Fraud is a topic that receives a high level of attention from regulators, auditors, and the public due to increasing corporate failures. Most fraud cases happen within organisations rather than in external dealings. Contrary to common belief, 68% of fraud cases occur within organisations by employers and employees, with the rest committed externally by those in the value chain (KPMG, 2014). The Association of Certified Fraud Examiners (ACFE)’s 2014 Report to the Nations on Occupational Fraud and Abuse suggests that companies lose up to 5% of their revenue annually to fraud. The loss, if applied to the 2013 estimated Gross World Product, translates to a potential projected global fraud loss of nearly US$3.7 trillion (RM13.91 trillion) (ACFE, 2014). The frauds are carried out through asset misappropriation, corruption, and fraud in financial statements.
In Malaysia, the number of fraud cases has kept rising: the reported numbers were at 4.8% in 2010, increased to 7.6% in 2012, and increased further to 9% in 2014. Malaysia has caught the media’s attention following financial scandals in some of the big Malaysian corporations. The most recent case is the controversy over transactions at the debt-laden 1Malaysia Development Berhad (1MDB), where billions of dollars were misappropriated from 1Malaysia Development Bhd., an economic-development fund set up by the Malaysian Government in 2009 (Hope & Wright, 2016). The case has caused 1MDB to bear RM42 billion in debt, and it is now struggling to pay interest to both local and international banks. The Port Klang Free Zone (PKFZ) scandal occurred in 2009, when a scandal of about RM12 billion was reported after the Port Klang Authority chairperson lodged a report following a financial audit of the project (Malaysia Today, 2017).
The never-ending story of corporate failures led to congressional questions about the weaknesses in fraud detection mechanisms and the role of fraud risk management. Previously, as a measure to curb the weaknesses in fraud detection processes, the Statement of Auditing Standards (SAS) No. 99 was announced by the American Institute of Certified Public Accountants (AICPA) in October 2002 with the objective of raising the efficiency and productivity of auditors in fraud detection by assessing the fraud risk factors in organizations. The fraud risk factors of SAS 99 are based on the fraud triangle model developed by Cressey (1953). According to Iyer and Samociuk (2006), corporate fraud and corruption are arguably the greatest unmanaged commercial risks of the day. Despite the measures taken, major frauds and bribery scandals are as widespread as they were twenty years ago. Iyer and Samociuk (2006) argue that many executives have spent the last couple of decades implementing the extensive corporate governance and control frameworks they are supposed to implement, yet tougher legislation has not had the desired effect in curbing fraud and corruption. They therefore propose implementing robust fraud defence strategies, which can be achieved through a fraud risk management process. Its importance is due to the exposure of companies to diverse kinds of risks which may affect the decisions of shareholders and other stakeholders (Mazumder & Hossain, 2018).
Nguyen, Ngo and Le (2020) found that the process of risk assessment can reduce the risk of material misstatement in the stage of audit planning. Therefore, the first objective of this study is to explore the whole process of fraud risk management strategies that should be implemented by organizations. Second, this study is conducted to discuss the governance issues which arise at each stage of the process. We believe this study presents a unique institutional setting as we try to apply the framework in a developing country like Malaysia. Malaysia provides an appealing institutional setting which can be characterized by a concentrated family ownership system (Nahar Abdullah, 2006), political connections (Faccio, Masulis & McConnell, 2006; Johnson & Mitton, 2003), and weak enforcement and investor protection (Leuz, Nanda & Wysocki, 2003). The Malaysian government has introduced key corporate governance reforms to prevent frauds. However, the persistent pattern of fraud reported by international surveys questions the effectiveness of these reforms. A survey by KPMG (2013–2014) reported that fraud is still a major problem in Malaysian businesses. Moreover, Kroll Advisory Solutions’ “Global Fraud Report” 2012–2013 and Ernst and Young Fraud Investigation and Dispute Services Asia–Pacific (2013) also confirm that Malaysia is more prone to corporate frauds compared to Indonesia, China, and Singapore.
Based on the content analysis of previous literature, this study finds that the fraud risk management process consists of at least five stages: determining the objectives, identifying the risks, evaluating the risks, determining preventive action, and implementing and reviewing. Our extended analysis has found that this process might not be implemented successfully as there are several governance issues arising in each step of the process. Our study contributes in the following ways. First, it presents an effective framework of the risk management process focusing on fraud. Many studies have highlighted the general process of risk management, i.e. Enterprise Risk Management (ERM) (Sobel & Reding, 2004; Arena, Arnaboldi & Azzone, 2010; Gates, Nicolas & Walker, 2012), but these studies do not say much about the fraud angle. Literature that highlights fraud risk processes is very scarce and limited to certain types of organizations (Clauss, Roncalli & Weisang, 2009; Hess & Cotrell, 2016). Also, this study highlights the governance issues in the fraud risk management process, especially in emerging countries like Malaysia. Malaysia presents a unique institutional setting where risk management processes are regarded as being at a preliminary stage. Currently the risk management process requires disclosure by the management, and a practice such as an independent risk management committee is regarded as a step further (Securities Commission, 2017).
