Fraud Risk Assessments
Fraud Risk Assessment Methodology
There is no single way to implement a fraud risk assessment. The methodology selected depends on the reason for performing the assessment: is it meant to satisfy regulatory requirements, audit requirements, or an internal control assessment, or to locate fraud in a core business system? This can generally be discovered by asking:
"At what risk level does management or the auditor desire to identify and respond to the risk of fraud?"
- Macro Risk: Enterprise-Wide Fraud Risk Assessment
- Micro Risk: Business Process Fraud Risk Assessment
- Mega Risk: Fraud Penetration Assessment
Macro Risk: Enterprise-Wide Fraud Risk Assessment
The enterprise-wide fraud risk assessment is designed to provide a comprehensive identification of all fraudulent activities facing an organization and to link ownership and audit responsibility to each fraud risk. The purpose is to create a structure for establishing ownership, assessing the likelihood of fraud occurring, understanding the fraud impact, and deciding how the fraud risk will be managed. The enterprise-wide assessment focuses on the internal control environment when assessing the likelihood of a fraud risk occurring. The fraud impact should be identified and understood. The organizational culture will determine whether a quantitative or a descriptive approach is used to document the fraud impact. Management’s goal is to create a structure for managing the cost of fraud.
Micro Risk: Business Process Fraud Risk Assessment
The business process fraud risk assessment is designed to identify specific fraud schemes at the business process level and to link the specific internal control procedures to the fraud risk inherent in the process. The process-wide assessment focuses on the internal control procedures, the monitoring controls, and the information and communication controls. Management’s goal is to arrive at the risk mitigation decision. The auditor’s goal, while similar, focuses on the development of the audit program.
Mega Risk: Fraud Penetration Assessment
The fraud penetration assessment, or mega risk assessment, is designed to identify the most likely location of a fraudulent transaction within a specific account, transaction type, and business location. The purpose is to develop a fraud audit program that locates and identifies fraudulent activity before allegations of fraud surface through a hotline, a tip, or some unpredictable event. The goal is to locate fraudulent transactions in the core business system.