Fraud Risk Management – Assessment and Confidence Building
In today’s risk landscape, organisations must navigate uncertainties in the external and internal environment.
[Figure: the average share of revenue organisations lose to fraud each year*]
*According to the Association of Certified Fraud Examiners’ (ACFE) 2020 Global Fraud Study.
More alarmingly, poor internal controls and the absence of an adequate fraud risk management framework contribute to nearly a third of global fraud cases.
In a fast-changing environment, where the risk of fraud is increasing and fraudsters are adopting new ways to scam, it is ever more apparent that firms need to maintain robust frameworks to detect and prevent material fraud. Organisations themselves, the authorities and the regulators are also placing increased focus on strengthening the responsibility and accountability of those charged with governance for the prevention and detection of fraud.
Against this backdrop, organisations are now increasingly considering how they can gain comfort over their fraud risk assessment and fraud risk frameworks to help protect against future financial loss and reputational damage.
This article will provide insights into the drivers for the increased appetite for effective fraud risk management and how to create increased levels of confidence over fraud risk frameworks, exploring the following areas:
Expectations of Boards and senior management on fraud risk management
In the current evolving economic climate, organisations may be more susceptible to fraud risk both internally and externally. This may be due to a desire to improve financial results in the aftermath of the COVID-19 pandemic or to the organisation using increasing levels of technology which fraudsters are seeking to exploit.
Against the backdrop of a constantly increasing number of fraud cases, higher focus on fraud by stakeholders and broader regulatory expectations for greater transparency in respect of fraud risks and mitigating controls, many organisations still lack adequate formal fraud risk management frameworks and are exposed to significant potential losses and regulatory scrutiny. However, the responsibilities of those charged with governance and management in relation to prevention and detection of fraud have not changed. The FCA handbook (Financial Crime Guide) states that the FCA expects (i) senior management to take clear responsibility for managing financial crime risks, which should be treated in the same manner as other risks faced by the business, and (ii) a firm to consider the full implications of the breadth of fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates.
The FCA’s regulatory requirements are complemented by other guidance such as the COSO Fraud Risk Management Guide. Under that guidance, senior management has overall responsibility for the design and implementation of a Fraud Risk Management Programme, including setting the tone at the top that shapes the culture of the entire organisation. The board establishes policies and procedures which explain how it provides oversight, including defining expectations about integrity and ethical values, transparency, and accountability for the implementation and operation of the Fraud Risk Management Programme.
Key facts behind recent fraud cases
The risk of fraud is driven by a diverse set of factors. These include the risks inherent in the business model, the complexities of judgements in accounting, the employee mindset and incentives, as well as the exposure of business data to internal and external attacks.
The culture of the organisation, especially the tone at the top, is also a critical influencing factor for the fraud risk environment, as are the reinforcement of values through middle management and the robustness of the internal control environment.
The following are examples of different types of fraud recently perpetrated by fraudsters:
- Employee fraud against employers
– payroll fraud; bribes and kickbacks; falsifying expense claims; theft of cash, assets or intellectual property (IP); false accounting.
- Crimes by businesses against investors, consumers and employees
– accounting/financial statement fraud; selling counterfeit goods as genuine; failing to pay over tax or National Insurance contributions deducted from staff.
- Crimes against financial institutions
– using lost and stolen credit cards; cheque fraud; fraudulent insurance claims.
- Crimes by professional criminals against major organisations
– major counterfeiting rings; mortgage fraud; advance fee fraud; corporate identity fraud; money laundering.
- E-crime by people using computers and technology to commit crimes
– phishing; spamming; copyright crimes; hacking; social engineering frauds.
In the figure below we present some key thematic root causes of fraud based on a range of recent cases.
Why do people commit fraud?
There is no single underlying reason behind fraud. A useful model is the fraud triangle which is based on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity, and rationalisation.
- Motivation: Typically based on greed or need, e.g. financial stress, meeting targets.
- Opportunity: Where there are weak internal controls, lack of oversight, little fear or lower likelihood of detection.
- Rationalisation: Some may rationalise fraudulent actions as necessary, especially when considered relatively harmless to the business, or justified because the perpetrator has a sense of grievance.
One of the most effective ways to tackle fraud is to adopt methods that will reduce the motivation and the opportunity. Rationalisation is personal to the individual and harder to combat although a strong organisational ethical culture and values can help. These methods and principles are covered later in the article.
Who commits fraud?
Fraudsters often fall into one of three categories:
Pre-planned fraudsters intend to commit fraud from the outset. These can be short-term players, like many of those who use stolen credit cards or false personal identification numbers (e.g. social security numbers); or longer-term, such as bankruptcy fraudsters and those who execute complex money laundering schemes.
Intermediate fraudsters start off being honest but turn to fraud when times get hard or when life events, such as irritation at being passed over for promotion or the need to pay for care for a family member, change the normal course.
Slippery-slope fraudsters simply carry on trading even when, objectively, they are not in a position to pay their debts. This can apply to ordinary traders or to senior business managers.
In 2007, KPMG carried out research on the Profile of a Fraudster (KPMG survey) which highlighted the following characteristics in relation to fraudsters:
- most fraudsters are aged between 36 and 55
- median fraud losses caused by men are twice as high as those caused by women
- losses caused by managers are generally more than double those caused by employees
- longer-term employees tend to commit much larger frauds
- the majority of frauds are committed by men
- a high percentage of frauds are committed by senior management (including owners and executives)
- average losses caused by owners and executives are nearly 12 times those of employees
- fraudsters most often work in the finance department, in operations/sales, or as CEO.
