Define program objectives. Fraud risk management should be right-sized and tailored to the organization’s unique needs because not every organization needs to require the same level of fraud risk management framework. For example, organizations with limited fraud exposure or those willing to accept more fraud risk might not need to aim for the highest level of fraud risk management maturity; instead, these organizations might be willing to adopt initial levels as the objectives for fraud risk management.
Define Program Objectives: Step 1 In Fraud Risk Management
Tailoring objectives to the organization’s specific goals and needs is important to define the fraud risk management program. Management must be clear about what the organization wants to achieve. These objectives must be clearly defined and documented by the senior management with the approval of the Board of Directors.
After defining and knowing the actual objectives and goals, management needs to assess the fraud risk appetite levels for the organization. Every organization has a different risk appetite. Management needs to address the fraud about risk appetite.
Defining appetite levels indicate the level of fraud risks the management is willing to accept. Risk appetite level serves as a boundary in financial terms, which are always referred to when the fraud risk assessment programs are defined.
The management establishes the need for fraud risk controls based on particular objectives and fraud risk appetite levels. Accordingly, budgets are allocated for the investment in anti-fraud controls. Anti-fraud controls aim to prevent the occurrence of fraud incidents at the organization levels and in the departments. Cost-benefit analysis is performed while deciding to invest in anti-fraud controls to ensure that cost does not exceed the fraud risk appetite level.
To define the fraud risk assessment program, a distinction must be made between the risk appetite and tolerance levels.
Tolerance level is the level of risk that an organization might accept per individual risk, depending on the business’s size, nature, and complexity.
Risk tolerance is related to the outcomes of the fraud risk, if it occurs, having the right controls and resources in place to tolerate the particular fraud risk. It defines the level of fraud exposure that the organization absorbed after its occurrence.
Fraud incidents may also have a non-monetary impact, such as fraud, which causes reputational loss for the organization in addition to financial losses. Reputational losses and risks are related to the organization’s brand image and result in a decline in market share and profitability. Examples include the cyber-attack on the core application system of the organization, causing financial losses as well as reputational losses due to becoming public media news. The customers and general public, after hearing such news, will lose confidence in the company, causing financial losses.
In establishing the context of fraud risk management, external and internal context is considered. Internal fraud risks identification is equally important as external fraud risks.
Internal Fraud Risks
Internal fraud risks are mostly related to employee fraud, which is caused due to weal controls or the controls being overridden by the employees. Such internal and external context distinctions must be identified and documented for reference and application of robust internal controls. Internal frauds may include the embezzlement of funds by the employee handling the company’s cash, or there might be theft of the assets and infrastructure of the organization.
The intensity and severity of fraud depend on the size and nature of the organization’s operations. Large organizations with many expensive assets and infrastructure are more prone to fraud because of difficulties in performing appropriate assets reconciliations by the finance and administration departments. However, management must be able to define the level of fraud, which may be borne by the organization, in case any fraud occurs and go undetected.
These fraud acceptance levels are defined considering past fraud incidents and the controls in place before the occurrence of fraud incidents. In case the built-in controls are found weak and complex, then management may need to define the level of acceptable fraud risks accordingly. But in an ideal situation, the management must ensure that robust controls are defined and implemented in the organization and departments.
Questions To Address
Management must understand the reasons for the occurrence of past frauds and should address questions, such as:
- Were fraud risks not fully understood
- Were controls insufficient and weak in design and operation
- Were controls overridden
- Were any fraud warnings missed by the system
Addressing these questions help in finding the route cause of fraud incidents and enable organization to rectify the gaps in the processes, through the application of more robust fraud preventive and detective controls.
A fraud risk assessment is designed to address a company’s vulnerabilities to internal and external fraud. Though fraud types vary by business line, internal frauds include embezzlement and asset misappropriation, while external frauds include hacking and theft of proprietary information.
Internal control weaknesses are frequently used by perpetrators to commit fraud. A fraud risk assessment, when used to understand these weaknesses and the risk environment, can assist management in developing a mature risk management plan.