Fraud risk assessments key in light of new anti-money laundering and countering financing of terrorism laws

Stephen Drain, Partner in Forensic Services at PwC Auckland New Zealand, discusses how fraud risk assessments are essential for law firms, following the new Anti-Money Laundering and Countering Financing of Terrorism laws. Find Stephen’s previous article on the AML/CFT Act here.

Stephen Drain

Recently I wrote about the requirements for law firms to ensure that their anti-money laundering risk assessment was kept up to date, to ensure full compliance with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act. For many organisations, risk assessments are the first step in risk mitigation in many areas of business. Some, like the AML/CFT risk assessment, are a statutory requirement, while other risk assessments are best practice.

One particular risk area of interest to many of PwC’s clients is fraud, and a fraud risk assessment is often completed as part of a wider fraud framework or control agenda.

It’s tempting to think that lawyers and other professionals couldn’t be subject to “fraud”, or at least that the risk is low. After all, we don’t deal with cash (or not much), banking systems are secure, and we have limited suppliers all of whom we are likely to know, or at least have dealt with for some time.

This assumption may be a serious mistake. No sector or organisation is immune to fraud, especially given its global and technology-enabled nature.

In considering what problems are being addressed through a fraud risk assessment, it is useful to extend the definition of fraud to include theft, corruption, and other serious probity concerns. Although these matters are not strictly speaking fraud, it is a good shortcut word and usually captures the attention of those that it needs to.

Firstly, some definitions.

We all know what theft is – stealing – or to include part of the Crimes Act’s legal definition, to permanently deprive a person with an interest in the thing, of that interest. It can, however, also include dealing with property in such a manner knowing that it cannot be returned in the condition it was taken. This last bit has obvious relevance to organisations with physical assets that employees might find attractive to use for “weekend jobs”. It may not, on first thought, be considered relevant to lawyers, but what about expensive IT hardware?

Fraud involves some form of deception. A common example is a false invoice intentionally submitted to extract payment for goods or services not provided. But what about false or misleading CVs or qualifications provided by prospective employees?

Corruption involves the misuse of a position or role for private gain. We know that the perceived levels of corruption in New Zealand are low when compared globally. However, public sector respondents to PwC’s 2018 Global Economic Crime Survey rated corruption as the economic crime expected to have the greatest impact on their organisations in the coming two years.

In considering the risks of each of these types of economic crimes, along with probity concerns such as conflicts of interest, professionals should consider both internal and external risks.

The PwC survey found that the threats of economic crime were greater from external parties than staff. However, in the detail, many of those external customers were “frenemies”: external contractors, agents and customers whom organisations think that they know and trust. In some instances, trusted external contractors can have greater access to your systems and records than members of your own team, so the risk threat is possibly greater, and there’s a good chance you know less about them than your own people.

So what’s a quick and effective way to conduct a fraud risk assessment? A facilitated workshop is a good start; ideally involving an expert fraud facilitator. The facilitator can start with definitions and examples of what might constitute fraud for your firm, then lead a discussion involving those who work in the key areas of your practice. Your staff will likely know what your fraud threats are, and you might be surprised how much insight and experience those, particularly in the finance or human resources areas of your practice, may have in combatting or identifying fraud. Obviously if you’re a small practice then you won’t necessarily have specialist teams looking after different areas, so you’ll need to innovate with who attends, to get the best out of a workshop.

Chances are, you will have controls in place to manage some of the fraud risks that come up. For example, a simple fraud control is an employee screening process including a Police check and references. But for the purposes of the risk assessment, put aside any controls to begin with so you can build a full picture of vulnerabilities. Actions you later take will take account of existing controls, but to ignore or minimise risks where controls exist can have unintended consequences. Changes in technology and behaviours can make these controls redundant, and the redundant control can be more easily overlooked if the risks have not been properly understood in the first place.

Once you’ve assembled a list of fraud risks, you can then consider the impact and likelihood of each of them. A matrix of some sort will quickly enable you to prioritise those fraud risks which should be addressed first.

Addressing your fraud risks thoroughly requires a comprehensive fraud control framework, or ecosystem, that moves well beyond the particular risk and control, and captures matters including staff on-boarding, culture and training.

In future articles I’ll discuss the components of a fraud framework, and the importance of each, particularly of having a culture in which staff feel empowered to speak up when they have concerns. Having completed your own fraud risk assessment, you will have already activated some key parts of this framework, and almost certainly raised awareness in the team. Even if you don’t take it any further, it won’t have hurt the practice.

Stephen Drain leads PwC’s Forensic Services team, specialising in the prevention, detection and response to economic crime, particularly fraud, corruption and money laundering. He has led and investigated a wide range of financial crimes from initial investigation to final proceedings and is experienced in working discreetly with boards and senior leaders to help them meet a range of challenges including suspected fraud, probity concerns and regulatory investigations. Stephen leads the firm’s Anti-Money Laundering (AML) practice, which offers a full range of AML services including assisting clients to design and implement risk assessments and programmes in accordance with the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Act, conducting AML/CFT Audits (pursuant to 59 of the AML/CFT Act) and Reviews, and developing and delivering relevant training.

Stephen’s early career was in the New Zealand Police and, after qualifying as a detective, he moved to the Serious Fraud Office (SFO), initially as an investigator and later as Supervising Senior (Investigations). After leaving the SFO, Stephen had two senior roles in leadership development, and joined PwC in 2012. Stephen is PwC Consulting’s People and Culture Partner. Stephen leads an Authentic Leadership development practice at PwC and has a personal leadership blog. His qualifications, education and professional associations are: Master of Business Administration, The University of Auckland; Post Graduate Diploma in Business (Finance), The University of Auckland; Member, Institute of Directors in New Zealand; Chartered Member, Human Resources Institute of New Zealand (with specialisation in Development, Training and Learning). Contact Stephen at stephen.c.drain@pwc.com. You can also connect with PwC New Zealand via LinkedIn, Facebook and Twitter.