TRANSCRIPT
©2012
TAKING YOUR FRAUD RISK MANAGEMENT PROGRAM TO THE NEXT LEVEL
The best time to deal with fraud, corruption, and misconduct is before they occur. The
consequences of fraudulent activity can go well beyond direct financial loss to include
damage to reputation, media embarrassment and loss of customers. Learn how to conduct a
fraud risk assessment to identify the vulnerabilities your organization faces and what you can
do to address them. In this interactive session, you will walk through the steps required to
conduct an effective fraud risk assessment.
DANIEL WILLIAMS, CFE, CGA, CIA, CAMS
Leader – Risk & Financial Crime Management
Deloitte
Vancouver, British Columbia
Canada
Daniel is a key member of Deloitte’s Financial Advisory Services practice, bringing
significant experience in risk management, compliance, investigations, information systems
audit, protection of information assets, business process reengineering, and internal audit
support. Daniel’s focus is working with Deloitte’s clients to prevent, detect, and investigate
fraud and wrongdoing through the implementation of effective anti-fraud programs and the
deployment of key investigative tools. Daniel has assisted many clients, of varying size, with
developing and implementing creative risk management solutions, corporate governance
frameworks, compliance programs, and business process reengineering. He has in-depth
experience and knowledge of public and private industry accounting, controls, and business
practices.
Daniel specializes in the design, implementation, and evaluation of strategic fraud risk
management programs that aid organizations with financial crime management and revenue
retention. He has assisted numerous organizations of various size and scope in improving
their ability to manage and respond to incidents of fraud and corruption by aiding clients in
adopting comprehensive risk management programs tailored to support their specific goals
and objectives now and into the future. Daniel is a Certified Fraud Examiner, Certified
General Accountant, Certified Internal Auditor, Certified Information System Auditor,
Certified Anti-Money Laundering Specialist, and a Project Management Professional.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
TAKING YOUR FRAUD RISK MANAGEMENT PROGRAM TO THE NEXT LEVEL
2012 ACFE Canadian Fraud Conference ©2012 1
Introduction
Due to the significant impact of fraud, stakeholders expect
organizations to take a zero-tolerance attitude toward fraud
by identifying and addressing weaknesses in the operations
of the organization that expose it, and its stakeholders, to
undue risk. Organizations are also expected to respond to
incidents of fraud quickly, appropriately, and consistently
to prevent additional losses due to ongoing fraudulent
activity, investigation costs, or legal fees. Now more than
ever, organizations recognize the need to design and
implement a practical and comprehensive fraud risk
management program.
An effectively designed fraud risk management program
allows the organization’s leadership to consider specific
risks associated with key business, regulatory, and
marketplace drivers when developing anti-fraud programs
and controls. Once the risks are known, leadership can
determine the level of effort and resources required to
address each risk. Management will also be in a better
position to respond to incidents where a fraud risk is
realized. Certainly, the fraud risk management program
should not be developed in isolation of the various risk
management practices, resources, and tools that already
exist. In fact, if done effectively, a fraud risk management
program may help to augment legacy practices and enable
the organization to execute on these practices more
efficiently.
Background
High-profile fraud scandals in recent years have
brought renewed focus on the incidence of and
company-wide exposure to financial statement and
occupational fraud. These developments have resulted
in comprehensive legislation and Securities and
Exchange Commission (SEC) rulemaking concerning
corporate governance and internal controls. Among
regulations is the Sarbanes-Oxley Act of 2002, which
mandates that company management must file an
annual report of the adequacy of internal controls
related to its financial reporting. Controls, related to the
prevention and detection of fraud, are an integral part of
a company’s system of internal control.
Deficiencies in antifraud programs and controls are
serious. Such weaknesses could constitute significant
deficiencies or material weaknesses in internal control
over financial reporting. This might require public
reporting and could result in adverse consequences.
In addition to the legislative and regulatory
requirements for anti-fraud programs, there are sound
business reasons to implement them. Fraud can have
drastic effects on an organization, from loss of
stakeholder value to shareholder lawsuits to
reputational risk. Fraud prevention and detection makes
good business sense and might provide long-term cost
savings to organizations. Management should consider
the expectations associated with key business,
regulatory compliance, and marketplace drivers when
developing antifraud programs and controls.
Fraud Defined
The Public Company Accounting Oversight Board
(PCAOB) defines fraud as “an intentional act that
results in a material misstatement in financial
statements that are the subject of an audit. Two types of
misstatements relevant to the auditor’s consideration of
fraud include: misstatements arising from fraudulent
financial reporting and misstatements arising from
misappropriation of assets.”
There are additional types of fraud that should also be
considered when designing and implementing anti-
fraud programs and controls. These include improper or
unauthorized expenditures, such as bribery, self-
dealing, and other improper payment schemes.
Examples of this are kickbacks and violations of laws
and regulations, such as those that expose the company
or its agents to regulatory or criminal actions, for
example, violations of Sarbanes-Oxley (SOX), the
Foreign Corrupt Practices Act, Canada’s Corruption of
Foreign Public Officials Act, the UK Bribery Act, the
False Claims Act, and various anti-money laundering
provisions. Although these types of fraud may not have
a material impact on the company’s financial
statements, they may result in loss of company assets,
reputational risk, and increased exposure to criminal
and civil liability.
For this reason, effective anti-fraud programs tend to
encompass a wide range of activities and policies,
including corporate governance, compliance with laws
and regulations, internal controls, and training and
education. They are also highly effective when aligned
with other risk management programs found within the
organization.
Managing Fraud
The best time to deal with fraud and misconduct is
before it occurs. The consequences of fraudulent
activity can go well beyond direct financial loss to
include damage to reputation, media embarrassment,
and loss of customers. It is now more important than
ever for leadership to identify the vulnerabilities an
organization faces and what can be done to address them.
Although many organizations possess some
components of an effective anti-fraud program, they
may lack completeness, a comprehensive framework
for assessment and evaluation, and adequate
documentation.
To address this, we encourage a holistic approach
where the fraud risk assessment is used to enhance the
organization’s risk management practices as they relate
to a variety of risks rather than just fraud. Applying a
holistic approach to fraud risk management tends to
result in the optimization of internal controls,
strengthening of the control environment, enhanced
engagement of employees in risk awareness, and
improvement of operational efficiency within the
organization.
An Effective Fraud Risk Management Program
As an organization grows and matures, so must its
operations. The processes and controls must adapt to
support the changes in operations and ensure that tasks
are carried out efficiently, effectively, and with minimal
risk to the organization. An organization’s ability to
effectively manage fraud is contingent upon its Fraud
Risk Management Program (FRMP). An effective
FRMP involves:
• Developing a proactive, cost-effective fraud risk management strategy
• Creating a clear action plan to execute on this strategy
• Identifying fraud risk scenarios inherent to the organization
• Applying best-practice tools and templates to manage risks and encourage collaboration
• Leveraging and aligning with the organization’s existing risk and compliance frameworks
• Effectively assessing the control environment from an anti-fraud perspective
• Ensuring sufficient and appropriate oversight and execution of the program
While there are a number of frameworks and approaches
to implementing an effective FRMP, most
organizations utilize the Committee of Sponsoring
Organizations (COSO) of the Treadway Commission’s
Internal Control—Integrated Framework. Below are the
five components, derived from COSO’s Internal
Control—Integrated Framework, that management may
consider with respect to their responsibilities for anti-fraud
programs and controls:
• Performing fraud risk assessments
• Creating a control environment
• Designing and implementing anti-fraud control activities
• Sharing information and communication
• Monitoring activities
COSO is the most common framework, allowing an
organization to effectively evaluate and benchmark its
FRMP against widely accepted standards and practices.
Understanding COSO
Performing Fraud Risk Assessments
The first step in addressing fraud is the fraud risk
assessment. Fraud risk assessments are designed to
identify and evaluate fraud risk factors that could
enable fraud to occur within the organization. Every
organization has inherent fraud risks that arise from
internal and external conditions relative to the entity’s
industry, operations, geographical locations, size,
organizational structure, and general economic
conditions.
Most organizations have at some level already
addressed risks of theft. Fraud risk assessments are
more than a process to identify risks of theft and should
also address other frauds, including fraudulent financial
reporting, corruption, and other misappropriations of
assets. The fraud risk assessment involves an expanded
focus on considerations of where fraud risk factors may
exist within the entity and the potential fraud schemes
that could be perpetrated.
Management has the primary responsibility for
performing fraud risk assessments. The audit committee
should have an active role in the oversight of the process,
understand identified fraud risks, and evaluate
management’s implementation of anti-fraud measures.
The audit committee’s evaluation and oversight not
only ensures that management fulfills its responsibility,
but also can serve as a deterrent to management who
themselves could engage in fraudulent activities. The
audit committee, together with management, should
also consider the potential risk of management’s
override of controls or other inappropriate influence
over the financial reporting process.
Finally, the organization may wish to engage internal
audit or other independent bodies with the appropriate
skill sets to evaluate the organization’s fraud risk
assessment and determine if all risks have been
appropriately identified and assessed.
The fraud risk assessment should be performed without
consideration of the existence or effectiveness of
internal controls, and should be updated periodically to
include changes in operations and revisions to fraud
risks identified during monitoring activities of anti-
fraud programs.
Creating a Control Environment
For any type of risk management program, emphasis
should be placed on the entity’s control environment as
it influences the tone of the entire organization. It is the
foundation for all other components of internal control
and provides discipline and structure. Control
environment factors include the integrity, ethical
values, and competence of the entity’s management and
employees and have a pervasive effect on how business
activities are structured and executed. The control
environment allows an entity to develop an ethical
framework that should address fraudulent financial
reporting, misappropriation of assets, corruption, and
other fraud issues.
The control environment should set the proper “tone at
the top,” which includes a culture and work
environment that promotes open communication,
consultation, and ethical behaviour. The control
environment should be pervasive throughout the
organization in actions as well as words. A strong
control environment:
• Sets an appropriate tone for the entity’s attitude towards fraud and fraud prevention
• Ensures that roles and responsibilities for the management of fraud are clearly defined and communicated
• Promotes the efficient design and execution of risk management practices to prevent, deter, and detect fraud
• Ensures that appropriate incident response protocols are in place and executed in a timely and consistent manner
The proper design and the effectiveness of the control
environment are critical. Having controls by themselves
is not sufficient to mitigate fraud risks. For example, if
no employees have been disciplined for violations of
the company’s code of conduct or ethics, the code is
likely to be ineffective.
An organization’s leadership can leverage a strong
control environment to stress that it takes a zero-
tolerance approach to fraud. It does this through both
words and actions.
Designing and Implementing Anti-fraud Control
Activities
After fraud risk assessments are performed and fraud
risks are identified, management should address each
identified fraud risk by determining whether control
activities exist and mitigate the risks. Control activities
are policies and procedures designed to address risks
and help ensure the achievement of the entity’s
objectives. Control activities occur throughout the
organization, at all levels and in all functions.
Anti-fraud control activities can be preventive or
detective in nature. Preventive controls are designed to
mitigate specific fraud risks and can deter frauds from
occurring, while detective control activities are
designed to identify fraud if it occurs. Detective
controls can also be used as a monitoring activity to
assess the effectiveness of anti-fraud controls and may
provide additional evidence of the effectiveness of anti-
fraud programs and controls. Some of these control
activities may be automated in nature and include
information technology (IT) systems.
Where control activities are not already present,
management should design and implement additional
controls to specifically address the identified fraud
risks.
Special consideration should be given to the risk of
override of controls by management. This particular
risk may be effectively mitigated through:
• Ongoing and active oversight by an independent committee (usually an audit committee or fraud risk management committee)
• The use of internal audit or another independent assurance function
• The use of data analytics to identify, evaluate, and report on unusual trends or behaviours in data
• Effective ongoing education of employees coupled with an effective whistleblower program and system to receive and investigate concerns raised
Sharing Information and Communication
Effective communication is an important element of all
phases of the implementation of an FRMP. The
organization’s philosophy on fraud management should
be clearly communicated throughout the organization
so that employees are aware of anti-fraud activities,
have a clear understanding of what is expected of them,
and know that the organization takes the risk of fraud
seriously. These communications should emanate from
all levels of the organization and should include
communications with external parties when appropriate
(including customers, suppliers, and agents).
A company’s code of conduct and ethics is often the
first line of communication concerning its philosophy
on fraud prevention. However, other communication
methods should be used to create awareness and
understanding of how the organization deals with fraud.
In particular, fraud policies are becoming an important
part of an organization’s overall communication
strategy.
A fraud policy is an effective way to communicate an
organization’s approach to fraud. Essentially, it defines
how fraud will be managed and who is responsible for
each key element of the FRMP. If implemented
appropriately, a fraud policy can serve to augment the
organization’s code of conduct and ethics as well as its
whistleblower policy.
Information on the FRMP may be communicated
through employee handbooks (either printed or online),
in company newsletters, company intranet sites,
training, and through presentations or discussions led
by management. Management’s anti-fraud programs
and controls should also be documented to provide
reasonable support for its assessments on the design and
operating effectiveness of the controls. This type of
documentation serves as a way to provide assurance to
both internal and external stakeholders.
Statistics have shown that organizations with effective
programs in place are more effective in minimizing the
risk of fraud and the cost of a fraud incident. Further,
those organizations typically receive greater chances for
successful business relationships as they are able to
demonstrate to stakeholders that they are able to
mitigate and manage the risk of fraud to the
organization and its stakeholders.
Monitoring Activities
Management and other appropriate parties across the
organization should monitor the quality and
effectiveness of anti-fraud programs and controls on an
ongoing basis. Monitoring activities and assessments
consist of procedures that include independent
evaluations of antifraud controls that may be performed
by internal audit or other groups, such as business
process owners, and other ongoing monitoring activities
that are built into normal recurring operating activities.
Ongoing monitoring procedures are built into normal
recurring operating activities and can often be more
effective than separate evaluations because they take
place in real time. Examples of ongoing monitoring
activities include:
• Conducting detailed reviews and reconciliations of operating and financial reports
• Regular communications with internal and external parties (including annual affirmation of the code of conduct and ethics and frequent awareness training)
• Encouraging regular audits of anti-fraud controls from the organization’s internal audit function in order to continuously improve the FRMP
• Engaging independent practitioners, with the relevant expertise, to assist with the evaluation and enhancement of the FRMP on a frequent basis
• Engaging employees to solicit feedback on whether the risk management practices in place are effective
• Reviewing the fraud risk assessment in response to an upcoming change in operations to determine if there are emerging risks
• Analyzing whistleblower complaints and findings of investigations to identify any trends that may indicate that weaknesses exist with fraud risk management practices in certain areas of operations
• Consulting various external sources, such as industry data and professional publications, to identify and respond to emerging risks in a proactive manner
• Developing an enterprise fraud risk management dashboard allowing leadership to monitor key risk indicators and metrics and respond when metrics indicate that a tolerable threshold has been exceeded
• Executing data analytics to identify and analyze emerging risks that require an enhancement to current risk management practices
Independent evaluations of controls vary in scope and
frequency, and are commonly performed by internal
audit or another qualified, independent function.
Separate evaluations may involve implementing
detective activities. For example, internal audit may
design tests to specifically look for instances of early
revenue recognition to ensure that existing controls for
revenue recognition are operating effectively. Detective
controls are essential to anti-fraud programs because
they provide an additional indication of the
effectiveness of preventive control activities and can
identify additional fraud risk factors that should be
included in management’s fraud risk assessment. Some
monitoring activities can be automated in nature and, as
such, may involve IT systems.
The evaluation of anti-fraud programs and controls is
part of management’s overall assessment of internal
control. Management should assess the design and
operating effectiveness of antifraud programs and
controls and provide sufficient documentation of its
programs, assessments, and conclusions including the
identification of any deficiencies. As with other internal
control deficiencies, management and the auditor
should evaluate the significance of those deficiencies.
When evaluating an organization’s FRMP, the design
and operating effectiveness is evaluated by examining
the following key elements:
Figure: Elements of an Effective Fraud Risk Management Program
(panels: Prevention, Detection, Response; central label: Deterrence)
Prevention
• Good governance
• Code of conduct and related standards
• Fraud and misconduct risk assessment
• Employee and third party due diligence
• Communication and training
• Process-specific fraud risk controls
Detection
• Hotlines and whistleblower mechanisms
• Auditing and monitoring
• Quality assurance
• Proactive data analysis
Response
• Timely and consistent response mechanisms
• Comprehensive internal investigation protocols
• Comprehensive enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols
Augmenting the Fraud Risk Management Program
The concept of an FRMP has been around for quite some
time now with many professionals well aware of the
essential elements of an effective program. Management is
beginning to understand that the consequences of
fraudulent activity can go well beyond direct financial loss
to include damage to the organization’s reputation, legal
fines or sanctions, disruption of operations, unwanted
media attention, and loss of customers. Adding the cost of
investigation, legal fees, and remediation to an already
hefty bill explains why the best time to deal with fraud is
before it occurs.
While the increased attention on FRMPs is a good thing, all
too often management treats it as a one-time exercise
without considering how to integrate the program with the
organization’s other compliance and risk management
programs (such as SOX and Enterprise Risk Management).
This may lead to inefficiencies, inconsistencies, duplicative
efforts, and a lack of communication because those
responsible for risk management practice will operate
independently of each other and not in a coordinated way.
Effective Fraud Risk Management Relies on Effective
Governance
A holistic FRMP starts with having an appropriate,
enterprise-wide governance model that clearly defines
roles and responsibilities for risk management
throughout the organization. Formalized roles and
responsibilities tend to ensure that governance and risk
management practices are standardized across the
organization. A formal enterprise model encourages
open communication and collaboration among the
forums and functions charged with risk management.
Many organizations currently struggle with having
clearly defined roles and responsibilities for their
FRMP. In fact, nearly half of respondents to the 2010
Ernst & Young Global Fraud Survey said that their
organizations didn’t have well-defined roles for
different groups (internal audit, compliance, risk, and
legal) when responding to reports of possible fraud.
Many organizations struggle to determine who is
responsible for managing fraud. Often a company might
not designate one person as the “owner” of its anti-
fraud efforts. As a result, confusion can reign, causing a
lack of trust in the proactive anti-fraud program for
management and employees, a dangerous deficiency in
sharing of knowledge, and inefficient responses to
fraud.
Organizations also struggle to engage the right people
at the right level at the right time. FRMPs are at their
weakest when they fail to encourage collaboration
across various areas of operation. Fraud may be more
likely to occur when risk management roles and
responsibilities are diffused across reporting lines,
sectors and regions, or divisions.
This is why it is so important to establish a good
governance model for ownership, oversight, and
execution of the FRMP. Governance forums and
functions should be established and formalized at the
enterprise level based on need. Collaboration should be
encouraged through standardization of practices and
tools across the organization. Most important, a cross-
functional group should be leveraged to ensure that
those responsible for fraud risk management possess
diverse skill sets to address the complexities of fraud
cases and proactive fraud risk initiatives. Ideally, the
FRMP should be supported by:
• The audit committee
• Compliance
• General counsel
• Executive management
• Internal audit
• Accounting and finance
• Investigations
• Human resources
• Information technology
While these groups should provide ongoing input into
all aspects of the FRMP, best practice suggests that
there should ultimately be an individual or group, at the
enterprise level, accountable for the program itself and
to “shepherd” the other groups, forums, and functions.
A proper FRMP deals with both fraud prevention and
response. It is important to have clear ownership of
roles and responsibilities for fraud prevention to
address confusion, inefficiencies, and redundancies in
fraud risk management practices. It is essential to
ensure clear ownership of roles and responsibilities for
fraud response to minimize losses to the organization
and its stakeholders as well as to limit the exposure of
reputation and legal risk an organization faces as a
result of an incident (to essentially stop the bleeding
before the case is terminal).
For an effective fraud response plan to work, it has to
identify who will work on specific tasks from
the moment the allegation is identified to the point of
reporting the results. This is where a good fraud policy
comes in handy. It outlines the organization’s disaster
response plan when a fraud occurs. It provides
assurance to leadership that the right team will be in
place when an incident occurs and that this team is
qualified to minimize the exposure to the organization
and its stakeholders. A good fraud policy specifies who
is responsible for reviewing the allegations and then
determining, based on their assessment, who should get
involved, and to whom the results should be reported.
The response protocols in the fraud policy help guide
the organization toward a documented, consistent
process for recognizing, responding to, and remediating
fraud.
Whether preventing or responding to incidents of fraud,
a holistic approach demands efficiency and a level of
synergy among those charged with oversight and
execution of risk management practices. This can be
achieved through a strong, centralized function that
formalizes roles and responsibilities, standardizes
processes/protocols, and encourages collaboration
among the groups, forums and functions responsible for
governance and risk management practices.
Fraud is an extremely complex issue, and an oversight
committee—such as an anti-fraud program oversight
team—that’s committed to a common goal is often the
best method to deal proactively and reactively with
these complexities. The team’s anti-fraud program can
then become the channel for the dissemination of
messages from the top of the organization to all
employees. This new environment will help reinforce
an atmosphere of constant integrity throughout the
company that will allow the company to more
effectively deal with fraud.
Understanding the True Cost of Fraud
In conducting a fraud risk assessment, management is
required to assess the likelihood of a fraud risk being
realized, and the impact to the organization should it
come to fruition. The challenge lies in management’s
ability to quantify the true impact (or cost) of a
particular fraud risk.
Recall that impact is considered by identifying both
qualitative and quantitative factors. Quantitative factors
represent the amount of potential financial loss to the
organization and/or its stakeholders. Qualitative factors
represent the non-financial losses to the organization or
its stakeholders (such as reputation risk—the risk of
losing the ability to compete, due to perceptions that the
organization does not deal fairly with its stakeholders or
know how to manage its business).
Many find it challenging to determine the true cost of
fraud. This is especially true when there is incomplete
information available on how particular fraud scenarios
impact the organization. The cost of fraud is often
considered to be the amount stolen from the
organization and/or its stakeholders (the direct financial
loss). What is often missed is the indirect loss that
comes in the form of:
• Investigation and recovery costs
• Legal fees
• Civil litigation and fines
• Criminal litigation and prosecution
• The implementation of compliance and/or monitoring programs in response to the incident
• The diversion of organizational resources to respond to the incident
Once these additional factors are taken into
consideration, it makes it much easier to assign a true
cost to the fraud risk.
It is also possible to improve an organization's ability to assess the likelihood of each risk. Better monitoring through dashboards and the development and application of Key Risk Indicators (KRIs) enables Management to identify when a risk has been realized or is about to be realized. Establishing and monitoring KRIs also allows Management to define clear thresholds that, if exceeded, prompt an immediate response. Finally, the same monitoring lets an organization track how well it is managing each risk and identify emerging risks.
To better assess the likelihood and impact of fraud,
organizations are turning more and more to data
analytics. Everyday reliance upon technology makes it
possible for so many fraudulent schemes to unfold. As
we become more reliant on information technology to
support our businesses, we increase the likelihood of IT
fraud; that is, where a financial loss or malicious
damage has been sustained by an organization, which
has been facilitated by the use of IT in some way.
Technology presents so many opportunities for fraud to
occur; fortunately it also offers many capabilities for
combating fraud.
Data analytics is becoming more widely used due to our increasing dependence on technology and the relatively low cost of implementing analytical tools. Data analytics is the conversion of collected data into a format appropriate for detailed analysis, modeling and drawing conclusions. Typically, 100 percent of the electronic records are analyzed (as opposed to manual sampling methods). This complete data coverage provides the ability to identify trends that may indicate fraud and to drill down to the individual record level for further investigation and analysis.
Data analytics allows organizations to discern characteristics and/or relationships among transactions that would not otherwise have been identified using traditional detective methodologies and tools. These tools are useful for fraud risk management, as well as other risk management and compliance practices, because they allow organizations to better quantify risk and even monitor the performance of their risk management/compliance program. Key analytical metrics for an effective FRMP include the following:
Loss/Damage Quantification
  Total customer losses to be reimbursed.
  Customer attrition costs due to experiencing a fraud incident.
  Total effort expended per incident and the related costs.
  Total incidents for each period.
  Average legal fees per incident.
  Number of employee hours diverted to incident response.
  Cross-channel losses resulting from incidents originating in a specific department/division.
Trends/Weaknesses Exploited
  Successful bypass of internal controls – what controls are getting targeted and bypassed the most?
  Incidents of management override of controls.
  Attack volume.
  Incidents by type and transaction.
  Incidents by geographic location.
  Trends – time of day most attacks occur.
  Trends – types of businesses targeted.
Performance: Response and Recovery
  Total effort required to respond to each incident.
  Response time for each incident.
  Timeliness of investigation and wrap-up.
  Total funds recovered in a period.
  Cost-benefit analysis as it relates to cost of recovery versus actual funds recovered.
  Phishing – time from notification to take-down.
  Phishing – success rate of take-down.
  Number of compromised customers in a period.
  Number of repeat offences against a customer in a period.
  Number of incidents identified by the organization compared to incidents identified by the customer.
  Number of fraudulent attacks denied versus successful attempts.
  Total false positives recognized in a period.
  Total incidents in a period.
  Total incidents by theme.
  Impact of remediation efforts on total incidents.
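The KRI-and-threshold idea described earlier, together with several rows of the metrics table (true cost including indirect costs, average legal fees, response time, organization-versus-customer detection, false positives, and cost of recovery versus funds recovered), can be put into working form. The Python below is an added example written for this page; it is not code from the handout, from Deloitte, or from any ACFE tool. The incident records, the $60 hourly rate, and the threshold values are all constructed assumptions.

```python
"""KRI monitor over constructed fraud-incident records (added example, not from the handout)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    incident_id: str
    theme: str                  # scheme category, e.g. "phishing", "procurement"
    detected_by: str            # "organization" or "customer"
    direct_loss: float          # amount stolen (the figure usually taken as "the cost of fraud")
    investigation_cost: float   # indirect: investigation and recovery effort
    legal_fees: float           # indirect: legal fees
    hours_diverted: float       # indirect: staff hours pulled into incident response
    recovered: float            # funds recovered
    reported_at: datetime
    closed_at: datetime
    false_positive: bool = False


# Constructed sample data; the amounts are illustrative, not figures from the handout.
INCIDENTS = [
    Incident("INC-001", "phishing", "customer", 10_000, 35_000, 15_000, 40, 10_000,
             datetime(2012, 3, 1, 9), datetime(2012, 3, 3, 9)),
    Incident("INC-002", "procurement", "organization", 25_000, 5_000, 2_000, 20, 20_000,
             datetime(2012, 3, 5, 10), datetime(2012, 3, 6, 10)),
    Incident("INC-003", "procurement", "organization", 8_000, 3_000, 0, 10, 0,
             datetime(2012, 3, 10, 8), datetime(2012, 3, 10, 20)),
    Incident("INC-004", "phishing", "customer", 4_000, 2_000, 1_000, 8, 4_000,
             datetime(2012, 3, 12, 12), datetime(2012, 3, 13, 12)),
    Incident("INC-005", "phishing", "organization", 0, 500, 0, 2, 0,
             datetime(2012, 3, 14, 9), datetime(2012, 3, 14, 11), false_positive=True),
]

HOURLY_RATE = 60.0  # assumed fully loaded cost of one diverted staff hour

# KRI thresholds (assumed values); ("max", limit) breaches above it, ("min", limit) breaches below it.
THRESHOLDS = {
    "total_incidents": ("max", 10),
    "false_positives": ("max", 5),
    "avg_response_hours": ("max", 48.0),
    "org_detected_ratio": ("min", 0.7),
    "recovery_cost_per_dollar_recovered": ("max", 1.0),
}


def true_cost(inc):
    """Direct loss plus the indirect costs the handout lists (investigation, legal, diverted staff)."""
    return inc.direct_loss + inc.investigation_cost + inc.legal_fees + inc.hours_diverted * HOURLY_RATE


def compute_kris(incidents):
    """Compute one period's KRIs from the metrics table: volume, detection, response and recovery."""
    real = [i for i in incidents if not i.false_positive]
    if not real:
        raise ValueError("no confirmed incidents in the period")
    recovery_cost = sum(i.investigation_cost + i.legal_fees for i in real)
    recovered = sum(i.recovered for i in real)
    by_theme = {}
    for i in real:
        by_theme[i.theme] = by_theme.get(i.theme, 0) + 1
    return {
        "total_incidents": len(real),
        "false_positives": sum(1 for i in incidents if i.false_positive),
        "incidents_by_theme": by_theme,
        # share of incidents the organization found itself rather than hearing about from a customer
        "org_detected_ratio": sum(1 for i in real if i.detected_by == "organization") / len(real),
        "avg_legal_fees": mean([i.legal_fees for i in real]),
        "avg_response_hours": mean([(i.closed_at - i.reported_at).total_seconds() / 3600 for i in real]),
        "total_true_cost": sum(true_cost(i) for i in real),
        # cost-benefit of recovery: investigation and legal spend per dollar actually recovered
        "recovery_cost_per_dollar_recovered": recovery_cost / recovered if recovered else float("inf"),
    }


def breached_thresholds(kris, thresholds):
    """Return (kri_name, value, limit) for every KRI outside its threshold, in threshold order."""
    breaches = []
    for name, (kind, limit) in thresholds.items():
        value = kris[name]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            breaches.append((name, value, limit))
    return breaches


if __name__ == "__main__":
    kris = compute_kris(INCIDENTS)
    for name, value in kris.items():
        print(f"{name}: {value}")
    for name, value, limit in breached_thresholds(kris, THRESHOLDS):
        print(f"KRI breach: {name}={value:.2f} (limit {limit})")
```

The first constructed record deliberately reproduces the cautionary case from the summary of this handout: $50,000 of investigation and legal spend to recover $10,000. On this data the recovery cost-benefit KRI is therefore breached, as is the share of incidents the organization detected itself rather than learning of from a customer, while response time stays within its limit. Other rows of the table (phishing take-down time, cross-channel losses by originating department) fit the same structure by adding fields to the record and entries to the threshold map.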
Once the “true cost” of a fraud risk/scenario is known,
it is then re-evaluated in the fraud risk assessment. In
most cases, Management is surprised to find that their
initial assessment of the fraud risk was inaccurate;
further, Management may find that the “true cost” of
the fraud risk justifies the need for increased risk
management practices that would have otherwise been
perceived as being too costly.
Finally, trend analysis will show Management where
they need to strategically enhance their FRMP. For
example, monitoring an increasing trend of social
engineering of employees may encourage the
organization to increase awareness training.
Integration and Alignment with Existing
Risk/Compliance Programs
An FRMP does not have to stand alone. There’s
nothing to say that an organization cannot leverage its
current risk management practices within an
organization to help build its FRMP; in fact, this is
encouraged as it helps strengthen the current
governance and risk management practices in place
rather than building new ones. Such an approach helps
to refine the organization’s risk management practices
and capabilities.
Alignment can occur throughout the entire compliance/risk management framework. For example, certain organizational process assets (such as the internal audit charter, the code of conduct and ethics, and various policies and procedures) can be enhanced to support fraud risk management: training materials can be extended to include fraud awareness content, and the code of conduct/ethics can include a fraud policy.
An effective way to support the FRMP with the
organization’s existing risk management and
compliance infrastructure is through its whistleblower
program.
A whistleblower program is a tool that allows
employees to report fraud and other misconduct without
fear of retaliation. Many organizations have such
programs to ensure that employees feel comfortable
about reporting incidents of fraud and wrongdoing.
Some organizations also have whistleblower policies in
place to encourage their employees to speak up about
other problems in the company.
A whistleblower program has been proven time and again to be highly effective and beneficial for an organization, as employees are most likely to be the ones who notice and report problems early on, before they become serious issues. A whistleblower program is also an integral part of any organization's fraud risk management program.
Because such programs are effective when designed and implemented sufficiently and appropriately, organizations are increasingly turning to internal whistleblower programs to discover and correct improper activities.
An organization can help to ensure that its
whistleblower program is effective by ensuring that the
program is supported by six critical elements:
Oversight—the organization should have a
centralized authority charged with oversight of the
whistleblower program from an enterprise-wide
perspective and to enforce policies and procedures
to ensure that the program is being carried out with
sufficient rigor.
Stakeholders—the organization should ensure that
the program is made available to all key
stakeholders. It is important that the organization
understand the threats faced by the organization and
which stakeholders need to be involved to help
mitigate and manage such threats.
Communication—for any whistleblower program to
be effective, the stakeholders must know it exists.
Stakeholders should also understand how and when
to use the program.
Reporting mechanisms—employees and other
stakeholders should be able to contact the program
operators inexpensively and with as few
complications as possible. It is often recommended
that several reporting mechanisms be made
available as different people prefer different
methods of communication.
Administration—management must carefully
consider how the program will be administered to
ensure that sufficient and appropriate resources are
available to provide confidence to all stakeholders
that claims will be heard and processed consistently,
professionally and confidentially.
Response protocols—the organization should
ensure that there are sufficient and appropriate
protocols in place for responding to incidents
including collection, compilation, analysis,
investigation, enforcement, communication and
remediation.
A successful whistleblower program ensures that:
All stakeholders are aware that the program exists.
Stakeholders have a requirement to report.
The claimant has reasonable assurance of
anonymity.
The claimant has reasonable assurance that she/he
will not be disciplined or harassed for reporting.
Appropriate action will be taken to respond to the
claim.
Whistleblower programs can be highly effective in
fighting fraud and even provide opportunities to
enhance the FRMP. Not only can they be leveraged to
generate tips into misconduct, they are also very good
at spotting trends. Tracking whistleblower complaints
may provide insight into where weaknesses lie in your
antifraud program. For example, frequent
whistleblower complaints coming from the
procurement department may drive Management to
review the effectiveness of internal controls in that area.
As discussed above, a fraud policy is another
organizational process asset which can help enhance the
organization’s fraud risk management practices. Other
enhancements include the introduction of anti-corruption and anti-bribery policies as well as
disciplinary protocols.
Sometimes, Management conducts a fraud risk assessment without leveraging current compliance and/or risk management practices throughout the organization. This is unwise, as it often leads to redundancies and duplication of effort. For example, Management may identify the need for a new anti-fraud control when an existing SOX control, if slightly modified or optimized, will suffice.
As noted above, most organizations use the COSO framework to implement their FRMP. Consider that COSO is also recognized as a best-practice framework for implementing an organization's Enterprise Risk Management framework, SOX program, and even its anti-corruption and compliance and ethics program. This means that, should an organization already have one or more of these programs, there is an opportunity to leverage the current:
Risk assessments
Control environment
Control activities
Information and communication
Monitoring activities
An existing risk assessment is a good place to start.
Though a SOX risk assessment, for example, may be
more focused on error than fraud, many of the risk
scenarios, if slightly modified to include malicious
intent, could easily become fraud risk scenarios.
Leverage existing information to seek out
vulnerabilities and loopholes in current operations and
in the control landscape. Try to look afresh at well-
established and familiar processes, practices, and
relationships as if you are standing in a criminal's shoes
to determine what weaknesses a fraudster would see
hidden amid the workaday routine. Further, determine
if new vulnerabilities have been opened up by changes
in legislation, regulation, reporting standards,
operations, IT infrastructure or relationships with
strategic suppliers. Bitter experience shows that when
organizations think they have low fraud risks they have
often been looking for them in the wrong places.
Once existing risk assessments are leveraged and revised to incorporate fraud risk scenarios, begin to evaluate the control activities mapped against each risk. Determine whether each control is appropriately designed to serve its original purpose and, if not, whether it can be modified to also prevent and detect fraud. This type of internal control optimization will ultimately lead to increased efficiencies, as current control activities are enhanced, resulting in the need for fewer new activities to address fraud.
Summary
More and more organizations are beginning to appreciate
the value of having an effective FRMP. Management is
now in the process of making it more efficient by refining
the approach to fraud risk management and the elements
that make it what it is.
This can be done primarily through adopting an enterprise
governance model as doing so may assist with:
Encouraging cross sharing of leading practices and
collaboration among those charged with governance to
encourage and enable standardization of risk
management practices
Ensuring that there is a centralized and holistic view of
how risks are addressed across the enterprise by better
defining roles and responsibilities as part of the fraud
risk governance model
If the need for a new governance forum or function is
identified, ensuring that the objectives are understood at
the enterprise level prior to genesis to maintain
alignment with the organization’s standard risk
management practices
Augmenting communication channels and tools in order
to facilitate greater collaboration and integration of risk
management efforts
This can also be done by leveraging the significant amount of data found in the organization to help value the true cost of fraud. Data can also be used to determine the likelihood of risks being realized and even to identify trends in fraudulent activity, enabling the organization to respond in a strategic and timely manner. With the right metrics, organizations are able to evaluate the performance of their FRMP and make changes that will allow it to be more efficient and effective (e.g., ensuring that the investigations department doesn't spend $50,000 to recover a $10,000 fraud).
Finally, taking a holistic approach to fraud risk
management means leveraging and enhancing the current
compliance and risk management frameworks in place
rather than starting from scratch. This approach focuses on
viewing current organizational risks with a different lens
and augmenting existing controls to manage a variety of
risks rather than just meet one or two objectives.
At the end of the day, there are opportunities to turn an organization's fraud risk management program from a cost center into a revenue retention center; that is, the cost of the FRMP is covered by the potential lost revenue it saves, and then some.
Contact
Daniel J. Williams
CGA, ACCA (UK), CFE, CIA, CISA, CAMS, PMP
Senior Manager
Forensic & Dispute Services
Phone: 604-640-3286
Mobile: 604-351-5567