A fraud risk assessment is a tool used by management to identify and understand risks to its business and weaknesses in controls that present a fraud risk to the organization. Once a risk is identified, a plan can be developed to mitigate those risks by instituting controls or procedures and assigning individuals to monitor and effectuate the plan of mitigation.
Fraud Risk Assessment Guidelines
The assessment should be performed or updated periodically due to changes in:
- Internal processes and controls.
- Organizational structure.
- Segregation of duties among various personnel.
The fraud risk assessment should address:
- Asset misappropriation.
- Financial and non-financial reporting.
- Regulatory compliance areas.
- Illegal acts.
The assessment should be performed by management and managers responsible for each significant department or area within the organization and then shared with the Board of Directors. Jointly, all parties can then develop and implement preventive and detective fraud control activities to mitigate the risks identified based on their likelihood or significance to the organization and considering the controls already in place.
The assessment can be performed using a matrix format, narrative or any other format that best suits the organization for ease of reading, understanding and evaluation. The components of the assessment that should be included are listed below.
Fraud Risk Assessment Components
- Description of fraud risk or schemes:Examples include fraudulent disbursements, undisclosed relationships/related parties, theft by cyber-fraud, revenue recognition, bribery, manipulation of liabilities and expenses, false employee qualifications or certification, compliance with government regulations, inappropriate journal entries, improper reporting and disclosures, theft of assets or services
- Identification of existing anti-fraud controls:Internal controls in effect, preventive or detective controls.
- Likelihood of occurrence:Based on frequency – rare to very frequent – or probability of occurrence – remote to almost certain.
- Significance to the organization:Incidental to catastrophic.
- Assessment of control effectiveness:Ineffective to very effective.
- Fraud risk response: Additional controls or corrective action activities proposed to be implemented.
- Responsible person:To implement controls and mitigation efforts.
- Monitoring activities:To be periodically conducted and frequency of occurrence.
The fraud risk assessment is just one tool to use in developing a comprehensive approach to managing fraud risk, which should also include the development of a fraud risk policy as part of organizational governance, the development of preventive and detective fraud control activities, a fraud reporting process – whistleblower policy – and a coordinated approach to investigation and corrective action.
More on Withum’s Not-for-Profit Services
For any questions or additional information, fill in the form below.
How Can We Help?