Fraud Auditing, Detection, and Prevention Blog

A Different Way to Think About Fraud Risk Management

May 23, 2022 8:24:28 AM / by Leonard W. Vona

On which day of the year are online dates most vulnerable to fraud schemes?

Valentine’s Day -- the heart wants what the heart wants! Does this make us vulnerable?

In the USA alone, romance swindles cost how many millions of dollars in one year?

Romance frauds resulted in losses of over $300 million in the US in 2021.

How does the sophistication of fraud concealment apply to online dating fraud?

The romance scammer uses techniques to make you believe that their love for you is real. Fraudsters also use techniques to make fraudulent transactions look real!

So, why are these important questions for the auditing profession?

Your fraud risk management system is designed to keep fraud from occurring in your organization. Fraudsters know when to strike, where you are vulnerable, and how to create the illusion that the activity conforms with your internal controls. While online dating fraud may seem different than an asset misappropriation scheme, is it really?

Just a Different Way of Thinking About Fraud Risk Management

In my most recent blogs, we have discussed the IIA competency framework. This month I was inspired by a Sixty-Minute segment, in which someone cited a quote from Donald Rumsfeld:

“We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.”

You may or may not have heard me discuss the concept of the fraud universe. It is a methodology to identify and manage all the fraud risks facing an organization. It is the cornerstone of every fraud risk management system. So, here is the million-dollar question: is your fraud risk management team discussing the concept of the unknown unknowns, or are you simply content discussing and managing the known fraud risks?

In my opinion, the mega losses are from fraud risks that organizations never thought about. Most likely, these losses are perpetrated by the best of the best or, simply stated, organized crime groups that target the vulnerabilities of our known internal control systems. However, we must also consider senior management, internal employees, external parties, and everyone else motivated to attack our internal controls.

What is Fraud Risk Management?

Fraud risk management, simply put, is the process of assessing fraud risks within your organization and then developing an anti-fraud program that stops any fraudulent activity before it happens. (Source: Mitek Systems) Most papers on fraud management discuss a framework for fraud risk management, highlighting the different components.

My goal in this blog is not to suggest a new framework but rather a unique way of thinking about fraud risk mitigation. Remember the phrase “knowledge is power”. FYI, it is often attributed to Francis Bacon, from his Meditationes Sacrae (1597).

If we educate our employees about fraud risk, they should be better at identifying suspicious transactions. If the fraud trivia on money laundering is correct, we really need to ask ourselves whether our current approach is effective or just compliant. There’s an important distinction there. You can be completely compliant and entirely ineffective. So, let’s think out of the box and add a few innovative ideas on how to better manage the fraud risk facing our organization.

Think Tank Approach

A think tank, or policy institute, is a research institute that performs research and advocacy concerning topics such as social policy, political strategy, economics, military, technology, and culture. Think tanks publish articles, studies, or even draft legislation on matters of policy or society. (Source: Wiki)

Whether the think tank is a professional organization, industry trade group, or management team within an organization, it is time we started discussing how and where perpetrators will next attack our organization.

Within your company, build a team drawn from multiple lines of business, departments, occupations, and experiences. Have this team write a position paper on how and where your organization is vulnerable to the unknown unknowns. The goal is not to say you have weak internal controls, but to better understand where and how someone will attempt to violate your system of defense.

Fraud Risk Statement Approach

In the fraud risk statement approach, we focus on “where” the fraudsters will attack your organization. Using the fraud risk statement methodology, we can identify all the permutations of fraud risk statements.

We must ask ourselves: can we manage what we do not know? Clearly, the answer is no! Right now, what we do is respond to the event, in an after-the-fact manner. At this point, your organization has suffered losses.

The fraud risk statement is a logic-based approach to identifying all the unknown unknowns. Remember, fraud risk statements are the “what”, not the “how”. But what is a logical starting point?

Vulnerability Approach

Fraud risk management focuses on known fraud risks and internal controls that are designed to keep the fraud from occurring. These controls are widely known to fraudsters.

In the vulnerability approach, we should focus on “how” the fraudsters will violate our defense system of internal controls. This is not saying our controls are weak; rather, it is about gaining an understanding of “how” someone can defeat or circumvent our internal controls. I guess you could say this is thinking like a thief, but I believe it’s more of a structured approach built around internal control vulnerability rather than opportunity.

Concealment Approach

In the concealment approach, we focus on the methods that perpetrators use to create the illusion that the transaction or event looks like a legitimate transaction.

By better understanding what a fraudulent transaction looks like, we have a better ability to identify one. In my last blog, I mentioned that 95% of system-generated alerts against money laundering resulted in false positives. But could it be that the transaction actually is a money-laundering transaction, but the perpetrator was more sophisticated than the person making the judgment?

Knowledge is Power!

Traditional fraud risk management is based on the concept of “identify and mitigate”. I am suggesting that we enhance the model with these slogans: “understand; know; see and predict,” which will lead us to better fraud risk management. Information sharing is so important in battling fraud.

Fraud Trivia

What are the 10 most common sources of food fraud? Hint: Identify the food item.

Why is this important to the audit profession?

The answers will be revealed in the next blog.


Topics: Fraud Auditing, Concealment Strategies, Fraud Detection

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.