Fraud Auditing, Detection, and Prevention Blog

Is Fraud Auditing About Mitigating or Managing Risk?

Jan 18, 2025 8:27:17 AM / by Leonard W. Vona

Current audit standards call for us to use a mitigation standard when it comes to audits. This means that, unless you want to be an outlaw, your assessment will end with "mitigate." However, the question I want you to ask yourself is: right now, do we have enough information to properly assess the mitigate question?

This blog continues our discussion on fraud risk assessment. Let’s talk about the end result.

I recently searched on “new IIA standards and fraud responsibilities summary” and here is what the AI provided:

The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution; this aligns with the broader responsibility of the internal audit function to support strategic objectives and contribute to the organization's overall success beyond just financial controls.

I want to take a closer look at what this means for our profession. This month, we will discuss the concept of “mitigating fraud risk”. In February we will discuss the concept of taking a more “proactive approach” to fraud detection. In March, we will delve into a “deeper understanding of potential fraud schemes”, and in April we’ll look at the term “Fraud Risk.” Finally, in May, we’ll consider what is the Fraud Auditor.

What is Risk Mitigation?

In order to understand what we’re expected to accomplish, we need to have an understanding of the objective. Let’s start with defining risk mitigation. When I searched “risk mitigation”, I found these definitions in an article published by IBM, published May 27, 2024.

Risk mitigation is one of the key steps in the risk management process. It refers to the strategy of planning and developing options to reduce threats to project objectives often faced by a business or organization.

Risk mitigation is a culmination of the techniques and strategies that are used to minimize risk levels and pare them down to tolerable levels. By taking steps to negate threats and disasters, an organization is going to be in a strong position to eliminate and limit setbacks.

But we’re talking about something more specific. So, I changed my search to “fraud risk mitigation”. This is what I found through Google AI.

Fraud mitigation is just another way to say fraud prevention; it's the steps that your company can take to deter fraudsters and reduce the effects of any fraud attempts. It goes hand in hand with detecting fraud. Fraud mitigation is important because it helps to create an actionable strategy against fraud.

So, what does all this word spaghetti mean? More importantly, do these concepts work in the real world or just in the textbooks? Based on what I’ve seen in practice, I have concerns about the process that I have seen in organizations, articles, and guides issued by the multitude of organizations.

Challenging Your Thought Process Around Fraud Risk Mitigation

In my opinion, the risk assessment process commonly described does not mirror the reality of how fraud risk statements occur in the real world. If I am right, then we must ask ourselves, are most fraud risk assessments merely an academic exercise to meet the standards or is the process truly effective? With that question, let me challenge your thought process regarding fraud risk assessment as you know it.

1. How individuals commit the frauds described in fraud risk statements is ever-changing. How fraud is committed is not static. How many of you worried about AI 10 years ago?

2. Fraud risk statements assume that all perpetrators have the same skill level at committing and concealing the scheme. However, there is a huge difference between a first-time offender and an organized crime group attacking your business systems. Just look at the unemployment fraud that occurred during Covid.

3. I have been told this countless times: Chief auditors do not want too many fraud risk statements in their corporate fraud risk statement documents. This effectively dumbs down the thought process.

4. Fraud risk assessments tend to be limited to the big three: asset misappropriation, corruption and financial reporting. Is this limiting? Fraud risk is much greater than the big three, which is why I have discussed the concept of the fraud risk universe.

5. Most, if not all, fraud risk statements describe the fraud risk at such a high level that it’s not clear to me whether the risk manager understands how the fraud described in the risk statement will harm their organization.

6. Our profession has a disconnect between documenting fraud risk and understanding fraud risk. In my opinion, you can’t know at what level to document until you fully understand the risk.

7. The IIA competency framework attempts to articulate a level of fraud knowledge that an auditor should have. But how many fraud risk experts do you know?

8. Most, if not all, fraud risk statements do not include the elements of fraud in the risk statement. If this is true, are we really performing a fraud risk assessment? Please read the legal definition of fraud and make your own assessment.

9. Instead of the phrase “fraud risk assessment” should we use phrases like Asset Misappropriation Schemes or Corruption Schemes, etc.? Remember, words are powerful.

10. What is the difference between a statement of fraud risk and a fraud scenario? Two words: What & How!

11. Should your fraud risk assessment be based on statements of fraud risk or fraud scenarios? I have recently started experimenting with AI to create fraud risks. The outcome was a mix of statements and scenarios. This told me all I needed to know. Most assessments assume that fraud prevention controls are the cornerstone of fraud risk mitigation. New guidance recognizes the concept of deterrence.

12. Does your organization start with an overall strategy on how to manage fraud risk mitigation? Most that I see tend to jump into the process of matching the fraud risk statement to internal control.

13. What is your overall internal control strategy: Prevention, detection, or deterrence? Please do not say all!

14. I know for a fact that certain statements of fraud risk can occur and comply with all of your internal controls. If true, how do we ever achieve low residual fraud risk?

15. Is it wrong to have a high-impact statement of fraud risk with a high residual risk? This is a discussion for another day. But right now, I would say truth should be the guiding light.

16. So, is the right word "mitigate"? Or is the right word "manage"?

Okay, I know that I have rambled on. But with every blog, my goal is to make you think! Please read each preceding question and reflect upon your own fraud risk assessment process. If you study the professional guidance issued over the last twenty years, you will see the change in thinking.

I believe the right strategy for every organization is first to build internal fraud risk competency, which means understanding fraud risk. Then, companies need to document that fraud risk based on the level of impact. The greater the impact, the greater the documentation. It is that simple.

This leads to a vital question: Do you have enough information to determine if fraud risk is as minimal as indicated by your fraud risk documents?

If the profession wants to be more proactive (next month’s blog) then the profession will need to make a greater commitment to understanding fraud risk from an occurrence perspective rather than a testing internal controls perspective.

Rudolph the Red-Nosed Reindeer Trivia

This year is the 60th anniversary of the show, which originally aired on NBC.

1. When Rudolph's nose gets brighter, why is this a fraud indicator? Believe it or not, your nose has the highest density of blood capillaries. So, when you are being deceitful, your blood pressure tends to go up. When this happens, your skin turns red.

2. Who created the story of Rudolph? Robert L May

3. In what year was it created? 1939

4. What department store was responsible for creating the story? Montgomery Ward.

5. Why was the story created? The store that wanted to create it owned a coloring book for Santa gifts.

6. What was the budget for creating the Rudolph movie? $500,000.


Etymology of the word Fraud

1. What is the earliest known use of the noun “fraud”?

2. The Oxford English Dictionary's earliest evidence for fraud is from around _____?

3. Who was the person who first used the word fraud per the Oxford English dictionary?

4. What was his occupation?

5. How many synonyms can you name for the word: fraud?

6. There are nine meanings listed in OED's entry for the noun fraud, one of which is labeled obsolete. Which is obsolete? Remember, I told you first that fraud is an ever-changing body of knowledge.

Topics: Fraud Risk Statements, Fraud Auditing, Fraud Detection

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.
