Before we start on this journey, I need to explain the premise of my blog. I want to explore whether there is business value in an organization incurring the cost of preparing a comprehensive fraud risk assessment.
To start our journey, I decided to research and read the various publications on fraud risk assessment and the broader topic of fraud risk management. I also reviewed the various professional standards regarding fraud risk assessment. As part of my continuing education I think it is important to reflect on what you think you know and to learn what everybody else knows. So, today I am reflecting on the value of preparing a comprehensive fraud risk assessment. FYI, as we get older, we do seem to reflect more!
As you may be aware, the 8th principle in the COSO framework states: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Also of note, the very first report on fraud risk management states: “the organization performs a comprehensive fraud risk assessment to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.”
So, it seems that everyone is saying companies should prepare a comprehensive fraud risk assessment. But wait!
In my research, I found the stated benefits of preparing a fraud risk assessment, a lot of people willing to help me prepare one, statistics on how much fraud costs an organization, guidance on how to detect fraud, etc. However, I could not find one statistic to give me guidance on the cost of preparing a comprehensive fraud risk assessment. I think this is a problem. A basic premise of internal control is the cost-benefit principle. Right?
“Cost-benefit principle dictates that the costs of internal controls must not exceed their benefits. The bottom line is that managers must establish internal control policies and procedures with a net benefit to the company.” Source: Quizlet.
If there are no studies, no reports, and no statistics on the cost of preparing a fraud risk assessment, then how does my profession know that preparing a fraud risk assessment is cost effective? Is it possible that the cost of preparing and maintaining a comprehensive fraud risk management program actually exceeds the cost of fraud? To be clear, this is a question not a statement.
Continuing our journey, what is the business value of preparing a comprehensive fraud risk assessment?
To continue my research journey, I looked to alternative sources for the answer to my value question.
We can consider The Federal Sentencing Guidelines, a set of standards that govern the sentences federal judges impose on organizations convicted of federal crimes. These guidelines are designed to further two key purposes of sentencing: “just punishment” and “deterrence.”
Under the “just punishment” model, the punishment corresponds to the degree of blameworthiness of the offender, while under the “deterrence” model, incentives are offered for organizations to detect and prevent crime. Source: An Overview of the Organizational Guidelines.
Basically, the federal government recognizes that fraud risk management is something that good companies do.
The guidelines state, “Organizations, like individuals, can be found guilty of criminal conduct, and the measure of their punishment for felonies and Class A misdemeanors is governed by Chapter Eight of the sentencing guidelines. While organizations cannot be imprisoned, they can be fined, sentenced to probation for up to five years, ordered to make restitution and issue public notices of conviction to their victim and exposed to applicable forfeiture statutes.”
Most literature discusses the value of fraud prevention and detection controls. However, I would suggest that fraud deterrence controls are an integral component of an organization's anti-fraud program. The tone at the top is viewed by many anti-fraud professionals as the key to having an effective anti-fraud program.
An effective compliance program is one of the keys for determining mitigation under the sentencing guidelines. Compliance programs have seven key criteria. A risk assessment is one of them.
While I am not an attorney, nor am I providing legal advice, it seems pretty clear that a fraud risk assessment program is one component of the compliance program.
I also looked at other guidelines: Dept. of Justice Opinion Release 04-02; UK Bribery Act: Guidance on Internal Controls; and OECD: Good Practice Guidance on Internal Controls, Ethics and Compliance. Each of these guidelines discusses the importance of a fraud risk assessment. Each standard indicates that an organization should have an effective compliance program, which includes a comprehensive fraud risk assessment.
It seems to me that the answer to my value question is aesthetic, which means concerning or characterized by an appreciation of beauty or good taste. So, is a comprehensive fraud risk assessment a fundamental part of being a good steward of organizational assets? Or simply good taste?
So, what is a good steward?
Boards, as stewards, should ensure the careful and responsible protection and management of the assets, the reputation, and the long-term functioning of the organization. Source: Governance Guiding Principles
A blog written by the law firm Kessler Topaz states: “Stewardship policies are generally seen as beneficial because they: Promote greater overall transparency and accountability. Foster a culture of responsibility. Increase long-term profitability, which is attractive to both investors and the public.”
Great boards “create a climate of trust and candor,” Jeffrey A. Sonnenfeld writes in a Harvard Business Review blog titled What Makes Great Boards Great. In reality, a fraud risk assessment is not about achieving a low residual risk rating but rather an honest assessment of where intentional problems can occur, open dialogue about how to manage fraud risk, and not keeping secrets in the closet. Remember last month’s blog about damaging secrets?
Aah! The business value in preparing an organization-wide fraud risk assessment is…
Value is an interesting word that can be measured in many ways. My accountant friends would focus on cost benefit. My auditor friends would focus on residual risk. Marketing might look at the increased likelihood a customer would choose your product or service or what makes you different from competitors. So, what would my good corporate citizens say?
“A good corporate citizen is one that demonstrates its good faith and genuine value to all stakeholders by acting transparently,” says Dirk Olin, Editor-in-Chief of CR Magazine. “There is always, and must be, a place for confidentiality and proprietary trade information. But a presumption of openness shows all those affected by corporate behavior, whether internally or externally, that the company in question has, in aggregate at least, nothing to hide.”
So finally, the answer to my question: A comprehensive fraud risk assessment is a critical tool to help organizations be transparent about their risks and exposures. It is not about the money but rather about being a good corporate citizen. Board members, officers and all employees have an obligation to be good corporate citizens. It is simply a matter of good taste. That, my friends, is the value!