CSA Sentinel - The Institute Of Internal Auditors  


Fourth Quarter 2006 • Vol. 10 • No. 4

A Practical Guide to Assessing Fraud Risk in Your Organization

Learn about a practical approach to designing and managing a fraud risk assessment and the differences between a successful and unsuccessful assessment.


The focus on fraud in corporations has grown tremendously across the globe since 2002. Legislative and legal forces — such as the U.S. Sarbanes-Oxley Act of 2002, the American Institute of Certified Public Accountants' SAS 99, Consideration of Fraud in a Financial Statement Audit, and the Public Company Accounting Oversight Board's Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements — have created the need for companies to assess and report the likelihood and impact of fraud occurring in their organizations.

A significant transition in internal fraud management also has occurred in more recent years. Fraud management used to be largely the responsibility of human resources and security departments. Since the passage of Sarbanes-Oxley, however, audit and finance teams have become a major part of the fraud management equation. This shift in responsibility stems from the fact that even small frauds can damage corporate reputations and have material impacts on financial reporting. More than ever before, auditors need to be at the forefront of fraud management. An effective tool that auditors can use to help prevent fraud before it occurs is the fraud risk assessment, which provides a realistic view of where fraud can occur inside an organization.


It is useful to provide some context for implementing a fraud risk assessment within the broader goal of managing fraud. Two anti-fraud activities commonly deployed by companies, detection and investigation, are reactive: both take place after the fraud has occurred.

Ideally, companies should be proactive rather than reactive and prevent fraud before it occurs. According to the Association of Certified Fraud Examiners, the top five most effective fraud prevention tactics are:

  1. Implementing strong internal controls.
  2. Background checks for new hires.
  3. Anti-fraud policies.
  4. Ethics training.
  5. Surveillance.

A fraud risk assessment can be effective in preventing fraud before it occurs. The goal is to identify the fraud risks that are most likely to occur and that would most damage the company's finances and reputation. The results can be plotted on a traditional X-Y heat map that places each risk from low to high on each assessment scale. Figure 1 is an example of a traditional X-Y heat map showing risks ranked on their likelihood of occurrence and impact to the organization.

 Figure 1: Sample X-Y heat map

It is important for companies to spend adequate time designing their assessment metrics to create reliable results. To illustrate this, think of a small car — maybe a compact car such as a BMW MINI; a smart automobile, which is even smaller; or a toy car (Figure 2). All three fit the label "small car," yet the label alone does not tell you which one is meant. The same confusion results when assessment criteria such as likelihood and impact are not given specific metrics. For instance, specify whether the lowest level on your likelihood scale represents no possibility of the risk happening or a 0 to 25 percent likelihood.

 Figure 2: Examples of different perspectives

Impact, similarly, should be detailed along two key dimensions: reputational and financial. The highest level on your impact assessment scale could include the following descriptions for reputation:

  • Negative media attention.
  • Loss of confidence.
  • Major public embarrassment.
  • Opinion leaders or customers unanimous in public criticism.
  • Shareholder involvement in addressing issues.
  • Chief executive officer held publicly accountable.

Financial metrics for this same level of impact are usually expressed as the percentage of operating income whose loss would be financially catastrophic for the company. It is extremely important to get these metrics right before moving forward.


Risk assessments are not a new concept for many corporations, but there is a particular challenge in assessing fraud risk versus other operational, financial, or compliance risks. Fraud is about people acting illegally in your organization — the people you pass in the hall, go to lunch with, and share a toast with at the annual holiday party — which poses a challenge. Assessing the probability of fraud occurring in your organization is equivalent to asking, "Do you believe that anyone you know could defraud the company?" Most people will reply, "No." Everyone knows that companies experience fraud, but it's difficult to imagine that the people we know could do it. Therefore, it is not surprising that at the conclusion of many fraud risk assessments, the picture looks overly optimistic with low likelihood and impact scores.


Tackling the fraud assessment challenge requires certain insights into human nature. First, identify which of the hundreds of known fraud schemes could be perpetrated within your organization. To go broad, begin with an online assessment, using Web-based risk assessment software such as that shown in Figure 3 to house the risks. At minimum, participants should be drawn from each of the company's business units or geographic locations, including finance, internal auditing, sales, distribution, human resources, security, and internal legal counsel. Offer participants anonymity so they can be candid.

 Figure 3: Example of online risk assessment software

Expect the results to underestimate both the impact and the likelihood of each risk. If so, why bother conducting the online assessment at all? Because although the absolute scores understate how much risk the company currently faces, the relative ranking is reliable: the online assessment is a best practice for prioritizing which risks need to be watched most closely.

 Figure 4: Example of risk and control self-assessment software

To go deep, assemble a team of fraud risk owners for a fraud assessment workshop. The workshop usually consists of a cross section of appropriate participants from the business units or geographic locations mentioned above. Load the top-ranked risks from the online assessment into a risk and control self-assessment (RCSA) software program, as shown in Figure 4, and present the results of the online assessment to the participants at the start of the workshop.

Next, ask the person in the room with the greatest knowledge of the fraud risk to open a discussion of its impact, followed by the likelihood of its occurring. There is a reason for discussing impact before likelihood. The human mind readily creates associations between two different but related concepts. If people first conclude how likely a risk is, they tend to carry that conclusion over to the impact score: a low likelihood score often produces a low impact score. Impact and likelihood are separate questions, and there are many instances where the likelihood is low but the impact, should the risk materialize, would be catastrophic.

After a candid discussion of the risk, participants can use anonymous voting to score each risk systematically against the same criteria used in the online assessment. Because the RCSA software records the results anonymously, participants can give their honest opinion about fraud without being influenced by outside factors such as peer pressure, politics, scrutiny from their superiors, or a dominant speaker in the meeting.

Auditors will find that the order of risks ranked in the online risk assessment and the order of risks ranked in the workshop are often similar. Typically, the difference is that the fraud risks from the workshop have received higher overall scores across both criteria and represent a more realistic view of where fraud can occur inside the organization.
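The scale design, anonymous scoring, and online-versus-workshop comparison described above can be made concrete in code. The following Python is an added example, not from the article or from any RCSA product: the likelihood bands, the impact thresholds as fractions of operating income, the three risks, and every vote are constructed for illustration, and the choice of the median as the aggregation rule is an assumption made here to blunt the influence of a single dominant voter.

```python
"""Added example (not from the article or any vendor's software): explicit
likelihood and impact scales, median aggregation of anonymous votes, and
heat-map ordering for a fraud risk assessment. All bands, risks and votes
below are constructed for illustration."""
from dataclasses import dataclass
from statistics import median

# Likelihood scale: score -> [low, high) probability of the scheme occurring
# within a year. Writing the bands down removes the "small car" ambiguity:
# a 1 means 0-25 percent, not "no possibility". Bands are assumed.
LIKELIHOOD_BANDS = {1: (0.00, 0.25), 2: (0.25, 0.50), 3: (0.50, 0.75), 4: (0.75, 1.00)}
# Impact scale: score -> minimum loss as a fraction of operating income.
# Score 4 is the catastrophic level; the thresholds are assumed.
IMPACT_BANDS = {1: 0.00, 2: 0.01, 3: 0.05, 4: 0.20}


def likelihood_score(probability: float) -> int:
    """Map an estimated annual probability onto the 1-4 likelihood scale."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for score, (low, high) in LIKELIHOOD_BANDS.items():
        if low <= probability < high:
            return score
    return 4  # probability == 1.0 belongs to the top band


def impact_score(loss: float, operating_income: float) -> int:
    """Map a loss estimate onto the 1-4 financial impact scale."""
    if operating_income <= 0:
        raise ValueError("operating income must be positive")
    fraction = loss / operating_income
    score = 1
    for candidate, threshold in sorted(IMPACT_BANDS.items()):
        if fraction >= threshold:
            score = candidate
    return score


@dataclass(frozen=True)
class Vote:
    """One anonymous ballot: no voter identity is stored, by design."""
    risk: str
    impact: int      # scored first, so a likelihood judgement cannot anchor it
    likelihood: int


def aggregate(votes: list) -> dict:
    """risk -> (impact, likelihood), using the median per criterion so that
    one dominant voter cannot drag the score and the two questions stay separate."""
    grouped = {}
    for v in votes:
        if v.impact not in IMPACT_BANDS or v.likelihood not in LIKELIHOOD_BANDS:
            raise ValueError(f"vote outside the defined scales: {v}")
        impacts, likelihoods = grouped.setdefault(v.risk, ([], []))
        impacts.append(v.impact)
        likelihoods.append(v.likelihood)
    return {risk: (median(i), median(l)) for risk, (i, l) in grouped.items()}


def heat_map_order(scores: dict) -> list:
    """Order risks for the X-Y heat map: impact x likelihood descending, with
    impact as the tie-breaker so a rare-but-catastrophic risk outranks a
    frequent-but-minor one that has the same product."""
    return sorted(scores, key=lambda r: (scores[r][0] * scores[r][1], scores[r][0]), reverse=True)


def compare(online: dict, workshop: dict) -> tuple:
    """Check the expectation that the workshop keeps the online ordering while
    raising scores. Returns (ordering unchanged?, risks that rose on both criteria)."""
    same_order = heat_map_order(online) == heat_map_order(workshop)
    raised = [r for r in online
              if workshop[r][0] >= online[r][0] and workshop[r][1] >= online[r][1]
              and workshop[r] != online[r]]
    return same_order, raised


# Constructed ballots: three risks, three anonymous participants each.
ONLINE_VOTES = [
    Vote("Vendor kickbacks", 2, 1), Vote("Vendor kickbacks", 2, 2), Vote("Vendor kickbacks", 3, 2),
    Vote("Expense report padding", 1, 3), Vote("Expense report padding", 1, 3), Vote("Expense report padding", 2, 2),
    Vote("Financial statement manipulation", 4, 1), Vote("Financial statement manipulation", 3, 1), Vote("Financial statement manipulation", 4, 1),
]
WORKSHOP_VOTES = [
    Vote("Vendor kickbacks", 3, 2), Vote("Vendor kickbacks", 3, 3), Vote("Vendor kickbacks", 3, 3),
    Vote("Expense report padding", 2, 3), Vote("Expense report padding", 1, 4), Vote("Expense report padding", 2, 4),
    Vote("Financial statement manipulation", 4, 2), Vote("Financial statement manipulation", 4, 3), Vote("Financial statement manipulation", 4, 3),
]

if __name__ == "__main__":
    online, workshop = aggregate(ONLINE_VOTES), aggregate(WORKSHOP_VOTES)
    for label, scores in (("online", online), ("workshop", workshop)):
        print(label, [(r, scores[r]) for r in heat_map_order(scores)])
    print("same order, raised:", compare(online, workshop))
```

With the constructed ballots, the workshop leaves the ordering unchanged but lifts every risk's scores, which is the pattern the text says to expect; the tie-breaker on impact is what keeps a rarely occurring but catastrophic scheme near the top of the map rather than letting a low likelihood score pull it down.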


A successful fraud risk assessment consists of several components:

  • Begin the process with the end result in mind, which is to understand where fraud is most likely to occur so that the risk of fraud can be controlled effectively.
  • Reach out across the organization to gather many opinions about where fraud can occur.
  • Consider the frame of mind that the participants have while they are conducting the assessment, remembering that most people cannot easily envision fraud happening.
  • Offer fraud risk stakeholders the opportunity to engage in a discussion that is collaborative and anonymous by using RCSA software.
  • During your assessment, don't dismiss an outlier whose opinion differs from the rest of the group; outliers often have an enlightening perspective that is worth hearing.

After the assessment is complete, stand back from the results and ask yourself if they make sense. If they don't, keep reassessing the risks until you are confident that the picture on your X-Y heat map represents the company you are trying to protect.

Richard Wilson is executive vice president of Resolver Inc. He recently designed and managed an online fraud risk assessment that included more than 650 participants across 25 countries, followed by workshops with key stakeholders throughout the United States. Wilson has experience managing the operations of a growing company and has skills in strategic planning, organizational design, process planning, and resource management.