In our modern-day risk landscape, companies must navigate uncertainties in the external and internal environment. Though no company likes the possibility of bad actors committing fraud, external and internal risk of fraud remains a pressing — and costly — concern.
According to the Association of Certified Fraud Examiners’ (ACFE) 2020 Global Fraud Study, organizations lose an average of 5% of revenue to fraud each year. More alarmingly, a lack of internal controls to prevent fraud contributes to nearly a third of global fraud cases.
Fortunately, identifying fraud risks and mitigating them doesn’t have to be difficult. With a fraud risk assessment, companies can understand the overall risk universe. In this article, we break down the main components of an effective fraud risk strategy, providing 5 simple steps on how to conduct a fraud risk assessment.
What Is a Fraud Risk Assessment?
According to The Journal of Accountancy, perpetrators commit fraud for two reasons: greed or need. There are three elements that enable someone to commit fraud: motive, opportunity, and rationalization. Due to financial need, ability to execute a fraud scheme, and personal justification of dishonest actions, bad actors commit fraud.
A fraud risk assessment is aimed at proactively addressing a business’s vulnerabilities to internal and external fraud. Though types of fraud vary by business line, internal frauds include embezzlement and misappropriation of assets, while external frauds include hacking and theft of proprietary information.
Commonly, perpetrators commit fraud due to weaknesses in internal controls. When used to understand these weaknesses and the risk environment, a fraud risk assessment can help management formulate a mature risk management plan.
How Does a Fraud Risk Assessment Work?
A fraud risk assessment should be tailored to an organization’s unique industry and operations. Management and managers responsible for each department should perform a risk assessment by examining the organization’s exposure to fraud risk events. Because changes in the internal and external environment are certain, the assessment should be refreshed regularly to mitigate risks to an acceptable level.
The fraud risk assessment can take many forms: a matrix, narrative, or any other format that the organization finds easiest to understand. It should be shared with the Board of Directors, and jointly, all parties should implement anti-fraud controls based on the likelihood and impact each risk will have on the organization.
Why Is a Fraud Risk Assessment Important?
Performing regular fraud risk assessments is a small investment compared to the cost of fraudulent activity. As the ACFE’s 2020 Global Fraud Study shows, worldwide fraud schemes cause losses of more than $3.6 billion dollars annually. A fraud risk assessment is essential in helping businesses proactively identify external and internal risks that can have a significant impact on their reputation, exposure to criminal or civil liability, and assets.
Once these fraud risks have been identified, companies can develop a mitigation strategy. While it’s impossible to eliminate all fraud risks, a fraud risk assessment is a powerful tool in reducing the probability and severity of those risks.
What Should a Fraud Risk Assessment Address?
The fraud risk assessment should address four key areas: asset misappropriation, financial and non-financial reporting, regulatory compliance areas, and illegal acts.
In general, cash, inventory, and company assets are subject to misappropriation and must be examined for potential skimming, larceny, and fraudulent disbursements. Asset misappropriation is also more than theft or embezzlement — employees who use company equipment, such as computers, for their personal benefit are engaging in misappropriation.
Financial and Non-Financial Reporting
Inconsistency between financial and nonfinancial information can reflect internal fraud. Commonly carried out by management by overriding internal controls, fraud in the financial statements can include overstating revenues, profits, and assets; and understating expenses, losses, and liabilities. Auditors should analyze non-financial performance indicators such as the number of facilities/stores, the number of customer accounts, and the number of employees (depending on the company).
Regulatory Compliance Areas
As business risk becomes increasingly complex due to external risks like the coronavirus crisis, auditors must maintain a watchful eye on the relationship between a company’s risk of fraud and their compliance efforts. A recent report by EY found that the risk of fraud can spike during global events like the pandemic, leading to decreases in compliance activity. Investigate the compliance activities of the organization — is compliance merely a “check-the-box” exercise, or is it a genuine effort at creating a culture of integrity?
Fraud is fundamentally an illegal act, and auditors should maintain sufficient knowledge of the characteristics and indicators of fraud, techniques used to commit fraud, and types of fraud associated with the activities being audited. The fraud risk assessment is an excellent tool in helping audit, risk, and compliance professionals provide reasonable assurance in preventing and detecting fraud.
What Are the Main Fraud Risk Assessment Components?
