When talking about fraud risk assessment, we remember that regulatory compliance today is an important part of business, not only in terms of penalties imposed on organizations in case of non-compliance, but also in terms of offering security to customers, investors and others. stakeholders, creating uniformity in the market. This is how the term came about compliance, the need to discipline compliance with standards within an organization to evolve in an ethical and responsible manner.
Aiming to ensure that companies comply with standards and laws, over the years, the compliance created major pillars of support, seeking to adopt a preventive stance against illegal acts and consequently, including in the companies' values: transparency, integrity and ethics. We can cite as an example the continuous monitoring of organizational operations, which helps to mitigate risks and develop improvement solutions for company activities.
Communication and the definition of standards of conduct have become critical success factors for compliance and risk prevention programs. According to experts in compliance, simply defining a code of conduct is not enough. It is also necessary to carry out frequent presentations and remind those involved of the content that the code establishes. It therefore becomes extremely valuable to search for innovative ways of raising people's awareness regarding the expected form of conduct, as well as demanding and monitoring compliance with the code in the internal and external spheres of organizations.
Taking into account that to train conscientious employees, companies rely on frequent training, it is worth highlighting the importance of collecting information from all departments of the company before creating the code of conduct, in addition to the commitment of management and acceptance of the standards. The creation of reporting channels and risk management areas are also listed in most expert recommendations. A good policy is not enough compliance, if it is little recognized by senior management and is not kept alive through effective internal actions.
Given the current situation our country is experiencing, it is essential for companies to ensure that the rules of compliance established with partners are fulfilled. Not only aiming at the main objective, which is to combat corruption, fraud and conflict of interests, but also to guarantee greater integrity and credibility to contractual relationships, including demonstrating to the market the company's concern for valuing ethics and compliance.
Adopt a system or procedure for compliance goes far beyond the protection of the Anti-Corruption Law. It also brings benefits to companies that do not need special licenses from public authorities or do not intend to participate in tenders, being useful for the effective management of an organization.
Aspects about fraud detection
Different fraud schemes can have a significant impact on a company's financial operation, cash flow and public reputation. Most fraudsters do not start their illegal ventures with the intention of getting caught. They are generally fully aware of the consequences of their actions and the risks they are placing on their careers, reputations and, in some cases, freedom. However, given the circumstances, the perceived rewards of financial gain and status outweigh the risks of getting caught.
Studies show that there is a paradigm known as the fraud triangle. The paradigm consists of three key elements that are generally present for a fraudster to commit their illicit act – opportunity, pressure and rationalization. Typically in occupation fraud schemes, the perpetrator has the pressure and opportunity to commit the fraud, all they hope for is a reason to get them to act. The reasons can be based on many factors – need for additional income, financial hardship, pursuit status, addiction (drugs or gambling), or some other form of rationalization and validation that they are doing the wrong thing for the right reasons.
From a detection perspective, the 'why' and 'when' are often less important than the 'how'. Of course, discovering fraud can be a very difficult process, as initially the perpetrator is the only one aware that fraud has occurred and generally has no intention of turning himself in. Therefore, from the outside, it is not only necessary to discover that there is fraud, but also how it is occurring and who is responsible for it. While organizations may be vigilant in trying to prevent or detect fraud in its earlier stages, attackers often manipulate information aggressively and use various techniques to cover their trail.
So the question becomes: “How is occupational fraud discovered and how can it be prevented”? And the answer isn't exactly what most people would expect or want to hear.
Contrary to popular belief, most occupational fraud schemes are not detected as a result of work performed by internal or external auditors. Instead, they are usually discovered through tips. Typically, these tips come from other employees within the organization, but it is not uncommon for people outside the organization, such as customers, suppliers, shareholders, and even the organization's own competitors, to leave a helpful tip.
One of the main problems for those who report a suspected occurrence of occupational fraud is who should also report it when they suspect and/or discover the fraud. The answer is – it depends. Most people tend to communicate information to their direct supervisor because they are often the first resource they turn to when they have a problem. However, depending on the department in which the fraud is discovered, the organizational level of the employee committing the fraud, and several other variables involved in the fraudulent activity, it may be inappropriate to convey the information to your direct supervisor.
As with any other aspect of business, there are risks and occupational fraud is no different. Therefore, from an organizational perspective, the question becomes: How much risk is your organization willing to take and what can you do to minimize that risk?
The main consideration in assessing fraud risk is that the longer occupational fraud continues undiscovered, the greater the risk and size of a financial loss. It is important to know how occupational fraud is detected and reported as it helps design and strengthen an organization's anti-fraud controls. It is also useful to design, review, and update organizational policies and procedures related to detecting occupational fraud within an organization. Organizations that are proactive can reduce the risk of occupational fraud and the resulting financial loss. Additionally, they may be able to stop and detect fraud schemes more quickly than organizations that are reactive to adapt their controls, policies and procedures to the ever-changing business world.
When to conduct a fraud risk assessment
There are several reasons why a company may choose to carry out a fraud risk assessment. Here are some reasons why your business or nonprofit organization would hire an experienced forensic accountant to perform a fraud risk assessment:
Establish a fraud monitoring program
An assessment can be an effective first step in the design and implementation of any fraud risk management program, such as oversight of integrity monitoring. For example, a fraud risk assessment will identify areas of inherent risk, assess the likelihood that a particular fraud scheme could be carried out, and identify improvements to internal controls.
