IIA April 2010.pdf - UAE IAA
By: Santosh Noronha

Fraud Risk Assessment: The Human Element
Today fraud is a key buzzword among corporations (big and small) and compliance professionals alike. Recent large fraud cases are often used to build a business case for spending large amounts of money on implementing a Control Framework. Surveys such as the ACFE 2008 Report to the Nation show that implementation of a control framework has a measurable impact on the organisation's exposure to fraud. The survey revealed that organisations that implemented anti-fraud controls suffered much lower losses than organisations without anti-fraud controls.
Though many Control Frameworks have been developed and propagated over the years, the most commonly applied Control Framework is the one developed in the early nineties by the Committee of Sponsoring Organizations of the Treadway Commission, better known as the COSO Framework ("COSO"). COSO identifies 5 components which, when integrated and operating in all business units, help establish an effective internal control framework. These 5 components are:
i) Control Environment, which sets the moral tone of the organisation, influences the control consciousness of the organisation, and is the foundation upon which all other components are built.

ii) Risk Assessment, which involves identifying and assessing the risks involved in achieving an entity's objectives.

iii) Control Activities, which are the policies and procedures that enforce management's directives.

iv) Information and Communication, which allows the exchange of information in the right quantities and to the right persons across the organisation.

v) Monitoring, which is the process that assesses the quality of the Framework over a period of time.
Generally, corporations build their anti-fraud controls on the principles of the COSO framework. To do so, organisations first identify fraud risks and prioritize them so that the risks that matter most come first. Prioritization is generally done by assessing the impact and likelihood of an inherent risk. Impact is the extent to which the risk, if realized, would affect the organisation. Likelihood is the probability of a risk occurring over a pre-defined time period, which is generally the organisation's planning horizon.
While prioritizing risks on impact and likelihood, it is generally assumed that individuals will honour their fiduciary responsibilities to the organisation. In other words, people entrusted with the execution of controls will do so responsibly and to the best of their ability. While this assumption may be correct during an internal control risk assessment, it does not hold when assessing fraud risks.
An individual breaching his fiduciary responsibilities is committing an occupational fraud. A key differentiator between Internal Controls and Anti-Fraud Controls is the Human Element. Failure to assess the Human Element can allow frauds to happen in organisations that otherwise seem to have a robust and comprehensive internal control framework.

Before addressing how to prioritize fraud risks, let's understand why people commit fraud.
One of the best theories on why people commit fraud was given by Donald Cressey in his book "Other People's Money". As per this hypothesis, fraud occurs when an individual:

a. has a non-shareable financial problem;

b. perceives an opportunity to resolve the situation; and

c. is able to rationalize the misdeed even before committing it.
In other words, for an individual to commit fraud, he should be under pressure from a financial problem which the individual perceives cannot be solved through other means. These problems often manifest themselves as behaviour patterns or red flags which, if spotted in time, could prevent a fraud from happening. As per the ACFE 2008 Report to the Nation, the most commonly cited behavioural red flags were perpetrators living beyond their apparent means or experiencing financial difficulties at the time of the fraud.
Even if an individual has the motive, he cannot perpetrate the fraud unless presented with an opportunity. Opportunities could arise due to a number of factors within the organisation, such as high turnover of management in key roles, lack of segregation of duties or a complex organisation structure.

Rationalization of the act is the last element in understanding why people commit fraud. Most people believe themselves to be good and need to convince themselves that their actions were justified. Some of these justifications are:

• I was going to pay it back

• Everybody does it

• I am not hurting anyone

• I was helping my family

• This is nothing compared to what xyz did...

To sum up, when this individual under pressure is presented with an opportunity and is able to rationalize his planned actions, fraud occurs. Over the years this hypothesis has become better known as the Fraud Triangle.

[Figure: The Fraud Triangle. 1. Incentive or Pressure: financial, personal, unrealistic corporate objectives, etc. 2. Real or Perceived Opportunity: weak controls / employees in positions of trust. 3. Attitude or Rationalization: beliefs such as "The activity is not criminal," "Everybody is doing it," etc. The three elements together lead to FRAUD.]

To be able to effectively prioritize fraud risks, organisations should evaluate the Human Element of each fraud risk. This can be achieved by applying the principles of the Fraud Triangle to the traditional risk assessment criteria of Impact and Likelihood. This is illustrated in the table below:

[Table: Traditional Risk Assessment Criteria compared with Fraud Risk Assessment Criteria]
For example, in an organisation where an individual performs a number of key controls, if this individual's personal integrity and values are high, the chances of fraud happening are significantly lower than when the individual's personal integrity is low. Understanding the people who manage key internal controls in an organisation, and their values and attitude, could go a long way in minimizing the incidence of fraud and help build effective anti-fraud deterrents within an organisation.
To sum up, it is important for organisations to consider the human element while prioritizing their key fraud risks. Besides, there are a number of cost-effective measures that can assist in improving the anti-fraud environment within an organisation. These include:
• Establish a Code of Ethics and clearly communicate expectations to all stakeholders.

• Develop Fraud Policies which clearly describe company policies and procedures relating to fraud.

• Invest in a communication and training program on fraud and corporate fraud policies for all employees.

• Ensure proper segregation of duties for key activities and functions.

• Set up appropriate recruitment procedures to select the right candidates.

• Set up policies for rotation of staff duties and forced vacations.

• Know your key fraud risks and controls. Monitor them regularly.

• Set up a whistle-blower hotline.
About the Author:

Santosh Noronha is a Manager with Ernst & Young Dubai working in the Fraud Investigation and Dispute Services Practice. Opinions expressed in this article belong solely to the author, and do not necessarily represent the views of Ernst & Young. To comment on this article, feel free to email the author at santosh.noronha@ae.ey.com