Fraud can affect virtually any organization and fraud costs can be far more than just monetary losses.
The Association of Certified Fraud Examiners ("ACFE") conducts surveys of its Certified Fraud Examiner (CFE) members every two years and reports findings from these surveys in a publication entitled Reports to the Nations. In its 2016 Report to the Nations, the ACFE estimates that the typical organization loses 5% of their revenues to fraud every year. The effects of fraud can go beyond simple dollar losses and include harm to the organization's reputation, employee morale, legal costs, and erosion of confidence by investors among other negative effects.
Consider the Wells Fargo fraud that received extensive media coverage in the Fall of 2016. Wells Fargo negotiated a $185 million settlement with regulators including the Consumer Financial Protection Bureau and will also pay refunds customers. The basis for the action was the opening of fee-generating accounts not authorized by customers. In the aftermath of the publicity, Wells Fargo started its own public relations campaign, taking out large ads to apologize to its customers and attempt to restore customer trust. The bank also devoted part of its own website to publishing for customers actions it is taking to "make things right." In March 2017, Wells Fargo agreed in principle to the terms to settle a class-action lawsuit by affected customers for a reported $110 million. The Office of the Comptroller of Currency imposed tighter controls on the bank, including a requirement that changes in executive leadership for the bank be approved by this regulatory body.
One of the lessons from the Wells Fargo matter that should be considered by all organizations' management is the importance of anti-fraud programs. According to Managing the Business Risk of Fraud: A Practical Guide, a publication sponsored by the Institute of Internal Auditors ("IIA"), the Association of International Certified Professional Accountants ("AICPA") and the ACFE, "Only through a diligent and ongoing effort can an organization protect itself against significant acts of fraud." The guide goes on to state five principles for establishing managing fraud risk. One of these principles is that, "Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate."
A fraud risk assessment is not a one-size-fits-all exercise. An effective fraud risk assessment needs to be structured and address the specific risks that apply directly or indirectly to the organization. The fraud risk assessment can be part of the assessment of overall risks to the organization, or it may be conducted separately.
The key elements of a fraud risk assessment are:
1. Identification of risks
2. Assessment of the likelihood of the risk
3. Assessment of the significance of the risk
4. Development of a risk response.
An effective risk identification process will involve an analysis of the incentives, pressures and opportunities for fraud. Using the Wells Fargo matter as an example, management would have considered the pressures that front-line employees experienced from senior management to meet customer quotas. A fraud risk assessment surrounding the account opening process would take into consideration the tie between compensation of individual employees and the opening of fee-generating accounts, as this compensation could become the incentive to commit fraud. The next consideration would be an evaluation of whether an opportunity would exist to open an account without the customer's explicit approval.
In designing a fraud risk assessment process, it is helpful to remember the definition of fraud and attempt to anticipate the behavior of the potential fraudster. Although several definitions of fraud exist, this one, found in Managing the Business Risk of Fraud: A Practical Guide is one that helps set the proper mindset for the fraud risk assessment:
"Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain."
This broad definition is helpful because it allows for organizations to consider deceptive practices that may harm a variety of victims or enrich the perpetrator in less than obvious ways. In considering "victims", a proper fraud risk assessment should consider that the initial victim could be the organization that employs the potential fraudster or it could be the customers of that organization, or others who do business with the potential fraudster's organization. Harm to an organization's reputation must not be overlooked when considering fraud risks, nor is it acceptable to overlook the severe consequences that could result from regulatory noncompliance associated with deceptive practices.
A proper fraud risk assessment starts with assembling the correct team. The most effective risk assessments are generated when people with differing knowledge, skills and perspectives are part of the team. The team may include external sources, particularly those well-versed in anti-fraud programs. The organization's external financial statement auditors may be involved as well. Internally, the team should be drawn from the following departments:
1. Business units/operations
2. Risk management
3. Legal and compliance
4. Accounting and finance
5. Internal audit
6. Sales and marketing
7. Human resources
It goes without saying that the team should have the full support of senior management, and management at all levels should be involved in the process, as ultimately, management is accountable for the anti-fraud program. To be effective, a fraud risk assessment must be systematic and recurring. Therefore, communication and effective working relationships among the team members is vital to the success. Brainstorming about potential risks is an essential part of the process, so setting the right tone for the work of the assessment team is another key success factor. The "tone at the top" should be one that conveys a strong commitment to preventing and detecting fraud and adherence to a code of ethics. A skeptical, questioning mindset on the part of the team is critical, but senior management in establishing the tone at the top must convey its respect for the mindset and welcome the opportunity to engage with the team in assessing risks.
The Association of Certified Fraud Examiners makes available to its members fraud assessment tools that can be used for information gathering and analysis. Including a CFE as part of your team can be invaluable not only for the fraud insights a CFE, but also for his or her access to the various resources offered by the ACFE. Likewise, members of the IIA have access to a variety of resources, and their independence from operating departments and from the accounting and reporting functions enables internal auditors to provide valuable assistance in assessing fraud risk. A qualified internal auditor will be skilled at interviewing and may recommend some ideal techniques for organizing interview questions. While including CFEs and internal auditors in the risk assessment is very helpful, it is important to recognize that management is responsible for the anti-fraud program as a whole and the involvement of various members of the organization will be critical to the success of the fraud risk assessment.
Some of the key questions to be answered are: How might a person exploit a weakness in the system of internal controls? Could a perpetrator override or circumvent controls? How? What might a perpetrator do to conceal the fraud? Addressing these questions requires that skeptical, questioning mindset and discourages the kind of thinking that says: "fraud can't happen here."
