FRAUD RISK ASSESSMENT Flashcards
factors that influence how at risk an organisation is to fraud
- The business it is in
- The environment in which it operates
- The effectiveness of the internal controls within the business processes
- The ethics and values of the company and the people within it
Fraud Risk Assessment
a process aimed at proactively identifying and addressing an organisation’s vulnerabilities to internal and external fraud
Objective of a Fraud Risk Assessment
the objective of a fraud risk assessment is to help an organisation identify what makes it most vulnerable to fraud
Why Should Organisations Conduct Fraud Risk Assessments?
Improve Communication and Awareness About Fraud
Identify What Activities Are the Most Vulnerable to Fraud
Know Who Puts the Organisation at the Greatest Risk
Develop Plans to Mitigate Fraud Risk
Develop Techniques to Determine If Fraud Has Occurred in High-Risk Areas
What Makes a Good Fraud Risk Assessment?
A good fraud risk assessment is one that fits within the culture of the organisation, is sponsored and supported by the right people, encourages everyone to be open in his participation, and is generally embraced throughout the business as an important and valuable process.
Engendered Trust
If the organisation and its employees do not trust the people leading and conducting the fraud risk assessment, they will not be open and honest about the realities of the business, its culture, and its vulnerability to fraud.
The Ability to Think the Unthinkable
A good fraud risk assessment has to allow for the people leading and conducting the assessment to be expansive in their consideration and evaluation of fraud risk.
A Plan to Keep It Alive and Relevant
The organisation should strive to keep the process alive and relevant through ongoing dialogue, active management of action plans, and development of procedures to ensure the assessment is maintained on a current basis.
Considerations for Developing an Effective Fraud Risk Assessment
Packaging It Right
One Size Does Not Fit All
Keeping It Simple
The goals of preparing the company for a fraud risk assessment should be to:
- Assemble the right team to lead and conduct the fraud risk assessment.
- Determine the best techniques to use in conducting the fraud risk assessment.
- Obtain the sponsor’s agreement on the work to be performed.
- Educate the organisation and openly promote the process.
Techniques to Use to Conduct the Fraud Risk Assessment. Interviews
Interviews can be an effective way to conduct a candid one-on-one conversation.
Techniques to Use to Conduct the Fraud Risk Assessment. Focus Groups
Focus groups enable the assessor to observe the interactions of employees as they discuss a question or issue.
Techniques to Use to Conduct the Fraud Risk Assessment. Surveys
Surveys can be anonymous or directly attributable to individuals. Sometimes people will share more openly when they feel protected behind a computer or paper questionnaire.
Techniques to Use to Conduct the Fraud Risk Assessment. Anonymous Feedback Mechanisms
In some organisations, anonymous suggestion boxes or similar mechanisms are used to encourage and solicit frequent employee feedback. The use of an anonymous feedback mechanism can also be effective in an environment where people are less likely to be open and honest through other methods and techniques.
Obtain the Sponsor’s Agreement on the Work to be Performed
Before the fraud risk assessment procedures begin, the sponsor and the fraud risk assessment team need to agree on:
• The scope of work that will be performed
• The methods that will be used to conduct the work (e.g., surveys, interviews, focus groups, anonymous feedback mechanisms)
• The individuals who will participate in the chosen methods
• The content of the chosen methods
• The form of output for the assessment
Educate the Organisation and Openly Promote the Process
The fraud risk assessment process should be visible and communicated throughout the business.
Sample Fraud Risk Assessment Framework #1
- Identify potential inherent fraud risks.
- Assess the likelihood of occurrence of the identified fraud risks.
- Assess the significance to the organisation of the fraud risks.
- Evaluate which people and departments are most likely to commit fraud and identify the methods they are likely to use.
- Identify and map existing preventive and detective controls to the relevant fraud risks.
- Evaluate whether the identified controls are operating effectively and efficiently.
- Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls.
Sample Fraud Risk Assessment Framework #1. Identify Potential Inherent Fraud Risks
Brainstorming should include discussions regarding the following areas:
• Incentive programs and how they may affect employees’ behaviour when conducting business or applying professional judgment
• Pressures on individuals to achieve performance or other targets and how such pressures may influence employees’ behaviour
• Opportunities to commit fraud that arise from weak internal controls, such as a lack of segregation of duties
• Management personnel within the organisation generally know the controls and standard operating procedures that are in place to prevent fraud.
• Individuals who are intent on committing fraud may use their knowledge of the organisation’s controls to do it in a manner that will conceal their actions.
Fraud risks can be classified into three major areas: fraudulent financial reporting, asset misappropriation, and corruption.
Potential fraudulent financial reporting risks include:
- Inappropriately reported revenues, expenses, or both
- Inappropriately reflected balance sheet amounts, including reserves
- Inappropriately improved or masked disclosures
- Concealed misappropriation of assets
- Concealed unauthorized receipts, expenditures, or both
- Concealed unauthorized acquisition, disposition, or use of assets
Potential asset misappropriation risks include misappropriation of:
- Tangible assets
- Intangible assets
- Proprietary business opportunities
Potential corruption risks include:
- Payment of bribes or gratuities to companies, private individuals, or public officials
- Receipt of bribes, kickbacks, or gratuities
- Aiding and abetting of fraud by outside parties, such as customers or vendors
Certain other types of risks that can affect or be affected by each of the major areas of fraud risks include regulatory and legal misconduct, reputation risk, and risk to information technology (IT).
The likelihood of occurrence of each fraud risk can be classified as remote, reasonably possible, or probable.
