How Accounting Professionals and Organizations Can Leverage Fraud Risk Assessments

“The question is not what you look at, but what you see.” - Henry David Thoreau. 

While Thoreau was likely thinking of far more pleasant matters when writing those words, they are remarkably relevant to the topic of identifying fraud.  

By the numbers 

The most recent global survey from the Association of Certified Fraud Examiners (“ACFE”) estimates that a typical fraud case lasts a full year before detection and the resulting median loss to an organization was $117,000. The ACFE’s global survey also suggests the fraud detection method is directly correlated with both the fraud’s duration and amount of loss. The ACFE survey specifically indicates that fraud discovered via passive detection methods typically have longer durations and higher fraud losses versus those discovered via active detection methods. For example, the ACFE estimates that frauds detected by accident (a passive detection method) typically have a duration of almost two years and a loss of $100,000; however, frauds detected via automated traction/data monitoring (an active detection method) typically have a duration of six months and a loss of $50,000. These statistics highlight that while fraud is likely present in many companies, it may be hard to identify it in a cost-efficient manner.  

A valuable roadmap 

Enter the fraud risk assessment. In circumstances where budget constraints create barriers to examining or implementing controls for every aspect of an organization that is susceptible to fraud, the fraud risk assessment is a valuable tool. For forensic accountants and internal auditors, a fraud risk assessment provides a road map of key areas requiring focused monitoring and investigative procedures. For organizations, a fraud risk assessment offers guidance on how to deploy limited resources to mitigate fraud risk in the most susceptible areas. A fraud risk assessment provides an organization with information to implement active fraud detection methods—while keeping these methods focused on the areas with the greatest risk and, therefore, provides the organization with a more cost-efficient manner to manage fraud risk. 

The risk assessment 

A fraud risk assessment generally begins with gaining an understanding of how an organization’s current established controls and procedures are functioning within the existing organization structure to measure internal risks, and it also examines how they are addressing external industry risks. This understanding is then used to assess the likelihood that an individual in a specific position within the organization could accomplish a given fraud scheme without timely detection. The procedures and controls are never evaluated in a vacuum but within the context of the positions that interact with the controls and procedures. 

Likely suspects 

Once an organization’s internal and external risks have been identified based on specific positions, the next step is to compile a list of the most likely and most easily perpetrated fraud schemes. This process should result in identifying specific fraud schemes rather than broader risks to the organization. For example, rather than identifying revenue recognition as a fraud risk, a properly conducted fraud risk assessment would identify the organization’s risk of tying incentive compensation to quarterly revenue performance as a more specific fraud risk related to the timing of revenue recognition for contracts. 

Calculate the odds 

The next step in a fraud risk assessment is to prioritize the identified fraud risks. The results of this step should consider the likelihood a particular fraud scheme will be perpetrated as well as its financial, reputational, and other impacts on the organization. This process helps ensure that the allocation of limited resources is directed at the areas where the greatest probability of fraud and highest material impact exist.  

Ongoing monitoring 

Lastly, the fraud risk assessment shifts to proactive monitoring. The monitoring phase is where testing is conducted to determine if controls are sufficient to deter fraud and if remediation plans are necessary to correct areas of weakness in internal controls.  

It is important to remember that a fraud risk assessment is an ongoing process because the threats to an organization change as external and internal factors change. A fraud risk assessment must be a dynamic process that adapts and considers these changes to most appropriately address and respond to changes in the risks the organization faces. Ultimately, a fraud risk assessment should function like the words of Thoreau and provide a clear line of sight into the risks that are most likely to impact an organization.