Fraud risk management programs: are they really effective?
The Board and senior management cannot ignore fraud any more, given the personal liability they face under the Companies Act, 2013. To help understand fraud risk management and their organization’s preparedness to tackle fraud, the Boards must endeavor to question and ascertain facts presented.
By Rohit Mahajan and Veena Sharma
Organizations today are increasingly concerned about the risk of corporate fraud, given the severe and long-lasting legal, economic, and reputational consequences. The Companies Act, 2013, and the revised corporate governance norms of the Securities and Exchange Board of India (SEBI) for listed companies, have recognized fraud as a key risk and placed accountability for fraud risk management on the Board of Directors (the Board), audit committee and senior management.
For the Board and senior management to formally govern a fraud risk management program and monitor its effectiveness, there needs to be greater understanding of the fraud risks facing the organization, as well as the gaps in the current measures employed to manage fraud risks.
An effective fraud risk management program calls for a continuous improvement process that requires annual measurements of where the organization is in terms of effectively deterring, detecting and preventing fraud, and where it needs to be.
The Board’s predicament today in understanding fraud risk management
The Board’s exposure to fraud is largely limited to the reports shared by the risk, compliance and internal audit teams. Typically these teams are assigned fraud risk management and compliance responsibilities. They monitor processes and transactions and report their findings annually to the Board and audit committee for review and feedback. In theory, the measures put in place to mitigate fraud risks and the reporting processes to notify the Board seem adequate. But in reality, how can the Board ascertain the effectiveness of these measures?
Our experience indicates that Boards in India don’t challenge the outcomes of fraud risk management programs as often as they should. This can be largely attributed to three factors.
a) Fraud risk is not yet on top of the Board’s agenda. In the past, corporate India has viewed fraud as an unavoidable cost of doing business. Losses due to fraud were considered too insignificant to impact the company’s financial performance, and little importance was given to fraud risk management. However, large corporate frauds unearthed in India over the last decade have shown that fraud can destabilize companies and bring their operations to a halt. Further, research studies have estimated fraud losses to be worth at least 5 percent of annual revenues. About one-fifth of the respondents to the Deloitte India Fraud Survey 2014 indicated that they had lost between 10 Lakh and 1 Crore to fraud over the last two years. Further, 23 percent said they were unable to quantify fraud losses. Unless the Board and senior management become aware of this reality, fraud risk will continue to be at the bottom of the Board’s agenda.
b) Inordinate reliance on Internal Audit teams to manage fraud risks. The Board and senior management have traditionally believed that internal audit teams would provide assurance for fraud risk assessment and detection. But this is undergoing a change. Globally, less than 3 percent of frauds are detected via Internal Audit reviews. The majority of frauds are detected through tips, whistleblower hotlines and IT controls. In India too we are observing a rise in the use of these other channels, such as whistleblower hotlines and IT controls/Data Analytics, to detect fraud. The Board needs to become aware of these changes and direct the fraud risk management teams to include these measures in the existing fraud risk management program.
c) Unsure about what constitutes an effective fraud risk management program. A majority of respondents to the Deloitte India Fraud Survey, released in 2014, indicated ‘lack of efficient internal controls and compliance systems’ as the top-most reason contributing to fraud. Inability to identify fraud risks and put the necessary safeguards in place could render any fraud risk management program ineffective. Unless the Board periodically questions the effectiveness of existing controls, it cannot propel the organization towards improvement.
Helping the Board understand fraud risk management and effectively govern such practices
A structured approach to fraud risk management can help Boards ask the right questions and understand the organization’s outlook on fraud. It can also help set the appropriate agenda for fraud risk management and measure tangible outcomes from the existing program.
