Fraud Risk Assessment




CHAPTER FIVE: Fraud Risk Assessment

INTRODUCTION

Since Enron and other frauds near the same time, there has been a significant focus on fraud, internal controls, and the concept of fraud risk management including risk assessment. The passage of the Sarbanes-Oxley Act (SOX) in 2002 brought both more attention to these subjects and put tenets related to them into federal law. The Securities and Exchange Commission (SEC) and its accounting arm, the Public Company Accounting Oversight Board (PCAOB), have been issuing guidance on this topic. The Committee of Sponsoring Organizations (COSO) has also made significant efforts in the area of risk assessment, producing its COSO Model for enterprise risk assessment. Nonetheless, fraud statistics (as relayed in Chapter 2) indicate relative consistency in the overall amount of estimated fraud and an increase in the amount of losses from fraud actually discovered.

The cornerstone and heart of effective corporate governance, internal controls, antifraud programs, or fraud investigations is a thorough risk assessment. Effective fraud risk assessment is dependent on knowledge of fraud concepts (the fraud triangle, red flags, fraud schemes, and accounting information systems), all considered in the applicable fraud environment (entity, time frame, effectiveness of current internal controls, etc.). While the term risk assessment may imply a periodic, point-in-time exercise, true risk management requires a continuous, ongoing process. This chapter discusses risk assessment concepts and tools to aid in that process. While presented primarily from a perspective internal to the entity at hand, the contents here are applicable to externally conducted fraud investigations and other external audiences.

TECHNICAL LITERATURE AND RISK ASSESSMENT

The notion of risk assessment has been part of the technical literature for audits, suggesting or outright requiring that audits incorporate risk assessment. Standards in recent years reflect increased coverage of risks. For public companies, the PCAOB's Auditing Standard No. 5 (AS5), An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (adopted in 2007), built on the previously existing PCAOB standard No. 2 (AS2) predominantly by expanding the role of risk assessment. AS2 addressed risk assessments from a management and auditor perspective, and included coverage of risks at various levels (transactional, account, etc.). AS5 furthered AS2 concepts and emphasized the importance of a top-down, risk-based approach to internal control audits, and the importance of understanding the entity's environment (size, industry, etc.). Broadly speaking, PCAOB standards are infused with language, content, and suggestions regarding risk assessment.

The American Institute of Certified Public Accountants (AICPA) adopted the Risk Suite of standards, Statements on Auditing Standards (SAS) Nos. 104-111, in 2006. Broadly speaking, the Risk Suite addresses risk assessment in the context of financial statement audits and internal control. Like AS5, the Risk Suite includes an emphasis on a holistic, top-down, risk-based audit approach including a thorough knowledge of the entity's environment and its internal controls. More specific to fraud, the AICPA's SAS No. 99, Consideration of Fraud in a Financial Statement Audit, provides guidance for financial auditors, including brainstorming during the planning phase and forced recognition of certain potential frauds, especially revenue manipulation. More broadly, the AICPA standard requires consideration of a host of organization-specific factors, such as industry, strategy, and so forth. Auditors are required to adjust the nature, timing, and extent of audit procedures

if the circumstances warrant it, based on a risk assessment during brainstorming and subsequent knowledge and results from procedures.

The Institute of Internal Auditors (IIA) promotes the idea that all of the internal audit function's audits and activities should begin with a risk assessment (e.g., sections 2010 and 2600 of the Standards of Professional Practice in Internal Audit [SPPIA]). The Information Systems Audit and Control Association (ISACA) also has the same requirement in its technical literature. Statement on Information Systems Auditing Standards (SISAS), Use of Risk Assessment in Audit Planning, outlines certain requirements related to fraud for information technology audits. Many other ISACA standards address risk assessment as well, most notably SISAS 8, Audit Considerations for Irregularities.

RISK ASSESSMENT FACTORS

The fundamental concepts of risk assessment are probability (the chance an event will occur) and impact (the magnitude of the event if it occurs). However simple those concepts are, measuring and applying them is difficult. What factors should be considered? What tools can aid in assessing risks? How can risks be precisely measured?

Factors can be considered on many levels, including entity, people (behavioral), divisions, geographies, products or services, accounting or business processes, controls, or computerized systems. Typically, factors are considered first on an entity level, as the probability of fraud, theft, or embezzlement in any work environment is a product of the personality of the executives and employees, the working conditions, the effectiveness of internal controls, and the level of honesty therein (the organizational culture or environment). However the process begins, different perspectives should be included and/or examined in the risk assessment process, including how entity management incorporates risk management best practices.

Corporate Environment Factors

Employee fraud, theft, and embezzlement are more prevalent in some industries and some organizations than in others. The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation (RTTN) surveyed its members regarding frauds that were resolved, and a total of 959 cases were reported. One of the statistics relates to the industries represented by these cases. While the statistical results could indicate the type of industry that is most likely to hire a Certified Fraud Examiner (CFE) to investigate a fraud, the results also could indicate industries more susceptible to fraud. For those industries that are more susceptible to fraud, entities within those industries clearly have greater risk of fraud, something to consider in a risk assessment for those entities. That is, a risk assessment should take into account the level of assessed fraud risk in the industry of the entity. The 2008 RTTN results are:

Industry by Frequency:
- Banking/Financial services (14.5% of all cases reported)
- Government/Public administration (11.7%)
- Health care (8.4%)
- Manufacturing (7.2%)
- Retail (7%)

Industry by Median Loss:
- Telecommunications ($800,000/16 cases)
- Agriculture/Forestry/Fishing/Hunting ($450,000/13 cases)
- Manufacturing ($441,000/65 cases)
- Technology ($405,000/28 cases)
- Construction ($330,000/42 cases)

A risk assessment should also consider the current economy. In good times, people steal; in bad times, people steal more! A 2008-2009 survey by the ACFE asked 507 CFEs to report on the level of fraud since the beginning of the economic crisis. More than half indicated that the number of frauds had increased during that time. Also, 49 percent reported an increase in the dollar amount of the fraud losses during the same period. The theory is that one leg of the fraud triangle is what Donald Cressey referred to as unshareable financial need or pressure (as noted in Chapter 2), and people generally are under more pressure during an economic recession; in that sense there would be an expected increase in frauds.

In addition, conventional wisdom among members of the audit and security communities suggests that the organizations most vulnerable are those with the weakest management, accounting, and security controls. Organizations that are more vulnerable to employee occupational fraud and abuse can also be distinguished from those that are less vulnerable by the environmental and cultural contrasts shown in Exhibit 5.1.

EXHIBIT 5.1 Corporate Fraud Environment: Potential for Fraud

Each factor is listed with its high-fraud-potential profile and its low-fraud-potential profile.

Management Style
  High fraud potential: Autocratic, profit focused
  Low fraud potential: Participative, customer focused

Management Orientation
  High fraud potential: Low trust; X theory; Power driven; Management by crisis; issues and personal differences are skirted or repressed
  Low fraud potential: High trust; Y theory; Achievement driven; Management by objective; issues and personal differences are confronted and addressed openly

Management Structure and Controls
  High fraud potential: Bureaucratic; Regimented; Inflexible; Imposed controls; Many-tiered, vertical
  Low fraud potential: Collegial; Systematic; Open to change; Self-controlled; Flat structure, horizontal

CEO Characteristics
  High fraud potential: Swinger; Braggart; Self-interested; Driver; Insensitive to people; Feared; Insecure; Gambler; Impulsive; Tight-fisted; Number and things oriented; Profit seeker; Vain; Bombastic; Highly emotional; Partial; Pretends to be more than he/she is
  Low fraud potential: Professional; Decisive; Fast-paced; Friendly; Respected by peers; Secure; Risk taker; Thoughtful; Generous with personal time and money; Products and market oriented; Builder; Self-confident; Helper; Composed, calm, deliberate, even disposition; Fair; Knows who, what, and where he/she is

Authority
  High fraud potential: Centralized, reserved by top management; Rigid rules strongly enforced
  Low fraud potential: Decentralized, delegated to all levels; Reasonable rules fairly enforced

Planning
  High fraud potential: Centralized; Short range
  Low fraud potential: Decentralized; Long range

Performance
  High fraud potential: Measured quantitatively and on a short-term basis; Critical feedback; Negative feedback
  Low fraud potential: Measured both qualitatively and quantitatively, and on a long-term basis; Positive feedback; Supportive feedback

Reporting
  High fraud potential: Routine reports only; Everything documented, a rule for everything
  Low fraud potential: Exception reporting; Adequate documentation, but not burdensome, some discretion allowed

Primary Management Concerns
  High fraud potential: Formal, written, stiff, pompous, ambiguous internal communications; Preservation of capital; Profit maximization
  Low fraud potential: Informal, oral, clear, friendly, open, candid internal communications; Human, then capital and technological asset utilization; Profit optimization

Reward System
  High fraud potential: Punitive; Penurious; Politically administered; Mainly monetary
  Low fraud potential: Reinforcing; Generous; Fairly administered; Recognition, promotion, added responsibility, choice assignments, plus money

Business Ethics
  High fraud potential: Ambivalent: rides the tides
  Low fraud potential: Clearly defined and regularly followed

Values and Beliefs
  High fraud potential: Economic, political; Self-centered
  Low fraud potential: Social, spiritual; Group-centered

Internal Relationships
  High fraud potential: Highly competitive, hostile
  Low fraud potential: Friendly, competitive, supportive

External Relationships/Competitors
  High fraud potential: Hostile
  Low fraud potential: Professional

Peer Relationships
  High fraud potential: Hostile, aggressive, contentious
  Low fraud potential: Cooperative, friendly

Success Basis/Formula
  High fraud potential: Works harder
  Low fraud potential: Works smarter

Human Resource Problems
  High fraud potential: High turnover; Burnout; Grievances; Absenteeism
  Low fraud potential: Not enough promotional opportunities for all the talent

Financial Concerns
  High fraud potential: Cash flow shortage
  Low fraud potential: Opportunities for new investments

Company Loyalty
  High fraud potential: Low
  Low fraud potential: High

Growth Pattern
  High fraud potential: Sporadic
  Low fraud potential: Consistent, steady

Source: Jack Bologna, Forensic Accounting Review (1985).

Internal Factors

Internal factors that enhance the probability of fraud, theft, and embezzlement include inadequate management controls or monitoring activities such as the following:
- Failure to create an honest culture
- Failure to articulate and communicate minimum standards of performance and personal conduct
- Inadequate orientation and training on legal, ethical, fraud, and security issues
- Inadequate company policies with respect to sanctions for legal, ethical, and security breaches, especially for frauds and white-collar crimes
- Failure to counsel and take administrative action when performance level or personal behavior falls below acceptable standards, or violates entity principles and guidelines
- Ambiguity in job roles, duties, responsibilities, and areas of accountability
- Lack of timely or periodic audits, inspections, and follow-through to ensure compliance with entity goals, priorities, policies, procedures, and governmental regulations; generally speaking, a lack of accountability over key positions of trust

Fraud Factors

Any risk assessment should also consider the fraud schemes that are more likely to occur, in order to guide the antifraud program. Prevention and detection countermeasures are certainly more effective if they address the fraud schemes most likely to be committed. For financial statement frauds, clearly the executives of the entity are the most likely would-be fraudsters, and thus a risk assessment would necessarily include those individuals. For asset misappropriation, an employee in a trusted position is likely to be the culprit. For corruption, it might be the same, but it includes somebody outside the entity working with someone inside, a unique characteristic of corruption schemes. The statistics from the ACFE RTTNs can provide some assistance in making these determinations, as can productive brainstorming by a cross-functional team.

RISK ASSESSMENT BEST PRACTICES

If an entity has not done a formal risk assessment, it cannot effectively defend itself from those risks, or mitigate those risks, for obvious reasons. In order to develop an effective risk assessment, management should take a conscientious, formal approach rather than an ad hoc approach. That approach includes the people and the process.

Leader(s)

The risk-assessment process should include an appropriate person or group, and ideally should include a team. For organizational management, the appropriate person normally would be someone who has sufficient independence, such as someone from the internal audit function, if one exists, and the ability to effectively support risk management. The value of having a person experienced and proven to be effective in assessing risk involved with any risk assessment function cannot be overstated. Neither can the support of the entity's audit committee and/or board of directors.

Team

The team should be chosen carefully. Although it should start with the internal expert and/or consultant, it must include a broad cross-section of the entity. That cross-section should involve different levels of the entity, especially levels of management. The team should represent all of the major business units (especially accounting and sales, because most frauds occur there), business processes, key positions, and perspectives necessary to provide a quality risk assessment. People who think creatively, reason logically, understand the business and industry well, and can effectively play devil's advocate should be sought, regardless of their position.

Documenting risk assessments is critical, most particularly because the documentation can be reviewed afterward when the risk as assessed has or has not been realized. Documentation can then serve as a learning tool for more effective assessments and preventive measures; that is, lessons learned can help fine-tune future versions of the risk assessment. Documentation also establishes accountability for persons involved in the process. Several tools can be used to conduct the risk assessment, which would serve the dual purpose of documenting it as well. Exhibit 5.2 provides a checklist to serve as one example of how to organize a risk assessment.

Frequency and Alignment with Finance

Formal risk assessment within an entity should be conducted regularly, probably every 12 to 24 months. An annual frequency would allow fraud risk assessments to align with the typical financial planning and/or financial reporting time frames. Financial planning entails future considerations overlapping finance and fraud. Financial reporting can include findings (adjustments, disclosures, control deficiencies, etc.) that might require future consideration. Ideally, risk assessments are a continuous process whereby central owners consistently monitor and adapt to the fraud environment with periodic refreshes of the risk assessment and plan for response. Public companies have SOX 404 as a mandated type of this iterative process.

EXHIBIT 5.2 Risk Management Checklist

Each question is answered in the columns Yes / No / N/A, shown as "( ) ( ) ( )", with a Ref column for cross-references to supporting documentation.

1. Does the organization have an adequate level of fraud awareness and are appropriate policies in place to minimize fraud risk? Specifically:

a. Generic risk factors
- Has each employee been assigned a maximum opportunity level to commit fraud; for each employee, has management asked itself the question, "What is the maximum amount of which this employee could defraud the organization, and does this represent an acceptable risk?" ( ) ( ) ( )
- Has a catastrophic opportunity level been set; that is, has management asked itself the question, "Have we ensured that no single employee or group of employees in collusion can commit a fraud that would place the organization in imminent risk of survival?" ( ) ( ) ( )
- Is it the organization's policy to immediately dismiss any employee who is found to have committed a fraud? ( ) ( ) ( )
- Is it the organization's policy to report all frauds to the authorities and press charges? ( ) ( ) ( )
- For any and all frauds that the company has experienced in the past, have the reasons that led to the fraud been evaluated and corrective action taken? ( ) ( ) ( )

b. Managing individual risk factors (i.e., to promote moral behavior and minimize the motivation to commit fraud)
- Does the organization have a corporate mission statement, which includes as an objective good corporate citizenship; that is, maintaining good standing in the community? ( ) ( ) ( )
- Does the organization have a written code of ethics and business conduct? ( ) ( ) ( )
- Does the organization conduct ethical and security training for new employees, with periodic updates for existing employees? ( ) ( ) ( )
- Does management set the right example; for example, does it follow the corporate mission statement, code of ethics and business conduct, and other organization policies, and do the employees clearly see it doing so? ( ) ( ) ( )
- Does the corporate culture avoid characteristics that promote unethical behavior; for example, high or even hostile competitiveness within the organization, pushing employees to burnout, rigid and/or petty policies, or over-centralization of authority? ( ) ( ) ( )
- When hiring, does the organization, to the extent possible, seek out individuals of high moral character and weed out those of low moral character? ( ) ( ) ( )
- For especially sensitive positions, are screening and/or testing procedures used; for example, background checks, psychological testing, drug testing, lie detector tests where legal? ( ) ( ) ( )
- Does the organization provide and/or encourage counseling for employees with personal problems; for example, alcohol and drug abuse? ( ) ( ) ( )
- Does the organization have fair employee relations and compensation policies; for example, salaries, fringe benefits, performance appraisal, promotions, severance pay? Do these policies compare favorably with competitors and promote an environment that minimizes disenchantment and similar motivations to commit fraud? ( ) ( ) ( )
- Are fair mechanisms in place for dealing with employee grievances? ( ) ( ) ( )
- As a feedback mechanism on its policies with respect to employee relations, does the organization conduct exit interviews of departing employees? ( ) ( ) ( )

c. Management awareness
- Overall, does management exhibit an awareness of fraud and its possible manifestations; for example, signs of employee problems such as drug addiction, and low-paid employees who suddenly appear with trappings of wealth? ( ) ( ) ( )

2. Does the organization have an adequate system of internal controls? Specifically:

a. Fraud integral to internal controls
- Has the need for fraud prevention been explicitly considered in the design and maintenance of the system of internal controls? ( ) ( ) ( )

b. Control over physical and logical access
- Does the organization have a policy and practice of locking doors, desks, and cabinets after hours and when unattended, especially for areas with valuable assets including files and records such as personnel and payroll, checks and other accounting documents, customer and vendor lists, corporate strategies, marketing plans, and research? ( ) ( ) ( )
- Does the organization have a policy and practice of using IDs and passwords for general computer access? ( ) ( ) ( )
- For sensitive files and applications, does the computer system require additional access controls? For example, does the access control of each user ID limit his/her access? Are there additional layer(s) of access control for remote access (such as smart cards, temporary PINs, biometrics, etc.)? ( ) ( ) ( )
- Does the organization have a stated and enforced policy that access is restricted to those requiring it to perform their job functions, including a strict policy against employees allowing access to unauthorized personnel by loaning keys, sharing passwords, and so on? ( ) ( ) ( )
- For especially sensitive areas, are there additional computerized security and/or electronic surveillance systems? ( ) ( ) ( )
- To an impartial observer, does the workplace appear to have adequate access controls? ( ) ( ) ( )

c. Job descriptions
- Does the organization have written and specific job descriptions? ( ) ( ) ( )
- Do employees and managers adhere to them? ( ) ( ) ( )
- Does the company have an organization chart that reflects and is consistent with the employee job descriptions? ( ) ( ) ( )
- Are incompatible duties segregated; that is, handling of valuable assets, especially cash, and the related records? ( ) ( ) ( )
- Is the purchasing function properly segregated; for example, to ensure that one individual cannot requisition goods or services, approve and make the related payment, and access accounts payable records? ( ) ( ) ( )
- Are especially sensitive duties duplicated; that is, the double-signing of checks over a specified amount? ( ) ( ) ( )
- Do job descriptions specify that annual vacations must be taken? ( ) ( ) ( )
- Overall, has the process of formulating job descriptions been an integrated one, giving adequate consideration to the importance of fraud prevention? ( ) ( ) ( )

d. Regular accounting reconciliations and analyses
- Bank reconciliations, for all accounts? ( ) ( ) ( )
- Accounts receivable reconciliations (month to month, general ledger to subledger)? ( ) ( ) ( )
- Accounts payable reconciliations (month to month, general ledger to subledger)? ( ) ( ) ( )
- Variance analysis of general ledger accounts (budget to actual, current year versus prior year)? ( ) ( ) ( )
- Vertical analysis of profit and loss accounts, that is, as a percentage of sales, against historical and/or budget standards? ( ) ( ) ( )
- Detailed sales and major expense analysis; that is, by product line or geographic territory? ( ) ( ) ( )

e. Supervision
- Do supervisors and managers have adequate fraud awareness; that is, are they alert to the possibility of fraud whenever an unusual or exceptional situation occurs, such as when a supplier or customer complains about its account? ( ) ( ) ( )
- Do supervisors and managers diligently review the work of their subordinates; for example, accounting reconciliations, and, where appropriate, even have the employee reperform the work? ( ) ( ) ( )
- For smaller businesses or where division of duties is not possible, is close supervision in place so as to compensate for the lack of segregation? ( ) ( ) ( )
- Is supervisory or management override (a manager or supervisor taking charge of, altering, or otherwise interfering in the work of a subordinate) prohibited, and are others in the hierarchy alert to this situation as a fraud red flag? ( ) ( ) ( )

f. Audit
- Is there an internal audit function? ( ) ( ) ( )
- Does the internal audit function perform regular checks to ensure that fraud prevention mechanisms are in place and operating as intended? ( ) ( ) ( )
- Are external audits performed on a regular basis; that is, quarterly for larger businesses? ( ) ( ) ( )
- Does management fully cooperate with external auditors with respect to its work in general and fraud matters in particular; that is, through the audit committee? ( ) ( ) ( )

3. Has the organization addressed the following fraud prevention issues?
- Promoting an ethical environment? ( ) ( ) ( )
- Risk financing? ( ) ( ) ( )

RISK MANAGEMENT CHECKLISTS AND DOCUMENTATION

The checklist shown in Exhibit 5.2 is designed to assist accountants in assessing and managing the risk of fraud in their organizations and those of their clients. Generally, all "No" answers require investigation and follow-up, the results of which should be documented. Where there is such additional documentation, the purpose of the Ref column is to cross-reference the checklist to the appropriate source.

This checklist is intended for general use only. While the use of the checklist helps ensure adequate factors are considered, using the checklist does not guarantee fraud prevention or detection, and the checklist is not intended as a substitute for audit or similar procedures. If fraud prevention is an especially vital concern or if fraud is suspected, a systematic assessment beyond a checklist should be performed and/or a specialist's advice should be sought. [1]

Fraud Schemes Checklist

Another approach to risk assessment is to use an appropriate taxonomy of fraud schemes. For example, the ACFE fraud tree could be used to determine at least the initial list of fraud schemes. This approach can work particularly well. The columns of this form of risk assessment include (see Exhibit 5.3):
- The fraud scheme
- An assessment of inherent risk for that fraud in the particular entity or business process
- The factor internal controls have in mitigating that risk
- The residual risk left over after the mitigation of existing internal controls related to this fraud scheme in this entity or business process
- Business processes, where the scheme is likely to occur, if it does occur
- Red flags, which could be used to detect this scheme

Different Entities to Assess

If an organization is large enough, a single risk assessment may not be as useful as separate risk assessments. In this case, it is recommended that a different assessment and team be used for each major business unit, each significant business process that crosses business units, the corporate unit (executives, etc.), and any other entity or element that the leaders and team identify. It is possible the company is so large that different layers may be necessary: for instance, business units rolled up to subsidiaries, rolled up to corporate, where higher risks are rolled up with specifics as to the unit associated with the specific risk. A potentially more effective, though more challenging, way to assess risk at a high level in large organizations is by accounting or business processes, as these can more accurately reflect the fraud risks present and can more easily align with fraud schemes; for example, cash management, payroll, manufacturing product X, or research and development.

EXHIBIT 5.3 Fraud Schemes Risk Checklist

Columns: Fraud Schemes | Inherent Risk | Controls Assessment | Residual Risk | Business Processes | Red Flags

Fraud Schemes rows (the remaining columns are filled in by the team):
- General antifraud
- Fraudulent statements
- Financial: Overstate revenues
- Timing differences
- Fictitious revenues
- Concealed liabilities
- Improper disclosures
- Improper asset valuation
- Asset/revenue understated

Fraud Schemes

There are a variety of ways to determine the fraud schemes to list in the first column of Exhibit 5.3 ("Fraud Schemes"). However, one should start with some established taxonomy (see Chapter 2) and add or delete from that list as needed. Then, using other taxonomies, or good judgment about specific schemes that are risks to this particular industry or entity, one should make any necessary additions or deletions. Herein is the value of using brainstorming teams with shared criteria, to make sure that important schemes are not missed and that irrelevant schemes are not considered (at least for specific entities, certain fraud schemes may be irrelevant).

Measures and Relationships

Measuring risk in a quantitative sense is usually quite difficult. Some base must be used as a corollary to the impact of potential losses of a possible fraud. What is a relevant, reliable, and representative indication of the risk needing measurement? Such a determination should be made and agreed on by the team according to shared, planned criteria. The critical and difficult job of measuring risks is again a testament to the importance of selecting a diversified, organization-encompassing team able to make logical decisions during the risk-assessment process.

Inherent Risk

The team should determine what the inherent risk is for this fraud scheme for this entity or business process. The assessment could be a probability (1 to 100 percent) or simply low, medium, or high risk. A number of factors can be considered here, some of which are industry, strategy, market volatility, and organizational structure.

Controls Assessment

Auditors and other key people on the team should determine what controls are in place to mitigate the specific fraud scheme. The assessment would, of course, match the method of assessing inherent risk (percentage or tier). One must be sure to consider that people in key positions can best evaluate weaknesses in internal controls and risks; but those same persons are potentially the ones to commit fraud in the given area.

Residual Risk

A simple mathematical function of subtracting the level of control mitigation from the inherent risk will leave the residual risk. Again, it would take the form of whatever was chosen for inherent risk. Residual risk will inevitably require one of two responses: no action, as the remaining risk is accepted, or action to mitigate or remediate through additional prevention or detection procedures (even potentially including the purchase of insurance). The response taken should be documented and tracked over time, in part to determine the entity's abilities to measure and manage risks.

Business Processes

This column is a notation column to identify which business processes (i.e., cash receipts, payroll, etc.) are involved with this scheme. The business process owner should be documented as the responsible party for the area and, if applicable, for responding to unacceptable residual risk. Considering the aggregated number and risk ratings of all schemes by business process can also shed light on fraud risk.

Red Flags

Here the team would identify the red flags that could be associated with the scheme. This documentation is a starting point for fraud prevention or detection procedures. Red flags are available from a variety of literature sources. They include:
- ISACA's standard 030.020.010 (SISAS 8), Audit Considerations for Irregularities
- AICPA SAS No. 99, Consideration of Fraud in a Financial Statement Audit [2]
- PCAOB Standards No. 5 and No. 2
- Occupational Fraud and Abuse [3]
- Corporate policies, procedures, and internal controls
- Actual fraud cases, especially the entity's

SUMMARY

Risk assessment is a critical starting point for audits in general. In this chapter, risk assessment is used as a tool for an entity's antifraud program, where the entity is trying to minimize its fraud risk. As such, this step does not occur during the fraud audit process. Rather, it is a tool to identify the risks and address the most important ones. It is recommended that any business, especially a publicly traded one, go through this exercise on a regular basis, and that fraud auditors consider these concepts and management's risk management abilities in the course of fraud prevention, detection, and investigation.

NOTES

1. Joseph T. Wells, Principles of Fraud Examination (New York: John Wiley & Sons, 2008).
2. AU316, pp. 30-34.
3. Joseph T. Wells, Occupational Fraud and Abuse (Austin, TX: ACFE, 1997).
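The Inherent Risk, Controls Assessment, Residual Risk and Business Processes steps of the fraud schemes checklist, carried through as an added example (this is not the book's own material or checklist): residual risk is computed in both rating styles the chapter allows, each remaining risk gets the accept-or-act response, and the rows are aggregated by business process. The risk-appetite threshold, the rule for stepping tiers down, and the sample register are assumptions made here.

```python
"""Fraud schemes risk checklist (Exhibit 5.3 style) carried through in code.

Added example, not the book's own material. For each scheme row it computes
residual risk = inherent risk minus control mitigation, in either style the
chapter allows (a 1-100 percent probability or low/medium/high tiers), the
accept-or-act response, and the aggregate view by business process.
Assumptions made here: a "risk appetite" threshold decides accept versus
mitigate, and in the tier style each tier of control strength steps the
inherent tier down by one. The sample register below is constructed input.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Rating = Union[int, str]
TIERS = ("low", "medium", "high")  # ordinal scale, weakest to strongest


def _check_pair(a: Rating, b: Rating) -> None:
    """Both ratings must use the same style, as the chapter requires."""
    ints = all(isinstance(v, int) and not isinstance(v, bool) for v in (a, b))
    if ints:
        for v in (a, b):
            if not 0 <= v <= 100:
                raise ValueError(f"percentage out of range: {v}")
    elif not (a in TIERS and b in TIERS):
        raise ValueError(f"ratings must both be percentages or both be tiers: {a!r}, {b!r}")


def residual_risk(inherent: Rating, controls: Rating) -> Rating:
    """Residual risk = inherent risk - control mitigation, in the style of the inputs.

    Percent style: plain subtraction, floored at 0 (controls cannot make risk negative).
    Tier style (assumption): high inherent with high controls leaves low, high with
    medium leaves medium, and a low inherent rating can never go below low.
    """
    _check_pair(inherent, controls)
    if isinstance(inherent, int):
        return max(0, inherent - controls)
    return TIERS[max(0, TIERS.index(inherent) - TIERS.index(controls))]


def decide(residual: Rating, appetite: Rating) -> str:
    """The chapter's two possible responses: accept the remaining risk, or act on it."""
    _check_pair(residual, appetite)
    if isinstance(residual, int):
        return "mitigate" if residual > appetite else "accept"
    return "mitigate" if TIERS.index(residual) > TIERS.index(appetite) else "accept"


@dataclass
class SchemeRow:
    """One row of the checklist: the Exhibit 5.3 columns plus the process owner."""
    scheme: str
    inherent: Rating
    controls: Rating
    processes: List[str]
    red_flags: List[str] = field(default_factory=list)
    residual: Optional[Rating] = None
    decision: str = ""
    owner: str = ""


def assess(rows: List[SchemeRow], appetite: Rating) -> List[SchemeRow]:
    """Fill in the residual-risk and response columns for every scheme."""
    for row in rows:
        row.residual = residual_risk(row.inherent, row.controls)
        row.decision = decide(row.residual, appetite)
    return rows


def by_process(rows: List[SchemeRow]) -> Dict[str, dict]:
    """Aggregate by business process: scheme count plus total residual percent
    (or the worst residual tier), the view the chapter says can shed light on risk."""
    out: Dict[str, dict] = {}
    for row in rows:
        res = row.residual if row.residual is not None else residual_risk(row.inherent, row.controls)
        for proc in row.processes:
            agg = out.setdefault(proc, {"schemes": 0, "residual": 0 if isinstance(res, int) else "low"})
            agg["schemes"] += 1
            if isinstance(res, int):
                agg["residual"] += res
            elif TIERS.index(res) > TIERS.index(agg["residual"]):
                agg["residual"] = res
    return out


# Constructed sample register in the percent style. Scheme names follow the
# fraudulent-statement and asset-misappropriation branches of the ACFE fraud
# tree the chapter cites; every number and owner here is made up.
SAMPLE = [
    SchemeRow("Fictitious revenues", 60, 45, ["revenue recognition"],
              ["unusual quarter-end sales", "customers that cannot be located"], owner="Controller"),
    SchemeRow("Concealed liabilities", 50, 20, ["accounts payable", "financial close"], owner="Controller"),
    SchemeRow("Check tampering", 30, 25, ["cash disbursements"],
              ["altered payee names", "missing voided checks"], owner="Treasury manager"),
    SchemeRow("Ghost employees", 40, 35, ["payroll"], owner="Payroll manager"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE, appetite=20):
        print(f"{r.scheme:22} inherent={r.inherent:3} controls={r.controls:3} "
              f"residual={r.residual:3} -> {r.decision} (owner: {r.owner})")
    for proc, agg in sorted(by_process(SAMPLE).items()):
        print(f"{proc:22} schemes={agg['schemes']} residual_total={agg['residual']}")
```

Running it shows the residual for "Concealed liabilities" (30) exceeding the assumed appetite of 20, so that row is the only one marked for mitigation, and the two processes it touches carry that residual in the aggregate view.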