According to the Association of Certified Fraud Examiners' 2020 Report to the Nations, organizations lose 5% of revenue each year due to fraud. Fraud is most likely happening at your organization, both internally and externally. COVID-19 introduced massive changes in consumer behavior, which necessarily change your company’s customer interactions. Private companies have fewer statutory requirements related to fraud risk analysis and fraud reporting, and they might be less prone to undertake these activities as a result. That said, even public companies that follow more stringent anti-fraud requirements sometimes conflate regulatory compliance with fraud-risk mitigation.
The benefits of getting it right
Boards of companies engaging in thorough fraud-risk analysis and carrying out substantive fraud investigations will benefit from it in many ways. Some of these include:
- an increased trust in (and transparency into) the decisions made by management, as they are based on “pressure-tested” information
- a better “finger on the pulse” of emerging trends affecting the company (i.e., risks on the horizon)
- better insights into management’s ability to maximize returns/cost recovery
- greater confidence that management’s commitment to fraud detection will resonate positively with vendors, auditors, lenders, and insurance brokers
- strengthened positioning in M&A activities in terms of minimized fraud exposure
Five key questions to ask management
- Is there a thorough understanding of the organization’s complete risk universe? How is this understanding demonstrated to the board?
While the business must identify its risks, don’t try to boil the ocean. Instead, focus on identifying both the internal and the external risks most relevant to your organization. Document this information in a formal way as part of a fraud risk assessment.
- Is management contemplating fraud risk (both internal and external) within their periodic risk-assessment techniques?
Many organizations focus on perception-based questions as part of a fraud-risk assessment, but the reliability of such perceptions can differ. A better approach is to map out your organization’s objective risks and to design a set of information-based questions aimed at assessing the strength of controls to protect against those sources of risk.
- Has management involved the right people within the organization (from key domains of risk, based on the company profile)?
Organizations tend to keep their fraud risk assessment teams small or focused only on senior leadership. Building a risk-assessment team derived from various in-house functional areas can help you train stakeholders on fraud risk, on their role in fraud risk prevention and detection, and on why fraud risk management matters. It is important that management builds a sound foundation, making the team genuinely multi-disciplinary. This multi-disciplinary approach should begin with the risk assessment and should extend into the communication of outputs from the risk assessment.
- Is management using data analytics to detect, report on, and mitigate fraud?
As you conduct your fraud risk assessment, match your identified fraud risks to your identified anti-fraud controls. Once you assess and score risks, leverage this inventory to understand what controls are in place to combat a known risk and to understand how strong those controls are in practice. Far too many organizations fail to perform this risk-to-control mapping, and this results in controls that are not fit for their purpose and/or do not address specific kinds of demonstrable fraud risk.
- For identified risk areas, is management turning insight into action?
Your fraud risk assessment is a tool, one of many, and it should serve as the baseline for action, not as the end point. The results of such an assessment should drive decisions, resource allocation, controls rationalization, and process improvements.
Grant Thornton library articles: Minimizing fraud and maximizing returns