FRAUD RISK MANAGEMENT – ARE YOU FULLY PREPARED?
What is fraud?
The word “fraud” is firmly entrenched in the mainstream consciousness given the multitude of corporate frauds that have occurred in the recent past. However, there is no single commonly accepted definition, across legal jurisdictions, of what constitutes a “fraud”. Broadly speaking, it can be interpreted as an intentional act or omission designed to deceive others with the intention of causing loss to the victim and obtaining an unfair advantage. Unlike other crimes which may be witnessed, fraud, by its very nature, necessitates concealment by its perpetrators. It is obvious that all fraud has the common denominator of a “perpetrator” or person committing the fraud. Examples of fraud include incorrect financial reporting, embezzlement of cash, issuing fake invoices, inflation of purchase invoices, payment of kickbacks and bribes, conflict of interest, procurement fraud, etc.
Dr. Donald Cressey, an eminent criminologist, determined there are three factors which are common in all fraud cases. The elements, which he sets out as components of a fraud triangle, are Motivation (pressure), Opportunity (scope) and Rationalization (attitude).
Motivation, also referred to as the “need or greed” factor, is the source which drives an individual towards committing fraud. A person may be motivated by needs such as the desire for a better lifestyle, to project oneself to a higher social status, to tide over a family pressure, etc.
In order to notice tell-tale signs of the motivation element, one needs to look out for “red flag markers” as an early warning mechanism, e.g. an employee's lifestyle that is inconsistent with their position in the company. A useful way to pick up such symptoms is to develop potential “red flag situations” and communicate to employees the need to keep a watch for such behavioral trends.
Whilst a red flag does not necessarily mean there is a problem, it indicates that a follow-up action should be put in place in order to confirm or refute the existence of a potential issue.
The opportunity to commit fraud can arise from industry-specific factors, company-specific factors or a combination of both. This creates an enabling environment for an individual to fulfill the desire that drives the individual to commit fraud. Examples of industry-specific factors are large volume cash transactions, high rate of rejections, commission payouts to customers and vendors, etc. Company-specific factors include operating from remote locations, weak internal controls, complex legal structures, pressure to satisfy customer demand, performance-linked incentives, irrational cost control, significant promotional activities, etc. The employee uses his / her position of trust to deceive and manipulate the system.
The third element of fraud is rationalization – a factor that allows fraudsters to convince themselves that their actions are justified. Rationalization can operate at the individual level, which may be a reflection of a different value or belief system. Rationalization may also reflect the corporate culture – there is no “tone at the top,” there is a lack of understanding about what is acceptable, a tolerance of petty wrongdoing or a lack of business principles.
Setting the principles
A plethora of laws and regulations have been instituted by governments as a response to counteract corporate scandals and fraudulent practices, and to make organisations self-governing. While organisations tend to be in compliance with these laws and regulations, none of these are prescriptive on the design of controls to prevent fraudulent acts. Therefore, management’s attention is increasingly focused on understanding fraud risk that can undermine their business objectives, and on how to reduce exposure to corporate liability and achieve a high level of business integrity through corporate governance, internal controls and transparency.
Anti-fraud measures to manage fraud risk in an organisation should be centered around the following principles:
| Principle | Description |
|---|---|
| Fraud risk governance | There should be a fraud risk management program in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk. |
| Fraud risk assessment | Fraud risk exposure should be assessed periodically by the organization to identify specific potential threats and events that the organization needs to mitigate. |
| Prevention | Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization. |
| Detection | Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized. |
| Investigation and corrective action | A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner. |
Assessment of maturity level to manage fraud risk
It will be useful to carry out a self-assessment exercise in order to determine, on a maturity scale, how optimal the processes are to manage fraud risk. Such an assessment will help management to prioritize the areas that need to be improved upon in order to prepare the organisation to respond to the risk of fraud more proactively.
Development of a broad-ranging fraud risk management program is a starting point in managing this challenge. Identifying known risks and the steps to mitigate them is an important first step.
Organisations can then perform a gap analysis and prioritize activities that will help them to build an effective fraud risk program.
(This article is written by our Associate Partner, Mr. Shajan Abraham, who heads our Risk Advisory Division.)