Dealing with Fraud Risk … Not Your Average Fraud Risk Assessment

It is a good sign that more and more organizations are using Fraud Risk Assessments (FRA) to determine the specific fraud risks to which they are vulnerable as a guideline for planning fraud audits aimed at detecting the red flags of fraudulent activity and eliminating weaknesses in anti-fraud controls.

Challenge: There is currently no established standard for conducting a fraud risk assessment. However, one of the more original and potentially most effective FRA methods was developed by long-time fraud investigator Leonard Vona.…

There are three basic levels at which FRAs can be performed. They are based on the degree to which management and/or its internal and external auditors wish to identify and mitigate fraud threats…
1. Macro-risk level. This type of FRA is designed to identify fraud risk at the organization-wide level. It focuses on the status of internal controls—to determine the likelihood of a fraud risk occurring. Management can then determine the potential cost of a fraud…and then decide how to manage the risk.
2. Micro-risk level. This FRA is designed to identify specific fraud schemes in key processes.
Important: The FRA then links the specific internal controls to specific fraud risks inherent in the process. This includes an assessment of internal control procedures…monitoring controls…and controls associated with reporting channels that directly impact the fraud risk.
3. Mega-risk level. This is also called a fraud penetration risk assessment (FPRA). It is designed to determine the most common points at which fraudulent transactions could occur in a specific account, transaction type and/or business location.

Key: The FPRA is where the real risk of specific types of fraud is evaluated so that auditors can develop an effective fraud audit program to pinpoint red flags of fraudulent activity before allegations of illegal activity are communicated via a hotline or other reporting channel.


Key: If the FPRA reveals that a fraud could occur and cause significant damage, the auditors then have what they need to develop an audit procedure that addresses that specific fraud risk.

An FRA has three key stages…
Stage 1: Identification of risk. This procedure aims not to predict whether fraud will occur, but rather how fraud typically occurs in a specific situation. This requires identifying fraud schemes that are most likely to occur in a business function.
Example: In the cash disbursements function there are five inherent fraud schemes that can occur—false billing, passthrough billing, over-billing, disguised billing and conflict of interest.
Next step: The auditor then assesses the potential opportunities that exist for a dishonest employee to commit one of these schemes. In cash disbursements, these opportunities typically are…

  • Absence of internal control.
  • Access to the internal control. Controls are only as effective as the “gatekeepers” responsible for enforcing them. When a gatekeeper, such as a receiving clerk in a warehouse, is responsible for processing all receiving reports and delivery receipt certification, that means he or she has direct access to these controls. Such direct access provides the gatekeeper the opportunity to commit fraud. In the receiving clerk example, he or she could falsify the quantity or quality of a specific delivery and then accept a kickback from the vendor.
  • Indirect access to controls. This exists when someone with the requisite authority induces someone to help perpetrate a fraud. For example, operations managers generally do not have access to the accounts payable master file to add vendors or change vendor information. However, when an operations manager submits an approved invoice to accounts payable for a new vendor and A/P sets up the new vendor, the operations manager has indirect access to the opportunity.
  • Internal control failures due to employee failure to enforce a control… computer system override of controls… collusion between, for example, an employee and a vendor…absence of segregation of duties (SoD), and/or management override of control(s).

Key: With a clear understanding of these controls-related opportunities to commit one or more of the five fraud schemes, together with their own experience, auditors can then determine specific fraud scenarios that the organization is at risk for within each scheme. Examples for over-billing schemes:

  • Preparation of a false work order by a dishonest vendor and manager.
  • Falsification of billing rates by a vendor and/or manager such as inflated after-hours service rates.
  • Permission by a company manager for non-company equipment or other assets to be serviced by outside vendors at the company’s expense.
  • False notification by a vendor that service on a company asset is required.

Stage 2: Assessing the likelihood of a fraud scenario occurring. This process aims to assign a numerical “grade” for the likelihood of a specific fraud scheme occurring. Steps to take…

  • Assess specific controls in place for preventing occurrence of the various scenarios. This enables auditors to determine how likely (or unlikely) it is—on a scale of one to three—that such a scenario will occur based on the controls in place, with one representing the most effective possible risk mitigation. Examples:

One: Control design optimally minimizes occurrence of the fraud risk and minimizes control failures.
Two: Control design reasonably minimizes occurrence of the fraud risk.
Three: Control design does not minimize occurrence of the fraud risk.

  • Assess fraud detection measures for catching frauds early. This requires assessment of the control-monitoring measures in place as well as the effectiveness of supervision of these measures. It also requires analysis of the effectiveness of existing reporting channels for alerting management to the existence of a fraud incident.

Stage 3: The fraud audit response. Once the fraud schemes and scenarios are identified, and the likelihood of the occurrence is measured for each, a “fraud data profile” for each scenario can be developed using one of the popular forensic accounting software programs such as IDEA or ACL.

Essentials: The program is used to conduct data mining to flag specific patterns of the likeliest fraud scenarios listed in Stage 2. Examples:

  • Missing data or gaps in required data. Fraudsters often inadvertently raise these red flags when they attempt to conceal their crimes.
  • Duplicate data. Data revealing two or more vendors or transactions with the same information is a red flag that one or the other is fraudulent.
  • Logic tests. These data mining exercises search for transactions that don’t fit the norm.
  • Circumvention analysis. Data showing transactions for amounts below the control threshold or that bypass control functions are flagged via this technique.
  • Matching or comparing analysis. Here, the auditor matches the database being audited with others over which the suspect has no control, to flag discrepancies that could indicate fraud.
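A small worked version of the Stage 3 data profile tests listed above, added here as an illustration and not part of the original article or of Leonard Vona's published method. It uses plain Python in place of IDEA or ACL, and every vendor, employee and invoice record, the field names, and the 5,000 approval threshold are constructed for the example. Each function returns the red flags it finds so the results can be reviewed or fed into a fraud audit program.

```python
"""Fraud data profile tests over constructed A/P records (added example)."""
from collections import defaultdict
from datetime import date

# Constructed vendor master file (field names are assumed for this example)
VENDORS = [
    {"id": "V100", "name": "Acme Supply", "address": "12 Mill Rd", "bank_acct": "111-22", "tax_id": "T1"},
    {"id": "V101", "name": "ACME Supply Co", "address": "12 Mill Rd", "bank_acct": "111-22", "tax_id": "T2"},
    {"id": "V102", "name": "Northside Repair", "address": "9 Elm St", "bank_acct": "333-44", "tax_id": ""},
    {"id": "V103", "name": "Pine Consulting", "address": "4 Oak Ave", "bank_acct": "555-66", "tax_id": "T4"},
]

# Constructed employee master: a file the vendor being audited has no control over
EMPLOYEES = [
    {"id": "E1", "name": "J. Smith", "address": "4 Oak Ave", "bank_acct": "555-66"},
    {"id": "E2", "name": "K. Lee", "address": "77 Lake Dr", "bank_acct": "888-99"},
]

# Constructed invoices; the single-signature approval threshold is assumed to be 5000
APPROVAL_THRESHOLD = 5000.0
INVOICES = [
    {"id": "I1", "vendor": "V100", "amount": 1200.00, "po": "PO1", "date": date(2024, 3, 1)},
    {"id": "I2", "vendor": "V102", "amount": 4990.00, "po": "", "date": date(2024, 3, 2)},
    {"id": "I3", "vendor": "V102", "amount": 4975.00, "po": "PO3", "date": date(2024, 3, 2)},
    {"id": "I4", "vendor": "V103", "amount": 2500.00, "po": "PO4", "date": date(2024, 3, 3)},
    {"id": "I5", "vendor": "V101", "amount": 300.00, "po": "PO5", "date": date(2024, 3, 4)},
]


def _norm(value):
    """Normalise a text field so trivial spelling differences do not hide a match."""
    return value.strip().lower()


def missing_data(invoices, vendors, required=("po",)):
    """Missing data test: invoices lacking a required field, vendors with no tax id."""
    flags = [("invoice", inv["id"], field) for inv in invoices for field in required if not inv[field]]
    flags += [("vendor", v["id"], "tax_id") for v in vendors if not v["tax_id"]]
    return flags


def duplicate_vendors(vendors, keys=("address", "bank_acct")):
    """Duplicate data test: two or more vendors sharing an address or bank account."""
    groups = defaultdict(set)
    for v in vendors:
        for key in keys:
            groups[(key, _norm(v[key]))].add(v["id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) > 1}


def circumvention(invoices, threshold, band=0.05):
    """Circumvention test: invoices just below the approval threshold, and same-vendor
    same-day invoices whose combined amount crosses it (a split-billing logic test)."""
    near = [inv["id"] for inv in invoices if threshold * (1 - band) <= inv["amount"] < threshold]
    by_day = defaultdict(list)
    for inv in invoices:
        by_day[(inv["vendor"], inv["date"])].append(inv)
    splits = [sorted(x["id"] for x in grp) for grp in by_day.values()
              if len(grp) > 1 and sum(x["amount"] for x in grp) >= threshold]
    return near, splits


def match_vendors_to_employees(vendors, employees, keys=("address", "bank_acct")):
    """Matching test: vendor fields that equal a field in the independent employee file."""
    index = {(key, _norm(e[key])): e["id"] for e in employees for key in keys}
    hits = {(v["id"], index[(key, _norm(v[key]))], key)
            for v in vendors for key in keys if (key, _norm(v[key])) in index}
    return sorted(hits)


def run_profile(invoices=INVOICES, vendors=VENDORS, employees=EMPLOYEES, threshold=APPROVAL_THRESHOLD):
    """Run every test and return the red flags grouped by test name."""
    near, splits = circumvention(invoices, threshold)
    return {
        "missing_data": missing_data(invoices, vendors),
        "duplicate_vendors": duplicate_vendors(vendors),
        "near_threshold": near,
        "split_invoices": splits,
        "vendor_employee_matches": match_vendors_to_employees(vendors, employees),
    }


if __name__ == "__main__":
    for test, flags in run_profile().items():
        print(f"{test}: {flags}")
```

Each flag is only a lead for the auditor's professional judgment, as the article says: a shared address can be a legitimate subsidiary and a near-threshold amount can be a coincidence, so the output is reviewed against the scenarios ranked in Stage 2 rather than treated as proof of fraud.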

Key: With effective data mining techniques, the auditor should end up with red flags of potential frauds consistent with those that he or she determined to be most likely to occur in the organization’s business environment. The auditor must then use professional judgment to determine if he or she will conduct further analysis…or whether to turn the results of the audit over to management to decide if a full-fledged fraud investigation is warranted.


Reprinted with permission from the publisher. Copyright 2008 White-Collar Crime Fighter
Source: Leonard W. Vona, CPA, CFE, an independent antifraud consultant, investigator and trainer. He has over 30 years of experience assisting large organizations with fraud risk assessment, investigations and fraud prevention programs. Leonard is author of Fraud Risk Assessment, Building a Fraud Audit Program, recently published by Wiley. He can be reached at
