(RISK, continued from page 21) Good news here: An organization doesn’t need to develop a fraud risk governance policy from scratch. The “Fraud Risk Management Guide” contains a sample control policy framework and a sample fraud risk management policy that can be adapted to any organization.
2. Assess fraud risk. This step is the most important fraud risk management step, because it establishes the baseline for the steps that follow. Assembling a fraud risk assessment team comprising employees from all parts of the organization—not just financial management and accounting personnel but also operations personnel—is important. The fraud risk assessment team then meets to carry out a comprehensive brainstorming process. The goal is to think of every potential way that fraud could happen to or within the organization. Effective brainstorming requires energy, imagination and creativity. Numerous meetings held over several weeks enable participants to maintain high levels of these qualities, which will promote comprehensive results. The fraud risk assessment documentation chart can help you organize the results of your brainstorming sessions.
The goal is to fill the first column with a thorough, comprehensive list of potential fraud vulnerabilities and schemes. Keep brainstorming until that list is complete. During this process, participants inevitably will discuss fraud cases at other organizations, and you’ll ask, “Could that happen to us?” Check to see if you’ve addressed those same frauds in your initial fraud risk assessment. More good news here: The new guide contains a comprehensive list of the most common fraud schemes as good starting points for the risk assessment process. After the team members complete the first column in the fraud risk assessment documentation chart, they assess each potential fraud scheme from the perspectives of likelihood (What are the chances this might happen?) and significance (If this happens, how much damage would it cause?). In assessing significance, don’t think just in monetary terms. Reputational damage is often a greater consideration, especially for tax-exempt, academic and governmental organizations.
The team then creates a heat map that plots the likelihood of occurrence and significance of specific frauds. The numbers on the map represent identified fraud risks in an organization. Organizations often use employee surveys, facilitated sessions and other data-gathering techniques to gain a more reflective perspective on fraud risks. Every organization has its own tolerance for risk. One organization might decide that it can ignore low-likelihood, low-significance potential frauds (and thus not put preventive controls in place), while another might want controls for every possible fraud.
Completing the fraud risk assessment documentation then entails:
• Identifying who might be involved in each possible fraud scheme or exposure;
• Identifying any existing fraud control procedures already in place with respect to each fraud scheme or exposure;
• Assessing the effectiveness of each existing fraud control procedure;
• Determining the residual risk after considering the effectiveness of existing controls; and
• Deciding on the fraud risk response where residual risk exists.
The fraud risk responses column in the fraud risk assessment documentation chart is the trigger for the next steps in the process. Wherever the team finds residual risks, it considers additional prevention and detection controls.
3. Design and implement fraud control activities. Fraud prevention control activities are designed to stop a fraud before it happens. These activities can include such elements as segregating duties, requiring higher-level approvals and incorporating better physical security over assets. Prevention control activities don’t need to be complex or expensive to be effective. The key in designing prevention control activities is to work from the fraud risk assessment documentation and to carefully and methodically devise the most cost-effective controls that should prevent each type of fraud. Internal auditors can be effective at designing these controls. And if the organization is too small to have an internal audit staff, it can retain an accountability professional such as a Certified Fraud Examiner to help in that part of the process. Fraud detection control activities are designed to identify any frauds that happen as soon as possible after they happen. If an organization detects frauds quickly, the crimes are unlikely to grow to become catastrophic. If an organization does a great job designing prevention controls, does it need detection controls? Good question. There are two reasons for detection control activities. First, it’s simply impossible to think of every fraud scenario that might occur. Fraud perpetrators are clever, resourceful and sometimes desperate enough to take foolish chances. Second, and perhaps more importantly, prevention controls can come with a cost—not just the cost of the procedures themselves but also the cost of operational disruption.
Reprinted with permission.
May/June 2018 CPAFOCUS 25