention is easy”, said no person, ever. An effective fraud prevention strategy is multi-faceted, requiring everyone in an organization to be on board – from the C-Suite to boots on the ground. For an organization to manage fraud risks and the inherent financial or reputational losses, it needs to know what the risks are, where the risks are, who may exploit any weaknesses, and what the ultimate cost to the organization might be if fraud occurs. The most effective and comprehensive way to identify such risks is via a fraud risk assessment. This process seeks to proactively identify and address the organization’s vulnerabilities to internal and external fraud and determine how the organization will respond to these risks. Not all organizations engage in the fraud risk assessment process. Leaders may not understand the importance of the exercise, may not know how to go about it, or they may not be willing to devote the necessary resources to do it. This can be a costly miscalculation, making an organization vulnerable to fraud and placing it in a reactive position, only capable of dealing with fraud after it occurs.
Preparing for the Fraud Risk Assessment

To be effective, the fraud risk assessment should fit within the culture of the organization. Leaders should embrace it as an important and valuable process, and everyone should be openly encouraged to participate. Those leading the process should be objective and given independence in conducting the work. Management must be willing to hear the good, the bad, and the ugly.

Appoint a facilitator experienced in interview techniques. Select an individual within the organization, or hire someone from outside it, who is an experienced interviewer with a good working knowledge of the business. This person will lead discussions in which a process is explored in detail. They will also need to facilitate difficult conversations in which those being interviewed must “think like a fraudster”. This is harder than it sounds, because it is difficult for honest people to think this way. In fact, many large-scale frauds would have been deemed unthinkable by the people closest to the events.

Select a specific process for assessment. It may be best to start with a process already perceived as “high risk”, or with a process where new elements are being considered, such as a new distribution system for an existing product.

Select individuals or groups to be interviewed. The first inclination is often to interview the manager of the process. However, it is most effective to engage those closest to the day-to-day processing. A skilled facilitator can help employees feel at ease in sharing their experiences and freely offering up what they see as vulnerabilities in the process. Brainstorming may include:
Fraud Risk Assessment Framework

It is helpful to use a framework for capturing information and reporting the results of the work. Results can be analyzed and reported both qualitatively and quantitatively. The framework should be tailored to the needs and culture of the organization so that no important factors are missed and insignificant information is left out. When assessing multiple processes, it can be helpful to develop a matrix (e.g., an Excel spreadsheet) incorporating elements that help prioritize processes by level of risk. The framework should capture, for each identified risk:

Type of Risk. Is the identified risk financial, regulatory, reputational, or a combination of these?

Likelihood and Significance. How likely is the fraud to occur? What is the potential cost or significance to the organization?

Possible Perpetrators. Who is likely to commit the fraud? What methods might they use?

Existing Mitigation. Are there controls in place? Are they preventive controls, which stop the activity before it happens, or detective controls, which identify the activity after the fact? Are the controls working effectively and efficiently? Can they be overridden?

Responding to Identified Risks

What risks remain as a result of ineffective or non-existent controls? How will the organization respond? Because it is not possible to eliminate all fraud risk, management must establish an acceptable level of risk based on business objectives and risk tolerance, i.e., its “risk appetite”. This will drive the organization’s response to the risks identified during the fraud risk assessment. Risks should be prioritized by their likely cost and by the likelihood that they will occur.

Next Steps

A fraud risk assessment is a living document. People, processes, products, distribution systems, and fraud schemes are subject to change. Therefore, the fraud risk assessment process requires continual monitoring in order to respond to these changes. A fraud risk assessment mindset should be built into the launch of any new process, product, or distribution system.

By incorporating a formal fraud risk assessment, an organization will have a clear view of the areas in which it is susceptible to fraud and of the controls implemented to address those vulnerabilities. It will have the ability to monitor the performance of key controls. This proactive awareness will enable more rapid correction of any deficiencies and minimize the impact if fraud is perpetrated against the organization. The ICA, in its support of fraud prevention, will be launching a fraud education course in the near future. Stay tuned!
1 Comment
John Hoffman
10/22/2025 09:36:48 am
Great blog with valuable takeaways. So true that you need to put in some time to assess risks!