This month I will present at a conference a new approach to fraud risk assessment. It is the cumulation of my 40 years of experience in building the fraud audit model.
In recent blogs, I’ve talked about how fraud auditing is like looking behind the curtain. I’m continuing with that thought process but with a slight change. This week, we’re going to look behind new curtains.
The fundamental fraud risk assessment model has not changed in 40 years. identification, assessment, treatment and mitigation. Unfortunately, I believe our focus has been on documenting fraud risk rather than understanding fraud risk. That is my first new curtain. We need to refine our understanding of fraud risk, if we want to protect our organizations.
To me, the foundation of any fraud risk assessment is the identification phase. How we articulate the statement of fraud risk is what drives the entire process. While I believe there are many opportunities to improve the process, which I will discuss in future blogs, today I will only focus on one element.
In my opinion, the missing element of most fraud risk assessments is the absence of industry or trade knowledge. This is my second new curtain.
As an illustration, we’re going to look at another risk today: adverse publicity.
We can all agree that a basic tenant of risk assessment is to focus on high risk and high impact on our organization, and certainly adverse publicity ranks highly on that scale.
To illustrate the importance of trade/industry knowledge, I will use excerpts from the following article:
Human Cost of Fast Fashion: Who's Paying for Cheap Clothes?
6 March 2024 • Giada Nizzoli
The human cost of fast fashion ranges from sweatshops (yes, they still exist) to child labor and modern slavery conditions – and more.
To keep their prices so low, many fast fashion companies use sweatshops in developing countries.
According to several reports, this includes big household names like Adidas, ASOS, Gap, H&M, Nike, Primark, and Zara… and don’t get us started on ultra-fast fashion brands like SHEIN!
Barrons once stated:
The deadly consequences of fast fashion were spotlighted a decade ago after 1,138 people were killed when the nine-story Rana Plaza garment factory collapsed in Bangladesh.
High Risk and Risk Mitigation
If a fashion company appears on the Wall Street Journal, Financial Times, NY Times, Washington Post, etc. with allegations that their product is being produced in a “sweat shop” I think we would all call this adverse publicity.
They have reason to be interested in internal controls to prevent the sorts of abuses that would draw negative publicity.
A Look Behind the Internal Control Curtain with the Absence of Trade Knowledge
The fashion industry took many steps to respond to the abuses such as “Social Auditing”
According to the US Department of Labor:
Social compliance auditors can be internal auditors, external auditors, or independent auditors or monitors; audit professionals are accredited by institutions or mechanisms, such as trade or professional organizations.
Social compliance monitoring systems generally follow a continuous and circular process:
- Monitoring: Gathering data at the worker, supplier, and supply chain levels, with priority placed on the greatest risk areas
- Analyzing: Identifying compliance patterns across the supply chain and risk trends among workers
- Improving: Recommending and implementing specific changes to strengthen the entire supply chain’s compliance
- Addressing: Assigning accountability for addressing issues identified through monitoring, often in partnership with workers
That sounds impressive, but is it? What if we add Trade/Industry Knowledge?
Looking at Internal Controls with Trade Knowledge
To gain Trade Knowledge, you could read the Clean Clothes report issued by the Clean Clothes Campaign.
This report explains the flaws in the process and the various concealment techniques a company can use to create the illusion that it is on the right side.
The Clean Clothes Report: “Looking for a quick fix How weak social auditing is keeping workers in sweatshops.”
The report argues that the current system of social audits used by companies to monitor their supply chains for labor abuses is ineffective, often failing to identify serious violations and essentially allowing sweatshop conditions to persist by providing a false sense of compliance through superficial inspections.
These days there are several websites such as Fashion Revolution that produce an annual Transparency Ind Fashion ex reviewing 150 of the world’s biggest fashion brands. You can also use apps like “Good On You” to search for specific brands that have been rated based on factors like how they treat their employees, the impact they have on the environment and animals, and more.
Here are two important questions to ask about internal controls:
- Are the internal controls working as perceived by management?
- Are risk and exposure as minimal management perceived?
I would guess the fashion industry fraud risk assessment mitigates the risk and adverse reputational risk based on the internal control assessment and the reported effectiveness of the internal controls resulting from the “social audits”. Just my guess.
My Final Thought on This Subject
Sometime ago, I read in the HuffPost Business section the following excerpt, which I have used to evaluate adverse publicity risk.
First, assume your decision will become public: this is your assessment of fraud risk and mitigation decisions. Now evaluate decisions based on the following:
- Do you have “public defensibility”
- Do you have a personal conflict that is “impacting objectivity”
- Is your decision self-serving which may or may not create “legal and reputational harm”
- Lastly, is your decision “consistent with your company’s public policies and values?
I want to be clear; I am not picking on the fashion industry with this blog. With a little effort you can find similar stories regarding many industries and companies. What I am saying is without incorporating trade knowledge into your fraud risk assessment, your assessment is merely an academic exercise that probably provides little value to your organization beyond compliance with a standard.
You must ask this question: If the news media reports abuse by your company: Is your fraud risk assessment process defensible?
Fraud Trivia from the Clean Clothes Campaign
Audits are often rushed, rely heavily on factory management for information, and lack meaningful worker input, leading to a distorted picture of actual working conditions. True or False?
Companies prioritize appearing compliant with minimum standards rather than actively working to improve worker welfare. True or False?
Workers are often afraid to report issues due to fear of retaliation, and the auditing process does not provide adequate mechanisms for workers to raise concerns directly. True or False?
Even when problems are identified, companies often fail to adequately address them or ensure lasting improvements. True or False?
Trivia Answers from last month's blog:
Who is called the god of hackers? Eric Taylor, also known as "Cosmo the God", was a hacker who was arrested in 2012 as part of an FBI investigation into identity theft and credit card fraud
Which country is number one in cybercrime, according to PLOS ONE? Russia tops the list, followed by Ukraine, China, USA, Nigeria, and Romania
Which hacker inspired the movie War Games? David Scott Lewis, a young hacker from California, inspired the character David Lightman in the movie WarGames. Lewis was a model for the character and helped the writers focus on hacking, AI, and the influence of machines on society.
What is hacktivism? Is the act of hacking, or breaking into a computer system, for politically or socially motivated purposes.
What is the difference between Hackers and Hacktivism? Hacking means breaking into someone's computer. Activism refers to promoting a social perspective. “Hacktivism” is a combination of the two. Even though all hacktivist attacks are meant to further an ideology or counteract one the hacktivists see as a threat to their cause, the similarities often stop there.
