Fraud risk assessment is alleged to be an essential part of protecting a company, but is it just an academic exercise?
Recent Posts
Please be advised, I will not be providing a job description of a Fraud Auditor. Rather, the thought process that is necessary to find the right person, with the right skill set.
I know this is a good technical question, but I do not know if there is a good technical answer. With that said, my suggestion to the CAE’s of the world would be to look for someone with the “Passion for the subject knowledge of fraud risk.” The passion would be for both the science of fraud risk and the passion for the practical application of fraud auditing. I say this because, with any new profession, the person must have the passion to create, build, and polish the fraud audit approach. I am sure that this person will get pushback from the traditional auditor. I know I have.
Words have power, but words can also create confusion.
One of my personal complaints about the professional literature regarding terms used to describe fraud risk. We use so many terms interchangeably that I believe it creates confusion. Let’s try to cut through that confusion by implementing better definitions.
For instance, what is the difference between a fraud scheme, a fraud scenario, a fraud risk statement and a fraud risk?
And, is the phrase “fraud scheme” the correct phrase for our profession? I raise this question because the new standards use the phrase “fraud scheme”.
Before I start, let me explain that in this blog I will not provide any answers to the phrase “Deeper Understanding of Fraud Schemes.” Rather, I will only raise questions regarding the phrase. To be honest, If I was a CAE, I am not sure what the profession wants me to do.
With that said, I praise the profession in recognizing the importance of gaining a deeper understanding of fraud schemes facing our companies. Maybe, I am talking out of both sides of my mouth. Remember, my blogs are designed to make you think.
So, think about this: Fraud is not predictable as to when it will occur but is fairly straight forward as to how it will occur.
Many years ago, the IT auditor was created. In fact, I was an IT auditor in 1979. For the last 40 years, however, I have been a fraud auditor. Unfortunately, unlike IT, the profession does not recognize the title of fraud auditor.
In my opinion, it is time for the title of Fraud Auditor to be created and recognized by the profession. Auditors are not born with fraud risk or fraud audit knowledge or fraud skills. I suspect that college courses are not designed to provide this knowledge. If the profession is serious about a “more proactive approach to fraud detection” it is time to recognize that this will require auditors to develop and gain a new set of skills. I recommend that every audit department invests in human fraud risk intelligence.
Current audit standards call for us to use a mitigation standard when it comes to audits This means that unless you want to be an outlaw, your assessment will end with mitigate. However, the question I want you to ask yourself is, right now do we have enough information to properly assess the mitigate question?
Let me introduce a new model for assessing fraud risk mitigation. Before you read my blog, remember sarcasm is good, if it makes you think. Remember our theme, to look behind the curtain. The curtain is the current professional audit standards.
We're continuing with my thought process of looking behind curtains in fraud risk, but with a slight change. This time, we're looking behind a new curtain.
This month I will present at a conference a new approach to fraud risk assessment. It is the cumulation of my 40 years of experience in building the fraud audit model.
Businesses face a growing threat of account take over attacks as fraudsters become more sophisticated and take advantage of advances in technology. This week, we're pulling back the curtain to take a closer look at them and how to add this to your fraud protection strategy.
Fraud Trivia: Phishing
Phishing is a prevalent type of social engineering that aims to steal data from the message receiver. Typically, this data includes personal information, usernames and passwords, and/or financial information. Phishing is consistently named as one of the top 5 types of cybersecurity attacks.
