Learning Objectives
- Describe the factors that influence an organization’s vulnerability to fraud.
- Explain the difference between preventive and detective controls.
- Understand the objective of a fraud risk assessment.
- Discuss why organizations should conduct fraud risk assessments.
- Understand the characteristics of a good fraud risk assessment.
- Describe considerations for developing an effective fraud risk assessment.

Learning Objectives
- List actions that should be taken to prepare a company for a fraud risk assessment.
- Understand the steps involved in conducting a fraud risk assessment and how to apply a framework to them.
- Describe approaches to responding to an organization’s residual fraud risks.
- Name important considerations when reporting the results of a fraud risk assessment.
- List actions management should take using the results of a fraud risk assessment.
- Explain how a fraud risk assessment can inform and influence the audit process.

What Is Fraud Risk?
- Vulnerability an organization has to overcoming the interrelated elements that enable someone to commit fraud.
- Fraud triangle
  - Non-sharable financial need
  - Opportunity
  - Ability to rationalize

Why Be Concerned About Fraud Risk?
- No organization is immune.
- Awareness of weaknesses is one key to establishing mechanisms to reduce risk.
- Risks can be internal or external.

Factors That Influence Fraud Risk
- Nature of the business
- Operating environment
- Effectiveness of internal controls
- Ethics and values of the company and the people within it

What Is a Fraud Risk Assessment?
- Fraud risk assessment: A process aimed at proactively identifying and addressing an organization’s vulnerabilities to internal and external fraud.
- Objective: To help an organization recognize what makes it most vulnerable to fraud so that it can take proactive measures to reduce its exposure.

Why Should Organizations Conduct Fraud Risk Assessments?
- Improve communication about and awareness of fraud
- Identify what activities are the most vulnerable to fraud
- Know who puts the organization at the greatest risk of fraud
- Develop plans to mitigate fraud risk
- Develop techniques to determine if fraud has occurred in high-risk areas

Why Should Organizations Conduct Fraud Risk Assessments? (Cont’d)
- Assess internal controls:
  - Controls eliminated during restructuring
  - Controls eroded over time
  - Lack of controls in a vulnerable area
  - Nonperformance of control procedures
  - Inherent limitations of controls
- Comply with regulations and professional standards:
  - PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

What Makes a Good Fraud Risk Assessment?
- Collaborative effort of management and auditors
- The right sponsor
- Independence and objectivity of the people leading and conducting the work
- A good working knowledge of the business
- Access to people at all levels of the organization
- Engendered trust
- The ability to think the unthinkable
- A plan to keep it alive and relevant

Considerations for Developing an Effective Fraud Risk Assessment
- Packaging it right
  - Tailor the communication approach to the organization.
  - Be mindful of terminology used.
- One size does not fit all
  - Adapt the framework to the business model, culture, and language of the organization.
- Keeping it simple
  - Focus on areas that are most at risk for fraud.

Preparing the Company for the Fraud Risk Assessment
- Assembling the right team
  - Accounting and finance personnel
  - Personnel who have knowledge of day-to-day operations
  - Risk management personnel
  - General counsel or other members of the legal department
  - Members of ethics or compliance functions
  - Internal auditors
  - External consultants with fraud and risk expertise

Preparing the Company for the Fraud Risk Assessment (Cont’d)
- Determining the best techniques to use
  - Interviews
  - Focus groups
  - Surveys
  - Anonymous feedback mechanisms
- Obtaining the sponsor’s agreement on the work to be performed
  - Scope
  - Methods
  - Participants
  - Form of output
- Educating the organization and openly promoting the process

Executing the Fraud Risk Assessment
- Identifying potential inherent fraud risks
  - Incentives, pressures, and opportunities to commit fraud
    - Position
    - Incentives
    - Performance pressures
    - Weak internal controls
    - Highly complex business transactions
    - Collusion opportunities
  - Risk of management’s override of controls
    - Management knows the controls and standard operating procedures in place to prevent fraud
    - Knowledge of controls can be used to conceal fraud

Executing the Fraud Risk Assessment (Cont’d)
- Identifying potential inherent fraud risks (cont’d)
  - Population of fraud risks
    - Fraudulent financial reporting
    - Asset misappropriation
    - Collusion opportunities
    - Regulatory and legal misconduct
    - Reputation risk
    - Risk to information technology

Executing the Fraud Risk Assessment (Cont’d)
- Assessing the likelihood of occurrence of identified fraud risks
  - Past instances of a particular fraud
  - Prevalence of fraud in the industry
  - Internal control environment
  - Available resources
  - Support of management
  - Ethical standards
  - Transaction volume
  - Complexity of the fraud risk
  - Unexplained losses
  - Complaints by customers or vendors

Executing the Fraud Risk Assessment (Cont’d)
- Assessing the significance of the fraud risks to the organization
  - Financial statement and monetary significance
  - Financial condition of the organization
  - Value of the threatened assets
  - Criticality of the threatened assets
  - Revenue generated by the threatened assets
  - Significance to the organization’s operations, brand value, and reputation
  - Criminal, civil, and regulatory liabilities

Executing the Fraud Risk Assessment (Cont’d)
- Evaluating which people and departments are most likely to commit fraud and identifying the methods they are likely to use
- Identifying and mapping existing preventive and detective controls to the relevant fraud
  - Preventive controls
  - Detective controls

Executing the Fraud Risk Assessment (Cont’d)
- Evaluating whether the identified controls are operating effectively and efficiently
  - Review accounting policies and procedures.
  - Consider risk of management’s override of controls.
  - Interview management and employees.
  - Observe control activities.
  - Perform sample testing of controls compliance.
  - Review previous audit reports.
  - Review previous reports on fraud incidents, shrinkage, and unexplained shortages.

Executing the Fraud Risk Assessment (Cont’d)
- Identifying and evaluating residual fraud risks resulting from ineffective or nonexistent controls
  - Lack of appropriate prevention and detection controls
  - Noncompliance with established prevention and control measures

Addressing the Identified Fraud Risks
- Establishing an acceptable level of risk
- Responding to residual fraud risks
  - Avoid the risk
  - Transfer the risk
  - Mitigate the risk
  - Assume the risk
  - Combination approach

Reporting the Results
- Report objective—not subjective—results.
- Keep it simple.
- Focus on what really matters.
- Identify actions that are clear and measurable.

Making an Impact
- Begin a dialog across the company to promote awareness, education, and action planning.
- Look for fraud in high-risk areas.
- Hold responsible parties accountable for progress.
- Keep the assessment alive and relevant.

Fraud Risk Assessment and the Audit Process
- Auditors should validate that the organization is managing the moderate-to-high fraud risks.
- Evaluate whether controls are operating effectively and efficiently.
- Identify whether there is a moderate-to-high risk of management override of internal controls.
- Develop and deliver reports that incorporate the results of validation and testing of controls.