Steve C. Morang (email@example.com) is President of the San Francisco Chapter of the Association of Certified Fraud Examiners. Steven Morang IV (firstname.lastname@example.org) is Senior Associate at Honey Badger Consulting in San Francisco, California, USA.
Since the introduction of the fraud risk assessment (FRA) in the Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control — Integrated Framework, organizations have relied upon a variety of approaches to perform and document their FRA review each year. The new risks and challenges placed on organizations during the COVID-19 pandemic have made this process increasingly important yet more difficult. In this article, we will discuss some of the challenges, obstacles, and solutions to perform a high-value FRA for your organization during these challenging times.
Conducting the FRA
Although there are many frameworks available for conducting an FRA, the most common framework used is provided by the Association of Certified Fraud Examiners, which provides templates and checklists for the most common fraud schemes. This allows the practitioner to have a prepopulated universe of fraud risks as a starting point. One key drawback to frameworks is that fields such as fraud are dynamic, meaning that the modus operandi of fraudsters changes more quickly than templates are updated. In addition, most templates cover only a specific sector or industry, which rules out a universal FRA framework. Therefore, these frameworks should only be leveraged as a base, and they need substantial enhancement during the actual project.
Our methodology consists of breaking your FRA project into three major steps:
Create an ethical baseline survey to get an overview of the organization’s ethical temperature.
Conduct multiple interviews with key stakeholders and members of the general population to confirm findings from the ethical baseline survey, and to confirm your understanding of the various fraud risks facing the organization.
Hold targeted working sessions with multiple focus groups to discuss potential threats and fraud risks to the organization.
Upon completion of the three steps listed above, you will not only be able to provide management with a snapshot of the organization’s current ethical environment and any direct fraud risks, but you will also have a starting point to use for comparison in future periods. Let’s take a closer look at each of the major steps.
The ethical baseline
Most organizations pride themselves on not only being profitable in nature, but also being outstanding members of society. Organizations understand the social responsibility they—and their employees—carry. In other words, they frown upon illegal, unethical, or otherwise harmful behaviors. Even with a proper approach by an organization, assurance of management’s vision, ideology, and transparency may falter. Recent examples at Wells Fargo, Uber, and Theranos have shown us the dire consequences of ethical missteps. Therefore, it is imperative to survey members of the organization about the ethical climate in a simple, safe, and anonymous way (i.e., the ethical baseline survey). Use straightforward questions that will allow you to determine environmental factors that are tied closely to fraud, such as:
The perception of management’s opinion on the importance of ethical business practices;
The level of comfort around speaking up versus the fear of retaliation;
An evaluation of pressures perceived in the organization to hit targets and reach goals;
Whether there is an underlying culture of responsibility, trust, and respect in the organization; and
Any other major concerns people might have with regard to governance, compliance, and ethics.
Once you have conducted this brief survey using 10–20 questions, you can apply the results to shape the interviews that you will conduct in the next step.
Although surveys were conducted using online tools before the pandemic, the number of surveys being sent to remote and/or hybrid employees increased dramatically during the pandemic. As a result, we have experienced an increased amount of survey burnout, which has led to lower rates of participation compared to prior periods. It is therefore important to make the survey as simple and relevant as possible while coordinating with other survey distributors to make sure the timing is right. For example, one approach is to take the required questions and incorporate them into a regular employee survey being done monthly or quarterly by the human resources or people teams. This reduces the number of emails in the inbox and will also likely lead to higher participation. This approach, however, should only be used if these surveys are trusted by the employees and they receive a high rate of response. Otherwise, it might be better to conduct a standalone survey.
Depending on the scope of the project, you should select interviewees based on their positions, as well as their seniority and geographic location, while covering the main areas where you think fraud could occur at the organization. For example, speak to someone from finance, accounts payable, or treasury to discuss potential fraud scenarios to get an understanding of the organization’s internal controls.
The interviewer’s line of questioning should be conducted in a private, confidential setting and should focus on any known past incidents of fraud or unethical/questionable behavior, as well as any current concerns regarding potential fraud, waste, or abuse. Furthermore, building trust with the interviewee is key, as the interviewer wants to avoid being perceived as an interrogator and be viewed instead as someone who is only interested in helping the organization become stronger and safer—with the interviewee’s help. If the interviewer can achieve this level of rapport, the information they receive during these interviews can be fundamental in understanding the true risks to the organization.
Using virtual meeting platforms can have multiple impacts on the interview—and on building rapport and trust with the interviewee—due to physical separation, time zones, connection quality, and other factors. Consider making the background setting of the interviewer’s video (real or virtual) welcoming to the interviewee, and conduct the interview in an environment that is clearly private. Do not perform interviews at a local coffee shop with random people walking through the background! Also, take care to ensure that the audio and video quality is the best it can be to make the conversation comfortable. Keeping these simple steps in mind will allow the interviewee to relax and help you gain their acceptance and trust.
Traditionally, the final step in the FRA process is to have workshops to facilitate brainstorming on how an insider (or outsider) could commit fraud against the organization. Of course, this requires the participants to understand the purpose of the workshop, trust the setting and privacy of the meeting, and communicate in real time with one another. Putting on the “fraud goggles” without fear of retaliation or judgment is key to a successful workshop. Once potential fraud schemes are identified in the workshops and potential gaps are exposed, the organization can react as appropriate.
Similar to the interview stage, moving workshops from in-person to virtual and/or hybrid poses significant challenges. The lack of personal intimacy with the other participants can restrict the level of trust and rapport between the participants, as well as with the facilitator. Consider starting the workshop with a fun activity to introduce the various participants and lower some of the personal inhibitions that are normal when discussing fraud. One way to do this is by introducing yourself and sharing a personal story, such as your most embarrassing moment or favorite vacation memory, and then asking the next person to do the same. Such seemingly insignificant actions can aid in ensuring the most effective and efficient workshop.