You may have heard your auditor ask you in the past whether management is doing a fraud risk assessment on a regular basis. You may also have heard them ask how often the results of that assessment are being communicated to your board. In many of the governmental entities we’ve done fraud questionnaires with, it is evident that management is often too busy to remember to take a moment and have a formal discussion with staff regarding the weaker areas in their control structure, and where those areas could be taken advantage of in the case of fraud.
Fraud comes in all shapes and sizes. A few very basic broad categories of fraud are financial statement fraud, corruption and asset misappropriation. Management should take some time each year, or more often, to sit down together and with their staff to discuss areas that are susceptible to fraud in their financial statement reporting process, the management of their assets and possible corruption, say in procurement or accounts payable. This should be well documented and used as a guide to how the organization should proceed with addressing those risks. Documentation as to how management has decided to address those risks should also accompany that assessment. Maybe management wants to avoid them by adding additional controls. Maybe they want to transfer the risk by having insurances to cover any potential problems. Maybe they want to do a combination of actions to address the risk. In any case those risks, and the way management intends to address them should be assessed at least annually and documented. You may want to do this assessment every time a major change occurs in the organization, like a new hire, or a position change, or the addition of a new operation.
Lastly, and probably most importantly, this assessment should always be presented to your organizations board of directors or council. Whoever is charged with the governance of your organization needs to know what the efforts and actions of management is to address the risk of fraud at your organization, and have an opportunity to discuss those items with management. Far too often, this information is never communicated with those charged with governance. To help protect you and your organization, make sure this information is communicated from top to bottom, board to staff. This will help with not just your audits, but with some legal ramifications as well.
If you have additional questions concerning this topic, please feel free to contact us at Henry & Horne.
Brian Hemmerle, CPA, CFE