Management’s Responsibility for Enterprise Risk Management and Internal Control

While the idea of fraud can be daunting, Federal agencies must know their responsibilities to prevent/mitigate it.

By Keith Freundlich, Spencer Blackstone, and Alex Torres

The Association of Certified Fraud Examiners (ACFE) defines fraud as “any activity that relies on deception in order to achieve a gain. Fraud becomes a crime when it is a ‘knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment’ (Black’s Law Dictionary).” (1) If fraud runs rampant throughout a Federal agency, it can hurt employee morale and reduce the level of trust of the taxpaying public, thus potentially reducing funding in the next fiscal year (FY). While the idea of fraud can be daunting, Federal agencies must know their responsibilities to prevent/mitigate it.

The next question is: What are those responsibilities? Many auditors and agency leaders are unaware of compliance requirements related to fraud risk management that arise from legislation or regulations. For example, an agency might be unaware that Office of Management and Budget’s (OMB) Circular A-123 requires agencies to perform certain actions pertaining to fraud, such as creating fraud risk profiles (also referred to as “fraud risk assessments”).


Investing in the Correct Fraud Risk Approach

Below are the identified benefits of following the correct steps, methods, and processes to develop successful fraud risk profiles. These will ultimately help Federal agencies drastically reduce their risk of fraud permeating the workforce, thus improving both agency mission and overall confidence in the organization.

Helping an Agency Better Assess its Risks of Fraud

Federal agencies should begin by performing a fraud risk assessment. The agency increases its chances that the fraud risk will be properly categorized and assessed by giving stakeholders a multitude of factors on how to assess their fraud risks for likelihood and impact. Some examples of factors to consider within Inherent/Residual Risk Assessment sections above include: 1) the importance of financial reporting accuracy, 2) the volume of transactions, 3) the reputational impact, and 4) non-compliance with regulatory bodies.

The Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (Green Book) lays out principles for the risk assessment process, which include: “Define Objectives and Risk Tolerances, Identify, Analyze, and Respond to Risk, Assess Fraud Risk, and Analyze and Respond to Change.” (3) OMB Circular A-123 provides an outline of how a fraud risk assessment might look; however, the agency must determine the final layout that best suits its organization.


Implementing Tools to Better Identify Fraud Risks and Controls

Federal agencies should collect fraud risks from their entity stakeholders annually. This routine frequency increases the chances that the agency is aware of its potential fraud risks and knows how it is currently addressing them. Instituting a standardized process or tool that uses drop-down selections will reduce confusion and ensure uniformity of responses. Freeform responses are still used and remain useful for stakeholders to describe and explain their controls and how they are ensuring those controls are designed and operating effectively. However, standardized responses allow for easier categorization, so an entity can better analyze and leverage the data it receives to inform decisions on the use of resources to perform a suitability analysis of fraud controls.

The Importance of a Suitability Analysis

OMB Circular A-123 states that entities and managers should use GAO’s A Framework for Managing Fraud Risks in Federal Programs (published in July 2015) as a resource to “combat fraud and preserve integrity in government agencies and programs.” (5) As part of this analysis, it suggests that entities “examine the suitability of existing (fraud) controls.” (6) Suitability, while not expressly defined within GAO’s analysis, provides entities with a way of determining the “extent to which existing (fraud) control activities mitigate the likelihood and impact of inherent risks and whether the remaining risks exceed managers’ tolerance.” (7) An entity should review the suitability of its fraud controls because this can help key stakeholders “identify areas where existing control activities are not suitably designed or implemented to reduce risks to a tolerable level. Based on this analysis and defined risk tolerance, managers then rank residual fraud risks in order of priority, and determine their responses, if any, to mitigate the likelihood and impact of residual risks that exceed their risk tolerance.” (8)

Representing the Health of an Agency’s Fraud Risk Assessment Program

Progress reports can be useful tools for informing the reader of the health of the fraud risk assessment program. Entity stakeholders and management can use them to decide where to apply resources and where to remove resources from areas that no longer need them. In today’s budget-conscious environment, a progress report can be crucial to the success of the fraud risk assessment program. Most importantly, having a progress report ensures accountability for the program. A successful program and entity are more likely when all stakeholders and management are aware that their fraud risk management responsibilities will be reviewed.

The Need for Trained Stakeholders to Proactively Perform Fraud Risk Assessments

Management at each Federal agency is supported by its specialized staff and stakeholders. These specialized staff members and stakeholders identify fraud risks; collect and analyze data; and use the results of monitoring, evaluation, and investigations to improve fraud prevention, detection, and response. In doing so, they strengthen the agency’s ability to reduce the risk that fraud undermines programmatic missions, disrupts services, and forces management to expend valuable time and resources to resolve and recover assets lost due to fraud.

Increasing awareness of these types of fraud risks, their likelihood, and their impact will help staff learn how to assess those fraud risks in a formal fraud risk assessment. For instance, staff should be informed about how “reputational risks of fraud can damage the perception of an entity, impact employee morale, and create distrust by the public, further hindering their efforts to provide services to the public.” (9) By training staff annually (at a minimum, or as often as the Federal agency feels necessary) on how to assess their fraud risks, the entity will be better prepared to: 1) identify what could cause fraud to occur, 2) determine how likely it is for fraud to occur, 3) measure any potential impact on the entity, and 4) determine how to act on and treat the potential for fraud.

Investing in a robust fraud risk assessment program is pivotal to the success of a Federal agency. Kearney & Company, P.C. (Kearney) can assist Federal agencies in meeting this requirement, regardless of whether they are just beginning their fraud risk assessment program or already have a fraud risk assessment in place. Our approach, outlined above, can be modified to suit a Federal agency, and it is the best setup to ensure a Federal agency meets the requirements outlined in OMB Circular A-123. Kearney’s approach can improve the assessment of the likelihood and impact of fraud and reduce that risk by reviewing the suitability of the controls currently in place.

This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind. Readers should first consult with a professional before acting with regard to the subjects mentioned herein.