Establishing a Fraud Risk Management Program — Beyond Checking the Boxes
By Ali Wagner, MACCT, CFE, REDW Financial Forensics & Litigation Services Analyst
Fraud is big business across the globe—and is likely happening at some level in your organization. You just don’t know it yet. Perhaps you’ve had your suspicions, but aren’t sure how pervasive the problem is, how to enhance your current fraud risk management practices, or even where to begin. According the ACFE 2020 Report to the Nations, Certified Fraud Examiners (CFEs) estimate that organizations lose 5% of their revenue to fraud each year. With that in mind, there’s no time like the present to initiate or ramp up anti-fraud efforts in your organization.
Some key ideas to keep in mind as you set out on your anti-fraud journey:
Anti-fraud professionals know that, while it is best to catch fraud as soon as possible, it is even better to prevent fraud before it happens.
Active fraud prevention is a critical part of anti-fraud strategies for organizations of any size.
Organization leaders may fear raising the topic of fraud, believing that increasing awareness will inspire employees to attempt to commit fraud, or to assume that a large fraud has occurred within their company. However, discussing fraud openly with employees is a proven way to help prevent it.
The Fraud Risk Management Guide
To provide guidance on fraud prevention best-practices, in 2016 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) partnered with the Association of Certified Fraud Examiners (ACFE) to create the Fraud Risk Management Guide. The joint report is designed to aid organizations in effectively establishing an overall Fraud Risk Management (FRM) program.
As the need for a more or less robust fraud risk management program varies, FRM should be right-sized and tailored for the unique needs of each organization. For example, organizations that already have strong ethical culture, governance, policies, procedures, and internal controls in place (or those that are willing to accept more fraud risk) might not need to aim for the highest level of FRM confidence or security.
In the ACFE/COSO Fraud Risk Management Guide, FRM is broken down into five principles:
- Fraud Risk Governance
- Fraud Risk Assessment
- Fraud Control Activities
- Fraud Investigation and Corrective Action
- Fraud Risk Management Monitoring Activities
Combatting fraud is an ongoing challenge, but in this five-part blog series that will address each of these principles in order, trusted advisors at REDW are determined to help you discover, assess and strategize methods to stay ahead of the fraud game in your organization.
Fraud Risk Governance
Assessing Where You Are & Where You Want to Be
Each assessment phase or principle builds on the previous one, laying the groundwork for a robust anti-fraud program. The steps listed below are designed to help your organization conduct a Fraud Risk Management assessment and develop a roadmap for the future.
- Identify your current state: Where Things Are
Evaluate you organization’s current anti-fraud efforts and identify your current state, both overall and across each of the five FRM principles.
- Identify your goal state: Where Things Should Be
Identify your organization’s goal state both overall and across each of the five FRM principles.
- Develop a comprehensive FRM strategy and roadmap.
Referencing the five FRM principles, pinpoint and prioritize gaps between your current level of confidence or security compared to that of your goal state. Your strategy and roadmap should align to bridging gaps and remedying deficiencies between your current and goal state, and structure both short- and long-term plans to carry out your objectives.
When establishing a goal state and roadmap for an FRM program, be sure to align the plan with broader organizational objectives.
Advanced fraud controls may not be tolerated by the organization if they create excessive complexity or impede core business processes.
Creating a Culture
Promoting fraud awareness from the top down in your organization is vital to creating a strong anti-fraud culture that enhances fraud awareness and encourages employees to discuss fraud risks openly and thoughtfully. Fortunately, there are many ways to promote and enhance fraud awareness at your organization, including:
- developing a comprehensive fraud risk governance policy,
- developing an organization-wide anti-fraud training program,
- hosting fraud awareness events or activities periodically, and
- communicating roles and responsibilities related to FRM across all levels of the organization.
