Fraud Risk Assessment

A fraud risk assessment is an assessment conducted over the areas of the organization where there is potential fraud risk. Auditors examine company assets, financial documentation, and disclosures. ?This process seeks to identify fraud risks to the organization — both internal and external fraud — analyze those risks, and develop an action plan for mitigating or controlling those risks. There is a significant risk of fraud in the information technology arena of business, so risk assessments should also take into account an organization’s IT risk posture. Though types of fraud vary by business line, internal fraud includes embezzlement and misappropriation of assets, while external fraud includes provider fraud and theft of proprietary information.

According to The Journal of Accountancy, perpetrators commit fraud for two reasons : greed or need. There are three elements that enable someone to commit fraud: motive, opportunity, and rationalization. Due to financial pressure, the ability to execute a fraud scheme, and personal justification of dishonest actions, bad actors commit fraud. Commonly, perpetrators can commit fraud due to weaknesses in internal controls. When used to understand these weaknesses and the risk environment, a fraud risk assessment can help management formulate a mature risk governance and management plan .

What Should a Fraud Risk Assessment Address?

A fraud risk assessment should address four key areas: asset misappropriation, financial and non-financial reporting, regulatory compliance areas, and illegal acts.

Asset Misappropriation

In general, cash, inventory, and company assets are subject to misappropriation and must be examined for potential skimming, larceny, and fraudulent disbursements. Asset misappropriation is also more than theft or embezzlement — employees who use company equipment, such as computers, for their personal benefit without approval may be engaging in misappropriation and/or occupational fraud.

Financial and Non-Financial Reporting

Inconsistency between financial and nonfinancial information can reflect internal fraud. Financial statement fraud is also a form of occupational fraud. Commonly carried out by management by overriding internal controls, fraud in the financial statements can include overstating revenues, profits, and assets; and understating expenses, losses, and liabilities. Auditors should analyze non-financial performance indicators such as the number of facilities, the number of customer accounts, and the number of employees (depending on the company).

Regulatory Compliance Areas

As business risk becomes increasingly complex due to external risks like the COVID-19 pandemic, internal auditors and external auditors must maintain a watchful eye on the relationship between a company’s risk of fraud and its compliance efforts. A recent report by EY found the risk of fraud can spike during global events, like the pandemic, leading to decreases in compliance activity. During the fraud risk assessment, the team should investigate the compliance activities of the organization — is compliance merely a “check-the-box” exercise, or is it a genuine effort at creating a culture of integrity?

Fraud risk assessments should also evaluate whether the proper fraud and whistleblower hotlines and resources are in place in accordance with regulatory requirements. Hotlines are critical for companies’ fraud detection efforts, as many fraud activities are detected when a tip or report is sent in, often anonymously.

Illegal Acts

Fraud is fundamentally an illegal act, and auditors should maintain sufficient knowledge of the characteristics and indicators of fraud, techniques used to commit fraud, and types of fraud associated with the activities being audited. The fraud risk assessment is an excellent tool for helping audit, risk, and compliance professionals in preventing and detecting fraud. In some cases, conducting detailed data analysis of financial figures can reveal anomalies that may point to fraudulent activity.

What Are the Main Fraud Risk Assessment Components?

A fraud risk assessment should feature the following components:

• Description of Fraud Risks: while fraud risks vary, examples include theft of assets, fraudulent disbursements, manipulation of expenses, and inappropriate journal entries.
• Likelihood of Occurrence: though granularity can vary, define the probability of the fraud risk occurring as remote to almost certain.
• Significance to the Organization: level of significance can also vary, but common categories include inconsequential to material. Sometimes, this parameter may be titled “materiality.”
• Identification of Anti-Fraud Controls: every organization has internal controls to prevent fraud, and auditors must examine how robust these are.
• Assessment of Control Effectiveness: the assessment must determine if the control is sufficient to mitigate related risks or if additional controls are necessary.
• Fraud Risk Response: after identifying a fraud risk, determine corrective action activities or additional controls that should be implemented.
• Responsible Person: decide who will implement controls and mitigation efforts.
• Monitoring Activities: establish monitoring activities that will be conducted to track progress and performance, and how frequently they will occur.

Steps to Conduct a Fraud Risk Assessment

Step 1: Identify Risks

Identifying risks most relevant to the organization is a key first step in conducting a fraud risk assessment. Factors that influence fraud risk include:

• The nature of the business and the environment in which it operates.
• The effectiveness of internal controls.
• The ethics and values of the company and its employees.

It’s important to evaluate which people and departments are most likely to commit fraud and identify the methods they are likely to use. Examine incentives, pressures, and opportunities to commit fraud; anti-fraud controls already in place; risk of management to override controls; risk of regulatory and legal misconduct; and risk to information technology. Identifying these factors will enable you to create a successful risk management plan .

Identifying risks may necessitate interviewing stakeholders and process owners, or even observing their activities in real-time. Identified risks should be documented in a risk register.

Step 2: Quantify Risks

Assess the likelihood of occurrence of the identified risks and their significance to the organization. A risk assessment matrix , also known as a probability and severity matrix, can be a helpful tool in quantifying risks and evaluating their impact. Scoring or quantifying risks allows for easy and clear prioritization of mitigation activities, as significant risks will rise to the top while negligible risks can be deprioritized.

When assessing likelihood, you should consider:

• Prevalence of the fraud risk in the organization’s industry.
• Number of individual transactions involved and complexity of the fraud risk.
• Number of people involved in approving and reviewing the relevant process.

When assessing significance, be sure to consider:

• Financial condition of the organization.
• Value and criticality of threatened assets.
• Criminal, civil, and regulatory liabilities.

As with all risk management analyses, the results of this step should be documented for each identified risk to inform the organization’s risk response.

Step 3: Respond to Risks

Once risks have been quantified, develop and select a mitigation strategy and who will be responsible for its implementation. Business units may have to collaborate with risk practitioners and audit professionals to develop adequate controls for corresponding risks. Every organization must establish an acceptable level of risk, or risk appetite, based on a thorough cost-benefit analysis.

When deciding on how to respond to risks, an organization may choose to:

• Avoid the risk by terminating the activity.
• Transfer the risk and its financial consequences to a third party.
• Mitigate the risk by reducing its likelihood and impact.
• Accept the risk because the cost of mitigating it isn’t worth it.

Remember, putting internal controls in place is one of the most effective mitigation strategies an organization can use. The risk of asset misappropriation is a lot easier to reduce when a company is rigorous about asset management and monitoring, for example.

Step 4: Monitor and Review Risks

With any risk management strategy , there is no such thing as a one-and-done approach to fraud risk. A process that requires ongoing monitoring and review, the fraud risk assessment must be refreshed to respond to the changing risk environment. Not only can new fraud risks appear due to changes in the risk universe, but their impact can change too. Monitoring alone is not enough — as organizations discover gaps and improvement areas in their existing fraud risk management program, they should add those opportunities to the roadmap and continuously augment their program. Fraudsters will continue to seek out ways to commit fraud, and companies will need to adjust their approaches to prevent fraud.

Step 5: Report Risks

By using a tailored and comprehensive fraud risk assessment approach, an organization will be able to avoid another important risk: missing valuable information and obtaining unreliable results. When communicating the results of a fraud risk assessment, stay objective, identify actions that are clear and measurable to drive results, and recommend control activities that reduce the risk of fraud. Reporting should always consider the target audience of the report, the questions that need answers, and the audience’s needs.