CHAPTER 14

FRAUD RISK ASSESSMENT

LEARNING OBJECTIVES

After studying this chapter, you should be able to:

14-1 Describe the factors that influence an organization's vulnerability to fraud
14-2 Explain the difference between preventive and detective controls
14-3 Define and explain the objective of a fraud risk assessment
14-4 Discuss why organizations should conduct fraud risk assessments
14-5 Understand the characteristics of a good fraud risk assessment
14-6 Describe considerations for developing an effective fraud risk assessment
14-7 List actions that should be taken to prepare a company for a fraud risk assessment
14-8 Understand the steps involved in conducting a fraud risk assessment and how to apply a framework to it
14-9 Describe approaches to responding to an organization's residual fraud risks
14-10 Name important considerations when reporting the results of a fraud risk assessment
14-11 List actions management should take using the results of a fraud risk assessment
14-12 Explain how a fraud risk assessment can inform and influence the audit process

OVERVIEW

For the organization's fraud risks to be effectively managed, they must first be identified using a formal risk assessment. If performed and used correctly, a fraud risk assessment can be a powerful proactive tool in the fight against fraud for any business. Additionally, regulators, professional standard-setters, and law enforcement authorities continue to emphasize the crucial role that fraud risk assessment plays in developing and maintaining effective fraud risk management programs and controls.

What Is Fraud Risk?

As discussed in Chapter 1, the fraud triangle, developed by Donald R. Cressey, tells us that there are three interrelated elements that enable someone to commit fraud: the nonshareable financial need that drives a person to want to commit the fraud, the opportunity that enables him to commit the fraud, and the ability to rationalize the fraudulent behavior. The vulnerability that an organization has to those capable of overcoming all three of these elements is fraud risk. Fraud risk can come from sources both internal and external to the organization and is one of the many types of risks to be managed by an organization.

Inherent and Residual Fraud Risks When considering the fraud risks faced by an organization, it is helpful to analyze how significant a risk is before and after risk response. Risks that are present before management action are described as inherent risks. The risks that remain after management action are described as residual risks.

For example, at a small company there is an inherent risk that the bookkeeper who receives customer payments may embezzle incoming cash. Controls such as segregation of duties and oversight by the company owner can be implemented to help mitigate this risk; however, even with such controls in place, some residual risk that the bookkeeper will still manage to embezzle funds will likely remain. The objective of the controls is to make the residual risk significantly smaller than the inherent risk.

Why Should an Organization Be Concerned about Fraud Risk?

Every organization is vulnerable to fraud—no organization has immunity to that risk. The key to reducing this vulnerability is to be consciously aware and realistic about the organization's weaknesses. Only then can management establish mechanisms that effectively prevent or detect fraudulent activities.

Organizational stakeholders expect their stewards to be thoughtful and prudent about protecting the business. Yet, even while tales of fraudsters receive much public attention, many organizations still have difficulty facing the reality of their susceptibility to fraud.

Factors That Influence Fraud Risk

The Nature of the Business The types of risks an organization faces are directly connected to the nature of the business in which it is engaged. For example, the inherent fraud risks faced by hospitals and medical practices are vastly different from those faced by banks and financial institutions, construction companies, educational institutions, or retail organizations.

The Operating Environment The environment in which the organization operates has a direct impact on its vulnerability to fraud. Brick-and-mortar businesses have a very different risk profile than Internet businesses. Likewise, local businesses have different risk profiles than those that operate in the international arena.

The Effectiveness of Its Internal Controls A good system of internal controls, with the right balance of preventive and detective controls, can greatly reduce an organization's vulnerability to fraud. Preventive controls are those manual or automated processes designed to stop an undesirable event from occurring. Detective controls can also be manual or automated, but are designed to identify an undesirable event that has already occurred. No system of internal controls can fully eliminate the risk of fraud, but well-designed and effective internal controls can deter the average fraudster by reducing the opportunity to commit the fraud and increasing the perception of detection.

The Ethics and Values of the Company and its Employees It is extremely difficult, if not impossible, to have a company made up of individuals whose ethics and values are fully aligned with those of the organization. Any gap in alignment can significantly increase an organization's fraud risk.

While many organizations have codes of conduct, those codes are not always clear in drawing the definitive line between acceptable and unacceptable behavior. That lack of clarity leaves room for fraudsters to rationalize their actions. For example, in most organizations, it is generally understood that manipulating financial records is unacceptable behavior that will result in termination; however, it is not always apparent whether taking a pen or pencil home that belongs to the company is unacceptable behavior or what the consequence, if any, would be.

An organization that is clear and consistent about its ethics, values, and expectations will reduce the potential fraudster's ability to rationalize his actions. Likewise, an organization that demonstrates consistency and predictability in how it handles and holds accountable employees who engage in unacceptable behaviors can significantly reduce the risk of fraud.

WHAT IS A FRAUD RISK ASSESSMENT?

Fraud risk assessment is a process aimed at proactively identifying and addressing an organization's vulnerabilities to both internal and external fraud. As every organization is different, the fraud risk assessment process is often more an art than a science. What gets evaluated and how it gets assessed should be tailored to the organization—there is no one-size-fits-all approach. Additionally, organizational fraud risks continually change. It is therefore important to think about a fraud risk assessment as an ongoing, continuous process rather than just an activity.

A fraud risk assessment starts with an identification and prioritization of fraud risks that exist in the business. The process evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.

What Is the Objective of a Fraud Risk Assessment?

In the simplest terms, the objective of a fraud risk assessment is to help an organization recognize what makes it most vulnerable to fraud. Through a fraud risk assessment, the organization is able to identify where fraud is most likely to occur, enabling proactive measures to be considered and implemented to reduce the chance that it could happen. The strategic reasoning used in conducting a fraud risk assessment requires a skeptical mindset and involves asking questions such as:

  • How might a fraud perpetrator exploit weaknesses in the system of controls?
  • How could a perpetrator override or circumvent controls?
  • What could a perpetrator do to conceal the fraud?

WHY SHOULD ORGANIZATIONS CONDUCT FRAUD RISK ASSESSMENTS?

Every organization should conduct a fraud risk assessment and build procedures to keep the assessment process current and relevant. Not only is this practice good corporate governance, it makes good business sense.

Improve Communication and Awareness about Fraud

A fraud risk assessment can be a great vehicle for an organization to open up communication and raise awareness about fraud. When employees are engaged in an open discussion about fraud, the conversations themselves can play a role in reducing fraud vulnerability. Employees are reminded that the organization does care about preventing fraud and are also empowered to come forward if they suspect fraud is occurring. Open communication and awareness about fraud can also deter a potential fraudster by reducing his ability to rationalize bad behavior and increasing his perception that someone might catch on to his actions and report him.

Identify What Activities Are the Most Vulnerable to Fraud

Management must know where the company is most vulnerable to fraud in order to prevent it. For most companies, the normal course of business generally involves many different activities; however, not all the activities in which the company engages are equal in terms of increasing the business's exposure to fraud. The fraud risk assessment helps guide the organization to focus on the activities that put the company at greatest risk.

Know Who Puts the Organization at the Greatest Risk

The actions of certain individuals can significantly increase the company's vulnerability to fraud. The risk can be driven by the way in which someone makes decisions, behaves, or treats others within and outside the organization. The fraud risk assessment can help home in on those people and their activities that might increase the company's overall fraud risk.

Develop Plans to Mitigate Fraud Risk

If management knows where the greatest fraud risks are, it can put plans in place to reduce or mitigate those risks. The results of the fraud risk assessment can be used to gain alignment among various stakeholders and to drive preventive action.

Develop Techniques to Determine Whether Fraud Has Occurred in High-Risk Areas

Assessing an area as having a high fraud risk does not conclusively mean that fraud is occurring there. Nevertheless, the fraud risk assessment is useful in identifying areas that should be proactively investigated for evidence of fraud. In addition, putting high-risk areas under increased scrutiny can deter potential fraudsters by increasing their perception of detection.

Assess Internal Controls

Many organizations rely heavily on their internal control system to prevent and detect fraud. Although internal control plays a critical role in fraud prevention and detection, it is a dynamic system that requires constant reevaluation of its weaknesses. Performing a fraud risk assessment provides management with the opportunity to review the company's internal control system for effectiveness, taking into account the following considerations:

  • Controls that might have been eliminated due to restructuring efforts (e.g., elimination of separation of duties due to downsizing)
  • Controls that might have eroded over time due to reengineering of business processes
  • New opportunities for collusion
  • Lack of internal controls in a vulnerable area
  • Nonperformance of control procedures (e.g., control procedures compromised for the sake of expediency)
  • Inherent limitations of internal controls, including opportunities for those responsible for a control to commit and conceal fraud (e.g., through management and system overrides)

Comply with Regulations and Professional Standards

Fraud risk assessments can assist management and auditors (internal and external) in satisfying regulatory requirements and complying with professional standards pertaining to their responsibility for fraud risk management. For example, in the United States, Public Company Accounting Oversight Board Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements” (renumbered AS 2201 when the PCAOB reorganized its standards), specifically states that auditors should take into account the results of the fraud risk assessment when planning and performing the audit of internal control over financial reporting.

The PCAOB has also issued eight auditing standards (AS Nos. 8–15, since reorganized into the AS 1000 and 2000 series) specifically addressing the auditor's assessment of, and response to, risk during a financial statement audit. Similarly, the AICPA Statements on Auditing Standards include specific requirements and guidance on risk assessments and key points to consider when performing risk assessments in audit engagements. These standards address audit procedures from the planning stages to the evaluation of audit results.

WHAT MAKES A GOOD FRAUD RISK ASSESSMENT?

A good fraud risk assessment is one that fits within the culture of the organization, is sponsored and supported by the right people, encourages everyone to openly participate, and is generally embraced throughout the business as an important and valuable process. Conversely, a fraud risk assessment that is conducted without these conditions will have inferior results.

The following are key elements to conducting a good fraud risk assessment.

Collaborative Effort of Management and Auditors

As regulations and professional standards indicate, both management and auditors have a responsibility for fraud risk management. However, each of these parties has unique knowledge and perspective of the fraud risks faced by the organization. Management has intricate familiarity of day-to-day business operations, responsibility for assessing business risks and implementing organizational controls, authority to adjust operations, influence over the organization's culture and ethical atmosphere, and control over the organization's resources (e.g., people and systems). Auditors, conversely, are trained in risk identification and assessment and have expertise in evaluating internal controls, which is critical to the fraud risk assessment process. Consequently, the fraud risk assessment is most effective when management and auditors share ownership of the process and accountability for its success.

The Right Sponsor

Having the right sponsor for a fraud risk assessment is extremely important in ensuring its success and effectiveness. The sponsor must be senior enough in the organization to command the respect of the employees and elicit full cooperation in the process. The sponsor also must be someone who is committed to learning the truth about where the company's fraud vulnerabilities are; this person must be a truth seeker—not someone who is prone to rationalization or denial. In the ideal situation, the sponsor would be an independent board director or audit committee member; however, a chief executive officer or other internal senior leader can be equally effective.

Organizational culture plays a key role in influencing the entity's vulnerability to fraud. If the company's culture is shaped by a strong and domineering leader, obtaining candid participation from participants might be difficult with that leader as sponsor of the fraud risk assessment. Consider how effective a fraud risk assessment of HealthSouth would have been with Richard Scrushy as its sponsor. Similarly, a fraud risk assessment of Enron sponsored by Kenneth Lay or Jeffrey Skilling would have been worthless.

The right sponsor is someone who is willing to hear the good, the bad, and the ugly. For example, suppose a fraud risk assessment reveals that one of the greatest fraud risks facing the organization is bribery/corruption arising from the close relationship between one of the key business leaders and the company's business partners. For the fraud risk assessment to be effective, the sponsor needs to be independent and open in evaluating the situation and, most important, appropriate in responding to the identified risks.

Independence and Objectivity of the People Leading and Conducting the Work

A good fraud risk assessment can be effectively conducted either by people inside the organization or using external resources. Either way, it is critical that the people leading and conducting the fraud risk assessment remain independent and objective throughout the assessment process. Additionally, they must be perceived as independent and objective by others.

Those leading and performing the work should be mindful of any personal biases they may have regarding the organization and the people within it and should take steps to reduce or eliminate all biases that may affect the fraud risk assessment process. For example, if an employee on the fraud risk assessment team had a bad past experience with someone in the accounts payable department, he might allow that experience to affect his evaluation of the fraud risks related to that area of the business. To preclude this possibility, someone else should perform the fraud risk assessment work related to the accounts payable department's activities.

Cultural neutrality is an important aspect of independence and objectivity when leading or conducting a fraud risk assessment. Some organizations have very strong corporate cultures that can play a big role in influencing the way the people inside the organization think about fraud risk. If people within the organization are leading and conducting the fraud risk assessment, they must be able to step outside the corporate culture to assess and evaluate the presence and significance of fraud risks in the business.

A Good Working Knowledge of the Business

The individuals leading and conducting the fraud risk assessment need to have a good working knowledge of the business. Every organization is unique; even companies that appear similar have characteristics that differentiate them—and their fraud risks—from their competitors. Some of those differences can be obvious, whereas others are more subtle.

To ensure a good working knowledge of the business, the fraud risk assessor must know, beyond a superficial level, what the business does and how it operates. He must also have an understanding of what makes the organization both similar to and different from other companies in related lines of business.

Obtaining information about broad industry fraud risks from external sources can be helpful. Such sources include industry news; criminal, civil, and regulatory complaints and settlements; and professional organizations, such as the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners.

Access to People at All Levels of the Organization

It is often said that perception is reality. In other words, how an individual perceives a situation is his reality of that situation. In an organization, it is important that the perceptions of people at all levels are included in the fraud risk assessment process.

Leaders of a business or function often have very different perspectives from their subordinates on how something is perceived or executed, but this does not mean that one perspective is right and the other is wrong. What it does mean is that expectations and perceptions within the organization are not aligned, which could increase fraud risk.

Risk assessments created or performed by management and auditors without the input of the staff performing the operational tasks will be ineffective. It is crucial to include members of all levels of the organization in the risk assessment process to ensure that all relevant risks are addressed and reviewed from many different perspectives.

Engendered Trust

If management and employees do not trust the people leading and conducting the fraud risk assessment, they will not be open and honest about the realities of the business, its culture, and its vulnerability to fraud. Trust is not something that can be granted by authority; it must be earned through words and actions. As they engage employees throughout the business, those leading and conducting the fraud risk assessment should deliberately and carefully plan the initial contact with an effort to develop a rapport and gain trust.

The Ability to Think the Unthinkable

Most honest people are not naturally inclined to think like a criminal. In fact, many large-scale frauds that have occurred would have been deemed unthinkable by people closest to the events. But a necessary part of conducting an effective fraud risk assessment involves thinking like a fraudster. A good fraud risk assessment has to allow for the people leading and conducting the assessment to be expansive in their consideration and evaluation of fraud risk. Thoughts of “it couldn't happen here” should not be allowed to moderate the evaluation of fraud risk.

A Plan to Keep It Alive and Relevant

The fraud risk assessment should not be treated as a one-time exercise that is executed, reported on, and then put on a shelf to collect dust. The organization should strive to keep the process alive and relevant through ongoing dialogue, active management of action plans, and development of procedures to ensure that the assessment is maintained on a current basis.

CONSIDERATIONS FOR DEVELOPING AN EFFECTIVE FRAUD RISK ASSESSMENT

A fraud risk assessment is only effective if the organization embraces it and uses the results to monitor, change, or influence the factors that put the company at risk for fraud. To this end, several matters should be considered during the development of the fraud risk assessment.

Packaging It Right

People do not easily relate to or embrace things they don't understand. Every organization has its own vocabulary and preferred methods of communication. The announcement and execution of the fraud risk assessment, including the reporting of the results, will only be effective if completed in the language of the business. For example:

  • In a creative organization where decisions are made based on qualitative assessments and instinct and where the majority of communication is visual, a quantitative approach to assessing fraud risk—one that is driven by numbers and calculations—would most likely be rejected
  • In an organization where the business is built and run on quantitative decision-making models, a qualitative approach with no quantitative components would most likely be rejected

The assessor must remain mindful of the language used throughout the fraud risk assessment. Specifically, he should stay away from technical language that won't resonate with the intended audience. For example, many people might not easily relate to or understand the term cash larceny. If cash larceny is one of the organization's greatest fraud risks, it might be more effective to explain the concept in layman's terms, describing the risk as “theft of cash.”

One Size Does Not Fit All

Do not try to fit a square peg into a round hole; what works in one organization most likely will not easily work in another. Recognizing the nuances of the business and tailoring the approach and execution to the specific organization contributes to the success of the fraud risk assessment. While a generic framework or toolset can be a valuable starting point for the development of the fraud risk assessment, it must be adapted to fit the business model, culture, and language of the organization.

Keeping It Simple

The more complicated the fraud risk assessment is, the harder it will be to execute it and use it to drive action. Whether the assessor uses a generic assessment framework or develops one specifically for the organization, he should focus the effort and time on evaluating the areas that are most likely to have fraud risk.

PREPARING THE COMPANY FOR THE FRAUD RISK ASSESSMENT

Properly preparing the company for the fraud risk assessment is critical to the assessment's success. The culture of the organization should influence the approach used in the fraud risk assessment preparation.

Assembling the Right Team to Lead and Conduct the Fraud Risk Assessment

The organization should build a fraud risk assessment team consisting of individuals with diverse knowledge, skills, and perspectives to lead and conduct the assessment. The size of the team will depend on the size of the organization and the methods used to conduct the assessment. The team should have individuals who are credible and who have experience in gathering and eliciting information.

The team members can include internal and external resources such as:

  • Accounting and finance personnel who are familiar with the financial reporting processes and internal controls
  • Nonfinancial business unit and operations personnel who have knowledge of day-to-day operations, customer and vendor interactions, and issues within the industry
  • Risk management personnel who can ensure that the fraud risk assessment process integrates with the organization's enterprise risk management program
  • The general counsel or other members of the legal department
  • Members of any ethics or compliance functions within the organization
  • Internal auditors
  • External consultants with fraud and risk expertise
  • Any business leader with direct accountability for the effectiveness of the organization's fraud risk management efforts

Determining the Best Techniques to Use in Conducting the Fraud Risk Assessment

There are many ways to gather information during a fraud risk assessment. Picking a method or combination of methods that is culturally right for the organization will help ensure its success. The assessment team should also consider the best ways to gather candid information from people throughout all levels of the organization, starting by understanding what techniques are commonly and effectively used throughout the organization. The following are some examples of methods that can be used to conduct the fraud risk assessment.

Interviews Interviews can be an effective way to conduct a candid one-on-one conversation, but their usefulness depends on how willing people in the organization are to be open and honest in a direct dialogue with the interviewer. The assessor must consider whether interviews are commonly and effectively used in the organization to gather and elicit information. He should also speak with individuals who have previously conducted interviews with employees to glean lessons learned. For each potential interviewee, the assessor should gauge the willingness of the interviewee to be open and honest—some people might be good interview candidates, whereas others might need to be engaged through a different approach.

Focus Groups Focus groups enable the assessor to observe the interactions of employees as they discuss a question or issue. Some topics may lend themselves to being discussed in an open forum in which people feel comfortable among their colleagues. Additionally, when discussing tough or thorny issues in a group, an anonymous, real-time voting tool can be an effective way of opening up a dialogue among the participants.

The success of a focus group is highly dependent on the skill of the facilitator. If focus groups are used as part of the fraud risk assessment, they should be led by an experienced facilitator with whom the group can relate and whom they trust. Getting a group to open up and talk honestly can be very difficult. An experienced facilitator will be able to read the group and use targeted techniques (for example, group icebreakers) to make the session a success.

Surveys Surveys can be anonymous or directly attributable to individuals. Sometimes people share more openly when they feel protected behind a computer or paper questionnaire. In an organization where the culture is not one in which people open up and talk freely, an anonymous survey can be an effective way to get feedback. However, employees can be skeptical about the true anonymity of a survey, especially in organizations that use surveys to solicit feedback anonymously but send follow-up emails to individual delinquent respondents. If the assessor determines that an anonymous survey is an appropriate technique to use in the fraud risk assessment, he should clearly and explicitly explain to employees how anonymity will be maintained.

Anonymous Feedback Mechanisms In some organizations, anonymous suggestion boxes or similar mechanisms are used to encourage and solicit frequent employee feedback. In these companies, information pertaining to the fraud risk assessment can be requested in the same way. Additionally, use of an anonymous feedback mechanism can be effective in an environment where people are less likely to be open and honest through other methods and techniques.

One approach to effectively using the anonymous feedback technique involves establishing a question of the day that is prominently displayed above a collection box. An example of such a question is: “If you thought fraud were occurring in the company, would you come forward? Why or why not?” Another approach involves using a table lineup of five to ten opaque boxes, each with a statement posted above it. Employees are provided with poker chips in two different colors and told that one color indicates “I agree” and the other indicates “I disagree.” Employees are then encouraged to respond to each statement by putting a corresponding chip in each box to indicate their response.

Obtaining the Sponsor's Agreement on the Work to Be Performed

Before the fraud risk assessment procedures begin, the sponsor and the assessment team need to agree on:

  • The scope of work that will be performed
  • The methods that will be used (e.g., surveys, interviews, focus groups, or anonymous feedback mechanisms)
  • The individuals who will participate in the chosen methods
  • The content of the chosen methods
  • The form of output for the assessment

Educating the Organization and Openly Promoting the Process

The fraud risk assessment process should be visible and communicated throughout the business. Employees will be more inclined to participate in the process if they understand its purpose and the expected outcomes.

Sponsors should be strongly encouraged to openly promote the process. The more personalized the communication from the sponsor, the more effective it will be in encouraging employees to participate. Whether through a video, town-hall meeting, or companywide email, the communication should be aimed at eliminating any reluctance employees have about participating in the fraud risk assessment process.

EXECUTING THE FRAUD RISK ASSESSMENT

Fraud risk assessments can be executed in many ways. To ensure the assessment's success, the approach should be structured, rational, and tailored to the organization. Consequently, when conducting a fraud risk assessment, it is helpful to use a framework for performing, evaluating, and reporting the results of the work. Fraud risk can be analyzed and reported both qualitatively and quantitatively using a consistent framework. In adopting a framework, however, the fraud risk assessment team must ensure that the specific needs and culture of the organization are considered and accounted for. Without tailoring the fraud risk assessment approach to the specific organization, the team runs the risk of missing important factors or obtaining results that are unreliable or meaningless.

The sample framework discussed below is based on information contained in Managing the Business Risk of Fraud: A Practical Guide, sponsored by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners.[1] This framework illustrates a comprehensive approach to applying the elements of a fraud risk assessment.

Using this framework, the fraud risk assessment team incorporates the following fraud risk assessment approach:

  1. Identify potential inherent fraud risks
  2. Assess the likelihood of occurrence of the identified fraud risks
  3. Assess identified fraud risks' significance to the organization
  4. Evaluate which people and departments are most likely to commit fraud and identify the methods they are likely to use
  5. Identify and map existing preventive and detective controls to the relevant fraud risks
  6. Evaluate whether the identified controls are operating effectively and efficiently
  7. Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls

The table in Exhibit 14-1 provides a visual representation of the steps involved in this framework and can be filled in as the fraud risk assessment is performed.2

Identifying Potential Inherent Fraud Risks

One of the first steps in a fraud risk assessment involves identifying potential fraud risks inherent to the organization. The fraud risk assessment team should brainstorm to identify the fraud risks that could apply to the organization. Brainstorming should include discussions regarding the following factors.

EXHIBIT 14-1 Sample Fraud Risk Assessment Framework

Incentives, Pressures, and Opportunities to Commit Fraud When assessing the potential incentives, pressures, and opportunities to commit fraud, the fraud risk assessment team should evaluate:

  • Opportunities to commit fraud that arise from a person's position (i.e., given his responsibilities and authority)
  • Incentive programs and how they might affect employees' behavior when conducting business or applying professional judgment
  • Pressures on individuals to achieve performance or other targets and how such pressures might influence employees' behavior
  • Opportunities to commit fraud that arise from weak internal controls, such as a lack of segregation of duties
  • Highly complex business transactions and how they might be used to conceal fraudulent acts
  • Opportunities for collusion (intrinsic to schemes such as bribery or kickbacks)

Risk of Management's Override of Controls When considering the potential for management's override of controls, the fraud risk assessment team should keep in mind that:

  • Management within the organization generally knows the controls and standard operating procedures that are in place to prevent fraud
  • Individuals who are intent on committing fraud might use their knowledge of the organization's controls to do so in a manner that will conceal their actions

Population of Fraud Risks The fraud risk identification process requires an understanding of the universe of fraud risks and the subset of risks that apply to a particular organization. It includes gathering information about the business itself, including its business processes, industry, and operating environment, as well as all associated potential fraud risks. Such information can be obtained from external sources—such as industry news outlets; criminal, civil, and regulatory complaints and settlements; and professional organizations and associations—and from internal sources by interviewing and brainstorming with personnel, reviewing complaints on the whistleblower hotline, and performing analytical procedures.

Fraud risks can be classified according to the three major categories of occupational fraud: financial statement fraud, asset misappropriation, and corruption.

Financial Statement Fraud Potential risks related to fraudulent financial reporting include:

  • Inappropriately reported revenues, expenses, or both
  • Inappropriately reflected balance sheet amounts, including reserves
  • Inappropriately improved or masked disclosures
  • Concealed misappropriation of assets
  • Concealed unauthorized receipts, expenditures, or both
  • Concealed unauthorized acquisition, use, or disposition of assets

Asset Misappropriations Potential asset misappropriation risks include misappropriation of:

  • Tangible assets
  • Intangible assets
  • Proprietary business opportunities

Corruption Potential corruption risks include:

  • Payment of bribes or gratuities to companies, private individuals, or public officials
  • Receipt of bribes, kickbacks, or gratuities
  • Aiding and abetting of fraud by outside parties, such as customers or vendors

Certain other types of risks that can affect or be affected by each of the major areas of fraud risks include regulatory and legal misconduct, reputation risk, and risk to information technology.

Regulatory and Legal Misconduct Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft of competitor trade secrets, anticompetitive practices, environmental violations, and trade and customs regulations in areas of import and export. Depending on the particular organization and the nature of its business, some or all of these risks may be applicable and should be considered in the fraud risk assessment process.

Reputation Risk Reputation risk must be considered as part of the organization's risk assessment process because fraudulent acts can damage an organization's reputation with customers, suppliers, capital markets, and others. For example, fraud leading to a financial restatement can damage an organization's reputation in capital markets, which can increase the organization's cost of borrowing and depress its market capitalization.

Risk to Information Technology Information technology (IT) is a critical component of fraud risk assessment. Organizations rely on IT to conduct business, communicate, and process financial information. A poorly designed or inadequately controlled IT environment can expose an organization to threats to data integrity, threats from malicious security system crackers, and theft of financial and sensitive business information. Whether in the form of hacking, economic espionage, Web defacement, sabotage of data, viruses, or unauthorized access to data, IT fraud risks can result in significant financial and information losses.

Assessing the Likelihood of Occurrence of the Identified Fraud Risks

Assessing the likelihood of each potential fraud risk is a subjective process that enables the organization to manage its fraud risks and apply preventive and detective controls rationally. The fraud risk assessment team should first consider fraud risks to the organization on an inherent basis, without consideration of known controls. By approaching the assessment in this manner, the team will be better able to consider all relevant fraud risks and then evaluate and design controls to address those risks.

The likelihood of occurrence of each fraud risk can be classified as remote, reasonably possible, or probable. The fraud risk assessment team should consider the following factors in assessing the likelihood of occurrence of each fraud risk:

  • Past instances of the particular fraud at the organization
  • Prevalence of the fraud risk in the organization's industry
  • Internal control environment of the organization
  • Resources available to address fraud
  • Support of fraud prevention efforts by management
  • Ethical standards of the organization
  • Number of individual transactions involved
  • Complexity of the fraud risk
  • Number of people involved in reviewing or approving a relevant process
  • Unexplained losses
  • Complaints by customers or vendors
  • Information from fraud surveys, such as the ACFE's Report to the Nations on Occupational Fraud & Abuse

Assessing the Significance to the Organization of the Fraud Risks

The fraud risk assessment team should consider qualitative and quantitative factors when assessing the significance of identified fraud risks to the organization. For example, a particular fraud risk that might only pose an immaterial direct financial risk to the organization but that could greatly affect its reputation would be deemed a significant risk to the organization.

The significance of each potential fraud can be classified as immaterial, significant, or material. In assessing the significance of each fraud risk, the fraud risk assessment team should consider the following factors:

  • Financial statement and monetary significance
  • Financial condition of the organization
  • Value of the threatened assets
  • Criticality of the threatened assets to the organization
  • Revenue generated by the threatened assets
  • Significance to the organization's operations, brand value, and reputation
  • Criminal, civil, and regulatory liabilities

Evaluating Which People and Departments Are Most Likely to Commit Fraud and Identifying the Methods They Are Likely to Use

In identifying potential fraud risks, the risk assessment team will have evaluated the incentives and pressures on individuals and departments to commit fraud. The team should use the information gained in that process to identify the individuals and departments most likely to commit fraud and the methods they are likely to use. This knowledge will assist the organization in tailoring its fraud risk response, including establishing appropriate segregation of duties, proper review and approval chains of authority, and proactive fraud auditing procedures.

Identifying and Mapping Existing Preventive and Detective Controls to the Relevant Fraud Risks

After identifying and assessing fraud risks for likelihood of occurrence and for significance, the fraud risk assessment team should identify and map existing preventive and detective controls to the relevant fraud risks.

Preventive Controls Preventive controls, which are intended to prevent fraud before it occurs, include:

  • Bringing awareness to personnel throughout the organization of the fraud risk management program in place
  • Performing background checks on employees (where permitted by law)
  • Hiring competent personnel and providing them with antifraud training
  • Conducting exit interviews
  • Implementing policies and procedures
  • Segregating duties
  • Ensuring proper alignment between an individual's authority and his level of responsibility
  • Reviewing third-party and related-party transactions

Detective Controls Detective controls, which are intended to detect fraud if it does occur, include:

  • Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline
  • Implementing proactive controls for the fraud detection process, such as reconciliations, independent reviews, physical inspections/counts, analysis, and audits
  • Implementing proactive fraud detection procedures, such as data analysis and continuous auditing techniques
  • Performing surprise audits

Evaluating Whether the Identified Controls Are Operating Effectively and Efficiently

The fraud risk assessment team must ensure that there are adequate controls in place, that the controls are mitigating fraud risk as intended, and that the benefit of the controls exceeds the cost. Such an assessment requires:

  • Review of the accounting policies and procedures in place
  • Consideration of the risk of management's override of controls
  • Interviews with management and employees
  • Observation of control activities
  • Sample testing of controls compliance
  • Review of previous audit reports
  • Review of previous reports on fraud incidents, shrinkage, and unexplained shortages

Identifying and Evaluating Residual Fraud Risks Resulting from Ineffective or Nonexistent Controls

Consideration of the internal control structure might reveal certain residual fraud risks, including management's override of established controls that have not been adequately mitigated due to:

  • Lack of appropriate prevention and detection controls
  • Noncompliance with established prevention and control measures

The fraud risk assessment team should evaluate these residual fraud risks for likelihood and significance of occurrence when developing the fraud risk response.

ADDRESSING THE IDENTIFIED FRAUD RISKS

Establishing an Acceptable Level of Risk

Because it is neither practical nor cost-effective for an organization to eliminate all fraud risk, management must establish an acceptable level of fraud risk based on the business objectives and risk tolerance of the organization. In responding to fraud risks identified during the fraud risk assessment, management must determine how the fraud risks affect business objectives and, using cost/benefit analysis, decide where to best allocate resources for fraud prevention and detection.

Ranking and Prioritizing Risks

Once risks are identified, they need to be prioritized. There are two basic frameworks for prioritizing risk:

  • Estimating the likely cost of a risk
  • Using a quadrant graph, called a heat map, to identify those risks that are both likely and significant

Estimating Likely Cost of a Risk Estimating the likely cost of a risk involves determining a quantitative value for the expected loss based on the risk's potential cost and likelihood of occurrence. Both of these factors are estimates—and are far from objective—but by engaging in a process to estimate and quantify these elements of risk, an organization can prioritize its risks from the highest to lowest expected cost and focus on the outcomes that would be the most expensive.

Under this model, Risk = Likelihood × Cost.

Consider the following risk scenarios:

  1. Risk of lost business and reputation damage from a disruption in data processing:

    Likely cost (in lost revenue) = $100,000

    Likelihood of occurrence = 2%

    Potential loss = $2,000 (2% × $100,000)

  2. Risk of lost revenues from losing a major client:

    Likely cost (in lost revenue) = $500,000

    Likelihood of occurrence = 15%

    Potential loss = $75,000 (15% × $500,000)

  3. Risk of employee embezzlement:

    Likely cost = $150,000

    Likelihood of occurrence = 7%

    Potential loss = $10,500 (7% × $150,000)

This analysis could then be used to rank these three risks by listing them from highest to lowest potential loss:

Risk                        Potential Loss
Loss of a major client             $75,000
Employee embezzlement              $10,500
Data process disruption             $2,000

Based on this listing, the assessment team would be equipped with an awareness of the most expensive losses and could allocate their compliance resources accordingly to mitigate, share, or abandon the highest cost risks.

Plotting Risks on a Heat Map With a heat map, such as the one in Exhibit 14-2, the risk assessment team seeks to focus its attention on those risks that are both likely and significant. The risk assessment team goes through the list of risks and places each in a quadrant of the heat map based on its assessed significance and likelihood. The follow-on analysis prioritizes those risks that are in the dark and light grey areas.

EXHIBIT 14-2 Example Heat Map Reflecting Fraud Risks
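As an added illustration (not code from the chapter or from the ACFE tool), the following Python puts the two prioritization frameworks side by side: it ranks the chapter's three scenarios by expected loss under Risk = Likelihood × Cost, and it places each on a likelihood/significance heat map. The dollar figures and percentages are the chapter's; the qualitative ratings assigned to the scenarios and the thresholds that define the dark grey, light grey, and white zones are assumptions made for this example.

```python
"""Prioritizing fraud risks by expected loss and by heat-map position.

Added example of the two prioritization frameworks described in the chapter:
Risk = Likelihood x Cost, and a heat map of qualitative likelihood against
significance. The dollar figures and percentages are the chapter's three
scenarios; the qualitative ratings given to them and the heat-map zone
thresholds are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Likelihood(Enum):
    """The chapter's three likelihood classifications."""
    REMOTE = 1
    REASONABLY_POSSIBLE = 2
    PROBABLE = 3


class Significance(Enum):
    """The chapter's three significance classifications."""
    IMMATERIAL = 1
    SIGNIFICANT = 2
    MATERIAL = 3


@dataclass(frozen=True)
class FraudRisk:
    name: str
    likely_cost: float           # estimated loss if the risk materializes
    probability: float           # estimated likelihood of occurrence, 0.0..1.0
    likelihood: Likelihood       # qualitative rating used on the heat map
    significance: Significance   # qualitative rating used on the heat map

    def expected_loss(self) -> float:
        """Quantitative model from the chapter: Risk = Likelihood x Cost."""
        return round(self.probability * self.likely_cost, 2)


def rank_by_expected_loss(risks):
    """Framework 1: (name, expected loss) pairs from highest to lowest."""
    return sorted(((r.name, r.expected_loss()) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


def heat_map_zone(risk):
    """Framework 2: place a risk in a heat-map zone.

    Assumed zoning: the sum of the two 1..3 ratings is 5 or 6 -> "dark grey",
    4 -> "light grey", otherwise "white". The grey zones hold the risks that
    are both likely and significant enough to warrant follow-on analysis.
    """
    score = risk.likelihood.value + risk.significance.value
    if score >= 5:
        return "dark grey"
    if score == 4:
        return "light grey"
    return "white"


def prioritize(risks):
    """Names of the grey-zone risks, dark grey first, then by expected loss."""
    order = {"dark grey": 0, "light grey": 1}
    grey = [r for r in risks if heat_map_zone(r) in order]
    grey.sort(key=lambda r: (order[heat_map_zone(r)], -r.expected_loss()))
    return [r.name for r in grey]


# The chapter's three scenarios; the Likelihood/Significance ratings are assumed.
SCENARIOS = [
    FraudRisk("Data processing disruption", 100_000, 0.02,
              Likelihood.REMOTE, Significance.SIGNIFICANT),
    FraudRisk("Loss of a major client", 500_000, 0.15,
              Likelihood.REASONABLY_POSSIBLE, Significance.MATERIAL),
    FraudRisk("Employee embezzlement", 150_000, 0.07,
              Likelihood.REASONABLY_POSSIBLE, Significance.SIGNIFICANT),
]

if __name__ == "__main__":
    for name, loss in rank_by_expected_loss(SCENARIOS):
        print(f"{name:<28} ${loss:>12,.2f}")
    for r in SCENARIOS:
        print(f"{r.name:<28} {heat_map_zone(r)}")
    print("Follow-on analysis:", prioritize(SCENARIOS))
```

Under these assumed ratings the two frameworks agree on the top risk but differ in what they drop: the expected-loss ranking keeps all three, while the heat map sets aside the data processing disruption as white.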

Responding to Residual Fraud Risks

Regardless of the framework used to conduct the fraud risk assessment, management will need to address the identified risks to ensure that the organization is within its established tolerance level for fraud risk. Larry Cook, CFE, principal author of the ACFE Fraud Risk Assessment Tool (located in Appendix C), suggests that management can use one, or a combination, of the following approaches to respond to the organization's residual fraud risks:

  • Avoid the risk
  • Transfer the risk
  • Mitigate the risk
  • Assume the risk3

Avoid the Risk Management may decide to avoid the risk by eliminating an asset or exiting an activity if the control measures required to protect the organization against an identified threat are too expensive. For example, a multinational conglomerate might choose not to conduct business in countries with a very poor ranking on the Transparency International Corruption Perception Index. This approach requires the fraud risk assessment team to complete a cost-benefit analysis of the value of the asset or activity to the organization compared to the cost of implementing measures to protect the asset or activity.

Transfer the Risk Management may transfer some or all of the risk by purchasing fidelity insurance or a fidelity bond. For example, a financial institution, as part of its vendor management program, might require its outside systems analysts to have in place third-party fidelity coverage before allowing them to do work for the financial institution. The cost to the organization is the premium paid for the insurance or bond. The covered risk of loss is then transferred to the insurance company.

Mitigate the Risk Management can mitigate the risk by implementing appropriate countermeasures, such as prevention and detection controls. An example of this is an accounting system in which managers responsible for authorizing or reviewing transactions are provided with read-only access, thus restricting them from entering data or reconciling accounts. The fraud risk assessment team should evaluate each countermeasure to determine whether it is cost-effective and reasonable given the probability of occurrence and impact of loss.

Assume the Risk Management may choose to assume the risk if it determines that the probability of occurrence and impact of loss are low. Management may decide that it is more cost-effective to assume the risk than it is to eliminate the asset or exit the activity, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.

Combination Approach Management may also elect a combination of these approaches. For example, if the probability of occurrence and impact of loss are high, management may decide to transfer part of the risk through the purchase of insurance, as well as to implement preventive and detective controls to mitigate the risk.

REPORTING THE RESULTS OF THE FRAUD RISK ASSESSMENT

The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organization then does with those results. A poorly communicated report can undermine the entire process and bring all established momentum to a halt. The report should be delivered in the style most suited to the language of the business.

Considerations When Reporting the Assessment Results

To maximize the effectiveness of the fraud risk assessment process, the team should remember several key points when developing the report of the results.

Report Objective–Not Subjective–Results Much instinct and judgment goes into performing the fraud risk assessment. When reporting the results of the assessment, the team must stick to the facts and keep all opinions and biases out of the report. A report that is peppered with the assessment team's subjective perspective will dilute, and potentially undermine, the results of the work.

Keep It Simple The assessment results should be reported in a way that is easy to understand and that resonates with management. The reader of the report should be able to quickly view and comprehend the results. A simple one-page visual can sometimes have the greatest effect.

Focus on What Really Matters Less is often more when it comes to reporting the results of the fraud risk assessment. The team should take care not to turn the report into a laundry list of things that management will have to sort through and prioritize. Instead, the report should be presented in a way that focuses on what really matters, clearly highlighting those points that are most important and that will make the most impact on the organization's fraud risk management efforts.

Identify Actions That Are Clear and Measurable The report should include key recommendations for action that are clear and measurable and that will decrease fraud risks. The actions should be presented in a way that makes apparent exactly what needs to be done. The report should not include recommendations that are vague or that wouldn't reduce the risk of fraud. Additionally, management and those affected by the suggested actions should have vetted and agreed to the recommendations.

MAKING AN IMPACT WITH THE FRAUD RISK ASSESSMENT

To make the most of the fraud risk assessment process, management should not see the final report as the end of the process. The true value of a fraud risk assessment lies in how effectively and extensively management uses the results in its ongoing antifraud efforts.

Beginning a Dialogue across the Company

The results of the initial fraud risk assessment can be used to begin a dialogue across the company that promotes awareness, education, and action planning aimed at reducing the risk of fraud. Engaging in an active dialogue is an effective way to further establish boundaries of acceptable and unacceptable behavior. Open communication about fraud risks also increases the chance that employees will come forward if they believe they have witnessed potential fraud.

Looking for Fraud in High-Risk Areas

An internal audit or investigative team within the organization can use the results of the fraud risk assessment to identify high-risk processes or activities and unusual transactions that might indicate fraud. This practice can also provide some reassurance if the subsequent search for fraud reveals that, despite the assessed risk, fraud does not appear to be occurring at that point in time. Management should remember, however, that just because there is no evidence that fraud is occurring in the present, the risk that it could occur is not eliminated.

Holding Responsible Parties Accountable for Progress

It is often said that what gets measured gets done. To effectively reduce identified fraud risk, management must hold employees accountable for driving results. The organization should track and measure progress against agreed-upon action plans. Publicly celebrating successes can be as effective, or even more effective, at encouraging the right behaviors as at providing negative consequences for failing to deliver results.

Keeping the Assessment Alive and Relevant

Because there are so many factors that can affect an organization's vulnerability to fraud risk, management must ensure that the fraud risk assessment stays current and relevant. Someone within the organization should be assigned ownership of the fraud risk assessment process. That person or team should build processes to ensure that all changes in the business model, company operating environment, and personnel are considered relative to their impact on the company's risk of fraud.

Monitor Key Controls

At the culmination of a fraud risk assessment, the organization should have a clear view of both the areas where the organization is susceptible to fraud and the controls that are designed and implemented to address those weak spots. To effectively manage the identified fraud risks, management should use the results of the fraud risk assessment to monitor the performance of key internal controls. Such proactive attention will allow the identification and correction of deficiencies in control design or operation as quickly as possible.

THE FRAUD RISK ASSESSMENT AND THE AUDIT PROCESS

The fraud risk assessment should play a significant role in informing and influencing the audit process. In addition to being used in the annual audit planning process, the fraud risk assessment should drive thinking and awareness in the development of audit programs for areas that have been identified as having a moderate to high risk of fraud. Although auditors should always be on guard for indicators of fraud risk, the results of the fraud risk assessment can help them design audit programs and procedures in a way that enables them to look for fraud in known areas of high risk.

In the course of their work, auditors should validate that the organization is appropriately managing the moderate to high fraud risks identified in the fraud risk assessment by:

  • Identifying and mapping the existing preventive and detective controls that pertain to the moderate to high fraud risks identified in the fraud risk assessment
  • Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently
  • Identifying within the moderate to high fraud risk areas whether there is a moderate to high risk of management override of internal controls
  • Developing and delivering reports that incorporate the results of their validation and testing of the fraud risk controls

The template in Exhibit 14-3 can be used by auditors to evaluate how effectively the moderate to high fraud risks are being managed by the business.

Fraud Risk Assessment Tool

The ACFE's Fraud Risk Assessment Tool, located in Appendix C, can be used to identify an organization's vulnerabilities to fraud, either during the audit process or as a stand-alone assessment. The Fraud Risk Assessment Tool consists of fifteen modules, each containing a series of questions designed to help organizations focus on specific areas of risk.

EXHIBIT 14-3 Template for Evaluating Management of Fraud Risks

SUMMARY

Stakeholders expect management to be prudent when it comes to protecting a business. Since no company is immune to fraud risk, all companies' antifraud programs should include ongoing, continuous fraud risk assessments to proactively identify and address vulnerabilities to internal and external fraud. The fraud risk assessment process begins with the identification and prioritization of fraud risks, but evolves as the results of that identification and prioritization drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.

A good fraud risk assessment is dependent upon several factors, including the right sponsor, collaboration between management and auditors, the independence and objectivity of those leading and conducting the work, and the assessors' solid working knowledge of the business. Customization, simplicity, and proper packaging are also critical to the effectiveness of the fraud risk assessment. In order to properly prepare for a fraud risk assessment, management must assemble the right team to lead and conduct the assessment, determine the best techniques to use in conducting the assessment, obtain the sponsor's agreement on the work to be performed, educate the employees, and openly promote the process.

A company may find it useful to incorporate its fraud risk assessment strategy into a framework—a helpful tool for performing, evaluating, and reporting the results of the fraud risk assessment. Using one sample framework, the fraud risk assessment team begins with a list of identified fraud risks, which are assessed for relative likelihood and significance of occurrence. Next, the risks are mapped to people and departments impacted and to relevant controls. Subsequently, the relevant controls are evaluated for design effectiveness and are tested to validate their operating effectiveness. Lastly, residual risks are identified and a fraud risk response is developed to address them. In responding to a residual fraud risk, management may choose to avoid, transfer, mitigate, or assume the risk, or some combination thereof. Management's response will depend on factors that include the likelihood and significance of the risk and the cost-effectiveness of the approach.

The success of the fraud risk assessment hinges on management's effectiveness in reporting the results of the assessment and using them in its ongoing antifraud efforts. Management's report should be objective, simple, and focused on important areas, and should include key recommendations for action. By sharing the results of the assessment with auditors, management can assist the auditors in designing audit programs and procedures that detect fraud in high-risk areas. To ensure continued success in reducing fraud risk, management should use the results of the assessment to promote open communication throughout the company about fraud risk, identify high-risk areas, and hold responsible parties accountable for progress.

ESSENTIAL TERMS

Fraud risk The vulnerability that an organization has to those capable of overcoming the three elements of the fraud triangle: motive, opportunity, and rationalization.

Preventive controls Manual or automated processes designed to stop an undesirable event from occurring.

Detective controls Manual or automated processes designed to identify an undesirable event that has already occurred.

Fraud risk assessment A process aimed at proactively identifying and addressing an organization's vulnerabilities to internal and external fraud.

Fraud risk assessment framework A tool used in performing, evaluating, and reporting the results of a fraud risk assessment that enables fraud risk to be analyzed and reported both qualitatively and quantitatively.

Inherent fraud risks Fraud risks that a company faces in the absence of any attempts—such as internal controls—to mitigate them.

Residual fraud risks Fraud risks that remain after attempts to mitigate them, usually as the result of ineffective or nonexistent controls.

Heat map A quadrant graph that provides a visual representation of the likelihood and significance of an organization's fraud risks.

REVIEW QUESTIONS

14-1 (Learning objective 14-1) What are four factors that influence the level of fraud risk faced by an organization?

14-2 (Learning objective 14-2) What is the difference between preventive controls and detective controls?

14-3 (Learning objective 14-3) What is the objective of a fraud risk assessment?

14-4 (Learning objective 14-4) What can an effective fraud risk assessment help management to accomplish?

14-5 (Learning objective 14-5) What characteristics constitute a good fraud risk assessment?

14-6 (Learning objective 14-6) What are three considerations for developing an effective fraud risk assessment?

14-7 (Learning objective 14-7) What can management do to prepare a company for a fraud risk assessment?

14-8 (Learning objective 14-8) What steps are involved in conducting a fraud risk assessment using the sample framework discussed in the chapter?

14-9 (Learning objective 14-9) Describe four approaches for responding to an organization's residual fraud risks.

14-10 (Learning objective 14-10) What are four important considerations to keep in mind when reporting the fraud risk assessment results?

14-11 (Learning objective 14-11) What actions can management take to make the most impact with the fraud risk assessment?

14-12 (Learning objective 14-12) How can a fraud risk assessment inform and influence the audit process?

DISCUSSION ISSUES

14-1 (Learning objective 14-1) How is fraud risk influenced by a company's internal control? How is fraud risk influenced by a company's ethics, values, and expectations?

14-2 (Learning objective 14-6) Why is it important that management and auditors collaborate on a fraud risk assessment?

14-3 (Learning objective 14-6) What qualities and characteristics should be considered when choosing a sponsor for a fraud risk assessment?

14-4 (Learning objective 14-6) Green is an internal auditor and the lead on the company's fraud risk assessment. In the past, he and Blue, an accounts receivable clerk, have had several heated disagreements over accounting procedures. What risk would Green be taking by having Blue perform the fraud risk assessment work related to the accounts receivable department's activities? How might this risk be best addressed?

14-5 (Learning objective 14-7) Who should be included on a fraud risk assessment team?

14-6 (Learning objective 14-8) What topics should be discussed in identifying fraud risks that could apply to the organization?

14-7 (Learning objective 14-8) What risks related to each of the three primary categories of fraud should the fraud risk assessment team consider?

14-8 (Learning objective 14-8) What risks should the fraud risk assessment team consider in addition to the specific risks related to each of the three primary categories of fraud?

14-9 (Learning objective 14-9) When might an organization choose to avoid a risk rather than assuming, transferring, or mitigating it?

ENDNOTES

1. The Institute of Internal Auditors, American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide, 2008.

2. The Institute of Internal Auditors, American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners, p. 21.

3. Larry E. Cook, “Risky Business: Conducting the Internal Fraud Risk Assessment,” Fraud Magazine, March/April 2005, Austin, TX: ACFE.
