Fraud Risk Assessment in Auditing

Uploaded by

Jona May Benito

Fraud – Forensic Audit Manual Fraud Risk Assessment

Chapter 1

FRAUD RISK ASSESSMENT

International Standards of Supreme Audit Institutions (ISSAI) 1240, “The Auditor’s
Responsibilities Relating to Fraud in an Audit of Financial Statements,” states that when
planning and performing audit procedures and evaluating and reporting the results thereof,
the auditor should consider the risk of material misstatements in the financial statements
resulting from fraud or error. In compliance with this standard, auditors should include an
assessment of fraud in their audit procedures.

As mentioned in the Introduction to this Manual, the Fraud–Forensic Audit Framework is
divided into three major sections:

1.0 Fraud Risk Assessment
2.0 Fraud Response: Proactive measures
3.0 Fraud Response: Reactive measures

Fraud Risk Assessment (FRA) aims to identify areas of fraud risk and evaluate established
controls to prevent and detect fraud. A fraud risk is the risk that an agency’s mandate,
objectives and strategies will not be achieved due to the occurrence and impact of fraud. The
purpose of this activity is to: (1) conduct FRA in order to assist COA auditors to identify and
prioritize risks of fraud, and (2) develop the appropriate response for the prioritized or key
fraud risks. The response may include identifying and evaluating processes and controls in
the agency that may prevent, detect or deter the key fraud risks and validating whether these
processes and controls are operating effectively. The response may also include performing
detective procedures that aim to confirm the possible occurrence of the key fraud risks.


Three types of fraud¹ are relevant for the auditors’ consideration:

§ Fraudulent statements – intentional misrepresentation of the condition of an agency to
deceive users, through the intentional misstatement or omission of amounts, disclosures, or
other information. Most fraudulent statement schemes involve earnings mismanagement
arising from improper revenue recognition, the overstatement of assets or the understatement
of liabilities. Non-financial fraudulent schemes may involve overstatement of the agency’s
achievements or results against key performance measures.

§ Misappropriation of assets – a type of fraud wherein the agency’s personnel use or misuse
the agency’s assets for their own personal gain. Examples are cash skimming, wherein agency
personnel handling cash collections deliberately steal cash, and expense misrepresentation,
wherein agency personnel charge personal expenses to the agency; and

§ Corruption – fraud in which agency personnel use their position to obtain benefits, either in
cash or in kind, for themselves or for someone else.

Fraud risk assessment involves the process to determine the likelihood and significance of
fraud within the agency, thus identifying key fraud risks (KFRs). Key steps in conducting
fraud risk assessment generally include the following:

1.1 Plan the fraud risk assessment
1.2 Understand the agency
1.3 Identify all potential fraud risks
1.4 Assess the likelihood and impact of all potential fraud risks
1.5 Identify and evaluate key fraud risks; and
1.6 Document audit responses for the results of the fraud risk assessment.

The conduct of FRA should ideally be done simultaneously with IRRBA’s Agency Audit
Planning and Risk Assessment, to achieve efficiency and maximum benefit and integration
between the two activities. The linkage is shown in the figure below.

Diagram 7. FRA linkage to IRRBA Framework

¹ Association of Certified Fraud Examiners (ACFE) Manual. Texas, USA: Association of Certified Fraud
Examiners, Inc., 2010 edition.

Diagram 8. FRA Process Flow

1.1 Plan FRA

The objective of planning the FRA is to give COA auditors clarity and structure in
order to complete the work successfully and efficiently. This is achieved initially by:

§ Reviewing audit objectives, team member roles, and responsibilities;
§ Conducting a planning meeting with the engagement team, CD, RD, and other
personnel deemed appropriate; and
§ Developing a customized work plan that addresses tasks, responsibilities,
timelines, and expected work product.

The FRA builds on the information COA auditors obtained during Understanding the
Agency phase and inputs from various sources already gathered. Additional research
performed and information obtained within these earlier activities is utilized during
the FRA.


1.1.1 Identify COA Audit Team and Agree on Responsibilities

The TS/SA and ATL should participate in the planning stage of the FRA.

The responsibilities of the COA audit team are to (a) gather existing
information, such as documents and knowledge about the audited agency,
and (b) develop a preliminary work plan for the FRA.

Only those team members who have the appropriate skills and competencies
shall be assigned to perform the work. The following may be considered in
selecting audit team members to conduct FRA:

§ Adequate technical training and proficiency as auditors
§ Ability to maintain independence
§ Ability to face and defy pressures and temptations
§ Ability to facilitate discussions with agency management

The specific responsibilities of all parties involved are determined and agreed
prior to commencing the FRA. In addition, the audit team is encouraged to
consult with the FAIO (or the LS for a Regional Office), the Cluster concerned
and other offices such as the TSO.

1.1.2 Conducting planning meeting

In planning the FRA, members of the COA audit team should discuss the
potential material misstatement due to fraud or error. The objectives of this
discussion are (a) to increase the overall awareness of and sensitivity to fraud
by all members of the team, and (b) to have an interactive exchange of ideas
and sharing of information about how and where the agency’s financial
statements might be susceptible to material misstatement due to fraud. The
importance of maintaining the proper state of mind and level of professional
skepticism throughout the audit should be emphasized. Participation of the FAIO
is encouraged to obtain additional information and insights from the FAIO based
on their experience in handling investigations.

The suggested agenda of the meeting’s activities may include the following:

§ Identify which agency official/s should be considered in the FRA,
particularly for inquiries regarding fraud risk within the agency. Those to be
considered include:
o Head of agency and senior officers (Secretary, Undersecretary,
Assistant Secretaries and Department Heads), for National
Agencies;
o Local Chief Executives, for Local Government Units (LGU); and
o Chief Executive Officer (CEO), President, and General Manager
(GM), for Government Owned and Controlled Corporations
(GOCC).

COA auditors should focus on those members of the agency’s
management who are knowledgeable of the agency’s mandate,
objectives, strategies, framework of operations, operational
performance, information framework, and initiatives, laws and
regulations relevant to the agency, and other key information.

§ Discuss how the FRA and the related approaches to the assessment may
be performed (i.e., walkthrough, interviews, surveys) and documented.
§ Determine responsibilities for the following:
o Coordination of walkthrough, interviews, and/or surveys
o Preparatory work to be completed
o Performance and documentation of the FRA in the Fraud-
Forensic Audit Plan to be developed
§ Determine current fraud prevention controls within the agency, if any.
§ Assess current “tone at the top.”
§ Check any known fraud cases filed against officials/employees of the
agency.
§ Determine the extent of FAIO involvement in the audit as well as the
timing of the procedures to be performed by FAIO, if any.

The brainstorming activity should result in identifying the agency’s
vulnerability to fraud risks/schemes at different locations (e.g., head office,
regional offices, bureaus) and levels (e.g., processes or activities).

The results of the brainstorming activity should be submitted to the CD for
review and comment.

Examples of possible vulnerability:

1. Management override in the selection of contractors in public bidding;
2. Collusion in the disbursement of payroll funds;
3. Segregation of duties issues regarding cash collection.

Upon completing the planning meeting, document the plan to include:

§ Tasks to be performed
§ Team member to perform each task
§ Planned time to complete each task; and
§ Deadlines for completion (e.g., milestone report to CD/RD)


Documentation

To document the COA audit team discussion(s) and planning regarding FRA,
use FoAM Form-01 Fraud Risk Assessment Planning Template (Attachment 1).

1.2 Understand the Agency

1.2.1 Document review

In this stage of the FRA, COA auditors should conduct a review of the Strategic
Planning and Risk Assessment of the agency to be audited. Information and
documents to be gathered in this activity should be sourced from the Integrated
Results and Risk-based Audit Manual (IRRBAM), such as the following:

§ Understanding the Agency (UTA) Form 02-02
§ Process flow documentation
§ Agency Level Control Checklist (ALCC) Form 02-03
§ Audit Risk Assessment Tool Form 02-07

Other documents to be gathered aside from IRRBAM documents are the
following:

§ Prior year working papers
§ Information from the agency’s website
§ Prior year internal audit reports
§ COA audit management letters
§ Financial statements
§ AOMs that detail significant deficiencies and/or material weaknesses
§ Complaints and whistleblower reports about the agency

1.2.2 Understanding Agency’s Mandate and Strategies

COA auditors should develop an understanding of the agency’s strategies and
objectives/mandates, documented in IRRBAM UTA Form 02-02, and of the key
operational risks of the agency, documented in the ALCC and Audit Risk
Assessment Tool templates. The review of these documents will help identify
and assess fraud risks. These fraud risks may also have been previously
identified in the prior year working papers documenting the understanding of
the agency’s operations. Refer to the Agency Planning and Risk Assessment
portion of the IRRBAM.

The agency’s management head² generally defines and implements a strategic
plan/program to support the agency’s mandate and objectives. Such
strategies are generally built around the agency’s mandate, an understanding
of the current environment (internal/external) in which the agency operates,
and an understanding of the agency’s stakeholder needs and expectations
and other external factors.

² Examples of this are Mayors and Governors for Local Government Units; CEO, President, and GM for GOCCs;
Department heads for NGAs.

COA auditors should also gain a further understanding of the key IT business
applications and underlying infrastructure that support the processes the
agency has put in place to manage the key fraud risks. If an agency operates
in a computerized environment, the relevant IT processes or IT General Controls
(ITGC) that support the agency’s objectives should be documented and
tested by COA auditors or by specialists from the Information Technology Office.

Examples of agencies’ mandates and a possible fraud risk for each agency:

| Agency’s Mandate | Fraud Risk |
|---|---|
| To collect revenue from motor vehicle registration for the Government | Understatement of revenue collections |
| To undertake construction of national roads and bridges, government infrastructures, and other public works projects | Conflict of interest in the awarding of construction contracts |
| Sustain economic enterprises to provide social services to constituents of the city/municipality | Fictitious or inflated expenses for social services |

1.3 Identify All Potential Fraud Risks

A fraud risk is considered as such if its occurrence will have an impact on the
agency’s mandate, objectives and strategies. Fraud risks are based on the nature of
the operation, the agency’s culture, and other factors unique to the agency.

The objective of this activity is to identify all potential fraud risks that might have
an impact on the agency’s mandate, objectives and strategies.

COA auditors identify potential fraud risk types in relation to the agency. Auditors
should make a preliminary determination of the fraud risks that are relevant to the
agency by considering the linkages between the fraud risks and the agency’s strategies,
objectives, and mandates. COA auditors should also include information
obtained during the FRA planning phase (i.e., results of the planning meeting as
documented in FoAM Form-01), inquiries made with management³ of the agency,
and observations in prior years. Using the fraud risk universe (Diagram 9), COA
auditors should list all the possible fraud schemes that may be perpetrated
within a particular agency.

³ Examples of this are Mayors and Governors for Local Government Units; CEO, President, and GM for GOCCs;
Department heads for NGAs.


Diagram 9. Fraud Risk Universe

Examples of potential fraud risks:

1. For agencies with a high volume or value of procurement, a contractor could
be selected in exchange for monetary and other considerations;
2. For agencies with a high cost of salaries or a high number of contractual
employees, fictitious employees may be added and the pay obtained by the
fraudster or by someone in collusion; and
3. For agencies that have cash collection functions, theft of cash either by
larceny or through skimming or lapping.

1.3.1 Fraud Triangle

Fraud researchers and forensic professionals talk about a “fraud triangle”
(Diagram 10). The fraud triangle concept is relevant to identifying and
understanding the importance of fraud risk factors that may be present.
These are the three conditions usually present when people commit financial
fraud or misappropriate assets, and they affect the likelihood of occurrence of
fraud. COA auditors should be alert for the following conditions⁴:

Pressure – incentives or pressures to perpetrate fraud to achieve desired
results. Public sector employees are often under pressure to deliver high
quality services with few resources and within budget expectations. This
creates an incentive to overstate revenues and understate expenditures, and
to overstate accomplishments against agency or department targets. On a
personal level, public sector employees may be subjected to pressures from
vendors, peers, relatives and other parties who want to gain favor from the
agency through unlawful means;

Rationalization – personnel who are able to rationalize to themselves a need
for the fraud (i.e., convince themselves the fraud is justified). Generally lower
salary levels in the public sector compared to the private sector may lead
employees to believe that they can justify misuse of funds. Further
rationalization may happen when employees see or believe that their officials
are misusing agency funds without being reprimanded or penalized;

Opportunity – conditions (e.g., control-related concerns) that allow fraud to be
carried out without being detected. A lack of sufficient qualified personnel is
prevalent in the public sector. Such a situation often results in segregation of
duties issues that create the opportunity for fraud. Public sector employees who
perform collection and cash custody functions with little or no supervision or
counter-check present a higher fraud risk, in particular in those agencies with
high volume, low value cash transactions such as police stations or health clinics.

⁴ ISSAI 1240 – “The Auditor’s responsibilities relating to fraud in an audit of financial statements”

Diagram 10. Fraud Triangle. Source: Dr. Donald R. Cressey, Fraud Triangle

COA auditors should go through a brainstorming activity to identify the
agency’s potential fraud risks. This activity will be an avenue for the COA
auditors to discuss different types of pressures, opportunities, and
rationalization of government employees and/or officials to commit fraud; the
risk of management override of internal control systems; possible fraud
schemes that may occur within a particular agency; regulatory, compliance,
and legal misconduct risk within a particular agency; and the impact of IT on
the fraud risks identified, if the agency has a progressive IT infrastructure in place.

1.3.2 Fraud Categories

COA auditors should use the Fraud Risk Categories (Attachment 2) as sample
classification of fraud risk types (schemes) in order to help catalog and share
knowledge. This fraud risk framework provides insights to possible
approaches to fraud risks identified, but is not all encompassing and needs to
be customized for each agency situation.


1.4 Assess the Likelihood and Impact of all potential fraud risks

There are two primary criteria used in assessing fraud risk:

§ Likelihood—the probability of a fraud risk occurring over a predefined time
period (frequency of occurrence).
§ Impact—the extent to which the fraud risk, if realized, would affect the
agency. Factors that may help define the impact rating include financial
effect, reputational impact, ability to achieve the mandate, operations, objectives,
strategies, and key performance indicators.

COA auditors should assess the fraud risks identified based on the likelihood and
impact it will have on the agency’s mandate, strategies and objectives.

After identification of all potential fraud risks, COA auditors should assess their
likelihood and impact. When assessing the likelihood and impact of fraud risk, COA
auditors should assess the risk at the inherent level, without considering the internal
controls of the agency. This is to avoid misclassifying a fraud risk into a lower risk
because of the perceived operation of the internal control to prevent, deter or detect
such risk. Such perception may prove to be incorrect and the particular fraud risk
may fall outside the scope of the audit plan because of the incorrect risk
classification.

Assessing the likelihood and impact of each potential fraud risk is a subjective
process. However, it is strongly recommended to provide justification or supporting
explanation for the assessment made, to provide understanding to the CD, RD, and
others who will review the results of the FRA.

1.4.1 Assessing Likelihood

The likelihood of fraud occurring generally increases when one or more fraud
risks have been identified, particularly in an environment where significant
pressure exists to meet financial or operational targets.

1.4.2 Assessing Impact

The fraud risk that directly impacts the mandate of the agency and has the
highest probability of occurrence is ranked high. Fraud risk is low when it has
no direct impact to the agency’s mandate, strategies and objectives and the
occurrence is remote. Those fraud risks that are not classified as high or low
as defined here are ranked as moderate fraud risk.

1.5 Identify and Evaluate Key Fraud Risks (KFRs)

COA auditors should prioritize the fraud risks identified based on the overall
assessment. Those assessed as high or moderate will be tagged as Key Fraud
Risks (KFRs). COA auditors should refer to the key government risks, identified
during the Audit Risk Assessment, to obtain guidance on how to prioritize KFRs.

In performing an overall assessment of KFR, COA auditors may use the following
matrix:

                          LIKELIHOOD
IMPACT         Low          Moderate     High
High           Moderate     High         High
Moderate       Low          Moderate     High
Low            Low          Low          Moderate

Diagram 11. Matrix for KFR Overall Assessment (rows: impact; columns: likelihood)

The activity in this phase of the FRA is to confirm the results of our understanding of
the KFRs of the agency and share this assessment with CD/RD/FAIO (or its
equivalent for regional offices) and prepare preliminary listings of possible fraud
schemes of each KFR.

After identifying the KFRs of an agency, COA auditors should plan and design the
type of testing/response they would conduct. At this phase of the fraud risk
assessment, COA auditors should also decide what response should be appropriate to
the identified fraud risk such as the specific fraud control testing and/or specific fraud
detection procedures that should be performed. In preparing the responses to the
key fraud risk, COA auditors should consider any relevant fraud prevention controls
existing in the agency and perform an analysis on the controls to address the fraud
risk identified. The audit response should include a Rationale as to why the auditors
decided on such response.

Ultimately the COA audit team is responsible for determining which of the identified
fraud risks will be covered in the performance of specific fraud controls testing
activities.
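A small fraud risk register that applies the Diagram 11 matrix, tags the High and Moderate results as KFRs, and runs the checks a CD/RD reviewer would apply to each row (a rationale for every assessment, a planned response for every KFR). This is added example code, not part of the manual; the dataclass field names and the two sample rows other than the bid-rigging one are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ("Low", "Moderate", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Diagram 11 transcribed: outer key is IMPACT (rows), inner key is LIKELIHOOD (columns).
OVERALL_MATRIX: Dict[str, Dict[str, str]] = {
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}


@dataclass
class FraudRisk:
    """One row of the FRA template (hypothetical field names for this example)."""
    category: str                      # fraud category and scheme, e.g. "Corruption - Bid rigging"
    statement: str                     # fraud risk statement
    likelihood: str                    # rated at the inherent level, no credit for controls (1.4)
    impact: str
    audit_response: Optional[str] = None
    rationale: Optional[str] = None


def overall_assessment(likelihood: str, impact: str) -> str:
    """Look up the overall rating of one risk in the Diagram 11 matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}, got {likelihood!r}/{impact!r}")
    return OVERALL_MATRIX[impact][likelihood]


def identify_kfrs(register: List[FraudRisk]) -> List[FraudRisk]:
    """Section 1.5: High and Moderate overall ratings become KFRs, highest first."""
    kfrs = [r for r in register if overall_assessment(r.likelihood, r.impact) != "Low"]
    return sorted(kfrs, key=lambda r: RANK[overall_assessment(r.likelihood, r.impact)],
                  reverse=True)


def review_findings(register: List[FraudRisk]) -> List[str]:
    """Checks before CD/RD approval (1.6): every row has a rationale (1.4) and
    every KFR has a planned audit response (1.5)."""
    findings = []
    for r in register:
        overall = overall_assessment(r.likelihood, r.impact)
        if not r.rationale:
            findings.append(f"{r.category}: no rationale for the assessment")
        if overall != "Low" and not r.audit_response:
            findings.append(f"{r.category}: KFR ({overall}) without an audit response")
    return findings


# Constructed sample register. The first row follows the bid-rigging example in the
# manual's table; the other two rows are invented for this example.
SAMPLE_REGISTER = [
    FraudRisk("Corruption - Bid rigging",
              "Bidding for the procurement of goods and services is rigged",
              likelihood="Low", impact="Low",
              audit_response="Test of internal controls and fraud-specific detective test",
              rationale="RA 9184 controls over bidding in place; few high-cost procurements"),
    FraudRisk("Misappropriation - Ghost employees",
              "Fictitious employees added to payroll and the pay collected by the fraudster",
              likelihood="High", impact="High",
              audit_response="Match payroll register to personnel records and attendance logs",
              rationale="High contractual headcount; payroll is the largest expense line"),
    FraudRisk("Misappropriation - Cash skimming",
              "Clinic collections skimmed before being recorded",
              likelihood="High", impact="Low"),   # a KFR still missing response and rationale
]

if __name__ == "__main__":
    for risk in identify_kfrs(SAMPLE_REGISTER):
        print(overall_assessment(risk.likelihood, risk.impact), "-", risk.category)
    for finding in review_findings(SAMPLE_REGISTER):
        print("REVIEW:", finding)
```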

The table below shows how COA auditors may assess KFRs and plan the audit
response for identified KFRs:


| Fraud Category and Schemes | Fraud Risk Statement | Likelihood (inherent) | Impact (inherent) | Overall assessment (inherent) | Audit Response | Rationale |
|---|---|---|---|---|---|---|
| Corruption – Bid rigging | There may be a risk that the bidding for the procurement of goods and services is rigged | Low | Low | Low | Test of internal controls and fraud-specific detective test | Due to the implementation of RA 9184, the controls over the bidding process have been established, thus the likelihood of the fraud is minimal. For the impact, since there are few high cost goods and services being procured, the impact of these bids is considered low. |

(The Likelihood, Impact and Overall assessment columns are rated at the Inherent Fraud Risk level.)

A sample of completed Fraud Risk Assessment template is available in Attachment 3.

1.6 Document Audit Responses for the Results of FRA

The results of the FRA should be submitted to the Cluster Director (CD)/Regional
Director (RD) for review and comment. The CD/RD shall evaluate whether the overall
assessment for the fraud risk indicated is justifiable based on the justification and
information provided by the audit team to support the assessment. The CD/RD shall
also evaluate whether the audit team has chosen the proper audit response in the
FRA based on the Rationale indicated. The CD/RD may consult with the FAIO and/or
the Legal Services (LS), in each Regional Office, when reviewing the results of the
FRA.

Upon approval of the FRA by the CD/RD, the audit team shall now proceed to
executing the audit responses indicated in the FRA template.

This completed assessment of fraud risk, signed by the CD/RD, SA and Team Leader
(TL), and any related documentation should be filed with the audit working papers.

Documentation

COA auditors should document understanding on the identified KFR (Section 1.3),
assessment and prioritized KFR (Section 1.4), and responses to the identified KFR
(Section 1.5) using FoAM Form-02 Fraud Risk Assessment template (Attachment 4).


A sample FRA template is presented in Attachment 2. This is linked to IRRBAM’s
Significant Agency Risk Identification Matrix (Form 02-05).
