Tag Archives: Enterprise Risk Assessment

From the Head Down

The ACFE tells us that failures in governance are among the most prominent reasons why financial and other types of serious fraud occur. Often the real cause of the major corporate scandals and failures detailed in the financial trade press is a series of unwelcome behaviors in the corporate leadership culture: greed, hubris, bullying, and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons; so the old saying remains true: fish rot from the head down.

CFEs find themselves increasingly called upon by corporate boards and upper operating management to serve as members of independent control assurance teams reviewing governance-related fraud risk. In such cases, where a board has decided to engage a third party, such as a consulting firm or law firm, to assess the risk associated with certain governance processes and practices, a CFE member of the team can ensure that the scope of work is sufficient to cover the risk of fraud, that the team’s review process is adequate, and that the individuals involved can provide a quality assessment. Thus, if the CFE has suggestions to make concerning any fraud-related aspect of the engagement, these can be shared with the review team as a whole.

As the fraud expert on a review team identifying governance-related risks, the ACFE recommends that the CFE keep an open mind. Even the best boards, with the most experienced and competent directors, can fail. Examples of red-flag, fraud-related governance risks to consider include:

–Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely, and useful information;
–There is too great a focus on short-term results without sufficient attention to the organization’s long-term strategy;
–Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience;
–The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors;
–Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing;
–There have been instances in the past of the external auditors having failed to detect material misstatements because part of their team lacked the necessary industry experience and understanding of relevant accounting standards;
–Board oversight of risk management is constrained by a lack of risk management experience;
–Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments or over key business processes;
–IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs;
–Employees do not understand the corporate code of business conduct because it has not been clearly communicated and/or explained to them.

Once the team has identified and assessed the principal governance-related risks, the first step is to determine how to address them. The review team should take each in turn and determine the best approach. Several options might be considered. Using generally accepted traditional control approaches, many governance-related risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without too much difficulty.

Next, the CFE needs to consider which fraud risks to recommend to the team for periodic re-assessment in recurring risk assessment plans. It’s not necessary or appropriate to periodically assess every identified governance-related fraud risk, only those that represent the most significant on-going risk to the success of the organization and its achievement of its overall fraud prevention objectives.

In a relatively mature organization, the most valuable role for the CFE team member is likely to be that of providing assurance that governance policies and practices are appropriate to the organization’s fraud risk control and management needs – including compliance with applicable laws and regulations – and that they are operating effectively.  On the other hand, if the organization is still refining its governance processes, the CFE may contribute more effectively to the governance review team in an anti-fraud consulting capacity advising or advocating improvements to enhance the evolving fraud prevention component of the organization’s governance structure and practices.

Within the context of the CFE’s traditional practice, there will be times when the board or general counsel (which has so often historically engaged the services of CFEs directly) wants the assessment of a particular governance fraud risk area to be performed by in-house counsel. In such instances, the CFE can partner directly with the in-house staff, an alternative to serving as a review team member alongside another type of assurance provider or outside consultant. This arrangement can offer significant advantages, including:

–Ensuring that the CFE has the benefit of the in-house legal team’s subject-matter expertise as well as its knowledge of the company;
–Allowing the CFE more control over the scope of work, the way the engagement is performed, the conclusions drawn, and the final report itself; for example, some CFEs might feel more confident about expressing an opinion on whether the fraud risk under review is managed effectively by the board when they have in-house counsel support.

A risk-based fraud prevention plan is probably not complete unless it includes consideration of the risks inherent in the organization’s governance processes. Selecting which areas of governance to review should be based on the assessed level of risk, determined with input from management and (in all likelihood) the board itself. Different governance risk areas with fraud impact potential may merit different CFE involved review strategies, but, whatever approach is taken, careful planning is always a must.

Reviews of fraud risk related to corporate governance are never easy, and they often carry political risk. However, they are clearly important and should be given strong consideration as a component of every fraud prevention effort – not just because they are required by professional assurance standards, but because governance process failures can contribute so devastatingly to financial frauds of all kinds.

