© March/April 2006
Association of Certified Fraud Examiners
At last, companies are listening
Fraud risk assessments
From the March/April issue of
Fraud Magazine
By Cynthia Harrington, CFE, CFA
To the great satisfaction of CFEs, more businesses are assessing their risks. The changes increase the demand for anti-fraud skills but possibly the greatest joy is now finally finding a receptive audience.
Michel Hagenaar, an executive at Kroll Inc., a risk consulting firm, tells the story of a client company's first attempts at
risk assessment. During a meeting, the client outlined the work it had previously completed. Hagenaar's team members
quickly realized that the client's accomplishments satisfied perhaps only 20 percent of what was needed. That meeting
began at noon and concluded at midnight. It wasn't until the end of the second day that the team had ironed out a
suitable risk assessment plan.
Any company's risk assessment process pleases anti-fraud professionals. The changes certainly increase the demand for
fraud detection, prevention, and deterrence skills. But for most fraud examiners, the greatest joy is just finding a
welcome audience that at long last realizes the need to assess its risk of fraud.
Watershed years
Before 2002, the only companies hot on the trail of fraud prevention were those who had been already victimized. "In the
past we'd try to sell our services on the preventive side and they'd look at us like we had two heads," says Pam Verick
Stone, director and national practice leader at Protiviti's Financial Investigations & Litigation Consulting practice in
Vienna, Va. "They thought that their systems weren't broke so why fix them."
Now big public companies are required to do a fraud assessment as part of their SOX-required risk assessment.
Widespread corporate fraud scandals as well as changes in the broader regulatory environment eased the way for more
companies to pay attention. "Corporate governance requirements, stock listing standards, the federal sentencing
guidelines and the audit standards changed in the last couple of years," says Stone. "The convergence of all of these
changed our work from a market perspective."
Accelerated filers have all completed their year one requirements, but the work isn't yet done. "Year one companies were happy
if they got done," says Hagenaar, director of forensic accounting, Sarbanes-Oxley practice at Kroll Inc., in New York, N.Y.
"Ideally they ended up with an accurate, complete description of each process. Slowly but surely we're getting to year
two when we'd like to see management participate more formally in the fraud assessment, together with process owners
(those who have direct responsibility for specific areas), and personnel from finance, accounting, and operations."
In some companies, the fear is that the focus on SOX compliance actually diverts resources from broader installation of
fraud prevention programs. "Over the last couple of years we've found that unless a company was pressured by their
external auditors they weren't putting high emphasis on anti-fraud programs," says Larry A. Rosipajla, CFE, CPA, director
of Grant Thornton's Economic Advisory Services in Irvine, Calif.
Still, the improvements include broader participation across company personnel as well as improved methods of assessing
fraud risk. "It was an initial misconception of PCAOB requirements that management put an 'F' by items in the general
risk assessment that they'd be done," says Rosipajla. "But companies need to do an analysis on a scheme and scenario
basis too."
Wrong ways and right ways
Actually, despite the various requirements to do a fraud risk assessment, no single standard exists. Parts of the
requirements show up in the accounting or audit standards and others in the updated federal sentencing guidelines.
Companies, management and consultants struggle with methods to accomplish the assessment because there's no single
standard pointing the way. "There is no single way to do it right but lots of ways to do it wrong," says Stone.
One wrong way is for the person charged with completing the task to sit in the office alone and complete the whole thing
in a vacuum, according to Rosipajla. Another common mistake is to focus on risks at either the entity or the process level
but not both. "Some companies make the mistake of identifying risks at both levels but then skip the important step of
establishing ways to measure the risks," says Stone.
Some companies make the mistake of working backward from existing controls and only then turning to fraud risk, instead of
identifying the risk first and then establishing controls to mitigate it. "Until this process was required by the 2002 rule
changes, every company did it backward," says Stone.
Companies can do fraud risk assessments in several ways but there are certain common qualities of good methods. Good
assessments include clear methods of identifying and measuring fraud vulnerabilities. Obviously, companies whose
management is allowed to talk openly about the potential for fraud are more likely to have conducted good assessments.
