Conducting a fraud risk assessment is an important step for internal auditors who are evaluating an organization’s internal control environment. As part of these assessments, practitioners can use surveys, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline.
Conducting a fraud risk assessment is similar to an internal audit risk assessment exercise carried out during the audit planning process, but the focus is specifically on fraud risk. The most successful fraud risk assessments are conducted in small brainstorming sessions with the operational management of the area under discussion. Facilitated by a fraud professional such as a Certified Fraud Examiner or internal auditor with appropriate fraud training, these assessments look at typical fraud schemes found in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.
A Different Assessment
A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing the fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control. The Association of Certified Fraud Examiners’ Fraud Risk Assessment Tool provides a structured approach to identifying key fraud schemes.
Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the fraud risk assessment team understand the actual robustness and resilience of the control and the control environment, and estimate the potential risk to the organization.
One challenge at this point in the process is ensuring that the analysis assesses not just roles but also the specific individuals who are responsible for the controls. Employees are often uncomfortable contemplating a colleague or manager perpetrating fraud. An outside fraud expert can help facilitate the discussion and ensure that nothing is left off the table. To ask the right questions, the facilitator should keep in mind:
- Fraud entails intentional misconduct designed to avoid detection.
- Risk assessments identify where fraud might occur and who the potential perpetrators might be.
- Persons inside and outside of the organization could perpetrate such schemes.
- Fraud perpetrators typically exploit weaknesses in the system of controls, or may override or circumvent controls.
- Fraud perpetrators typically find ways to hide the fraud from detection.
The Ethical Baseline
It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to as measuring the organization’s ethical baseline.
Organizations can determine their ethical baseline by conducting an online survey of employees from various areas and levels within the organization, or by running workshop-based surveys with a balloting tool that keeps responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that take most employees only a few minutes to answer. Ensuring the anonymity of participants is essential, so that their answers are not influenced by peer pressure or fear of retaliation.
The survey can ask respondents to rate questions or statements on a Likert scale, ranging from 1–Strongly Disagree to 5–Strongly Agree. Sample statements include:
- Our organizational culture is trust-based.
- Missing approvals are not a big deal here.
- Strong personalities dominate most departments.
- Pressure to perform outweighs ethical behavior.
- I share my passwords with my co-workers.
- Retaliation will not be accepted here.
- The saying “Don’t rock the boat!” fits this organization.
- I am encouraged to speak up whenever needed.
- Ethical behavior is a top priority of management.
- I know where I can go if I need to report a potential issue of misconduct.
Interpreting the Results
The ethical baseline should not be measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If done over time, the baseline can help identify both positive and negative trends.
The results of the ethical baseline survey should be discussed with management as part of the broader fraud risk assessment project. This is especially important where survey respondents lack consensus. For example, if the answers to a statement are split down the middle between Strongly Agree and Strongly Disagree, the root cause of the variance should be identified. Each statement should be worded so that one end of the scale clearly indicates strong ethical behavior and the other raises a red flag of potential unethical conduct or of an inability to report such issues promptly to the correct level in the organization. Note that the red-flag end differs by statement: agreement with "Missing approvals are not a big deal here" is a warning sign, while disagreement with the tenth statement above (knowing where to report potential misconduct) is. If the answers to that tenth statement are heavily skewed toward Disagree, the root cause needs to be found, because a strong ethical culture depends on a known and trusted channel for reporting potential issues.
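The interpretation step described above lends itself to a small script that flags, per statement, the two conditions the text singles out (a split population and a heavy skew toward the red-flag end) plus the trend against an earlier survey wave. The Python below is an added example, not part of the original article: the ten statements are the ones listed above, but the polarity assigned to each statement (which end of the scale is the healthy answer), the three thresholds, and all survey responses are constructed assumptions. It deliberately produces findings rather than a score, in line with the guidance that the baseline is an indicator, not a grading system.

```python
"""Flag ethical-baseline survey statements that need discussion with management.

Added example; polarity per statement, thresholds and all responses are constructed.
"""
from collections import Counter

SCALE = range(1, 6)  # 1 = Strongly Disagree ... 5 = Strongly Agree

# (statement, polarity): +1 means agreement is the healthy answer, -1 means
# agreement is a red flag. Polarities are an assumption made for this example.
STATEMENTS = [
    ("Our organizational culture is trust-based.", +1),
    ("Missing approvals are not a big deal here.", -1),
    ("Strong personalities dominate most departments.", -1),
    ("Pressure to perform outweighs ethical behavior.", -1),
    ("I share my passwords with my co-workers.", -1),
    ("Retaliation will not be accepted here.", +1),
    ('The saying "Don\'t rock the boat!" fits this organization.', -1),
    ("I am encouraged to speak up whenever needed.", +1),
    ("Ethical behavior is a top priority of management.", +1),
    ("I know where I can go if I need to report a potential issue of misconduct.", +1),
]

# Thresholds are analyst choices (assumptions); tune them to the population size.
SPLIT_THRESHOLD = 0.35     # both ends of the scale hold at least this share
RED_FLAG_THRESHOLD = 0.50  # at least this share answered on the unhealthy end
TREND_THRESHOLD = 0.10     # change in red-flag share between two survey waves


def tally(responses, n_statements):
    """Count answers per statement from per-respondent rows of 1..5 values.
    Missing or out-of-range answers are skipped so one bad ballot cannot distort a statement."""
    counts = [Counter() for _ in range(n_statements)]
    for row in responses:
        for i, answer in enumerate(row[:n_statements]):
            if answer in SCALE:
                counts[i][answer] += 1
    return counts


def shares(counts):
    """(disagree, neutral, agree) shares for one statement; all zero if no answers."""
    total = sum(counts.values())
    if total == 0:
        return (0.0, 0.0, 0.0)
    return ((counts[1] + counts[2]) / total, counts[3] / total, (counts[4] + counts[5]) / total)


def red_flag_share(counts, polarity):
    """Share of answers on the unhealthy end of the scale for this statement."""
    disagree, _, agree = shares(counts)
    return disagree if polarity > 0 else agree


def findings(counts, polarity, previous_counts=None):
    """Findings for one statement: any of 'split', 'red_flag', 'worsening', 'improving'."""
    out = []
    disagree, _, agree = shares(counts)
    if min(disagree, agree) >= SPLIT_THRESHOLD:
        out.append("split")          # no consensus: discuss the root cause of the variance
    current = red_flag_share(counts, polarity)
    if current >= RED_FLAG_THRESHOLD:
        out.append("red_flag")       # answers skewed toward the unhealthy end
    if previous_counts is not None and sum(previous_counts.values()) > 0:
        delta = current - red_flag_share(previous_counts, polarity)
        if delta >= TREND_THRESHOLD:
            out.append("worsening")
        elif delta <= -TREND_THRESHOLD:
            out.append("improving")
    return out


def interpret(statements, responses, previous_responses=None):
    """Map each statement text to its findings; an empty list means nothing to discuss."""
    counts = tally(responses, len(statements))
    prev = tally(previous_responses, len(statements)) if previous_responses else None
    return {text: findings(counts[i], pol, prev[i] if prev else None)
            for i, (text, pol) in enumerate(statements)}


# Constructed sample data: one column of ten answers per statement, for the
# current survey and an earlier wave. Rows (ballots) are obtained by transposing.
CURRENT_BY_STATEMENT = [
    [5, 5, 5, 5, 4, 1, 1, 1, 2, 3],  # 1: respondents split on "trust-based"
    [1, 1, 2, 1, 2, 1, 1, 2, 2, 1], [2, 2, 3, 2, 1, 2, 3, 2, 2, 1], [2, 1, 2, 2, 1, 2, 1, 2, 2, 1],
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 2],  # 5: password sharing now rare
    [4, 5, 4, 4, 5, 4, 4, 5, 4, 4], [2, 2, 2, 3, 2, 2, 1, 2, 3, 2],
    [4, 4, 5, 4, 4, 4, 3, 4, 4, 5], [4, 4, 4, 5, 4, 4, 4, 5, 4, 4],
    [2, 1, 2, 1, 2, 2, 1, 2, 3, 2],  # 10: few know where to report misconduct
]
PREVIOUS_BY_STATEMENT = [
    [5, 4, 4, 5, 4, 4, 4, 5, 4, 4],
    [1, 1, 2, 1, 2, 1, 1, 2, 2, 1], [2, 2, 3, 2, 1, 2, 3, 2, 2, 1], [2, 1, 2, 2, 1, 2, 1, 2, 2, 1],
    [4, 5, 4, 4, 3, 4, 5, 4, 4, 3],  # 5: password sharing was common
    [4, 5, 4, 4, 5, 4, 4, 5, 4, 4], [2, 2, 2, 3, 2, 2, 1, 2, 3, 2],
    [4, 4, 5, 4, 4, 4, 3, 4, 4, 5], [4, 4, 4, 5, 4, 4, 4, 5, 4, 4],
    [4, 4, 3, 2, 4, 4, 2, 3, 4, 4],  # 10: the reporting channel was known
]
CURRENT_RESPONSES = [list(r) for r in zip(*CURRENT_BY_STATEMENT)]
PREVIOUS_RESPONSES = [list(r) for r in zip(*PREVIOUS_BY_STATEMENT)]

if __name__ == "__main__":
    for text, flags in interpret(STATEMENTS, CURRENT_RESPONSES, PREVIOUS_RESPONSES).items():
        if flags:
            print(f"{', '.join(flags):20} {text}")
```

On the constructed data the script flags the first statement as split and worsening, the password-sharing statement as improving, and the tenth statement as a red flag that is worsening; the remaining statements produce no findings. Each flagged statement is a discussion item for the management meeting, not a point deduction.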
A clear snapshot of the organization’s ethical temperature at a point in time lets internal auditors reassess controls beyond their design and operating effectiveness alone, and identify areas that may need additional review.
Bringing It All Together
The results of the fraud risk assessment and ethical baseline survey can help internal auditors determine areas of risk and control that should be considered for upcoming audit projects. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden may require more frequent assurance from internal audits than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent auditing of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By measuring their organization’s ethical temperature, internal auditors will be turning up the heat on fraud.