Fraud Risk Management Defined
Regarding the prevention of fraud and abuse, risk management, the “umbrella” term used most often, provides the structure that enables organizations to create controls designed to prevent fraud from occurring, detect fraud as soon as it happens, and respond accordingly when such incidents are discovered.
The four components of risk management are:
Assessment: An assessment seeks to identify an organization’s potential risks of fraud and abuse from sources within and external to the organization. The assessment is designed to point out both the organization’s strengths and weaknesses through a coordinated approach using a proven fraud risk assessment tool.
Reduction: Policies and procedures established to prevent or detect fraud and abuse.
Transfer: The use of insurance or other means to transfer financial risk associated with a recognizable act of fraud.
Acceptance: Taking little or no action; this signals the level of financial exposure to fraud that an organization is willing to accept.
Risk management as it relates to fraud prevention addresses the following topics:
· Financial controls
· Nonfinancial systems
· Management oversight and behavior
Internal controls should be mentioned first. Separate from the components listed above, “internal controls” is the general or broad term used by auditors and accountants to refer to the set of policies and procedures designed to prevent fraud and abuse throughout the organization, with the primary goals being to ensure:
· Timely, accurate financial reporting
· The safeguarding of assets
· Compliance with laws and regulations
· Efficient utilization of the organization’s resources
Different from internal controls, financial controls can be either preventive or detective, and include:
· Recording revenue – Proper reporting and disposition of deposits received
· Purchasing – The use of purchase orders or other methods to control spending
· Disbursement of funds – Practices used by the accounts payable department
· Processing payroll – Setting procedures for reporting hours worked, verification, and oversight
· Periodic reconciliations of account balances – Oversight and verification usually performed by someone other than the person writing checks.
Nonfinancial systems
Nonfinancial systems differ from financial controls in that they refer to policies that control fraud and abuse in the following specific areas:
· HR policies and procedures – restricting the disclosure and type of information
· IT systems – including limiting access to data and securing it
· Physical security – limiting access to the property and the safeguarding of company assets
· Insurance – the transfer of risk should a fraudulent act be deemed to have occurred
Management oversight and behavior
Management oversight and behavior include actions taken by senior leadership, as they relate to the prevention of fraud and abuse, that are mirrored throughout the organization. In other words, senior leadership needs to not only “talk the talk, but walk the talk.” The policies set forth by leadership include:
· Setting the correct tone at the top and enforcing discipline as it relates to matters involving fraud
· Ensuring financial analysis will be used as a monitoring and fraud detection tool by internal and external audit teams
· Communicating throughout the organization that acts of fraud will not be tolerated and that those who commit them will be met with severe consequences
· Setting forth responsibilities for those (such as middle management) in the organization to deter fraud
· Crisis management relating to actions taken should an act of fraud be discovered
Inspiration for this piece came from Gerard Zack’s book, “Fraud and Abuse Prevention in Nonprofits,” which is available on Amazon. Although the source is a book written for fraud examiners of nonprofits, fraud professionals understand that the tenets of fraud prevention and risk management are not restricted to a single genre and can be applied effectively to a variety of needs.