Attribute 3: Fraud Risk Assessment

The Need to Assess Fraud Risk

Management must decide how it wishes to manage the risks it faces. To do so effectively it must possess relevant information. Fraud risk assessment reviews establish the agency's risk profile and provide management with the information required to deal with fraud in a cost effective manner.

A specific exercise to gauge fraud risks had been undertaken in only 43% of agencies surveyed. Many managements are therefore working from a limited base of knowledge in attempting to address the issue of fraud.

Management must have up to date information concerning the risk of fraud.

Fraud Risk Assessment as a Management Practice

Fraud risk assessment is often regarded as an activity of the audit function. It is quite true that risk analysis and system/control reviews form a key part of the audit process for both internal and external auditors. Hence audit involvement with fraud risk assessments may be most valuable.

However, fraud risk assessment is an important management tool in the prevention and detection of fraud. Its relevance as a management practice has in fact grown in importance in view of such factors as:

• ongoing changes to the Corporations Law to make directors more responsible for the operations of the organisations they preside over. This principle applies to both the public and private sectors.
• trends for the devolution of responsibility and greater flexibility in decision making processes. In some cases this has given significant authority and discretion to employees who have not previously held such responsibility.
• a range of other management reforms which are contributing towards an environment involving potentially greater fraud risks. For example:
  • cost-cutting measures
  • drives for efficiency and productivity improvements
  • contracting out and out-sourcing
  • the exponential impact of technology
  • general trends towards workforce rationalisation
  • the acceptance of larger risk management parameters.

More than ever managements need to implement procedures to control fraud risk. Fraud risk assessment is a vital element of this. It is a management issue.

Both long term and annual internal audit plans were in place within the agency. External audit was also operative. However, a large fraud occurred. The chief executive had assumed that the auditors would have addressed all relevant risks and focused effort accordingly. It had not been understood that audit methodologies were designed for different purposes. Fraud risk was one of the factors employed in the audit assessment models. However, its relative weighting did not give the same specific focus which a dedicated fraud risk assessment would have done.

Management is responsible for ensuring that a current picture is maintained of the agency's fraud risk profile and hence that fraud countermeasures keep pace with this situation. As such periodic reviews of fraud risk will be required.

Except where an agency faces regular or very substantial change it would usually be expected that the initial review will involve the most effort. Subsequent reviews should report on the status of corrective action that has occurred since the last review. They may be able to limit the scope of their substantive analysis to a general review of the previous analysis and then to focus primarily on any new risks which may have developed and any new functions or units of the agency.

It is suggested that a fraud risk assessment review should be undertaken every three to five years. Sooner if the agency faces major changes in its environment.

The Conduct of Fraud Risk Assessments

Risk assessment may be undertaken in a number of ways, using a number of different approaches. However, it is imperative that the methodology employed meets a minimum standard of examining:

• both internal and external fraud risks (i.e. both employee and customer fraud).
• the potential for collusion from the dual perspectives of employee-employee and customer-employee (or vice versa as the case may be).

In some situations it may be quite appropriate for the assessment to be conducted in-house in a fairly simple fashion. For example, assessments could be carried out by management in conjunction with suitably qualified officers from the agency's fraud control, internal audit, internal review or financial units. Alternatively there are a wide range of firms providing consultancy services in this area.

There are numerous detailed references and sources of information on the conduct of fraud risk assessments. Indeed a profession has developed around this issue with a considerable body of expertise and literature behind it. It is neither possible nor appropriate for this Guide to specify which forms of review are the best. There are too many variables. Each agency must consider what is required, what it can do itself, what external support is available and what would ultimately be appropriate and represent good value-for-money.

The specific steps and detailed work involved in undertaking a fraud risk assessment will vary depending upon the particular approach or assessment methodology employed by the agency. However, it would normally be expected that the exercise would involve major elements or phases similar to the following:

• identifying the major functional areas of the agency.
• assessing and ranking the nature and extent of fraud vulnerability of each area.
• identifying the particular forms of fraud threat to each area.
• assessing the probability of occurrence of identified threats.

