As I discussed previously, compliance is a major concern for upper management. Fraud and compliance risk assessments address that concern by providing an analysis of potential risks. In fact, the real purpose of this process is to serve as the starting point for building better risk management practices across the organization. Since these assessments can be integrated with existing audit risk mapping, they rarely require additional resources or training for Internal Audit staff. The main challenges a risk assessment must address are 1) mitigating the risk of overlooking fraud and compliance issues during the audit-planning stages, and 2) highlighting critical areas where internal controls need to be strengthened.
The logical steps to simplify the assessment and to organize business processes are to:
1) designate a Risk Assessment Leader (RAL) as a process facilitator and involve personnel from various levels of the organization, including management, Legal, Internal Audit, business process owners, IT management, and the Audit Committee (the Assessment Team);
2) identify the universe of potential risks;
3) tailor identified schemes to specific businesses;
4) determine if potential fraud and compliance risks are remote, more than remote, or probable;
5) determine if controls are in place to sufficiently mitigate identified risks;
6) determine the materiality of individual risks, or the location and impact of key fraud risks, where
   Materiality = Impact * Occurrence;
7) map fraud and compliance risks to existing internal controls (linkage to existing 404 work); and
8) prioritize follow-up activities according to categories of responses.
Since fraud and compliance management responsibilities are typically divided among various functions, organizations should assemble a multidisciplinary team coordinated by a RAL to establish a framework for assessing the different kinds of fraud risks that may adversely affect operations. The Assessment Team should meet regularly (quarterly) to discuss the risk assessment implementation, from establishing the original framework through identifying, assessing, and remediating fraud risks.
In order to comply with current, more sophisticated external audit requirements and with recent SEC and PCAOB legislation regarding fraud prevention, audit departments should swiftly adopt these risk mappings.