How to conduct a fraud risk assessment
Seven steps to identifying and protecting your business against fraud
If your business wants to minimise fraud risk but doesn't know where to begin, here is how to conduct an effective fraud risk assessment in seven steps.
1. Build your team and set your goals
Start by building your risk assessment team, making sure you include some senior people. Then, work together to set some goals, using SMART criteria (Specific, Measurable, Achievable, Relevant, Timely). Write down what your definition of success looks like and then communicate your intentions across the business.
When you're going through this initial process, make sure you take into account:
- the nature of your business
- the environment and jurisdictions you operate in
- your business culture and staff, and
- the effectiveness of existing internal controls.[2]
2. Identify the risks
Next, establish the risks your organisation faces, making sure to cover three main areas:
- entity level: including bribery, gift policies and government relations
- process level: covering accounts and procurement
- transaction level: including such things as commissions, disbursements and entertainment allowances.[3]
If possible, involve your staff in identifying risks through questionnaires and interviews. You could then facilitate business-wide FAQ and feedback sessions on what you’re doing as well as what you’ve discovered. Many businesses find that they identify the most risks when they allow staff to report concerns anonymously via a hotline or online tool. Even small businesses on a tight budget should consider setting up an anonymous online form for reporting.
During this phase, be sure to consider:
- any incentives, pressures and opportunities employees and contractors face
- the risk of management overriding any controls
- fraudulent financial reporting
- asset misappropriation
- regulatory and legal misconduct
- reputational risk, and
- risk to information technology.
3. Evaluate the risks
Once you’ve established the risks, it’s time to evaluate the potential damage they could cause. For each risk, rate the likelihood of it happening (a simple high, medium, low classification will do) as well as the potential loss if it does.
To get an accurate picture, it’s vital that you take multiple outcomes into account and analyse reputational and commercial risk, not just financial risk. You should also perform a cost/benefit analysis on each risk: compare the likely loss if you do nothing against the cost of implementing procedures and the likelihood that those procedures will prevent the fraud.[4]
Once you’ve done this, you can determine what procedures need to change and identify gaps in current procedures and protocols. Compile your findings into a matrix.
4. Prioritise your actions
Now that you know what to do, it’s time to come up with a plan of attack for getting it done. Analyse where you need to act first, based on the likelihood of something happening as well as its impact on your business.[2] Work out where you’re likely to have your easy wins, compared to which goals will take some time.
You should also immediately address any concerns that have a high probability of occurring, especially if they could lead to substantial loss.
5. Report your findings and set a fraud policy
Once you know what you’ll be doing to minimise risk, it’s time to compile a report on your findings and share it across the business. Let people know what your concerns are, as well as where you’ve uncovered deficiencies. Include an action plan and ask your staff for their input.
Now is also the time to develop a formal fraud policy and communicate it to all employees, contractors and other relevant people.
6. Implement procedures and controls
Put in place your procedures and controls, making sure to include preventative, detective and response procedures.
Preventative procedures: These stop fraud from occurring in the first place, through audits, codes of conduct, training and other procedures.
Detective procedures: These uncover fraud when it occurs, such as hotlines and reporting mechanisms.
Response procedures: These reduce harm and take corrective action through investigations, accountability and remedial action protocols.[5]
7. Monitor and review
To give your risk assessment the best chance of success, it’s important that you track the measures you’ve implemented and analyse their effectiveness.[6]
Adopt a mindset of continuous improvement by holding quarterly meetings where you communicate your findings and report on your progress. You should also randomly but regularly analyse transactions to make sure that people understand your procedures and follow them in their day-to-day activities.
Finally, provide ongoing training to staff so that everyone’s skills and knowledge are kept up-to-date.
How to build an effective whistle-blower program
A robust whistle-blower program can help reduce loss from fraud. But to be effective, you should:
- make it easy to understand
- communicate it clearly across the business
- get the backing of your management
- respond quickly to complaints, and
- follow through promptly with any investigations.
An anonymous hotline, whether phone or internet-based, can give staff an easy way to report fraud. For small businesses this can be as simple as an anonymous web form. However, because whistleblowers are often victimised for speaking out, it’s just as important that you give them access to legal representation and psychological support services.[4, 7]
Unless stated otherwise, this information has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502 and does not take into account your client’s objectives, financial situation or needs.
This information is provided for the use of licensed and accredited brokers and financial advisers only. In no circumstances is it to be used by a potential client for the purposes of making a decision about a financial product or class of products.