more-arw search

Q&A Forum

How does one conduct a fraud risk assessment?

If I was going to audit our existing processes to look for vulnerabilities what would be the best way to start my assessment?


Topic Expert
Scott MacDonald
Title: President/Owner
Company: AlphaMac Resources, Inc.
(President/Owner, AlphaMac Resources, Inc.) |

Follow the money. That may sound simplistic, but fraud is going to occur anywhere there is value to be stolen. This includes, cash, fixed assets, product, raw materials, accounts payable, etc. Think of any way someone can divert assets to their personal use.

Here is a short list of things to look at:
1. Pay to play schemes for vendors
2. False/fake vendors
3. Poor controls over check stock and access to checking accounts.
4. Expense reports - false invoices, etc
5. Poor controls in accounts receivable and accounts payable
6. Poor segregation of duties in cash, A/R, A/P and inventory control
7. Employees living above their means. (example: extravagant spending on cars, trips, jewelry, parties, etc.)
8. Lack of or poor reconciliations and detailed review by management.
9. Poor physical security of assets (cash, inventories, fixed assets, vehicles, etc)
10. Poor password and network security.
11. Manual journal entries to accounts that should only have automated entries.

Finally, if you don't have a way for employees AND vendors to report issues to you in a confidential manner, you are not going to get an early warning of problems.

Also look for areas where a person who has information on wrong doing has been eliminated by the perpetrator. Example: An otherwise outstanding employee is suddenly fired by their boss for reasons that don't make sense given their past performance. Could be that outstanding employee wouldn't go along with the illegal or immoral activity and was eliminated.

By the way, there are computer programs and consulting companies that can help determine if there is potential fraudulent activity.

Topic Expert
Chester Hurtado
Title: CFO
Company: Tradeworks
(CFO, Tradeworks) |

Scott's comments are spot on. Something else to consider is that there are usually three aspects that can lead to fraud:

1) Opportunity. As Scott detailed in his comments, if there are poor controls then that provides the individual with the access to commit the fraud.

2) Need. This is difficult to know unless the employee tells you directly that they need money. It is also subjective, as one person's want is another person's need. As Scott mentioned, look to see if anyone is living above their pay grade and evaluate if they have opportunity.

3) Rationalization. Again, this is subjective. Someone might feel they should be paid more, or that the company can afford the fraud, or that they dislike the company for whatever reason. Being aware of employee discontent is important, as in Scott's example.

Lastly, I have sometimes found that employees that never take a vacation or are very secretive about their work can be hiding something that they don't want anyone else to know about.

It is impossible to eliminate fraud 100%. If someone wants to steal they are going to do it. The trick is to make it difficult and to be able to find it as quickly as possible.

Charles Gregory
Title: Product Manager
Company: BAE Systems Applied Intelligence
(Product Manager , BAE Systems Applied Intelligence) |

I agree with everything Chester and Scott have said.

I would also add that it is important to look at the strength of the existing control functions:
1) do the controllers have the right tool kit to identify fraud on an on-going basis?
2) do they understand the business well enough to be able challenge the people they are monitoring? Often, in my experience, controllers raise concerns about processes they only partially understand and then are fooled into accepting fairly superficial answers from the supposed 'experts' (who may have a vested interest in preserving malpractice).
3) look for evidence that when the controllers are conducting their investigations, they are applying appropriate due diligence and evidencing their work. Check some cases - does the evidence support their conclusions?

If these guys can get it right on a day-to-day basis, the chances of falling prey to fraud will be significantly reduced.

Topic Expert
Christie Jahn
Title: CFO
Company: Prime Investments & Development
(CFO, Prime Investments & Development) |


Would elaborate more on these two?
1. Pay to play schemes for vendors - What does this mean?
2. False/fake vendors - what steps would you take to ensure a vendor is legit?

(Internal Auditor) |

I agree with Charles, Chester, and Scott, but the Association of Certified Fraud Examiners say you should consider more than just asset misappropriation. Their fraud tree has two other branches: financial statement fraud and corruption & bribery. Their method suggests brainstorming your possible exposures in those three areas, assessing the likelihood and impact of those exposures, documenting the controls you have for those exposures, then assessing your residual risk i.e., are you over or under controlled anywhere, if so determining what actions you need to take. Again, I agree with the previous posters, I’m just adding to their comments.


Get Free Membership

By signing up, you will receive emails from Proformative regarding Proformative programs, events, community news and activity. You can withdraw your consent at any time. Contact Us.

Business Exchange

Browse the Business Exchange to find information, resources and peer reviews to help you select the right solution for your business.

Learn more

Contribute to Community

If you’re interested in learning more about contributing to your Proformative community, we have many ways for you to get involved. Please email [email protected] to learn more about becoming a speaker or contributing to the blogs/Q&A Forum.