24 Jul
Risk Assessments Help Find Vulnerabilities — Before They Are Exploited
Privately owned businesses are under no legal obligation to conduct risk assessments. Nevertheless, it is in your company’s best interest to have a fraud expert scrutinize your organization for vulnerabilities — before dishonest employees exploit them.
Looking for opportunities
A fraud expert will look at your business’ internal controls in the same way a fraud perpetrator would — they will try to find fraud opportunities where there is relatively little risk of exposure. One of the primary ways to find weaknesses is by interviewing key executives and managers. They can provide a first glimpse of potential risk areas. In addition, these conversations help an expert determine whether company leaders are setting the ethical ‘tone at the top’ that is essential to fraud prevention.
An expert will also identify the number and names of employees who handle or review accounting functions, such as reconciling bank statements and making bank deposits, and ask how much vacation time accounting employees are required to take. The fewer employees involved in financial functions, and the less time off they take, the greater your company’s risk for fraud.
Most major functions of your business — from purchasing to shipping, information technology (IT) to human resources — will be reviewed for risk. A fraud expert also is likely to ask about your:
- Key performance indicators. When management sets aggressive performance goals, employees may feel they need to do anything, including cheating, to meet them.
- Fraud-risk management budget. Compliance training, internal controls monitoring, and ongoing risk reviews take time and money and should be included in your annual budget.
Acting on results
When you receive the results of your assessment, concentrate on the greatest risks specific to your business. For example, a manufacturer that regularly purchases parts inventory may have more risk of procurement fraud.
Next, consider less-critical areas. Typically, you should have one key control for each risk. So, if payment authorization is a vulnerability, you could require multiple approvals for expenditures over a certain amount.
Be sure to assess all the risks associated with processes, too. For example, you have probably surrounded your IT system with protections from outside invaders, but are you guarding against intrusion from inside the fence? Finally, businesses that do not have a fraud hotline are usually encouraged to establish one.
Regardless of what your fraud risk assessment reveals, you need a strong anti-fraud policy. We can help assess your business and create internal controls that address your business’ unique risks.