Improving fraud risk controls is crucial for organizations to bolster their defense against potential fraudulent activities and ensure a secure operational environment. Fraud risk monitoring and improvement is a continuous process, and it requires identifying and differentiating between the preventive and detective fraud risk management controls.
Fraud risk monitoring is performed by the fraud risk management team, under the supervision of the chief risk officer (CRO) and the chief compliance officer (CCO). The purpose of monitoring is to assess the operating effectiveness of implemented fraud controls, and specifically test the preventive and detective fraud management controls.
Preventive fraud controls: These are built and implemented in departments, processes, digital onboarding and delivery channels, the supply chain system, the complaint handling system, integrations with vendors' tools, etc., to prevent fraud from occurring.
Detective fraud controls: These are controls that detect the occurrence of fraudulent activities in various processes, systems, products, services, and digital channels.
Management identifies the general fraud controls and differentiates these controls from the process or channel-specific fraud controls, which are built into the processes and applications, to prevent fraud.
General fraud controls are implemented and monitored to support the organization as a whole, for example the establishment of IT processes, compliance reviews, transaction monitoring, and audit mechanisms. These general controls are made part of employees' day-to-day roles and responsibilities.
Process-specific or application fraud controls include cybersecurity controls, data protection controls, data access rights, use of antivirus, and other software- or cloud-management-specific fraud controls.
Management develops the fraud identification and prevention policies and procedures for each department and core process, to ensure that all general and application-specific fraud controls are documented for compliance purposes.
Improving Fraud Risk Controls
Once all the fraud controls are documented in the form of policies and procedures, they are implemented at all levels, and periodically monitored to test the operating effectiveness of documented controls.
When weak fraud identification and prevention controls are identified, the relevant departments take initiatives to improve them or design new fraud management controls, so as to avoid risk incidents and reputational losses. The operating effectiveness and efficiency of internal controls are significant parameters in assessing the risk of fraud in any organization. One can form a view of an organization by understanding its internal controls and their operating effectiveness.
For example, in the purchase process, if authorization controls are not built in, there is a chance that employees may misuse the purchase process to their advantage. To control this fraud risk, the purchasing department needs to design authorization limits for different purchases and ensure their implementation.
Such authorization limits require that purchases above a given amount be approved by a manager or departmental head, which reduces the risk of fraud by employees.
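The purchasing example above, as an added illustration that is not from the article: a preventive check that enforces per-role authorization limits (including rejection of self-approval, the override case discussed later), and a detective check that replays a sample of recorded purchases to find entries the preventive control should have stopped. The roles, limits, names and ledger entries are all constructed assumptions; an organization would take them from its own purchasing policy and transaction extract.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed per-role authorization limits (constructed for this example; a real
# purchasing policy would define its own roles and amounts).
APPROVAL_LIMITS = {
    "staff": 500,             # may purchase up to 500 without a second approval
    "manager": 10_000,        # may approve purchases up to 10,000
    "department_head": 100_000,
}


@dataclass
class Purchase:
    purchase_id: str
    requester: str
    requester_role: str
    amount: float
    approver: Optional[str] = None       # None = no approval recorded
    approver_role: Optional[str] = None


def check_purchase(p: Purchase) -> list[str]:
    """Preventive control: return the reasons a purchase must be rejected.
    An empty list means the purchase satisfies the authorization limits."""
    findings: list[str] = []
    if p.amount <= APPROVAL_LIMITS.get(p.requester_role, 0):
        return findings                      # within the requester's own limit
    # Above the requester's limit, a second approval is mandatory.
    if p.approver is None:
        findings.append("missing approval above requester limit")
        return findings
    if p.approver == p.requester:
        # The same person on both sides defeats the control (an override).
        findings.append("self-approval")
    if p.amount > APPROVAL_LIMITS.get(p.approver_role, 0):
        findings.append("amount exceeds approver's authorization limit")
    return findings


def review_ledger(ledger: list[Purchase]) -> dict[str, list[str]]:
    """Detective control: replay a sample of recorded purchases and report
    every entry that the preventive control should have stopped."""
    return {p.purchase_id: f for p in ledger if (f := check_purchase(p))}


# Constructed sample ledger standing in for a transaction extract.
SAMPLE_LEDGER = [
    Purchase("PO-1001", "alice", "staff", 120.0),                                 # within own limit
    Purchase("PO-1002", "alice", "staff", 2_400.0, "bob", "manager"),             # properly approved
    Purchase("PO-1003", "alice", "staff", 3_100.0),                               # no approval recorded
    Purchase("PO-1004", "bob", "manager", 25_000.0, "bob", "manager"),            # self-approved, over limit
    Purchase("PO-1005", "bob", "manager", 60_000.0, "carol", "department_head"),  # properly approved
]

if __name__ == "__main__":
    for pid, reasons in review_ledger(SAMPLE_LEDGER).items():
        print(pid, "->", "; ".join(reasons))
```

The same `check_purchase` function serves both sides: run at submission time it is the preventive control, and run over a sample of past transactions it is the detective test that a fraud investigator or internal auditor would perform. Each exception it reports points at a control that was either not enforced or was overridden.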
It is not only necessary to design and implement the internal controls; the main point is to ensure the operating efficiency and effectiveness of the controls. The effectiveness of controls means how much the chance of fraud occurring is reduced, or how many fraud risks are identified, with the help of the implemented controls.
To evaluate the operating effectiveness and efficiency of controls, the policies and procedures are reviewed to check their accuracy and coverage. Procedures are required to cover all aspects and steps which form the overall process. The risk of controls being overridden is also assessed. If management finds that controls are easily overridden, the chance of fraud occurring is correspondingly higher.
Management needs to take immediate steps to ensure that robust controls are designed and implemented with no chance of being overridden. To build robust controls, organizations use technology and artificial intelligence, which eliminates the chance of overriding controls by employees or outsiders.
To assess the operating effectiveness of the fraud controls, management and employees are also interviewed. During the interview process, the interviewer assesses the risks of fraudulent activities or related intentions. Interviewing the right people, cross-questioning, and emphasizing the right issues help in the identification and assessment of fraud risks in different processes and departments of the organization.
Activities of the employees are observed to identify any weaknesses in the process or the possibility of an employee breaching the controls. There may be situations in which employees are not well trained or educated about the controls, which is identified through observation of the employees while performing their duties.
Fraud investigators also test transactions on a sample basis, to identify transactions in which fraud has occurred or which indicate fraud risks. Walkthroughs of transactions and processes are also performed, to ensure that internal controls are operating effectively and efficiently.
Audit reports of departments and processes, especially internal audit reports, also help in assessing fraud risks and breaches of controls. Internal auditors review the processes and transactions of different departments and compare the activities with the approved policies and procedures. Internal auditors perform tests of internal controls and verify transactions.
In case of deviations from and breaches of internal controls by employees and departments, internal auditors report such issues in the form of audit observations. Audit reports therefore also serve as a reference point for identifying the weak processes and controls which expose the organization to fraud risks and incidents.
Internal auditors also perform fraud investigations. Reasons for the occurrence of frauds are identified and the facts are discovered as to why fraud incidents have occurred despite the implementation of internal controls. Review of fraud investigation reports by internal auditors also helps in assessing the weak internal controls and gaps, which caused the particular fraud to occur.
As the internal audit reports and fraud investigation reports are shared with the Board Audit Committee (BAC), the board is kept updated about the fraud risks and the fraud incidents that have occurred and been reported within the organization. The BAC issues guidance regarding internal controls, and a roadmap is provided to management to ensure that such frauds do not recur.
The operating effectiveness of the internal controls is assessed by allotting "Control Risk Ratings", such as:
5 – Very Effective controls,
4 – Effective controls,
3 – Moderately Effective controls,
2 – Marginally Effective controls, and
1 – Not Effective controls.
Final Thoughts
Effective fraud risk monitoring and continuous improvement are essential for organizations to stay vigilant against fraudulent activities. By implementing preventive and detective controls, organizations can reduce the occurrence of fraud and promptly detect any fraudulent incidents. Regular evaluation of control effectiveness, coupled with robust policies and procedures, strengthens the overall risk management framework. Through diligent observation, interviews, and audit reports, organizations can identify weaknesses, rectify control breaches, and enhance their fraud prevention strategies. By prioritizing fraud risk management, organizations can safeguard their assets, maintain trust, and uphold their reputation in the face of evolving threats.