
Fraud Risk Management #5 – Moving Forward with Monitoring

Our fourth article discussed Principle 4: Fraud Investigative and Corrective Action and its relation to the Control Environment and its three underlying COSO principles. Our fifth and final article takes a look at Fraud Risk Management Principle 5: Fraud Risk Management Monitoring Activities.

Principle 5: Fraud Risk Management Monitoring Activities

“The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.”

Fraud risk management monitoring activities correlate to COSO principles 16 and 17 or, more broadly, to the Monitoring component of internal control. As with the other four principles, there are several areas of focus that should be considered.

What evaluations and benchmarks should be considered?

First, organizations should consider a mix of ongoing and separate evaluations of the fraud risk management program to ensure the program is functioning as designed. These evaluations should follow a risk-based approach and should cover all five principles of fraud risk management. Internal audit can be an extremely useful party in evaluating the effectiveness of the program during these evaluations; however, other parties in the organization can perform the evaluations, or third-party vendors can be engaged as well.

As part of the ongoing and separate evaluations, the scope and frequency of the evaluations need consideration. Organizations should evaluate the need for continuous monitoring for anomalies and trends, because fraud risks, and the business environment in which the organization operates, constantly change over time. A snapshot fraud risk assessment may not be adequate depending on the changing business and fraud risk landscape. If a fraud risk assessment is conducted more frequently than annually, this exercise could help mitigate the need for continuous monitoring; however, continuous monitoring should still be considered as a viable component of the organization’s fraud risk management program. Each successive periodic evaluation may alter the scope and frequency of subsequent evaluations, depending on the outcome of the prior evaluation.

Measurement criteria are also important for management to monitor and improve fraud prevention and detection. These criteria should be supplied to senior management on a periodic and ongoing basis, and may include some of the following:

  • Length of time to detection of fraudulent activity
  • Number of allegations received via the organization’s hotline (or by other means)
  • Number or percentage of vendors and customers who have or have not signed the organization’s ethical behavior requirements

Using benchmarks from fraud surveys and studies, along with regulatory compliance, can assist an organization in determining the most appropriate measurement criteria for their business.

Compliance-focused guidance can also be used to ensure that the fraud risk management program aligns with regulations and relevant legal requirements. Some of these may include:

  • The U.S. Sentencing Guidelines for Organizations
  • The U.S. Department of Justice (DOJ) Guidance for Evaluation of Corporate Compliance Programs
  • The U.S. Foreign Corrupt Practices Act
  • COSO’s Compliance Risk Management Guide

Known fraud schemes are paramount to consider when reviewing the organization’s fraud risk assessment. Management can ascertain whether a recently discovered fraud scheme would be detected or prevented by current existing control activities. This aids the organization in remaining up to date in the face of emerging fraud risks.

What areas of the organization should be involved?

Coordination with other areas of the organization that are risk- and/or compliance-focused should also be considered for fraud risk management monitoring. As mentioned before, internal audit is a valuable resource for providing independent and objective assurance of the effectiveness of the fraud risk management program, but other areas such as compliance, enterprise risk management and corporate security are valuable partners as well. Partnering with all of these areas reinforces the effectiveness of the fraud risk management program and reduces gaps in the program.

As mentioned in earlier articles, a senior member of management should be assigned overall responsibility for the fraud risk management program, but may delegate certain responsibilities to other members of management to carry out specific functions of the program. This senior member of management should provide the evaluations of the program to senior management and the board of directors on a regular basis. The evaluations should include identified deficiencies, remediation activities for those deficiencies, and any further actions taken, if applicable. Ultimately, the ongoing evaluations should demonstrate that management is actively involved in oversight of the fraud risk management program and that the plan for monitoring the program is adequate for its future success.

For more information about implementing an effective fraud risk management program at your organization, contact your Windham Brannon advisor today, or contact Matt Stelzman.

Sources:

COSO, Internal Control – Integrated Framework (May 2013)

COSO & ACFE, Fraud Risk Management Guide 2nd Edition (2023)

ACFE, Occupational Fraud 2022: A Report to the Nations (2022)