Is There a Doctor in the House? Your Annual ERM Checkup

I’ve been working these last few weeks helping a consulting client review this year’s performance of its Enterprise Risk Management (ERM) system; the system was extended a few years ago beyond the company’s financial business processes to all 150 of the remaining business processes of the enterprise. This “annual physical” is as important for maintaining the health of a risk management system as it is for the physical health of your doctor’s patients, since both represent on-going, process-dependent projects. There are many well-documented benefits of performing such an annual project review across all your client’s ERM component business processes, including enterprise-wide integration of updated risk evaluation, review standardization, enhanced fraud prevention, and the streamlined reporting of review results to upper management.

The annual ERM health check typically features interviews with key business process owners and a review of ERM documentation to determine if key related controls are functioning as intended, whether project related tasks are being completed on time and within budget, if ERM objectives are being achieved and if the risks related to those business processes critical to the ongoing success of the business are being managed effectively.

Your review should also determine if key annual prerequisites have been defined for the ERM project (e.g., business ownership, governance, and project definition). Has the organization identified a single point of accountability for its ERM project? The answer to this question often isn’t obvious; I’ve found that precise, overall responsibility for the ERM project is often fragmented, constituting a significant control weakness for the organization.

You should also look for a quality assurance process for the ERM project: what mechanisms are in place to ensure that on-going risk updates and related items of critical documentation are of consistent quality? This can only be determined by some kind of consistently occurring, concurrent quality assurance process.

Are the right people devoting the right amount of time to work involving the ERM project? Often, by necessity, the on-going completion of ERM-related tasks is assigned as one or more collateral projects to business process owners whose primary jobs are something else; that’s fine if the product is ultimately reviewed by some higher level of management. I look for some kind of competency framework to assure that those working on ERM-related assignments represent the best human capital the company can muster, given the risk expertise requirements of the assignments.

Is there evidence that the enterprise even manages change well enough generally to be able to identify changing risks to its business processes?  Change management is a professional discipline and risk assessment is a major component of that discipline.  The discipline of change management is now well established and must be somehow integrated into your client’s ERM project by someone having authority with both the ERM project team and with senior levels of client management; this is critical for the success of the project.

With the foregoing as general background, your annual check-up of the health of your client’s (or employer’s) ERM project might include getting answers to the following (or similar) general questions:

–Is the ERM project properly sponsored by the highest levels of management?
–Is there a business case and defined budget for ERM?
–Is there a documented, formal approach to manage ERM included risks, risk scenarios, fraud scenarios and related issues and communications?
–Is there a detailed ERM annual work plan that is actively monitored by business process owners and by compliance professionals like internal auditors, fraud examiners and fiscal controllers?
–Are ERM human resource related roles and responsibilities defined clearly?
–Is the ERM project delivering what was requested of it by management at its inception?
–Is infrastructure in place to support daily project operation?
–Have all ERM project milestones been achieved to date?

When the check-up is complete, be sure to evaluate the performance of the check-up itself by performing and documenting a short check-up critique. This step is important since, hopefully, you’ll be doing another check-up next year. What went well with the check-up and thus could be leveraged to improve the process in the future? What process-related issues were encountered and how were they resolved?

Your annual ERM check-up will provide independent corporate governance oversight to help keep the ERM project on track and, ultimately, could make the difference between long-term ERM project success and failure.

Privacy Impact Analysis

I was a participant in a security forum last week in Northern Virginia on the topic of data privacy in general and its implications for fraud examination specifically. One of my fellow speakers made a very forceful case for the performance of privacy impact analysis by any corporation holding large amounts of customer data. Her argument was that a privacy impact analysis should be a key component of every corporate security management program. The objective of this type of assessment is to ensure that the risk of exposing personally identifiable information is contained at every level of the organization: every business process composing the enterprise needs to be separately assessed for its vulnerability to privacy threats, not just the business functions directly related to information management.

By identifying vulnerabilities throughout the entire book of business processes constituting its enterprise, an organization can significantly reduce the possibility of identity theft occurring at different stages of its business cycle and safeguard the client information entrusted to its care.  My colleague argued that a privacy impact assessment creates a structured process for analyzing non-technical and technical privacy requirements and compliance with relevant regulation, all of which can be dovetailed neatly into the organization’s enterprise risk management (ERM) effort.

