
KPMG On Fraud

by Msecadm4921

Companies must address the challenge of effective fraud risk management, says audit firm KPMG.

With fraud running at near-record levels in the UK (over £650m in the first six months of 2006 alone, according to KPMG’s ‘fraud barometer’), businesses are acutely aware that they must address fraud and fraud-prevention initiatives — whether because regulations require it or their organisation’s survival depends on it. Yet, implementing a comprehensive and integrated approach to fraud risk management across the enterprise remains a significant challenge, says a new white paper by KPMG International.

Effective fraud risk management provides an organisation with tools to manage fraud and misconduct risk in a manner that meets regulatory requirements, as well as the entity’s business needs and marketplace expectations, according to the KPMG white paper, Fraud Risk Management: Developing a Strategy for Prevention, Detection, and Response.

What they say

“Companies need to take a strategic approach to fraud risk management by aligning corporate values with performance,” said David Luijerink, director in KPMG Forensic. “Fraud risk management must become part of the corporate culture. The board, senior management, internal audit, in fact all employees, have a role to play to ensure that the company is enacting and achieving ethical and responsible business practices.”

“Moreover, fraud prevention cannot be a one-off event. Companies need to view fraud risk management as an ongoing process and should continuously evaluate the effectiveness of their risk strategy and controls, particularly in light of developments in the market or regulatory environment,” David Luijerink said. “An effective, business-driven fraud and misconduct risk-management approach has three primary objectives—prevention, detection and response,” David Luijerink added. “The challenge for companies is to adopt a comprehensive and integrated approach that enables all of the organization’s control criteria in these three areas to work together.”

The following outlines some of the key issues addressed in the KPMG white paper.

Prevention

Fraud and misconduct risk assessment: When performed across an entire organization, this assessment helps management understand their business’s unique risks, identify gaps or weaknesses in their controls and develop a plan for targeting the right resources and controls to reduce fraud and misconduct risk.

Code of Conduct: A well-written code of conduct is one of the most important mechanisms to communicate with employees about acceptable business standards. A good code of conduct sets the organization’s tone on control culture, raises awareness of management’s commitment to integrity and provides the resources to help employees achieve management’s compliance goals.

Employee and third-party due diligence: An important part of an effective fraud and misconduct prevention strategy is using appropriate due diligence in the hiring, retention and promotion of employees, agents, vendors and other third parties. Such due diligence becomes especially important for those employees with authority over the financial-reporting process.

Communication and training: Raising employee awareness of their obligations concerning fraud and misconduct control begins with communications and training. While many organisations take an ad hoc approach, careful planning behind this effort can help send employees a clear message to take their control responsibilities seriously.

Detection

Hotlines: Hotlines can provide employees and third parties with a way to report possible fraud and misconduct and to seek advice when the appropriate course of action is unclear. A hotline is usually intended for when the normal channels of informing a supervisor, human resources or compliance officer are impractical or ineffective.

Audit and monitoring: Since it is impossible to monitor every fraud and potential misconduct risk, management should develop a comprehensive auditing and monitoring plan that is based on the organization’s fraud risk assessment process. Such a plan would give higher-risk issues priority.

Proactive forensic data analysis: Many indicators of fraud and misconduct reside within an organization’s financial, operational and transactional data. Proactive data analysis tools — such as sophisticated analytic testing, computer-based cross matching, and non-obvious relationship identification — can help identify potential fraud and misconduct that otherwise would remain unnoticed by management, possibly for years.

Response

Internal investigation protocols: When information relating to actual or potential fraud or misconduct is uncovered, management should conduct a comprehensive internal investigation, addressing the situation and potentially lessening the likelihood of a government inquiry.

Enforcement and accountability protocols: A consistent disciplinary system is key to effectively deterring fraud and misconduct. By mandating meaningful discipline, management can send a signal that it considers managing fraud and misconduct risk a top priority.

Disclosure protocols: Although it may be embarrassing to an organization, management may consider public disclosure of fraud and misconduct as a way to potentially combat or preempt negative publicity, demonstrate good faith and assist in putting the matter to rest.

Remedial action protocols: Once fraud and misconduct has been discovered, management may take the following steps when appropriate:

Voluntarily disclose the results of the investigation to a regulator or other relevant body

Remedy the harm caused

Examine the causes of the breakdowns to help ensure that risk is mitigated

Discipline those involved as well as those in management positions who failed to prevent or detect such events

Communicate to employees that management took appropriate, responsive action.

Faced with an increasing array of frameworks and standards governing business conduct, many worldwide organizations continue to struggle with how to mitigate the innumerable risks posed by fraud and misconduct. The development of an integrated fraud risk management program will not only help support compliance with regulatory mandates but may also help an organization protect its assets, including its reputation.

About KPMG Forensic

KPMG Forensic includes a European fraud investigation and dispute advisory team of over 500 people, including ex-police officers, forensic accountants, expert witnesses, data mining consultants and fraud risk management specialists. It investigates and advises on suspicions of fraud and deception including, for example, procurement, treasury, payments and revenue fraud and accounts manipulation, besides giving expert evidence in commercial disputes. Its casebook ranges from matters of less than £50,000 to major international scams or disputes with sums at risk in excess of $1 billion.