This paper is structured as follows. In the next section, we present the background of the study by highlighting the definition of risk and risk management, which is followed by the research methodology. Then we discuss our analysis and findings related to our objectives. Finally, we present the implications of this study in the conclusion.
2. Background of the Study
Risk can be defined as a decision that is made under conditions of known probabilities (Knight, 1921). It is a combination of the probability of an event and its consequences (Kaplan & Garrick, 1981). Nevertheless, a dictionary definition of risk defines it as the chance of injury, damage or loss. Previous researchers have equated risk with the expected disutility (Campbell, 2005) and the expected loss (Willis, 2007). Many researchers also relate risk to the probability of an adverse outcome (Graham, Wiener, & Sunstein, 1995) and the severity of adverse effects (Lowrance, 1976). Technically, risk can be defined as the cause and probability of an unwanted event which may or may not occur where something of human value (including humans themselves) is at stake and where the outcome is uncertain (Rosa, 1998). Thus, risks are probabilities that are more related to unfavourable rather than favourable outcomes.
Consequently, organizations are supposed to proactively manage risk, monitoring in a continuous and conscious way all the risks associated with their strategic objectives. Monitoring risk means that permanent measurement of the severity and evolution of risks within the organization should be done with the objective of maintaining an overall risk profile aligned with the strategic objectives of the organization (Van Staveren, 2009). The management of risk is therefore an integral part of the organization and its processes, with an understanding that potential upside and downside factors can affect the organization. According to this view, the main objective of risk management is to understand in advance the impact of each risk factor on the future performance of the organization (Hopkin, 2002).
Due to the importance of risk management processes, several steps have been proposed to manage risk. Despite that, no specific model has been proposed to manage the risk of fraud. Previous research has indicated that the role of risk management has been overlooked by researchers. For example, Omer, Aljaaidi and Al-Moataz (2020) highlight that the role of the risk management committee as one of the corporate governance mechanisms has been overlooked by researchers in the field of audit report lag, as the committee is regarded as playing a minor and insignificant role in financial reporting procedures. It is well understood that fraud can have grave consequences for individuals, companies and society as a whole; therefore a systematic fraud risk management model is the need of the hour to help companies curb the risk of fraud.
3. Research Methodology
As indicated above, a content analysis of previous literature is used as the technique for gathering data. This process usually involves codifying qualitative and quantitative information into pre-defined categories in order to derive patterns in the presentation and reporting of information (Guthrie & Abeysekara, 2006). For the purpose of our study, we have used codified qualitative information from the established previous literature, primarily because there are no specific studies that discuss the whole process of fraud risk management in detail. The process begins with identifying the general processes of risk management. In general, Van Staveren (2009) states that the risk management process or cycle consists of at least five stages: determining the objectives, identifying the risks, evaluating the risks, considering alternatives and selecting the risk treatment devices, and, as the fifth and final stage, implementation and review.
We attempted to apply general risk management processes to fraud risk management processes by codifying them into several themes, which are the objectives of fraud risk management. These themes are: to identify fraud risk, to evaluate fraud risk, to prevent fraud risk and to monitor fraud risk. Before segregating these themes into sub themes, we searched for more relevant literature which discusses the process; the third step therefore consists of searching general literature related to each of the themes. This is done to get an idea of the sub themes of the main themes that can help us find more relevant literature about fraud risk management processes. Based on this third step, we find several sub themes of the main themes, as shown in Table 1:
Table 1: Sub themes of Fraud Risk Management Process
The sub themes are the alternative words used to search for previous literature related to the main themes of the fraud risk management process. By having these sub themes, we are able to get a more comprehensive view of a fraud risk management model that can be used to prevent fraud successfully. Next, all the literature that has been identified is reviewed and analyzed in order to get a broad picture of the fraud risk management process. In addition to reviewing the literature for developing a comprehensive fraud risk management model, we have analyzed governance issues that may arise in each of the main themes of the fraud risk management process. Our objective is to ensure that the fraud risk management model that we propose can be implemented effectively if those issues are overcome earlier.
4. Results and Findings
4.1. Fraud Risk Management Process
There are five steps that need to be followed in fraud risk management process which are:
Step 1: Inculcating the Culture of Managing Risks among the Organizations
Under this perspective the literature prescribes that inculcating a culture of managing risk is very important and thus should be formalized in a “corporate or organizational risk management policy”. Thus, one needs to understand the objective and importance of the fraud risk management process. Fraud risk is ontologically different from fraud. While fraud is an actual act, fraud risk deals with possibility and thus can and must be governed. Fraud is an intentional act committed to procure an unfair or unlawful gain. It includes fraudulent financial reporting, misappropriation of assets, and procurement of illegal revenue or of assets procured illegally. Meanwhile, fraud risk is a distinctive framing of risk which has to be managed in the present. Thus, it deals with rules, ideas, roles, procedures, routines and texts, focusing on risk, control systems and managerial responsibility (Power, 2013). Cohen (1985) predicted that the emergence of fraud risk is symptomatic of a more general risk-based turn in approaches to crime, regulation and governance. An important strand in the history of ‘fraud risk’ is to be found in auditing and in the progressive problematization of auditors’ responsibilities for the prevention and detection of fraud.