For the risks identified by the privacy impact analysis found to be above an acceptable level, our speaker recommended three additional steps. First, conduct the necessary research and fully, not partially, implement appropriate prevention techniques, tools and corporate policy changes. Second, make sure that there’s a sound, tested recovery plan in place in case of a successful attack involving loss of personal information. Third, develop an effective incident response plan well in advance of an actual attack. Those of you involved in ERM will be familiar with each of these steps; taken together they demonstrate due diligence and should lessen legal liability somewhat should an unpreventable breach occur. This is important because customers and investors alike quickly lose confidence in proportion to any negative corporate news, but especially when it’s perceived that the due diligence required to safeguard customer information was absent. A major event can cause a corporation to lose credibility and business to a competitor. This obviously affects share price, which in turn can lead to a sell-off by investors. Such an occurrence can be devastating to a corporation, possibly to the extent that it cannot recover.

Public policy, embodied in current law, requires that organizations notify their customers and clients when privacy breaches occur. These notifications are usually accompanied by a year of free credit bureau oversight or credit watch services so customers can monitor their credit reports for evidence of identity theft; all this remediation is costly and embarrassing and just the sort of situation the privacy impact analysis is designed to prevent.

A final point has to do with employees. Knowledge is power. If employees are aware of how identity theft of customer data occurs and succeeds, they can take many steps, as part of their routine daily duties, to prevent it. So don’t exclude the privacy awareness level of the work force as a critical score element from the privacy impact analysis; if there are identified privacy-related weaknesses involving corporate staff, don’t hesitate to address them, and quickly. The ACFE has emphasized in study after study that work force fraud awareness training is one of the most effective fraud deterrence tools there is.

The Fraud Examiner and Compliance Identification Teams

Over the past decade, the practice standards of most professional organizations like the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA) have been revised to focus, laser-like, on the control of risk. Internal control structures are now viewed as essential elements whose primary purpose is to control the risk that organizational objectives might not be achieved. The extension and expansion of the COSO-based Enterprise Risk Management (ERM) model has accelerated this process by providing a framework for the organizational management of the risk inherent in strategic (critical) business processes.

Risks and, by extension, the processes by which to control them, lurk in almost every business process of the organization and that fact means fraud examiners and the  assurance professionals, like internal and external auditors, with whom we closely work are engaged in a daily battle to assess them, develop controls to mitigate them and then to provide assurance that the controls work as expected.

This cycle is not news to fraud examiners and forensic accountants; the bad news for all the professional types involved in the struggle is that risks change, often dramatically and with great suddenness.  And the steps taken to mitigate newly identified risks may themselves be new, requiring yet another steep climb up a learning curve for all the reviewers who must assist management by determining what challenges the organization will face tomorrow and what controls can be implemented today or in the near term to prevent those challenges from becoming roadblocks to organizational success.

A number of large organizations are beginning to address this issue by adding a new level of expertise to their ERM support staffs through development of what is called compliance identification.  Compliance identification is focused on identifying evidence of control environment degradation using statistically based tools like data mining and  normal process modeling.  Compliance identification teams look for outliers in normal business process events and make adjustments to those processes in response.   Over time, compliance professionals will evolve tests of entire critical process flows, making it possible for the fraud examiner and internal auditor to design and test various fraud scenarios against historical data and, for example,  edit/adjust payment systems on the front end to preclude fraudulent financial transactions from even processing.

Fraud examiners need to be aware of the processing power that compliance assessment groups can increasingly bring to bear on the challenge of controlling fraud in their client organizations.  This is where fraud examiners can assist compliance identification teams by providing a level of expertise to the team about exactly how frauds work, thereby  making the whole team effort more accurate and persuasive to management… meaning that compliance assurance groups  need initial guidance from fraud examiners to know just what needs to be done to control certain categories of fraud.   Once this knowledge is baked into on-going, repetitive compliance tests, a foundation has been built for more fraud scenario testing and for a subsequent lowering of associated fraud related risk for the entire organization.