The basic goal is to define and describe the agency's fraud risk profile and to develop an analysis of risks against controls. Management is then able to determine what fraud countermeasures may be required and where. A brief outline of the process follows. Please note that this is a very simplistic description for overview purposes only.

• identify the major functional areas of the agency
  

This involves identifying the agency's major activity areas in terms of:

• product and service outputs and deliverables
• operational areas and locations
• revenue generation
• revenue collection
• expenditure
• supplies and inputs
• asset utilisation, acquisition and disposition
• customer/client records and support.
  

• assess and rank the nature and extent of fraud vulnerability
  

In the first instance, risk assessment criteria and an approach to rating risk have to be adopted. This will flow from the specific methodology adopted by the agency.

A rating has to be given to each of the areas identified in the previous step in terms of its potential vulnerability to both internal and external fraud. For example, areas of high liquidity or of a complex nature may rate highly. All areas should be ranked by their vulnerability factor and listed from the highest down to the lowest.

The design of the analysis framework and the form in which data is to be collected and stored are important matters to be determined prior to the study being commenced. As an illustration, some of the common criteria/factors used to make judgements about vulnerability (sometimes called "exposure" in the jargon) include:

• materiality
• the potential for fraud to flow into other areas
• stability of the industry
• economic indicators
• fraud history for the activity or function
• the last time the activity/function was reviewed
• concerns of management
• status of insurance premiums
• the nature of the industry
• staff attitudes and values
• management attitudes and values
• quality of management
• reputation of the company/industry
• internal control history for the area
• pace and extent of recent growth or change for the area
• future directions
• forward budgets
• management stability
• extent of effective reporting mechanisms
• internal and external audit risk assessment ratings for the area
• degree of operational complexity
• overall size, scope and value of activities
• impact of technology.
  

• identify the particular forms of fraud threat

A further layer/dimension can now be added to the vulnerability (or exposure) analysis to begin building up the agency's fraud risk profile in more sophisticated terms. Each area can be assessed in terms of particular forms of threats, such as:

• theft
• misappropriation of funds (expenditure or revenue) or assets
• fraudulent administration of contracts
• falsification of source records for improper advantage.

There are a great many possible forms of fraud. A selection of some of the most commonly encountered examples of fraudulent practices is provided at Appendix 2. Please note that there is no intention for such a listing to be regarded as complete or exhaustive, or to serve as a compulsory checklist in any way.

The agency should now have developed what is sometimes referred to as an "exposure profile"; meaning a rating of the areas in which it may face fraud threats and the types of threats it may face.

However, threats alone are too raw to be used for fraud control purposes. It is not cost effective to attempt to cover every possible threat situation. The likely occurrence of potential fraud must be assessed.

• assess the probability of occurrence of identified threats
  

Functional areas should be assigned a high, medium or low risk of occurrence for the fraud threats previously identified. This is sometimes described as converting threats/exposures into defined risks. An analysis of threats against compensating factors (such as internal controls) is a key part of this task.

The more extensive and effective the agency's system of internal control the more difficult it is for fraud to be perpetrated in the first place and to subsequently go undetected. This phase of the risk assessment seeks to determine the extent to which existing internal control practices of the agency are sufficient to counter the fraud threats which have been identified.

Regardless of whether the risk assessment methodology used represented something fairly simple or a highly complex technical study some form of risk analysis table, chart or matrix will need to be developed to effectively display the results of the exercise to management. This is sometimes referred to as a "fraud limitation matrix".

The matrix serves to summarise the results of perhaps extensive research and evaluation of internal controls against potential fraud risks for particular functional areas. It acts as a quick reference guide to the fraud risk an agency may be facing. Matrices may be required at various levels of the assessment. That is, working up from the micro level (an individual system or topic level within each particular functional area) through various stages of consolidation (by each functional area, by organisational region or division) to the macro level.

There are many ways to set up such a matrix or series of matrices. If a well established or proprietary risk assessment methodology is being used the form of such documentation will generally be specified as part of the method.

