Corporate Fraud Risk Management: learn how to improve controls and minimize occurrences

By May 22, 2020 No Comments

*Kelli Ribeiro

Corporate fraud is common in all types and sizes of organizations.

In Brazil, the average loss of fraud losses reaches 5% of annual revenues according to company report Association of Certified Fraud Examiners (ACFE) and companies specialized in preventing corporate risks.

The advancement of technology motivates fraudsters to increasingly sophisticated their methods of attack, however the new regulations seek to establish stricter rules.

Types of fraud

The strategies used by fraudsters are increasingly improved to circumvent the internal controls adopted by organizations.

Corporate fraud generally falls into the following categories:

  • Misappropriation of information and assets;
  • Cyber crimes;
  • Deviation schemes in payroll, cash and accounting;
  • Reimbursement of fictitious expenses, among others.

 Measures to minimize the occurrence of fraud

Fraud is less likely to occur in companies where there are internal controls and constant monitoring.

Risk assessment is a fundamental process for identifying risks and establishing controls. It consists of three stages:

  • Identification of risks;
  • Risk analysis; and
  • Risk assessment.

The result obtained after the evaluation of its controls, the so-called residual risks, will be decisive for assessing the processes in detail and the loopholes that facilitate the realization of fraud and other illicit acts.

The well-established risk assessment in the organization and in conjunction with the existence of other strict Information Security controls, which are well implemented, have constant monitoring and concern for making users aware, will facilitate the identification of fraudsters' behaviors.

Information Security Controls

The following information security controls help to minimize the risk of fraud in the corporate environment:

  • Ensure the protection of information since it is a resource that allows fraud to be carried out;
  • Establish access controls (identification, authentication and user authorization);
  • Record and monitor the access logs for auditing;
  • Periodically evaluate information security in systems and applications;
  • Monitor security indicators and incidents reported by the Information Security area;
  • Periodically report to the top management the security level of the organization, including information on areas that have problems, with recommendations for improvement.


Fraud is an imminent risk to any organization. To combat them, it is necessary to invest efforts to minimize losses.

Large organizations have mapped processes, but they do not guarantee the continuous improvement of controlstherefore, it is necessary to decentralize the processes, act in continuous improvement and make system users aware.

People should receive training and capacity building to develop the know how necessary to address this view of risks in their activities and act preventively to identify possible frauds.

* Kelli Ribeiro is GRC Specialist Consultant at [SAFEWAY] | Compliance | LGPD | ISO 27001,20000 and 22301


THE SAFEWAY is an Information Security consulting company, recognized by its clients for offering high added value solutions, through projects that fully meet the needs of the business. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence in our clients, who constitute, in large part, the 100 largest companies in Brazil.