- Fraud Risk Assessment

Fraud Risk Assessment

In the simplest terms, the objective of a fraud risk assessment is to help an organization recognize what makes it most vulnerable to fraud. Through a fraud risk assessment, the organization is able to identify where fraud is most likely to occur, enabling proactive measures to be considered and implemented to reduce the chance that it could happen. The strategic reasoning used in conducting a fraud risk assessment requires a skeptical mindset and involves asking questions such as:

How might a fraud perpetrator exploit weaknesses in the system of control?
How could a perpetrator override or circumvent controls?
What could a perpetrator do to conceal the fraud?
Could this be a false positive or is there a genuine fraud underway?

What makes a Good Fraud Risk Assessment?

1. Collaborative Effort of Management and Auditors

2. The Right Sponsor

3. A Good Working Knowledge of the Business

4. Access to People at All Levels of the Organization

5. Engendered Trust on the Risk Assessors

6. The Ability to think the Unthinkable

7. One Size Does Not Fit All

8. Keeping It Simple

The Risk Assessment Process

We offer Internal Audit services which focus primarily on fraud risks, along with additional focus on revenue leakage, cost overruns and process optimization.

During the Risk Assessment, we assess the applicable control question, and provide a risk rating on a High-Medium-Low model against Impact and Probability.
From this set of applicable control questions
1. We identify those risks which are already mitigated by existing controls within the organization – Risk Mitigated
2. We identify those risks which are accepted by the management, post a cost-benefit analysis – Risk Accepted
3. We identify those risks which are open (Open Risks), and shall create a risk tracker, assign risk owner, and follow-up towards closure against agreed target date.
The Management would receive a Risk Assessment Report, which will include an Executive Summary and a detailed list of Applicable Risks.

Fraud Risk Assessment Framework

Our Risk Assessment framework has been developed from ACFE Risk Assessment Tool, first developed by Larry Cook CFE, which contains 326 red-flags which an organization could consider for mitigation, across 15 modules are given in table below.

The ACFE’s Fraud Risk Assessment Tool can be used by fraud examiners to identify their client’s or employer’s vulnerabilities to fraud.

As every organization is different, the fraud risk assessment process is often more an art than a science. What gets evaluated and how it gets assessed should be tailored to the organization – there is no one-size-fits-all approach

Module 1: EMPLOYEE ASSESSMENT
34 Questions
The employee assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on: - Internal Controls - Internal Control Environment - Resources available to prevent, detect and deter fraud
Sample Internal Control Questions:
Does the organization provide an anonymous way to report suspected violations of the ethics and anti-fraud programs?
Do any employees have a close association with vendors or competitors?

Module 2: MANAGEMENT / KEY EMPLOYEE ASSESSMENT
41 Questions
The management/key employee assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on: - Internal Controls - Internal Control Environment - Resources available to prevent, detect and deter fraud
Sample Internal Control Questions:
Do any of the key employees own a portion of any company that does business with the company?
Do any key employees appear to be living beyond their means?

Module 3: PHYSICAL CONTROLS TO DETER EMPLOYEE THEFT AND FRAUD
12 Questions
The Physical Controls assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on: - Physical Controls in place to control access to accounting records and information - Physical Controls in place to protect the assets of the organization
Sample Internal Control Questions:
Does the organization restrict access to computer systems with sensitive documents (e.g. accounting software, inventory and payroll) and create a system to provide an audit trail of access?
Does the organisation restrict access to areas with high value assets, sush as shipping, receiving, store-rooms and cash?

Module 4: SKIMMING SCHEMES
28 Questions
Skimming Schemes include: - Collecting Cash, but not recording the sale - Collecting Cash, keeping a portion of the cash, and under-reporting the sale amount. - Collecting a customer's payment, but not crediting the amount to the customer's account - Collecting cash and holding it in a personal interest bearing account before depositing it into the company account.
Sample Internal Control Questions
Does an employee perform an independent verification of the bank deposit ticket to the remittance list generated by the employee who opened the mail?
Is the cashier restricted from accessing bank and customer statements?

Module 5: CASH LARCENY SCHEMES
21 Questions
Cash Larceny Schemes include: - Stealing cash at the point of sale or register - Stealing cash receipts posted to sales and receivable journals - Stealing cash from bank deposits
Sample Internal Control Questions
Are the cash receipts, cash counts, bank deposits, deposit receipt reconciliations, bank reconciliations, posting of deposits and cash disbursements duties segregated?
Is each receivable transaction reviewed for legitimacy and supporting documentation?

Module 6: CHEQUE TAMPERING SCHEMES
22 Questions
Cheque Tampering schemes include: - Forged maker schemes involve forging an authorized signature on a company cheque - Forged endorsement schemes consist of forging the signature endorsement of an intended recipient of a company cheque - Altered payee schemes involve changing the payee designation on the cheque to the perpetrator or an accomplice - Authorized maker schemes occur when employees with signature authority write fraudulent cheques for their own benefit
Sample Internal Control Questions
Has the company established positive pay controls with its bank by supplying the bank with a daily list of cheques issued and authorized for payment?
Has the company notified its bank to not accept cheques over a predetermined maximum amount?

Module 7: CASH REGISTER SCHEMES
20 Questions
The following are types of cash register schemes: - False refund schemes occur when an employee 1) issues a refund for fictitious merchandise and keeps the money or 2) overstates the amount of merchandise returned and skims the excess money. - False void schemes occur when a register worker retains a customer receipt, processes a fictitious voided sale, and keeps the money.
Sample Internal Control Questions
Are customers that are involved in voided sales and refunds randomly contacted to verify the accuracy of the transactions?
Is access to the necessary control keys for refunds and voids restricted to supervisors?

