Now that the initial wave of Sarbanes-Oxley Act compliance is becoming a distant memory and companies are well versed in the regulations, many would assume that organizations would be far along with implementing their comprehensive fraud risk management (FRM) strategies. However, research by Protiviti reveals that a surprisingly high number of companies still have much room for improvement when it comes to evaluating, mitigating and monitoring fraud risk.
Executives at Fortune 1000 companies and large, not-for-profit organizations were asked a range of questions designed to gauge how they're addressing FRM and the maturity of related efforts. Following are some of the highlights from the research findings and what they mean for organizations.
How Firms Define FRM
Most executives surveyed were on the same page when it came to several key components of FRM. The vast majority cited financial processes as crucial to FRM, with three-quarters also naming operational processes and compliance with laws and regulations. Many update their fraud risk assessment processes at least once a year; however, notably, only one-quarter of companies do this periodically. This indicates that a substantial number of organizations may be relying on outdated FRM practices.
Where Companies Are With FRM
When it comes to dealing with FRM, companies appear to be amazingly casual in the wake of Sarbanes-Oxley. Only 49 percent of executives said their strategies for addressing fraud risk are very well defined: Fraud risks are identified proactively, with anti-fraud programs and controls agreed upon, monitored and measured regularly by a board and senior management. The results weren't much better at Fortune 1000 companies, with only 52 percent reporting that they have very well defined FRM strategies. Most companies and nonprofits polled said their efforts are defined, with anti-fraud programs and controls under the watch of the board and senior management, although there is no formal strategy in place.
Less than half of executives surveyed said their organizations define the fraud risk assessment process at both the entity and process levels. Since companies should be using a "top-down" approach to fraud risk assessment as recommended in authoritative guidance, this finding may highlight a notable opportunity for improvement at many companies.
Commonly, fraud risk assessment is included within other initiatives, such as internal audit planning or Sarbanes-Oxley compliance. However, Protiviti's work with clients has found that when companies use this strategy, fraud risk can get buried within other categories of risk, can fail to be adequately or explicitly considered or can be overlooked entirely. Only 18 percent of executives said fraud risk assessment is included within enterprise risk management (ERM) modules - well below anticipated survey results.
The research also found that nearly 20 percent of organizations are not actively monitoring or identifying anti-fraud controls at the process level or don't know what is being done. Those who are taking action with anti-fraud controls are inclined to bundle their activity within Sarbanes-Oxley or internal audit testing activities, use computer-assisted audit techniques (CAATs), or manually review documents such as spreadsheets or reports. Approximately 40 percent of Fortune 1000 companies surveyed aren't routinely using CAATs to uncover potential fraud indicators. This represents another improvement opportunity area.
Companies tend to rely on hotlines, electronic mailboxes and designated members of senior management to handle the reporting of allegations of potential fraud and misconduct. Once a report is made, many organizations seem unclear on what to do next. One-third of Fortune 1000 executives polled said their firms have no documented investigative policies or procedures, and one-half have no incident response plan. Approximately 60 percent don't use escalation or "decision" trees to address complaints or concerns.
How Employees ReceiveFRM Guidance
One of the keys to effective FRM efforts is making sure everyone in the company is educated on related issues. The survey found that one in four organizations is not providing any fraud awareness training, and even those that are providing training aren't always doing so on a frequent basis.
Also notable - and shocking - is that while 72 percent of companies require all employees to attend ethics and fraud awareness training, the people who play the greatest role in FRM activities - audit committees and board members - are rarely required to attend the training.
The majority of Fortune 1000 companies offering ethics and fraud awareness training rely on online programs rather than in-person sessions. But the training provided often has notable gaps, with many failing to address fraud detection or prevention techniques, general fraud awareness or the code of conduct.
Also, there is concern that some employees are not being provided with FRM materials they can understand. While all organizations surveyed said they have adopted a code of ethics or a code of conduct, many have not translated the related documents into foreign languages. This raises some red flags for companies at which multiple languages are spoken, either here in the United States or at overseas locations.