There is not a one-size-fits-all model when it comes to promoting fraud awareness. It is important for every organization to tailor these efforts to be relevant to specific fraud risks and strategic goals of the FRM program. The key to the success of these efforts is framing a strong, strategic, and consistent message that can translate fraud awareness into action.
Enter, the Integrity Triangle. Serving as the counterbalance to the Fraud Triangle, as shown below, the Integrity Triangle emphasizes the values that encourage people to do what is right for the organization. It gives them actions to focus on, rather than to avoid—which frames the strategy as more advantageous and attainable. No matter where someone is within an organization, the Integrity Triangle applies to their role—that is, it defines how they do their job.
The three elements of the Integrity Triangle are responsibility, accountability, and authority.
When a person understands and appreciates that they have a responsibility to their organization, that they are accountable to its mission, and that they have the authority to affect positive change, a culture unaccepting of improper or inappropriate conduct, such as fraud, is more likely to succeed.
The foundation of this concept is awareness. Promoting awareness among your employees about both the threat of fraud and their power to combat it is essential for cultivating an anti-fraud culture and can be a vital tool to curb fraud in your organization.
Key Directives in Building Anti-fraud Culture
The items below are key organizational movements for consideration to help build a strong anti-fraud culture—establishing a robust anti-fraud governance structure and implementing targeted fraud awareness efforts.
- Develop a comprehensive FRM policy
The specific content and language of your policy should be tailored to your organization’s objectives, environment, and risk profile.
- Define roles and responsibilities for your FRM program
Roles and responsibilities of all personnel should be formally documented – this includes the Board of Directors, audit committee, senior management, business-enabling functions, risk and control personnel, legal and compliance personnel, and all other employees, as well as other parties interacting with your organization, such as contractors and customers.
- Maintain and communicate a continuous focus on FRM
Implement mandatory, organization-wide fraud training. Embed periodic fraud awareness events to encourage discussion across all levels of your organization. Demonstrate FRM leadership by taking fraud matters seriously, adhering to controls and policies, and taking corrective action when others fail to do so.
- Assess and track organizational comprehension
This might include conducting an annual employee survey to assess how knowledgeable employees are about the FRM program, covering topics such as:
- employee knowledge of how to report ethical concerns or observed misconduct,
- any observed misconduct (and whether such misconduct was reported),
- the effectiveness of the organization’s responses to verified or proven unethical behavior, and
- employee ability to report unethical behavior or practice without the fear of retaliation.
- Assess the effectiveness of organization-wide fraud training
After implementing mandatory, organization-wide training, compare current standings against your stated learning objectives using an established methodology, such as pre- and post-training surveys, to compare the level of understanding before and after a seminar. Adjust the training approach and materials based on the results.
- Adapt your organization’s mandatory fraud training periodically
Adjust periodic fraud training seminars to address new fraud schemes, fraud risks, regulations, policies, etc.
How REDW Can Help
For questions or assistance in assessing and structuring your organization’s fraud risk management program or if you have concerns that fraud has occurred within your organization, contact REDW Financial Forensics & Litigation Services Analyst Ali Wagner, or REDW Principals Ed Street or Jessica Bundy.
Our professional team maintains specialized training and credentials in the area of fraud examination and maintains considerable experience performing thorough analyses of indicators and allegations of fraud for both private and government organizations. We respect client concerns and conduct examinations in a discreet manner to minimize the disruption of operations.
Learn more about our commitment to integrity and objectivity in fraud examination.
Stay tuned for Part 2 in REDW’s #InternalAuditAwarenessMonth series – Fraud Risk Assessment: Discover What You Don’t Know.
Sources of Information:
ACFE 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.
ACFE The Anti-Fraud Playbook: The Best Defense Is a Good Offense. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.
Fraud Risk Management Guide Executive Summary. Copyright 2016 by the Committee of Sponsoring Organizations of the Treadway Commission and the Association of Certified Fraud Examiners, Inc.
Cyber-attacks are increasing. How is your firm managing business risk? Participate in our Risk Management Survey.