Spikin (2013) outlined several important aspects of fraud risk management as mentioned by Padovani and Tugnoli (2005). First, the increasing volatility and competition which organizations have to face in this era have forced them to implement at least some level of risk awareness. Second, organizations in general are facing legal requirements from authorities and regulators who are demanding the implementation of increasingly sophisticated risk management practices. In addition, current technology has also exposed organizations to different sorts of new significant threats. This scenario has created new types of risks and an increase in the impact and frequency of existing risks. Hence it can be concluded that the modern recognition of risk management as a process that complements and integrates with other processes in the organization, in a continuous and formalized manner, seems to be a practical approach to the reality that organizations face. In this sense, the process of risk management is not only an instrument to prevent and manage the impact of damaging events on the organization, but also a way to discover opportunities (Padovani & Tugnoli, 2005).
Step 2: Identifying and assessing fraud risk
The second step of a standard risk management process is related to the identification of the risks that the organization might face. Lister (2007) states that fraud risk assessment is an essential component of an anti-fraud strategy as it alerts key stakeholders such as internal auditors, compliance officers and executives to fraud vulnerabilities so that action can be taken to mitigate them. Fraud risk assessment is part of the proactive component of the anti-fraud program, which in the end can improve stakeholder confidence in the organization, which in turn can attract investors, maintain customers and lower financing costs. SAS 99 requires auditors to gather the information necessary to identify risks of material misstatement due to fraud. SAS No. 82 paragraph 31 (1997) states that auditors need to consider fraud risk factors, which can be described as events or conditions that indicate the existence of incentives or pressures to perpetrate fraud or opportunities to carry out fraud.
The identification stage is normally performed by using several instruments such as internal records of the organization, insurance policy checklists, risk analysis questionnaires, flow process charts, analysis of financial statements, inspection of the firm’s operations and interviews, among others (Vaughan, 1999). Nevertheless, Trotman and Wright (2012) state that internal evidence is exposed to manipulation as it is under the control of management. Trotman and Wright (2012) thus suggested that fraud risk assessment should also rely on external evidence related to business objectives. They assert that external evidence is most useful in detecting fraud and thus should be included in the fraud risk assessment stage.
Drawing on the triangulation framework of audit evidence, Bell, Peecher and Solomon (2005) and Peecher, Schwartz and Solomon (2007) describe a model of fraud risk assessment which consists of three sources. The first is Management Information Intermediaries (MII). MII can have both a financial emphasis (i.e. internal controls over financial reporting, financial accounting standards and supporting personnel such as bookkeepers and internal auditors) and a non-financial emphasis (i.e. systems and processes to help make key strategic, operating and business process decisions). The second is MBR, which consists of accounting journals, ledgers, financial statements and press releases. MII and MBR represent internal evidence. The third is EBS, which consists of information from customers or other external parties such as suppliers, regulators, capital markets and competitors. It represents external evidence in fraud risk assessment and is thus of particular interest, as it cannot be easily manipulated by the management. Among these three sources, MII acts as an intermediary between MBR and EBS as it gathers information, measures and transforms EBS into a variety of MBR.
Smith, Omar, Sayd Idris and Baharuddin (2005) stress that fraud risk factors can be flagged using the red flag indicators of fraud. The red flags provide early warnings and alarms for various types of fraud. Many researchers (Romney, Albrecht & Cherrington, 1980; Loebbecke, Eining & Willingham, 1989; Heiman-Hoffman, Morgan & Patton, 1996; Koornhof & Du Plessis, 2000; Apostolou, Hassell, Webber & Sumners, 2001; Gullkvist & Jokipii, 2013) have used SAS-based red flag systems in their research. The research has divided the red flags into three categories, which are (1) management characteristics and influence over the control environment, (2) industry conditions and (3) operating and financial stability characteristics. Below are the categories of red flags based on SAS 82 (see Table 2).
Table 2: Fraud Risk Factors in Shortened Versions of the Definitions Used in SAS No. 82
Step 3: Evaluating the level of importance of fraud risk
This step is crucial as it determines which fraud risks we should focus on in relation to others. In a normal risk management process, the importance of an assessed risk is usually evaluated by multiplying the likelihood of the risk occurring by its impact (probability x impact). The value of the evaluation is portrayed as a risk index. Below are examples of the risk matrix usually used in evaluating the importance of a risk (see Tables 3, 4 and 5).
Table 3: Risk Matrix for Evaluating the Importance of Risk
Table 4: General Guideline for Assessing Probability of Risk
Table 5: General Guideline for Assessing Impact of Risk
Nevertheless, the evaluation of both the probability and its impact depends on the judgement of the parties that assess the risk. This is because they are the ones who are involved directly with the risk assessed. In fraud risk management, the parties who usually assess the risk are auditors and the risk management committee. To date, there is no specific guideline on what constitutes the most significant fraud risk indicator. As such, auditors assume that all the indicators are equally important (Smith et al., 2005). Thus, they either try to focus on all the risks assessed or, alternatively, assume that all the indicators are common risks that exist in the companies.
