Proactive fraud risk assessment is lacking, recent survey finds
Many companies are not well positioned to prevent corporate fraud or to conduct investigations, creating a significant potential liability to their executives and shareholder value, according to a recent joint study by Protiviti and Utica College’s Economic Crime and Justice Studies Department.
The report, titled ‘Taking the best route to managing fraud and corruption risks’, is based on responses from more than 270 C-level executives, board members, audit directors, and risk managers who were surveyed last summer about corporate crime and the ways in which management handles white collar crime, third party corruption, fraud, corruption, and misconduct. Most of the respondents work in North American organizations across a variety of industries.
When organizations fail to address corporate fraud, it creates potential liability for C-level executives, says Donald Rebovich, chair of economic crime and justice studies at Utica College. ‘The conventional wisdom is that executives are obligated to do everything possible to protect against victimization by fraud. This can include vulnerability inventories to determine potential points of compromise that can be taken advantage of to commit fraud.’ If executives don’t take action, they could be held legally responsible, so it behooves them to weigh the hardship of the costs and efforts involved against the hazard of doing nothing, he adds.
The report reveals that almost half of the companies (48 percent) surveyed don’t conduct fraud risk assessments at least annually, while 27 percent have never performed one. And only six percent of respondents reported ‘a high level of confidence in their organization’s vendor fraud and corruption risk oversight.’ Comparing the latest findings to those in Protiviti’s prior fraud risk survey in 2008 wouldn’t yield meaningful insights because the methodology and questions were much different from the latest survey.
Since the typical organization loses about five percent of its annual revenue to fraud, it’s important that organizations adopt proactive, preventative approaches to fraud risk management and work to establish fraud risk assessment programs.
To combat corporate crime, companies should conduct fraud risk assessments at least annually, says Scott Moritz, a managing director and global lead of Protiviti’s investigations and fraud risk management practice. ‘I think that once a year is ideal, absent some type of triggering event such as a major fraud, an acquisition, joint venture, entering a new market, or the launch of a new product or service.’ The best fraud risk management programs are proactive, always looking for ways to improve their fraud detection processes.
Other survey findings include:
- 37 percent of respondents cite a lack of proactive fraud risk management
- 22 percent say their organization doesn’t have a senior management person designated to deal with fraud risk management
- 18 percent report that the Chief Financial Officer is responsible, while 13 percent believe the Chief Risk Officer is responsible and 14 percent say nobody in senior management is in charge of fraud risk management
One best practice an organization can undertake to establish a fraud risk assessment program, Rebovich suggests, is a vulnerability inventory that can help detect and prevent fraud. ‘The best advice is to have an outside, reputable firm perform such an inventory. Appointing a chief risk officer is valuable, but the inventory should not be delayed,’ he says.
Board members can be involved in either establishing or performing fraud risk assessments in several ways, Moritz says. ‘In the majority of instances when the board is properly engaged in fraud risk management, [it is] involved at the outset in establishing a fraud risk management program, responding to a fraud incident, mapping to the COSO 2013 framework or simply embarking down a path to take a more proactive approach to truly ‘managing’ [the company’s] fraud risk.’
Unfortunately, boards are more likely to take a hands-on approach to fraud risk assessment only after they see how vulnerable their companies are to such risks, he adds. He cites a global manufacturer whose Western Europe operations were targeted in an executive impersonation email scam while the company was considering hiring Protiviti to do a fraud risk assessment in conjunction with the company’s transition to the revised 2013 COSO framework.
‘It did create a level of board engagement that you don’t often see,’ Moritz says. ‘Our fraud risk assessment project became a top priority of the board and has become an annual process since. This example is emblematic of a lot of boards when it comes to expending resources prophylactically.’