Fraud Risk Assessment

Risk assessment and fraud susceptibility assessments are the largest contributors of active fraud prevention. Fraud can be prevented by assessing which departments in an organization are exposed to fraud, and using limited resources to restrict exposures in an organization. Fraud risk assessments are non-stop processes; therefore the intelligence keeps on increasing in an organization to prevent future frauds.

Four components of a fraud risk assessment:

1. Identify areas of exposures:

This is a process where the audit team identifies areas where fraud has been committed based on current trends within the industry, rumors, allegations, or it may be triggered by discoveries in other locations. The audit team needs to identify the types of fraud committed, such as cheque fraud, procurement fraud, and computer fraud. The frauds need to be evaluated to facilitate a process of prioritizing fraud risk. Managers of each department are responsible for evaluating their own departments in terms of their department’s fraud risk. The evaluation can consist of either atop-down or pyramid fashion, making all departments aware of fraud risk and recognize proactive steps taken by the board of directors to restrict the organization’s exposure to fraud as set out in the fraud policy. With this step everyone is made aware of fraud and has to contribute to the fight against fraud. After all the evaluations from each department is received, the fraud team has to assess the priorities of each department and start a planning process.

2. Grade positions in the exposed areas:

Further assessments are necessary to determine if there has been any fraud committed or if there is any fraud in progress in the exposed areas. This is a very subjective test and should be used as a guideline for prioritization purposes only. If the assessment has revealed exposure to a particular fraud, the positions which are the most exposed, and where the heaviest reliance is placed must be determined. Internal controls must then be assessed, as well as the segregated duties in this section. To be able to assess the problems, internal and external auditors should rethink previous problems in terms of controls, which may give good indications of where the problem areas are.

Risk Priorities:

• Low Risk

Internal controls = very good.
Segregation of duties = more than adequate.
Supervisory and custodial controls = effective.
There should be no known or rumored losses in that section.

• Medium Risk

Internal controls = good.
Segregation of duties = adequate.
There should be no audit queries relating to control issues.
There should be an assessment that there is heavy reliance on trust, but that it is not an issue.

• High Risk

Internal controls = deficient.
Supervisory and custodial controls = inadequate.
There will be heavy reliance on trust.
There will be historical audit queries.
There may be previous losses.
• Critical Risk

Includes all of the factors considered under High Risk (above).
There will be known shortages.
The incumbent can do a considerable amount of damage to the organization.

3. Grade employees:

Employees that fall under the High Risk and Critical Risk profiles must be graded as low, medium, high, or red, based on the reviews. Low and Medium Risk employees do not match the description of fraudsters, but still, fraudsters often appear to be above suspicion.

High risk employees are the ones who fit a fraudster’s profile.

Red risk employees are the ones who fit a fraudster’s profile, and have been named in actual fraud alerts such as anonymous tip-offs, a track record of indiscretions, or repeated warnings. Red risk employees are those who previously got off on a technicality, have prior criminal records, or have been dismissed for dishonesty from previous jobs. They are usually the ones talked about like: “we know he is stealing, but we haven’t caught him yet”.

To grade employees and test whether the allegations are true, test will have to be performed to profile the alleged fraudster.

Profiling consists of:
• All personal details.
• Previous employment.
• Personal habits.
• Background checks.
• Qualifications.
• Financial profile.
• Behavioral profile.
• Access in the different departments of the organization.
• Asset tracing.
• Links with suppliers.

4. Proactive tests for fraud:

Proactive fraud auditing is justified for all sectors which are exposed to any type of fraud. The testing for fraud is very open-ended and requires a number of complementary skills. When elements of fraud are discovered, a fraud response plan should be followed.