Develop a robust fraud risk management framework
As is evident from the factors highlighted in the root cause diagram above, fraud risk can arise in a variety of ways, hence the need for a robust fraud risk management framework to protect the organisation. With a constantly evolving fraud risk landscape in mind, organisations should ensure they have a fraud risk framework that:
a is integrated with the enterprise risk management framework
b is embedded and visible within all areas of the organisation
c develops a culture which supports the prevention, detection and deterrence of fraudulent behaviour
d is regularly assessed, with controls redesigned where vulnerability to fraud is identified.
The above considerations are all important to enable the board and senior management to protect and sustain the business, discharge their duties, be alert to risks, intervene with strong controls, and adapt to changes in regulatory requirements.
Based on our experience, an effective framework should contain different components and the right mix of people, process, and technology. This is illustrated in the diagram below. Organisations should continually evaluate how their current framework is designed and operating in practice within a dynamic and evolving fraud risk environment.
Key steps for building confidence in fraud risk management
Both the government and regulators are placing increasing focus on fraud risk management. The current environment makes it an even greater priority for organisations to gain assurance over their fraud risk management frameworks.
Increasing confidence levels in the framework will better enable senior management to discharge their duties and be ready to respond to increased regulatory and stakeholder scrutiny in relation to fraud risk management. In the remainder of the article, we outline key steps for increasing levels of confidence over an organisation’s fraud risk management framework and how we (Xcina Consulting) can help organisations develop a robust fraud risk management framework.
Whilst we do not discuss the different approaches which organisations may ultimately use to gain assurance over their fraud risk management framework, we identify three main focus areas, namely (i) framework review and assessment, (ii) framework development/enhancement and (iii) framework testing and maintenance.
These are briefly examined below.
Review and assess the framework
- Business environment
– Identify, understand and evaluate the company’s business, its strategy and its operating environment, along with the pressures that exist.
- Fraud risk assessment
– Assess whether the environment exposes the organisation to new fraud risks or increases the threat of existing fraud risks.
- Business operations and locations
– Consider whether the fraud risk assessment is consistently applied across all business areas and locations.
- Likelihood of occurrence
– Assign a probability to each relevant fraud risk, on a scale from remote to almost certain.
- Assessment of control effectiveness
– Assess and classify controls on a scale from ineffective to very effective.
– Determine who will implement controls and mitigation efforts.
- Fraud risk response
– After identifying a fraud risk, determine the corrective actions or additional controls that should be implemented.
– Establish the monitoring activities that will be conducted and how frequently they will occur.
- Management reporting
– Understand the reporting that senior management receives on fraud risk management, to enable informed decision making and to facilitate oversight and challenge.
This review exercise is a key step in identifying (i) vulnerability to fraud, (ii) significant gaps in the control environment and (iii) suspicions of fraud incidence.
Develop / enhance the control framework
A review and assessment of the fraud risk management framework will provide a refreshed analysis of the adequacy of the control framework in terms of mitigating any heightened areas of fraud risk. This phase is critical as it reinforces the foundations of an adequate fraud risk management framework. The steps outlined below will help organisations in responding to gaps and enhancing the effectiveness of the framework. Organisations should involve different business areas and control functions when considering the following aspects:
- Prioritisation – Identify which control gaps require immediate attention or expose the organisation to higher fraud risk.
- Technology – Understand whether any smart technology, Machine Learning /Artificial Intelligence or other tools can be deployed to support fraud detection and prevention.
- Plan – Evaluate the time required to address the gaps, implement new technologies and complete fraud-related investigations.
- Subject matter specialists – Consider the need for a dedicated team specialising in fraud risk management or support from external specialists.
- Communication & training – Assess how changes will be communicated and what training is needed to ensure that all staff are equipped and committed to fraud deterrence.
- Evidence – Document all existing and new products, processes and controls, including an assessment of any new technological solutions relied upon to prevent and detect fraud.
- Sustain – Assess the methods that should be used to embed the enhanced framework into the heart of the business and maintain it going forward. It is crucial that the control framework is consistently and accurately documented across the organisation, including a clear view of fraud risks and the preventative and detective controls in place.
Test and maintain the fraud risk framework continuously
Perpetrators’ tactics continually change; they become more sophisticated and find new methods to commit fraud. Hence, organisations should not become complacent after they have made what they consider to be the necessary improvements to their fraud risk framework. As fraudsters’ methods evolve, businesses should frequently assess where they may have vulnerabilities and address them, using internal control functions and external specialist teams to continuously monitor the performance of the framework and identify any gaps or ineffective processes.
Fraud will not simply go away. Organisations need to tackle it strategically and will benefit from being proactive rather than reactive, preventing fraud before it can succeed. Furthermore, with new legislation and more intense public and regulatory scrutiny, it is essential for management to act now to ensure that fraud risk is appropriately identified, assessed, mitigated and reported, enabling the organisation to demonstrate that its fraud risk management framework functions effectively.
Our Fraud Risk professionals are skilled in fraud risk advisory and assurance. Xcina Consulting supports organisations on their journey to develop and to gain assurance over their fraud risk management framework and fraud risk assessments. For more information or to set up a discussion with one of our specialists, please contact us at email@example.com.