Fraud Risk Assessment, Chapter 14 (transcript of 24 slides)

1

Fraud Risk Assessment

Chapter 14

2

Learning Objectives

• Describe the factors that influence an organization’s vulnerability to fraud.

• Explain the difference between preventive and detective controls.

• Understand the objective of a fraud risk assessment.

• Discuss why organizations should conduct fraud risk assessments.

• Understand the characteristics of a good fraud risk assessment.

• Describe considerations for developing an effective fraud risk assessment.

3

Learning Objectives

• List actions that should be taken to prepare a company for a fraud risk assessment.

• Understand the steps involved in conducting a fraud risk assessment and how to apply a framework to them.

• Describe approaches to responding to an organization’s residual fraud risks.

• Name important considerations when reporting the results of a fraud risk assessment.

• List actions management should take using the results of a fraud risk assessment.

• Explain how a fraud risk assessment can inform and influence the audit process.

4

What Is Fraud Risk?

• The vulnerability an organization has to those capable of overcoming the interrelated elements that enable someone to commit fraud.

• Fraud triangle
– Non-sharable financial need
– Opportunity
– Ability to rationalize

5

Why Be Concerned About Fraud Risk?

• No organization is immune.

• Awareness of weaknesses is one key to establishing mechanisms to reduce risk.

• Risks can be internal or external.

6

Factors That Influence Fraud Risk

• Nature of the business

• Operating environment

• Effectiveness of internal controls

• Ethics and values of the company and the people within it

7

What Is a Fraud Risk Assessment?

• Fraud risk assessment: A process aimed at proactively identifying and addressing an organization’s vulnerabilities to internal and external fraud.

• Objective—To help an organization recognize what makes it most vulnerable to fraud so that it can take proactive measures to reduce its exposure.

8

Why Should Organizations Conduct Fraud Risk Assessments?

• Improve communication about and awareness of fraud

• Identify what activities are the most vulnerable to fraud

• Know who puts the organization at the greatest risk of fraud

• Develop plans to mitigate fraud risk

• Develop techniques to determine if fraud has occurred in high-risk areas

9

Why Should Organizations Conduct Fraud Risk Assessments? (Cont’d)

• Assess internal controls:
– Controls eliminated during restructuring
– Controls eroded over time
– Lack of controls in a vulnerable area
– Nonperformance of control procedures
– Inherent limitations of controls

• Comply with regulations and professional standards:
– PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

10

What Makes a Good Fraud Risk Assessment?

• Collaborative effort of management and auditors

• The right sponsor

• Independence and objectivity of the people leading and conducting the work

• A good working knowledge of the business

• Access to people at all levels of the organization

• Engendered trust

• The ability to think the unthinkable

• A plan to keep it alive and relevant

11

Considerations for Developing an Effective Fraud Risk Assessment

• Packaging it right
– Tailor the communication approach to the organization.
– Be mindful of terminology used.

• One size does not fit all
– Adapt the framework to the business model, culture, and language of the organization.

• Keeping it simple
– Focus on areas that are most at risk for fraud.

12

Preparing the Company for the Fraud Risk Assessment

• Assembling the right team
– Accounting and finance personnel
– Personnel who have knowledge of day-to-day operations
– Risk management personnel
– General counsel or other members of the legal department
– Members of ethics or compliance functions
– Internal auditors
– External consultants with fraud and risk expertise

13

Preparing the Company for the Fraud Risk Assessment (Cont’d)

• Determining the best techniques to use
– Interviews
– Focus groups
– Surveys
– Anonymous feedback mechanisms

• Obtaining the sponsor’s agreement on the work to be performed
– Scope
– Methods
– Participants
– Form of output

• Educating the organization and openly promoting the process

14

Executing the Fraud Risk Assessment

• Identifying potential inherent fraud risks
– Incentives, pressures, and opportunities to commit fraud
  ▪ Position incentives
  ▪ Performance pressures
  ▪ Weak internal controls
  ▪ Highly complex business transactions
  ▪ Collusion opportunities
– Risk of management’s override of controls
  ▪ Management knows the controls and standard operating procedures in place to prevent fraud.
  ▪ Knowledge of controls can be used to conceal fraud.

15

Executing the Fraud Risk Assessment (Cont’d)

• Identifying potential inherent fraud risks (cont’d)
– Population of fraud risks
  ▪ Fraudulent financial reporting
  ▪ Asset misappropriation
  ▪ Collusion opportunities
– Regulatory and legal misconduct
– Reputation risk
– Risk to information technology

16

Executing the Fraud Risk Assessment (Cont’d)

• Assessing the likelihood of occurrence of identified fraud risks
– Past instances of a particular fraud
– Prevalence of fraud in the industry
– Internal control environment
– Available resources
– Support of management
– Ethical standards
– Transaction volume
– Complexity of the fraud risk
– Unexplained losses
– Complaints by customers or vendors

17

Executing the Fraud Risk Assessment (Cont’d)

• Assessing the significance of the fraud risks to the organization
– Financial statement and monetary significance
– Financial condition of the organization
– Value of the threatened assets
– Criticality of the threatened assets
– Revenue generated by the threatened assets
– Significance to the organization’s operations, brand value, and reputation
– Criminal, civil, and regulatory liabilities

18

Executing the Fraud Risk Assessment (Cont’d)

• Evaluating which people and departments are most likely to commit fraud and identifying the methods they are likely to use

• Identifying and mapping existing preventive and detective controls to the relevant fraud
– Preventive controls
– Detective controls

19

Executing the Fraud Risk Assessment (Cont’d)

• Evaluating whether the identified controls are operating effectively and efficiently
– Review accounting policies and procedures.
– Consider risk of management’s override of controls.
– Interview management and employees.
– Observe control activities.
– Perform sample testing of controls compliance.
– Review previous audit reports.
– Review previous reports on fraud incidents, shrinkage, and unexplained shortages.

20

Executing the Fraud Risk Assessment (Cont’d)

• Identifying and evaluating residual fraud risks resulting from ineffective or nonexistent controls
– Lack of appropriate prevention and detection controls
– Noncompliance with established prevention and control measures

21

Addressing the Identified Fraud Risks

• Establishing an acceptable level of risk

• Responding to residual fraud risks
– Avoid the risk
– Transfer the risk
– Mitigate the risk
– Assume the risk
– Combination approach

22

Reporting the Results

• Report objective—not subjective—results.

• Keep it simple.

• Focus on what really matters.

• Identify actions that are clear and measurable.

23

Making an Impact

• Begin a dialog across the company to promote awareness, education, and action planning.

• Look for fraud in high-risk areas.

• Hold responsible parties accountable for progress.

• Keep the assessment alive and relevant.

24

Fraud Risk Assessment and the Audit Process

• Auditors should validate that the organization is managing the moderate-to-high fraud risks.
– Evaluate whether controls are operating effectively and efficiently.
– Identify whether there is a moderate-to-high risk of management override of internal controls.
– Develop and deliver reports that incorporate the results of validation and testing of controls.