All of the work thus far in the risk assessment exercise has been to provide a specific base of information concerning fraud risks. This is often referred to as the agency's fraud risk profile. However, the profile is not in any way an end in itself. It is merely a means. Now that a proper base of well organised information exists management is in a position to make properly informed judgements and decisions.

Risk assessment is not an end in itself. It facilitates informed decisions about specific actions necessary to address the agency's key fraud risks.

Implementing the Fraud Risk Assessment

Having completed the fraud risk assessment exercise the agency must now determine specifically what to do. It must consider what additions or modifications to the agency's operational practices, procedures, systems or controls may be required to deal with the fraud risks it faces.

There are two basic questions to be addressed. Firstly, is ANY action required? Secondly, if so, WHAT action should be taken? Depending on the level of detail in the fraud risk assessment specific decisions may not be able to be made immediately. Further detailed studies in specific areas may be necessary. However, management should now at least be able to identify and target such areas.

In making final decisions on specific actions to take as a result of the risk assessment one of the principal factors to be considered will be the relative effectiveness and costs of different options. Management must have information concerning what the alternatives are and their relative cost-benefit before informed decision making can begin.

A system is required to monitor and follow up the implementation of specific actions determined by management. A detailed timetable should be established for each item requiring action.

The full history of the fraud risk assessment exercise should be properly recorded. This can be of great assistance to future revisions and updates of the agency's fraud control strategy. It also provides an important accountability device.

The Limitations of Fraud Risk Assessment

Some fraud risk assessment methodologies tend to be systems and control oriented in their approach. As such fraud countermeasures to be considered in implementing the risk assessment may also tend to be control-based in their nature. For example the introduction of additional rules or internal controls; improving administrative systems; tightening security arrangements for computer systems; improving or increasing checking, inspection and auditing practices; and so on.

This is why risk assessment is only one of the attributes of fraud control within the model proposed by this Guide. Agencies which rely on a risk assessment exercise alone to determine their response to fraud control may find their strategy falling short of the standard they would wish. A wide range of other non-systems oriented actions will also need to be implemented before any agency can regard its approach to fraud control as comprehensive.

Agencies should not rely solely upon a fraud risk assessment exercise in developing their fraud control strategy.

Information Analysis (fraud database)

For strategic information purposes agencies should establish a fraud database.

The primary concern of such a database is with strategic information. The database is a tool that can have many uses in the prevention and detection of fraud and the management of the agency's fraud control strategy. It can be of particular value to the chief executive; the fraud control committee; the fraud prevention manager; and internal audit.

The compilation of fraud reports and statistics stored on the database can be used to:

• assess the level of risk being faced.
• assess the adequacy of resources applied to addressing
• the problem of fraud.
• review incidents of fraud to identify patterns which could indicate system weaknesses which should be addressed.
• ascertain and advise promptly whether a particular allegation had been addressed and follow-up the outcome of particular allegations.
  

The results of a recent fraud investigation were entered into the agency's fraud database. Ongoing analysis of the database and associated follow-up by the Fraud Prevention Manager uncovered an identical fraud in another region within the agency.

It is suggested that the database would be of maximum strategic value if both actual and suspected or alleged fraud situations were included and if at least the following details were recorded in respect of each fraud situation:

• unique identifying reference number (linking to relevant physical records).
• status (i.e. closed, still active (and if so at what stage).
• relevant date, dates or period during which the fraud occurred.
• estimate of the financial value of the fraud, and of the overall significance or impact of the fraud on the agency's operations or performance.
• physical/geographic location of the fraud.
• nature/focus of the fraud.
• outline of the means of perpetrating the fraud (i.e. practices involved).
• investigation action taken (if any).
• results of investigation (if undertaken).
• disciplinary action, restitution and/or prosecution action effected (if any).
• estimated costs to investigate and resolve to conclusion.
• actions taken to prevent recurrence (if any).
  

In physical terms the database can take one of several possible forms. It can be computerised, or comprise various manual records organised and summarised in a variety of ways. Depending on circumstances, needs and resources something as simple as a manual register may suffice depending on organisational complexity and the level of fraud activity or risks.