"We look to see that the company has provided an open forum to discuss the possibilities and has heard from middle
managers, employees, control owners, and the board," says Stone. "These groups have to provide their input for the
process to be complete as well as for them to take ownership of the process."
After analyzing transactions and company walkthroughs, Hagenaar and his team consider all the places and steps in
which misstatements or other types of fraud could occur. They sit down and discuss possibilities for fraud with process
owners and other company personnel. The final goal is a brainstorming session with employees familiar with the affected
processes. Everyone attending the session is asked to review the research and ask questions prior to the physical
meeting. "We go through step by step by step to see what might go wrong," says Hagenaar. "We ask them to forget
about what they know and look at what they don't know."
The method is time-consuming but designed to have people close to the processes think differently about what they see
every day. "No matter how well we document the processes, there are always nuances," says Hagenaar. "We ask them to
take a step back and ask what might happen if a person had access to a particular system and acted to commit a fraud."
Rosipajla's team of fraud experts within Grant Thornton shows up and participates in the initial engagement planning
stage. "We help the external auditors plan the audit work plan," he says. "We try to lighten up the 'F' word in the
corporate environment."
Best practices or simple compliance
The quality of fraud risk assessment efforts ranges from simple compliance to embracing fraud risk assessment as a tool
to support company-wide fraud risk management programs. At the top end of the scale, companies that put certain
elements in place show their commitment to best practices. "Companies that put in true programs commit to quality
whistleblower hotlines, for instance," says Rosipajla. "Those who are committed believe that if they can detect and
prosecute fraud, they create an awareness in the public that the company believes their own accounting methods."
At the other end of the spectrum, companies do the bare minimum just to comply with SOX. These companies largely
consider fraud risk only as part of the financial controls. They're often companies that are financially conservative and
don't expect to use the fraud risk assessment for any purpose other than satisfying the regulation. Many companies fall
somewhere in between the two ends. "In the middle, companies assess fraud as a precautionary measure to protect their
reputations or enterprise value."
Tone at top
Assessing the tone at the top remains a particularly challenging part of a risk assessment. "This part of the assessment
takes a lot of judgment," says Hagenaar. "Assessing risks based on management's attitudes is not a straightforward
process." Certain characteristics raise red flags. An imperial CEO who rules with an iron fist probably indicates that no one
would challenge him or her. Match that with no hotline or one that's not well administered and the risk of fraud increases.
"A horrible tone at the top means even well-designed controls can be overridden," says Hagenaar.
CFEs employ a variety of methods to judge the quality of the tone at the top. They interview management and other
company personnel. They look at the interactions and the way information flows between management and the audit
committee of the board. They assess the openness and independence of the audit committee. They scour the disclosures
to assess the way that management talks about the control environment. "After a company experiences a fraud event or
reports weaknesses, the real question is what they do about remediation," says Hagenaar. "Management also reveals
how they think if they just talk about controls at the process level."
The evaluation begins at the point of incentives, according to Hagenaar. "We first look to see if incentives exist for
management to create opportunities to defraud the company," he says. "We don't need to go through much detail at the
process level if we note that incentives aren't built into the system."
The fraud risk assessment landscape may shift again. Regulations may require all smaller public companies to comply,
and private and not-for-profit companies may seek broader protections by applying these principles. Even companies that
have already complied may find their involvement deepening as they consider fraud risks. "The key point is that fraud risk
assessment is not a one-time event," says Stone. "A company's fraud risk changes with new products and new key
managers. The assessment must be a dynamic, sustainable process built into a fraud practice and the internal audit
programs."
Cynthia Harrington, CFE, CFA, is a contributing writer for Fraud Magazine. Her e-mail address is: cynharrington@mindspring.com.
The Association of Certified Fraud Examiners assumes sole copyright of any article
published in Fraud Magazine. Fraud Magazine follows a policy of exclusive publication.
Permission of the publisher is required before an article can be copied or reproduced.
Requests for reprinting an article in any form must be e-mailed to:
FraudMagazine@ACFE.com.