Identify and map existing controls. Management of the organization is required to identify and differentiate between the preventive and detective internal controls. Preventive controls are built and implemented in the departments and processes to prevent the occurrence of fraud, whereas detective controls are controls that detect fraudulent activities.
Identify And Map Existing Controls: Step 5 In Fraud Risk Management
Management also identifies the general controls and differentiates these controls from the process-specific controls which are built into the processes to prevent the occurrence of frauds. General controls are designed and implemented to support the organization, such as establishing IT processes to ensure that all departments use technology to perform their duties.
On the other hand, process-specific controls include sales controls which are built into the sales system to ensure that all actual sales are recorded correctly and on a timely basis, to avoid the over or under-recording in financial statements. Other examples of process-specific controls include purchase controls built into the purchase process to ensure that all purchases are authorized as per limits.
Management develops the policies and procedures for each department and core processes to ensure that all process-specific controls are documented for reference of employees working in different departments.
Once all the controls are documented in the form of policies and procedures, the identified fraud risks are related to the process-specific and general controls. This interrelation helps identify gaps and weak controls to mitigate the fraud risks. On identifying weak internal controls, the initiatives are taken by relevant departments to design and establish robust controls necessary to mitigate the fraud risks.
For example, in the purchase process, if the authorization controls are not built-in, then there are chances that employees may misuse the purchase process for their advantage. The purchasing department needs to design authorization limits for different purchases to control this fraud risk and ensure their implementation.
Such authorization limits will require approval of purchases from a manager or departmental head, which reduces the risks of fraud by the employees.
Why Do People Commit Fraud?
There is no single cause of fraud, and any explanation must take into account a variety of factors. From the perspective of the fraudster, the following factors must be considered:
- potential offenders’ motivation
- conditions in which people can rationalize their potential crimes
- opportunities for criminal activity (s)
- Targets’ perceived suitability for fraud
- The fraudster’s technical ability
- The expected and actual risk of being discovered after the fraud has been committed
- anticipations of discovery’s consequences (including non-penal consequences such as job loss and family stigma, proceeds of crime confi scation, and traditional criminal sanctions)
- actual outcomes of discovery
The Fraud Triangle is a common model that combines many of these elements. This model is based on the assumption that fraud is most likely caused by a combination of three factors: motivation, opportunity, and rationalization.
Simply put, motivation is typically driven by greed or need. According to Stoy Hayward‘s (BDO) most recent FraudTrack survey, greed is still the leading cause of fraud, accounting for 63 percent of cases in 2007 where a cause was cited. Other causes mentioned included debt and gambling issues. Many people are given the opportunity to commit fraud, but only a small percentage of the greedy and needy take advantage of it.
Personality and temperament, as well as people’s fear of the consequences of taking risks, play a role. Some people with good objective principles can get caught up in bad company and develop a taste for the fast life, which tempts them to commit fraud. Others are only tempted when they are facing ruin.
Fraud is more likely in companies with a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies regarding acceptable behavior. According to research, some employees are completely honest, while others are completely dishonest, but many are swayed by opportunity.
Many people follow the law because they believe in it and/or are afraid of being humiliated or rejected by people they care about if they are caught. However, some people may be able to justify fraudulent behavior as follows:
- necessary – particularly when done for business
- Because the victim is large enough to absorb the impact, it is completely harmless.
- justified – either because ‘the victim deserved it’ or ‘I was mistreated.’
Establish A Risk Management Group
And Set Goals
A risk management group should be formed to facilitate and coordinate the overall risk management process. A chief risk officer, a non executive director, a finance director, an internal auditor, heads of planning and sales, a treasurer, and operational staff are all possible members of the group. The risk management group may take the form of a committee that meets on a regular basis, depending on the size and nature of the organization.
Identify Risk Areas
Each risk in the overall risk model should be investigated to determine how it might evolve within the organization. To facilitate further analysis, it is critical to ensure that the risk is precisely defined and explained.
Analytical techniques include:
- interviews and workshops
- mapping of processes
- comparisons with other companies
- discussions with colleagues
Risks are potential events that may have an impact on an organization’s ability to achieve its goals. Understanding the nature of such events and making positive plans to mitigate them is what risk management is all about. Fraud is a major risk that endangers the company’s financial health as well as its image and reputation.