There are three conditions (in line with the ACFE Fraud Triangle) that are present where fraud exists: incentives, opportunities, and rationalizations. These break down as:
- Incentive - The perpetrator is under pressure or receives a benefit from the action (ex: defaulting on a mortgage)
- Opportunity - The capability to execute the fraud exists (ex: low likelihood of detection, no controls, no monitoring)
- Rationalization - The fraudulent action is seen as acceptable (for example: "everybody" cheats on expense reports)
Taken together, these conditions increase the likelihood of a fraud occurring, and the size of the impact rises as more of them combine. Of course, not all need to exist for a fraud to occur, but portions of these conditions must be present for a fraud to be impactful. SAS 99 highlights that professionals must maintain "professional skepticism" and should never accept less-than-persuasive evidence provided by respondents.
General recommendations highlighted in SAS 99 (certainly not a complete accounting) include:
- The team should brainstorm to determine possible areas of fraud
- Open queries should be conducted to determine whether fraud has been reported (to hotlines, managers, HR, or the Audit Committee)
- Using a risk-based approach, the audit team should concentrate on areas where the capability for fraud is highest
- Good assessments include clear methods of identifying and measuring fraud vulnerabilities
- Establish an open, collaborative, and cross-organizational forum for identifying fraud risks
There are numerous areas of an organization at risk of fraud, but as with any risk the organization faces, it is important to account for the conditions that contribute to the likelihood and impact of a fraud. Organizations must merge these fraud considerations with the information governance program across the enterprise. Check out SAS 99 for a great start for an organization, and consider a CFE-accredited professional or a designated team within your enterprise.
Additional resources:
NSW Audit Self Assessment Checklist (1998; old but still relevant)
NSW Better Practices for Fraud Control Improvements
Best,
James DeLuccia IV

2 responses so far
1 How does Fraud and PCI go together? « Payment Card Security & IT Controls Explained // Dec 17, 2007 at 6:21 am
[...] data and expand on what core controls of PCI are beneficial for preventing Fraud. There is also a richer breakdown on SAS 99 at IT Compliance and Controls for those [...]
2 Majority of VISA Merchants are Compliant as of Jan. 22, 2008 « Payment Card Security & IT Controls Explained // Jan 23, 2008 at 9:13 am
[...] In addition, I found a study released showing that those organizations that are PCI Compliant have a lower instance of fraud, as a result. This is in line with my earlier article here and here at IT Compliance and Controls. [...]