Choosing and Using a Framework
An effective fraud risk assessment involves a structured and documented approach. As stated above, the first step is to identify fraud risks, but that is only the beginning. The organization needs to assess the likelihood and significance of the fraud risk and develop a response to the risk. In order to be effective, some type of written tool must be employed. The actual tools used will vary according to the complexities of the operations, but a possible chart like the one found in Managing the Business Risk of Fraud: A Practical Guide, may be effective:
The first column, "identified risks", should be the product of brainstorming on the part of the risk assessment team. The population of risks to consider would include financial statement manipulation, asset misappropriation and corruption, which would include bribery, kickbacks and unauthorized gratuities and could also include aiding and abetting fraud on the part of others such as customers or vendors. One of the reasons for including members with different backgrounds, skill sets and from different departments and disciplines is the sheer breadth of possible fraudulent activities that could occur within an organization.
The next two columns, "likelihood" and "significance" should be the product of discussions amongst the team members based upon their knowledge of pressures, incentives and opportunities. It is critical that the team consider the strategy and goals of the organization and the kinds of pressures that may exist to conceal the true state of affairs. For example, consider the pressures to manipulate financial results. Is the long-term achievability of goals dependent upon meeting short-term financial goals and concealing specific aspects of the financial picture? Are individual department heads concerned about possible elimination or cutbacks if goals are not met?
The team will also want to consider carefully the kinds of incentive plans that may exist and how those plans may encourage potential fraudsters to engage in unethical behaviors to earn those incentives. Even absent a specific incentive plan, the team must consider the more subtle effects of performance metrics that drive decisions about personnel retention.
The team will likely need to gather additional insights through interviews with persons in various departments in order to develop their understanding of incentives, pressures and opportunities.
"Likelihood" can be assessed on the basis of past occurrences within the organization, industry information, frequency of transactions, and other factors. The categorization can take different forms, but three different categorizations should be sufficient of most organizations. One three-category system might encompass "remote", "reasonably possible" and "probable."
"Significance" of a particular risk should consider not only the monetary impact of possible potential frauds, but also any impact the fraud might have on financial reporting, operations, organizational reputation and compliance requirements. Criminal, civil and regulatory liability all need to be factored in. The significance also needs to be weighed in light of the impact on other parties. For example, if fraudulent expense reporting or unauthorized purchases of supplies occur in a manufacturing company where there is no billing to customers for the expenses, the impact is largely on the company's own bottom line. However, if these same expenses are instead passed along to a customer, the customer relationship is jeopardized. Consideration also needs to be given to the regulatory oversight the organization is subject to. Severe fines or loss of privileged licenses may also be a risk in some industries.
As with the categorization of likelihood, three levels are typically enough and may be expressed in qualitative language. One set of terms could be "inconsequential", "more than inconsequential" or "material." The initial assessment of the likelihood and significance of a given risk should be based upon what is referred to as "inherent risk." That is, the risk of something occurring without any known controls. This allows for the team to better identify all the relevant risks and systematically evaluate controls in light of those risks.
The next column, which might be labeled "People/Departments" can be used to outline the various people and departments that may be involved. For example, in addressing the risk that the company is engaging in fraudulent activities related to sales, it may be appropriate to list both the sales and the shipping department. Identifying the people and departments helps the team to consider more specifically the kinds of pressures, incentives and opportunities that may exist. The identification of affected departments and people will also help the team analyze the controls that may mitigate the risks.
Existing controls that mitigate, or were designed to mitigate, those risks are then identified and recorded in the next column, which can be labeled "Existing Controls".
The effectiveness of controls is then assessed, and placed in a separate column "Effectiveness of Controls". One of the key elements to completing this column is an understanding of whether the controls are evaluated to ensure that the control is functioning as designed and that it is actually effective in mitigating the specified risk. This column should explicitly identify who tests the controls. Controls may be either preventive (that is, they are designed to deter fraudulent acts from happening) or detective (that is, they are designed to identify fraud when it occurs).
In assessing controls, it is important to recognize the potential for management override of controls. An anti-fraud control that is easily overridden by management is ineffective.
"Residual risk" would then be the next column, and this is the risk that remains after consideration of the internal controls in place. Management override of controls is a common factor in residual risk..
The final column in the table would be labeled "Fraud Risk Response." The response to residual risk is highly dependent on the organization's tolerance for risk. Those charged with governance must consider a broad range of stakeholders, and risk appetites can vary widely. While some companies have a "zero-tolerance" for fraud once it is discovered, it is important to understand that controls can be expensive and time-consuming, and some controls also tend to slow business operations. Therefore, the organization must thoughtfully balance its tolerance for fraud risk with the cost of preventing and detecting fraudulent activity.
Some of the responses residual fraud risk include accepting the risk given the likelihood and significance of the risk, adding internal controls to further mitigate the risk, or designing internal audit procedures to address the risk.
Performing and documenting a fraud risk assessment on an iterative basis is a crucial component of an organization's anti-fraud program. While the task may seem daunting, a systematic approach such as the one described here will make the process manageable with the selection of the right team, the right mindset and the support of management at all levels.
Managing the Business Risk of Fraud: A Practical Approach, Sponsored by the Institute of Internal Auditors, the Association of International Certified Professional Accountants and the Association of Certified Fraud Examiners, undated.
The Fraud Resistant Organization, a publication of the Anti-Fraud Collaboration, undated.
2016 Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners.
© 2017 McGovern & Greene LLP All rights reserved.
Questions or comments?