Apostolou et al. (2001), in their exploratory study, reported how 140 auditors rate the relative importance of 25 risk factors identified in SAS No. 82. Based on the three types of fraud risk indicators, which are (1) management characteristics and influence over the control environment, (2) industry conditions and (3) operating and financial stability characteristics, the results of their analytic hierarchy process indicate that 58.2 percent of auditors put weight on the red flags dealing with management characteristics and their influence over the control environment. Meanwhile, 27.4 percent and 14.4 percent of auditors perceive operating and financial stability characteristics and industry conditions as equally important. It can be concluded that the management characteristics and influence over the control environment risk indicators are rated about twice as important as operating and financial stability characteristics and four times as important as industry conditions red flags. Smith et al. (2005) conducted the same study in Malaysia’s institutional setting, particularly in the Klang Valley area. Using 25 fraud indicators, only seven of the red flags have an average score of 3.00, which indicates that they are generally important. The seven indicators are listed in Table 6:
Table 6: Seven Indicators of Red Flag That Have an Average Score of 3.00 by Smith et al. (2005)
Based on these results, it was concluded that none of the items from the industry conditions group was ranked as an important fraud risk indicator. The category was considered external to the organization and thus beyond the control of the management. Smith et al. (2005) also tested the rank of importance based on the group mean, and their results indicate that operating and financial stability characteristics are perceived to be the most important compared to the other two groups. This is followed by management influence over the control environment, and the least important is the condition of the industry.
In a more recent study, Gullkvist and Jokipii (2013) compared the perceived importance of the categories under fraudulent financial reporting (consisting of management characteristics and operating and financial stability) and the categories under misappropriation of assets (consisting of susceptibility of assets to misappropriation and adequacy of controls) using 28 indicators of fraud. In addition to the perceptions of external and internal auditors, Gullkvist and Jokipii (2013) extend the analysis of the perceived importance of fraud risk indicators to economic crime investigators, as they are among the parties involved in deterring, detecting and investigating suspicions of fraud. Comparing all four categories, their results indicate that internal auditors, external auditors and crime investigators perceive the importance of each of the red flags differently. Nevertheless, in fraudulent financial reporting, external auditors and crime investigators perceive the operating and financial stability category as more important than management characteristics. Meanwhile, internal auditors perceive management characteristics as more important than operating and financial stability. Previous research provides consistent evidence that red flags from internal evidence, which are management characteristics, management influence over the control environment, adequacy of controls, and operating and financial stability, are more important than the red flag from external evidence, which is industry conditions. This is because those red flags are under the control of management.
Step 4: Determining preventive action for risk assessed
This is the crucial part of the risk management process as it determines whether the risk identified can be prevented early or not. Power (2013) stresses that in the context of fraud risk management, the apparatus for preventing fraud risk is required to be a blend of managerialization and legalization. Managerialization deals with all the activities that are done to keep the business safe, while legalization is an extensive due process which is taken seriously by the management. Managerialization is regarded as a ‘soft’ approach to controlling processes which requires centralized oversight of fraud risk, whereas legalization is an assurance that the companies take corrective action. Thus, legalization is an extensive step which ensures that a new red flag of fraud has to follow a process so that operations remain auditable. The legalization process provides securitization in order to ensure that the companies respond to the fraud risk identified and take preventive action so that the risks do not become a reality. Power (2013) provides the example that on 17th December 2007, the UK Financial Services Authority issued a financial penalty of £1.26 million to several regulated entities in the Norwich Union Group for failing to take reasonable care to ensure that they had effective systems and controls to respond in an appropriate way and in a timely manner to potential and actual risks arising from a series of actual and attempted frauds in 2006.
Despite the difference in the outcomes of the two approaches, most fraud preventive action focuses on the managerialization approach, as legalization will create regulatory risk for the companies. Based on the CIMA guideline on fraud risk management, there are four categories of risk response strategy, which are listed below (see Table 7).
Table 7: Categories of Response Strategy (CIMA, 2008)
The selection of the response strategy above depends on the risk appetite of the organization. Risk appetite is defined as the level of risk that the organization is prepared to take, which has to be determined by the Board (CIMA, 2008). Thus, before the management determines its response strategy, it needs to be informed of the level of risk appetite of the organization by the Board. Of the four response strategies above, it can be concluded that risk reduction needs more careful consideration than the other three. This is because the management needs to strategize how to reduce risk. Those risks cannot be avoided, but a good strategy needs to be implemented in order to reduce them to a certain level. CIMA (2008) highlighted that the most effective way to prevent fraud is by adopting strategies that address opportunity, pressure, rationalization and capability. Such strategies decrease the motives, reduce the opportunities and limit the capability and ability of fraudsters to rationalize their actions.
