Words have power, but words can also create confusion.
One of my personal complaints about the professional literature regarding terms used to describe fraud risk. We use so many terms interchangeably that I believe it creates confusion. Let’s try to cut through that confusion by implementing better definitions.
For instance, what is the difference between a fraud scheme, a fraud scenario, a fraud risk statement and a fraud risk?
And, is the phrase “fraud scheme” the correct phrase for our profession? I raise this question because the new standards use the phrase “fraud scheme”.
What my research told me about the phrase “fraud scheme”
I googled the phase fraud scheme and here is what I found:
A fraud scheme is one of the multitude of ways scammers illegally procure funds from a person or business. Fraud schemes are a type of theft.
Fraud schemes are schemes that fraudsters have created to execute a criminal or fraudulent scenario, in order to obtain the personal benefits derived from it.
An illegal enterprise (such as extortion or fraud or drug peddling or prostitution) carried on for profit.
A scheme is a plan or arrangement involving many people which is made by a government or other organization. Fraud is the crime of gaining money or financial benefits by a trick or by lying.
Fraud schemes are schemes that fraudsters have created to execute a criminal or fraudulent scenario, in order to obtain the personal benefits derived from it.
Back to my question: is the phrase “fraud scheme” correct for our profession?
Internal Audit Standards 2025: Fraud Responsibilities
As I said in previous blogs, I searched on “new IIA standards and fraud responsibilities summary” and here is what the AI provided.
The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution; this aligns with the broader responsibility of the internal audit function to support strategic objectives and contribute to the organization's overall success beyond just financial controls.
Leonard’s Dictionary of Fraud Terms
In my practice, I’ve developed definitions for the term we commonly use so that we have a common understanding and agreement on what we’re talking about.
Fraud: a deceitful act that involves concealment of facts, violation of trust, or misrepresentation of the truth. It is a deliberate attempt to cause injury or deprive someone of their rights. Source of fraud definition Black’s Law Dictionary.
Fraud Risk: An intentional and concealed threat designed to cause harm to the organization by exploiting the natural vulnerabilities that exist within our overall internal control structure. Source Leonard W Vona
Fraud Risk Statement: Description of a threat facing the organization that has an element of deceit or concealment
Fraud Scenario: How someone would perpetrate a fraud risk statement against your organization
Fraud Scheme: Systematic plan or arrangement for a perpetrator to commit a fraud risk statement. FYI, scheme and scenario are basically the same.
Fraud Risk Universe: All fraud risk statements in all fraud risk statements categories that can be perpetrated against an organization. Consideration would be given to all known historical fraud risk statements and all anticipated futuristic fraud risk statements.
Fraud Data Analytics: A methodology of using data mining to analyze data for the red flags that correlates to a specific fraud risk statement. It is about identifying transactions that have the highest probability of containing a fraudulent transaction.
Fraud Audit Procedure: Testing the authenticity of a transaction/document / internal control by examining audit evidence that is created externally or stored externally.
Leonard's Experience Teaching Fraud Classes
I have personally spoken about fraud risk in 6 continents and over 45 countries. I would guess I have spoken to over 25,000 auditors. I wrote a class for the IIA and distinctly remember the confusion the instructor had over the terms I used in the course. I have read the IIA competency framework, Fraud Risk Management Guide, Second Edition. I could go on and on, but I will not.
I believe that, undoubtedly, the profession would be well served by creating an audit fraud dictionary. It would be useful to promote fraud auditing as a practice and ensure that we’re talking abou the same things. Meanwhile, here is my recommendation to all CAE’S: In your work paper standards, or your audit programs document the fraud terms that you use. Someday, and hopefully that day may never come, some regulator or attorney is going to question the scope or quality of your work. Just ask the risk professionals at Wells Fargo, Silicon Valley Bank and Arthur Andersen.
For fun, how do you spell or say fraud in the following languages?
1. Polish / “oszustwo”
2. Arabic “aihtial” / احتيال
3. Russian “мошенничество”
4. Japanese “Sagi” 詐欺
5. Persian “taghalab” تقلب
6. Serbian “превара”
7. Irish “calaois”
Obviously, I do not speak all these languages, so I relied on the internet. I hope it is right.
Since we're in the month of April Fool's Day, what do you know about this pseudo holiday?
1. What is the origin of April Fool’s Day?
2. Is it true that each country has its own customs regarding April 1?
3. Is it true that the story of Noah’s Ark may have been the inspiration for April Fool's?
4. What hoax did the BBC play on its viewers in 1957?
5. Which technology company had a history of April 1 pranks?
(Answers coming in the next blog)
