Fraud Risk Assessment: Discover What You Don’t Know
By Ali Wagner, MACCT, CFE, REDW Financial Forensics & Litigation Services Analyst
Fraud risks are out there, but not every organization is equipped to recognize and reduce impacts. Identifying the schemes your organization is vulnerable to, both internal and external, is imperative to informing your fraud risk assessment. But where do you begin?
Read Part 1 of REDW’s #InternalAuditAwarenessMonth series, “Establishing a Fraud Risk Management Program—Beyond Checking the Boxes.”
Develop a Fraud Risk Map
Build a strong fraud risk assessment by designing a comprehensive fraud risk map (or matrix) that identifies significant fraud scenarios across your organization. A fraud risk map is essentially the foundation for your fraud risk management program and a resource that outlines potential fraud schemes and related information.
Key elements to include in your fraud risk map:
- Business unit (e.g. payroll, accounts payable)
- Whether the potential fraud would be perpetrated by an internal or external party
- General fraud category (e.g. asset misappropriation, corruption, financial statement fraud)
- Fraud scheme type (e.g. expense reimbursement, payroll, skimming, larceny)
- Sub fraud scheme (e.g. write-offs, ghost employees, fictitious expenses)
- Actor (who might have a motive or incentive to commit fraud)
- Fraud risk entry point, or origin of the fraud
- Underlying fraud risks and vulnerabilities
- Related control activities
Your fraud risk map can be organized by department, business function, process, etc. Recognize that fraud can happen at any level of the organization and consider the entire enterprise.
Development of the map should align with your risk assessment strategy and how you intend to advance it over time.
Focus on the internal and external fraud schemes for each area of your fraud risk map, then integrate them into a comprehensive fraud risk map for your organization.
Key focus points in specific fraud schemes:
- Discuss fraud schemes in a group setting whenever possible in order to benefit from conversations between relevant stakeholders who understand the functional area.
- Consider both the actor (i.e., the perpetrator) and the fraud risk entry points (i.e., their function or process).
- Remember that not all fraud is financial. Some fraud can affect an organization’s reputation even if it doesn’t lead to major financial loss.
- Leverage available resources to ensure your listing is comprehensive, including existing risk registers at your organization, along with industry emerging trends and research. (For reference, see the Association of Certified Fraud Examiners (ACFE) Fraud Tree.)
Emphasize the map's importance by periodically refreshing it and drawing attention to it as part of your ongoing fraud risk assessment activities.
Discover What You Don’t Know
Every enterprise faces a variety of risks from both internal and external sources. Designing your fraud risk map and developing a comprehensive fraud risk assessment are both strategies your organization can leverage to identify and understand risks, provide a basis for managing them, and increase the perception of detection.
Communicate your fraud risk assessment broadly, promoting the process at all levels of the organization so it’s visible from the top down. Your methodology should be tailored to the unique vulnerabilities and strategic goals of your organization, and include the following steps:
- Establish your fraud risk assessment team, and clearly define roles and responsibilities to ensure appropriate levels of management.
- Determine your starting place. Implement an organization-wide fraud risk assessment or a targeted fraud risk assessment.
- Identify possible fraud schemes. Identify and assess risks at the entity, subsidiary, division, operating unit, and functional levels.
Your fraud risk assessment team should specifically consider the potential for management override of controls, including the controls designed to prevent or detect fraud.
- Estimate the likelihood and impact of each fraud scheme. Consider historical information and fraud schemes known to have happened in the past to categorize the likelihood of a fraud risk’s occurrence.
- Identify presence and efficacy of existing controls. The risk assessment team should examine each specific fraud scheme (or risk), identify the existing related control activities, and evaluate efficacy in terms of mitigating fraud risk.
- Prioritize fraud risks. Weigh the likelihood-and-impact assessment against the presence-and-efficacy assessment established in the previous two steps. For example, a fraud risk that lacks effective controls would be scored as a higher priority, or a more significant risk, than one with multiple effective controls in place.
The key to efficacy is stakeholder communication that ensures understanding of these terms. Without that understanding, the results will not be insightful.
- Assess and respond to high priority or significant fraud schemes. You may choose to strengthen existing control activities, add new control activities, or consider using data analytics to combat high-priority risks. Your chosen response here should align with your organization’s fraud risk tolerance, and the roadmap and strategy you developed in Part 1 of this series.
- Document the risk assessment. Key items to document include the methodology, assessment results, and organization response strategies.
Columns your fraud risk assessment might include:
- Identified fraud risks and schemes
- Likelihood of occurrence
- Significance of occurrence
- Personnel/Departments involved
- Existing fraud control activities
- Effectiveness of existing control activities
- Residual fraud risks
- Fraud risk responses
- Reassess periodically, considering changes external to the organization, and internal operational and leadership changes.
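The prioritization step above combines a likelihood-and-impact estimate with the presence and efficacy of existing controls, and the team is asked to consider management override separately. The following is an added example, not part of REDW's post, of how a fraud risk register with those columns can be scored and ranked. The 1-to-5 scales, the proportional control credit, the cap on control credit where management override is possible, the priority thresholds, and the sample schemes are all constructed assumptions for illustration; an organization would calibrate them to its own fraud risk tolerance.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed ordinal scale for likelihood and impact: 1 (remote / minor) .. 5 (almost certain / severe).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed priority thresholds on the residual score (inherent score is 1..25).
HIGH_THRESHOLD = 12.0
MEDIUM_THRESHOLD = 5.0

# Assumption: when management can override the relevant controls, those controls
# earn at most half credit, so the residual exposure is never understated.
OVERRIDE_EFFECTIVENESS_CAP = 0.5


@dataclass
class FraudRisk:
    """One row of the fraud risk map / assessment (columns follow the post)."""
    business_unit: str
    scheme: str                       # e.g. ghost employees, fictitious expenses
    actor: str                        # "internal" or "external" party
    likelihood: int                   # 1..5
    impact: int                       # 1..5 (significance of occurrence)
    controls: list[str] = field(default_factory=list)
    control_effectiveness: float = 0.0  # 0.0 = no mitigation .. 1.0 = fully mitigates
    management_override: bool = False   # can management bypass the listed controls?


def validate(risk: FraudRisk) -> None:
    """Reject scores outside the agreed scale so the register stays comparable."""
    for name in ("likelihood", "impact"):
        value = getattr(risk, name)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.scheme}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.scheme}: control_effectiveness must be within 0..1")
    if risk.control_effectiveness > 0.0 and not risk.controls:
        raise ValueError(f"{risk.scheme}: effectiveness claimed but no controls listed")


def inherent_score(risk: FraudRisk) -> int:
    """Likelihood x impact before any control credit."""
    return risk.likelihood * risk.impact


def residual_score(risk: FraudRisk) -> float:
    """Inherent score reduced by control effectiveness, with the override cap applied."""
    validate(risk)
    effectiveness = risk.control_effectiveness
    if risk.management_override:
        effectiveness = min(effectiveness, OVERRIDE_EFFECTIVENESS_CAP)
    return round(inherent_score(risk) * (1.0 - effectiveness), 2)


def priority(risk: FraudRisk) -> str:
    score = residual_score(risk)
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def prioritize(register: list[FraudRisk]) -> list[FraudRisk]:
    """Highest residual risk first; ties broken by inherent score so unmitigated risks surface."""
    return sorted(register, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)


# Constructed sample register (not real findings) covering internal and external actors.
SAMPLE_REGISTER = [
    FraudRisk("Payroll", "Ghost employees", "internal", 3, 4,
              ["HR master-file change review", "Payroll-to-headcount reconciliation"], 0.75),
    FraudRisk("Accounts payable", "Fictitious vendor", "internal", 4, 5),
    FraudRisk("Expense reimbursement", "Fictitious expenses", "internal", 4, 2,
              ["Receipt requirement", "Manager approval"], 0.9, management_override=True),
    FraudRisk("Cash receipts", "Skimming", "external", 3, 5,
              ["Daily deposit reconciliation"], 0.4),
]

if __name__ == "__main__":
    print(f"{'Business unit':<22}{'Scheme':<22}{'Actor':<10}{'Inherent':>9}{'Residual':>9}  Priority")
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.business_unit:<22}{r.scheme:<22}{r.actor:<10}"
              f"{inherent_score(r):>9}{residual_score(r):>9}  {priority(r)}")
```

Running the module prints the register ranked for the response step: the uncontrolled fictitious-vendor scheme lands at the top, while the expense scheme shows how the override cap keeps a control set that management can bypass from earning the full 90 percent credit its owners claim for it.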
To start, consider conducting a pilot fraud risk assessment in a particular area, as implementing at the enterprise level right away may be too detailed or daunting for many organizations. This focused approach will allow you to test your methodology and apply lessons learned as you expand the assessment across the organization.
How REDW Can Help
For questions or assistance in assessing and structuring your organization’s fraud risk assessment or if you have concerns that fraud has occurred within your organization, please contact REDW Financial Forensics & Litigation Services Analyst Ali Wagner, or REDW Principals Ed Street or Jessica Bundy.
Our professional team maintains specialized training and credentials in the area of fraud examination and maintains considerable experience performing thorough analyses of indicators and allegations of fraud for both private and government organizations. We respect client concerns and conduct examinations in a discreet manner to minimize the disruption of operations.
Learn more about our commitment to integrity and objectivity in fraud examination.
Stay tuned for Part 3 in REDW’s #InternalAuditAwarenessMonth series – Fraud Control Activities: Using Data to Uncover Fraud. Knowledge is Power!
Sources of Information:
ACFE 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.
ACFE The Anti-Fraud Playbook: The Best Defense Is a Good Offense. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.
Fraud Risk Management Guide Executive Summary. Copyright 2016 by the Committee of Sponsoring Organizations of the Treadway Commission and the Association of Certified Fraud Examiners, Inc.