More than ever, organizations of all sizes need to assess, manage and monitor risk. According to the Association of Certified Fraud Examiners’ (ACFE) 2016 Global Study on Fraud, a typical organization loses 5% of revenues in any given year as a result of theft. The longer a fraud lasts, the greater the loss to the organization. Large frauds have led to the downfall of entire organizations, significant legal costs and erosion of customer confidence. The challenge for an organization is to detect and mitigate the fraud. Therefore, an effective risk assessment program is increasingly important to promote the success of any business.
Why do you need a risk assessment?
A risk assessment is a mechanism for identifying areas of vulnerability and opportunities for improvement within an organization. A risk assessment will provide management with valuable information that:
- reduces the potential for fraud within the organization;
- creates efficiencies and cost savings in financial operations;
- provides reasonable assurance to management, ownership, vendors looking to do work with the organization, or potential buyers of the organization about the entity’s risks and vulnerabilities; and
- provides additional assurance to customers, government regulators, and rating agencies, such as insurance companies.
Only through diligent and ongoing efforts can an organization protect itself against significant acts of fraud. The ACFE, the American Institute of Certified Public Accountants and the Institute of Internal Auditors have laid out the key principles for proactively establishing an environment to effectively manage an organization’s fraud risk. Those principles include:
Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner.
Who is responsible for minimizing risk?
Management is ultimately responsible for effectively managing organizational risk and ensuring identifiable areas of vulnerability are adequately addressed. In the event problems emerge, governing bodies, regulators, and even law enforcement will look to see what proactive measures were taken by management to assess, control and mitigate the risk inherent in the problem area. Whether it is setting the tone at the top, adequately training staff, or establishing effective internal controls, management is ultimately responsible and accountable.
Why use an outside professional?
During tough economic times, organizations tend to eliminate or downsize internal audit and internal control functions, despite the fact that organizational risks historically increase when pressures to succeed intensify. In response to this dilemma, more and more organizations are outsourcing various aspects of internal controls and risk assessment. In addition to realizing cost savings, outsourcing provides management with a professional, independent, and objective appraisal of the organization’s risks and vulnerabilities. “Best practice” recommendations for mitigating risks are also part of the assessment.
Professionals work with management throughout the risk assessment process by:
- gaining an understanding of the organization’s business mission, goals, objectives and control environment;
- performing a rigorous vulnerability risk assessment tailored to the organization’s specific accounting and business systems and identifying events that could adversely affect these systems;
- providing feedback on the risks identified and recommending reasonable, cost-effective remediation measures based on industry “best practices”; and
- assisting in the implementation and follow-up assessment of the suggested remediation measures.
Organizations tend not to talk about fraud. The reality is that most organizations experience fraud to some degree. Keep in mind that a proactive approach to managing fraud risk is one of the best steps organizations can take to mitigate exposure to fraudulent activities. The combination of effective fraud risk governance, a thorough fraud risk assessment, strong fraud prevention and detection (including specific anti-fraud control processes), as well as coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks. Organizations that vigorously interpret and act on the results of their risk assessment are better positioned to capitalize on future opportunities and direct the business toward measurable success.