The Geopolitical Crises and the Alteration of Fraud Risk
- badreddinekerkeni
- Nov 6, 2023
- 27 min read
1. Context
Once again! A deadly conflict in the Middle East between Israel and Palestine overshadows another one in Europe between Russia and Ukraine. These conflicts are not the only ongoing ones. The Asia Pacific region is another area where tensions are potentially dangerous, with a looming conflict in the Taiwan Strait between China, the second biggest economy and rising superpower, and Taiwan, supported by the United States. Others, at a lower scale, do not attract the same media coverage, such as the ones ongoing in Yemen or Sudan.
Amid tensions between the world’s powers and the weaponization of civilian infrastructure, conflicts are increasingly unpredictable. Globalization helped humanity enjoy fast growth driven by efficiency and competitiveness, and it generated endless opportunities for organizations. At the same time, interconnected supply chains exposed businesses to vulnerabilities such as international crises occurring far beyond their traditional markets. For example, the conflict between Russia and Ukraine led to the most extensive trade sanctions in history against Russia[1] and to new financial restrictions[2], including the disconnection of multiple Russian banks from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system[3]. Many global companies had to stop doing business, cut ties with their Russian partners, and leave the vast territory of the former Soviet state. Many other organizations, suppliers, and customers had to do the same to avoid exposure to export control sanctions.
Global leaders’ worst-case scenarios are constantly changing, expanding, and worsening. The risk of running three simultaneous regional conflicts, or one global one, is no longer a theoretical scenario but is becoming more and more probable.
Risk emerging from geopolitical instability is multidimensional and complex for government and business leaders alike. More and more organizations recognize the damaging impact that global geopolitical crises could have on their strategies and operations. They are increasingly hiring former diplomats, political consultants, and ex-intelligence officers to read situations and navigate crises[4] in multiple regions around the globe and avoid disruption.
Corporate leaders, investors, sponsors, or lenders, in the private, public, and non-profit sectors are noticing the power shifts and the emerging conflicting interests. They actively look to incorporate evolving risks due to global instability and understand the potential impact. In these periods of uncertainties and instability, new risks may emerge while old ones may transform. This is the case for the risk of fraud, where potential fraudsters are continuously looking for opportunities to achieve their financial gain.
While business leaders cannot afford to make distorted decisions, they must also prove resilient during times of uncertainty and world crises. Companies subject to the Sarbanes-Oxley Act of 2002 (SOX) or similar laws remain legally required, in all circumstances, to maintain adequate internal controls to prevent and detect fraud and to ensure the integrity of the company’s financial information[5].
It would be impossible to cover here all the factors, anti-fraud strategies, tools, and best practices available to decision-makers; instead, we try to answer two simple questions of current interest: How do geopolitical crises affect fraud risks, and how can managers and those charged with governance adjust their approach to combat fraud and corruption in times of geopolitical tension?
2. Fraud definition and theory
Fraud is considered a reprehensible offense in most countries[6]. Black’s Law Dictionary defines fraud as “a knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.” The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Association of Certified Fraud Examiners (ACFE) define fraud as “any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.”
In the 1940s, the American criminologist and sociologist Donald R. Cressey (1919 – 1987) interviewed more than 200 incarcerated embezzlers to study the minds of white-collar criminals and concluded that:
“Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property”[7].
This observation was formalized within what is currently known as the Fraud Triangle. The concept is now widely used as a foundation to analyze and further understand fraud mechanisms. It also formed the basis for professional audit standards such as Statement on Auditing Standards (SAS) No. 99[8], PCAOB Auditing Standard (AS) 2401[9], and International Standard on Auditing (ISA) 240[10].
The concept identifies three factors conducive to fraud, pressure, opportunity, and rationalization, usually drawn as the three sides of a triangle (figure omitted).
Source: The ACFE’s Fraud Examiners Manual
Motivation and pressure are typically based on either greed or need. Executive management or employees may have an incentive or be under pressure that provides motivation to commit fraud. The individual has financial problems, cannot solve them through legitimate means, and begins to consider committing illegal acts to solve those issues. Pressures can be internal or external to the entity. They may also come from the unrealistic expectations of investors, authorities, or other stakeholders or a personal desire to maintain a certain level of living standards.
An opportunity must exist to commit fraud. Fraudsters must believe or perceive that fraud can be committed with impunity. A perceived opportunity for fraudulent financial reporting, a misappropriation of assets, or an illegal act may exist when an individual believes internal control can be overridden or ineffective. Fraud is more likely where there is a weak Internal Control System (ICS), poor security over company property, or unclear policies about acceptable behavior.
Fraud perpetrators act whenever they find a good opportunity to do so. This opportunity can be inherent to the company, owing to the nature of its activities, its accounting, its organizational structure, and the industry it belongs to. It can also be isolated around specific transactions and operations in which the company is occasionally involved.
A fraudulent act is justified by a fraudster with a poor personal code of ethics that allows him or her to commit a dishonest act knowingly and intentionally. Such justifications minimize the impact, the extent, or the duration of the act, or recast the offender as the victim. It is worth noting that most fraudsters are first-time offenders with no fraud-related history[xi] and do not view themselves as criminals.
Rationalization increases in the context of absent, low, inconsistent, or unenforced ethical principles. This includes environments with ineffective communication, implementation, support, or enforcement of the entity’s values or ethical standards, poor ethical standards, or an insufficient tone at the top. However, other external considerations might affect the rationalization of unethical acts, such as local cultural and social aspects. Rationalization is easier in an environment where breaching the rule of law or ethical values is seen as permissible. This could be the case in societies with a long tribal history, societies with allegiance to a local ethnic leader, or countries with illegitimate or questionable political leadership. Companies should not disregard these aspects and should consider them seriously.
The three sides of the triangle are correlated. Pressures can push individuals to seek opportunities actively. Opportunities and pressures encourage individuals to rationalize their acts. Therefore, building a coherent anti-fraud program that encompasses all three sides of the triangle is critical for combatting fraud.
3. How global crises affect organizations and their fraud risk factors
Geopolitical crises affect markets and political systems across regions, multiplying the possible adverse outcomes within less predictable scenarios. Countries, organizations, and populations brace for disruption and instability. Scenarios may rapidly switch toward an extreme range of possibilities. Such situations push countries and communities to take sides or change priorities. This is not easy when even intelligence communities have difficulty predicting the future. In 2022, the war in Europe sparked volatility in the global energy markets[xii], aggravated by a mysterious sabotage-like explosion in the Nord Stream gas pipelines[xiii] between Russia and Germany. In addition, the sanctions imposed by Western countries against Russia and Belarus caused further challenges for international trade, with new export control barriers and higher logistics costs[xiv][xv], including higher insurance premiums and security fees. The crisis also spurred volatility and disruptions in international food supplies, given the leading role of Russia and Ukraine in the agrifood markets.
Businesses and countries are pushed to adapt and adjust their priorities; some sectors benefit from the circumstances, such as those in the renewable energy sector. Others, such as the chemical, agriculture, or insurance sectors, faced additional significant burdens. These conditions pushed further away the expected return to pre-COVID-19 pandemic economic conditions.
The ACFE estimates that organizations lose 5%[xvi] of their revenue due to fraud each year. Organizations of different sizes and industries should not underestimate the potential additional impact the geopolitical situation might have on their organization, their markets, customers, supply chains, and employees—particularly the alteration of the pressure to act unethically and rationalize misconduct.
a. Increased pressure to commit fraud:
Pressures faced by the organizations may quickly cascade down to the employees who might find themselves trapped between two constraints: on one side, employers’ demand to achieve (even more) challenging targets or prevent a loss; on the other hand, a personal financial situation driven by higher cost of living and the fears from the uncertain tomorrow. Further, employees might feel broader pressure to improve their numbers, seek financial rewards, or simply keep their jobs.
These circumstances would spread along the value chain, affecting customers and suppliers depending on their exposure to conflict. Geographical presence, the type of goods sold, or services provided, or the nature and extent of the transactions conducted with one side in the conflict, or the other, may all influence an organization’s exposure to conflict-specific pressures.
b. A “collective” rationalization of misconduct
Local cultural and social beliefs may also play a role. Some conflicts, like the conflict in the Middle East, might have a predominant emotional aspect in certain countries, such as the Arab and Muslim worlds or the Jewish communities. Emotional reactions can be spontaneous or maintained by local governments for political, legitimate, or illegitimate reasons. Depending on which side in the conflict an organization is perceived to be associated with, the rationalization factor could be altered.
Analyzing the collective emotional links between local populations and a given geopolitical conflict might be wise, particularly for international organizations. In the era of information and misinformation spread through free social media, employees’ emotions are exploited, and their moral image of themselves and of their employers might change. Employees might link themselves to a “cause” beyond their financial interests and show support for it in different ways. This is not surprising at a time when employees increasingly select their employers based on their moral convictions, such as being climate and socially responsible. They also expect their employers to reflect corporate values, missions, and visions, not only in their internal processes and governance but also in their international behavior and global commitments. Some employees might further expect their employer to adopt a certain position based on their individual perceptions of the conflict and its roots.
This challenge goes beyond the organization itself. Even organizations with a strong tone at the top, ethical programs, and commitments to values might face heightened fraud factors from business partners over whom they have no direct control, but perhaps some influence. This may make entities particularly exposed to external fraud, including cyber-attacks, identity theft, ransomware[xvii], sabotage, and corporate extortion or espionage.
Such circumstances might make it easier for trusted persons to become trust violators, by aligning their conception of themselves as users of the entrusted funds or property with their conception of themselves as morally and emotionally part of a conflict occurring far away from their home.
Exposed organizations must adopt a proactive, integrated approach to face risks of heightened fraud factors during times of exposure to geopolitical conflict. This starts with maintaining a robust Fraud Risk Management Program (FRMP), which timely captures the changes in the geopolitical landscape and connects the FRMP to the crisis management process.
4. Adapting the Corporate Fraud Risk Management Program (FRMP)
The COSO Internal Control – Integrated Framework (ICIF) constitutes a leading framework for designing, implementing, and assessing the Internal Control System (ICS) within organizations. In its revised version issued in 2013, the ICIF clarified the principles for implementing an effective ICS. These 17 principles cover the five components of an ICS. Principle 8 of the ICIF states: “The organization considers the potential for fraud in assessing risks to the achievement of objectives”.
In March 2023, the COSO and the ACFE issued the second edition of the Fraud Risk Management (FRM) Guide. This edition considered the trends and changes in the fraud management field since the first edition was issued in 2016. In particular, the guide better considers emerging risks, the legal and regulatory environment, the results of the ACFE research, and the advances in technology such as Data Analytics.
An effective FRMP has five components in line with the COSO ICIF components and principles.
The FRM Governance
Fraud risk assessment
Designing and implementing preventive and detection anti-fraud controls
Conducting investigations
Monitoring and evaluation
Organizations can design a comprehensive FRM Program following the five elements above. They may also choose to adopt a simplified process starting from their existing ICS: identify specific fraud schemes, assess their likelihood and impact, and adjust control activities accordingly to mitigate the residual risk. In this article, we adopt the first and more comprehensive approach, while limiting the focus to selected steps we consider more relevant to management, investors, sponsors, or lenders during an ongoing geopolitical crisis.
Regardless of the approach adopted, entities must ensure their FRM is integrated, coherent, and consistently applied to prevent, detect, and deter misconduct, particularly during crises.
a. FRM Governance
Principle 1: “The organization establishes and communicates an FRMP that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.”
In this regard, the organization’s leadership should show a clear commitment to the FRMP and set a clear tone at the top about ethical behavior, emphasizing deterring, preventing, and detecting fraud in all circumstances.
A crisis can constitute an opportunity for entities to communicate their strong commitment to their core values, mission, and vision. They can use the context of great attention to remind management consideration of the risks of fraud, the existence of the FRMP within the organizations, and that management regularly updates the program in light of evolving internal and external fraud factors.
Corporations should adopt a “zero tolerance” policy toward fraud. However, such a policy does not mean that no fraud or misconduct will occur within the organization; achieving that objective is neither realistic nor efficient. A “zero tolerance” policy simply means that management takes every allegation very seriously, and every occurrence of misconduct is appropriately disciplined, with no exceptions or distinctions. Management, under the oversight of the board of directors, sets its risk appetite[xviii] and the acceptable tolerance level[xix] above which it will act. It is relevant to highlight that in the context of fraud and compliance, appetite and tolerance do not mean accepting known violations; they reflect the realistic assumption that the risk of fraud and non-compliance cannot be eliminated.
Organizations must make sure that their FRM Policy is updated and that employees are aware of it. The fraud policy is tailored to the organization and defines, among other things, the process of communicating violations and potential violations, including violations perpetrated by members of the senior management teams.
The organization should assign clear responsibilities for the FRMP, starting with the designation of an executive-level individual responsible for the effective implementation of the Program and who regularly reports to the board. The FRM activities are not to be managed within a silo. Instead, shared and multi-dimensional knowledge from business operations, finance, compliance, and other actors in risk management is needed for efficiency and effectiveness. This executive supports the overall risk management governance by integrating a crisis management task force and being aware of the external factors affecting the organization and the fraud risk landscape. During uncertain times, board members and executives usually seek to determine the worst-case, best-case, and most likely scenarios. Organizations may have to identify their critical processes, technologies, resources, partners (e.g.: vendors, customers, authorities, civil society, etc.), key markets, critical sites (e.g.: R&D, Shared Service Centers, or SSC), factories, etc., and identify key dependencies that allow them to continue delivering goods and services and avoid disruption. FRMP representatives and the audit committee can then ask themselves how each scenario could alter their current understanding of the internal and external fraud factors and their fraud risk assessment.
Management may also have to review its risk appetite and tolerance statement, ensure their adequacy with the most likely scenario determined, and incorporate them when considering fraud risk throughout the organization, the metrics, and thresholds used. It is central that both management and the board of directors are aligned in their understanding and perception of the risks that the company is willing and prepared to take.
Further, effective FRMP requires all employees to have access to the board, the audit committee, and the internal audit department and that the whistleblower process is in place, known, and easily accessible to employees and partners. Also, additional training sessions about ethical conduct, fraud risk prevention, detection, and deterrence can represent an opportunity for management to communicate with employees and reinforce expectations.
This communication could be enhanced through internal blogs and mobile apps that allow employees to communicate about different subjects. While respecting everyone’s opinion and legal boundaries, these channels can be a resource in preventing and detecting fraud. Management should pay attention to staff’s ideas and views to identify subjects, concerns, and potential training needs. This task can be facilitated by technologies such as text analytics, which can help detect indicators of pressure and rationalization among the entity’s personnel.
b. Fraud Risk Assessment
Principle 2: “The organization performs comprehensive risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud controls activities, and implement actions to mitigate residual fraud risk.”
Fraud risk is often related to factors beyond the control of the organization, such as pressure and rationalization. An organization needs to assess fraud risk across all areas of the enterprise, including its operations and compliance areas. Since fraud risk is dynamic, it must be updated as frequently as needed.
Fraud affects areas beyond financial reporting activities. It also includes risks of fraudulent non-financial reporting, asset misappropriation, corruption, and any other non-compliance with laws and regulations, such as bribery, conflict of interest, or economic extortion. Therefore, the assessment should be performed by multi-disciplinary teams, including multiple levels of management, process owners, and responsibilities. Since each level has its own potential fraud risk, the organization can adopt a top-down/bottom-up approach to ensure alignment across the entity, that management expectations are properly cascaded to the field, and that operational challenges and needs are reported to management and senior executives. For instance, bribery violations might be wrongly viewed as a “business need,” “needed to keep the business running,” or a way to “keep customers happy”[xx] at a lower, operational level of the organization, such as a country, unit, or branch. However, the same act is likely to be unacceptable to board members and senior executives because of the significant financial consequences of such a violation, for example under the UK Bribery Act or the US Foreign Corrupt Practices Act (FCPA).
When new adverse conditions emerge, the entity should integrate them into the risk assessment. However, as seen in the Ukraine or Middle East crises, geopolitics may quickly worsen the likelihood and severity of the scenarios. The assessment team’s structure and scope must be resilient to quickly adapt and capture these changes. For instance, the team can include individuals with a sufficient understanding of the changing political and security situation, such as geopolitical and intelligence analysts and sociologists. The team should then be able to connect the analysis of the geopolitical environment to its specific situation and fraud risk exposure.
Depending on the size and complexity of the entity, assessment teams can be established at different levels of the organization with coordinated efforts and synergies. Each assessment team adjusts its understanding of how certain fraud schemes might occur within the entity, considering the full range of potential consequences. This is usually done through brainstorming sessions. When fraud factors are significantly distorted, management should reconsider the potential fraud schemes, including their likelihood and impact, and adjust its risk register and heat map accordingly. However, the assessment must be consistent, reflecting the critical processes and dependencies identified at the executive and board levels (e.g., higher impact).
Besides brainstorming, the organization can consider using other risk and evidence-gathering techniques, such as rule-based analytics, predictive modeling, process mining, and network/link analytics. In this sense, external crises may be opportunities for the entities to accelerate their technology shift, including digitization of their processes and expanding the use of Robotic Process Automation (RPA), Machine Learning, and Artificial Intelligence (AI).
In its assessment, the team should consider potential internal and external fraud risks. External frauds can be initiated by individuals, independent groups, or government-related groups. They may significantly affect the security and safety of the company’s digital, physical, and intellectual assets, and of its employees, whose safety will be at the top of the priorities during times of crisis.
Information technology risks and cyber frauds might be of relevance to management. During times of conflict, an organization may be exposed to more frequent and more sophisticated external attacks, particularly companies that carry an iconic image, have a perceived role, take sides in a conflict, or operate within a particular industry, such as defense and security. Organizations should pay particular attention to the risk of unauthorized access to data, data integrity breaches, theft of sensitive information, acts of sabotage (systems and infrastructure degradation), and digital extortion, such as through ransomware.
During the assessment phase, the organization evaluates the incentives and pressures on individuals and departments and uses that information to determine who is most likely to commit fraud and how the fraudulent activity would most likely be committed, so that the organization can formulate appropriate risk responses. Professional auditing standards presume that a risk of fraud exists in revenue recognition during an audit of financial statements. The assessment team may adopt the same presumption and assess how a crisis generates or alters fraud factors and their associated red flags.
Organizations should not disregard the potential for management override of controls, including those designed to prevent and detect fraud. The board may decide to re-evaluate business targets, budgets, and incentive programs for senior executives in light of the circumstances, to reduce the pressures and incentives to which they might be exposed. Board members, especially the audit committee, should pay attention to red flags emerging from management, such as a change in the rationalization of misconduct, changes in accounting methods, unjustified changes in management’s hypotheses, assumptions, and estimates, or changes in intercompany policies.
A time of crisis may also reveal fraudulent practices from the past. For instance, management may start releasing provisions that were illegitimately built during a period of stability. These so-called “soft provisions”, or “provisions for rainy days,” are usually built without satisfying all the requirements of Generally Accepted Accounting Principles (GAAP), with the sole purpose of being released during periods of uncertainty to smooth performance and make it appear artificially sustainable.
Once all data is considered and fraud schemes, potential perpetrators, locations, and tools are determined, the organization can identify the existing fraud control activities in place (Type A controls) and assess their effectiveness. After evaluating residual risks, management can determine what controls (Type B controls) and procedures should be implemented to address them. It may also identify how the response should be implemented across the organization and how the organization can influence and get assurance from its key supply chain partners to mitigate external fraud risks.
In its assessment, an entity may consider the following factors when deciding to add anti-fraud controls:
The criticality of the process or its interdependence with other critical processes,
The tolerance level for a particular risk, such as compliance-related or efficiency-related risks,
Industry in which the company operates (e.g., pharmaceuticals, defense, financial services, agriculture, etc.),
The type of goods and services provided (necessity goods, utilities, etc.),
The type of customers, vendors, and other partners with whom it interacts,
Technology and internal systems used,
The technology interfaces used to interact with customers, suppliers, and other third parties,
Any history of fraud or control weakness,
Outsourced and insourced activities.
c. Fraud Control Activities: Strong yet resilient
Principle 3: “The organization should select, develop, and deploy preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner”.
The organization selects its fraud control activities in response to organization-specific factors and relevant business processes. It aims to actively deter fraud through the preventive controls (e.g., authorization and approval of transactions, segregation of duties) and detective controls (e.g., account and bank reconciliations, data analytics) in place. These are necessary to maintain a rigorous anti-fraud culture. To be more effective, the organization should consider implementing preventive controls at lower organizational levels and early in business processes. It implements detective controls where preventive controls would be too costly or too intrusive to business operations. Management also considers a balance between visible and covert control activities that might be known or unknown to employees and partners. Data analytics, regular background checks, and systematic or periodic reviews against sanctions lists are all examples of covert controls. Moreover, management should consider physical and logical access to its facilities, assets, and information systems, and combine routine and non-routine controls.
It is particularly important for control activities to remain tied to the risk assessment. Controls need not be the same across the entire organization. They must, however, reflect the fraud scheme, its likelihood and impact, its location, the perpetrator’s level, and so on. Activities will then better protect the key dependencies identified and ensure appropriate focus and discipline are given to the vital processes.
Nevertheless, the question that all managers, executives, auditors, and consultants ask remains: How much control does an organization need? The question can also be asked from another perspective: How much risk is too much risk? This is particularly acute in times of crisis and uncertainty, during which organizations must be more adaptable and agile. There is no single clear answer; it is a case-by-case consideration.
Not every process within an organization has to be resilient. In some processes, priority may be given to reliability and compliance, with a low level of risk tolerance, while in others management may focus on flexibility, speed, and relevance. A company may want to be flexible in reacting to customer complaints through electronic interfaces and ensuring customer satisfaction, but it would still require robust controls over the security of its customer data. Companies in highly regulated industries, such as life sciences and pharmaceuticals, may have little room to increase their risk acceptance in their research and manufacturing processes, whereas other industries, such as consumer electronics, may have more.
In balancing its controls, the organization should consider all costs of implementing controls, including the direct cost of the control and the potential costs of the control’s effect on or interference with operations, in arriving at the optimum mix of preventive and detective controls. It may also consider centralizing a number of its standard key controls through Shared Service Centers (SSC) to ensure efficiency and faster adaptation to changes while keeping certain other complex or non-routine transactions decentralized at the unit’s level.
Organizations should ensure they have control activities in place to prevent improper transactions through top-side adjustments to their accounting information, because journal entries present one of the easiest ways for management to circumvent controls over financial reporting. Those charged with governance and the FRMP leader should be alert to evidence of management override of controls, to inappropriate bias in the assumptions underlying accounting estimates, to unusual transactions occurring near period-end, and to pressure on subordinates to initiate or participate in such improper transactions or activities. In this context, the entity may use data analytics-based controls to identify or prevent suspicious transactions, such as z-scores, Benford’s Law, and process mining. Those charged with governance must also remain attentive to the management style, such as a willingness to influence internal audit work by reducing its scope or cutting its resources.
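The following is an added example, not code from the original article or from COSO/ACFE material, of two of the journal-entry analytics named above: a Benford first-digit test over posted amounts, and a set of rule-based flags for top-side entries (round amounts, postings at or after period end, postings by users outside the authorised group, manual postings to revenue accounts). The ledger, user names, account codes, the 4xxx revenue range, the authorised-poster list, and the two-day period-end window are all constructed assumptions; the conformity bands for the mean absolute deviation (MAD) are the first-digit bands commonly cited from Nigrini’s work.

```python
"""Added example: Benford first-digit test plus rule-based journal-entry flags.

Everything below is constructed for illustration: the sample entries, users,
account codes, the assumption that 4xxx accounts are revenue, and the list of
users authorised to post. It is not the article's or any vendor's code.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import math

# Expected first-digit shares under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount: float) -> int:
    """Leading significant digit of |amount|; 0 for a zero amount."""
    # Scientific notation puts the leading significant digit first, e.g. 1234.56 -> '1.2345600000e+03'.
    return int(f"{abs(amount):.10e}"[0])


def benford_mad(amounts) -> float:
    """Mean absolute deviation between observed and expected first-digit shares."""
    digits = [first_digit(a) for a in amounts if a != 0]
    if not digits:
        return 0.0
    counts, n = Counter(digits), len(digits)
    return sum(abs(counts.get(d, 0) / n - BENFORD[d]) for d in range(1, 10)) / 9


def benford_conformity(mad: float) -> str:
    """Commonly cited (Nigrini) first-digit MAD bands."""
    if mad < 0.006:
        return "close"
    if mad < 0.012:
        return "acceptable"
    if mad < 0.015:
        return "marginal"
    return "nonconformity"


@dataclass
class JournalEntry:
    entry_id: str
    posted: date
    user: str
    account: str   # constructed 4-digit code; accounts starting with "4" are assumed to be revenue
    amount: float
    source: str    # "manual" (top-side) or "system" (sub-ledger generated)


def flag_entries(entries, period_end: date, authorised_posters, window_days: int = 2):
    """Return {entry_id: [reasons]} for every entry that trips at least one rule."""
    flags = {}
    cutoff = period_end - timedelta(days=window_days)   # assumed period-end window
    for e in entries:
        reasons = []
        if e.amount != 0 and abs(e.amount) % 1000 == 0:
            reasons.append("round_amount")
        if e.posted >= cutoff:
            reasons.append("period_end_posting")
        if e.user not in authorised_posters:
            reasons.append("unauthorised_poster")
        if e.source == "manual" and e.account.startswith("4"):
            reasons.append("manual_revenue_entry")
        if reasons:
            flags[e.entry_id] = reasons
    return flags


# Constructed sample ledger (not real data).
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2023, 12, 12), "aclerk", "5100", 1234.56, "system"),
    JournalEntry("JE-002", date(2023, 12, 30), "cfo", "4000", 250000.0, "manual"),
    JournalEntry("JE-003", date(2023, 12, 18), "aclerk", "2100", 87.31, "system"),
    JournalEntry("JE-004", date(2023, 12, 31), "contractor", "4100", 15000.0, "manual"),
    JournalEntry("JE-005", date(2023, 12, 5), "controller", "6200", 410.0, "manual"),
]
AUTHORISED = {"aclerk", "controller"}   # assumed posting group
PERIOD_END = date(2023, 12, 31)


if __name__ == "__main__":
    mad = benford_mad([e.amount for e in SAMPLE_ENTRIES])
    # Five entries are far too few for Benford to mean anything; the test is for full populations.
    print(f"first-digit MAD={mad:.4f} ({benford_conformity(mad)})")
    for entry_id, reasons in flag_entries(SAMPLE_ENTRIES, PERIOD_END, AUTHORISED).items():
        print(entry_id, reasons)
```

Run over a real population, the Benford test is a screen, not evidence: many legitimate populations (fixed-price items, capped amounts, assigned numbers) do not follow the law, so a nonconforming result points the reviewer at a sub-population to sample, not at a perpetrator. The rule-based flags are the ones an auditor would typically run on the journal-entry extract; the thresholds belong in the fraud risk assessment, not in code.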
Regarding external fraud risks from supply chain partners, management can first ensure that all its relevant suppliers have formally accepted its Supplier Code of Conduct (SCOC) and signed written contracts that include a right-to-audit clause. The organization should exercise this right, particularly on its most critical suppliers. It may want to ensure that suppliers and customers have technological controls in place, such as third-party due diligence checks against sanctions, criminal, or watch-list databases, or risk-scoring mechanisms that restrict certain business activities from occurring. The entity may also want to ensure that its vendors have anti-fraud programs in place and a working whistleblower hotline to report irregularities, or require them to provide compliance confirmation statements regarding key laws and regulations such as the FCPA. A company generally cannot force its vendors to adopt the same controls it wishes to see, but, except in rare cases, it is in a position to select its partners. Business requirements that reflect its risk tolerance should, in general, be reflected in the procurement process, contractual agreements, and communication with suppliers.
d. Investigation and Corrective Actions:
Principle 4: “The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective actions to address fraud appropriately and in a timely manner”.
As per the ACFE’s 2022 Report to the Nations, 42% of occupational fraud is detected through tips, followed by Internal Audit with only 16% of cases. Over half of the tips are initiated by employees using the whistleblower hotline. As per the ACFE’s study, “Maintaining a hotline or reporting mechanism increases the chances of earlier fraud detection and reduces losses. Fraud awareness training encourages tips through reporting mechanisms.” Additionally, fraud losses are twice as high and last longer in organizations without hotlines than in those with them[xxi].
Accordingly, organizations should promote the use of the whistleblower hotline and ensure that it is known to employees and partners through internal and external communications such as internal flyers, emails, or the corporate website. The hotline should be easily accessible 24/7 with multilingual capabilities, with priority given to locations more prone to the potential fraud schemes identified during the assessment phase. The organization may also demonstrate its support for the whistleblower system with a senior-level “champion” who owns and oversees it. The effectiveness of the hotline increases when employees are confident and trained to use it. The ACFE’s 2022 Report to the Nations observed that reporting fraud is more likely when employees receive proper training on hotlines and reporting[xxii].
It remains vital that the organization demonstrates its commitment to act after allegations are reported. To increase accountability and reinforce ethical values, all allegations must be taken seriously, particularly when they relate to management.
Multiple securities laws, such as the Sarbanes-Oxley Act of 2002 (SOX), require companies within their scope to protect whistleblowing employees. Retaliating against whistleblowers, whether employees or contractors, is a criminal act under SOX punishable by up to 10 years in prison[xxiii].
It is central that the organization has already established fraud investigation and response protocols including, but not limited to:
· The collection, documentation, and processing of allegations,
· The planning and execution of the investigations,
· The resources used,
· The reporting of the results,
· Communication with internal and external parties such as authorities or external auditors,
· Assessing root causes, and
· Initiating the risk mitigation process.
These protocols, which can be documented in an approved “Fraud Response Plan,” should take into account the legal constraints of the countries where investigations will be conducted, such as privacy and data protection laws. Moreover, data collected through the hotlines may feed Data Analytics procedures that identify trends, departments, locations, and common circumstances, so that the FRMP can be adjusted as needed to face evolving risks.
The response plan should outline the organization's board of directors' authority to conduct investigations independently of the organization. Particularly, investigations involving senior management can be directly overseen by board members such as the Audit Committee.
Since geopolitical crises often incur deteriorating security and safety in the region and countries involved, it is important that investigation protocols give proper consideration to the security and safety aspects, as investigation costs and durations might be impacted.
e. FRMP Monitoring
Principle 5: “The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management to parties responsible for taking corrective action, including senior management and the board of directors”.
As highlighted in the principle, the organization considers a balance between ongoing routine monitoring and separate occasional monitoring activities. These activities aim to answer the “What next?” question and ensure that the five principles of the FRMP are present and functioning.
Doing so requires establishing criteria that can be observed and measured, such as the number of allegations reported, the process impacted, the location, station, branch, or business unit affected, the reporting channel used, the type of fraud committed, the organizational level involved, etc. FRM monitoring criteria could also include the number of subcontractors accepting the company’s SCOC or the number of audits performed on them. Internal Audit might be of help in this context through its assurance and advisory services.
The FRMP Leader, together with management and the audit committee, can seek to understand whether the Program includes a clear process to identify and assess fraud risk exposure during geopolitical crises. The organization's FRMP Leader coordinates and collaborates with the audit and compliance departments, risk management, corporate security, and ethics teams, and any task force or individual designated to cover geopolitical risks and outcomes, ensuring efforts in these areas are effectively and efficiently working together to meet the organization’s needs.
5. Documentation
All the activities within the FRMP must be properly documented, providing appropriate and sufficient audit trails to allow verification, independent auditing, and regular monitoring. To decide how much documentation is needed to support an activity or process, the parties involved in the FRMP should use their professional judgment. Documentation should be in sufficient detail to provide a clear understanding of each activity’s nature, owner, purpose, source, frequency, evidence obtained, and the conclusions reached. The documentation should also be organized so as to provide a clear link to any significant issues detected. It may include narratives, control descriptions, flowcharts, memoranda, confirmations, correspondence, schedules, review and investigation programs, letters of representation, and management and third-party confirmations. Some professional standards provide guidance on what constitutes adequate documentation. PCAOB Auditing Standard AS 1215[xxiv] requires that documentation contain sufficient information to enable an experienced auditor, having no previous connection with the engagement, (a) to understand the nature, timing, extent, and results of the procedures performed, the evidence obtained, and the conclusions reached, and (b) to determine who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review. FRMP Leaders, management, those charged with governance, and other risk professionals may benefit from benchmarking against these professional standards while considering their own decision-making needs.
6. Our Final Word
Amid a tense geopolitical context, business leaders are increasingly challenged by growing uncertainties and increasingly disruptive events, often initiated in far-away territories. From securing COVID-19 vaccines during the pandemic to the war in Ukraine, the explosive situation in the Middle East, and the growing tensions between the US and China, geopolitical events can pose significant harm to corporations and their supply chains around the globe. In this context, balancing risk and reward has always been central to board members, management, and process owners when making strategic or tactical decisions.
As fraud risk is influenced by internal and external factors, organizations must be prepared to quickly alter their anti-fraud control strategy, update their risk and control registers, and foster a culture that rejects misconduct. They can mitigate the risk by adopting a systematic and integrated approach capable of identifying, capturing, assessing, and responding to fraud risk, as well as learning from failures. Organizations that already have a robust ICS and FRM in place are better prepared and can better adapt to changes in the morphology of fraud risk. As seen above, they should focus on the five elements of the FRM, starting with having the right governance structure, defined risk tolerance levels, and clear responsibilities. They must ensure that fraud governance, risk assessment, and response are integrated with each other and with the overall risk management structure, including the ICS. They should ensure that neither fraud risk management nor the management of geopolitical and macroeconomic risks is run as a siloed activity. Further, being a key part of risk management activities, FRM should reflect the critical dependencies specific to the organization to ensure efficiency and resilience during international crises. It is moreover important to establish and maintain efficient and effective communication between risk managers so that they are able, under the FRMP Leader and the board, to identify and assess the fraud risks affecting key processes, units, and locations following a Top-Down / Bottom-Up approach. When doing so, technology such as Data Analytics can be a strong ally to management and those charged with governance for each of the FRM components.
At BAK Global Risk Management, we help our clients create value through a robust and resilient risk management system, mitigating risks and creating opportunities. We provide advisory, assurance, and fraud investigation services to organizations in the private, public, and non-profit sectors. We can support you in designing and implementing effective Fraud Risk Management Programs, conducting internal examinations on financial and non-financial fraud allegations, or having an independent opinion about your anti-fraud systems, particularly when operating in high-risk markets.
For more information about how we can help, give us a call at +49 152 51 04 19 81 or +1 (954) 496-0464 or visit our website and book your free consultation directly online at www.bak-grm.com
[1] Russia Sanctions and Export Controls (trade.gov), U.S. International Trade Administration of the U.S. Department of Commerce, October 2023.
[2] Council Regulation (EU) 2022/345 of 1 March 2022 amending Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia’s actions destabilizing the situation in Ukraine. EUR-Lex - L:2022:063:TOC - EN - EUR-Lex (Europa.eu).
[3] An update to our message for the Swift Community | Swift, March 2022.
[4] Companies on the hunt for geopolitical advice as tensions rise. Financial Times, October 17, 2023.
[5] Section 302 of the SOX makes the CEO and CFO of public companies personally responsible for the accuracy of the financial statements. Signing officers must review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose all significant deficiencies, fraud, and significant changes in internal controls.
[6] With different legal systems and jurisdictions, the definition of fraud might differ from country to country. It is, therefore, important for professionals to refer to the legal definition of fraud in each relevant jurisdiction.
[7] Other People’s Money: A Study in the Social Psychology of Embezzlement. Donald R. Cressey (Montclair: Patterson Smith, 1973).
[8] Consideration of Fraud in a Financial Statement Audit, issued by the American Institute of Certified Public Accountants (AICPA).
[9] Consideration of Fraud in a Financial Statement Audit, issued by the Public Company Accounting Oversight Board (PCAOB).
[10] The Auditor’s Responsibilities Relating to Fraud in an Audit of the Financial Statements, issued by the International Auditing and Assurance Standards Board (IAASB).
[xi] The ACFE’s 2022 Report to the Nations on Occupational Fraud identified that only 6% of perpetrators had fraud-related convictions. 83% of fraudsters in the study had no prior record of having been punished or terminated by an employer for fraud-related conduct.
[xii] The impact of the war in Ukraine on euro area energy markets (Europa.eu). The European Central Bank (ECB) Economic Bulletin, Issue April 2022.
[xiii] Nord Stream gas 'sabotage': who's being blamed and why? | Reuters, October 2022.
[xiv] Maritime Trade Disrupted: The war in Ukraine and its effects on maritime trade logistics | UNCTAD, The United Nations Conference on Trade and Development (UNCTAD), June 2022.
[xv] The Repercussions of the Ukraine Conflict for Shipping and Insurance (maritime-executive.com), The Maritime Executive, September 2023.
[xvi] Key findings. Occupational Fraud 2022: A Report to the Nations. Association of Certified Fraud Examiners, 2022.
[xvii] In the Russia – Ukraine war, ransomware attacks have decreased because of the difficulties in processing ransom payments under the international sanctions on Russia and because of effective cyber-defense preparation in Ukraine and Western countries. However, as per Google’s Threat Analysis Group (TAG) report “Fog of War: How the Ukraine conflict transformed the cyber threat landscape,” these cyber-attacks will remain disruptive and destructive.
[xviii] COSO defines risk appetite as the amount of risk that an organization is willing to accept to achieve its mission.
[xix] COSO defines risk tolerance as the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve. In other words, risk tolerance can be considered the acceptable deviation from the risk appetite set. In general, risks higher than the risk tolerance will need to be mitigated. Mitigating risks below the risk appetite might be inefficient. Risks between the risk appetite and tolerance levels have to be mitigated based on a risk and reward analysis.
[xx] Note that these statements constitute an example of rationalization reflecting financial pressure to perform and achieve a certain operational or financial target.
[xxi] The average loss for organizations that did not implement a whistleblower hotline reaches $200,000 per case and lasts 18 months before being reported, while for those with effective hotlines, the loss is limited to $100,000 and is reported within 12 months. (Hotline and Reporting Mechanism Effectiveness. Occupational Fraud 2022: A Report to the Nations. Association of Certified Fraud Examiners, 2022.)
[xxii] 58% of the tips were made through hotlines where employees received training on hotlines and reporting, versus 42% without training. (Hotline and Reporting Mechanism Effectiveness. Occupational Fraud 2022: A Report to the Nations. Association of Certified Fraud Examiners, 2022.)
[xxiii] Section 1107 “Retaliation against informants” states that “Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense, shall be fined under this title or imprisoned not more than 10 years, or both.”
[xxiv] PCAOB Auditing Standard AS 1215, “Audit Documentation”.
Disclaimer:
This communication contains general information only and should not be considered or relied on as professional, legal, or financial advice or service. By using or viewing the attached document, you agree that BAK Global Risk Management, or any of its related individuals or entities, cannot be held liable for the use made of this openly available document or for how it may circulate.
