By Pete Miller, CPA, CFE
Fraud represents a risk to every business: public or private, for-profit or not-for-profit, large or small. And a simple truth is this: most organizations overlook an essential fundamental process to designing a comprehensive fraud prevention program– the risk assessment process.
Over the past several months, worried business owners, advisors, and managers have called to inform me that they suspect they have been victimized by fraud. As is usually the case, the specific circumstances that allowed the fraud to begin and continue were quite unique, the perpetrator’s reasons were private and distinct, and the length and magnitude of the fraud were varied.
However, in every case, the fraud left management feeling confused, stressed about next steps, befuddled that they didn’t have the right processes in place to catch it, and left without critical financial resources needed to carry out their mission.
Our economy has just started to make its way out of a time of significant financial hardship. The recession experienced over the past few years certainly was the source of a lot of financial stress and need for many. At its heart, fraud, particularly occupational fraud, is a means to an end. People have a private financial need and may believe that the only relief available to them is to commit a fraud against their employer.
You may be wondering, in the face of economic recovery, why the instances of fraud are increasing. According to the 2012 Report to the Nations on Occupational Fraud and Abuse published by the Association of Certified Fraud Examiners, the average duration of occupational fraud is between 12 and 36 months. The schemes that are now coming to light likely started when the recession was at its strongest.
Another useful publication designed to help organizations mitigate fraud risks was recently revised and distributed. The Committee on Sponsoring Organizations, or COSO, published an updated integrated-framework on internal control this past May. The framework is available for purchase and has become the standard by which organizations demonstrate their adherence to effective internal control.
With an elevated awareness of the risks associated with ongoing frauds and the release of a revised “best practice guide,” now is the time for organizations to revisit their internal controls. And not just a review of controls and processes as they relate to the revised COSO framework, but a fresh review of all the risks that those controls are meant to mitigate.
Oftentimes, a particular internal control is followed because it is an activity that’s “always been done” or may be an activity that is “supposed to be done”. While true, internal controls should be implemented and followed because they respond to a specific risk. Without an honest assessment of risks facing an organization – as they relate to both the financial reporting processes as well as other processes – the control system will likely be disjointed and somewhat ineffective.
An honest assessment will need to include both activity-level controls and entity-level controls. Control activities, as they are described in the COSO framework, are the things that most people think of when discussing internal controls, but they are only a small portion of the puzzle. The other components of the framework are equally, and at times, more important. Those other components are the control environment, communication, monitoring, and the risk assessment.
The risk assessment component of the COSO framework is often overlooked, but it can be the most critical. It relates to risks facing (1) the financial reporting mechanism of an organization (2) the operations of an organization and (3) the enterprise level.
A risk assessment is an exercise that identifies a variety of risks, determines how significant of an impact each risk would have on the organization, and also how likely the risk is to occur. This helps an organization prioritize its risks and develop appropriate safeguards for mitigation. Without a thorough understanding of risks impacting an organization and its finances, it is easy for certain risks to go unchecked, slip through the cracks, and leave the organization vulnerable. Additionally, the risk assessment process is a continual “wash, rinse, and repeat” process. As change impacts an organization – such as turnover in personnel, new program opportunities, and fluctuations in market conditions –new risks appear that will need to be considered by the risk assessment.
In my experience, the risk assessment process always surfaces some new material that may not have been considered in the past. It is an extremely valuable exercise that can be galvanizing for those participating in the process and is a worthwhile endeavor for any organization.
For a closing consideration, I wanted to share a few of the more interesting revelations that my clients have reached as a result of conducting a risk assessment.
Tone at the Top
Many companies and organizations I speak to are aware that a proper tone at the top is an essential quality for a successful operation. However, they don’t realize the impact that a good or bad tone at the top can have on an organization. For example: Executive Director J. Doe and her board of directors lead with conviction and integrity, have a “do it right” attitude (and probably a “do it right the first time” attitude), and treat employees, vendors, customers, and regulators with respect, forthrightness, transparency, and honesty. They use a trust-but-verify management style. Their attitude trickles down to other key executives and managers and proliferates throughout the organization. Hiring practices and retention experience show that people with that same attitude and values gravitate to like-minded organizations. J. Doe’s chances that a person would perpetrate a fraud are lower; however, she trusts but verifies all the same. Trust-but-verify is a means of prevention and serves as a means of measuring performance
On the other hand, Executive Director J. Anonymous is secretive about financial information, withholds information from key vendors, is not forthcoming and honest with customers, and talks about employees behind their backs; therefore, she has a higher chance of employees not coming forward with critical information about an error or a fraud, or turning the other way when they see something they might not think is right and potentially going down the slippery slope of fraud themselves. In this kind of environment, controls are needed far and wide.
Positions of Trust
Many of the longer-lived frauds were perpetrated by people in positions of trust. These individuals typically have greater access to information, systems, and financial assets than others. Their duties typically come with less monitoring and oversight as well. As is the case with most employees, when these individuals are hired, one of the common steps is to complete a background check and, potentially, a credit check. I wholeheartedly believe these are important steps to making sure you are hiring the right person. However, with that in mind, the Report to the Nations notes that only 15% of occupational fraud was perpetrated by repeat offenders.
The moral here is that the private financial need I mentioned earlier is something that may develop over time and very well may not exist when someone is hired. Someone may have a clear history and credit evaluation when you hire them; however, there is no guarantee that they will stay that way for their entire employment.
For people in positions of trust, these checks should be updated from time to time (e.g., 3-5 years) to make sure that nothing has changed in their lives that may trigger their motivation. Before implementing check updates, I would encourage you to get the employee’s permission (i.e., write it into their employment agreement or include in the initial consent for credit/background checks that you reserve the right to repeat this every 3-5 years, etc.) and consult with your employment law advisors first.
Threat of Detection
Organizations have an endless menu of internal controls they can deploy in their efforts to fight fraud. The Report to the Nations has found that controls providing a perception to employees that they could get caught are very effective tools in fraud prevention. This variety of controls typically consists of someone either stepping into the shoes of another employee to perform his/her job for a period of time or directly completing a detailed review of his/her work. Examples of these controls are mandatory vacations, job rotations/cross-training, internal audit functions, and surprise audits by management. The perception that a perpetrator may get caught can be enough to prevent the fraud from starting.
This has been an area that has grown in frequency and magnitude over the years. More frauds are perpetrated today by targeting expense reimbursement practices than was the case 6 to 8 years ago, and these frauds are growing in financial impact. The frauds are typically very small for each individual occurrence and, as a result, can last for a very long time before the perpetrator is caught. The risk assigned to the improper use of an expense reimbursement policy is often underweight, which allows frauds to slip through the cracks.
© Clark Nuber PS, 2013. All Rights Reserved