Spring Cleaning – Fraud Style
By Kyle Corum, Principal, CPA, CFE
As we approach springtime, everyone likes to do a little “spring cleaning.” We accumulate so much stuff. Our garages, storage buildings, and closets just need to be cleaned out. We develop bad habits of keeping things we no longer need or just aren’t going to get back to. The same goes for the businesses or departments that we run and manage. We keep processes in place way too long, and they create a mess at times. Take some time to clean up old, outdated processes and replace them with updated ones that will make a difference in your business.
Performing a fraud risk assessment now will clean up old processes that are exposing you and your organization to higher risks than you would like. Sit back for a few moments and think about how people can steal from you, and see if you are willing to give up that much money. And if you think they won’t do it because you trust them, do a quick Google search or watch your local news.
A fraud risk assessment is different for each organization. Many factors play a role in this, such as industry, management team, software, data, etc. The first step is to define your scope to ensure that all critical aspects of the business are included and the right people are included in the assessment. Having the right scope is critical in ensuring that the data and important areas of your business are evaluated.
The next step is to identify the risks of fraud and the factors influencing these risks. Factors that influence risk are existing controls, existing personnel, software capabilities, third-party access and integration, culture of the organization, etc. Each of these factors is important. In addition, each risk should have a corresponding risk rating. A risk rating will allow you to quickly assess the cost/benefit of implementing certain procedures and how much effort is expended in mitigating that risk. For example, someone stealing pencils is a risk, but it may be rated very low because the dollar amount of any theft would be negligible to the bottom line. Accordingly, we may not put as much effort into monitoring that as we would for larger items like inventory. You will also develop the organization’s risk tolerance, which is the amount of risk the organization is willing to assume by doing nothing to address the risk.
The third step is to analyze the risks and identify the controls that can be put into place to mitigate risk. Some controls will be preventive and some will be detective. Each scenario will be unique, but careful analysis will allow you to develop procedures that mitigate the risk. There may not be direct controls or processes for some risks, but there may be mitigating controls or compensating controls in other areas that can reduce the risk to an acceptable level.
The last step in this process is to implement these controls. The worst thing you can do is to go through this process only to have you or upper management not follow the recommendations that have come out of it.
In closing, do something. Performing this fraud risk assessment will help you and the business identify and protect its most important assets. It may not seem like a fun task to do among the million other things you have going on, but you will appreciate the process and outcomes when you are done.
Kyle Corum Partner, CPA, CFE
Kyle Corum is a Partner with BRC and is the leader of the Firm’s Advisory Services practice, which includes a variety of different types of engagements including: Cybersecurity; Due diligence for mergers and acquisitions; Fraud and Forensic Investigations; Agreed upon procedures; Internal control reviews and analysis; Outsource CFO and Controller duties; Litigation support; Shareholder […]