Association of Certified Fraud Examiners

Fraud Risk Assessment Scorecard

To assess the strength of the organization’s fraud governance, carefully assess each area below and score the area, factor, or consideration as:

Red: indicating that the area, factor, or consideration needs substantial strengthening and improvement to bring fraud risk down to an acceptable level.

Yellow: indicating that the area, factor, or consideration needs some strengthening and improvement to bring fraud risk down to an acceptable level.

Green: indicating that the area, factor, or consideration is strong and fraud risk has been reduced — at least — to a minimally acceptable level.

Each area, factor, or consideration scored either red or yellow should have a note associated with it that describes the action plan for bringing it to green on the next scorecard.

Fraud Risk Governance Area, Factor, or Consideration | Score | Notes
INVOLVING APPROPRIATE LEVELS OF MANAGEMENT
Our fraud risk assessment team includes all appropriate levels of management and internal and external sources to assess fraud throughout the organization.
Our risk assessment team includes resources such as:
  • Accounting/finance personnel
  • Non-financial business unit and operations personnel
  • Information technology personnel
  • Risk management personnel
  • Legal and compliance personnel
  • Internal audit personnel
  • External consultants, if expertise is not available internally
Management, senior management, business unit leaders, and significant process owners participate in the risk assessment because they are ultimately accountable for the effectiveness of our organization’s fraud risk management efforts.
Our fraud risk assessment team reviews our organization’s strategic plan, process maps, and control matrices to identify the population of activities that are potentially exposed to fraud.
Our fraud risk assessment team engages in brainstorming sessions to identify incentives, pressures and opportunities to commit fraud; the risk of management override of controls; and the fraud risks that are most relevant to our organization.
Our fraud risk assessment team shares its fraud risk identification information with the board and solicits feedback from them.
Our board assesses the implications of its own processes on fraud risk and considers how its policies may create pressures and incentives to commit fraud.
INCLUDING ENTITY, SUBSIDIARY, DIVISION, OPERATING UNIT, AND FUNCTIONAL LEVELS
Our organization identifies and assesses risk at the entity, subsidiary, division, operating unit and functional levels relevant to the achievement of our objectives.
We assemble multiple fraud risk teams as necessary to accommodate the size and complexity of our organization and to ensure the consideration of every possible fraud scheme and fraud risk exposure.
Each of our fraud risk assessment teams includes personnel with a detailed working knowledge and understanding of the organizational unit under assessment and how it interacts with other organizational units.
ANALYZING INTERNAL AND EXTERNAL FACTORS
Our identification of risks takes into account internal factors such as the processes and controls in place to process and account for everyday transactions, and organizational incentives and pressures to commit fraud.
Our identification of risks takes into account external factors such as customers and vendors with which our organization interacts, the business environment in which we operate, and the extent to which individuals or groups are inclined to disrupt or interfere with our organization’s business.
CONSIDERING VARIOUS TYPES OF FRAUD
Our fraud risk assessment team considers various types of fraud that may be committed against or by the organization including fraudulent financial reporting, fraudulent non-financial reporting, misappropriation of assets, and illegal acts such as corruption.
Our fraud risk assessment team obtains information from external sources such as industry news in order to understand the fraud risks and subset of risks specific to our organization.
Our fraud risk assessment team gathers information about potential fraud from internal sources such as interviews with personnel, brainstorming sessions, complaints received from the whistleblower hotline, and analytical procedures.
When assessing the risk of fraudulent financial reporting, we consider risks such as:
  • Inappropriately reported revenues, expenses, and balance sheet amounts and inappropriately exaggerated or omitted disclosures
  • Concealment of misappropriation of assets, including unauthorized acquisition, disposition and use of assets
  • Concealment of unauthorized receipts and expenditures, such as facilitation payments and bribes
We use a fraud risk assessment matrix to identify and document the specific areas of greatest risk to our organization and to help us determine how to tailor the assessment process accordingly.
Our fraud risk assessment team considers the following questions in addressing significant marketplace disclosures:
  • What controls are in place to monitor internal gathering and reporting of these disclosures?
  • Is there oversight from someone whose compensation is not directly affected by the disclosure?
  • Does someone monitor the organization’s disclosures in relation to other organizations and ask hard questions about whether the organization’s disclosures are adequate or could be improved?
When assessing the risk of fraudulent non-financial reporting, we consider fraud schemes that can lead to:
  • Manipulation of health and safety records and reports
  • Intentional misreporting of productivity measures
  • Falsification of quality assurance reports
  • Falsifications of customer metrics or other operational metrics
  • Falsification of educational or professional credentials
We have developed our own protocols and controls over the processing of non-financial data relevant to our operations.
When assessing the risk of fraudulent non-financial reporting, we consider the following questions:
  • What are the key reports on which the organization relies to operate effectively?
  • What are the key reports or certifications the organization is required to provide by law, rule, regulation or contractual requirements?
  • Is the data contained within those reports from controlled sources, or is it subject to manual intervention and bias?
  • Are there non-financial metrics that are important to the organization’s stakeholders, including regulators?
  • Are there non-financial reports or metrics that can have a direct or indirect impact on personnel compensation and bonuses?
  • Are there industry-specific issues the organization needs to consider?
Our fraud risk assessment team has an understanding of what assets are subject to misappropriation, the locations of the related assets, and which personnel have control over or access to tangible and intangible assets.
Our fraud risk assessment team considers the risk of illegal acts such as:
  • Bribery and gratuities made to companies, private individuals, and public officials
  • Receipt of bribes, kickbacks, and gratuities
  • Aiding and abetting fraud by other parties
