What We’ve Learned About Fraud Risk Assessment After a Year of the Pandemic
/GUEST BLOGGER
Mustafa Yusuf-Adebola, CFE, CPA, CIA
It’s been a year since the pandemic began and changed the way we work and live. As we all know, one of the key changes to organizations was the migration to remote work. Remote work was not new, but when global health concerns overtook other matters, the virtual world became the go-to solution, thus putting enormous pressure on the existing system of work.
Quite a number of people and organizations were not prepared for this shift, but work had to go on safely. As the migration occurred, fraud did not retire neither did fraudsters take a pandemic vacation – from phishing to hacking to invasion of meetings.
In reviewing organizations, one of the interesting revelations I have come across is how insightful Fraud Risk Assessment (FRA) can be in managing fraud risks. If prevention is better than cure, why wait for issues to occur before acting? Anti-fraud professionals should understand fraud risks and march forward through the following.
Do not wait for sanctions
When an FRA is performed, it helps assess risks as they emerge. As we’ve learned throughout the past year, there is no foolproof way to eradicate fraud completely, but conducting FRAs is an important tool when making business decisions, especially in a tumultuous, ever-changing environment. Some organizations may see risk and compliance objectives as a checklist, and if there were no regulations, they would probably not invest in having a department to assess fraud risks.
However, the benefits of compliance can outweigh the costs of noncompliance. Rather than react to sanctions, anti-fraud professionals should study emerging trends within and outside of the industry to predict how some of these events pose an internal or external threat to their present and future operations. This will place organizations one step ahead of regulatory updates.
Awareness
The importance of creating fraud risk awareness cannot be overemphasized. Why? This goes in line with the old saying: You are only as strong as your weakest link.
With the move to remote work, providing relevant fraud awareness training can prove more difficult, but agility requires playing within the new space. Just as the environment plays a key role in interviewing, sometimes you may get the most interesting revelations from staff when they are in a relaxed environment. Whether it is a tea break on Zoom or brief Teams call, these conversations can open new avenues of fraud awareness.
Providing training and awareness sessions from a top-down perspective where the anti-fraud team is regurgitating textbook concepts to staff may not be impactful when compared to sourcing activities that occur in real life within the organization. This is because people learn more through experiences. What may not be considered a fraud risk at first glance may be revealed as such when the staff is interacting in a less formal setting.
Lastly, what contributions does your anti-fraud team play within you learning and development units? Have you identified trainings that will be relevant to certain departments where you have spotted gaps and fraud risks to raise their risk consciousness?
The psychology of fraud
Every year, the ACFE, in its biannual Report to the Nations, examines the profile of a fraudster. While this is important, do we also know why our colleagues do what they do? What is the thought process behind what staff do when they take certain actions? What behaviors and trends can be observed within our environment? Are staff or third parties also ticking the box? Do they take actions because they understand the impact or is it their instinct making the decision on behalf of the organization? This is not to prevent initiative and involvement of human thought, but during the initial stages of the pandemic with people working from home, some cyberattacks or phishing attempts were prevented simply because of the decisions of staff and third parties.
When real-life scenarios emerge, it is the foundation and awareness that has been built into an organization’s overall risk awareness that makes a staff or third party escalate to appropriate authorities.
Data analysis
Data Analytics has been a buzz word for a couple of years now, but beyond gathering data and analyzing the results, organizations should strive to have a proper understanding of what data is used for. Numbers can also be misleading, depending on how they are presented. Thus, if you have a team of data scientists working within your department, make sure they understand what the end goal is and what outliers you are looking for. For instance, 2020 year was an outlier year — the changes in the way we worked, lived and communicated will largely influence the consumer behavior and, thus, the data captured. If you are performing a 10-year review or trend analysis, clearly indicate events which may have influenced the numbers.
Due to a fraud examiner’s background, some important numbers or trends which are important to an anti-fraud professional may not be flagged by someone unfamiliar with the profession. To prevent false positives, errors and misleading information, review the entire process from source to validation to analysis and have the individuals involved in each of these stages understand what you are looking for. Otherwise, your data will not provide useful insights in fighting fraud. You can take a cue that actors in global corporate scandals have played with the numbers in financial statement frauds.
Backup plan
If 2020 taught us anything, it taught us the importance of having backup plans. It also taught us that what may be planned for temporarily could easily extend. Before the pandemic, agility had largely been a business concept, but now it applies to everyone. Likewise, FRAs also plan for fraud risks that could occur when there are temporary changes. Business Continuity Risks are not just theoretical. You can imagine the worst that could happen to an organization and make sure that, through uncertain times, there are backup plans in place to pivot and thrive through such times.
When fraud risk management is not a priority, organizations will spend more time on detection rather than timely prevention. To play a leading role in reducing fraud worldwide, anti-fraud professionals should be proactive, not reactive in contributing to their respective industries as fraud risks emerge.