Fraud Happens

Posted by: Carrie Minnich

All organizations are subject to fraud risks. To help protect itself from fraud, an organization should understand the specific risks that apply to that organization. A fraud risk assessment should be performed by the organization and updated periodically. The risk assessment process identifies risks and the organization's response to the risks. While preventive measures such as this do not prevent fraud from occurring, they do reduce the possibility of fraud within the organization.

What is risk? Risk is anything that prevents the organization from accomplishing its mission and can be found in every area of an organization - income, expenses, fixed assets, personnel, etc. A risk assessment includes looking at the incentives, pressures and opportunities to commit fraud within the organization. The assessment should also consider areas where controls are weak or there is a lack of segregation of duties, and the possibility of override of controls by management.

Who's responsible? The board of directors, management, and staff are all responsible for managing risk. The board of directors is responsible for making sure management designs effective risk policies. They need to understand the organization's risks and set the appropriate tone at the top for ethical behavior. Management is responsible for designing and implementing controls to address the identified risks of the organization. Staff are responsible for reading and understanding policies and to have a basic understanding of fraud in order to report instances.

The Plan. Most organizations have already started addressing risks within the organization by performing background checks on new employees and implementing codes of conduct and whistle-blower policies. A risk assessment should be a part of the organization's plan to deter fraud. An effective plan evaluates the organization's risks, develops a strategy for dealing with the risks, and provides for continual monitoring of the plan. Some questions to ask to get started are:

• What areas are susceptible to fraud?
• What areas are susceptible to other types of risks (natural disasters, loss of funding, loss of volunteers, etc.)?
• Is the organization willing to accept any of these risks?
• What controls are in place to deter fraud from occurring?
• If an instance of fraud is alleged, how will it be addressed?
• What punishment will be issued to the wrongdoer?

No system can provide absolute assurance against fraud but a risk assessment can reduce the likelihood of fraud occurring by reducing the opportunity for it. In spite of everything, fraud happens.