Over the next few blogs, I will discuss the concept of a new approach to fraud risk assessment with a new model. This is for those who are open-minded to change. It is important to note that it is not my goal to say what we are doing is right or wrong. However, we as a profession must be willing to evolve in our thought process. If you study all the fraud literature, you will see a gradual change or improvement in the fraud risk guidance. What I am proposing should be the next leap forward for our profession.
I have decided to start at the end of the fraud risk assessment process and work my way backward. Most, if not all, fraud risk assessments end with the concept of residual risk. We arrive at residual risk by evaluating the effectiveness of internal controls.
So, what is residual risk?
As I often do with concepts, I have searched the internet for an explanation. As you know, when you do a Google search now, the first item is the AI explanation. Being an analytic person, I liked the following formula.
The fundamental risk management formula is: Residual Risk = Inherent Risk - Impact of Risk Controls.
Residual risk is the exposure that remains after all reasonable security, safety, or management controls that have been applied to mitigate an initial threat. It is essentially the "leftover" risk that an organization, project, or individual must either accept or address through further actions.
Upon my reflection of 50 years
Today, I believe that our profession places more emphasis on the operating effectiveness of internal control rather than the adequacy of the design of internal control. I suspect we do so because we believe in internal control theory. Also, in testing control effectiveness, we can quantify the results. Tell me which accountant does not like to quantify their results. 25 out of 25 expenditures fully complied with the internal controls. Therefore, residual risk must be low. But is this correct?
In my new model and new approach, we do not see residual risk as an endpoint, but as the beginning of understanding how to better manage the fraud risk within your organization or within your audit. We should not see high residual risk as bad. In reality, not all fraud risk statements can be stopped. It serves no purpose to imply that the likelihood of the risk of fraud occurring is low when, in fact, we cannot prevent it from happening.
So, what is new or what has changed? In one sense, nothing has changed. The process starts by identifying the fraud risk statement. We then link our internal controls to that fraud risk statement. But here is the change: instead of arriving at a residual score, we should communicate whether our internal controls as designed can prevent or detect a fraud risk statement.
In the new model, our opinion is first based on the adequacy of design rather than operating effectiveness. We do not consider impact because, if we are going to be honest, for the most part, there is no way to calculate financial impact.
In the new model, we are going to indicate whether our internal controls as designed can reasonably prevent or detect a fraud risk statement.
- Internal controls as designed are unable to prevent or detect the fraud risk statement
- Internal controls as designed are unable to prevent but can detect the scheme if it is occurring
- Internal controls as designed are able to prevent or detect the scheme at an acceptable level
FYI, in a future blog, we will link our control strategy to the above risk rating. I know someone out there is asking that question.
Now I want to read the following fraud risk statements. So, knowing your company’s internal controls, I want you to rate each fraud risk statement using the new model.
- Real supplier acting in collusion with a company employee overbills the company by increasing the price or cost of the invoice within automated tolerance levels, causing the diversion of company funds.
- Real supplier acting in collusion with a company employee overbills the company by shipping less quantity (non-inventory) than the quantity on the invoice, causing the diversion of company funds.
- Budget owner purchases goods used by the company in excess quantity with the intent of diverting the goods for resale, resulting in the diversion of company funds.
So, this is my opinion
Now ask yourself, based on the fraud risk statement as listed, how did you rate your internal controls? The first two schemes are collusion-based schemes. It is almost impossible to say you can prevent the scheme from occurring. In the third scheme, the control owner is perpetrating the scheme, so the prevention control is corrupted. Ask yourself, if the scheme is occurring, would your internal controls detect the occurrence of the scheme within a reasonable time period?
My final thoughts for you to ponder:
I argue the goal of fraud risk assessment is to understand and manage fraud risk rather than arriving at a low residual risk score — a subtle but important difference.
Fraud Trivia
The concept of "fraud risk assessment" developed over time within the auditing and accounting professions, primarily formalized in guidance documents from professional bodies.
Answers from last month
1. What was the professional standard that required a fraud risk assessment? SAS # 99 issued in 2002
2. What was an early step in formalizing the auditor's role regarding potential financial misstatements? (SAS) No. 82, Consideration of Fraud in a Financial Statement Audit. This standard explicitly required auditors to consider fraud risk factors as part of the audit planning process.
3. True or False? Fraud is a broad legal concept, and auditors do not make legal determinations of whether fraud has occurred. True!
4. Fraud Risk Management Guide was published in what year? 2016
5. What is one of the most significant changes in fraud risk assessment as of today? Leveraging advanced technology (AI/ML) for real-time, data-driven analysis, combating rapidly evolving digital threats like synthetic identity theft, account takeover (ATO), and sophisticated wire fraud.
6. True or False? Fraud makes its way into pop culture and social networks – creating more fraudsters and attacks
This month's questions
As you know, Edwin Sutherland was Dr. Cressey mentor, but what do you know about Edwin Sutherland.
- He is best known for the development of what theory?
- What award is named for Sutherland?
- What do Larry Bird and Sutherland have in common?
- What common phrase did Sutherland coin?
- Why was the first edition of Edwin Sutherland's White-Collar Crime heavily censored by Dryden Press?
- By whom, and when was the book finally issued without censorship?


