This article first appeared on RadicalCompliance May 4, 2023.
Auditors and other anti-fraud professionals have fresh guidance this week on how to manage fraud risk, with an emphasis on data analytics, internal reporting hotlines, and discussion of how effective fraud risk management can deter fraudsters from trying their schemes in the first place.
Said guidance comes from COSO and the Association of Certified Fraud Examiners, who released the document earlier this week. Rather blandly named “Fraud Risk Management,” it’s an update to previous anti-fraud guidance the two groups published in 2016.
“It is impossible to eliminate all fraud in all organizations. However, effective leaders address fraud risk as they do any risk – they manage it,” ACFE president Bruce Dorris said in a statement about the guide. “There is no ‘one size fits all’ approach to managing fraud risk, but by applying the guidance in the updated guide, an organization can create a custom-fitted program tailored to its specific needs.”
One can certainly understand the need for new fraud guidance given all the pressures that have piled onto corporations in recent years: the rise of cryptocurrency, new methods of cyber-based frauds, remote and hybrid work models, greenwashing and other ESG frauds, and then the gusher of pandemic-related government spending to boot. Fraud risks are everywhere, and these days they can look quite different from what we’ve seen historically.
The complete guide is for sale through ACFE, the Institute of Internal Auditors, and the American Institute of Certified Public Accountants for $79. You can also download a 20-page executive summary for free, which of course I did because I’m cheap, and even that abbreviated document has a few important themes worth unpacking.
Management Leads to Deterrence
The first major theme is that fraud risk management, done correctly, can serve as a powerful deterrent against fraud. Or as the COSO guidance puts it, “Organizations that implement a rigorous fraud risk management program will further strengthen fraud deterrence by making it known that potential fraud perpetrators face a significant likelihood of getting caught and being punished.”
Obviously that principle makes sense, but think about what must exist in your ethics and compliance program to put that idea into practice.
- Employee training to explain various types of fraud, especially for frauds that don’t involve the direct theft of funds (say, greenwashing claims to secure ESG investors, or financial statement fraud to boost earnings).
- Policies for documenting and approving financial transactions.
- Testing of those policies, to confirm that documentation is being submitted and approvals are happening according to the rules.
- Analysis of account balances and transaction records to detect any frauds that might be happening anyway.
- Mechanisms for employees to report suspected frauds.
- Investigations teams, including experts in forensics or cybersecurity as needed, to follow up on those reports.
- A strong commitment from management to hold fraudsters accountable, whether that means disciplinary action or referring the perpetrators to law enforcement.
- A communications team that tells the workforce about frauds that have been intercepted, so employees can see that management takes this seriously.
That’s a lot of stuff that needs to happen for vigorous fraud risk management. It also cuts across various management functions: accounting, legal, HR, internal audit, senior management, and others. A successful anti-fraud program will have one person who coordinates all those efforts. Typically that leader will be the head of internal audit, but he or she won’t succeed without a clear, public show of support from senior management and the board.
Challenges in Fraud Risk Assessment
Another theme in the guidance is the importance of effective fraud risk assessment. It defines three basic steps that your assessment of internal controls should follow:
- Identifying existing control procedures related to each identified inherent fraud risk;
- Assuring that the controls have been implemented and are working as designed; and
- Assessing whether the controls are adequate to address the fraud risks that have been identified
An important point to remember here is that you need to assess a control’s ability to address fraud risk in addition to the control’s financial reporting purpose. That is, you might have a control that works perfectly well for your financial reporting needs, but not as a control to prevent fraud.
For example, you might have controls that accurately document when sales and refunds are recorded; but those controls won’t necessarily alert you that someone is recording a sale at the end of one quarter and then a refund of the sale two days into the next one.
Assessing each control for its anti-fraud potential, above and beyond its financial reporting purpose, is important because that tells you what your residual fraud risk is. Then you can implement additional, fraud-specific controls as necessary. (In our above example about round-trip revenue schemes, you might then use data analytics to find sales and refunds that happen at the turn of each quarter.)
Anyway, this is all just to say that assessing your anti-fraud controls is crucial, but also complicated – especially for modern frauds, which are far more sophisticated than the example I gave above. The COSO/ACFE guidance does walk through those challenges in detail, and buyers of the complete book can also access an ACFE database of frauds and how they work.
Fraud Is Having a Moment
I also can’t help but notice that this is the third significant statement about fraud that the compliance and audit community has seen in recent months. First we had the SEC’s chief accountant publishing a statement last fall urging auditors to do better at fraud risk assessment; then the PCAOB published its list of priorities for 2023 inspections of audit firms, and fraud was at the top of the list. Now we have this guidance that anyone can use, corporation or auditor alike, to sharpen your anti-fraud program.
It’s almost like the powers-that-be are telling us something. I suggest we listen.