IIA April 2010.pdf - UAE IAA

By: Santosh Noronha
Fraud Risk
Assessment:
The Human
Element
Today fraud is a key buzzword among
corporations (big and small) and compliance
professionals alike. Recent large fraud
cases are often used to build a business
case for spending large amounts of money
in implementing a Control Framework.
Surveys such as the ACFE 2008 Report
to the Nation show that implementation
of a control framework has a measurable
impact on the organisation’s exposure
to fraud. The survey revealed that
organisations that implemented anti-fraud
controls suffered much lower losses than
organisations without anti-fraud controls.
Though many Control Frameworks
were developed and propagated over
the years, the most commonly applied
Control Framework is the one developed
in the early nineties by the Committee Of
Sponsoring Organisations of the Treadway
Commission, better known as the COSO
Framework (“COSO”). COSO identifies
5 components, which when integrated
and operating in all business units, will
help establish an effective internal control
framework. These 5 components are:
i) Control Environment, which sets
the moral tone of the organisation,
influencing the control consciousness of
the organisation and is the foundation
upon which all other components are
built.
ii) Risk Assessment involves identifying
and assessing risks involved in achieving
an entity’s objectives.
iii) Control Activities are the policies and
procedures that enforce management’s
directives.
iv) Information and Communication, which
allows the exchange of information in
the right quantities and to the right
persons across the organisation.
v) Monitoring is the process that assesses
the quality of the Framework over a
period of time.
Generally, Corporations build their Anti-
Fraud controls on the principles of the
COSO framework. To do so, organisations
first identify fraud risks and prioritize
them according to risks that matter the
most. Prioritization is generally done
by assessing the impact and likelihood of
an inherent risk. Impact is the extent to
which the risk, if realized, would impact the
organisation. Likelihood is the probability
of a risk occurring over a pre-defined time
period, which is generally the organisation’s
planning horizon.
While prioritizing risks on impact and
likelihood, it is generally assumed that
individuals will honour their fiduciary
responsibilities to the organisation. In
other words, people entrusted with
the execution of controls will do so
responsibly and to the best of their
ability. While this assumption may be
correct during an internal control risk
assessment, it does not hold good while
assessing fraud risks.
An individual breaching his fiduciary
responsibilities is an Occupational Fraud!!
A key differentiator between Internal
Controls and Anti Fraud Controls is the
Human Element. Failure to assess the
Human Element can cause frauds to
happen in organisations that otherwise
seem to have a robust and comprehensive
internal control framework.
Before addressing how to prioritize fraud
risks, let’s understand why do people
commit fraud?
One of the best theories on why people
commit fraud was given by Donald Cressey
in his book “Other People’s Money”. As
per this hypothesis, fraud occurs when an
individual has:
a. A non sharable financial problem.
b. Perceives an opportunity to resolve
the situation.
c. Has the ability to rationalize his misdeed
even before committing them.
In other words for an individual to commit
fraud, he should be under pressure from
a financial problem which the individual
perceives cannot be solved through other
means. These problems often manifest
themselves into behaviour patterns or
red flags, which if spotted in time, could
prevent a fraud from happening. As per
the ACFE 2008 Report to the Nation, the
most commonly cited behavioral red flags
were perpetrators living beyond their
apparent means or experiencing financial
difficulties at the time of the fraud.
Even if an individual has the motive,
2
Real or Perceived
Opportunity
Weak controls / Employees in
positions of trust
Incentive or Pressure
Financial, personal, unrealistic
corporate objectives, etc.
FRAUD
he cannot perpetrate the fraud unless
presented with an opportunity.
Opportunities could arise due to a number
of factors within the organisation such as
high turnover of management in key roles,
lack of segregation of duties or a complex
1
Traditional Risk Assessment Criteria
Fraud Risk Assessment Criteria
organisation structure.
Rationalization of the act is the last element
in understanding why people commit
fraud. Most people believe themselves
as good and need to convince themselves
that their actions were justified. Some of
these justifications are:
• I was going to pay it back
• Everybody does it
• I am not hurting anyone
• I was helping my family
• This is nothing compared to what xyz did...
To sum up, when this individual under
pressure is presented with an opportunity
and is able to rationalize his planned actions,
fraud occurs. Over the years this hypothesis
is better known as the Fraud Triangle.
To be able to effectively prioritize fraud
risks, organisations should evaluate the
Human Element to the fraud risk. This
can be achieved by applying the principles
3
Attitude or
Rationalization
Beliefs such as “The activity is
not criminal,” “Everybody is
doing it,” etc.
of the Fraud Triangle to the traditional risk
assessment criteria of Impact and Likelihood.
This is illustrated in the table below:
For example, in an organisation where
an individual performs a number of key
controls – if this individual’s personal
integrity and values are high, the chances
of fraud happening is significantly lower
than when the individual’s personal
integrity is low. Understanding the people
who manage key internal controls in an
organisation, their values and attitude could
go a long way in minimizing the incidence
of fraud and help build effective anti-fraud
deterrents within an organisation.
To sum up, it is important for organisations
to consider the human element while
prioritizing its key fraud risks. Besides, there
are a number of cost effective measures
that can assist in improving the anti-fraud
environment within an organisation. These
are as under:
• Establish a Code of Ethics and clearly
communicate expectations to all
stakeholders.
• Develop Fraud Policies which clearly
describe company policies and
procedures relating to fraud.
• Invest in a communication and training
program on fraud and corporate fraud
policies for all employees.
• Ensure proper segregation of duties for
key activities and functions.
• Set up appropriate recruitment
procedures to select the right
candidates.
• Set up policies for rotation of staff
duties and forced vacations.
• Know your key fraud risks and controls.
Monitor them regularly.
• Set up a whistle blower hotline.
About the Author:
Santosh Noronha is a Manager with Ernst & Young Dubai working
in the Fraud Investigation and Dispute Services Practice. Opinions
expressed in this article belong solely to the author, and do not
necessarily represent the views of Ernst & Young. To comment on
this article, feel free to email the author at
santosh.noronha@ae.ey.com
6 April 2010 7 April 2010