Fighting fraud with business continuity planning
If the pandemic has taught business anything, it’s that unexpected disaster can take many forms and strike at any time.
It can be challenging for businesses to focus on the future when trying to immediately cope with revenue interruption, changed consumer behavior, supply chain disruption, and workforce upheaval. Preparing to defend against fraud may be even more challenging in times of crisis; oftentimes fraud seems a distant threat that takes a back seat to more immediate problems during a disaster.
However, fraud is a real risk for businesses during times of disaster. The COVID-19 pandemic has been a boon for fraudsters. Global accountancy firm BDO’s 2020 Fraud Track Survey of 500 midsize U.K. firms found that 39% had experienced an increase in fraud within the last year. PwC’s Global Economic Crime and Fraud Survey 2020 found that 47% of the businesses surveyed had experienced fraud within the last 24 months, with estimated losses topping $42 billion.
There are tools that practitioners can offer clients to help fight back. Business continuity planning is a key way for organizations to prepare for future disruptions, and it is important that practitioners approach planning with a fraud mitigation strategy top of mind.
Done well, business continuity planning can help businesses identify and mitigate increased fraud risks in times of crisis. For practitioners, including fraud risk mitigation in business continuity planning can be a significant value add for clients and present new business opportunities.
“If businesses aren’t prepared to have fraud risk mitigation woven into their business fabric, and especially their business continuity planning, they can find themselves in a real tough spot,” said Bryan C. Moser, CPA/ABV/CFF, a partner with Grant Thornton LLP’s Forensic Advisory Services. “Businesses need to prepare effectively for the things that can happen and think proactively about how to address them.”
Moser, author of the Winter 2021 Eye on Fraud, “Mitigating Fraud Risk Through Business Continuity Planning,” published by the AICPA Forensic and Litigation Services (FLS) Fraud Task Force, offers the following advice for practitioners when applying fraud mitigation strategies to their business continuity planning efforts.
Know the business
The first step in helping organizations prepare for fraud risk and business interruption is to fully understand the nature of their business, according to Richard Balog, CPA/CFF, managing partner at Balog + Tamburri, a firm based in Jacksonville, Fla., with four offices in Florida and Georgia. Practitioners should understand the organization’s customer base, the product cost, and expected revenues if they are to calculate potential fraud risks and the potential financial impact. Spend time talking to key stakeholders and company officials to get a clear handle on the most essential business activities.
“The CPA has to understand the business,” Balog said. “If you can effectively predict the economic impact to an organization of a noneconomic event, you are going to be that much better at anticipating change, and that gives you a competitive edge.”
Understanding the key elements of a business also helps practitioners avoid suggesting fraud mitigation steps that might interfere with business activities, according to Moser. For example, if a client is dependent on key vendors, rigorous but slower vendor onboarding procedures may limit access to critical supplies during a crisis.
“That really means that you can’t grind the business to a halt with whatever fraud risk mitigation steps you’re suggesting,” Moser said.
Know the risks
Once you understand the key elements of a business, the next step is to conduct or leverage an existing fraud risk assessment so that you have a precise understanding, prior to creating the business continuity plan, of the current fraud risks for the business. That gives you a solid baseline to start your planning process.
It is critical at this stage to involve stakeholders from across the business to understand how fraud risks may change or grow in the event of a disruption. Accountants can “add considerable value by facilitating a dialogue among stakeholders, helping to identify fraud risks,” Moser wrote.
When assessing fraud risks, it’s important to ask about risks that have resulted in past financial losses, what fraud risks others within the industry have experienced, and if the company has already identified fraud risks. Engaging with clients about fraud helps raise their awareness of fraud risk and the value of mitigation strategies.
“Once you get multiple people thinking and brainstorming, then businesses will start to realize that perhaps they have more vulnerabilities than they realize,” Moser said.
Identify the most vulnerable parts of a business
Every business is different, and each has different fraud vulnerabilities. It is important to look at a business’s processes and its dependencies, along with industrywide vulnerabilities, when building a business continuity plan.
“We can anticipate the kind of frauds we’re going to see based on the industry the client is in,” Balog said. “We build fraud into our assumption sets based on the industry.”
Moser recommends advising clients to consider the areas of their business that are most vulnerable during a crisis. Is the business highly dependent on cash, making it more vulnerable to theft when normal procedures are interrupted? Will a disaster disrupt critical IT infrastructure, making the organization more vulnerable to cybersecurity risks?
However, there are fraud risks common to most businesses to consider.
“Typically, when it comes to fraud risk management and thinking about business disruptions, a few overarching areas are generally higher risk for the business,” Moser said. Those common, more prevalent areas of risk to consider when evaluating the fraud risk vulnerabilities include vendor management, payment processing, accounts receivable, and IT infrastructure. When incorporating these risks into a business continuity plan, ensure clear segregation of duties and controls, offer communication plans, and include alternate payment processing procedures.
Identify most common fraud schemes during a disaster
In a disaster, organizations will have to quickly do new kinds of business with new partners. Oftentimes, businesses won’t have the time or the wherewithal to focus on fraud risk when they are scrambling to find new vendors, deal with changed workspaces, or pivot their business models.
Moser recommends making sure clients have a clear sense of frauds that increase during upheaval so they can plan for the kinds of fraud that emerge during a disaster. Therefore, it is essential that practitioners communicate common fraud schemes like phishing attacks, fraudulent vendors, and price gouging.
“It’s also important to remind clients not only about common fraud schemes but that the incidence of fraud increases during a disaster,” Moser said.
Communicate before trouble strikes
Communication is perhaps the most essential step for integrating fraud mitigation into a business continuity plan. Both Moser and Balog recommend talking with clients not only to understand their business and risks but also to understand their priorities and processes.
Moser also recommends advising clients to have a communication plan in place in the event of a disaster. Be sure to include communication updates for relevant team members that address fraud risks during a disaster. Employees will need to know what to look out for and how to report suspected fraud, and receive regular updates on evolving fraud risk during a crisis.
“It is important to determine the likely audience and communication method,” Moser wrote. “When the crisis strikes, nobody will feel as if they have time to add communications that were not contemplated.”
Taking the time to coach clients on fraud risk mitigation strategies before a disaster makes it easier to implement those plans during a crisis. Practitioners need to advise clients to consistently educate and train employees and stakeholders about fraud risk before disaster strikes so that they are not caught unawares in a crisis.
“It’s especially important in times of crisis because fraud risk, even in the normal course of business, might not be top of mind,” Moser said.
— Drew Adamek ([email protected]) is a JofA senior editor.