Module 8: PURCHASING AND BILLING SCHEMES
24 Questions
The following are types of purchasing and billing schemes: - Shell company schemes occur when an employee submits invoices for payment from a fictitious company controlled by the employee - Pay-and-return schemes occur when an employee arranges for overpayment of a vendor invoice and pockets the overpayment amount when it is returned to the company - Personal purchase schemes occur when an employee submits an invoice for personal purchases to the company for payment, or when an employee uses a company credit for personal purchases
Sample Internal Control Questions
Are records of goods returned to vendors matched to vendor credit memos?
Are vendors with post office box addresses verified?

Module 9: PAYROLL SCHEMES
21 Questions
The following are types of payroll schemes: - Ghost employee schemes occur when a person not employed by the company is on the payroll. - Overpayment schemes occur when a company pays an employee based on falsified hours or rates - Commission schemes occur when the amount of sales made or the rate of commission is fraudulently inflated
Sample Internal Control Questions
Are personnel records maintained independently of payroll and timekeeping functions?
Are appropriate forms completed and signed by the employee to authorise payroll deductions and withholding exceptions?

Module 10: EXPENSE SCHEMES
7 Questions
The following are types of expense schemes: - Mischaracterized expense schemes occur when an employee requests reimbursement for a personal expense, claiming the expense to be business related - Overstated expense schemes occur when an employee overstates the cost of actual expenses and seeks reimbursement - Fictitious expense schemes occur when an employee invents a purchase and seeks reimbursement for it - Multiple reimbursement schemes occur when an employee submits a single expense for reimbursement multiple times.
Sample Internal Control Questions
Are the expense-accounts reviewed and analyzed periodically using historical comparisons or comparisons with budgeted amounts?
Is there a random authentication of expenses receipts and expenses claimed?

Module 11: THEFT OF INVENTORY AND EQUIPMENT
33 Questions
The following are types of schemes that involve the theft of inventory and equipment: - Fake sale scheme occur when an accomplice of an employee "buys" merchandise, but the employee does not ring up the sale and the accomplice takes the merchandise without making any payment. - Purchasing schemes occur when an employee with purchasing authority uses that authority to purchase and misappropriate merchandise. - Receiving schemes occur when an employee with purchasing authority uses that authority to purchase and misappropriate merchandise - Receiving schemes occur when an employee creates false sales documents and false shipping documents to make it appear that missing inventory was not actually stolen, but rather sold. - Misuse of company assets occurs when an employee borrows company assets for personal use without authorization - Larceny schemes occur when an employee takes inventory from the company premises without attempting to conceal the theft in the accounting records.
Sample Internal Control Questions
Is the company experiencing sizeable inventory increases without comparable sales increases?
Is a receiving report prepared for all purchased goods?

Module 12: THEFT OF PROPRIETARY INFORMATION
12 Questions
Theft of proprietary information involves theft or disclosure of confidential or trade secret information for financial gain.
Sample Internal Control Questions
Is sensitive information properly secured when not being used?
Are compromises to the security or proprietary information promptly investigated to determine the source?

Module 13: CORRUPTION
13 Questions
The following are types of schemes that involve corruption: - Bribery Schemes involve offering, giving, receiving or soliciting of a thing of value to influence a business decision. - Kickback schemes occur when vendors make undisclosed payments to employees of purchasing companies in order to enlist the employees in overbilling schemes. - Bid-rigging schemes occur when an employee fraudulently assists a vendor in winning a contract through the competitive bidding process. - Economic extortion schemes occur when an employee demands payment from a vendor for decisions made in the vendor's favor. Refusal to pay the extorter results in harm to the vendor. - Illegal gratuities schemes involve giving or receiving something of value to reward a business decision.
Sample Internal Control Questions
Are purchases reviewed to identify favored vendors?
Are purchases reviewed to detect out of line costs?

Module 14: CONFLICTS OF INTEREST
6 Questions
The following are types of schemes that involve conflicts of interest: - Purchase schemes involve the overbilling of a company for good or services by a vendor in which an employee has an undisclosed ownership or financial interest. - Sales schemes involve the underselling of company goods by an employee to a company in which the employee maintains a hidden asset.
Sample Internal Control Questions
Are vendors who employ former company employees under increased scrutiny?
Are vendor audits conducted by someone independent of the purchase, sales, billing and receiving departments?

Module 15: FRAUDULENT FINANCIAL REPORTS
32 Questions
The following are schemes involving fraudulent financial reports: - Fictitious revenue schemes involve recording fictitious revenue from the sale of goods of services. - Improper timing schemes involve recording revenues or expenses in improper accounting periods - Understating liabilities schemes involve concealing or understating liabilities and expenses, capitalizing expense or expensing capital expenses - Improper disclosure schemes involve the improper disclosure of material information, such as contingent liabilities, significant events, management fraud, related party transactions, or accounting changes. - Improper asset valuation schemes involve the improper valuation of inventory, accounts receivable, fixed assets, intangibles or other assets.
Sample Internal Control Questions
Do one or a few large transactions account for a significant portion of any account balance or amount?
Does the organization have difficulty collecting receivables or have other cash flow problems?

Why is "Fraud Risk Assessment" Important?

Concealment of the fraud means not only hiding criminal’s identify, but also hiding the fact that a fraud has even occurred. The most successful frauds are those in which the victim organization is unaware that it is being robbed. Obviously, once a business learns that it is being victimized it will take steps to find the source and put a stop to the scheme.

For an organization to be able to effectively manage its fraud risks, the risks must first be identified using a formal risk assessment. It is a powerful proactive tool in the fight against fraud for any business.