How to conduct a fraud risk assessment

Start by building your risk assessment team, making sure you include some senior people. Then, work together to set some goals, using SMART criteria (Specific, Measurable, Achievable, Relevant, Timely). Write down what your definition of success looks like and then communicate your intentions across the business. In uncertain times, it’s even more important to ensure your employees are alert to potential risks early, even if your risk strategy hasn’t been formalised.

When you're going through this initial process, make sure you consider:

• the nature of your business
• the environment and jurisdictions you operate in
• your business culture and staff, and
• the effectiveness of existing internal controls.¹

Next, outline the risks your organisation currently faces, making sure to cover three main areas:

• entity level: including bribery, gift policies and government relations
• process level: covering accounts and procurement
• transaction level: including such things as commissions, disbursements and entertainment allowances.²

Make sure you include your staff in the process - those on the front line may be more familiar with the risks inherent in the systems and processes they use on a day to day basis. Many businesses find they achieve more thorough risk identification when they allow staff to report concerns anonymously via a hotline or online tool. Even small businesses should consider setting up an anonymous online form for reporting.

During this phase, be sure to consider:

• any incentives, pressures and opportunities employees and contractors face
• the risk of management overriding any controls
• fraudulent financial reporting
• asset misappropriation
• corruption
• regulatory and legal misconduct
• reputational risk, and
• risk to information technology

Once you’ve established the risks, it’s time to evaluate the potential damage they could cause. When you do, consider the likelihood of the risk happening (using a simple high, medium, low classification) as well as the potential loss.

To get an accurate picture, it’s vital that you take multiple outcomes into account and analyse reputational and commercial risk, not just financial risk. You should also perform a cost/benefit analysis on each risk. In other words, consider the likely loss if you do nothing, when compared to the cost of implementing procedures and their likelihood of preventing fraud.³

Once you’ve done this, you can determine what procedures need to change and identify gaps in your current procedures and protocols. Compile your findings into a risk matrix.

Now that you know what to do, it’s time to come up with a plan of attack for getting it done. Prioritise changes to systems and processes based on the likelihood of the risk, as well as its impact to your business.¹ Work out where there are ‘easy wins’, versus the changes that will take more time. Understanding risk changes on a value versus effort matrix may also be important when prioritising.

You should also immediately address any concerns that have a high probability of occurring, especially if they could lead to significant financial, reputational and/or commercial losses.

Once you have a plan in place to minimise risk, it’s time to compile a report on your findings and share it across the business. Let your people know what your key focuses are and communicate any deficiencies you’ve uncovered in current processes. Include an action plan and ask your staff for their input.

Now is also the time to develop a formal fraud policy and communicate it to all employees, contractors and other relevant stakeholders.

Put in place your procedures and controls, making sure to include preventative, directive and response procedures.

Preventative procedures: These stop fraud from occurring in the first place, through audits, codes of conduct, training and other procedures.

Detective procedures: These uncover fraud when it occurs, such as hotlines and reporting mechanisms.

Response procedures: These reduce harm and take corrective action through investigations, accountability and remedial action protocols.⁴

To give your risk assessment the best chance of success, it’s important that you track the measures you’ve implemented and analyse their effectiveness.⁵

Adopt a mindset of continuous improvement by holding quarterly meetings where you communicate your findings and report on your progress. You should also randomly but regularly analyse transactions to make sure that people understand your procedures and follow them in their day-to-day activities.

Finally, provide ongoing training to staff so that everyone’s skills and knowledge are kept up-to-date.