A whitepaper on Demystifying Fraud Risk Management for the Board, recently released by Deloitte Forensic in collaboration with the Bombay Chamber of Commerce and Industry, highlights a model that involves four key areas that the Board and senior management can consider in their efforts to improve the effectiveness of fraud risk management practices:
a) The Board’s oversight of fraud risk management: Typically, fraud risk management practices in an organization start with the Board and senior management setting the right tone at the top through an enforceable corporate ethics policy. To demonstrate strong oversight of anti-fraud activities, the Board ought to go beyond mere review, to ensure that the organization has implemented an effective ethics and compliance program and that it has been periodically tested. For example, the Board can ascertain how strong the tone at the top is by looking at historical evidence of past fraud to see how unethical behavior has been dealt with.
The Board can also encourage an ethical business environment in the organization by aligning the rewards system with the core values of the organization. For example, including ethical behavior as part of employee work performance can demonstrate a zero tolerance culture to malpractice and fraud. Further, ethical audits can be initiated to monitor compliance with the code of conduct and ethics policy. Ethical audits can help identify:
- Areas where the employee is not getting adequate training about the code of conduct.
- Areas where senior management is overlooking suspected/actual ethical breaches as a result of performance/result pressures.
- Any disconnect between the Board/ senior leadership’s stand on ethics, and the practices at various employee levels.
b) Developing the fraud risk management program: Although many organizations have identified ways to implement and improve their current fraud risk management program, they continue to struggle with capability skill gaps, particularly in the area of investigations, data analytics, and third party due diligence. Boards can therefore consider:
i. Appointing a fraud risk management champion who can periodically apprise the Board about the effectiveness of fraud risk management processes and controls in the organization
ii. Undertaking whistleblower system assessment and benchmarking to help identify an underperforming whistleblower system, signaling the need for remediation.
iii. Directing teams to regularly undertake comprehensive fraud risk assessment, including self-assessment based risk ratings, to understand emerging fraud risks and the preparedness to deal with them.
iv. Establishing protocols and making resources available to manage fraud investigations, particularly expertise in areas such as data analytics, third party due diligence and forensic investigations.
c) Establishing a formal fraud control policy/ strategy: Currently organizations rely mainly on the code of business conduct and ethics policy to manage fraud. However, in reality, these documents do not discuss the protocols for tackling fraud. Boards can direct organizations to create a document that sets out responsibilities and investigation procedures to be followed upon the detection of fraud. The document must include the following key elements:
i. An explicit definition of fraud and what actions, conduct or behavior constitutes fraud
ii. Designated personnel responsible for the overall management of fraud incidents, within and outside the company (including managing the media, regulatory bodies and law enforcement agencies)
iii. Formal procedures to be followed by employees in case of a fraud incident
iv. Encouragement to employees to report concerns about unethical behavior, actual or suspected fraud or violation of the company's code of business conduct and ethics policy
d) Effective functioning of an inter-departmental team to address fraud risk management: Many companies, in our experience, are struggling to determine who will be responsible for proactively identifying fraud risks on an ongoing basis and managing fraud investigations. The findings of the Deloitte India Fraud Survey, released in 2014, indicate that organizations believe anti-fraud to be the responsibility of one designated function alone, such as internal audit or compliance. In reality, this is unlikely given the scope of the activities managed as part of fraud risk management. An inter-departmental team of key representatives can address fraud risk management efforts on an ongoing basis, and periodically update the Board. On its part, the Board needs to ensure that the team does not face the following challenges that can impede its effectiveness:
- Lack of clearly defined roles and responsibilities for each team member
- Deficiency in knowledge sharing amongst team members
- Lack of regular training for team members on specific risks, such as those arising from new technologies or business models.
The Board and senior management cannot ignore fraud any more, given the personal liability they face under the Companies Act, 2013. To help understand fraud risk management and their organization's preparedness to tackle fraud, the Boards must endeavor to question and ascertain facts presented.
A structured approach to fraud risk management can be a starting point for the Board members wanting to be better involved in their organization's efforts, which also serves to set the organizational tone regarding governance practices and ethics.