Among the fraud risk preventive actions that have been highlighted by previous research are the introduction of policies, procedures and controls, and activities such as training and fraud awareness to stop frauds from occurring. Other effective ways in which companies can prevent or discourage fraud are to maintain a fraud policy, establish a telephone hotline, check employee references prior to employment, conduct a vulnerability review that investigates the organization’s exposure to fraud, review company contracts and agreements, carry out analytical reviews of financial statement trends and ratios, and use password protection for cyber businesses and e-commerce, firewall protection, digital analysis, discovery sampling, internal control procedures, internal audit and corporate governance (Bierstaker, Brody & Paccini, 2006; CIMA, 2008; Halbouni, Obeid, & Garbou, 2016).
All the response strategies that have been set must be communicated in an effective way to those who are responsible and accountable for the actions. This is important for the simple reason that a person discovering fraud may not be the person who is responsible for taking the measures to stop the fraud. That is why the risk management process requires involvement from the top to the bottom of the organization in order to ensure that it can actually be implemented. CIMA (2008) highlighted that for the response strategies to be effective, it is essential that responsibility for each specific action is assigned to the appropriate operational manager and that there are clear target dates for each action to happen. It is also important to obtain the cooperation of those responsible for the strategy through formal communication, seminars, action plans and adjustments to budgets.
Step 5: Implementing and Reviewing Fraud Risk Response Strategy
This is the last step of the fraud risk management process, and it determines whether the risk management processes carried out from the first step to the fourth step are successful or not. All the fraud risk response strategies that have been determined in the fourth step above should be implemented in order to ensure that fraud risk can really be prevented and the occurrence of fraud curbed. In addition, once they have been implemented, they need to be analysed and monitored in order to determine whether the response strategies determined earlier are effective or not. This is the most challenging step as it needs a culture of awareness, care, alertness, responsibility and accountability. Risks that have been determined are successfully managed when they are eliminated, reduced, avoided or transferred to the proper place.
4.2. Critical Analysis on Governance Issues in Fraud Risk Management Process
The second objective of this paper is to analyse the governance issues that arise from each step of the risk management process. Recently, the risk management process has been acknowledged as a process that is expected to help companies deter fraud earlier. The new release of the Malaysian Code of Corporate Governance 2017 (MCCG 2017) by the Securities Commission states that companies need to have strong internal control and risk management functions. The role of the risk management function is to identify business threats and opportunities. This function is expected to help companies make sound business decisions by incorporating the level of risk that they are willing to accept and executing the necessary action to achieve business objectives (Ishak & Mohamad Nor, 2017). In realizing the intended outcome of MCCG 2017, it is important to have an effective risk management framework to help companies take preventive action on business threats such as fraud. Thus, in this section we highlight several governance issues at each step of the risk management process that companies need to pay attention to.
In step 1, determining the objectives of the fraud risk management process, it is important for companies to communicate its importance, which will help deter fraud earlier. As we want to move from fraud detection to fraud prevention, there is a crucial need for companies to ensure that everybody in the organization understands the process and its importance to the organization. This understanding will create a culture of caution and care towards one's surroundings, and of responsibility and accountability for the actions taken. Two issues arise here. First, how should the importance of the risk management process be communicated so that all the concerned parties appreciate it? Second, if the importance of risk management is well communicated, how can it be ensured that the risk management culture is embedded in the corporate culture? The Australia/New Zealand Risk Management Standard defines risk management as the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects (AS/NZS 4360 Risk Management Standard, 2004). Therefore, organizations need to pay attention to these two issues in order to ensure that risk management is not merely a process but is established as part of the organizational culture.
In steps 2 and 3, risks are identified from different sources, both internal and external, and are evaluated according to their level of importance. The understanding of these two steps is vital as it determines all the possible fraud threats that should be taken care of. These steps need alertness, as people might ignore the threats for different reasons even though they know the consequences of the risks. First, it is possible that the person who commits the fraud is the same person who is responsible and accountable for the action to prevent fraud. Thus, one should not rationalize and be complacent about the existence of a fraud threat. Second, the implementation process might be regarded as tedious, as the management has to analyze whether the fraud threat may happen or not and what the probability of it happening is. Thus, the apparent issue after these two steps is whether measures against the fraud threat should be applied or not. Companies might appreciate the importance of risk management, but when it comes to implementation, it is hard to do. Do the companies consider risk from each of the sources, given that different sources reflect different red flags? Do the auditors or the risk management committee use the risk matrix in justifying the level of importance of a fraud risk? Is it done cautiously, or merely to comply with best practices? Teller (2013) highlights the fact that there is a large body of literature on the importance of the risk management process, but literature on how it should be applied and integrated into project success is scarce.
Togok, Isa and Zainuddin (2016) investigated the practice of Enterprise Risk Management (ERM) among Malaysian companies and found that they rarely disclose details of their risk management programmes (Hoyt & Liebenberg, 2011; Liebenberg & Hoyt, 2003; Pagach & Warr, 2010). There is no effective communication to all the concerned parties, ranging from a description of the risks that affect the firm’s strategies to the actions ultimately taken by management to leverage emerging risk opportunities and to minimise the risk of failures (Beretta & Bozzolan, 2004). Thus, the risk management system carries little benefit for such firms and their stakeholders.
