
6/2/2023

FRAUD RISK ASSESSMENT

[Course outline diagram: Introduction; Fraud Principles; Possibility of Fraud; Entity Activities; Fraud Prevention, Detection, & Investigation; Fraud Scheme and Red Flags; Fraud Risk Assessment]

What is Fraud Risk?

• Fraud risk = the vulnerability that an organization faces from individuals capable of combining all three elements of the fraud triangle
• Sources of fraud risk (FR): internal and external
• A fraud risk assessment → the cornerstone of an antifraud program that anticipates, rather than reacts to, fraud and misconduct
• No system of internal controls can fully eliminate the risk of fraud

What is Fraud Risk?

• Inherent Risks = the risks that are present before management action
• Control Risks = the likelihood that a material misstatement (fraud) would not be caught by the client's internal controls
• Residual Risks = the risks that remain after management action

What is a Fraud Risk Assessment?

• Process to:
  • identify inherent fraud risk
    • Industry, geo-political risks
    • Company risks (incentive plans, growth rate, consolidation)
    • Risk of management override
  • assess the likelihood and significance of inherent fraud risk
    • Likelihood – remote, possible, probable
    • Significance – not just dollars; reputation, management time
  • develop a response to fraud risk

What is a Fraud Risk Assessment?

• Objectives:
  • To identify and document risks and controls for various scenarios & schemes that can affect the company and its shareholders
  • To ensure compliance with corporate governance requirements
• FRA focuses on fraud schemes and scenarios ----- fraud factors

Fraud Factors

• Assessment should consider the fraud schemes
  • For financial statement frauds: the executives of the entity are the most likely would-be fraudsters; a risk assessment would necessarily include those individuals.
  • For asset misappropriation: an employee in a trusted position is likely to be the culprit.
  • For corruption: include somebody outside the entity working with someone inside, a unique characteristic of corruption schemes.

RISK ASSESSMENT FACTORS

• General Factors:
  • entity, people (behavioral), divisions, geographies, products or services, accounting or business processes, controls, or computerized systems.
• Why?
  • All frauds are a product of:
    • the personality of the executives and employees,
    • the working conditions,
    • the effectiveness of internal controls,
    • the level of honesty therein (the organizational culture or environment)

RAF: Internal Factors

• SOURCE of Risks:
  • The absence of an honest culture
  • Failure to articulate and communicate minimum standards of performance and personal conduct
  • Inadequate orientation and training on legal, ethical, fraud, and security issues
  • Inadequate company policies (sanctions for legal, ethical, and security breaches)

RAF: Internal Factors

• Failure to counsel and take administrative action (performance level or personal behavior below acceptable standards, or violates entity principles and guidelines)
• Ambiguity in job roles, duties, responsibilities, and areas of accountability
• Lack of timely or periodic audits, inspections, and follow-through to ensure compliance with entity goals, priorities, policies, procedures, and governmental regulations
• Lack of accountability over key positions of trust

Respond to Residual Fraud Risks

• Avoid the risk
  • Eliminate asset or activity if controls are too expensive
• Transfer the risk
  • Purchase fidelity insurance policy
• Mitigate the risk
  • Implement countermeasures, such as prevention and detection controls
• Assume the risk
  • If probability of occurrence and impact of loss are low
• Combination approach

What Makes a Good Fraud Risk Assessment?

• Need a formal approach, not an ad hoc approach.
• Collaborative Effort – share ownership
• The Right Sponsor
  • Senior in organization → ideally an independent board or audit committee member
• Independence/Objectivity
  • Whether conducted by internal or external resources
  • Be mindful of personal biases
• Access to People at All Levels
• The Ability to Think the Unthinkable
  • Think like a fraudster

Assembling Fraud Risk Assessment Team

• Consists of individuals with diverse knowledge, skills, and perspectives
• Includes members from internal and external resources:
  • Accounting and finance personnel
  • Management teams
  • Legal department
  • Compliance department
  • Internal auditors
  • External consultants

Determine the Best Techniques of the Fraud Risk Assessment

• Interviews
• Focus groups
• Surveys
• Anonymous feedback mechanisms

RISK MANAGEMENT CHECKLISTS AND DOCUMENTATION

• RM Checklist is designed to assist accountants in assessing and managing the risk of fraud in their organizations and those of their clients

Fraud Schemes Checklist

• Use an appropriate taxonomy of fraud schemes
• The ACFE fraud tree could be used to determine at least the initial list of fraud schemes:
  • Fraudulent Financial Statement
  • Asset Misappropriation
  • Corruption

