acfe fraud prevention check-up - BKD

Other RisksRegulatory and Legal MisconductRegulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft ofcompetitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations inareas of import/export. Depending on the particular organization and the nature of its business, some or all of theserisks may be applicable and should be considered in the risk assessment process.Reputation RiskReputation risk is evaluated differently by different individuals, either as a separate risk or the end result of otherrisks (e.g., operational, regulatory, or financial reporting). Fraudulent acts can damage an organization’s reputationwith customers, suppliers, and the capital markets. For example, fraud leading to a financial restatement damagesan organization’s reputation in the capital markets, which could increase the organization’s cost of borrowing anddepress its market capitalization. Because the board is responsible for the longevity of the organization and hasresponsibilities to multiple stakeholders, it should evaluate its performance regularly with respect to reputation risksand ensure that consideration of reputation risk is part of the organization’s risk assessment process.Assessment of the Likelihood and Significanceof Identified Inherent Fraud RisksAssessing the likelihood and significance of each potential fraud risk is a subjective process. All fraud risks arenot equally likely, nor will all frauds have a significant impact on every organization. Assessing the likelihood andsignificance of identified inherent risks allows the organization to manage its fraud risks and apply preventive anddetective procedures rationally. It is important to first consider fraud risks to the business on an inherent basis,or without consideration of known controls. By taking this approach, management will be better able to considerall relevant fraud risks and design controls to address the risks. After mapping fraud risks to relevant controls,certain residual risks will remain, including the risk of management’s override of established controls. Managementmust evaluate the potential significance of those residual risks and decide on the nature and extent of the fraudpreventive and detective controls and procedures to address such risks.Likelihood — Management’s assessment of the likelihood of a fraud risk occurring is informed by instances ofthat particular fraud occurring in the past at the organization, the prevalence of the fraud risk in the organization’sindustry, and other factors, including the number of individual transactions, the complexity of the risk, and thenumber of people involved in reviewing or approving the process. Organizations can categorize the likelihood ofpotential frauds occurring in as many buckets as deemed reasonable, but three categories are generally adequate:remote, reasonably possible, and probable.Significance — Management’s assessment of the significance of a fraud risk should include not only financialstatement and monetary significance, but also significance to an organization’s operations, brand value, andreputation, as well as criminal, civil, and regulatory liability. For example, two different organizations may havesimilar amounts of expenses charged via employee expense reports, but one organization is a professionalservices firm that charges those expenses to clients. Although the likelihood of the risk of fraudulent expense28