Step 4 highlights that there are two approaches to determining the preventive action for fraud risk factors: the managerialization approach and the legalization approach. To date, a lot of research has been done to seek the best method of preventing fraud, i.e., corporate governance, whistleblowing systems and internal control procedures, as part of the fraud risk management process. Nevertheless, most of the methods focus on the managerialization approach. In emerging countries like Malaysia, for example, risk management is still at a preliminary stage (Togok et al., 2016). Without strong enforcement by regulators, companies might not implement the risk management process or, at least, not in a speedy manner (Acharyya & Johnson, 2006; Togok et al., 2016). Thus, before moving towards legalizing the risk management framework, a lot of effort is needed and issues need to be solved in order to ensure that risk management becomes a corporate culture in which every party in the organization is alert, careful, cautious, responsible and accountable for its actions.
Step 5 of the fraud risk management process highlights the need for a system through which top management can monitor all the fraud risk factors in an organization. Currently, perhaps, the effectiveness of the actions taken to curb fraud is monitored through regular meetings and discussions, to ensure that those who are responsible for the actions implement the preventive fraud strategies. Therefore, the seriousness of a fraud risk factor would not be communicated unless a meeting is held or the person in charge really cares about and is alert to the fraud risk factors. In creating a risk care culture, there should be a system through which top management can monitor all the identified risk factors in a timely manner. The existence of this system can hopefully motivate and provide initiative for those who identify the risk factors, and ensure that top management pays attention to those risk factors.
The objectives of this paper are to explore the whole process of fraud risk management strategies that should be implemented by organizations and to investigate the governance issues at each stage of the fraud risk management process. Our content analysis highlights the need for a comprehensive and effective framework for the fraud risk management process in order to ensure that the objective of companies and regulators, to reduce fraud in the future, is achieved. This paper highlights that risk management is not merely a process; rather, it is about embedding the process into the organizational culture. The process requires alertness, care, caution, responsibility and accountability for every determined action. This paper also contributes to the understanding of the governance issues which arise at each stage of the fraud risk management process and need to be solved to ensure that the objectives of the process are realized.
This paper has implications for companies in understanding the effective framework to be applied to curb fraud cases in the future. The process is a detailed one that needs the attention and participation of every concerned party in the organization. It also highlights the role of regulators in ensuring that the risk management process is not just a matter of compliance but of appreciating the effectiveness of the process. Future research may investigate the real implementation of the risk management framework among listed companies in order to know the extent of its application in mitigating fraud. In moving towards Industrial Revolution 4.0, future research may also propose a system to monitor the risk management process, which eventually may lead to the effectiveness of the process.
The authors wish to express their gratitude to the Ministry of Higher Education, Malaysia, for funding this research project through the Grant Scheme (600-IRMI/FRGS 5/3 (070/2017)) and to Universiti Teknologi MARA (UiTM) Kelantan for the administrative support.
- ACFE (Association of Certified Fraud Examiner). (2014). Report to the Nations on Occupational Fraud and Abuse. ACFE Publication. Retrieved January 12, 2019, from https://www.acfe.com/rttn/docs/2014-report-to-nations.pdf
- Acharyya, M., & Johnson, J. (2006). Investigating the development of enterprise risk management in the insurance industry: An empirical study of four major European insurers. The Geneva Papers on Risk and Insurance, Special Issue July, 55-80.
- Apostolou, B. A., Hassell, J. M., Webber, S. A., & Sumners, G. E. (2001). The relative importance of management fraud risk factors. Behavioral Research in Accounting, 13(1), 1-24. https://doi.org/10.2308/bria.2001.13.1.1
- Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of enterprise risk management. Accounting, Organizations and Society, 35(7), 659-675. https://doi.org/10.1016/j.aos.2010.07.003
- AS/NZS 4360. (2004). Risk Management (3rd ed.). Standards Australia/Standards New Zealand. Retrieved February 15, 2019, from https://www.saiglobal.com/PDFTemp/Previews/OSH/as/as4000/4300/4360-2004.PDF
- Bell, T. B., Peecher, M. E., & Solomon, I. (2005). The 21st century public company audit: Conceptual elements of KPMG's global audit methodology. KPMG LLP.
- Beretta, S., & Bozzolan, S. (2004). A framework for the analysis of firm risk communication. The International Journal of Accounting, 39(3), 265-288. https://doi.org/10.1016/j.intacc.2004.06.006
- Bierstaker, J. L., Brody, R. G., & Pacini, C. (2006). Accountants' perceptions regarding fraud detection and prevention methods. Managerial Auditing Journal, 21(5), 520-535. https://doi.org/10.1108/02686900610667283
- Campbell, S. (2005). Determining overall risk. Journal of Risk Research, 8(7-8), 569-581. https://doi.org/10.1080/13669870500118329
- CIMA (Chartered Institute of Management Accountant). (2008). Fraud risk management: A guide to good practice. CIMA Publication. Retrieved January 12, 2019, from https://www.cimaglobal.com/documents/importeddocuments/cid_techguide_fraud_risk_management_feb09.pdf.pdf
- Clauss, P., Roncalli, T., & Weisang, G. (2009). Risk management lessons from Madoff Fraud. Credit, Currency, or Derivatives: Instruments of Global Financial Stability or crisis? International Finance Review, 10, 505-543. https://doi.org/10.1108/S1569-3767(2009)0000010019
- Cohen, S. (1985). Visions of Social Control. London, UK: Polity.
