Fraud Risk Management: Fraud Risk Assessment, Part 2
2017 Association of Certified Fraud Examiners, Inc.
Fraud Risk Assessment Frameworks
Frameworks are helpful for performing, evaluating, and reporting the results of the fraud risk assessment. The specific needs and culture of the organization must be considered and accounted for.
Fraud Risk Assessment Framework
1. Identify potential inherent fraud risks and schemes.
2. Assess the likelihood of identified inherent fraud risks.
3. Assess the impact of identified inherent fraud risks.
4. Evaluate which people and departments are most likely to commit fraud.
5. Identify and map existing controls to relevant fraud risks.
6. Evaluate whether the identified controls are operating effectively and efficiently.
7. Identify, evaluate, and respond to residual fraud risks that need to be mitigated.
Fraud Risk Assessment Framework (blank assessment template)
Columns:
- Identified Fraud Risks and Schemes
- Likelihood
- Impact
- Personnel / Departments Involved
- Existing Fraud Control Activities
- Control Activities Effectiveness
- Residual Fraud Risk
- Fraud Risk Response
Row categories:
- Financial Reporting
- Asset Misappropriation
- Corruption and Illegal Acts
- External Risks
- Other Risks
Step 1: Identify Potential Inherent Risks
Use knowledge gathered from:
- Individuals throughout the entity
- Actual frauds and fraud investigations
- External sources
To brainstorm:
- Incentives, pressures, and opportunities for fraud
- Risk of management's override of controls
- Population of internal and external fraud risks
- Risk of regulatory and legal misconduct
- Reputation risk (as a byproduct of fraud risk)
Step 2: Assess the Likelihood of Identified Risks
A subjective, and often difficult, process that allows management to apply preventive and detective controls rationally.
Two common approaches:
- The probability that the fraud will be attempted
- The frequency with which a fraud risk will occur
Usually assessed using a scale, which can be qualitative or quantitative.
Step 2: Assess the Likelihood of Identified Risks (example rating scale)

| Rating | Annual frequency: descriptor | Annual frequency: definition | Annual probability: descriptor | Annual probability: definition |
|---|---|---|---|---|
| 5 | Very frequent | >20 times per year | Almost certain | >90% chance of occurrence |
| 4 | Frequent | 6 to 20 times per year | Likely | 65% to 90% chance of occurrence |
| 3 | Reasonably frequent | 2 to 5 times per year | Reasonably possible | 35% to 65% chance of occurrence |
| 2 | Occasional | 1 time per year | Unlikely | 10% to 35% chance of occurrence |
| 1 | Rare | <1 time per year | Remote | <10% chance of occurrence |
Considerations in Assessing the Likelihood of Identified Risks
- Past instances of the particular fraud
- Prevalence of the fraud risk in the industry
- Internal control environment of the organization
- Resources available to address fraud
- Support of fraud prevention efforts by management
- Ethical standards and culture of the organization
- Number of individual transactions involved
- Number of people involved
- Complexity of the fraud risk
- Unexplained losses
- Complaints by customers or vendors
- Fraud surveys and statistics
Considerations in Assessing the Likelihood of Identified Risks
Risk trend is the direction of movement of a particular risk that impacts an organization. It might be part of likelihood or might be a separate assessment factor.
Step 3: Assess the Impact of Identified Risks
- As with likelihood, assessed using a predetermined scale
- Can be qualitative or quantitative
- Need to consider both financial and nonfinancial factors
Step 3: Assess the Impact of Identified Risks (example rating scale)

| Rating | Descriptor | Definition |
|---|---|---|
| 5 | Catastrophic | Financial loss to company is in excess of $10 million; international long-term media coverage; widespread employee morale issues and multiple senior leaders leave; incident must be reported to authorities and significant sanctions and financial penalties result |
| 4 | Major | Financial loss to company is between $100,000 and $10 million; national long-term media coverage; widespread employee morale problems and turnover; incident must be reported to authorities and sanctions against the company result |
| 3 | Moderate | Financial loss to company is between $10,000 and $100,000; short-term regional or national media coverage; widespread employee morale problems; incident must be reported to authorities and immediate corrective action is necessary |
| 2 | Minor | Financial loss to company is between $1,000 and $10,000; limited local media coverage; general employee morale problems; incident is reportable to authorities, but no follow-up |
| 1 | Incidental | Financial loss to company is less than $1,000; no media coverage; isolated employee dissatisfaction; event does not need to be reported to authorities |
Considerations in Assessing the Impact of Identified Risks
- Financial statement and monetary impact
- Financial condition of the organization
- Value of the threatened assets
- Criticality of the threatened assets
- Revenue generated by the threatened assets
- Impact on operations, brand value, and reputation
- Financial damages caused to employees or third parties
- Criminal, civil, and regulatory liabilities
- Requirements to report fraud to governmental authorities
- Reputational damage among stakeholders
- Adverse media coverage
- Competitive advantages to competing companies
- Decline in employee morale
- Lost productivity
- Loss of key staff
- Data loss
- Work stoppages
- Time and resources spent investigating and following up
Considerations in Assessing the Impact of Identified Risks
Risk velocity is the speed with which a particular risk occurs. It might be part of impact or it might be a separate assessment factor.
Step 4: Evaluate Who Is Most Likely to Commit Fraud
Use the assessment of incentives and pressures to identify the individuals and departments most likely to commit fraud.
Step 5: Identify and Map Existing Controls to Inherent Risks
- Preventive versus detective
- General versus process-specific
- Reference the specific policy or procedure that supports the control
Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently
- Review accounting policies and procedures.
- Consider the risk of override.
- Interview management and employees.
- Observe control activities.
- Test samples of transactions for compliance.
- Conduct transaction walk-throughs.
- Review previous audit reports.
- Review previous reports on fraud incidents, shrinkage, and unexplained shortages.
Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently
If the assessment team does not perform controls testing, it needs to gain an understanding of:
- Timing: When was the last time the relevant controls were formally tested?
- Extent: How many transactions were tested, and which attributes of the internal controls were tested?
- Results: Were deviations from expected internal controls discovered?
Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently (example control effectiveness scale)

| Control risk rating | Description |
|---|---|
| 5 | Very effective: reduces 81% to 100% of the risk |
| 4 | Effective: reduces 61% to 80% of the risk |
| 3 | Moderately effective: reduces 41% to 60% of the risk |
| 2 | Marginally effective: reduces 21% to 40% of the risk |
| 1 | Not effective: reduces 20% or less of the risk |
Step 7: Measure Residual Fraud Risks
Identify residual fraud risks that have not been adequately mitigated due to:
- Lack of appropriate controls
- Noncompliance with established control measures
Evaluate the likelihood and impact of these residual risks.
Addressing the Identified Fraud Risks
- Establish an acceptable level of risk to use as a basis for response (management's responsibility).
- Rank and prioritize identified risks.
- Estimate the likely cost of each risk.
- Use a heat map.
Estimating Likely Cost of a Risk

| Risk | Potential loss | Likelihood of occurrence | Likely cost | Rank |
|---|---|---|---|---|
| Risk of lost business and reputation damage from a disruption in data processing | $100,000 (lost revenue) | 2% | $2,000 (2% x $100,000) | 3 |
| Risk of lost revenues from losing a major client | $500,000 (lost revenue) | 15% | $75,000 (15% x $500,000) | 1 |
| Risk of employee embezzlement | $150,000 | 7% | $10,500 (7% x $150,000) | 2 |
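The following script is an added example, not ACFE material, that puts the preceding steps together in a small fraud risk register: it maps an annual probability and a potential loss onto the 1-5 likelihood and impact scales from the slides, computes the likely cost (likelihood x potential loss) and ranks risks by it as the table above does, discounts each risk by its control effectiveness rating to estimate residual cost, tallies risks into a 5x5 heat map grid, and flags the residual risks that still exceed management's acceptable level. The three risks in the register are the ones from the table above; their control ratings, the exact treatment of band boundaries, the per-rating reduction fractions (approximate midpoints of the control effectiveness bands), and the residual-cost formula are this example's assumptions, not something the slides specify.

```python
"""Score a fraud risk register with the 1-5 likelihood, impact and control scales.

Added example (not ACFE material). Band boundaries, control-reduction
midpoints and the residual-cost formula are assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass


def likelihood_rating(probability: float) -> int:
    """Map an annual probability of occurrence to the 1-5 likelihood scale."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.90:
        return 5  # almost certain (>90%)
    if probability > 0.65:
        return 4  # likely (65% to 90%)
    if probability > 0.35:
        return 3  # reasonably possible (35% to 65%)
    if probability >= 0.10:
        return 2  # unlikely (10% to 35%)
    return 1      # remote (<10%)


def impact_rating(loss: float) -> int:
    """Map a potential financial loss in USD to the 1-5 impact scale."""
    if loss < 0:
        raise ValueError("loss cannot be negative")
    if loss > 10_000_000:
        return 5  # catastrophic (>$10M)
    if loss >= 100_000:
        return 4  # major ($100k to $10M); boundary placement is an assumption
    if loss >= 10_000:
        return 3  # moderate ($10k to $100k)
    if loss >= 1_000:
        return 2  # minor ($1k to $10k)
    return 1      # incidental (<$1k)


# Assumed fraction of the risk removed at each control effectiveness rating
# (approximate midpoint of the bands 81-100%, 61-80%, 41-60%, 21-40%, <=20%).
CONTROL_REDUCTION = {5: 0.90, 4: 0.70, 3: 0.50, 2: 0.30, 1: 0.10}


@dataclass(frozen=True)
class FraudRisk:
    name: str
    potential_loss: float   # USD lost if the fraud occurs
    probability: float      # annual probability of occurrence
    control_rating: int     # 1-5 effectiveness of the existing controls

    def likelihood(self) -> int:
        return likelihood_rating(self.probability)

    def impact(self) -> int:
        return impact_rating(self.potential_loss)

    def inherent_score(self) -> int:
        """Likelihood x impact, the usual heat map cell score."""
        return self.likelihood() * self.impact()

    def likely_cost(self) -> float:
        """Expected annual loss, as in the likely-cost table."""
        return round(self.probability * self.potential_loss, 2)

    def residual_cost(self) -> float:
        """Assumption: controls remove CONTROL_REDUCTION of the likely cost."""
        return round(self.likely_cost() * (1 - CONTROL_REDUCTION[self.control_rating]), 2)


def rank_by_likely_cost(risks):
    """Return (rank, risk) pairs, most costly first."""
    ordered = sorted(risks, key=lambda r: r.likely_cost(), reverse=True)
    return [(i + 1, r) for i, r in enumerate(ordered)]


def heat_map(risks):
    """5x5 grid of risk counts: rows are likelihood 5..1, columns impact 1..5."""
    cells = Counter((r.likelihood(), r.impact()) for r in risks)
    return [[cells[(lk, im)] for im in range(1, 6)] for lk in range(5, 0, -1)]


def above_tolerance(risks, tolerance):
    """Names of risks whose residual cost still exceeds the acceptable level."""
    return [r.name for r in risks if r.residual_cost() > tolerance]


# Constructed register: the three risks from the likely-cost table, with
# control ratings that are this example's assumptions.
REGISTER = [
    FraudRisk("Disruption in data processing", 100_000, 0.02, 4),
    FraudRisk("Loss of a major client", 500_000, 0.15, 2),
    FraudRisk("Employee embezzlement", 150_000, 0.07, 3),
]

if __name__ == "__main__":
    for rank, r in rank_by_likely_cost(REGISTER):
        print(f"{rank}. {r.name}: L{r.likelihood()} x I{r.impact()} = {r.inherent_score()}, "
              f"likely cost ${r.likely_cost():,.0f}, residual ${r.residual_cost():,.0f}")
    for row in heat_map(REGISTER):
        print(" ".join(str(c) if c else "." for c in row))
    print("above tolerance:", above_tolerance(REGISTER, 5_000))
```

Running it reproduces the table's ranking (major client, embezzlement, data processing) and shows why a likely-cost ranking and a heat map can disagree: all three risks land in impact column 4, but the heat map separates them only by likelihood rating, while the residual cost also reflects how effective the existing controls are.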
Using Heat Maps
[Slides 24 to 27 contain heat map figures only; no text was extracted.]
Responding to Residual Fraud Risks
- Avoid the risk.
- Transfer the risk.
- Mitigate the risk:
  - Reduce the likelihood.
  - Reduce the impact.
- Assume the risk.
- Use a combination approach.
Documenting Risk Mitigation Plans
- Describe the new or revised internal control(s):
  - Is the new control applicable to one or multiple fraud risks?
  - Is it preventive or detective?
- Anticipated effect (i.e., reduction in impact and/or likelihood); consider plotting the effect on the heat map
- Who is responsible for enacting it?
- Anticipated completion date
Reporting the Assessment Results
- Report objective, not subjective, results.
- Keep it simple.
- Focus on what really matters.
- Identify actions that are clear and measurable.
Making an Impact with the Fraud Risk Assessment
Use the results to:
- Begin a dialogue across the company.
- Look for fraud in high-risk areas.
- Hold responsible parties accountable for progress.
- Keep the assessment process alive and relevant.
- Modify or create the code of conduct or ethics policy.
- Monitor key controls.