If I were going to audit our existing processes to look for vulnerabilities, what would be the best way to start my assessment?
How does one conduct a fraud risk assessment?
Answers
Follow the money. That may sound simplistic, but fraud is going to occur anywhere there is value to be stolen. This includes cash, fixed assets, product, raw materials, accounts payable, etc. Think of any way someone can divert assets to their personal use.
Here is a short list of things to look at:
1. Pay to play schemes for vendors
2. False/fake vendors
3. Poor controls over check stock and access to checking accounts.
4. Expense reports - false invoices, etc.
5. Poor controls in accounts receivable and accounts payable
6. Poor segregation of duties in cash, A/R, A/P and inventory control
7. Employees living above their means. (example: extravagant spending on cars, trips, jewelry, parties, etc.)
8. Lack of or poor reconciliations and detailed review by
9. Poor physical security of assets (cash, inventories, fixed assets, vehicles, etc.)
10. Poor password and network security.
11. Manual journal entries to accounts that should only have automated entries.
Finally, if you don't have a way for employees AND vendors to report issues to you in a confidential manner, you are not going to get an early warning of problems.
Also look for areas where a person who has information on wrongdoing has been eliminated by the perpetrator. Example: An otherwise outstanding employee is suddenly fired by their boss for reasons that don't make sense given their past performance. Could be that outstanding employee wouldn't go along with the illegal or immoral activity and was eliminated.
By the way, there are computer programs and consulting companies that can help determine if there is potential fraudulent activity.
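Several of the items in the list above (false/fake vendors, poor segregation of duties, and manual journal entries to accounts that should only carry automated postings) can be screened for mechanically once you have exports of the vendor master file, the employee file, the payment register and the general ledger. The script below is an added example, not code from the original answer or from any of the products it mentions. All records, account codes (such as `2000-AP` and `1000-CASH`) and the `source` field values are constructed for illustration; real exports will have different column names and the matching rules will need tuning.

```python
"""Screen constructed accounting records for three fraud red flags:
fake vendors, segregation-of-duties violations, and manual postings to
automated-only accounts. Sample data is made up for the example."""
from typing import Dict, List, Tuple

# --- constructed sample data (hypothetical, not from any real company) ---
EMPLOYEES = [
    {"id": "E100", "name": "Dana Ruiz", "bank_acct": "GB29 NWBK 6016 1331 9268 19", "address": "12 Elm St"},
    {"id": "E101", "name": "Sam Ortiz", "bank_acct": "GB94 BARC 1020 1530 0934 59", "address": "7 Oak Ave"},
]

VENDORS = [
    {"id": "V1", "name": "Acme Supplies Ltd", "bank_acct": "GB33BUKB20201555555555",
     "address": "1 Industrial Way", "created_by": "E100", "tax_id": "123-45-6789"},
    # Shares a bank account and address with employee E100 and has no tax ID.
    {"id": "V2", "name": "DR Consulting", "bank_acct": "gb29nwbk60161331926819",
     "address": "12 elm st", "created_by": "E100", "tax_id": ""},
    # Different name, but paid to the same bank account as V1 (possible duplicate/shell).
    {"id": "V3", "name": "Acme Supply Co", "bank_acct": "GB33 BUKB 2020 1555 5555 55",
     "address": "PO Box 99", "created_by": "E101", "tax_id": "987-65-4321"},
]

PAYMENTS = [
    {"id": "P1", "vendor": "V1", "amount": 4200.00, "approved_by": "E101"},
    {"id": "P2", "vendor": "V2", "amount": 9800.00, "approved_by": "E100"},  # creator approves own vendor
    {"id": "P3", "vendor": "V3", "amount": 1500.00, "approved_by": "E100"},
]

JOURNAL = [
    {"id": "J1", "account": "2000-AP", "source": "AP_SUBLEDGER", "posted_by": "SYSTEM", "amount": 4200.00},
    {"id": "J2", "account": "1000-CASH", "source": "MANUAL", "posted_by": "E100", "amount": -2500.00},
    {"id": "J3", "account": "6100-OFFICE", "source": "MANUAL", "posted_by": "E101", "amount": 120.00},
]

# Hypothetical control list: these accounts should only be fed by subledgers.
AUTOMATED_ONLY_ACCOUNTS = {"2000-AP", "1200-AR", "1000-CASH"}


def normalize(value: str) -> str:
    """Lower-case and drop spaces/punctuation so 'GB29 NWBK ...' equals 'gb29nwbk...'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def flag_fake_vendors(vendors: List[Dict], employees: List[Dict]) -> List[Tuple[str, str]]:
    """Vendors whose bank account or address matches an employee, that lack a
    tax ID, or that share a bank account with another vendor."""
    emp_by_bank = {normalize(e["bank_acct"]): e["id"] for e in employees}
    emp_by_addr = {normalize(e["address"]): e["id"] for e in employees}
    seen_bank: Dict[str, str] = {}
    findings: List[Tuple[str, str]] = []
    for v in vendors:
        bank, addr = normalize(v["bank_acct"]), normalize(v["address"])
        if bank in emp_by_bank:
            findings.append((v["id"], f"bank account matches employee {emp_by_bank[bank]}"))
        if addr in emp_by_addr:
            findings.append((v["id"], f"address matches employee {emp_by_addr[addr]}"))
        if not v["tax_id"].strip():
            findings.append((v["id"], "no tax ID on file"))
        if bank in seen_bank:
            findings.append((v["id"], f"bank account duplicates vendor {seen_bank[bank]}"))
        else:
            seen_bank[bank] = v["id"]
    return findings


def flag_sod_violations(vendors: List[Dict], payments: List[Dict]) -> List[Tuple[str, str]]:
    """Payments approved by the same person who created the vendor record."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    return [(p["id"], p["approved_by"]) for p in payments
            if creator.get(p["vendor"]) == p["approved_by"]]


def flag_manual_entries(journal: List[Dict], automated_only: set) -> List[str]:
    """Manual journal entries posted to accounts that should only receive automated postings."""
    return [j["id"] for j in journal
            if j["account"] in automated_only and j["source"] == "MANUAL"]


def run_screen() -> Dict[str, list]:
    """Run all three checks over the constructed data and return the findings."""
    return {
        "fake_vendors": flag_fake_vendors(VENDORS, EMPLOYEES),
        "sod_violations": flag_sod_violations(VENDORS, PAYMENTS),
        "manual_entries": flag_manual_entries(JOURNAL, AUTOMATED_ONLY_ACCOUNTS),
    }


if __name__ == "__main__":
    for check, hits in run_screen().items():
        print(check)
        for hit in hits:
            print("   ", hit)
```

The matches are leads for follow-up, not proof of fraud: a shared address can be a legitimate home-based contractor, and a missing tax ID can be a data-entry gap. The value of a screen like this is that it runs on every export, which is what makes it an early-warning control rather than a one-off review.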
Scott's comments are spot on. Something else to consider is that there are usually three aspects that can lead to fraud:
1) Opportunity. As Scott detailed in his comments, if there are poor controls then that provides the individual with the access to commit the fraud.
2) Need. This is difficult to know unless the employee tells you directly that they need money. It is also subjective, as one person's want is another person's need. As Scott mentioned, look to see if anyone is living above their pay grade and evaluate if they have opportunity.
3) Rationalization. Again, this is subjective. Someone might feel they should be paid more, or that the company can afford the fraud, or that they dislike the company for whatever reason. Being aware of employee discontent is important, as in Scott's example.
Lastly, I have sometimes found that employees who never take a vacation or are very secretive about their work can be hiding something that they don't want anyone else to know about.
It is impossible to eliminate fraud 100%. If someone wants to steal they are going to do it. The trick is to make it difficult and to be able to find it as quickly as possible.
I agree with everything Chester and Scott have said.
I would also add that it is important to look at the strength of the existing control functions:
1) do the controllers have the right tool kit to identify fraud on an on-going basis?
2) do they understand the business well enough to be able to challenge the people they are monitoring? Often, in my experience, controllers raise concerns about processes they only partially understand and then are fooled into accepting fairly superficial answers from the supposed 'experts' (who may have a vested interest in preserving malpractice).
3) look for evidence that when the controllers are conducting their investigations, they are applying appropriate due diligence and evidencing their work. Check some cases - does the evidence support their conclusions?
If these guys can get it right on a day-to-day basis, the chances of falling prey to fraud will be significantly reduced.
Scott,
Would you elaborate more on these two?
1. Pay to play schemes for vendors - What does this mean?
2. False/fake vendors - what steps would you take to ensure a vendor is legit?
I agree with Charles, Chester, and Scott, but the Association of Certified Fraud Examiners say you should consider more than just asset misappropriation. Their fraud tree has two other branches: financial statement fraud and corruption & bribery. Their method suggests brainstorming your possible exposures in those three areas, assessing the likelihood and impact of those exposures, documenting the controls you have for those exposures, then assessing your residual