Enhancing Organisational Integrity through a Fraud Risk Maturity Assessment (FRMA)
Enhancing Organisational Integrity through a Fraud Risk Maturity Assessment (FRMA)
In an era where both financial and non-financial misconduct can significantly impact an organisation’s operations, bottom line and reputation, conducting a Fraud Risk Maturity Assessment (FRMA) becomes crucial. The Association of Certified Fraud Examiners (ACFE) provides a structured approach to evaluating and strengthening an organisation’s fraud risk management framework.
The ACFE estimates that organisations lose approximately 5% of their revenue to fraud each year. Alarmingly, nearly half of these losses could be avoided if proper internal controls were in place or existing ones were not bypassed. The impact of fraud extends beyond businesses to their customers as well. In 2023, the Federal Trade Commission revealed that consumers in the US lost $10 billion to fraudsters.
Understanding FRMA
An FRMA is an in-depth review that gauges an organisation’s readiness and capability to prevent, detect, and respond to fraudulent activities. This assessment goes beyond surface-level checks, delving into the effectiveness of existing controls and the overall maturity of fraud risk management practices.
Core components
According to ACFE, a robust FRMA examines the following five key areas:
1. Fraud Risk Governance:
Fraud Risk Governance provides a framework that helps organisations identify, assess, and manage the risk of fraud through a structured approach. It includes setting a strong tone at the top, establishing a fraud risk policy, enabling regular risk assessments and effective internal control system and reporting channels for fraud. Key elements involve also monitoring of fraud, maintaining response plans for incidents, and ensuring continuous improvement of processes. Strong leadership commitment to ethical behaviour and zero tolerance for fraud is essential to fostering a culture of transparency and prevention.
2. Fraud Risk Assessment:
Fraud Risk Assessment is a regular process that helps organisations identify and evaluate the potential risks of fraud within their operations. It involves analysing areas susceptible to fraud, assessing the likelihood and impact of various fraud schemes, and prioritising risks accordingly. Key components include identifying vulnerabilities, evaluating existing controls, and considering factors such as financial pressures or opportunities for misconduct. Regular assessments help organisations proactively address risks, strengthen internal controls, and adapt to emerging threats, ensuring a robust fraud prevention strategy.
3. Fraud Control Activities:
Fraud Control Activities are measures implemented to prevent, detect, and respond to fraud within an organisation. They include internal controls such as segregation of duties, approval processes, reconciliations, and monitoring mechanisms to reduce opportunities for fraud. Key activities involve employee training in fraud awareness, conducting regular audits, and using data analytics to detect anomalies. By establishing robust controls and continuously monitoring their effectiveness, organisations can minimise fraud risks, detect suspicious activities early, and take prompt action to address potential issues.
4. Fraud Investigation and Corrective Action:
Fraud Investigation and Corrective Action involves responding to suspected fraud by conducting thorough investigations and implementing measures to address the issue. This process includes gathering evidence, interviewing involved parties, and determining the scope and impact of the fraud. Once the investigation is complete, corrective actions may involve disciplinary measures, process improvements, and legal proceedings if necessary. The goal is to resolve the incident, recover losses, and strengthen controls to prevent future occurrences. Effective handling of investigations and corrective actions helps maintain organisational integrity and reinforces a culture of accountability.
5. Monitoring and Reporting:
Monitoring and Reporting encompasses a strategic review process that evaluates the robustness, adaptability, and effectiveness of an organisation's overall fraud risk management programme. Key elements include monitoring fraud-related metrics, benchmarking against evolving best practices, and conducting in-depth reviews of the programme’s capacity to prevent, detect, and respond to risks in dynamic environments. Reporting provides actionable insights of the programme’s efficacy and its readiness to address emerging fraud risks, enabling timely adjustments, resource optimisation, and sustained development of a resilient fraud management culture.
Assessment process
An organisation can evaluate maturity of its fraud risk management system internally or engage an external expert to obtain an independent view benchmarking with similar organizations in the industry. The auditor evaluates the organization's fraud risk practices across the five key areas and determines its position on the following maturity scale:
- Ad Hoc: Reactive, undocumented processes
- Initial: Basic awareness with some repeatability
- Repeatable: Defined and standardized processes
- Managed: Integrated, measurable, and aligned processes
- Leadership: Continuous improvement and innovation
In order to assign the position on the maturity scale, auditors and risk management teams can apply the Fraud Risk Management Scorecards provided by the ACFE. BDO utilises a database based on the ACFE’s scorecards and assessment methodology, but adapted to offer more flexibility and to cater to the individual circumstances (industry, size, geographic location etc.) of our clients.
Obtaining information
As an initial step, the auditor obtains an understanding of the target entity's organization and prepares an information and data request to form the basis for the evaluation. Once the auditor has received and reviewed the requested data and documents, the acquired information should be complemented and corroborated through interviews of the organisation's key individuals with respect to fraud risk management.
Deploying the scorecard
Satisfied with the level of information, as a second step, the auditor assigns scores to each area within the FRMA. The scoring is typically based on hundreds of individual questions, identifying gaps between current practices and desired maturity levels. The scorecard helps quantify and build an overall picture of the organization's fraud risk management maturity and highlights areas where improvements are needed.
Action plan
Based on the scorecard results, the auditor summarises the results in a narrative and recommends specific actions to close gaps and move the organization up the maturity scale. This could involve e.g. formalizing processes, strengthening controls or improving fraud risk management monitoring methods.
Continuous monitoring
Once the action plan has been agreed upon, the organization implements changes, tracks progress, and periodically reassesses its practices to ensure continuous improvement. As the organization matures, it moves towards a more proactive and integrated fraud risk management, gradually aligning with best practices, and as a result reducing its overall risk exposure.
Incorporating a Fraud Risk Maturity Assessment into regular business practices is more than a compliance exercise; it is a strategic initiative that reinforces an organization’s commitment to integrity. By leveraging insights from ACFE, organizations can build a resilient fraud risk management system that safeguards their assets and reputation, fostering a culture of trust and accountability.
Sources
ANTI-FRAUD PLAYBOOK THE BEST DEFENSE IS A GOOD OFFENSE - In collaboration with ACFE and Grant Thornton (2020)