Fraud is a significant threat to any organization, especially a complex global organization operating with multiple businesses and geographies. According to the Association of Certified Fraud Examiners’ 2012 Report to the Nations, organizations typically lose 5 percent of revenues to fraud annually.
In addition to the lasting impact on operations and profitability, fraud can cause significant reputational damage. Internal audit can lead the fight against fraud at their organization by developing a comprehensive fraud mitigation program (FMP) as an effective response to such risks.
In June 2010, a small internal audit project team at Hewlett-Packard (HP) began exploring the elements that were needed to establish a successful FMP. Internal audit drove the program development, with guidance and oversight from a steering committee comprising the corporate controller, chief ethics and compliance officer, and chief audit executive. Other stakeholders — executives of the financial reporting, global security, and compliance organizations — provided additional input. The program development stages included:
- Initial research – June 2010.
- Program model development – July 2010 to January 2011.
- Program components identification – January 2011 to June 2011.
- Pilot assessments – June 2011.
- Risk assessment methodology refined – January 2012.
- First fraud-awareness communication launched – June 2012.
- Ongoing assessment cycles commenced – October 2012.
- Fraud mitigation policy and framework released – February 2013.
- Program refinement and improvement – ongoing.
Based on its initial research, the team determined that the most suitable approach was to develop the FMP based on five elements of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework: control environment, communication and information, monitoring, risk assessment, and control activities (see “The FMP Framework” below). The team identified which of these elements were already operating within the organization, mapped process owners to those elements, and assumed ownership of the other elements that required further development. For each of the COSO elements, the team identified the components necessary to construct an effective mitigation program (see “Program Building Blocks” below).
Once the project team had established its program model, it turned to developing the risk and controls assessment methodology through a series of pilot assessments. At the outset, the team envisioned that the business units would conduct self-assessments and be responsible for any resulting mitigation plans. Moreover, they expected those assessments to address both fraud risks and mitigating controls.
As precursors to the pilot assessments, the team created the fraud risk register and risk universe. The risk register defines fraud risks aligned to four major categories of fraud: asset misappropriation, corruption, fraudulent reporting, and external frauds. The fraud risk universe contains various fraud schemes populated from a variety of sources, including previous investigations of compliance with HP’s Standards of Business Conduct, and also maps specific risks to business processes and known controls.
The pilot assessments taught valuable lessons for formulating the ongoing assessment methodology. For example, the project team learned that, rather than relying on self-assessments, it was more efficient for the team to manage the process on behalf of the business and to provide additional guidance and training to the business assessment team for first-time assessments. Also, identifying and verifying subject-matter experts to bring the right team together was essential to the efficiency and effectiveness of the assessments.
As with similar programs, there was a learning curve and a period of change management during which the businesses came to understand the new process. This enabled business units to rationalize the mandate to conduct fraud assessments in addition to the assessments completed by other risk management functions. Increased communication clarified how the FMP activities fit with other risk and compliance assessment activities throughout the company. Moreover, the internal audit project team worked with the steering committee to adopt a formal assessment notification process that made communication uniform and consistent. Finally, the team refined its initial tools and templates throughout the pilot assessments to make them more effective, user-friendly, and aligned with those used by HP’s ethics and compliance office.
Risk Assessment Methodology
Following the pilot assessments, the internal audit project team prepared to begin regular assessments. Based on the pilot results, team members formulated a methodology to efficiently address fraud risks by assessing the functions that supported high-risk processes across all of the organization’s businesses.
To identify those functions, the project team devised an annual assessment planning process that ranked functions according to risk. The ranking considered factors such as past fraud events, past audit issues, exposure to management override, level of third-party interaction, dollars spent, and previous fraud risk and control assessments. The team ranked the functions for likelihood and impact of inherent fraud risks, and generated a heat map that highlighted the key areas of focus.
The resulting methodology enables the project team to evaluate fraud risks and controls in the highest-ranked functions. The process consists of:
- Scoping. Identify key business processes and inherent generic risks associated with them.
- Assembling the risk assessment team. Identify subject-matter experts on the in-scope processes.
- Inherent risk assessment. Identify specific fraud risks and scenarios, their impact, and probability.
- Mitigating controls. Identify controls that mitigate identified risks.
- Residual risk assessment. Evaluate residual risk for impact and probability.
- Key controls assessment. Conduct a managed self-assessment of key mitigating controls that were not assessed by internal audit, Sarbanes-Oxley compliance, or other assurance providers.
- Fraud mitigation plan (if required). Classify residual risk as mitigated, unmitigated within tolerance, or response required. Develop a mitigation plan for residual risks needing a response and track its implementation.
The project team also developed a standard risk assessment worksheet to document each step of an assessment, including identified inherent fraud risks, fraud schemes, risk ratings, mitigating controls, risk response, and a mitigation plan. The team also developed risk-rating guidelines in conjunction with the ethics and compliance office; these guidelines drive greater consistency with ratings generated by other risk assessment programs. As a final step, where necessary, the project team assists in the preparation and tracking of a fraud mitigation plan, which the business units are responsible for implementing.
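The ranking, heat map, and residual-risk classification described above can be modelled as a small risk-register tool. The following is an added example written for this article, not HP's own worksheet or methodology: the 1-5 rating scales, the factor weights, the spend bands, the control-effectiveness percentages, the tolerance thresholds, and the sample functions and controls are all assumptions constructed for illustration. It ranks functions on the same factors the text lists, places them on a likelihood-by-impact grid, reduces inherent likelihood by the assumed effectiveness of mitigating controls, separates out key controls that no assurance provider has already tested, and classifies the residual risk into the three outcomes the text names.

```python
"""Fraud risk ranking, heat map and residual-risk classification.
Hypothetical example: all scales, weights, thresholds and sample data are
assumptions for illustration, not HP's methodology or data."""
from dataclasses import dataclass


@dataclass
class FunctionProfile:
    """Ranking factors for one business function (assumed scales)."""
    name: str
    past_fraud_events: int        # known fraud events in the period
    past_audit_issues: int        # recent audit findings
    override_exposure: int        # exposure to management override, 1-5
    third_party_interaction: int  # level of third-party interaction, 1-5
    dollars_spent_musd: float     # annual spend in millions (assumed unit)
    years_since_assessment: int   # years since last fraud risk/control assessment


def clamp(rating: int, low: int = 1, high: int = 5) -> int:
    """Keep a rating inside the assumed 1-5 scale."""
    return max(low, min(high, rating))


def likelihood(p: FunctionProfile) -> int:
    """Assumed weights in tenths of a rating point, summed with integer math
    so results are deterministic; events and audit issues weigh the most."""
    tenths = (10
              + 8 * min(p.past_fraud_events, 3)
              + 4 * min(p.past_audit_issues, 5)
              + 3 * (p.override_exposure - 1)
              + 3 * (p.third_party_interaction - 1)
              + 2 * min(p.years_since_assessment, 5))
    return clamp((tenths + 5) // 10)   # round to nearest whole rating


def impact(p: FunctionProfile) -> int:
    """Assumed spend bands: <1M=1, <10M=2, <50M=3, <250M=4, otherwise 5."""
    bands = (1, 10, 50, 250)
    return 1 + sum(p.dollars_spent_musd >= b for b in bands)


def rank_functions(profiles):
    """Rank by inherent fraud risk (likelihood x impact), highest first."""
    rows = [(p.name, likelihood(p), impact(p), likelihood(p) * impact(p))
            for p in profiles]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def heat_map(ranked):
    """Group ranked functions into a grid keyed by (likelihood, impact)."""
    grid = {}
    for name, lik, imp, _ in ranked:
        grid.setdefault((lik, imp), []).append(name)
    return grid


@dataclass
class Control:
    name: str
    effectiveness_pct: int  # assumed share of likelihood removed, 0-100
    tested_by: str          # "internal audit", "sox", "other assurance" or "none"


def residual_risk(inh_likelihood: int, inh_impact: int, controls):
    """Assumption: controls reduce likelihood, not impact, and their effects
    compound. Residual likelihood rounds up, so the result is conservative."""
    remaining_pct = 100
    for c in controls:
        remaining_pct = remaining_pct * (100 - c.effectiveness_pct) // 100
    res_likelihood = (inh_likelihood * remaining_pct + 99) // 100
    return clamp(res_likelihood), inh_impact


def classify(res_likelihood: int, res_impact: int,
             tolerance: int = 6, mitigated_at: int = 2) -> str:
    """Assumed thresholds on the residual score (likelihood x impact)."""
    score = res_likelihood * res_impact
    if score <= mitigated_at:
        return "mitigated"
    if score <= tolerance:
        return "unmitigated within tolerance"
    return "response required"


def untested_key_controls(controls):
    """Controls not already assessed by an assurance provider are the ones
    that go into the managed self-assessment."""
    assured = {"internal audit", "sox", "other assurance"}
    return [c.name for c in controls if c.tested_by.lower() not in assured]


# Constructed sample data (not real HP functions, spend or controls).
SAMPLE_PROFILES = [
    FunctionProfile("Procurement", 2, 3, 3, 5, 120.0, 3),
    FunctionProfile("Payroll", 0, 1, 2, 1, 40.0, 1),
    FunctionProfile("Travel & Expense", 1, 4, 4, 2, 8.0, 4),
]
PROCUREMENT_CONTROLS = [
    Control("Three-way match", 50, "sox"),
    Control("Vendor master review", 40, "none"),
]


def assess(profile: FunctionProfile, controls):
    """Run one function through inherent risk, controls, residual risk and
    classification; returns the worksheet fields as a dict."""
    lik, imp = likelihood(profile), impact(profile)
    res_lik, res_imp = residual_risk(lik, imp, controls)
    return {
        "function": profile.name,
        "inherent": (lik, imp),
        "residual": (res_lik, res_imp),
        "self_assess": untested_key_controls(controls),
        "response": classify(res_lik, res_imp),
    }


if __name__ == "__main__":
    for row in rank_functions(SAMPLE_PROFILES):
        print(row)
    print(assess(SAMPLE_PROFILES[0], PROCUREMENT_CONTROLS))
```

With the constructed data, Procurement ranks first at inherent (5, 4); its two controls leave a residual of (2, 4), which exceeds the assumed tolerance and so lands in "response required", while the vendor master review is the one key control the self-assessment still has to cover. Changing the thresholds in `classify` is how the assumed risk tolerance would be tuned to an organization's own risk-rating guidelines.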
The internal audit project team collaborated with the ethics and compliance office to develop a plan for raising fraud awareness through a combination of risk assessment training and companywide communications. Messages sent to employees through HP’s internal communications portal detail the impact fraud can have on various businesses and functions and why fraud mitigation must be every employee’s responsibility.
Policy and Framework
Publishing HP’s fraud mitigation policy and framework was an important milestone. The policy defines the fraud-related responsibilities of employees and management and requires all employees to comply. The framework summarizes how HP approaches fraud mitigation through prevention, detection, reporting, and response. Its objectives are:
- Protecting HP’s reputation and assets and maintaining integrity in the workplace by mitigating fraud.
- Providing a clear statement that fraud will not be tolerated.
- Making employees and management aware of their responsibilities to prevent, detect, and respond to fraud, and helping build a culture that supports employees and others in reporting suspected fraud.
- Making employees and management responsible for implementing controls and procedures to prevent and detect fraud.
- Ensuring HP’s ethics and compliance office takes appropriate action when fraud is detected.
The FMP has become an integral part of HP’s risk management structure, helping the organization demonstrate that it identifies and responds to fraud risks systematically. The program also can identify fraud risks that are pervasive across multiple business units, which allows enterprisewide issues to be remediated effectively and focuses senior management’s attention on high-impact areas. Because internal audit both developed and directs the FMP, the program’s charter calls for it to be reviewed periodically by an independent party.
The internal audit project team currently is enhancing the program’s capabilities in three areas:
- Launching an update assessment process, in which the business will conduct ongoing annual fraud risk self-assessments. The team currently is developing analytics that can be used for continuously monitoring some controls in certain processes, and it plans to consult with business units to address their queries during update assessments.
- Adapting the risk and control assessment methodology to perform country-specific or high-risk-specific anti-corruption assessments in conjunction with the ethics and compliance office and other internal audit teams. These assessments will be conducted by extended multidisciplinary teams that include representatives from HP’s legal and global security groups as well as in-country resources.
- Expanding the program sponsorship to include the global security group, to expand its insight into various types of fraud.
Just as fraud evolves, the FMP is an evolving model. Internal audit’s project team constantly monitors improvements to the methodology and other ways the program can continue to contribute to the organization’s risk mitigation environment and internal audit assurance model.