- Cressey, D. R. (1953). Other people's Money: A study of the social psychology of embezzlement. Montclair, NJ: Patterson Smith.
- Faccio, M., Masulis, R. W., & McConnell, J. J. (2006). Political connections and corporate bailouts. The Journal of Finance, 61(6), 2597-2635. https://doi.org/10.1111/j.1540-6261.2006.01000.x
- Gates, S., Nicolas, J. L., & Walker, P. L. (2012). Enterprise risk management: A process for enhanced management and improved performance. Management Accounting Quarterly, 13(3), 28-38. https://hal.archives-ourvertes.fr/hal-00857435
- Graham, J. D., Wiener, J. B., & Sunstein, C. R. (Eds.). (1995). Risk vs. risk. Cambridge, MA: Harvard University Press.
- Gullkvist, B., & Jokipii, A. (2013). Perceived importance of red flags across fraud types. Critical Perspectives on Accounting, 24(1), 44-61. https://doi.org/10.1016/j.cpa.2012.01.004
- Guthrie, J., & Abeysekera, I. (2006). Content analysis of social, environmental reporting: what is new? Journal of Human Resource Costing & Accounting, 10(2), 114-126. https://doi.org/10.1108/14013380610703120
- Halbouni, S. S., Obeid, N., & Garbou, A. (2016). Corporate governance and information technology in fraud prevention and detection: Evidence from the UAE. Managerial Auditing Journal, 31(6/7), 589-628. https://doi.org/10.1108/MAJ-02-2015-1163
- Heiman-Hoffman, V. B., Morgan, K. P., & Patton, J. M. (1996). The warning signs of fraudulent financial reporting. Journal of Accountancy, 182(4), 75-77.
- Hess, M. F., & Cottrell Jr, J. H. (2016). Fraud risk management: A small business perspective. Business Horizons, 59(1), 13-18. https://doi.org/10.1016/j.bushor.2015.09.005
- Hope, B., & Wright, T. (2016). U.S. Links Malaysian Prime Minister to Millions Stolen from Development Fund. The Wall Street Journal. Retrieved January 12, 2019, from https://www.wsj.com/articles/u-s-seeks-1-billion-in-asset-seizures-tied-to-malaysian-fund-1mdb-1469019540
- Hopkin, P. (2002). Holistic risk management in practice. London, UK: Witherbys Printing.
- Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of Risk and Insurance, 78(4), 795-822. https://doi.org/10.1111/j.1539-6975.2011.01413.x
- Ishak, S., & Mohamad Nor, M. N. (2017). The Role of Board of Directors in the Establishment of Risk Management Committee. In: Proceedings of the SHS Web of Conferences (Vol. 34, pp. 1-4). 17th Annual Conference of the Asian Academic Accounting Association, Kuching, Sarawak, November 20-22, 2016. EDP Sciences.
- Iyer, N., & Samociuk, M. (2016). Fraud and corruption: Prevention and detection. London, UK: Routledge.
- Johnson, S., & Mitton, T. (2003). Cronyism and capital controls: evidence from Malaysia. Journal of Financial Economics, 67(2), 351-382. https://doi.org/10.1016/S0304-405X(02)00255-6
- Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 11-27. https://doi.org/10.1111/j.1539-6924.1981.tb01350.x
- Knight, F. H. (1921). Risk, uncertainty and profit (Vol. 31). Boston, MA: Houghton Mifflin.
- Koornhof, C., & Du Plessis, D. (2000). Red flagging as an indicator of financial statement fraud: The perspective of investors and lenders. Meditari Accountancy Research, 8(1), 69-93. https://doi.org/10.1108/10222529200000005
- KPMG. (2014). KPMG Malaysia Fraud, Bribery and Corruption Survey 2013. KPMG Publication. Retrieved February 15, 2019, from https://www.academia.edu/7301608/KPMG_Malaysia_Fraud_Bribery_and_Corruption_Survey_2013
- Leuz, C., Nanda, D., & Wysocki, P. D. (2003). Earnings management and investor protection: An international comparison. Journal of Financial Economics, 69(3), 505-527. https://doi.org/10.1016/S0304-405X(03)00121-1
- Liebenberg, A. P., & Hoyt, R. E. (2003). Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers. Risk Management and Insurance Review, 6(1), 37-52. https://doi.org/10.1111/1098-1616.00019
- Lister, L. A. (2007). Practical Approach to Fraud Risk: Comprehensive Risk Assessment Can Enable Auditors to Focus Anti-Fraud Efforts on Areas Where Their Organization is Most Vulnerable. Internal Auditors, 64(6), 1-30.
