

©2012

TAKING YOUR FRAUD RISK MANAGEMENT PROGRAM TO THE NEXT LEVEL

The best time to deal with fraud, corruption, and misconduct is before they occur. The consequences of fraudulent activity can go well beyond direct financial loss to include damage to reputation, media embarrassment and loss of customers. Learn how to conduct a fraud risk assessment to identify the vulnerabilities your organization faces and what you can do to address them. In this interactive session, you will walk through the steps required to conduct an effective fraud risk assessment.

DANIEL WILLIAMS, CFE, CGA, CIA, CAMS
Leader – Risk & Financial Crime Management
Deloitte
Vancouver, British Columbia
Canada

Daniel is a key member of Deloitte’s Financial Advisory Services practice, bringing significant experience in risk management, compliance, investigations, information systems audit, protection of information assets, business process reengineering, and internal audit support. Daniel’s focus is working with Deloitte’s clients to prevent, detect, and investigate fraud and wrongdoing through the implementation of effective anti-fraud programs and the deployment of key investigative tools. Daniel has assisted many clients, of varying size, with developing and implementing creative risk management solutions, corporate governance frameworks, compliance programs, and business process reengineering. He has in-depth experience and knowledge of public and private industry accounting, controls, and business practices.

Daniel specializes in the design, implementation, and evaluation of strategic fraud risk management programs that aid organizations with financial crime management and revenue retention. He has assisted numerous organizations of various size and scope in improving their ability to manage and respond to incidents of fraud and corruption by aiding clients in adopting comprehensive risk management programs tailored to support their specific goals and objectives now and into the future. Daniel is a Certified Fraud Examiner, Certified General Accountant, Certified Internal Auditor, Certified Information Systems Auditor, Certified Anti-Money Laundering Specialist, and a Project Management Professional.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.


2012 ACFE Canadian Fraud Conference ©2012

Introduction

Due to the significant impact of fraud, stakeholders expect organizations to take a zero-tolerance attitude toward fraud by identifying and addressing weaknesses in the operations of the organization that expose it, and its stakeholders, to undue risk. Organizations are also expected to respond to incidents of fraud quickly, appropriately, and consistently to prevent additional losses due to ongoing fraudulent activity, investigation costs, or legal fees. Now more than ever, organizations recognize the need to design and implement a practical and comprehensive fraud risk management program.

An effectively designed fraud risk management program allows the organization’s leadership to consider specific risks associated with key business, regulatory, and marketplace drivers when developing anti-fraud programs and controls. Once the risks are known, leadership can determine the level of effort and resources required to address each risk. Management will also be in a better position to respond to incidents where a fraud risk is realized. Certainly, the fraud risk management program should not be developed in isolation from the various risk management practices, resources, and tools that already exist. In fact, if done effectively, a fraud risk management program may help to augment legacy practices and enable the organization to execute on these practices more efficiently.

Background

High-profile fraud scandals in recent years have brought renewed focus on the incidence of and company-wide exposure to financial statement and occupational fraud. These developments have resulted in comprehensive legislation and Securities and Exchange Commission (SEC) rulemaking concerning corporate governance and internal controls. Among these regulations is the Sarbanes-Oxley Act of 2002, which mandates that company management must file an annual report on the adequacy of internal controls related to its financial reporting. Controls related to the prevention and detection of fraud are an integral part of a company’s system of internal control.

Deficiencies in antifraud programs and controls are serious. Such weaknesses could constitute significant deficiencies or material weaknesses in internal control over financial reporting. This might require public reporting and could result in adverse consequences.

In addition to the legislative and regulatory requirements for anti-fraud programs, there are sound business reasons to implement them. Fraud can have drastic effects on an organization, from loss of stakeholder value to shareholder lawsuits to reputational risk. Fraud prevention and detection makes good business sense and might provide long-term cost savings to organizations. Management should consider the expectations associated with key business, regulatory compliance, and marketplace drivers when developing antifraud programs and controls.

Fraud Defined

The Public Company Accounting Oversight Board (PCAOB) defines fraud as “an intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements relevant to the auditor’s consideration of fraud include: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.”

There are additional types of fraud that should also be considered when designing and implementing anti-fraud programs and controls. These include improper or unauthorized expenditures, such as bribery, self-dealing, and other improper payment schemes. Examples of this are kickbacks and violations of laws and regulations, such as those that expose the company or its agents to regulatory or criminal actions, for example, violations of Sarbanes-Oxley (SOX), the Foreign Corrupt Practices Act, Canada’s Corruption of Foreign Public Officials Act, the UK Bribery Act, the False Claims Act, and various anti-money laundering provisions. Although these types of fraud may not have a material impact on the company’s financial statements, they may result in loss of company assets, reputational risk, and increased exposure to criminal and civil liability.

For this reason, effective anti-fraud programs tend to encompass a wide range of activities and policies, including corporate governance, compliance with laws and regulations, internal controls, and training and education. They are also highly effective when aligned with other risk management programs found within the organization.

Managing Fraud

The best time to deal with fraud and misconduct is before it occurs. The consequences of fraudulent activity can go well beyond direct financial loss to include damage to reputation, media embarrassment, and loss of customers. It is now more important than ever for leadership to identify the vulnerabilities an organization faces and what can be done to address them.

Although many organizations possess some components of an effective anti-fraud program, they may lack completeness, a comprehensive framework for assessment and evaluation, and adequate documentation.

To address this, we encourage a holistic approach where the fraud risk assessment is used to enhance the organization’s risk management practices as they relate to a variety of risks rather than just fraud. Applying a holistic approach to fraud risk management tends to result in the optimization of internal controls, strengthening of the control environment, enhanced engagement of employees in risk awareness, and improvement of operational efficiency within the organization.

An Effective Fraud Risk Management Program

As an organization grows and matures, so must its operations. The processes and controls must adapt to support the changes in operations and ensure that tasks are carried out efficiently, effectively, and with minimal risk to the organization. An organization’s ability to effectively manage fraud is contingent upon its Fraud Risk Management Program (FRMP). An effective FRMP involves:

• Developing a proactive, cost-effective fraud risk management strategy
• Creating a clear action plan to execute on this strategy
• Identifying fraud risk scenarios inherent to the organization
• Applying best-practice tools and templates to manage risks and encourage collaboration
• Leveraging and aligning with the organization’s existing risk and compliance frameworks
• Effectively assessing the control environment from an anti-fraud perspective
• Ensuring sufficient and appropriate oversight and execution of the program

While there are a number of frameworks and approaches to implementing an effective FRMP, most organizations utilize the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control—Integrated Framework. Below are the five components, derived from COSO’s Internal Control—Integrated Framework, that management may consider with respect to their responsibilities for anti-fraud programs and controls:

• Performing fraud risk assessments
• Creating a control environment
• Designing and implementing anti-fraud control activities
• Sharing information and communication
• Monitoring activities

COSO is the most common framework, allowing an organization to effectively evaluate and benchmark its FRMP against widely accepted standards and practices.

Understanding COSO

Performing Fraud Risk Assessments

The first step in addressing fraud is the fraud risk assessment. Fraud risk assessments are designed to identify and evaluate fraud risk factors that could enable fraud to occur within the organization. Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity’s industry, operations, geographical locations, size, organizational structure, and general economic conditions.

Most organizations have at some level already addressed risks of theft. Fraud risk assessments are more than a process to identify risks of theft and should also address other frauds, including fraudulent financial reporting, corruption, and other misappropriations of assets. The fraud risk assessment involves an expanded focus on considerations of where fraud risk factors may exist within the entity and the potential fraud schemes that could be perpetrated.

Management has the primary responsibility for performing fraud risk assessments. The audit committee should have an active role in the oversight of the process, understand identified fraud risks, and evaluate management’s implementation of anti-fraud measures. The audit committee’s evaluation and oversight not only ensures that management fulfills its responsibility, but also can serve as a deterrent to management who themselves could engage in fraudulent activities. The audit committee, together with management, should also consider the potential risk of management’s override of controls or other inappropriate influence over the financial reporting process.

Finally, the organization may wish to engage internal audit or other independent bodies with the appropriate skill sets to evaluate the organization’s fraud risk assessment and determine if all risks have been appropriately identified and assessed.

The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls, and should be updated periodically to include changes in operations and revisions to fraud risks identified during monitoring activities of anti-fraud programs.

Creating a Control Environment

For any type of risk management program, emphasis should be placed on the entity’s control environment as it influences the tone of the entire organization. It is the foundation for all other components of internal control and provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s management and employees and have a pervasive effect on how business activities are structured and executed. The control environment allows an entity to develop an ethical framework that should address fraudulent financial reporting, misappropriation of assets, corruption, and other fraud issues.

The control environment should set the proper “tone at the top,” which includes a culture and work environment that promotes open communication, consultation, and ethical behaviour. The control environment should be pervasive throughout the organization in actions as well as words. A strong control environment:

• Sets an appropriate tone for the entity’s attitude towards fraud and fraud prevention
• Ensures that roles and responsibilities for the management of fraud are clearly defined and communicated
• Promotes the efficient design and execution of risk management practices to prevent, deter, and detect fraud
• Ensures that appropriate incident response protocols are in place and executed in a timely and consistent manner

The proper design and the effectiveness of the control environment are critical. Having controls by themselves is not sufficient to mitigate fraud risks. For example, if no employees have been disciplined for violations of the company’s code of conduct or ethics, the code is likely to be ineffective.

An organization’s leadership can leverage a strong control environment to stress that it takes a zero-tolerance approach to fraud. It does this through both words and actions.

Designing and Implementing Anti-fraud Control Activities

After fraud risk assessments are performed and fraud risks are identified, management should address each identified fraud risk by determining whether control activities exist and mitigate the risks. Control activities are policies and procedures designed to address risks and help ensure the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions.

Anti-fraud control activities can be preventive or detective in nature. Preventive controls are designed to mitigate specific fraud risks and can deter frauds from occurring, while detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of anti-fraud controls and may provide additional evidence of the effectiveness of anti-fraud programs and controls. Some of these control activities may be automated in nature and include information technology (IT) systems.

Where control activities are not already present, management should design and implement additional controls to specifically address the identified fraud risks.

Special consideration should be given to the risk of override of controls by management. This particular risk may be effectively mitigated through:

• Ongoing and active oversight by an independent committee (usually an audit committee or fraud risk management committee)
• The use of internal audit or another independent assurance function
• The use of data analytics to identify, evaluate, and report on unusual trends or behaviours in data
• Effective ongoing education of employees coupled with an effective whistleblower program and system to receive and investigate concerns raised

Sharing Information and Communication

Effective communication is an important element of all phases of the implementation of an FRMP. The organization’s philosophy on fraud management should be clearly communicated throughout the organization so that employees are aware of anti-fraud activities, have a clear understanding of what is expected of them, and know that the organization takes the risk of fraud seriously. These communications should emanate from all levels of the organization and should include communications with external parties when appropriate (including customers, suppliers, and agents).

A company’s code of conduct and ethics is often the first line of communication concerning its philosophy on fraud prevention. However, other communication methods should be used to create awareness and understanding of how the organization deals with fraud. In particular, fraud policies are becoming an important part of an organization’s overall communication strategy.

A fraud policy is an effective way to communicate an organization’s approach to fraud. Essentially, it defines how fraud will be managed and who is responsible for each key element of the FRMP. If implemented appropriately, a fraud policy can serve to augment the organization’s code of conduct and ethics as well as its whistleblower policy.

Information on the FRMP may be communicated through employee handbooks (either printed or online), in company newsletters, company intranet sites, training, and through presentations or discussions led by management. Management’s anti-fraud programs and controls should also be documented to provide reasonable support for its assessments on the design and operating effectiveness of the controls. This type of documentation serves as a way to provide assurance to both internal and external stakeholders.

Statistics have shown that organizations with effective programs in place are more effective in minimizing the risk of fraud and the cost of a fraud incident. Further, those organizations typically have a greater chance of successful business relationships as they are able to demonstrate to stakeholders that they are able to mitigate and manage the risk of fraud to the organization and its stakeholders.

Monitoring Activities

Management and other appropriate parties across the organization should monitor the quality and effectiveness of anti-fraud programs and controls on an ongoing basis. Monitoring activities and assessments consist of procedures that include independent evaluations of antifraud controls that may be performed by internal audit or other groups, such as business process owners, and other ongoing monitoring activities that are built into normal recurring operating activities.

Ongoing monitoring procedures are built into normal recurring operating activities and can often be more effective than separate evaluations because they take place in real time. Examples of ongoing monitoring activities include:

• Conducting detailed reviews and reconciliations of operating and financial reports
• Regular communications with internal and external parties (including annual affirmation of the code of conduct and ethics and frequent awareness training)
• Encouraging regular audits of anti-fraud controls from the organization’s internal audit function in order to continuously improve the FRMP
• Engaging independent practitioners, with the relevant expertise, to assist with the evaluation and enhancement of the FRMP on a frequent basis
• Engaging employees to solicit feedback on whether the risk management practices in place are effective
• Reviewing the fraud risk assessment in response to an upcoming change in operations to determine if there are emerging risks
• Analyzing whistleblower complaints and findings of investigations to identify any trends that may indicate that weaknesses exist with fraud risk management practices in certain areas of operations
• Consulting various external sources, such as industry data and professional publications, to identify and respond to emerging risks in a proactive manner
• Developing an enterprise fraud risk management dashboard allowing leadership to monitor key risk indicators and metrics and respond when metrics indicate that a tolerable threshold has been exceeded
• Executing data analytics to identify and analyze emerging risks that require an enhancement to current risk management practices

Independent evaluations of controls vary in scope and frequency, and are commonly performed by internal audit or another qualified, independent function. Separate evaluations may involve implementing detective activities. For example, internal audit may design tests to specifically look for instances of early revenue recognition to ensure that existing controls for revenue recognition are operating effectively. Detective controls are essential to anti-fraud programs because they provide an additional indication of the effectiveness of preventive control activities and can identify additional fraud risk factors that should be included in management’s fraud risk assessment. Some monitoring activities can be automated in nature and, as such, may involve IT systems.

The evaluation of anti-fraud programs and controls is part of management’s overall assessment of internal control. Management should assess the design and operating effectiveness of antifraud programs and controls and provide sufficient documentation of its programs, assessments, and conclusions, including the identification of any deficiencies. As with other internal control deficiencies, management and the auditor should evaluate the significance of these deficiencies.

When evaluating an organization’s FRMP, the design and operating effectiveness is evaluated by examining the following key elements:

Figure: Elements of an Effective Fraud Risk Management Program (panels: Prevention, Detection, Response; overall label: Deterrence)

Prevention
• Good governance
• Code of conduct and related standards
• Fraud and misconduct risk assessment
• Employee and third party due diligence
• Communication and training
• Process-specific fraud risk controls

Detection
• Hotlines and whistleblower mechanisms
• Auditing and monitoring
• Quality assurance
• Proactive data analysis

Response
• Timely and consistent response mechanisms
• Comprehensive internal investigation protocols
• Comprehensive enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols

Augmenting the Fraud Risk Management Program

The concept of an FRMP has been around for quite some time now, with many professionals well aware of the essential elements of an effective program. Management is beginning to understand that the consequences of fraudulent activity can go well beyond direct financial loss to include damage to the organization’s reputation, legal fines or sanctions, disruption of operations, unwanted media attention, and loss of customers. Adding the cost of investigation, legal fees, and remediation to an already hefty bill explains why the best time to deal with fraud is before it occurs.

While the increased attention on FRMPs is a good thing, all too often management treats the program as a one-time exercise without considering how to integrate it with the organization’s other compliance and risk management programs (such as SOX and Enterprise Risk Management). This may lead to inefficiencies, inconsistencies, duplicative efforts, and a lack of communication because those responsible for risk management practice will operate independently of each other and not in a coordinated way.

Effective Fraud Risk Management Relies on Effective

Governance

A holistic FRMP starts with having an appropriate,

enterprise-wide governance model that clearly defines

roles and responsibilities for risk management

throughout the organization. Formalized roles and

responsibilities tend to ensure that governance and risk

management practices are standardized across the

organization. A formal enterprise model encourages

open communication and collaboration among the

forums and functions charged with risk management.

Many organizations currently struggle with having

clearly defined roles and responsibilities for their

FRMP. In fact, nearly half of respondents to the 2010

Ernst & Young Global Fraud Survey said that their

organizations didn’t have well-defined roles for

different groups (internal audit, compliance, risk, and

legal) when responding to reports of possible fraud.

Many organizations struggle to determine who is responsible for managing fraud. Often a company might not designate one person as the “owner” of its anti-fraud efforts. As a result, confusion can reign, causing a lack of trust in the proactive anti-fraud program among management and employees, a dangerous deficiency in the sharing of knowledge, and inefficient responses to fraud.

Organizations also struggle to engage the right people at the right level at the right time. FRMPs are at their weakest when they fail to encourage collaboration across various areas of operation. Fraud may be more likely to occur when risk management roles and responsibilities are diffused across reporting lines, sectors and regions, or divisions.

This is why it is so important to establish a good governance model for ownership, oversight, and execution of the FRMP. Governance forums and functions should be established and formalized at the enterprise level based on need. Collaboration should be encouraged through standardization of practices and tools across the organization. Most important, a cross-functional group should be leveraged to ensure that those responsible for fraud risk management possess diverse skill sets to address the complexities of fraud cases and proactive fraud risk initiatives. Ideally, the FRMP should be supported by:

- The audit committee
- Compliance
- General counsel
- Executive management
- Internal audit
- Accounting and finance
- Investigations
- Human resources
- Information technology

While these groups should provide ongoing input into all aspects of the FRMP, best practice suggests that there should ultimately be an individual or group, at the enterprise level, accountable for the program itself and responsible for “shepherding” the other groups, forums, and functions.

A proper FRMP deals with both fraud prevention and response. It is important to have clear ownership of roles and responsibilities for fraud prevention to address confusion, inefficiencies, and redundancies in fraud risk management practices. It is essential to ensure clear ownership of roles and responsibilities for fraud response to minimize losses to the organization and its stakeholders, as well as to limit the exposure to reputational and legal risk an organization faces as a result of an incident (to essentially stop the bleeding before the case is terminal).

For an effective fraud response plan to work, it has to identify who will work on specific tasks from the moment the allegation is identified to the point of reporting the results. This is where a good fraud policy comes in handy. It outlines the organization’s disaster response plan for when a fraud occurs. It provides assurance to leadership that the right team will be in place when an incident occurs and that this team is qualified to minimize the exposure to the organization and its stakeholders. A good fraud policy specifies who is responsible for reviewing the allegations and then determining, based on their assessment, who should get involved and to whom the results should be reported. The response protocols in the fraud policy help guide the organization toward a documented, consistent process for recognizing, responding to, and remediating fraud.

Whether preventing or responding to incidents of fraud, a holistic approach demands efficiency and a level of synergy among those charged with oversight and execution of risk management practices. This can be achieved through a strong, centralized function that formalizes roles and responsibilities, standardizes processes/protocols, and encourages collaboration among the groups, forums and functions responsible for governance and risk management practices.

Fraud is an extremely complex issue, and an oversight committee—such as an anti-fraud program oversight team—that’s committed to a common goal is often the best method to deal proactively and reactively with these complexities. The team’s anti-fraud program can then become the channel for the dissemination of messages from the top of the organization to all employees. This new environment will help reinforce an atmosphere of constant integrity throughout the company that will allow the company to more effectively deal with fraud.

Understanding the True Cost of Fraud

In conducting a fraud risk assessment, Management is required to assess the likelihood of a fraud risk being realized, and the impact to the organization should it come to fruition. The challenge lies in management’s ability to quantify the true impact (or cost) of a particular fraud risk.

Recall that impact is considered by identifying both qualitative and quantitative factors. Quantitative factors represent the amount of potential financial loss to the organization and/or its stakeholders. Qualitative factors represent the non-financial losses to the organization or its stakeholders (such as reputation risk—the risk of losing the ability to compete, due to perceptions that the organization does not deal fairly with its stakeholders or does not know how to manage its business).

Many find it challenging to determine the true cost of fraud. This is especially true when there is incomplete information available on how particular fraud scenarios impact the organization. The cost of fraud is often considered to be the amount stolen from the organization and/or its stakeholders (the direct financial loss). What is often missed is the indirect loss that comes in the form of:

- Investigation and recovery costs
- Legal fees
- Civil litigation and fines
- Criminal litigation and prosecution
- The implementation of compliance and/or monitoring programs in response to the incident
- The diversion of organizational resources to respond to the incident

Once these additional factors are taken into consideration, it becomes much easier to assign a true cost to the fraud risk.

It is also possible to improve an organization’s ability to assess the likelihood of each risk. Better monitoring through the use of dashboards and the development/application of Key Risk Indicators (KRIs) enables Management to identify when a risk has been realized or is about to be realized. The establishment and monitoring of KRIs also allow Management to define clear thresholds that, if exceeded, prompt an immediate response. Finally, KRIs make it possible for an organization to monitor how well it is managing each risk and to identify emerging risks.

To better assess the likelihood and impact of fraud, organizations are turning more and more to data analytics. Everyday reliance upon technology makes it possible for so many fraudulent schemes to unfold. As we become more reliant on information technology to support our businesses, we increase the likelihood of IT fraud; that is, fraud where a financial loss or malicious damage has been sustained by an organization and has been facilitated by the use of IT in some way. Technology presents so many opportunities for fraud to occur; fortunately, it also offers many capabilities for combating fraud.

Data analytics are becoming more widely used due to our increasing dependence on technology and the relatively low cost of implementing analytical tools. Data analytics is the conversion of collected data into a format appropriate for detailed analysis, modeling and drawing conclusions. Typically, 100 percent of the electronic records are analyzed (as opposed to manual sampling methods). This provides complete data coverage, the ability to identify trends that may indicate fraud, and the ability to drill down to the individual record level for further investigation and analysis.

Data analytics allow organizations to discern characteristics and/or relationships among transactions that would not otherwise have been identified using traditional detective methodologies and tools. These tools are useful for fraud risk management, as well as other risk management and compliance practices, because they allow organizations to better quantify risk and even monitor the performance of their risk management/compliance program. Key analytical metrics for an effective FRMP include the following:


The metrics are grouped under four headings: Loss/Damage Quantification; Trends/Weaknesses Exploited; Performance; and Response and Recovery.

- Total customer losses to be reimbursed.
- Customer attrition costs due to experiencing a fraud incident.
- Total effort expended per incident and the related costs.
- Total incidents for each period.
- Average legal fees per incident.
- Number of employee hours diverted to incident response.
- Cross-channel losses resulting from incidents originating in a specific department/division.
- Successful bypass of internal controls – what controls are getting targeted and bypassed the most?
- Incidents of management override of controls.
- Attack volume.
- Incidents by type and transaction.
- Incidents by geographic location.
- Trends – time of day most attacks occur.
- Trends – types of businesses targeted.
- Total effort required to respond to each incident.
- Response time for each incident.
- Timeliness of investigation and wrap-up.
- Total funds recovered in a period.
- Cost-benefit analysis as it relates to cost of recovery versus actual funds recovered.
- Phishing – time from notification to take-down.
- Phishing – success rate of take-down.
- Number of compromised customers in a period.
- Number of repeat offences against a customer in a period.
- Number of incidents identified by the organization compared to incidents identified by the customer.
- Number of fraudulent attacks denied versus successful attempts.
- Total false positives recognized in a period.
- Total incidents in a period.
- Total incidents by theme.
- Impact of remediation efforts on total incidents.

Once the “true cost” of a fraud risk/scenario is known, it is then re-evaluated in the fraud risk assessment. In most cases, Management is surprised to find that their initial assessment of the fraud risk was inaccurate; further, Management may find that the “true cost” of the fraud risk justifies the need for increased risk management practices that would otherwise have been perceived as being too costly.

Finally, trend analysis will show Management where they need to strategically enhance their FRMP. For example, monitoring an increasing trend of social engineering of employees may encourage the organization to increase awareness training.
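The following Python is an added example, not part of this paper or of any Deloitte or ACFE tooling: it costs a constructed incident log using the direct and indirect components listed above, rates each scenario's impact before and after the indirect loss is counted, computes a few of the table's metrics (response time, recovery cost-benefit, organization- versus customer-identified incidents) and checks them against KRI thresholds. The incident records, hourly rate, impact bands and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed assumption: loaded cost of one employee hour diverted to incident response.
HOURLY_RATE = 75.0

@dataclass
class Incident:
    incident_id: str
    scheme: str                     # fraud theme, e.g. "procurement" or "phishing"
    direct_loss: float              # amount stolen: the figure usually taken as "the cost"
    investigation_cost: float       # investigation and recovery spend
    legal_fees: float
    fines: float                    # civil/criminal litigation and fines
    compliance_program_cost: float  # monitoring put in place in response to the incident
    staff_hours_diverted: float     # employee hours diverted to incident response
    recovered: float                # funds actually recovered
    identified: date                # allegation identified
    closed: date                    # investigation wrapped up
    detected_by: str                # "organization" or "customer"

def indirect_cost(inc: Incident) -> float:
    """The indirect loss components that are usually missed when fraud is costed."""
    return (inc.investigation_cost + inc.legal_fees + inc.fines
            + inc.compliance_program_cost + inc.staff_hours_diverted * HOURLY_RATE)

def true_cost(inc: Incident) -> float:
    return inc.direct_loss + indirect_cost(inc)  # direct financial loss plus indirect loss

def impact_band(cost: float) -> str:
    """Constructed impact bands used when a scenario is re-evaluated in the assessment."""
    if cost < 10_000:
        return "Low"
    return "Medium" if cost < 50_000 else "High"

def response_days(inc: Incident) -> int:
    return (inc.closed - inc.identified).days

def average_response_days(incidents: list) -> float:
    return sum(response_days(i) for i in incidents) / len(incidents)

def recovery_ratio(incidents: list):
    """Funds recovered per dollar spent recovering them; None when nothing was spent."""
    spend = sum(i.investigation_cost + i.legal_fees for i in incidents)
    return sum(i.recovered for i in incidents) / spend if spend else None

def customer_detected_share(incidents: list) -> float:
    """Share of incidents first identified by a customer rather than the organization."""
    return sum(i.detected_by == "customer" for i in incidents) / len(incidents)

# Constructed KRI thresholds: (minimum, maximum) acceptable value for the period.
KRI_THRESHOLDS = {
    "avg_response_days": (0.0, 14.0),
    "recovery_ratio": (1.0, float("inf")),   # below 1.0, recovery costs more than it returns
    "customer_detected_share": (0.0, 0.75),
}

def kri_breaches(incidents: list, thresholds: dict = KRI_THRESHOLDS) -> dict:
    """Return {kri: (value, min, max)} for every KRI outside its threshold band."""
    values = {
        "avg_response_days": average_response_days(incidents),
        "recovery_ratio": recovery_ratio(incidents),
        "customer_detected_share": customer_detected_share(incidents),
    }
    return {k: (v, *thresholds[k]) for k, v in values.items()
            if v is not None and not thresholds[k][0] <= v <= thresholds[k][1]}

# Constructed incident log for one reporting period (not real data).
PERIOD = [
    Incident("INC-1", "procurement", 10_000, 35_000, 15_000, 0, 0, 200, 10_000,
             date(2012, 3, 1), date(2012, 4, 15), "organization"),
    Incident("INC-2", "phishing", 4_000, 1_500, 0, 0, 2_000, 16, 3_000,
             date(2012, 5, 2), date(2012, 5, 5), "customer"),
    Incident("INC-3", "phishing", 2_500, 800, 0, 500, 0, 8, 0,
             date(2012, 5, 10), date(2012, 5, 20), "customer"),
]

if __name__ == "__main__":  # impact band by direct loss, true cost, impact band by true cost, then KRI breaches
    print({i.incident_id: (impact_band(i.direct_loss), true_cost(i), impact_band(true_cost(i))) for i in PERIOD}, kri_breaches(PERIOD))
```

INC-1 is the paper's own cautionary case: a $10,000 direct loss that cost $50,000 in investigation and legal fees to recover, so its impact band moves from Medium to High once the indirect loss is counted and the period's recovery ratio KRI is breached.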

Integration and Alignment with Existing Risk/Compliance Programs

An FRMP does not have to stand alone. There’s nothing to say that an organization cannot leverage its current risk management practices within an organization to help build its FRMP; in fact, this is encouraged as it helps strengthen the current governance and risk management practices in place rather than building new ones. Such an approach helps to refine the organization’s risk management practices and capabilities.

Alignment can occur throughout the entire compliance/risk management framework. For example, certain organizational process assets (such as the internal audit charter, code of conduct and ethics, and various policies and procedures) can be enhanced to support fraud risk management. Training materials, for instance, can be enhanced to include information on fraud awareness, and the code of conduct/ethics can also include a fraud policy.

An effective way to support the FRMP with the organization’s existing risk management and compliance infrastructure is through its whistleblower program.

A whistleblower program is a tool that allows employees to report fraud and other misconduct without fear of retaliation. Many organizations have such programs to ensure that employees feel comfortable about reporting incidents of fraud and wrongdoing. Some organizations also have whistleblower policies in place to encourage their employees to speak up about other problems in the company.

A whistleblower program has been proven time and again to be highly effective and beneficial for an organization, as employees are most likely the ones to notice and report problems early on which could become serious issues if they are not addressed. A whistleblower program is also an integral part of any organization’s fraud risk management program.

Because such programs are effective when designed and implemented sufficiently and appropriately, organizations are increasingly turning to internal whistleblower programs to discover and correct improper activities.

An organization can help to ensure that its whistleblower program is effective by ensuring that the program is supported by six critical elements:

- Oversight—the organization should have a centralized authority charged with oversight of the whistleblower program from an enterprise-wide perspective and to enforce policies and procedures to ensure that the program is being carried out with sufficient rigor.
- Stakeholders—the organization should ensure that the program is made available to all key stakeholders. It is important that the organization understand the threats faced by the organization and which stakeholders need to be involved to help mitigate and manage such threats.
- Communication—for any whistleblower program to be effective, the stakeholders must know it exists. Stakeholders should also understand how and when to use the program.
- Reporting mechanisms—employees and other stakeholders should be able to contact the program operators inexpensively and with as few complications as possible. It is often recommended that several reporting mechanisms be made available as different people prefer different methods of communication.
- Administration—management must carefully consider how the program will be administered to ensure that sufficient and appropriate resources are available to provide confidence to all stakeholders that claims will be heard and processed consistently, professionally and confidentially.
- Response protocols—the organization should ensure that there are sufficient and appropriate protocols in place for responding to incidents including collection, compilation, analysis, investigation, enforcement, communication and remediation.

A successful whistleblower program ensures that:

- All stakeholders are aware that the program exists.
- Stakeholders have a requirement to report.
- The claimant has reasonable assurance of anonymity.
- The claimant has reasonable assurance that she/he will not be disciplined or harassed for reporting.
- Appropriate action will be taken to respond to the claim.

Whistleblower programs can be highly effective in fighting fraud and even provide opportunities to enhance the FRMP. Not only can they be leveraged to generate tips about misconduct, they are also very good at spotting trends. Tracking whistleblower complaints may provide insight into where weaknesses lie in your antifraud program. For example, frequent whistleblower complaints coming from the procurement department may drive Management to review the effectiveness of internal controls in that area.

As discussed above, a fraud policy is another organizational process asset which can help enhance the organization’s fraud risk management practices. Other enhancements include the introduction of anti-corruption and anti-bribery policies as well as disciplinary protocols.

Sometimes, Management conducts a fraud risk assessment without leveraging current compliance and/or risk management practices throughout the organization. This is unwise, as it often leads to redundancies and duplication of effort. For example, Management may identify the need for an anti-fraud control when a SOX control, if slightly modified or optimized, will suffice.

As noted above, most organizations use the COSO framework to implement their FRMP. Consider that COSO is also recognized as a best practice framework for implementing an organization’s Enterprise Risk Management Framework, SOX program, and even an organization’s anti-corruption and compliance and ethics program. This means that, should an organization already have one or more of these programs, there is an opportunity to leverage the current:

- Risk assessments
- Control environment
- Control activities
- Information and communication
- Monitoring activities

An existing risk assessment is a good place to start. Though a SOX risk assessment, for example, may be more focused on error than fraud, many of the risk scenarios, if slightly modified to include malicious intent, could easily become fraud risk scenarios.

Leverage existing information to seek out vulnerabilities and loopholes in current operations and in the control landscape. Try to look afresh at well-established and familiar processes, practices, and relationships as if you are standing in a criminal’s shoes to determine what weaknesses a fraudster would see hidden amid the workaday routine. Further, determine if new vulnerabilities have been opened up by changes in legislation, regulation, reporting standards, operations, IT infrastructure or relationships with strategic suppliers. Bitter experience shows that when organizations think they have low fraud risks they have often been looking for them in the wrong places.

Once existing risk assessments are leveraged and revised to incorporate fraud risk scenarios, begin to evaluate the control activities mapped against each risk. Determine if the control is appropriately designed to serve its original purpose and, if not, whether it can be modified to also prevent and detect fraud. This type of internal control optimization will ultimately lead to increased efficiencies, as current control activities are enhanced, resulting in the need for fewer new activities to address fraud.

Summary

More and more organizations are beginning to appreciate the value of having an effective FRMP. Management is now in the process of making it more efficient by refining the approach to fraud risk management and the elements that make it what it is.

This can be done primarily through adopting an enterprise governance model, as doing so may assist with:

- Encouraging cross-sharing of leading practices and collaboration among those charged with governance to encourage and enable standardization of risk management practices
- Ensuring that there is a centralized and holistic view of how risks are addressed across the enterprise by better defining roles and responsibilities as part of the fraud risk governance model
- If the need for a new governance forum or function is identified, ensuring that the objectives are understood at the enterprise level prior to genesis to maintain alignment with the organization’s standard risk management practices
- Augmenting communication channels and tools in order to facilitate greater collaboration and integration of risk management efforts

This can also be done by leveraging the significant amount of data found in the organization to help value the true cost of fraud. Data can also be used to determine the likelihood of risks being realized and even identify trends in fraudulent activity, enabling the organization to respond in a strategic and timely manner. With the right metrics, organizations are able to evaluate the performance of their FRMP and make changes that will allow it to be more efficient and effective (e.g., ensuring that the investigations department doesn’t spend $50,000 to recover a $10,000 fraud).

Finally, taking a holistic approach to fraud risk management means leveraging and enhancing the current compliance and risk management frameworks in place rather than starting from scratch. This approach focuses on viewing current organizational risks with a different lens and augmenting existing controls to manage a variety of risks rather than just meet one or two objectives.

At the end of the day, there are opportunities to turn an organization’s fraud risk management program from a cost center to a revenue retention center; that is, the cost of the FRMP is covered by the potential lost revenue it saves and then some.


Contact

Daniel J. Williams
CGA, ACCA (UK), CFE, CIA, CISA, CAMS, PMP
Senior Manager
Forensic & Dispute Services
Phone: 604-640-3286
Mobile: 604-351-5567
[email protected]