By Yves Nadeau
Illustration: Baiba Black
When it comes to managing fraud risk in an organization, there’s no easy solution. It’s all about being on guard
A key question for many organizations is who is actually responsible for managing fraud risk? Obviously, the managers in place are, but how much responsibility belongs to players such as internal auditors, external auditors and risk managers?
Reducing the risk of fraud requires the input of many stakeholders within an enterprise. Each is a key player in a process that must be organized and structured. And the effectiveness of any activity involving many players may be undermined unless responsibility is clearly defined and communicated.
Who are the players and how can they be motivated to take responsibility without distracting them from management’s strategic and organizational goals?
Gone are the days when management could claim that external auditors were responsible for detecting fraud. Although they may consider fraud risk within the scope of their work, detecting fraud is not their primary responsibility; it is management’s responsibility. Management must develop and implement reliable and effective internal control systems.
Internal auditors may also be asked to step in during their assignments. The risk management group may be required to look into fraud risk as well, especially if it has been identified as one of the organization’s material risks. Lastly, the financial compliance group (52-109 or SOX certification) also has to consider fraud risk, specifically the risk of financial fraud.
Types of fraud
Understanding the types of fraud that can arise is a prerequisite to effective fraud management. Financial fraud comes to mind first; but fraud is a much broader concept that can refer to corruption, theft of data, assets or personal information, forgery, overbilling, fictitious invoices and the like.
How is it possible to protect an organization when so many types of fraud can affect so many people? Who within an organization can make a difference when it comes to preventing and detecting fraud?
When numerous players say they consider fraud risk in their work, it might give the impression that risk is fully covered. Is it? Is the coverage commensurate with management’s needs? If it isn’t, the audit committee may be lulled into a false sense of security.
In fact, fraud risk is often poorly understood and under-discussed at audit committee meetings.
The internal auditor’s role
This situation is of great concern: isn’t the internal auditor supposed to keep the audit committee up to date on the matter? The internal auditor must persevere and periodically include fraud risk as an item on meeting agendas.
The auditor may ask questions such as: Has the organization compiled an itemized fraud risk inventory? Has the organization identified its most significant fraud risks? Are mechanisms in place to remedy these risks? Has the organization performed vulnerability analyses?
Types of fraud and the inherent risks must be thoroughly analyzed. Internal audit is typically responsible for cataloguing types of fraud and fraud risks, either by using fraud simulation techniques (fraud scenarios) or performing vulnerability analyses.
Another strategy is to hold cross-sector management workshops to identify potential types of fraud, measure risks and determine which prevention mechanisms to implement. To increase accountability for material risks, the risk manager could present the risk he or she oversees to the audit committee and explain how he or she intends to limit that risk. Don’t underestimate the time and energy needed to sensitize the organization to fraud risk. Reminders are required to raise awareness among managers affected by this risk.
Considering that an organization may lose 5% to 7% of its revenue to fraud (according to the 2008 and 2010 Global Fraud Study by the Association of Certified Fraud Examiners), the issue is worth studying, particularly in a time of economic instability when headlines are brimming with corruption scandals and influence peddling.
It won’t happen to us
Interestingly, senior management often mistakenly believes that its organization won’t fall prey to fraud, that it only happens to others. However, news-making cases of fraud involve big organizations with strict internal controls and policies. What’s more, according to statistics, most fraud is committed internally by employees or managers. Fraud isn’t in someone else’s backyard; it happens stealthily within the walls of the organization.
Internal auditors in charge of convincing management that fraud risk is a concern must persevere if they want to see their recommendations pay off. Statistics show that the risks are real. As French writer Nicolas Boileau noted, “Hurry slowly, without lapsing into gloom; rework what you’ve made 20 times on the loom.”
Although fraud must be prevented at many levels within an organization, senior management must set the tone. It needs to have an understanding of psychology, because the motives for fraud are often personal: revenge, feeling exploited or feeling a sense of injustice.
It’s important to work on the organization’s corporate culture, ensure that employees are treated fairly, communicate openly and implement employee-assistance and staff-leadership programs to overcome employee negativity.
Code of ethics
A code of ethics is essential. Drafting a standard code and posting it on the company intranet is not enough. It should clearly state what is ethical for the organization and explain which behaviours are tolerated and acceptable, substantiating each point with examples. For instance, the code might put a reasonable price limit on supplier gifts or define the behaviour expected by the organization. Such concepts should not be left open to interpretation. Many organizations have even developed intranet capsules for employees.
And remember, employees must know who to ask if they are unsure about how to interpret the code of ethics. Posting general interest questions and answers on the intranet is a sound practice. A clear code of ethics is a step in the right direction, but it’s only the first step — it has to be communicated and enforced.
Constant reminders, posters and messages are also useful. An organization must ensure that employees are complying with the code by performing spot audits. The internal audit function can play a role in this area.
Management must also convey the company’s values, setting an example by its behaviour. How can an organization claim to instill rules of ethics if its managers transgress those very rules? Management’s tone will pave the way to success.
Sound internal control system
Preventing fraud also means communicating clear policies and procedures and setting up internal control systems, which are an excellent way to keep fraudsters at bay.
In today’s economic climate, organizations are cutting costs by downsizing or reorganizing, neglecting certain internal controls in the process. There should be a sharp focus on segregation of duties in any organizational change, because a deficiency in this area can often be the source of fraud.
Although management is the chief watchdog over internal controls, the internal auditor, who has expertise in the area, is a key player. There’s nothing like an internal audit in a sensitive or vulnerable sector to keep everyone on their toes. Internal audit techniques have grown more sophisticated. Many are automated and can detect patterns of fraud. These high-performance tools can process a large volume of data in next to no time.
The ultimate fraud fighter, the most effective weapon in the arsenal, is whistleblowing. It’s still the best way to detect fraud within an organization. According to the 2008 and 2010 Global Fraud Study, almost half of all fraud was detected through whistleblowing. The whistleblowing process within any organization should therefore be flawless.
How often have audit committees said that there was no whistleblowing in the last quarter? Although many organizations may see this as a healthy state of affairs, it may be the opposite. Employees often refrain from whistleblowing because they do not believe their anonymity will be assured or they feel threatened or intimidated. Often, this ethical recourse is managed internally, which is an effective way to keep informants quiet.
Taking time to properly assess a company’s whistleblowing process is vital. Outsourcing it to a neutral and independent party is another way to go and there could be surprises in store for many organizations.
Organizations hold a false sense of security when it comes to managing fraud risk, and no organization can claim to be immune. Thought should be put into clearly defining and understanding this risk. Fraud awareness should be raised within an organization and appropriate safeguards should be implemented.
Unfortunately, there is no quick and easy fix for fraud. It’s best to be on your guard. After all, can your organization afford to lose 5% to 7% of its revenue?
Yves Nadeau, CA, CPA, is partner, assurance and risk management group, with RSM Richter Chamberland in Montreal. He is also CAmagazine’s technical editor for Assurance.