- Loebbecke, J. K., Eining, M. M., & Willingham, J. J. (1989). Auditors experience with material irregularities-frequency, nature, and detectability. Auditing-A Journal of Practice & Theory, 9(1), 1-28.
- Lowrance, W. W. (1976). Of acceptable risk: Science and the determination of safety. Los Altos, CA: William Kaufmann, Inc.
- Malaysia Today. (2017). PKFZ: The Scandal with No Culprits? Malaysia Today Newsletter. Retrieved January 12, 2019, from https://www.malaysia-today.net/2017/03/17/pkfz-the-scandal-with-no-culprits/
- Mazumder, M. M. M., & Hossain, D. M. (2018). Research on corporate risk reporting: Current trends and future avenues. Journal of Asian Finance, Economics and Business, 5(1), 29-41. https://doi.org/10.13106/jafeb.2018.vol5.no1.29
- Nahar Abdullah, S. (2006). Directors' remuneration, firm's performance and corporate governance in Malaysia among distressed companies. Corporate Governance: The International Journal of Business in Society, 6(2), 162-174. https://doi.org/10.1108/14720700610655169
- Nguyen, H., Ngo, T. K. T., & Le, T. T. (2020). Risk of Material Misstatement in the Stage of Audit Planning: Empirical Evidence from Vietnamese Listed Enterprises. Journal of Asian Finance, Economics, and Business, 7(3), 137-148. https://doi.org/10.13106/jafeb.2020.vol7.no3.137
- Omer, W. K. H., Aljaaidi, K. S., & Al-Moataz, E. S. (2020). Risk Management Functions and Audit Report Lag among Listed Saudi Manufacturing Companies. Journal of Asian Finance, Economics and Business, 7(8), 61-67. https://doi.org/10.13106/jafeb.2020.vol7.no8.061
- Padovani, R., & Tugnoli, A. (2005). Enterprise Risk Management in Non-Financial Enterprises: Theoretical Aspects and Case Studies in the Italian Market. Faculty of Systems Engineering, Polytechnic University of Milan, Italy.
- Pagach, D. P., & Warr, R. S. (2010). The effects of enterprise risk management on firm performance. SSRN Working Paper. Retrieved February 15, 2019, from file:///C:/Users/ASUS/Downloads/SSRN-id1155218.pdf
- Peecher, M., Schwartz, R., & Solomon, I. (2007). It's all about audit quality: Perspectives on strategic-systems auditing. Accounting, Organizations and Society, 32(4-5), 463-485. https://doi.org/10.1016/j.aos.2006.09.001
- Power, M. (2013). The apparatus of fraud risk. Accounting, Organizations and Society, 38(6-7), 525-543. https://doi.org/10.1016/j.aos.2012.07.004
- Romney, M. B., Albrecht, W. S., & Cherrington, D. J. (1980). Auditors and the detection of fraud. Journal of Accountancy, 149(5), 63-69.
- Rosa, E. A. (1998). Metatheoretical foundations for post-normal risk. Journal of Risk Research, 1(1), 15-44. https://doi.org/10.1080/136698798377303
- Securities Commission. (2017). Malaysian Code of Corporate Governance 2017. Securities Commission Publication. Retrieved January 12, 2019, from www.sc.com.my/wp-content/uploads/eng/html/cg/mccg2017.pdf
- Smith, M., Omar, N., Sayd Idris, S. I. Z., & Baharuddin, I. (2005). Auditors' perception of fraud risk indicators: Malaysian evidence. Managerial Auditing Journal, 20(1), 73-85. http://dx.doi.org/10.1108/02686900510570713
- Sobel, P. J., & Reding, K. F. (2004). Aligning corporate governance with enterprise risk management. Management Accounting Quarterly, 5(2), 29-37.
- Spikin, I. C. (2013). Risk Management theory: The integrated perspective and its application in the public sector. State, Government and Public Administration, (21), 89-126. https://doi.org/10.5354/0717-8980.2013.29402
- Teller, J. (2013). Portfolio risk management and its contribution to project portfolio success: An investigation of organization, process, and culture. Project Management Journal, 44(2), 36-51. https://doi.org/10.1002/pmj.21327
- Togok, S. H., Isa, C. R., & Zainuddin, S. (2016). Enterprise risk management adoption in Malaysia: A disclosure approach. Asian Journal of Business and Accounting, 9(1), 83-104.
- Trotman, K. T., & Wright, W. F. (2012). Triangulation of audit evidence in fraud risk assessments. Accounting, Organizations and Society, 37(1), 41-53. https://doi.org/10.1016/j.aos.2011.11.003
- Van Staveren, M. T. (2009). Risk, innovation & change: Design propositions for implementing risk management in organizations. PhD Dissertation. University of Twente. Enschede, The Netherlands.
- Vaughan, D. (1999). The dark side of organizations: Mistake, misconduct and disaster. Annual Review of Sociology, 25, 271-305. https://doi.org/10.1146/annurev.soc.25.1.271
- Willis, H. H. (2007). Guiding resource allocations based on terrorism risk. Risk Analysis: An International Journal, 27(3), 597-606. https://doi.org/10.1111/j.1539-6924.2007.00909.x