Fraud Schemes Checklist

• The columns of the risk assessment form include:
  • The fraud scheme
  • An assessment of inherent risk
  • The availability of internal controls in mitigating that risk
  • The "residual risk" left over after the mitigation of existing internal controls
  • Business processes where the scheme is likely to occur, if it does occur
  • Red flags, which could be used to detect this scheme

Inherent Risk

• Risks that are present before management action
• Factors affecting inherent risk:
  • Dollar size of the account
  • Liquidity
  • Volume of transactions
  • Complexity of the transactions
  • New accounting pronouncements
  • Subjective estimates


Control Risk

• Control Risk (CR) is the likelihood that a material misstatement (fraud) would not be caught by the client's internal controls.
• Factors affecting control risk include:
  • The environment in which the company operates (its "control environment").
  • The existence (or lack thereof) and effectiveness of control activities.
  • Monitoring activities (audit committee, internal audit function, etc.).

Measures and Relationships

• Residual Risk
  • The risks that remain after management action
  • Residual Risk = the inherent risk minus the level of control mitigation
  • Responses:
    • no action, as the remaining risk is accepted
    • action to mitigate or
    • remediate through additional prevention or detection procedures

Measures and Relationships

• Business Processes
  • to identify which business processes (e.g., cash receipts, payroll, etc.) are involved with this scheme
• Red Flags
  • identify the red flags that could be associated with the scheme

Measures and Relationships

• What is a relevant, reliable, and representative indication of the risk needing measurement?
• Inherent Risk
  • could be a probability (1 to 100 percent)
  • simply low, medium, or high risk
• Controls Assessment
  • what controls are in place to mitigate the specific fraud scheme

Example of measure

• Assess Likelihood of Fraud
  1. Remote (<5% chance of occurrence)
  2. Possible (5-50% chance of occurrence)
  3. Somewhat likely (51-75% chance of occurrence)
  4. Probable (>75% chance of occurrence)
• Assess Significance of Risk
  1. Negligible
  2. Serious
  3. Significant
  4. Material

Likelihood: more details

Likelihood rating, based on annual frequency or on annual probability of occurrence:

Rating | Frequency descriptor | Frequency definition            | Probability descriptor | Probability definition
-------|----------------------|---------------------------------|------------------------|-------------------------------
5      | Very frequent        | More than twenty times per year | Almost certain         | >90% chance of occurrence
4      | Frequent             | Six to twenty times per year    | Likely                 | 65% to 90% chance of occurrence
3      | Reasonably frequent  | Two to five times per year      | Reasonably possible    | 35% to 65% chance of occurrence
2      | Occasional           | Once per year                   | Unlikely               | 10% to 35% chance of occurrence
1      | Rare                 | Less than once per year         | Remote                 | < 10% chance of occurrence

Significance: more details

Rating, Descriptor, Definition:

5 – Catastrophic
  • Financial loss to company in excess of $10 million
  • International, long-term media coverage
  • Widespread employee morale issues and loss of multiple senior leaders
  • Required to report incident to authorities, resulting in significant sanctions and financial penalties

4 – Major
  • Financial loss to company between $100,000 and $10 million
  • National, long-term media coverage
  • Widespread employee morale problems and turnover
  • Required to report incident to authorities, resulting in sanctions against company

3 – Moderate
  • Financial loss to company between $10,000 and $100,000
  • Short-term, regional or national media coverage
  • Widespread employee morale problems
  • Required to report incident to authorities and take immediate corrective action

2 – Minor
  • Financial loss to company between $1,000 and $10,000
  • Limited, local media coverage
  • General employee morale problems
  • Incident is reportable to authorities, but no follow-up

1 – Incidental
  • Financial loss to company less than $1,000
  • No media coverage
  • Isolated employee dissatisfaction
  • Event does not need to be reported to authorities

Rating IC Effectiveness

Risk Matrix

Columns, Significance (Impact): 1 (Incidental), 2 (Minor), 3 (Moderate), 4 (Major), 5 (Catastrophic)
Rows, Likelihood, with the cells marked in each row:
  Almost certain (5): X (5), X (20)
  Likely (4): X (20)
  (ie. markup Procurement)
  Reasonably possible (3): X (6)
  Unlikely (2):
  Remote (1): X (3)

= Need more action



FRAUD RISK ASSESSMENT FORM


CLOSING NOTES: KEY TAKEAWAY KNOWLEDGE

• Fraud Risk Assessment is an important part of fraud detection, prevention and investigation
• Fraud Risk Assessment requires understanding:
  • Taxonomy of fraud schemes, and
  • Red Flags
• Fraud Risk Assessment is a continuous process:
  • should be conducted regularly
  • using a formal approach
  • involving an integrated team
• Fraud Risk can be assessed using a Risk Management checklist or Fraud Scheme Checklist