Another common problem is that many companies appear uncertain about what to include in written anti-fraud or FRM policies. As a result, they offer broad information rather than the necessary specifics. Less than half of the organizations polled cover key issues in written materials, such as providing an anti-fraud program overview, a definition of fraud, roles and responsibilities regarding FRM, "tolerance" toward fraud and misconduct, and anti-fraud program concepts.
Challenges Affecting FRM Efforts
So, why aren't companies further ahead with their fraud risk management initiatives? Protiviti asked executives what their greatest obstacles were to proactively managing fraud risk. Most pointed to insufficient support from senior management: fraud and misconduct not being considered a high risk within the organization; a "no fraud here" mentality; availability and alignment of internal resources (meaning they are decentralized or focused on other corporate priorities); adequacy of funding for anti-fraud programs and initiatives; and the laws and regulations or cultural norms in non-U.S. locations. A smaller percentage said their companies had no proactive fraud risk management, there was no unified FRM strategy or that no member of senior management was designated with ownership and responsibility for FRM.
In addition, it appears that only 53 percent of organizations are informing their audit committee of all allegations and investigations involving accounting, auditing and internal control matters. At one-third of companies, the audit committee is informed of only the most important allegations and investigations. This raises questions about management's interpretation and execution of their audit committee's procedures to receive, retain and treat concerns or complaints related to such matters. There are likely inconsistencies in the way these companies share concerns and complaints, prioritize, provide timely notification, and maintain the independence of those managing the process.
Another factor that may be undermining the success of FRM initiatives at some organizations is that fraud prevention often is not used as a performance or management metric. Just 54 percent of organizations hold management accountable for the actions of employees, clearly define accountability for fraud prevention in job descriptions or roles and responsibilities, or incorporate ethics or fraud prevention goals within performance management.
Who's in Charge?
Having one person in senior management overseeing FRM efforts can lead to a more coordinated effort with fewer redundancies. However, 39 percent of executives polled said no single person has been assigned this role within their organization. In cases where multiple people are in charge, their level of seniority appears to be less than in cases where there is a single owner.
Sixty percent of respondents report that their audit committees have oversight of fraud risk. Our client experience indicates this is not explicit in the charter, and audit committees are still working through how best to handle it. Meanwhile, 35 percent assign fraud risk leadership to C-level executives and 31 percent look to their board of directors.
Fraud risk assessments usually are handled by internal audit (56 percent) or the Sarbanes-Oxley compliance team (25 percent), according to the report. This means key risks may be overlooked, since these groups tend to focus on certain types of financial fraud that may result only in a material misstatement of the financial statement.
What Should Organizations Do?
There are a number of key differences between companies with more well defined FRM capabilities, and organizations with less mature strategies. First, the role of the board of directors is likely to be more active and defined. Further, they define the risk management process at both the entity and process levels, and are more likely to have a "standalone" FRM process. They also provide more thorough FRM training to employees, and use both manual methods and CAATs to monitor anti-fraud controls at the process level. Finally, companies with more mature FRM strategies are better about communicating the code of conduct and providing staff with fraud reporting mechanisms.
While many leading organizations have excellent FRM strategies, there is no single fraud risk standard stating exactly how companies should manage their FRM initiatives. The best organizations customize fraud prevention, deterrence and detection programs to align with their unique fraud risks.
What is certain is that it is crucial for companies to have a top-down approach to FRM, with corporate executives leading the way in accepting the potential for fraud risk and embracing programs that help to manage those risks. Broad support from management can be critical to the success of FRM efforts, as it sets an example for employees throughout the organization.
It is also important to remember that FRM is not a one-time event. Fraud risk is dynamic - and strategies to evaluate, mitigate and monitor that risk should evolve. Modifications should be made over time to keep the program relevant to the company's people and processes. With this in mind, organizations can ensure they are on the right track and doing all they can to minimize fraud risk.
Published March 1, 2008.
