Fraud affects everyone in the company. It undermines trust and exposes weaknesses in the business. Can you fight fraud with the GRC Assessment Tools? Yes — let me show you how.
Assess How You Address Risk
Risk is inherent in business. We need to identify, address, and mitigate risk on a continuous basis. Like the carpenter’s adage, “measure twice, cut once,” risk management should be part of an ongoing organizational commitment.
We scan the horizon for the next hacker, cracker, rootkit, or script kiddie (look it up). We know there’s exponential growth of risk on a global scale.
But we’ve turned our attention away from the tools we use to assess the design, effectiveness, processes, and resources for addressing risk. Like a piece of duct tape that’s been holding on too long, how we’re assessing GRC may not be doing the job anymore. Most of us need to update our GRC toolkit.
Let’s consider the risk associated with fraud. Below are examples of how different team members can use the OCEG GRC Assessment Tools (aka the Burgundy Book) in the design, assessment, and execution of a fraud prevention program.
The Risk Team
The risk team, made up of finance, audit, and IT, is typically responsible for identifying material accounts and systems where fraud could occur. They identify risk metrics and procedures to mitigate the potential for fraud to occur. The Burgundy Book helps them to:
- Determine if the business has well-designed and effectively functioning processes to identify what constitutes fraudulent activities
- Ensure alignment to current versions of applicable laws, rules, and regulations
- Implement comprehensive controls and remediation activities to address fraud once discovered
Be Informed. As an OCEG Basic Member (it’s free to join) you can download the GRC Capability Model and an excerpt of the GRC Assessment Tools.
Be Empowered. Get access to the GRC Assessment Tools and all of the OCEG GRC standards. Sign up for an All Access Pass.
Become An Expert. Your All Access Pass Membership INCLUDES the opportunity to obtain GRC Professional (GRCP) and GRC Audit (GRCA) Certification (no additional charges or fees for exam prep or online testing).
Appendix 4 of the Burgundy Book offers suggested criteria for several levels of policy and procedures. It provides guidance for:
- Risk Requirements
- Opportunities Identification & Assessment Methodology
- Investigative Management Plan
- Prioritized Risk Matrix
The Compliance Team
Whether the compliance team is internal or external, it is often tasked with oversight and testing of fraud procedures and policies. It will have to provide assurance that fraud controls are working across the organization and within legal boundaries. Often those legal boundaries are inconsistent within and across jurisdictions.
The compliance team may actually expose the firm to greater brand, reputational, and compliance risk by running afoul of anonymity, reporting-recipient, and data-transfer requirements.
The compliance team can prevent these risks. Using the Burgundy Book they can define two key documents:
- Strategic Plan (which covers the governance and accountability structure for identifying and monitoring changes in legal boundaries)
- GRC Design and Performance Assessment Methodology
The compliance team is also responsible for validating fraud-related policies and protocols such as:
- Background Check Methodology
- Policy & Related Procedure Matrix
- Code of Conduct
The Burgundy Book helps create straightforward templates and criteria for these artifacts.
The Operations Team
Operations in this context includes the employees and leadership. They create the culture needed to build a strong GRC program.
Operations must accept and understand the risks associated with fraud, and they need to support adherence to corporate risk policy and compliance standards.
Key indicators for assessing the GRC program for operations include their involvement in:
- Creating the Ethical Decisions Guidelines
- Acknowledgment and acceptance of the Code of Conduct
- Ensuring a detailed Awareness and Education Plan
The Burgundy Book assessment criteria define each of these policies and plans.
More Than An Audit Manual
Though labeled “assessment tools,” the Burgundy Book isn’t just an audit manual. The example above illustrates how to use the Burgundy Book to design, assess, and execute a fraud prevention program. But this is just one of many examples.
This article focused on tools found in the appendices of the Burgundy Book. But there’s much more to it. The first half of the Burgundy Book gives you a checklist for how to conduct an assessment of GRC capabilities. It outlines what to do and articulates expectations for a GRC assessment.
Find out more about the tools available in the new Burgundy Book. Add them to your GRC toolkit today.
This guest post was written by Emily Suppe’. Emily is a Risk and Compliance Engagement Leader in Tata’s Global Consulting Group. She’s a Certified Internal Auditor, SOX Auditor, and former CFO. For the past twelve years, Emily has done GRC consulting and sales, working with large ERP and custom software solutions.