1. Identifying key risks
The first step in conducting a fraud risk assessment is to identify the key risks that the organisation faces. This involves understanding the organisation’s operations, financial transactions, and internal controls. It is important when identifying key risks that organisations refer to historical information (such as previous fraud issues or complaints that have been raised and investigated) as well as emerging trends and patterns in the market.
For example, during the Covid-19 pandemic, a fraud risk assessment identified that the various support schemes in place were susceptible to fraud because of the speed at which payments needed to be issued and the limited time available to design effective controls. Although the new offence focuses on a failure to prevent fraud from which the organisation benefits, this example highlights the importance of identifying risks early in order to mitigate future instances of potential fraud.
Public sector organisations need to ensure that they are updating and undertaking fraud risk assessments with the new failure to prevent fraud offence in mind. This means identifying the risks that the organisation faces whereby someone associated with the organisation may commit fraud which will ultimately result in the organisation benefitting from the fraud.
Practical example 1
In a public health organisation, key risks could include fraudulent claims, misuse of funds, or data breaches. If reasonable procedures are not in place and these risks are not adequately managed, the organisation could potentially be held liable under the failure to prevent fraud offence if fraud occurs which ends up benefitting the public health organisation.
2. Assessing the likelihood and severity of each risk
Once key risks have been identified, the next step is to assess the likelihood and severity of each risk. This involves evaluating the potential impact of each risk on the organisation and the probability of its occurrence. It is often most useful to plot the identified fraud risks on a risk matrix, so that mitigating action can be prioritised effectively for each one.
We have included an indicative example risk matrix to demonstrate how a typical risk matrix may look. Please note that the metrics and definitions for assessing the severity and likelihood of the various identified risks should be determined internally at the organisation in advance of plotting the risks on the matrix.
This risk matrix should be refreshed periodically to ensure that the risks are being treated appropriately and that the likelihood of occurrence or the level of severity has not been misjudged. For example, with phishing and similar fraud attacks, the risk to an organisation may be growing at present with the widespread adoption of AI tools: fraudsters are using voice cloning tools to impersonate public figures or senior members of staff and pressure finance staff into processing inappropriate payments.
Practical example 2
In a social services agency, a risk of fraudulent benefit claims might be high in likelihood but less severe in terms of outcome, while the risk of a data breach might be low in likelihood but high in severity. If reasonable procedures are not in place to mitigate the risks, staff at the agency could fraudulently manipulate claimant details so that the organisation accesses a higher level of funding than it is entitled to, possibly falling foul of the offence.
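The following Python script, added here as an illustration and not code from Forvis Mazars or the original article, shows the scoring and plotting behind a likelihood/severity risk matrix. The 1-5 scales, the band thresholds and the flag for whether the organisation would benefit from the fraud are assumptions for the example; as the article notes, an organisation should define its own metrics before plotting. The sample register is constructed from the two practical examples above, with a voice-cloning payment fraud added to show how a periodic refresh moves a risk up the matrix.

```python
"""Added example: score fraud risks, plot them on a likelihood/severity matrix
and order them for mitigation. Scales, thresholds and sample risks are
illustrative assumptions, not any organisation's own definitions."""
from dataclasses import dataclass, replace

# Assumed 1-5 scales; a real organisation agrees these before plotting.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
SEVERITY = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int               # 1-5 on the LIKELIHOOD scale
    severity: int                 # 1-5 on the SEVERITY scale
    organisation_benefits: bool   # would the organisation gain? (offence scope)

    def score(self) -> int:
        """Multiplicative score; identifies the matrix cell the risk lands in."""
        return self.likelihood * self.severity


def is_valid(risk: Risk) -> bool:
    """Reject ratings outside the agreed scales instead of silently plotting them."""
    return risk.likelihood in LIKELIHOOD and risk.severity in SEVERITY


def band(score: int) -> str:
    """Assumed internal thresholds for how a score is treated."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritise(risks):
    """Order for mitigation: highest score first, then severity, then name (stable)."""
    bad = [r.name for r in risks if not is_valid(r)]
    if bad:
        raise ValueError(f"ratings outside the agreed scales: {bad}")
    return sorted(risks, key=lambda r: (-r.score(), -r.severity, r.name))


def place(risks):
    """Map each matrix cell (likelihood, severity) to the risks plotted there."""
    grid = {(l, s): [] for l in LIKELIHOOD for s in SEVERITY}
    for r in prioritise(risks):
        grid[(r.likelihood, r.severity)].append(r.name)
    return grid


def render_matrix(risks) -> str:
    """Text matrix: severity rows (most severe on top), likelihood columns;
    each cell shows the number of risks plotted there and the cell's band."""
    grid = place(risks)
    lines = ["severity \\ likelihood  " + "  ".join(f"{l:^7}" for l in LIKELIHOOD)]
    for s in sorted(SEVERITY, reverse=True):
        cells = [f"{len(grid[(l, s)])} {band(l * s)[:4]:<4}" for l in LIKELIHOOD]
        lines.append(f"{s} {SEVERITY[s]:<19} " + "  ".join(cells))
    return "\n".join(lines)


def refresh(risk: Risk, likelihood=None, severity=None) -> Risk:
    """Periodic re-rating, e.g. phishing likelihood rising as voice cloning spreads."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        severity=risk.severity if severity is None else severity,
    )


# Constructed sample register drawn from the practical examples in the article.
SAMPLE_RISKS = [
    Risk("Fraudulent benefit claims", 4, 2, organisation_benefits=False),
    Risk("Data breach", 2, 5, organisation_benefits=False),
    Risk("Staff manipulate claimant details to draw extra funding", 2, 4, organisation_benefits=True),
    Risk("Voice-cloned instruction to finance to release payment", 3, 4, organisation_benefits=False),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS))
    for r in prioritise(SAMPLE_RISKS):
        scope = "in offence scope" if r.organisation_benefits else "outside offence scope"
        print(f"{r.score():>2} {band(r.score()):<8} {r.name} ({scope})")
    phishing = refresh(SAMPLE_RISKS[3], likelihood=4)
    print("after refresh:", phishing.score(), band(phishing.score()))
```

The `organisation_benefits` flag is kept separate from the score on purpose: a high-scoring risk where the organisation is the victim still needs controls, but only the risks where the organisation would gain from the fraud fall within the failure to prevent fraud offence, so both views should be visible when the matrix is reviewed.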
3. Engaging people in all areas of your organisation
The success of a fraud risk assessment depends on the active participation of people from all areas of your organisation. This ensures that all risks are identified, and that the assessment reflects the realities of your organisation’s operations.
To engage people in the process, organisations can:
- Communicate the importance of the assessment: Explain why the Fraud Risk Assessment is being conducted and how it will benefit the organisation.
- Involve staff in the identification of risks: Encourage staff to share their insights and experiences, as they may be aware of risks that are not immediately apparent to management.
- Provide training: Equip staff with the knowledge and skills they need to identify and assess risks. It is worth considering engaging third-party experts for this, who have deep sector expertise and can steer participants towards the best training options for their organisation.
Inviting comment on organisational risk matrices from staff at all levels can deliver further assurance to organisation leaders that risks have been assessed and plotted correctly.
By following these steps, public and social sector entities can conduct a thorough fraud risk assessment, helping them to prevent fraud, protect their resources, and not fall foul of the new offence.
4. Take action to mitigate risks
Taking action to mitigate risks is one of the most important aspects of the fraud risk assessment: putting the learnings of the assessment into practice and putting in place controls and systems to protect the organisation from the risks identified. This forms part of an organisation's reasonable procedures to prevent fraud, protecting it from liability under the new failure to prevent fraud offence.
This can include the following:
1. Implement Prevention Measures:
- Prevention is the most effective way to address fraud and corruption. This involves creating systems and procedures that make it difficult for fraud to occur. This can effectively minimise the opportunity to commit fraud, one of the three elements of the fraud triangle.
- Consider carefully whether to introduce additional controls, reviews and sign-offs, to ensure effective segregation of duties and robust approval of actions and fund movements. This must be done collaboratively with staff in the relevant departments, so as not to create arduous, unwieldy processes that reduce the efficiency of service delivery.
2. Conduct Fraud Control Testing:
- This involves testing the existing controls to identify their effectiveness and limitations, and understanding the organisation's exposure to fraud risk.
- This should be done periodically and may be best done on an unannounced basis, so that the controls are tested as they operate in practice, rather than giving staff the chance to review, tidy up or backdate records beforehand.
3. Establish a Risk, Threat and Prevention Service:
- This involves setting up a dedicated service within the organisation to manage and mitigate risks and threats related to fraud.
- This can be through leveraging existing resources and expertise, designating roles and counter fraud monitoring responsibilities, and training staff as required.
4. Follow Professional Standards and Guidance:
- Adhere to the professional standards and guidelines set for conducting fraud risk assessments. This ensures the assessment process is robust and reliable.
- Organisations should work with reference to the Government Functional Standard GovS 013: Counter Fraud.
5. Continuous monitoring and review
Fraud risk assessments should be treated as an ongoing process rather than a one-off activity. The anticipated guidance from the Government on the new failure to prevent fraud offence is likely to be principles-based, emphasising the need for reasonable procedures to be embedded in fraud risk management processes rather than being one-off tick-box exercises.
Best practice is to ensure that the steps outlined above are performed in a continuous cycle on a regular basis to ensure organisations stay on top of their fraud risks, and then have adequate prevention measures in place to counter emerging risks. The importance of carrying out this process on a regular basis is due to the fluid and dynamic nature of fraud. New risks can appear, the impact or the severity of the risk may change, or new processes or programmes may be implemented that have not been assessed previously.
It is important to ensure that governance structures are put in place to assist with the continuous monitoring of the risks identified from a fraud risk assessment. Ensuring that this responsibility is delegated to a relevant committee or board (such as the Audit & Risk Committee) will make sure that any decisions or actions that are taken in relation to the risks are documented and followed up.
6. Engaging experts if required
Fraud risk assessments are intricate processes that involve evaluating vulnerabilities, identifying potential threats, and assessing the likelihood of fraudulent activity within an organisation. They require a deep understanding of financial accounting and reporting systems, internal controls, and risk management. They can be complex in nature and are often susceptible to biased evaluation when undertaken internally, with staff members possibly under-assessing risk in areas for which they have control or responsibility. Organisations may find it beneficial to engage third-party subject matter experts to collaborate on, review, or undertake the completion of a fraud risk assessment.
How we can help
At Forvis Mazars, we have a team of experts who have specialist knowledge and extensive experience of conducting these engagements for clients who may not have the requisite in-house skillset, or available staff resource. Please do get in touch if you wish to discuss any information included within this article, or in relation to the failure to prevent fraud offence, in more detail.