  • Violation of the False Claims Act or other relevant federal, state, or local laws and regulations
We have considered all applicable anti-corruption laws that may affect our overseas operations in establishing our fraud risk management program.
Our board evaluates its performance regularly with respect to reputation risk and ensures that our organization’s risk assessment process includes the consideration of reputation risk.
We incorporate information technology risk and the ongoing threat of cyber fraud into our overall fraud risk assessment.
SPECIFICALLY CONSIDERING THE RISK OF MANAGEMENT OVERRIDE OF CONTROLS
During the risk identification process, our fraud risk assessment team specifically considers the potential for management override of controls, including the controls designed to prevent or detect fraud.
We keep the risk of management’s override of controls in mind when evaluating the effectiveness of controls.
ESTIMATING THE LIKELIHOOD AND SIGNIFICANCE OF RISKS IDENTIFIED
Our risk assessment team evaluates the likelihood and significance of identified fraud risks based on historical information, known fraud schemes, and interviews with business process owners.
Our management assesses the likelihood of a fraud risk’s occurrence by determining instances in which the particular fraud has occurred in our organization in the past, the prevalence of the particular fraud risk in our organization’s industry, and other factors.
Our organization categorizes the likelihood of a particular fraud risk as remote, reasonably possible, or probable.
Our management assesses the significance of a fraud risk by taking into account financial and monetary significance as well as significance to our organization’s operations, brand value, reputation, and criminal, civil, and regulatory liability.
Our organization categorizes the significance of a fraud risk as inconsequential, more than inconsequential, or material.
ASSESSING PERSONNEL OR DEPARTMENTS INVOLVED IN ALL ASPECTS OF THE FRAUD TRIANGLE
We evaluate the incentives and pressures on individuals and departments and use that information to determine who is most likely to commit fraud and the means by which the fraudulent activity will most likely be committed, so that we can formulate appropriate risk responses.
Our fraud risk assessment team focuses on the elements of the fraud triangle, namely:
  • Incentives and pressures that motivate an individual to commit a fraudulent act
  • Opportunities or perceived opportunities that provide an individual with some assurance that a fraudulent act can be committed without being detected
  • Attitudes or rationalizations that enable an individual to internally justify the performance of a fraudulent act
Our board evaluates incentive programs for senior executives and management evaluates these programs for others in the organization.
Our fraud risk assessment team considers incentives to commit fraud such as compensation or maintaining the status quo, as well as pressures to commit fraud such as a desire to achieve performance or other targets.
Our fraud risk assessment team considers how our organization may affect attitudes and rationalizations through our hiring and evaluation process and in the tone established by leadership and management.
Our fraud risk assessment team considers opportunities for unauthorized acquisition, use or disposal of assets and for altering of our entity’s reporting records.
We examine areas where opportunities to commit fraud are the greatest, namely where internal controls are weak and there is a lack of segregation of duties.
IDENTIFYING EXISTING FRAUD CONTROL ACTIVITIES AND ASSESSING THEIR EFFECTIVENESS
Our fraud risk assessment team examines each specific fraud scheme or risk, identifies the control activities in place to mitigate these risks, and determines the effectiveness of these existing controls.
Our management evaluates the potential of any residual risks and determines what controls and procedures should be implemented in order to address such risks.
We prioritize the fraud risks that are deemed to be highly likely and highly significant.
Our risk assessment team evaluates control optimization and notes any instances of unnecessary or redundant control activities.
DETERMINING HOW TO RESPOND TO RISKS
Our board determines our organization’s risk tolerance, taking into consideration our responsibilities to all shareholders, citizens, capital providers, and other stakeholders.
Our board ensures that management has selectively and efficiently implemented the right level of controls based on our established risk tolerance.
Management’s documentation of fraud control activities includes a description of what the control is designed to do, who is to operate the control, who is to monitor and assess the effectiveness of the control, and the related segregation of duties.
USING DATA ANALYTICS TECHNIQUES FOR FRAUD RISK ASSESSMENT AND FRAUD RISK RESPONSES
We perform disaggregated analytics on revenue as part of the fraud risk assessment process.
We use data analytics to compile, display, and analyze the results of employee surveys, facilitated sessions, and other data-gathering techniques.
We utilize any of the following data analytics techniques in order to gather fraud risk evidence:
  • Data stratification
  • Risk scoring
  • Trend analysis
  • Fluctuation analysis
  • Data visualization
  • Statistical and predictive modeling
  • Using information from external sources in analytics
PERFORMING PERIODIC REASSESSMENTS AND ASSESSING CHANGES TO FRAUD RISK
We perform an initial risk assessment and then re-perform it periodically.
Our risk assessment team recognizes that both external and internal changes result in the need for a new and updated fraud risk assessment related to areas affected by the change.
We consider how external changes, such as changes in the regulatory or economic environment, can affect the items with which regulators are most concerned and the financial incentives and pressures facing our organization.
We consider how organizational changes such as the introduction of new product lines or services can lead to new incentives and pressures on employees and new activities that need to be assessed for fraud risks.
We consider the impact of outsourcing initiatives on current employee morale and whether the outsource provider has adequate controls to address the fraud risks inherent in the services they provide.
We consider how changes in organizational leadership may change the tone at the top and therefore affect the culture of compliance within our organization.
We consider how changes in organizational leadership can change who executes and approves transactions and who oversees the fraud risk management program, and whether these new leaders fully understand the processes, controls and monitoring activities that are in place.
DOCUMENTING THE RISK ASSESSMENT
We document our fraud risk assessment in a matrix that includes the following columns, from left to right:
  • Identified fraud risks and schemes
  • Likelihood of occurrence
  • Significance of occurrence
  • Personnel/Departments involved
  • Existing fraud control activities
  • Effectiveness of existing control activities
  • Residual fraud risks
  • Fraud risk responses