November 14, 2023
Matt Stelzman
Principal, Litigation & Valuation Advisory Leader
Chattanooga, TN

Fraud Risk Management #2 – Understanding Risk Assessment
In recognition of International Fraud Awareness Week, Windham Brannon’s Matt Stelzman takes a deeper dive into the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO).
Our first article discussed Principle 1: Fraud Risk Governance and its relation to the control environment as well as the first five underlying COSO principles. Our second article takes a look at fraud risk management and Principle 2: Fraud Risk Assessment.
Principle 2: Fraud Risk Assessment
“The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.”
Fraud risk assessments correspond to COSO principles six through nine, or more broadly, the risk assessment component of internal control. As with the first principle, there are several areas of focus that should be considered.
Who should be involved with fraud risk assessment?
First, the fraud risk assessment needs to involve the appropriate levels of management of the organization. Senior management should establish the fraud risk assessment team, and it should include individuals with varying knowledge, skills and viewpoints from across the organization, not just accounting and finance personnel. These individuals should be significant process owners or business unit managers, because they will be responsible for the effectiveness of the organization’s fraud risk management efforts. This fraud risk assessment team can then brainstorm ways in which fraudulent events could occur throughout the organization.
Second, the organization should include the entity, subsidiary, division, operating unit and functional levels of the organization when identifying and assessing fraud risks. Not all of these levels apply to every organization, and their applicability will vary with the organization’s size and complexity. In a very large or complex organization, different teams of risk assessors can be formed to perform multiple fraud risk assessments, which the fraud risk management specialist can then combine into one larger assessment.
How do internal and external factors affect assessment?
Internal and external factors and their potential impacts must be considered in relation to the organization’s achievement of its objectives. Internal factors are the activities the organization performs in its day-to-day operations, including the processes and the associated controls in place to account for them. Internal factors can also include incentives and pressures such as sales performance metrics, revenue goals and budgetary restrictions. External factors can include the organization’s customers and/or vendors and the environment in which the organization operates. Geography can also play a role here, for example local laws or groups that would be inclined to interfere with the business. Overall, the fraud risk assessment addresses not only internal fraud risks but also external fraud risks from outside parties.
What about the Fraud Triangle?
The fraud risk assessment should consider the fraud attributes and characteristics widely known as the Fraud Triangle.
Later research has expanded the Fraud Triangle into the Fraud Pentagon, which includes:
While both the Fraud Triangle and the Fraud Pentagon are excellent models, and elements of them are usually present when analyzing known frauds, they are not perfect standalone predictors.
What else should be considered during the assessment?
The various types of fraud that exist should also be considered in the fraud risk assessment.
- Fraudulent financial reporting – Any intentional misstatement of accounting information.
- Fraudulent non-financial reporting – Environmental, health, and safety records; misreporting of productivity measures; falsification of reports or operational metrics, etc.
- Misappropriation of assets – Theft of cash, inventory or assets; theft of intangible assets such as trade secrets or personal identifying information (PII).
- Other illegal acts and corruption – Violation of federal or state regulations, data protection laws, tax obligations and banking/financial services regulations, etc.
Part of the fraud risk assessment should also include identifying existing fraud control activities and evaluating their effectiveness. Most organizations develop controls starting with the accounting process, but a fraud scheme-specific approach lets an organization identify all possible fraud schemes, not just those related to accounting functions. Most organizations already have fraud controls in place; examining them through a fraud-specific lens allows those controls to be evaluated for effectiveness. Additional controls can then be implemented to address any residual fraud risks the organization wishes to remediate.
Finally, the risk of management override of controls should be addressed specifically in the fraud risk assessment. Including it as an explicit part of the assessment eases the discomfort of pointing out the risks of management override to superiors in the organization.
What should be done after risks are identified?
Once the fraud risks have been identified, they must be measured based on their likelihood and significance through an inherent risk lens. Inherent risk means the likelihood and significance of a fraud risk assessed without regard to the controls already in place.
- Likelihood – The assessment of how likely the fraud is to occur; generally categorized as ‘remote, reasonably possible, and probable’.
- Significance – The assessment of how the fraud could affect the organization in terms of financial, operational, reputational and liability impact.
The fraud risk assessment should be documented, perhaps with a matrix, and revisited periodically, as all organizations experience change. With change come different fraud risks that may not have been included in the initial assessment but should be added as the organization changes. Examples of such changes include, but are not limited to, operational changes, leadership changes and changes in the fraud landscape.
If your organization needs help with a proper fraud risk assessment, reach out to your Windham Brannon advisor today, or contact Matt Stelzman.
Sources:
- COSO, Internal Control-Integrated Framework (May 2013)
- COSO & ACFE, Fraud Risk Management Guide 2nd Edition (2023)
- ACFE, Occupational Fraud 2022: A Report to the Nations (2022)
