Fraud risk management is crucial to an organization’s reputation and economic well-being. While recent industry statistics indicate that organizations lose approximately 7 percent of annual revenues to fraud [1], the true cost is likely much higher, as the effects ripple across financial statements, operations and brand value. An effective fraud risk management (or anti-fraud) program is an essential element of management’s strategy to protect the organization from fraud and other illegal acts.
Management must confirm that a strong framework is in place to evaluate, mitigate and monitor the risk of fraud and misconduct. Often this is driven either by Sarbanes-Oxley compliance requirements or by fiduciary responsibility to stakeholders such as shareholders or donors. While external auditors consider fraud risk and management’s assessment of its anti-fraud program and controls during the course of their work, The Institute of Internal Auditors’ Standard 2120.A2 requires internal auditors to evaluate not only the potential for fraud to occur within the organization, but also how the organization manages its fraud risk.
Components of an anti-fraud program and the corresponding fraud controls vary by organization. Some basic elements include (but are not limited to):
- Fraud control policy
- Code of conduct/ethics and affirmation process
- Conflicts disclosure
- Due diligence
- Fraud awareness (communication and training)
- Fraud risk assessment
- Reporting procedures and whistleblower protections
- Investigative process
- Remediation and corrective action
- Continuous monitoring (preventive/detective controls)
Challenges and Opportunities
There is no “one size fits all” or “checklist” approach to fraud risk management. A balanced, cost-effective approach should be the objective of both management and the board of directors, and can be achieved through careful consideration of fraud risk within the context of the organization’s internal control structure. It is therefore critical for management and the board to understand both the likelihood and impact of potential fraud risk prior to committing resources — physical and financial — in their fight against fraud.
Similarly, no one person stands on the front lines of fraud risk management. Once the organization’s priorities for managing fraud risk are established, roles and responsibilities for the oversight and coordination of the anti-fraud program — as well as ownership of corresponding fraud controls — should be defined clearly, assigned, and communicated across all levels of the organization. By doing this, everyone within the organization is enrolled in fraud mitigation activities.
Our Point of View
Management’s anti-fraud program and controls should be as dynamic as the risk that endangers the organization, evolving with changes to policy, processes and people both inside and around the organization.
Given the sensitive nature of fraud, organizations may have a difficult time addressing it. However, risk arising from fraud and other illegal acts threatens an organization’s reputation and bottom line. There is no question that management must consider and confront fraud risk explicitly. In addition, as part of its fraud risk governance mandate, the board of directors must confirm that management has created an efficient and effective infrastructure to prevent, deter and detect both fraud and misconduct.
The best time to act against fraud is before it happens. By embracing fraud risk management proactively, organizations can better protect themselves against the incentives, pressures, opportunities and rationalization that lead people to commit fraudulent and other illegal acts.
How We Help Companies Succeed
Protiviti helps organizations address fraud risk proactively by understanding where it can occur and implementing strategies to combat it. As a result, our clients protect their reputations, improve their bottom lines and fulfill their fiduciary and regulatory responsibilities. Our services include:
- Fraud Risk Management or Anti-Fraud Program and Control Audit – We plan and perform procedures to confirm that the fraud risk management process is consistent with management’s and the board of directors’ expectations, and that employees comply with the associated policies and procedures. We also report potential problems and recommend solutions to enhance an organization’s anti-fraud program and controls.
- Fraud Risk Assessment – We assist management in the identification and prioritization of fraud risk in highly collaborative projects that promote knowledge and skill transfer to the organization’s personnel. Each fraud risk assessment is tailored to meet the specific needs and culture of an organization. Utilizing Protiviti’s Common Fraud Scenarios, we develop and document a sustainable process, enabling the organization to refresh the identification and rating of key fraud and misconduct risks on a periodic and ongoing basis.
- Anti-Fraud Program and Control Assessments – Utilizing Protiviti’s proprietary consulting methodology, we evaluate an organization’s existing anti-fraud program and controls against authoritative guidance and leading practices. This provides management with an actionable roadmap to help strengthen its fraud risk evaluation, mitigation and monitoring activities.
- Fraud Audit and Fraud Risk Testing Plans – We assist management in the development of fraud audit and fraud risk testing plans to complement — and supplement — existing monitoring activities undertaken within the organization.
- Protiviti collected key documents and interviewed relevant employees of a financial services organization to help management assess its anti-fraud program and controls. As a result, we made several recommendations to define and document responsibilities, enhance fraud risk assessment activities, and monitor for fraud indicators. The client is now undertaking a phased approach to strengthening these aspects of its fraud risk management program.
- Protiviti performed an assessment of an energy company’s anti-fraud programs and controls at both the entity and process level. The project included a comparison of the company’s fraud prevention, deterrence and detection capabilities against authoritative guidance and leading practices. Areas of concentration included tone at the top, communication to employees, and integration of management’s philosophy into company processes. Under the guidance of the audit committee, management has taken steps to realign and strengthen its fraud risk management program.
- A global transportation company had no documented fraud risk management program or anti-fraud policy. Protiviti facilitated the identification of existing policies and procedures to establish the foundation of an anti-fraud program and drafted a fraud control policy. This policy was distributed to all employees with a cover letter from the CEO, heightening fraud awareness and fostering a positive “tone at the top.” Subsequently, with our assistance, the client expanded components of its fraud risk management program and developed a fraud risk assessment methodology.