During this episode of my latest “Fraudcast” series, I spoke alongside my good friend Stephen King—who I assume you’re well acquainted with by now—about understanding vulnerability to fraud.
The segment centered on risk assessment, the “R” in the five-layer CRIME framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Building on their founding ideas, Steve and I used The CEO’s Guide to Reducing Fraud, Steve’s publication, as a helping hand to lead you through the defense process. As usual, we did our best to make considerably frightening subjects more approachable.
Many people don’t realize that combatting corporate fraud is a joint initiative. As Steve argued, it doesn’t matter what size organization you’ve got when we’re all employing similar protective systems within the realm of business.
In 1985, corporations and larger companies needed extra security due to a high risk of fraud. But in 2019, concepts such as business ethics, internal control, and financial reporting aren’t just relevant for the big guys. If there is a form of currency involved, there is risk. Thus, risk exists at every single business level. It’s a timeless dilemma.
With the evolution of technology, it’s become easier for small businesses and nonprofits to have significant control. Steve praised the assistance of the CRIME assessment, mentioned in chapter four of The CEO’s Guide. The COSO framework details protective measures against fraud. Separating duties and safeguarding account information are among the control systems we went over in the first episode of the series.
These resources can dramatically lessen your chances of getting ripped off. Enacting changes in security is often surprisingly simple and valuable long-term. Reminder: fraudsters cause an average of $200,000 in losses and can take up to 18 months to catch.
An example of a risky situation within a business is when each employee uses the same password for company access. In that case, there is no clear administrator and no definitive way to tell who has been logging in.
Avoid this kind of shared access so that everybody can be held accountable, which deters fraudulent behavior. Another strong move is writing down policies and procedures. Document the step-by-step setup you have in place so that your system continues to function the way you designed it. Tools like Rev and Temi allow you to save voice records, minimizing effort in the future.
Not implementing any control activities is an open invitation for fraud. To do an effective risk assessment, consider the following questions for your clients:
- What are your goals?
- How do you prioritize those goals?
- What are the risks in your business?
A million-dollar organization has a lower risk tolerance than a 20-million-dollar organization. The former is likely to notice thousands of dollars missing, whereas stolen money can disappear discreetly from the latter.
Have clients look at their own business, internally and externally, to determine the odds of falling victim to fraud. Then ask:
- How much exposure do they have?
- Where is the risk going to come from?
- What is unique in their industry?
According to Steve, with every 10 million dollars, the game changes. In my experience performing risk assessments, people feel reluctant to invest time and money into thoroughly protecting their companies.
Trust me when I say that one bad situation has the power to put you out. And I believe controls can only function successfully if those in charge address potential risk areas. Admitting a problem is the first stepping stone on the path to recovery, right?
Scammers always seek opportunity, so don’t get too comfortable. Hard work is unraveled daily. Why should it be yours?