Internal Control Performance Reviews & the Fraud Risk Assessment

It’s vital to the fraud prevention effort of every private and governmental entity that the performance of its internal control system be monitored. Fraud examiners, working for management as part of the control team, should assist in the assessment of the organization’s control performance with sufficient frequency to meet the needs of the fraud risk assessment update. Such monitoring includes reviews of regular supervisory activities and of other actions entity personnel take in performing their day-to-day duties.

Errors, irregularities, frauds and internal control deficiencies should be reported to top management (you can’t manage what you can’t see or are unaware of) and to the audit committee of the board of directors.

On-going monitoring  of internal controls for weaknesses that facilitate irregularities helps ensure that key  anti-fraud controls continue to operate effectively and maintain a risk score sufficient to reassure management that the risk of irregularities remains low.  Fraud examiners and other auditors should insist that…

–operating managers compare internal reports and published financial statements with their in-the-trenches knowledge of what’s actually happening in the business;

–customer complaints of amounts billed are analyzed;

–vendor complaints of amounts paid are analyzed;

–for a governmental entity or a regulated private entity, regulatory reports to the business or agency on compliance with laws and regulations are reviewed by management and any reported issues promptly addressed;

–accounting managers supervise the accuracy and completeness of transaction processing;

–recorded amounts are periodically compared to actual assets and liabilities;

–external and internal auditors report on control performance and give actionable recommendations for improvement, which management follows up on and complies with;

–training sessions for management and employees heighten awareness of the importance of fraud control.

These elements of the monitoring process of key fraud prevention controls have a great deal in common with the steps to assess the on-going  performance of managerial or operating controls but require additional emphasis in performance review reports to management.  Significant instances of non-compliance and abuse that were found during or in connection with the performance review should be highlighted and their impact on the fraud risk assessment clearly stated.  In some extreme circumstances involving governmental entities, the examiners  should report illegal acts directly to parties external to the auditee entity (i.e.,  to governing boards, legislative auditors or entity counsel).

The Risk Officer, the Internal Auditor and the Fraud Examiner

Prior to about fifteen years ago, the risk management function in most enterprises (if it existed at all) was fragmented among various business processes of the organization like insurance, legal, regulatory compliance and physical security. That’s exactly how the operational aspects of the function were handled at the bank holding companies I worked for many years ago. This pattern continued until around the late eighties and early nineties, when management increasingly turned to internal audit shops to first conduct risk assessments of financial systems under development and then of all enterprise business processes deemed high risk. But having the internal audit division conduct non-audit-related risk functions for the entire organization posed independence problems for the auditors.

Today the various elements comprising the global risk management function are increasingly consolidated under one risk management business process headed by a Corporate Risk Officer (CRO); this is because management has come to realize that dealing with the risks associated with the ever increasing complexity of its market environment necessitates the kind of constant attention that only a dedicated risk professional can bring to the task.

The objective of the Office of Risk Management is to integrate risk management activities across the entire organization.  The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management Framework defines enterprise risk management  as a process designed to identify potential events that might affect the entity, and manage risks to be within its risk appetite, and then to provide reasonable assurance regarding the achievement of entity objectives.

When asked to evaluate fraud risk for any enterprise, the first question I ask is, “Is there an internal audit function?” and the second is, “Is there a Chief Risk Officer?”  If the answer to either or both questions is yes, I know that each of  these assurance functions will be a rich source of information for my work.  I immediately open a dialogue with these professionals to gauge the organization’s risk appetite and then engage them to help develop probability models for the eventuality of a range of fraud scenarios given their views of their organization’s credit, market and operational risk.

Given the post-2008 financial crisis environment in which we currently operate, Fraud Examiners will increasingly be called upon to evaluate the probabilities of fraud scenarios only made possible by the massive gaps in both the understanding and communication of company risk  appetite and exposure that brought on the crisis.  The fraud examiner has two invaluable allies in this evaluative process, the internal auditor and the chief risk officer.  Don’t overlook them.