The fraud risk assessment team should consider the following factors in assessing the likelihood of occurrence of each fraud risk:
- Past instances of the particular fraud occurring at the organisation
- Prevalence of the fraud risk in the organisation’s industry
- Internal controls environment of the organisation
- Resources available to address fraud
- Support of fraud prevention efforts by management
- Ethical standards of the organisation
- Number of individual transactions involved
- Complexity of the fraud risk
- Number of people involved in reviewing or approving a relevant process
- Unexplained losses
- Complaints by customers or vendors
- Information from fraud surveys such as ACFE’s Report to the Nation on Occupational Fraud & Abuse
The fraud risk assessment team should consider qualitative and quantitative factors when assessing the fraud risks to the organisation. The significance of each potential fraud can be classified as immaterial, significant, or material.
In assessing the significance of each fraud risk, the fraud risk assessment team should consider the following factors:
- Financial statement and monetary significance
- Financial condition of the organisation
- Value of the threatened assets
- Criticality of the threatened assets to the organisation
- Revenue generated by the threatened assets
- Significance to the organisation’s operations, brand value, and reputation
- Criminal, civil, and regulatory liabilities
Evaluate Which People and Departments Are Most Likely to Commit Fraud and Identify the Methods They Are Likely to Use
In identifying potential fraud risks, the risk assessment team will have evaluated the incentives and pressures on individuals and departments to commit fraud. The team should use the information gained in that process to identify the individuals and departments most likely to commit fraud and the methods they are likely to use.
Identify and Map Existing Preventive and Detective Controls to the Relevant Fraud Risks
After identifying and assessing fraud risks for likelihood of occurrence and for significance, the fraud risk assessment team should identify and map existing preventive and detective controls to the relevant fraud risks.
PREVENTIVE CONTROLS
• Bringing awareness to personnel throughout the organisation of the fraud risk management program in place
• Performing background checks on employees
• Hiring competent personnel and providing them with anti-fraud training
• Conducting exit interviews
• Implementing policies and procedures
• Segregating duties
• Ensuring proper alignment between an individual’s authority and his level of responsibility
• Reviewing third-party and related-party transactions
DETECTIVE CONTROLS
• Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline
• Implementing proactive fraud detection process controls, such as reconciliations, independent reviews, physical inspections/counts, analysis, and audits
• Implementing proactive fraud detection procedures, such as data analysis, continuous auditing techniques, and other technology tools
• Performing surprise audits
Evaluate Whether the Identified Controls Are Operating Effectively and Efficiently
Such an assessment requires:
• Review of the accounting policies and procedures in place
• Consideration of the risk of management’s override of controls
• Interviews with management and employees
• Observation of control activities
• Sample testing of controls compliance
• Review of previous audit reports
• Review of previous reports on fraud incidents, shrinkage, and unexplained shortages
Identify and Evaluate Residual Fraud Risks Resulting from Ineffective or Nonexistent Controls
Consideration of the internal control structure may reveal certain residual fraud risks, including management’s override of established controls that has not been adequately mitigated due to:
• Lack of appropriate prevention and detection controls
• Noncompliance with established prevention and control measures
These residual fraud risks should be evaluated by the fraud risk assessment team in the development of the fraud risk response for likelihood and significance of occurrence.
Sample Fraud Risk Assessment Framework #2—Fraud Risk Index
The following is a suggested framework that has two components: the Fraud Risk Index, which looks at indicators of areas that put the organisation at risk for fraud, and the Leadership Risk Profile, which examines the way business leaders operate to help determine if they behave or conduct business in a way that can increase the company’s risk of fraud.
Fraud Risk Index
The Fraud Risk Index is the overall assessment of fraud risk for the organisation based on three components:
• The Environmental Risk Index
• The Culture Quotient
• The Prevent/Detect Index
Fraud Risk Index. The Environmental Risk Index
The Environmental Risk Index is an assessment of macro-level fraud risk indicators that can affect the organisation’s vulnerability to fraud. These include factors such as pressures on the business, the organisation’s system of internal controls, the tone at the top, and the overall quality of the mechanisms that the company has in place to prevent and detect fraud.
Fraud Risk Index. The Culture Quotient
The Culture Quotient is an assessment of how the organisation and its people behave or are perceived to behave. The Culture Quotient includes the Tolerance Index, the Entitlement Index, and the Notification Index.
Tolerance Index
an assessment of the organisation’s tolerance for bad behaviour.
Entitlement Index
an assessment that helps determine whether people in the company display or promote a sense of entitlement.
Notification Index
an assessment of how likely it is that employees will come forward when they suspect something is wrong.
Prevent/Detect Index
assesses the quality of the specific mechanisms that the organisation has in place to prevent or detect potential fraud, particularly those fraud schemes for which the company is at the greatest risk.
To calculate the Prevent/Detect Index
a standard, comprehensive population of fraud schemes, such as the ACFE Occupational Fraud Classification System, is used to evaluate each scheme that applies to the business and determine which schemes are the high-risk schemes that the organisation should focus on. For those fraud schemes that apply to the company, an evaluation of each scheme should be performed to identify:
• The likelihood that the scheme could be perpetrated
• The significance of the fraud risk to the company
• Whether there are preventive or detective internal controls in place to moderate the risk to a sufficient level
Leadership Risk Profile
The Leadership Risk Profile is developed to provide a macro-level organisational view of which business leaders, if any, increase the organisation’s vulnerability to fraud through their:
• Leadership style
• Operating behaviours
• Decision-making practices
As part of this evaluation, the team should consider any information that indicates unique pressures on or incentives for each leader that could increase the organisation’s fraud risk.
Such pressures and incentives can include, but are not limited to:
- A significant amount of personal net worth invested in the company
- A large portion of compensation tied to activities that the leader can manipulate (e.g., sales volumes or other business performance measures)
- A pending divorce
- Recent organisational changes that have either greatly expanded or reduced/eliminated the leader’s span of control
- Living larger than life
- Dependence on drugs or alcohol
- Gambling problems