Featured Article

Risky Business: Conducting the internal fraud risk assessment

Date: March 1, 2005

Devising and conducting an internal fraud risk assessment may be a daunting task, but every fraud examiner should have the essentials to get the job done. Here are some steps you can take to prevent and detect fraud. 

The company's CEO was nervous. In 2002, I was presenting him with the results of an investigation I had conducted on suspected fraudulent acts by four managers at a subsidiary of the publicly traded firm, and he was quite concerned about his liabilities under the U.S. Sarbanes-Oxley Act.

Given the findings of my investigation, he said he didn't have faith in the abilities of his internal audit staff, chief financial officer, or external auditors to assess the company's fraud controls. He asked that I assess the company's vulnerabilities to fraud and recommend actions to address any shortcomings. This was the first time any client had asked me for a complete assessment of a company's internal fraud controls.

An internal fraud assessment is a daunting task for any fraud examiner regardless of the organization's size. I first had to find a suitable methodology to create a comprehensive assessment guideline. The methodology would have to allow me to complete the project in a reasonable timeframe while still conducting a thorough assessment of the risks to the organization's assets.

After looking at different models, I decided to develop my own fraud assessment guidelines. Fortunately, my background and training as a security consultant had exposed me to several different risk assessment methodologies. And as a fraud examiner, I've compiled several informal questionnaires and audit guidelines that I've used to assist me in conducting interviews and assessments for a variety of employee theft and fraud cases. By combining these two disciplines, I developed the Internal Fraud Vulnerability Assessment Tool (IFVAT) using the standard components of qualitative risk analysis. (A supplemental option is the ACFE Fraud Prevention Check-Up. See www.fraudcheckup.com.)

Standard components of risk analysis
There are four standard components of a qualitative risk analysis:

Identify assets to protect
In the internal fraud assessment, the assets to identify would be such items as currency, checks, credit, inventory, equipment, etc. Prioritize each asset based on its criticality to the organization. Obviously, depending on the type of business, the list of assets and an asset's criticality rating will vary. For example, currency will be a critical asset to a food market but might not be listed on a manufacturing company's critical asset list.

Identify threats to the assets
Threats to the financial assets of an organization are the fraud schemes or acts perpetrated to steal or abuse the assets. The most common internal fraud schemes are cash skimming, cash larceny, misappropriation of inventory and equipment, check tampering, purchasing and billing, payroll, expense, conflicts of interest, corruption, and financial statement fraud.

Determine probability of occurrence
Experience has taught me that determining the probability of the occurrence of a loss event can be more of an art than a science. I've had to draw on several sources of information to make this determination. The fraud examiner must:
1) assess the likelihood of fraud in the organization based on the internal controls environment, the resources to address fraud, the management support of fraud prevention efforts, and the organization's ethical standards;
2) gather all available empirical evidence of organization fraud such as prior reports of fraud incidents, unexplained losses, previous audit findings, and customer or vendor complaints;
3) gather information available from other organizations of similar size and industry about losses from internal fraud; and
4) research information from fraud surveys such as the ACFE's "Report to the Nation on Occupational Fraud and Abuse," which is extremely valuable.

Determine impact of loss
The fraud examiner will use the same information gathered to identify the probability of occurrence. Also, information such as the financial condition of the organization, value of the assets, criticality of the assets to the organization, and revenue produced by the assets will be needed. Determine if the loss will have a material effect on the organization's financial statement.

Assessment of current fraud controls and prevention
Once the fraud examiner gathers the necessary information to identify the assets in need of protection, the threats to those assets, the probability of a loss event from those threats, and the impact of a loss event to the organization, it's time to assess the controls and prevention measures in place to protect the assets.

Preventative measures are different from controls. Preventative measures are intended to prevent fraud before it occurs. (Control measures are intended to not only prevent but also detect and deter fraud if it does occur.) Both preventative and control measures are important in reducing the opportunity for fraud and increasing the important "perception of detection" among employees.

The assessment of preventative and control measures requires a thorough review of the accounting policies and procedures; fraud-related policies and procedures; interviews with management and employees; sample testing of controls compliance; observation of control activities; review of previous audit reports; and review of previous reports on fraud incidents, shrinkage, and unexplained shortages.

Vulnerability identification
The assessment will identify either the absence of appropriate controls and prevention measures or noncompliance with the established controls and measures needed to protect an asset from an identified threat. Each identified deficiency increases the probability of a loss event and creates a vulnerability to fraud.

For example, the failure to separate the duties of a bookkeeper recording the accounts receivables and preparing the bank deposits for the organization will result in a vulnerability to the loss of cash receipts from skimming. The probability of an occurrence will depend on the control environment, the volume of transactions, the loss history, and the experience of similar organizations. The control environment includes the number and quality of controls, management support for controls, employee awareness, and the actions taken by the organization in response to suspected incidents of fraud. The impact of loss will depend on these same factors, combined with the financial condition of the organization.

Addressing vulnerabilities
There are four approaches to addressing risk:
1) Avoid the risk
The organization may decide to avoid a risk by eliminating an asset if the prevention or control measures required to protect it against an identified threat are too expensive. This requires the fraud examiner to complete a cost-benefit analysis comparing the value of the asset to the organization with the cost of implementing measures to protect it.
2) Transfer the risk
Typically an organization will transfer its risk, or at least a significant portion of a risk, by purchasing some type of fidelity insurance or bond. The cost to the organization is the premium paid for the insurance or bond. The covered risk of loss is then transferred to the insurance company, less any deductible payment included in the contract.
3) Mitigate the risk
Risk mitigation is addressed by implementing appropriate countermeasures such as prevention measures and financial controls. Prevention measures include employee education, fraud risk assessments, fraud hotlines, and ethics programs, among others. Financial control measures include policies, procedures, segregation of duties, and confidential reporting systems. The fraud examiner has to evaluate each countermeasure to determine whether it is cost-effective and reasonable given the level of risk (the probability of occurrence and the impact of loss).
4) Assume the risk
The organization can assume the risk if it determines that both the probability of occurrence and the impact of loss are low. The organization may decide that it is more cost-effective to assume the risk than to eliminate the asset, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.

The organization could also elect to combine the above approaches. For example, if the probability of a loss occurrence is high and the impact to the organization from a loss is high, the organization may decide to transfer part of the risk through the purchase of insurance and implement prevention and financial controls to mitigate the risk.

Developing recommendations
The fraud examiner can develop cost-effective and reasonable recommendations for addressing the risks from fraud by:

  • reviewing current fraud controls;
  • determining the probability that a threat will develop into a loss event;
  • determining the impact of the loss event to the organization;
  • identifying vulnerabilities to the threats;
  • identifying prevention or control measures to mitigate the risks; and
  • conducting a cost/benefit analysis of countermeasures and considering the other options (transfer, assumption, and avoidance).

The matrix below will simplify the decision-making process. The fraud examiner can arrive at an appropriate response by determining the level of probability of occurrence and impact of loss for each identified threat.

The beauty of the fraud risk assessment
Conducting a fraud risk assessment provides the information an organization needs to make sound decisions about how to address its risks. Unfortunately, a majority of organizations unintentionally assume the risks of internal fraud by failing to identify and gather this information, leaving significant risks unaddressed. Employee fraud and theft losses go beyond financial assets. Organizations may also experience a loss of reputation, efficiencies, employee morale, and the ability to recruit high-caliber employees.

 

Decision matrix (rows: impact of loss; columns: probability of occurrence)

Impact of loss | Probability: High     | Probability: Medium             | Probability: Low
High           | Prevention & controls | Prevention & controls           | Transfer with insurance
Medium         | Prevention & controls | Prevention, controls, insurance | Assume or insurance
Low            | Prevention & controls | Assume, controls, prevention    | Assume risk
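The following is an added example, not code from the article or from the author's IFVAT tool. It encodes the article's decision matrix and walks the bookkeeper-and-deposits case from the vulnerability section through it; the scoring rules in probability() and impact() (one level per missing control, one more for a loss history, impact raised to HIGH for a material loss) are assumptions chosen for illustration, and the control names and sample threat are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# The article's decision matrix, keyed by (impact of loss, probability of occurrence).
DECISION_MATRIX = {
    (Level.HIGH, Level.HIGH): "Prevention & controls",
    (Level.HIGH, Level.MEDIUM): "Prevention & controls",
    (Level.HIGH, Level.LOW): "Transfer with insurance",
    (Level.MEDIUM, Level.HIGH): "Prevention & controls",
    (Level.MEDIUM, Level.MEDIUM): "Prevention, controls, insurance",
    (Level.MEDIUM, Level.LOW): "Assume or insurance",
    (Level.LOW, Level.HIGH): "Prevention & controls",
    (Level.LOW, Level.MEDIUM): "Assume, controls, prevention",
    (Level.LOW, Level.LOW): "Assume risk",
}

@dataclass
class Threat:
    asset: str                # asset to protect
    scheme: str               # fraud scheme that threatens it
    required_controls: set    # controls that must be in place to block the scheme
    present_controls: set     # controls the assessment actually found working
    asset_criticality: Level  # criticality rating assigned to the asset
    prior_incidents: int      # empirical evidence: reported losses, audit findings

def vulnerabilities(t: Threat) -> set:
    """Vulnerability identification: required controls that are missing or unmet."""
    return t.required_controls - t.present_controls

def probability(t: Threat) -> Level:
    """Assumed rule (not the article's): LOW, +1 level per missing control, +1 if there is a loss history."""
    score = int(Level.LOW) + len(vulnerabilities(t)) + (1 if t.prior_incidents else 0)
    return Level(min(score, int(Level.HIGH)))

def impact(t: Threat, material: bool = False) -> Level:
    """Assumed rule: asset criticality, raised to HIGH if the loss would be material."""
    return Level.HIGH if material else t.asset_criticality

def recommend(t: Threat, material: bool = False) -> str:
    """Matrix response for the threat's impact and probability levels."""
    return DECISION_MATRIX[(impact(t, material), probability(t))]

# Constructed sample: the article's bookkeeper who records receivables AND prepares deposits.
SKIMMING = Threat("cash receipts", "skimming", {"separate AR recording from deposits", "bank reconciliation"},
                  {"bank reconciliation"}, Level.HIGH, prior_incidents=0)
```

Calling recommend(SKIMMING) returns "Prevention & controls": one missing control puts probability at MEDIUM, and the critical cash asset keeps impact at HIGH.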

 

Certified Fraud Examiners become invaluable to their organizations when they educate them about the benefits of fraud risk assessments and assist them in conducting the assessments.

Larry E. Cook, CFE, CPP, is president and founder of CVA Solutions Inc., a risk assessment, consulting, and audit firm specializing in fraud examinations and assessments. His Web site is: www.ifvat.com.

[Some links may no longer be available. —Ed.]

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
