The Fraud Risk Assessment Process
A fraud risk assessment maps where an organisation is most exposed to intentional misappropriation or misrepresentation by linking known fraud schemes to business processes and scoring each on likelihood and potential impact. This topic covers the structured methodology recommended by the COSO Fraud Risk Management Guide, from cross-functional brainstorming through scheme mapping, inherent risk scoring, and control gap analysis.
A fraud risk assessment is a formal, structured process in which an organisation identifies the specific fraud schemes it faces, evaluates the likelihood and potential impact of each scheme before controls are applied, and then tests whether existing controls are adequate to reduce the residual exposure to an acceptable level. The methodology recommended by the COSO Fraud Risk Management Guide organises this work into four connected steps: a cross-functional brainstorming session to surface scheme possibilities, scheme mapping to link each scheme to the business process where it could occur, inherent risk scoring to prioritise schemes by likelihood and significance, and control gap analysis to identify where controls are absent, poorly designed, or not operating effectively. The output is a risk register that tells management and the audit committee exactly where fraud exposure is concentrated and what gaps require action.
Standard internal control frameworks focus on error and compliance risk. Fraud risk is different because it involves intentional concealment: the person executing a scheme works to make it look like a legitimate transaction. A general-purpose control review will not surface that risk unless the assessment explicitly asks, 'What scheme could be concealed here, and by whom?' The fraud risk assessment forces that question systematically across every material business process.
Fraud risk assessments are now embedded in multiple regulatory and professional frameworks globally. In the United States, Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2401 and the Association of Certified Fraud Examiners (ACFE) standards both require or recommend periodic fraud risk assessments. The UK Financial Reporting Council's guidance on the work of audit committees references fraud risk identification as a board-level responsibility. In India, the Companies Act 2013 and SEBI's Listing Obligations require listed companies to maintain an adequate internal control framework, and the Institute of Chartered Accountants of India (ICAI) fraud reporting standards reinforce the need for a documented risk assessment as the basis for those controls.
By the end of this topic you will be able to:
- Describe the four-step COSO fraud risk assessment methodology and explain the purpose of each step.
- Explain how to structure a fraud brainstorming session to surface scheme possibilities across asset misappropriation, financial statement fraud, and corruption categories.
- Map a specific fraud scheme to the business process, sub-process, and control where it could occur.
- Score a fraud scheme on inherent likelihood and significance and explain why controls are excluded from that scoring step.
- Identify control gaps and select an appropriate risk response for each significant gap identified in the assessment.
- COSO Fraud Risk Management Guide: A framework published by the Committee of Sponsoring Organizations of the Treadway Commission that provides a methodology for identifying, assessing, and responding to fraud risks. Aligned with the COSO Internal Control Integrated Framework. The current edition is 2023.
- Inherent fraud risk: The level of fraud risk present in a business process or transaction type before any controls are applied. Scored on likelihood and significance. Separating inherent risk from residual risk prevents teams from assuming that a control exists and therefore rating the scheme as low risk without testing whether the control actually works.
- Scheme mapping: The step in a fraud risk assessment that connects each identified fraud scheme to the specific business process, sub-process, and control environment where it could occur. Scheme mapping converts a general list of fraud possibilities into actionable targets for control evaluation.
- Control gap: A deficiency in the design or operation of a control that leaves a fraud scheme inadequately mitigated. Design gaps exist where no control addresses a scheme; operating gaps exist where a control is designed correctly but is not being performed as intended.
- Residual fraud risk: The level of fraud risk that remains after existing controls are applied and operating. If residual risk exceeds the organisation's risk appetite for a given scheme, a risk response is required to reduce it further.
- Risk appetite: The amount and type of risk an organisation is willing to accept in pursuit of its objectives. In the fraud risk context, it sets the threshold above which residual fraud risk requires a management response. The board or audit committee typically sets the fraud risk appetite.
Step 1: The fraud brainstorming session
The brainstorming session is the engine of the fraud risk assessment. Its purpose is to generate a comprehensive list of fraud schemes that could plausibly occur in the organisation, before anyone evaluates likelihood or controls. The COSO guide emphasises that participation must be cross-functional: internal audit, finance, operations, legal, compliance, human resources, and business unit management should all be represented. Fraud does not respect departmental silos, and a session dominated by finance staff alone will miss schemes that originate in procurement, IT, or customer-facing operations.
The facilitator typically opens by presenting the ACFE fraud tree as a structural prompt, walking through asset misappropriation (cash skimming, disbursement schemes, inventory theft), financial statement fraud (revenue overstatement, liability understatement, improper disclosures), and corruption (bribery, kickbacks, conflicts of interest). For each category the group is asked: 'Which of these could happen here, given our specific processes, systems, and workforce?' The facilitator must actively prevent premature control discussion. Participants will instinctively say, 'But we have a control for that.' The response is: 'Note the control, but keep it off the scheme list for now.'
