
Fraud Risk Assessments: A Key Tool for Organizations, Forensic Accountants and Internal Auditors

Nov 15, 2016

“The question is not what you look at, but what you see.”  - Henry David Thoreau

While Thoreau was likely thinking of far more pleasant matters when writing those words, they are remarkably relevant to the topic of identifying fraud.  

The Association of Certified Fraud Examiners’ (“ACFE”) most recent global survey estimates that the median loss caused to an organization by fraud for all cases included in its survey was $150,000.[1] This statistic highlights that while fraud is likely present in most companies, it may be hard to identify in a cost-efficient manner, as it may not be pervasive.

Enter the fraud risk assessment. In circumstances where budget constraints create barriers to examining or implementing controls for every aspect of an organization that is susceptible to fraud, the fraud risk assessment is a valuable tool.  For forensic accountants and internal auditors, a fraud risk assessment provides a road map of key areas requiring focused monitoring and investigative procedures.  For organizations, a fraud risk assessment offers guidance on how to deploy limited resources to mitigate fraud risk in the most susceptible areas.  

A fraud risk assessment generally begins with gaining an understanding of how an organization’s current established controls and procedures are functioning within the existing organization structure to measure internal risks as well as how they are addressing external industry risks.  This understanding is then used to assess the likelihood that an individual in a specific position within the organization could accomplish a given fraud scheme without timely detection. The procedures and controls are never evaluated in a vacuum, but always within the context of the positions that interact with the controls and procedures.

Once an organization’s internal and external risks have been identified based on specific positions, the next step is to compile a list of the most likely and most easily perpetrated fraud schemes. This process should result in identifying specific fraud schemes rather than broader risks to the organization. For example, rather than identifying revenue recognition as a fraud risk, a properly conducted fraud risk assessment would identify the organization’s practice of tying incentive compensation to quarterly revenue performance as a more specific fraud risk related to the timing of revenue recognition for contracts.

The next step in a fraud risk assessment is to prioritize the identified fraud risks.  The results of this step should consider the likelihood a particular fraud scheme will be perpetrated, as well as its financial, reputational and other impacts on the organization.  This process helps ensure that the allocation of limited resources is directed at the areas where the greatest probability of fraud and highest material impact reside. 

Lastly, the fraud risk assessment shifts to proactive monitoring.  The monitoring phase is where testing is conducted to determine if controls are sufficient to deter fraud and if remediation plans are necessary to correct areas of weakness in internal controls.  

It is important to remember that a fraud risk assessment is an ongoing process.  As external and internal factors change, so too do the risks that pose a threat to an organization.  A fraud risk assessment must be a dynamic process that adapts and considers these changes to most appropriately address and respond to risk. Ultimately, a fraud risk assessment should function like the words of Thoreau and provide a clear line of sight into the risks that are most likely to impact an organization.

1 Association of Certified Fraud Examiners, Inc., 2016 Report to the Nations on Occupational Fraud and Abuse.


