Fraud risk assessments have been shown to prevent occupational fraud and limit losses for victimized organizations. These tools have become more prevalent in recent years, according to “Occupational Fraud 2022: A Report to the Nations” published by the Association of Certified Fraud Examiners (ACFE). But although almost 50% of businesses perform fraud assessments, many owners and managers may be unaware of the value of these procedures and how the assessment process works.
When and why?
Fraud risk assessments generally are conducted by internal auditors, either on a standalone basis or as part of a comprehensive enterprise risk management program. You may want to conduct assessments annually or whenever there have been major organizational changes or disruptions.
The COVID-19 pandemic, when many businesses closed temporarily and many employees started working from home, may provide the impetus to conduct a fresh fraud risk assessment. For example, workers could have used unsecured Wi-Fi connections to log in to your network while working from home; your accounting department may have temporarily stopped rotating duties; or employees tasked with overseeing certain antifraud activities may have left your organization.
Typically, a fraud risk assessment starts in the areas where fraud is most likely to happen — such as accounts payable, purchasing and IT. But it’s important not to stop there. If you close a door in only one department, those bent on fraud will find openings elsewhere.
You must review your organization’s internal controls in the same way a dishonest employee would — as opportunities that pose relatively little risk of exposure. Employees might exploit weak internal controls via:
- Fraudulent financial reporting, such as improper revenue recognition and overstatement of assets,
- Misappropriation of assets, including embezzlement or theft,
- Improper expenditures, such as bribes, and
- Fraudulently obtained revenue and assets, including tax fraud.
Some schemes, such as payroll or purchasing fraud, can involve external people in addition to employees. Fraud may be limited or widespread and affect everything from individual accounts to entity-wide processes. So your business’s controls should address all levels — including owners and executives — every department and all types of fraud.
Interviewing key executives and managers is critical. They’ll provide you with a first glimpse of potential risk areas. Perhaps more important, these conversations will help you judge whether company leaders are setting the ethical “tone at the top” that’s integral to fraud prevention.
Next, identify the number and names of employees who handle or review accounting functions. How many, for example, reconcile bank statements or are authorized to make bank deposits? Spreading accounting and banking duties across multiple employees — or shouldering some of the review processes yourself — provides segregation and oversight that are essential to deterring fraud. If segregation of accounting duties was suspended during the COVID-19 lockdown and never reinstated, make sure you reinstate it immediately. A combination of job rotation and mandatory vacation has been shown to reduce fraud losses in victimized organizations by 54%, making it the most effective antifraud control.
Also consider your company’s key performance indicators. For example, fraud risks can show up in performance against sales goals or in inventory management. And review antifraud spending. Compliance training, internal controls monitoring and ongoing risk reviews should be included in your business’s budget.
The final step is to adjust your controls (and, possibly, introduce new ones) to address any fraud risks you’ve discovered. What if your small business doesn’t have the internal resources to conduct a fraud risk assessment? (Only 17% of businesses with fewer than 100 employees perform risk assessments.) In that case, engage a professional fraud expert to do the job. It’s too important a tool to leave in the box.