A fraud risk assessment should feature the following components:
- Description of Fraud Risks: while fraud risks vary, examples include theft of assets, fraudulent disbursements, manipulation of expenses, and inappropriate journal entries.
- Likelihood of Occurrence: though granularity can vary, define the probability of the fraud risk as remote to almost certain.
- Significance to the Organization: level of significance can also vary, but common categories include inconsequential to material.
- Identification of Anti-Fraud Controls: every organization has internal controls to prevent fraud, and auditors must examine how robust these are.
- Assessment of Control Effectiveness: label controls as ineffective to very effective.
- Fraud Risk Response: after identifying a fraud risk, determine corrective action activities or additional controls that should be implemented.
- Responsible Person: decide who will implement controls and mitigation efforts.
- Monitoring Activities: establish monitoring activities that will be conducted and how frequently they will occur.
Read on for 5 simple steps to conduct a fraud risk assessment.
5 Simple Steps to Conduct a Fraud Risk Assessment
Step 1: Identify Risks
Identifying risks most relevant to the organization is a key first step in conducting a fraud risk assessment. Factors that influence fraud risk include:
- The nature of the business and environment in which it operates.
- The effectiveness of internal controls.
- The ethics and values of the company and its employees.
It’s important to evaluate which people and departments are most likely to commit fraud and identify the methods they are likely to use. Examine incentives, pressures, and opportunities to commit fraud; anti-fraud controls already in place; risk of management to override controls; risk of regulatory and legal misconduct; and risk to information technology. Identifying these factors will enable you to create a successful risk management plan.
Step 2: Quantify Risks
Assess the likelihood of occurrence of the identified risks and significance to the organization. A risk assessment matrix, also known as a probability and severity matrix, can be a helpful tool in quantifying risks and evaluating their impact.
When assessing likelihood, you should consider:
- Prevalence of the fraud risk in the organization’s industry.
- Number of individual transactions involved and complexity of the fraud risk.
- Number of people involved in approving and reviewing the relevant process.
When assessing significance, be sure to consider:
- Financial condition of the organization.
- Value and criticality of threatened assets.
- Criminal, civil, and regulatory liabilities.
Step 3: Respond to Risks
Once risks have been quantified, decide on a mitigation strategy and who will be responsible for its implementation. Every organization must establish an acceptable level of risk based on a thorough cost benefit analysis.
When deciding on how to respond to risks, an organization may choose to:
- Avoid the risk by terminating the activity.
- Transfer the risk and its financial consequences to a third party.
- Mitigate the risk by reducing its likelihood and impact.
- Assume the risk because the cost of mitigating it isn’t worth it.
Remember that putting internal controls in place is one of the most effective mitigation strategies an organization can use. The risk of asset misappropriation is a lot easier to reduce when a company is rigorous about segregation of duties, for example.
Step 4: Monitor and Review Risks
As with any risk management strategy, there is no such thing as a one-and-done approach to fraud risk assessment. A process that requires ongoing monitoring and review, the fraud risk assessment must be refreshed to respond to the changing risk environment. Not only can new fraud risks appear due to changes in the risk universe, but their impact can change too.
Step 5: Report Risks
By using a tailored and comprehensive fraud risk assessment approach, an organization will be able to avoid another important risk: missing valuable information and obtaining unreliable results. When communicating the results of a fraud risk assessment, stay objective, identify actions that are clear and measurable to drive results, and recommend control activities that reduce the risk of fraud.
How Can I Strengthen My Fraud Risk Assessment Process?
Whether your company has instituted an enterprise-wide fraud risk assessment or started in one business area and built out the program over time, a best-in-class fraud risk assessment must take a deep dive into how to improve current processes. Some questions to consider in your deep dive include:
- What are my company’s top risks?
- What controls are already in place, and how effective are they?
- What are the key gaps and vulnerabilities in my organization?
- Who are the key stakeholders that should be involved in my fraud risk assessment?
- How can my company strategically integrate its fraud risk strategy across departments?
With comprehensive answers to these questions, you’ll be well on your way to a fraud risk assessment strategy that will drive exceptional business results.
How to Productively Manage Fraud Risks Moving Forward
Managing fraud risk is a long-term journey that takes time, multiple iterations, and the right mix of insight and action. Fortunately, audit, risk, and compliance professionals don’t have to do it alone. With the right technology, you can manage your fraud risk environment and set your company up for success. Get started with RiskOversight today!
Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.