Page 1: Fraud Risk Management

Fraud Risk Assessment, Part 2

© 2020 Association of Certified Fraud Examiners, Inc.

Page 2: Fraud Risk Assessment Framework

▪ Frameworks are helpful for performing, evaluating, and reporting the results of the fraud risk assessment.
▪ Specific needs and the culture of the organization must be considered and accounted for.

Page 3: Fraud Risk Assessment Framework

1. Identify potential inherent fraud risks and schemes.
2. Assess the likelihood of identified inherent fraud risks.
3. Assess the impact of identified inherent fraud risks.
4. Evaluate which people and departments are most likely to commit fraud.

Page 4: Fraud Risk Assessment Framework

5. Identify and map existing controls to relevant fraud risks.
6. Evaluate whether the identified controls are operating effectively and efficiently.
7. Identify, evaluate, and respond to residual fraud risks that need to be mitigated.

Page 5: Fraud Risk Assessment Framework

Assessment worksheet columns:
▪ Identified Fraud Risks and Schemes
▪ Likelihood
▪ Impact
▪ Personnel/Departments Involved
▪ Existing Fraud Control Activities
▪ Effectiveness of Existing Control Activities
▪ Residual Fraud Risks
▪ Fraud Risk Responses

Worksheet rows (risk categories):
▪ Financial Reporting
▪ Asset Misappropriation
▪ Corruption and Illegal Acts
▪ External Risks
▪ Other Risks

Page 6: Step 1: Identify Potential Inherent Risks

▪ Use knowledge gathered from:
  • Individuals throughout the entity
  • Actual frauds and fraud investigations
  • External sources
▪ To brainstorm:
  • Incentives, pressures, and opportunities for fraud
  • Risk of management's override of controls
  • Population of internal and external fraud risks
  • Risk of regulatory and legal misconduct
  • Reputation risk (as byproduct of fraud risk)

Page 7: The Fraud Tree

Page 8: Step 2: Assess the Likelihood of Identified Risks

▪ A subjective process that allows management to apply preventive and detective controls rationally. One of the most difficult steps.
▪ Two common approaches:
  • The probability that the fraud will be attempted
  • The frequency with which a fraud risk will occur
▪ Usually assessed using a scale:
  • Can be qualitative or quantitative

Page 9: Step 2: Assess the Likelihood of Identified Risks

Likelihood rating scale (two alternative bases):

Rating  Based on annual frequency                    Based on annual probability of occurrence
5       Very frequent: >20 times per year            Almost certain: >90% chance of occurrence
4       Frequent: 6 to 20 times per year             Likely: 65% to 90% chance of occurrence
3       Reasonably frequent: 2 to 5 times per year   Reasonably possible: 35% to 65% chance of occurrence
2       Occasional: 1 time per year                  Unlikely: 10% to 35% chance of occurrence
1       Rare: <1 time per year                       Remote: <10% chance of occurrence

Page 10: Considerations in Assessing the Likelihood of Identified Risks

▪ Past instances of the particular fraud
▪ Prevalence of the fraud risk in the industry
▪ Internal control environment of the organization
▪ Resources available to address fraud
▪ Support of fraud prevention efforts by management
▪ Ethical standards and culture of the organization
▪ Number of individual transactions involved
▪ Number of people involved
▪ Complexity of the fraud risk
▪ Unexplained losses
▪ Complaints by customers or vendors
▪ Fraud surveys and statistics

Page 11: Considerations in Assessing the Likelihood of Identified Risks

▪ Risk trend is the direction of movement of a particular risk that impacts an organization.
  • Might be part of likelihood or might be a separate assessment factor.

Page 12: Step 3: Assess the Impact of Identified Risks

▪ As with likelihood, assess using a predetermined scale:
  • Can be qualitative or quantitative
▪ Need to consider both financial and nonfinancial factors

Page 13: Step 3: Assess the Impact of Identified Risks

Impact rating scale (Rating, Descriptor, Definition):

5 Catastrophic
  • Financial loss to company is in excess of $10 million
  • International long-term media coverage
  • Widespread employee morale issues; multiple senior leaders leave
  • Incident must be reported to authorities and significant sanctions and financial penalties result

4 Major
  • Financial loss to company is between $100,000 and $10 million
  • National long-term media coverage
  • Widespread employee morale problems and turnover
  • Incident must be reported to authorities and sanctions against company result

3 Moderate
  • Financial loss to company is between $10,000 and $100,000
  • Short-term regional or national media coverage
  • Widespread employee morale problems
  • Incident must be reported to authorities and immediate corrective action is necessary

2 Minor
  • Financial loss to company is between $1,000 and $10,000
  • Limited local media coverage
  • General employee morale problems
  • Incident is reportable to authorities, but no follow-up

1 Incidental
  • Financial loss to company is less than $1,000
  • No media coverage
  • Isolated employee dissatisfaction
  • Event does not need to be reported to authorities

Page 14: Considerations in Assessing the Impact of Identified Risks

▪ Financial statement and monetary impact
▪ Financial condition of the organization
▪ Value of the threatened assets
▪ Criticalness of the threatened assets
▪ Revenue generated by the threatened assets
▪ Impact on operations, brand value, and reputation
▪ Financial damages caused to employees or third parties
▪ Criminal, civil, and regulatory liabilities
▪ Requirements to report fraud to governmental authorities
▪ Reputational damage among stakeholders
▪ Adverse media coverage
▪ Competitive advantages to competing companies
▪ Decline in employee morale
▪ Lost productivity
▪ Loss of key staff
▪ Data loss
▪ Work stoppages
▪ Time and resources spent investigating and following up

Page 15: Considerations in Assessing the Impact of Identified Risks

▪ Risk velocity is the speed with which a particular risk occurs.
  • It might be part of impact or it might be a separate assessment factor.

Page 16: Step 4: Evaluate Who Is Most Likely to Commit Fraud

▪ Use the assessment of incentives and pressures to identify individuals and departments most likely to commit fraud.

Page 17: Step 5: Identify and Map Existing Controls to Inherent Risks

▪ Preventive versus detective
▪ General versus process-specific
▪ Reference specific policy or procedure that supports the control

Page 18: Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently

▪ Review accounting policies and procedures.
▪ Consider the risk of override.
▪ Interview management and employees.
▪ Observe control activities.
▪ Test samples of transactions for compliance.
▪ Conduct transaction walk-throughs.
▪ Review previous audit reports.
▪ Review previous reports on fraud incidents, shrinkage, and unexplained shortages.

Page 19: Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently

▪ If the assessment team does not perform controls testing, it needs to gain an understanding of:
  • Timing—When was the last time the relevant controls were formally tested?
  • Extent—How many transactions were tested and which attributes of the internal controls were tested?
  • Results—Were deviations from expected internal controls discovered?

Page 20: Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently

Control risk rating  Description
5                    Very effective—reduces 81–100% of the risk
4                    Effective—reduces 61–80% of the risk
3                    Moderately effective—reduces 41–60% of the risk
2                    Marginally effective—reduces 21–40% of the risk
1                    Not effective—reduces 20% or less of the risk

Page 21: Step 7: Measure Residual Fraud Risks

▪ Identify residual fraud risks that have not been adequately mitigated due to:
  • Lack of appropriate controls
  • Noncompliance with established control measures
▪ Evaluate the likelihood and impact of these residual risks.

Page 22: Addressing the Identified Fraud Risks

▪ Establish an acceptable level of risk to use as a basis for response (management).
▪ Rank and prioritize identified risks.
  • Estimate the likely cost of each risk.
  • Use a heat map.

Page 23: Estimating Likely Cost of a Risk

Likely cost is the likelihood of occurrence multiplied by the potential loss; risks are then ranked by likely cost.

Risk: Risk of lost business and reputation damage from a disruption in data processing
  Potential loss: $100,000 (lost revenue)
  Likelihood of occurrence: 2%
  Likely cost: $2,000 (2% x $100,000)
  Rank: 3

Risk: Risk of lost revenues from losing a major client
  Potential loss: $500,000 (lost revenue)
  Likelihood of occurrence: 15%
  Likely cost: $75,000 (15% x $500,000)
  Rank: 1

Risk: Risk of employee embezzlement
  Potential loss: $150,000
  Likelihood of occurrence: 7%
  Likely cost: $10,500 (7% x $150,000)
  Rank: 2
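A worked version of the likely-cost estimate above, which also applies the likelihood scale from Step 2, the impact scale from Step 3 and the control-effectiveness scale from Step 6 to place each risk in a heat-map cell and derive a residual figure. This is example code added here, not ACFE material or code from the slides. The three risks and their dollar and percentage figures are the slide's own; the rating bands are the slide tables. Two things are this example's assumptions: a value sitting exactly on a band boundary takes the higher rating (the slides do not say which way ties fall), and `residual_likely_cost()` scales the likely cost by the share of risk a control removes (the slides give the control scale but no formula).

```python
"""Likely-cost ranking and heat-map placement for fraud risks (editor's example)."""
from dataclasses import dataclass

# Each scale: (inclusive lower bound, rating, descriptor), highest band first.
# Tie rule (assumption): a value exactly on a boundary takes the higher rating.

# Annual probability of occurrence in percent -> likelihood rating (Step 2 table).
LIKELIHOOD_SCALE = [
    (90, 5, "Almost certain"),
    (65, 4, "Likely"),
    (35, 3, "Reasonably possible"),
    (10, 2, "Unlikely"),
    (0, 1, "Remote"),
]
# Financial loss in dollars -> impact rating (Step 3 table, financial criterion
# only; the nonfinancial criteria on that slide are not modelled here).
IMPACT_SCALE = [
    (10_000_000, 5, "Catastrophic"),
    (100_000, 4, "Major"),
    (10_000, 3, "Moderate"),
    (1_000, 2, "Minor"),
    (0, 1, "Incidental"),
]
# Percent of the risk a control removes -> control risk rating (Step 6 table).
CONTROL_SCALE = [
    (81, 5, "Very effective"),
    (61, 4, "Effective"),
    (41, 3, "Moderately effective"),
    (21, 2, "Marginally effective"),
    (0, 1, "Not effective"),
]


def rate(value, scale):
    """Return (rating, descriptor) of the first band whose lower bound the value reaches."""
    if value < 0:
        raise ValueError(f"cannot rate a negative value: {value!r}")
    for lower, rating, descriptor in scale:
        if value >= lower:
            return rating, descriptor
    raise AssertionError("scale must end with a zero lower bound")


@dataclass
class FraudRisk:
    name: str
    potential_loss: float   # dollars at stake if the fraud occurs ("Potential loss")
    probability_pct: float  # annual probability of occurrence, in percent

    @property
    def likely_cost(self) -> float:
        """Likely cost = likelihood of occurrence x potential loss, as on the slide."""
        return self.potential_loss * self.probability_pct / 100


def rank_by_likely_cost(risks):
    """Highest likely cost first; (rank, risk) pairs matching the slide's Rank column."""
    ordered = sorted(risks, key=lambda r: r.likely_cost, reverse=True)
    return list(enumerate(ordered, start=1))


def heat_map_cell(risk):
    """(likelihood rating, impact rating): the cell the risk occupies on a 5x5 heat map."""
    likelihood, _ = rate(risk.probability_pct, LIKELIHOOD_SCALE)
    impact, _ = rate(risk.potential_loss, IMPACT_SCALE)
    return likelihood, impact


def residual_likely_cost(risk, control_reduction_pct):
    """Assumed model (not from the slides): existing controls remove
    control_reduction_pct of the risk, so the residual likely cost evaluated in
    Step 7 is the remainder. Returns (control risk rating, residual likely cost)."""
    rating, _ = rate(control_reduction_pct, CONTROL_SCALE)
    return rating, risk.likely_cost * (1 - control_reduction_pct / 100)


def render_heat_map(risks):
    """Plain-text 5x5 grid, impact 5 (top) to 1, likelihood 1 (left) to 5;
    each cell lists the ranks of the risks that fall in it, '.' when empty."""
    cells = {}
    for rank, risk in rank_by_likely_cost(risks):
        cells.setdefault(heat_map_cell(risk), []).append(str(rank))
    lines = ["impact \\ likelihood " + " ".join(f"{l:>4}" for l in range(1, 6))]
    for impact in range(5, 0, -1):
        row = [f"{impact:>19}"]
        for likelihood in range(1, 6):
            mark = ",".join(cells.get((likelihood, impact), [])) or "."
            row.append(f"{mark:>4}")
        lines.append(" ".join(row))
    return "\n".join(lines)


# The three risks from the slide above (slide figures, not constructed values).
SLIDE_RISKS = [
    FraudRisk("Lost business and reputation damage from a disruption in data processing", 100_000, 2),
    FraudRisk("Lost revenues from losing a major client", 500_000, 15),
    FraudRisk("Employee embezzlement", 150_000, 7),
]

if __name__ == "__main__":
    for rank, risk in rank_by_likely_cost(SLIDE_RISKS):
        print(f"{rank}. {risk.name}: likely cost ${risk.likely_cost:,.0f}, cell {heat_map_cell(risk)}")
    print(render_heat_map(SLIDE_RISKS))
```

Ranking by likely cost reproduces the slide's order (major client, embezzlement, data processing). Note that all three risks land in impact band 4 and in likelihood bands 1 or 2, so on the heat map they cluster in the low-likelihood, high-impact corner even though their likely costs differ by more than an order of magnitude; that is why the slides pair the heat map with the likely-cost estimate rather than using either alone.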

Pages 24 to 27: Using Heat Maps (heat map figures; these four slides carry no text)

Page 28: Responding to Residual Fraud Risks

▪ Avoid the risk.
▪ Transfer the risk.
▪ Mitigate the risk.
  • Reduce the likelihood.
  • Reduce the impact.
▪ Assume the risk.
▪ Use a combination approach.

Page 29: Documenting Risk Mitigation Plans

▪ Describe new/revised internal control(s).
▪ Is the new control applicable to one or multiple fraud risks?
▪ Is it preventive or detective?
▪ What is the anticipated effect (i.e., reduction in impact and/or likelihood)?
  • Consider plotting the effect on the heat map.
▪ Who is responsible for enacting it?
▪ What is the anticipated completion date?

Page 30: Reporting the Assessment Results

▪ Report objective—not subjective—results.
▪ Keep it simple.
▪ Focus on what really matters.
▪ Identify actions that are clear and measurable.

Page 31: Making an Impact with the Fraud Risk Assessment

▪ Use the results to:
  • Begin a dialogue across the company.
  • Look for fraud in high-risk areas.
  • Hold responsible parties accountable for progress.
  • Keep the assessment process alive and relevant.
  • Modify or create the code of conduct or ethics policy.
  • Monitor key controls.