Establish an ethical culture
A fraud risk assessment can be used to establish a company-wide culture that promotes best practices in fraud prevention and detection. For example, a fraud risk assessment can create an environment for employees to speak with management and co-workers about detecting potential wrongdoing without the threat of punishment or repercussions. It can also promote better communication channels and workflow among employees.
Identify areas for further investigation
When investigating suspected fraud, a fraud risk assessment of the areas or departments affected by the fraud can be used to identify fraud schemes that are most likely to be carried out in those areas or departments of the company. An experienced forensic accountant can tailor the scope of the investigation based on previously identified fraud schemes and the current control environment in the relevant areas or departments.
Proactive approaches to fraud prevention
Fraud prevention is a heavily researched topic, and for good reason. Business owners want to keep their organizations safe and secure. They want to be able to trust their employees. They don't just want to react to fraud, they want to be proactive and prevent it.
When talking about fraud, there always needs to be a disclaimer that there is no 100% fraud prevention method out there. If you have an employee determined to steal from your company, he will probably find a way to do it eventually. But you can make it harder to commit fraud (or another crime) and certainly make it easier to detect and respond to an incident.
So while there may not be a way to completely prevent fraud, there are ways your organization can be proactive and minimize your risk. Below are four recommended ways to help prevent or deter fraud:
1. Perform an internal audit and/or internal control assessment
An internal control assessment happens when third parties evaluate your organization's risk areas. Once these primary areas are identified, they walk through the gaps in your internal controls, provide examples of how someone could exploit these specific gaps, and then create a resolution program to fill these gaps.
Third parties also assist in implementing additional controls and perform regular testing to help ensure controls are adhered to. You may be surprised to discover the seemingly minor risks employees take without realizing the potential consequences.
We often see blank checks on top of files, inventory that has not been locked or access to financial systems has not been secured. Payroll is another big area of risk, especially in small organizations. If the payroll clerk pays payroll for everyone, including himself, he will be able to manipulate his own salary.
Applying segregation of duties, significant management review, or even access controls on bank websites is suggested, as internal controls can provide the necessary oversight to help prevent misappropriation.
2. Use data analysis tools
One of the quickest ways to see if something is happening in your organization is to use data analytics. TATICCA uses tools to examine an entire population of transactions for its clients. It also uses information created by the organization in the normal course of business, which is more effective than sample testing because it uses 100% of the data, even in large environments.
Data can come from different systems or be in different formats and can be analyzed to help identify errors and process failures as well as fraud. For example, if you want to investigate whether any of your employees have registered as suppliers and paid for services not performed, the tools can obtain a list of employee names, addresses and reconcile them with your list of suppliers. Or if you want to see if any of your salespeople are pushing sales at the end of the month to meet sales goals, the TATICCA You can use tools to examine the complete sales ledger and identify the date and seller of any potentially suspicious transactions to guide further investigation.
3. Perform insurance reviews
A great way to be proactive is to ensure you have adequate insurance coverage. We often see that organizations have an insurance policy, but when it comes to renewal, they don't closely examine whether it still meets their needs.
If you experience fraud or other business-interruption-level disasters, your insurance carrier may be able to reimburse you for income lost while you are down. However, if your business has grown significantly since the first time you purchased your insurance policy, you may not receive what you deserve. Your loss will be measured based on the policy coverage limit currently in effect. If this limit isn't high enough to cover your current sales volume, your payment may be lower than it should be. Additionally, in the event that fraud occurs within your organization, there is insurance coverage, such as employee theft coverage, that can help you recover some or all of what was taken.
However, the limits of these policies also need to be reviewed because once the policy limits are reached, there is a low probability that you will be able to recover additional funds from the fraudster. Without reviewing your coverage in advance and analyzing the worst-case scenarios you may face, you could find yourself undervalued when disaster strikes.
Don't forget that extra expenses may occur due to losses, which may or may not be reimbursed. If your place of business burned down, would you need to obtain temporary space and start paying a second rent payment? Will you continue paying your employees so that you still have them when you reopen? These are the types of considerations to look at when deciding whether you need extra coverage.
4. Perform contract compliance audits
Are your suppliers adhering to the terms of your contract? A contract compliance audit may be discovered if suppliers are not charging at or above agreed rates.
A TATICCA Allinial Global Brazil frequently reviews payment applications and supplier invoices to determine contract compliance. Contract compliance is especially a concern for companies with million-dollar contracts in place.
While these companies may or may not have the time or manpower to audit contract compliance, they certainly want to ensure they are paying/receiving what they should, according to what they signed. We have an experienced, multidisciplinary team that can verify compliance with your contract.
Please contact TATICCA Allinial Global Brazil, which operates with integrated audit, internal audit, accounting, taxes, corporate finance, financial advisory, risk advisory, technology, business consultancy and training services, for more information, at www.taticca.com.br or email taticca @taticca.com.br and find out more. Our company has certified methodologies for carrying out activities.