The Merriam Webster dictionary defines fraud as “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” Historically, one of the more common types of fraud is theft and unfortunately, many organizations unknowingly allow opportunities for theft to occur in the course of operations. The good news is that organizations can attempt to find fraud risk by performing a risk assessment which, in its most basic form, is a review of an organization’s operations to find opportunities for fraud. Many organizations view a risk assessment as a meaningless administrative task, but in reality it can be used to better understand operations and recognize and improve inefficiencies that are not readily apparent to management.
A risk assessment starts by gaining a complete understanding of the way an organization operates. Once this is established, fraud risks, if any, are easier to see. For example, a payment process that allows the executive director to approve his or her own expense reports may be discovered. This self-review by executive director provides an opportunity for fraud because the payment of personal expenses using corporate funds could occur. While this is a very simple example, the concept can be applied to complex transactions as well.
Along with gaining an understanding of how the organization operates, it is important to consider employees’ overall attitude. In many situations, an individual will commit fraud to meet a personal need or “fairly” compensate him or herself. These rationalizations can be strong enough to enable an otherwise honest individual to commit theft or fraud. As management reviews the controls in place it is important to determine if any employee believes they are underpaid or have significant personal financial stress. These factors, combined with opportunity, could result in theft of an organization’s assets.
Many tools are available to facilitate the performance of a risk assessment. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided a framework for the evaluation of internal controls. Additionally, the AICPA has published Managing the Business Risk of Fraud: A Practical Guide.
Performing risk assessment may sound like a pointless and time-consuming task, but it could provide the opportunity to prevent expensive fraud by finding risk in operations. Because of this, we find it to be powerful.