© 2020 Association of Certified Fraud Examiners, Inc.
Fraud Risk Management
Fraud Risk Assessment, Part 2
Fraud Risk Assessment Framework
▪ Frameworks are helpful for performing, evaluating, and reporting the results of the fraud risk assessment.
▪ The specific needs and culture of the organization must be considered and accounted for.
Fraud Risk Assessment Framework
1. Identify potential inherent fraud risks and schemes.
2. Assess the likelihood of identified inherent fraud risks.
3. Assess the impact of identified inherent fraud risks.
4. Evaluate which people and departments are most likely to commit fraud.
5. Identify and map existing controls to relevant fraud risks.
6. Evaluate whether the identified controls are operating effectively and efficiently.
7. Identify, evaluate, and respond to residual fraud risks that need to be mitigated.
Fraud Risk Assessment Framework
The assessment is laid out as a matrix with one row per risk category and the following columns:
▪ Identified Fraud Risks and Schemes
▪ Likelihood
▪ Impact
▪ Personnel/Departments Involved
▪ Existing Fraud Control Activities
▪ Effectiveness of Existing Control Activities
▪ Residual Fraud Risks
▪ Fraud Risk Responses
Rows (risk categories): Financial Reporting; Asset Misappropriation; Corruption and Illegal Acts; External Risks; Other Risks.
Step 1: Identify Potential Inherent Risks
▪ Use knowledge gathered from:
• Individuals throughout the entity
• Actual frauds and fraud investigations
• External sources
▪ To brainstorm:
• Incentives, pressures, and opportunities for fraud
• Risk of management’s override of controls
• Population of internal and external fraud risks
• Risk of regulatory and legal misconduct
• Reputation risk (as a byproduct of fraud risk)
The Fraud Tree
Step 2: Assess the Likelihood of Identified Risks
▪ A subjective process that allows management to apply preventive and detective controls rationally. It is one of the most difficult steps.
▪ Two common approaches:
• The probability that the fraud will be attempted
• The frequency with which a fraud risk will occur
▪ Usually assessed using a scale:
• Can be qualitative or quantitative
Step 2: Assess the Likelihood of Identified Risks
Rating  Based on annual frequency                    Based on annual probability of occurrence
5       Very frequent: >20 times per year            Almost certain: >90% chance of occurrence
4       Frequent: 6 to 20 times per year             Likely: 65% to 90% chance of occurrence
3       Reasonably frequent: 2 to 5 times per year   Reasonably possible: 35% to 65% chance of occurrence
2       Occasional: 1 time per year                  Unlikely: 10% to 35% chance of occurrence
1       Rare: <1 time per year                       Remote: <10% chance of occurrence
Considerations in Assessing the Likelihood of Identified Risks
▪ Past instances of the particular fraud
▪ Prevalence of the fraud risk in the industry
▪ Internal control environment of the organization
▪ Resources available to address fraud
▪ Support of fraud prevention efforts by management
▪ Ethical standards and culture of the organization
▪ Number of individual transactions involved
▪ Number of people involved
▪ Complexity of the fraud risk
▪ Unexplained losses
▪ Complaints by customers or vendors
▪ Fraud surveys and statistics
Considerations in Assessing the Likelihood of Identified Risks
▪ Risk trend is the direction of movement of a particular risk that impacts an organization.
• It might be part of likelihood or might be a separate assessment factor.
Step 3: Assess the Impact of Identified Risks
▪ As with likelihood, assess using a predetermined scale:
• Can be qualitative or quantitative
▪ Need to consider both financial and nonfinancial factors
Step 3: Assess the Impact of Identified Risks
Rating  Descriptor    Definition
5       Catastrophic
        • Financial loss to company is in excess of $10 million
        • International long-term media coverage
        • Widespread employee morale issues; multiple senior leaders leave
        • Incident must be reported to authorities and significant sanctions and financial penalties result
4       Major
        • Financial loss to company is between $100,000 and $10 million
        • National long-term media coverage
        • Widespread employee morale problems and turnover
        • Incident must be reported to authorities and sanctions against company result
3       Moderate
        • Financial loss to company is between $10,000 and $100,000
        • Short-term regional or national media coverage
        • Widespread employee morale problems
        • Incident must be reported to authorities and immediate corrective action is necessary
2       Minor
        • Financial loss to company is between $1,000 and $10,000
        • Limited local media coverage
        • General employee morale problems
        • Incident is reportable to authorities, but no follow-up
1       Incidental
        • Financial loss to company is less than $1,000
        • No media coverage
        • Isolated employee dissatisfaction
        • Event does not need to be reported to authorities
Considerations in Assessing the Impact of Identified Risks
▪ Financial statement and monetary impact
▪ Financial condition of the organization
▪ Value of the threatened assets
▪ Criticalness of the threatened assets
▪ Revenue generated by the threatened assets
▪ Impact on operations, brand value, and reputation
▪ Financial damages caused to employees or third parties
▪ Criminal, civil, and regulatory liabilities
▪ Requirements to report fraud to governmental authorities
▪ Reputational damage among stakeholders
▪ Adverse media coverage
▪ Competitive advantages to competing companies
▪ Decline in employee morale
▪ Lost productivity
▪ Loss of key staff
▪ Data loss
▪ Work stoppages
▪ Time and resources spent investigating and following up
Considerations in Assessing the Impact of Identified Risks
▪ Risk velocity is the speed with which a particular risk occurs.
• It might be part of impact or it might be a separate assessment factor.
Step 4: Evaluate Who Is Most Likely to Commit Fraud
▪ Use the assessment of incentives and pressures to identify the individuals and departments most likely to commit fraud.
Step 5: Identify and Map Existing Controls to Inherent Risks
▪ Preventive versus detective
▪ General versus process-specific
▪ Reference the specific policy or procedure that supports the control
Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently
▪ Review accounting policies and procedures.
▪ Consider the risk of override.
▪ Interview management and employees.
▪ Observe control activities.
▪ Test samples of transactions for compliance.
▪ Conduct transaction walk-throughs.
▪ Review previous audit reports.
▪ Review previous reports on fraud incidents, shrinkage, and unexplained shortages.
▪ If the assessment team does not perform controls testing, it needs to gain an understanding of:
• Timing—When was the last time the relevant controls were formally tested?
• Extent—How many transactions were tested and which attributes of the internal controls were tested?
• Results—Were deviations from expected internal controls discovered?
Control risk rating  Description
5                    Very effective—reduces 81–100% of the risk
4                    Effective—reduces 61–80% of the risk
3                    Moderately effective—reduces 41–60% of the risk
2                    Marginally effective—reduces 21–40% of the risk
1                    Not effective—reduces 20% or less of the risk
Step 7: Measure Residual Fraud Risks
▪ Identify residual fraud risks that have not been adequately mitigated due to:
• Lack of appropriate controls
• Noncompliance with established control measures
▪ Evaluate the likelihood and impact of these residual risks.
Addressing the Identified Fraud Risks
▪ Establish an acceptable level of risk to use as a basis for response (management).
▪ Rank and prioritize identified risks.
• Estimate the likely cost of each risk.
• Use a heat map.
Estimating Likely Cost of a Risk
Likely cost = likelihood of occurrence x potential loss; risks are then ranked by likely cost.
▪ Risk of lost business and reputation damage from a disruption in data processing: potential loss $100,000 (lost revenue); likelihood of occurrence 2%; likely cost $2,000 (2% x $100,000); rank 3
▪ Risk of lost revenues from losing a major client: potential loss $500,000 (lost revenue); likelihood of occurrence 15%; likely cost $75,000 (15% x $500,000); rank 1
▪ Risk of employee embezzlement: potential loss $150,000; likelihood of occurrence 7%; likely cost $10,500 (7% x $150,000); rank 2
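Scoring a register in code (an added example, not part of the ACFE slides): the functions below encode the 1-5 likelihood and impact bands from steps 2 and 3, the control-effectiveness bands from step 6, and the likelihood x potential-loss calculation from the table above, and combine them into an inherent score, a residual score, and a heat-map zone. The combination rule (inherent = likelihood x impact; residual = inherent x (1 - midpoint of the control's reduction band)), the heat-map thresholds, and the control ratings given to the three sample risks are assumptions for illustration; the slides leave those choices to the assessment team.

```python
"""Scoring a fraud risk register on the slides' 1-5 scales.

Added worked example; it is not part of the ACFE material. The likelihood,
impact and control-effectiveness bands follow the slides. Two things are
assumptions for illustration: how the scores are combined (inherent =
likelihood x impact; residual = inherent x (1 - midpoint of the control's
reduction band)) and the heat-map thresholds on the resulting 1-25 grid.
The register rows reuse the three risks from the likely-cost table; their
control ratings are constructed sample values.
"""
from dataclasses import dataclass


def likelihood_from_probability(p: float) -> int:
    """Annual probability of occurrence -> rating 1-5 (slide scale)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p < 0.10:
        return 1  # Remote
    if p < 0.35:
        return 2  # Unlikely
    if p < 0.65:
        return 3  # Reasonably possible
    if p <= 0.90:
        return 4  # Likely
    return 5      # Almost certain


def likelihood_from_frequency(times_per_year: float) -> int:
    """Annual frequency -> rating 1-5 (slide scale)."""
    if times_per_year < 1:
        return 1  # Rare
    if times_per_year < 2:
        return 2  # Occasional (about once a year)
    if times_per_year <= 5:
        return 3  # Reasonably frequent
    if times_per_year <= 20:
        return 4  # Frequent
    return 5      # Very frequent


def impact_from_loss(loss_usd: float) -> int:
    """Financial loss -> rating 1-5 (slide scale, monetary criterion only)."""
    if loss_usd < 1_000:
        return 1  # Incidental
    if loss_usd < 10_000:
        return 2  # Minor
    if loss_usd < 100_000:
        return 3  # Moderate
    if loss_usd <= 10_000_000:
        return 4  # Major
    return 5      # Catastrophic


# Control effectiveness rating -> fraction of the risk removed. The slides give
# bands (1: <=20%, 2: 21-40%, ..., 5: 81-100%); using the band midpoint is an
# assumption. Rating 0 means no control is mapped to the risk.
CONTROL_REDUCTION = {0: 0.0, 1: 0.10, 2: 0.30, 3: 0.50, 4: 0.70, 5: 0.90}


@dataclass(frozen=True)
class FraudRisk:
    name: str
    probability: float      # annual probability of occurrence
    potential_loss: float   # USD
    control_rating: int     # 0-5, see CONTROL_REDUCTION

    def likelihood(self) -> int:
        return likelihood_from_probability(self.probability)

    def impact(self) -> int:
        return impact_from_loss(self.potential_loss)

    def inherent_score(self) -> int:
        # Step 2 x Step 3, before any control is considered.
        return self.likelihood() * self.impact()

    def residual_score(self) -> float:
        # Step 7: what is left after the mapped control's assessed effect.
        return round(self.inherent_score() * (1 - CONTROL_REDUCTION[self.control_rating]), 1)

    def likely_cost(self) -> float:
        # Slide table: likelihood of occurrence x potential loss.
        return round(self.probability * self.potential_loss, 2)

    def heat_zone(self) -> str:
        # Assumed thresholds on the 1-25 grid: >=15 red, >=8 amber, else green.
        s = self.residual_score()
        return "red" if s >= 15 else "amber" if s >= 8 else "green"

    def with_control(self, new_rating: int) -> "FraudRisk":
        """Re-score after a planned mitigation, to plot its effect on the heat map."""
        return FraudRisk(self.name, self.probability, self.potential_loss, new_rating)


def rank_by_likely_cost(risks):
    """Rank 1 = largest expected annual cost."""
    ordered = sorted(risks, key=lambda r: r.likely_cost(), reverse=True)
    return [(rank, r.name, r.likely_cost()) for rank, r in enumerate(ordered, start=1)]


# Constructed register: the three risks from the slides' likely-cost table,
# with sample control ratings that the slides do not give.
REGISTER = [
    FraudRisk("Disruption in data processing", 0.02, 100_000, 2),
    FraudRisk("Loss of a major client", 0.15, 500_000, 3),
    FraudRisk("Employee embezzlement", 0.07, 150_000, 0),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: L{r.likelihood()} x I{r.impact()} = {r.inherent_score()}, "
              f"residual {r.residual_score()} ({r.heat_zone()}), likely cost ${r.likely_cost():,.0f}")
    for rank, name, cost in rank_by_likely_cost(REGISTER):
        print(rank, name, f"${cost:,.0f}")
```

Run as a script, the ranking reproduces the slide table (major client first, embezzlement second, data processing third). The two views deliberately disagree: the embezzlement risk ranks second by likely cost but has no mapped control, so its residual score equals its inherent score, which is the kind of gap step 7 is meant to surface. `with_control` lets a planned mitigation be re-scored so its movement on the heat map can be shown in the mitigation plan.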
Using Heat Maps
Responding to Residual Fraud Risks
▪ Avoid the risk.
▪ Transfer the risk.
▪ Mitigate the risk.
• Reduce the likelihood.
• Reduce the impact.
▪ Assume the risk.
▪ Use a combination approach.
Documenting Risk Mitigation Plans
▪ Describe the new or revised internal control(s).
▪ Is the new control applicable to one or multiple fraud risks?
▪ Is it preventive or detective?
▪ What is the anticipated effect (i.e., reduction in impact and/or likelihood)?
• Consider plotting the effect on the heat map.
▪ Who is responsible for enacting it?
▪ What is the anticipated completion date?
Reporting the Assessment Results
▪ Report objective—not subjective—results.
▪ Keep it simple.
▪ Focus on what really matters.
▪ Identify actions that are clear and measurable.
Making an Impact with the Fraud Risk Assessment
▪ Use the results to:
• Begin a dialogue across the company.
• Look for fraud in high-risk areas.
• Hold responsible parties accountable for progress.
• Keep the assessment process alive and relevant.
• Modify or create the code of conduct or ethics policy.
• Monitor key controls.