This post was originally published on November 30, 2017. It was updated on January 17, 2019.
Fraud risk threatens firms of all sizes, and managing that risk starts at the top.
The median loss from a single case of occupational fraud is $130,000, with 22% of cases resulting in losses of $1 million or more, according to the 2018 ACFE Report to the Nations on Occupational Fraud and Abuse published by the Association of Certified Fraud Examiners. The global fraud study also found that the median loss was six times greater when owners or executives committed fraud than when employees did.
To effectively manage fraud risk, it’s important to maintain a proper corporate governance structure along with effective policies and procedures for fraud risk assessment, fraud prevention, fraud detection, and fraud investigation.
Managing fraud risk
Role of board of directors
A proper corporate governance structure begins with the board of directors, whose job is to:
- implement an effective business ethics program;
- understand fraud risks;
- maintain oversight of fraud risk assessment;
- monitor management fraud and control-related activities;
- oversee internal controls established by management;
- set the appropriate tone at the top;
- have the ability to retain and pay outside experts; and
- provide to external auditors evidence of active involvement.
Achieving these objectives requires a strong commitment, fraud awareness, an affirmation process, disclosure of conflicts of interest, active and ongoing fraud risk assessment, fraud reporting procedures (e.g., hotlines) and whistleblower protection, corrective actions, ongoing process evaluation and improvement, and continuous monitoring.
Role of audit committee
In larger firms, the board typically delegates its fraud risk management responsibilities to the audit committee. The audit committee should comprise independent board members, include at least one financial expert (preferably an accountant), and meet regularly alone with the internal auditor and out of the presence of management.
The audit committee must be proactive in overseeing fraud risk management to minimize risk. It must have a good, open dialog with the external auditor, especially with respect to fraud issues and risks. It should also have good, open lines of communication with legal counsel with whom it should consult when fraud is suspected.
Role of firm management
Although the audit committee serves as the overseer, management is responsible for designing and implementing the fraud risk management program. To minimize risk, management must set the correct tone at the top for the organization, implement adequate internal controls, and report to the board on fraud management policies and procedures so that their effectiveness can be evaluated. In many companies, one representative of management (e.g., a chief ethics officer) reports to the board of directors regarding fraud risk management efforts.
All levels of management (and staff) should:
- understand fraud and its red flags;
- understand their roles in the internal control framework;
- read and understand policy and procedure manuals;
- participate as required in creating and designing a strong control environment;
- participate in monitoring activities;
- report suspicions or incidents of fraud; and
- cooperate in investigations.
Role of internal auditor
The role of the internal auditor is especially important. The internal auditor should provide assurances to the board (via the audit committee) that fraud controls are sufficient for the risks and are functioning effectively. As part of accomplishing this task, the internal auditor should review the adequacy of identified risks, especially risks relating to management override.
The internal auditor’s role and responsibilities should be expressed in a written charter approved by the board. This charter should spell out in detail the internal auditor’s roles and responsibilities for fraud risk management, including those in relation to investigations, monitoring whistle-blowing reports and processes, providing ethics training, and maintaining a code of conduct.
Smaller firms may not have the resources of larger firms to design and implement policies and procedures to minimize fraud risk. The board or managers of such firms can design a system that weighs the trade-offs of costs and benefits of a fraud management system. If a firm does not have internal resources to assess the trade-offs and implement a system, an outside firm with risk and forensic advisory expertise can assist.
Fraud risk assessment
Given a strong governance structure, the focus should be on effective processes for fraud risk assessment (which, in turn, must be followed by a focus on fraud prevention, fraud detection, and fraud investigation). Fraud risk assessment must be considered within the larger context of enterprise risk management.
The three key elements of fraud risk assessment are 1) identifying inherent fraud risk (i.e., the risk of fraud), 2) assessing the likelihood and significance of each inherent fraud risk, and 3) responding to likely and significant inherent risks.
Management should appoint a risk assessment team that includes accounting and finance personnel, legal counsel, risk management personnel, internal audit staff, and any other persons who may be helpful. The team should brainstorm to identify fraud risks. In order to accomplish this task, the team must understand the population of fraud risks as such risks relate to fraudulent financial reporting, misappropriation, and corruption.
When surveying the population of fraud risks, the team should consider the following:
- Incentives, pressures, and opportunities
- The risk of management override of controls
- Information technology as it relates to fraud risk
- Regulatory, legal, and reputation fraud risks
When assessing the likelihood and significance of identified inherent fraud risks, the fraud risk assessment team should consider the following:
- The past history of the fraud in the organization
- The incidence of the fraud in the industry
- The complexity of the risk
- The risks for particular individuals or departments
- The number of people and transactions involved
When estimating significance, the team should consider significance to the organization’s operations, brand value, reputation, and legal liability (criminal, civil, and regulatory). An adequate procedure is to assign one of three likelihoods to each identified inherent risk: remote, reasonably possible, or probable. Alternatively, one could assign more than three likelihoods to each risk.
The team should discuss with management and the board the appropriate responses to residual risks (i.e., risks that remain after a given set of controls is in place). Options include accepting residual risks based on their perceived likelihood and significance or increasing the level of controls to compensate.
The team’s fraud risk assessment should be documented using a structured framework, and the team should discuss its findings with the audit committee. The entire process should be iterative and ongoing, with a focus on continuous improvement. An outside risk advisory professional can assist in the assessment if the firm does not have adequate resources in-house.
NOTE: This material is adapted from the following text:
Essentials of Forensic Accounting, Michael A. Crain, William S. Hopwood, Carl Pacini, George R. Young, Copyright 2015. American Institute of Certified Public Accountants, Inc. All rights reserved. Reprinted with permission.