The Fraud Examiner and Compliance Identification Teams

Over the past decade, the practice standards of most professional organizations, like the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA), have been revised to focus, laser-like, on the control of risk. Internal control structures are now viewed as essential elements whose primary purpose is to control the risk that organizational objectives might not be achieved. The extension and expansion of the COSO-based Enterprise Risk Management (ERM) model has accelerated this process by providing a framework for the organizational management of the risk inherent in strategic (critical) business processes.

Risks and, by extension, the processes by which to control them, lurk in almost every business process of the organization. That fact means fraud examiners and the assurance professionals with whom we closely work, like internal and external auditors, are engaged in a daily battle to assess those risks, develop controls to mitigate them, and then provide assurance that the controls work as expected.

This cycle is not news to fraud examiners and forensic accountants; the bad news for all the professionals involved in the struggle is that risks change, often dramatically and with great suddenness. And the steps taken to mitigate newly identified risks may themselves be new, requiring yet another steep climb up a learning curve for all the reviewers who must assist management by determining what challenges the organization will face tomorrow and what controls can be implemented today or in the near term to prevent those challenges from becoming roadblocks to organizational success.

A number of large organizations are beginning to address this issue by adding a new level of expertise to their ERM support staffs through development of what is called compliance identification. Compliance identification is focused on identifying evidence of control environment degradation using statistically based tools like data mining and normal process modeling. Compliance identification teams look for outliers in normal business process events and make adjustments to those processes in response. Over time, compliance professionals will evolve tests of entire critical process flows, making it possible for the fraud examiner and internal auditor to design and test various fraud scenarios against historical data and, for example, edit or adjust payment systems on the front end to preclude fraudulent financial transactions from even processing.

Fraud examiners need to be aware of the processing power that compliance assessment groups can increasingly bring to bear on the challenge of controlling fraud in their client organizations. This is where fraud examiners can assist compliance identification teams by providing the team with expertise about exactly how frauds work, thereby making the whole team effort more accurate and persuasive to management. In other words, compliance assurance groups need initial guidance from fraud examiners to know just what needs to be done to control certain categories of fraud. Once this knowledge is baked into ongoing, repetitive compliance tests, a foundation has been built for more fraud scenario testing and for a subsequent lowering of associated fraud-related risk for the entire organization.
