Business owners and executives can better understand and manage the likelihood and potential impact of fraud by conducting frequent risk assessments. There are two kinds of company risk: inherent and residual. Inherent risk exists before management takes action to reduce the organization’s exposure. Residual risk is what remains after management has developed internal controls to limit and manage hazards.
Because no internal control program can fully remove all hazards, residual risk is always a possibility. However, there are techniques to lessen it.
4 Types of Internal Controls
Internal controls often fall into one of the following categories:
- Detective. This type is designed to detect fraud already occurring. For example, you might generate a report that lists checks issued twice for the same invoice.
- Preventive. This control should deter unwanted activities. You might require your accounting department to reconcile purchase orders to invoices before issuing a payment.
- Directive. This type specifies actions to be taken to reach a desired outcome. For instance, your policy might call for blocking payment to a vendor that isn’t in your vendor master file.
- Corrective. This last form intends to correct risky activity uncovered by accident or by an existing control. So you might establish new policies and procedures to replace those that have been ineffective.
In conclusion: Internal controls are in place to reduce risk. Although deploying them minimizes inherent risk, it usually leaves an organization with some residual risk. You might define residual risk as inherent risk less the effect of internal controls on inherent risk.
Taking Care of the Issue
A risk assessment can assist your company in determining residual risk. To highlight dangers that require additional investigation, experts typically employ a risk matrix, a visual tool that depicts the likelihood and severity of risk.
Transferring residual risk to a third party, such as an insurer, is another option for dealing with it. For example, your company may get errors and omissions insurance to reduce the risk of inadvertent mistakes that could have been avoided with more stringent controls.
However, there are situations when the expense of implementing extra controls or shifting residual risk exceeds the benefit. Although extra controls may decrease residual risk, implementing them may be prohibitively expensive or create superfluous administrative red tape that annoys staff and consumers. In such instances, many organizations choose to accept residual risk.
Plans for Contingencies and Monitoring
If you opt to accept residual risk, make a plan to mitigate possible damage. Assume your company reconciles its bank accounts on a monthly basis rather than daily or weekly. The residual risk in this scenario is that you may not uncover fraud until many weeks after it has occurred. A contingency plan might assist by offering step-by-step procedures (such as quickly notifying your bank) to rectify any fraud.
It’s also a good idea to examine and monitor residual risk levels on a frequent basis. To return to the previous scenario, if your company performs monthly reconciliations and subsequently decides to increase the number of bank accounts it uses, residual risk may become intolerable. At that time, you might wish to start doing weekly or daily reconciliations. Keeping up with industry best practices and compliance requirements can also help keep residual risk under control.
Important Component
Monitoring residual fraud risk is an important part of any risk management program. For additional information or to book a fraud risk assessment, please contact us.
© 2023