What To Do: Performing and Refreshing Fraud Risk Assessments
May 25, 2021
By Jack Paladino
After over a year of great uncertainty resulting from the COVID-19 pandemic, the world has begun to experience signs of life, largely in part due to the rollout of multiple vaccines and loosened restrictions on businesses. While the end of the pandemic has yet to come, businesses are expected to experience growth because of increased consumer activity. With growth expected, it is crucial for management of organizations to consider the risk of fraud, including impact and likelihood, especially if the topic has previously not been a top priority.
The Institute of Internal Auditors (IIA) defines fraud as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”1 Based on the Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations, organizations lose 5% of revenue to fraud each year on average.2 A fraud risk assessment is an effective tool utilized by companies of all sizes and industries to effectively identify and prioritize areas of fraud risk within their organization, with a focus on the review of potential fraud schemes and the internal controls in place to prevent or detect those schemes.
Fraud Risk Management Principles
To better understand all factors of performing a successful fraud risk assessment, management should first consider the Fraud Risk Management Principles3 developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ACFE. These principles help an organization prevent and timely detect fraud by establishing a structured approach to fraud risk governance, periodic assessment and continuous monitoring. These principles were developed in accordance with COSO’s five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities) and 17 principles of internal control, which guide organizations in designing and implementing an effective system of internal controls. The COSO framework components and Fraud Risk Management Principles are detailed below:
Perform a Comprehensive Fraud Risk Assessment
Fraud risk assessments should be tailored to each company’s industry, risks and needs and should focus on the risk of fraudulent financial reporting, as well as asset misappropriation and corruption risks. The purpose of this article will be to focus on Fraud Risk Management Principle 2, regarding performance of the fraud risk assessment. Fraud risk areas that management should consider may include, among others:
- Financial Reporting
- Travel and Expenditures
Management of companies may be tasked with making quick decisions, delegating responsibilities to newly hired individuals or taking on additional responsibilities themselves. All potential scenarios present the increased risk of fraud being perpetrated, for reasons such as a lack of segregation of duties. Management must always maintain vigilance of typical fraud indicators, commonly referred to as “red flags,” as part of their efforts to identify if a fraud has occurred; this is especially true during periods of business growth that may expose vulnerabilities. The “fraud triangle”4 is a term utilized to identify the reasons for an individual to commit fraud, as depicted below:
Once management has identified key areas for fraud risk within the organization, an evaluation should be performed to determine relevant fraud schemes. To assist in the performance of this evaluation, management may elect to conduct employee interviews or facilitate workshop sessions. Surveys are also a useful tool to obtain feedback from a broad range of employees across the organization operating in different departments and/or international jurisdictions. Organizations can also review hotline databases to assess any past patterns, as well as perform a review of frauds committed at companies within the same industry. When compiling the likely fraud schemes, management should consider both the preventive and detective controls in place, or lack thereof, to effectively evaluate the following:
- The likelihood of the fraud scheme succeeding, if attempted;
- The level of pressure an individual faces to commit the fraud scheme;
- The attitude/rationale of an individual to justify the fraud scheme; and
- The impact to the organization if the fraud scheme was successful.
When performing the assessment of fraud schemes against the organization’s internal control environment, it is important to ensure proper rating of the likelihood that the fraud would be successful if it was attempted (i.e., committed and not detected timely, reflecting a potentially weak internal control system). Companies should be assessing their fraud risks against significance and likelihood of the fraud. A baseline rating system for the criteria is outlined below based on EisnerAmper’s research for a client project.
Likelihood of Occurrence
|Low||Indicates the fraud scheme has happened or could happen, but likely only to occur once or twice in a ten-year period.|
|Medium||Indicates the fraud scheme has or might occur, likely, every three to four years.|
|High||Indicates the fraud scheme will and/or has occurred once or more on an annual basis.|
Severity of Impact (Significance)*
Potential Financial Impact
Fraudulent Financial Statements
Misappropriation of Assets
Qualitative Factors (Description)
|Low||Loss < $250,000||Loss < $25,000||Loss < $250,000||A successfully executed fraud scheme with a low significance may result in bad publicity and a damaged reputation to a limited audience, generally with no impact on shareholder value.|
|Medium||Loss $250,000 to $2,000,000||Loss $25,000 to $150,000||Loss $250,000 to $750,000||A successfully executed fraud scheme with a medium significance may result in an increase of bad publicity and a damaged reputation to a regional audience, with shareholder value/reputation affected in the short term.|
|High||Loss > $2,000,000||Loss > $150,000||Loss > $750,000||A successfully executed fraud scheme with a high significance may result in bad publicity and a damaged reputation on a global scale, with shareholder value and reputation severely affected.|
*Note: Amounts depicted in the table are for demonstration purposes only. Companies should adjust figures based on factors including risk tolerance levels and organization size.
As depicted, assessment as to the impact on the organization of a successful fraud considers the following, but is not limited to: monetary losses, reputational damages, lawsuits and criminal charges. A comprehensive fraud risk assessment will assign ratings for opportunity or likelihood, impact and pressure, while detailing the potential attitude/rationale of the individual(s) who may be in a position to commit the fraud scheme(s). Mitigating preventive or detective controls should be mapped to each of the rated fraud schemes to provide an overall level of residual risk, i.e., any remaining risk after an organization’s internal controls or procedures have been applied to reduce risk. Any instances of fraud control gaps should be highlighted by management for prompt implementation and/or remediation.
Management is responsible for maintaining an effective system of internal controls, which assists in ensuring all relevant fraud risks are appropriately mitigated on a continuous basis. Organizations must ensure fraud risks are periodically assessed to account for any changes to the business and implement additional controls to address any heightened fraud risks. Common examples of fraud schemes perpetrated are listed below:
- Addition of fictitious vendors and invoices leading to inappropriate disbursements.
- Submission of inflated expense reports leading to inappropriate reimbursements.
- Inclusion of fictitious employees on payroll leading to inappropriate compensation expenses.
- Documenting of inflated inventory counts leading to misstated financial statements.
- Adjustment of sales to exactly meet budget and expectations.
- Skimming from cash receipts leading to inaccurate revenue.
In accordance with Fraud Risk Management Principle 2, management should perform a risk assessment to identify specific fraud schemes and risks, assessing each for likelihood of occurrence and significance of financial impact. A comprehensive assessment will also include evaluation of existing preventive and detective fraud control activities, as well as a plan for implementation of additional activities to mitigate residual risk. To help stay prepared, organizations should take the time to reassess the adequacy of their fraud risk management plans when the act occurs at other companies; by doing so, organizations will often identify improvements to their own plans.
1“Fraud and Internal Audit,” Institute of Internal Auditors.
2“2020 Report to the Nations,” Association of Certified Fraud Examiners.
4 “Fraud Triangle,” Corporate Finance Institute.