Online Exclusive

When thinking about fraud, consider your risk

"We don't have a lot of fraud." This unrealistic, and in my experience common, sentiment can lead to costly and disastrous outcomes. The fact is, organizations don't know how much fraud they have because fraud is invisible until they discover it. If you assume you have very little fraud, you'll pay for it. The ACFE's 2016 Report to the Nations estimates the typical organization loses 5 percent of its annual revenues to fraud. However, the range of fraud loss can run far higher. Where your organization lies in that range depends in large part on the kind of business you're in and how seriously you manage your fraud risk. The more fraud-aware your organization is, the stronger your anti-fraud controls, and the less fraud you're likely to experience.

You can address fraud either reactively or proactively. While proactively dealing with fraud through preventive efforts is the more effective approach, surprisingly few organizations take a proactive approach to fraud risk management. This is because fraud feels like a back-burner issue — something to help your P&L statements at the margins, if at all. However, organizations and government agencies that have experienced large and embarrassing fraud events will be the first to tell you that if they could've prevented the event in the first place, they would've. If your organization's name becomes synonymous with fraud, you aren't just hit with burdensome financial costs — you'll also have a public relations nightmare.

You might work for an organization that has been looking for ways to prevent fraud for years. You also might have been trying to persuade management to learn the techniques of fraud examination. CFEs and C-suite executives (and all those in between) can glean practical fraud risk assessment insight using the following tools and methods.

How should organizations consider their fraud risk exposure?

In September 2016, the ACFE and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) jointly issued the Fraud Risk Management Guide, which provides a framework for a proactive fraud risk management approach. (See Figure 1 below.) The guide describes five phases of a fraud risk management program:

Figure 1: Ongoing, comprehensive fraud risk management process (from the Fraud Risk Management Guide).

  • A governance structure with top-level commitment to anti-fraud efforts. 
  • The formal assessment of fraud risks. 
  • The development of mitigating control activities aimed at the highest risk areas.
  • A fraud reporting process and an approach for investigating fraud. 
  • An oversight and monitoring function to ensure controls are functioning properly and new fraud schemes are considered.

The U.S. Government Accountability Office (GAO) also issued its Framework for Managing Fraud Risks in Federal Programs in July 2015, which describes a similar, four-phased approach for agency program managers to develop robust anti-fraud programs.

Fraud risk assessment done right

Fraud risk assessment, which has gained momentum in recent years, is no longer confined to financial statement audits. C-level executives of large organizations are getting ahead of their fraud problems by increasingly charging senior executives with fraud risk management responsibilities and conducting comprehensive, enterprise-level fraud risk assessments.

A fraud risk assessment can take many forms. Here are some important keys to success.

Information-based assessments, rather than perception-based ones, can yield better results. A common way to assess fraud risk is to survey staff across an organization to gauge their perceptions about the likelihood of fraud. When you ask employees to rank likelihood and impact on a five-point scale, you'll get back specific numbers from them. But the reliability of those numbers can vary widely depending on the clarity and context of the survey questions. For example, if you ask respondents to rank the risk posed by the exposure of personally identifiable information (PII), they might interpret the risk as large-scale cyberattacks or as employees inadvertently leaving hard copies of sensitive information on printers. The likelihood of those two events occurring is very different. Hence, some risk-assessment methodologies can provide only limited value.

A better approach is to map out potential entry points for fraud across your organization (such as the product types and channels) and design a set of questions aimed at assessing the strength of controls to protect those entry points. If you standardize the questions, you can easily convert the results into a scoring rubric that will yield a quantitative risk score for each business function. You can then prioritize risk areas across your organization.

Scenario-based risk assessment can be more effective. Identify risks by developing a common set of fraud scenarios to which your organization might be vulnerable. A fraud scenario library can be a useful artifact. Write fraud risk questions based on these vetted scenarios. Regularly update the library as fraud schemes evolve.

Facilitated fraud risk workshops are vital. Any passive risk-assessment process, no matter how well-designed, will only get you so far. The results can provide a baseline, but you should then conduct in-depth fraud risk workshops with key stakeholders to discuss specific risks and controls. These sessions allow participants to think like fraudsters and consider how schemes could be perpetrated under the existing controls. Participants often have "aha!" moments when they see which controls could easily be circumvented. Fraud risk workshops can be time-consuming, so it's best to start with a structured interview process and use the results to target the highest risk areas for facilitated workshops.

Consider the environment. Risk assessment is more successful in organizations that are comfortable talking about risk. If your organization believes risk is a menacing word, the stakeholders involved in the process might be less inclined to provide honest assessments and less likely to consider the possibility that fraud could occur. When stakeholders feel assured the organization won't point its finger at them when they identify weak or nonexistent controls, they're more likely to provide honest feedback. You can mitigate this by writing survey questions that reduce bias.

For example, instead of asking, "How effectively do you verify self-reported information?" you can ask, "Do you verify self-reported information when adjudicating applications? If yes, how many databases do you check when you verify this information? Do you verify the information using internal or third-party data? Have there been any known reliability concerns with the data you use to verify information?" By asking process-specific questions, the responses will be more reliable — staff will be less likely to say everything is working great when they're forced to simply describe their process — which provides a better sense of the risk. It also helps to explain the process as a collaborative effort to identify and mitigate the organization's vulnerabilities.

Likewise, staff often assume customers, vendors and colleagues have the best intentions. This optimism limits staff's skepticism — a crucial aspect of effective anti-fraud efforts. As you develop a more risk-aware culture, be sure to discuss fraud schemes during regular anti-fraud training to build awareness of fraud potential.

Success is iterative. See the first fraud risk assessment as a baseline and include lessons learned in the next assessment. Fraud risk assessment is more art than science and will be more effective at some organizations than others.

Effectively managing your organization's fraud risk can be a long process. In the beginning, any assessment is better than none. Build a fraud scenario library, initiate anti-fraud training to enhance the organizational buy-in and design a structured survey to collect information from staff and stakeholders within your organization. Once you've established a baseline, subsequent steps will help your organization raise awareness about fraud lurking in the shadows.

Linda Miller leads the fraud risk practice at Grant Thornton. She was the principal author of the GAO's "Framework for Managing Fraud Risks in Federal Programs," and she served on the task force for the COSO/ACFE Fraud Risk Management Guide. Her email address is: linda.s.miller@us.gt.com.