The session should also draw on external data sources: ACFE's Report to the Nations (published biennially) provides scheme frequency and loss data by industry and organisation size. For a manufacturing company, the report shows that billing schemes, expense reimbursement fraud, and inventory theft are disproportionately common. That data helps the team avoid the availability bias of focusing only on schemes they have personally encountered. Industry-specific regulatory findings, prior internal audit reports, whistleblower disclosures, and any previous forensic investigation results are also valid inputs.
Step 2: Scheme mapping to business processes
The brainstorming session produces a list of schemes. Scheme mapping converts that list into a structured inventory by linking each scheme to the specific business process, transaction type, and organisational unit where it could occur. This step is what makes the assessment actionable: it tells the audit team where to look, which controls to test, and which process owners to interview.
A scheme-to-process mapping entry contains: the scheme name and ACFE fraud tree category, the business process (for example, accounts payable, payroll, procurement, revenue recognition), the sub-process or transaction type (vendor invoice processing, new vendor onboarding, sales contract approval), the potential perpetrator role or roles (accounts payable clerk, procurement manager, sales director), the asset or interest at risk (cash, inventory, financial statement integrity), and the existing controls that are intended to address the scheme. That last column is left blank until the control gap analysis step; populating it during mapping creates the temptation to rate risk as low because a control exists, before testing whether it works.
| Scheme | ACFE Category | Business Process | Sub-Process | Potential Perpetrator |
|---|---|---|---|---|
| Fictitious vendor payments | Asset misappropriation: billing | Accounts payable | Vendor master file maintenance | AP clerk or procurement manager |
| Ghost employee | Asset misappropriation: payroll | Payroll processing | New employee setup | HR administrator or payroll clerk |
| Revenue overstatement | Financial statement fraud | Revenue recognition | Sales contract approval | Sales director or CFO |
| Kickback from supplier | Corruption: bribery | Procurement | Vendor selection and evaluation | Procurement officer |
| Expense reimbursement inflation | Asset misappropriation: expense | Expense management | Manager approval of claims | Any employee with manager approval |
| Inventory theft | Asset misappropriation: non-cash | Inventory management | Physical count and reconciliation | Warehouse staff or logistics manager |
Large organisations with hundreds of processes cannot map every scheme to every process in a single assessment cycle. The scoping decision, which processes to include and at what depth, is itself a risk decision. Material processes, those involving large transaction volumes or high-value assets, are always in scope. Processes flagged as high-risk in prior audits or where recent personnel changes or system migrations have occurred should also be prioritised. The mapping document is a living record: it is updated when new processes are introduced, when the scheme list is revised, or when a fraud incident reveals a previously unmapped vulnerability.
Step 3: Scoring inherent fraud risk
Once schemes are mapped, each entry is scored on two dimensions: inherent likelihood and inherent significance. Both are scored without reference to controls. The purpose of scoring at the inherent level first is to establish a baseline of what the exposure would be if controls failed or were absent. This matters because controls do fail, are circumvented by management override, or erode through staff turnover and process change. An organisation that scores everything as low risk because it has controls in place will not invest adequately in those controls.
Likelihood is assessed by asking: how probable is it that a person in the identified perpetrator role would have both the motivation and the opportunity to execute this scheme, and that the scheme would succeed at least partially? Factors that increase inherent likelihood include high transaction volume (more opportunities to conceal a fraudulent transaction), weak segregation of duties (one person controls multiple steps), high staff turnover (reduced institutional knowledge and informal monitoring), and industry-specific incentive structures (commission-based sales with aggressive targets increase financial statement fraud risk).
Significance is assessed on financial, reputational, and regulatory dimensions. A payroll ghost-employee scheme at a company with 50 employees has a different significance profile than the same scheme at a company with 5,000 employees, even if the per-incident loss is similar, because the second company faces greater reputational exposure and regulatory scrutiny if the scheme is discovered. The combination of likelihood and significance produces a risk rating, often displayed as a three-by-three or five-by-five heat map, with high-high schemes in the top-right corner as the priority targets for control evaluation.
Step 4: Control gap analysis
The control gap analysis evaluates the controls that exist for each mapped scheme and assesses whether those controls, if operating effectively, would reduce the inherent risk to within the organisation's risk appetite. The analysis distinguishes between two types of gap. A design gap exists where no control addresses the scheme at all, or where the control as designed could not prevent or detect the scheme even if it operated perfectly. An operating gap exists where the control is appropriately designed but is not being performed as intended, whether because of staff error, lack of supervision, system malfunction, or deliberate circumvention.
For each scheme, the analysis team identifies the preventive controls (those designed to stop the scheme from occurring) and the detective controls (those designed to discover the scheme after it has started). For a fictitious vendor payment scheme, a preventive control might be segregation of duties between the person who sets up vendors in the master file and the person who approves invoices. A detective control might be a periodic independent review of newly added vendors against a watchlist or confirmation of bank account details. Both types are evaluated: if preventive controls are strong but no detective controls exist, a scheme that slips through prevention will run undetected indefinitely.
Data analytics has become a standard component of detective control evaluation. Continuous monitoring scripts that flag statistical anomalies, such as invoice amounts just below approval thresholds, vendors with no physical address, or payroll payments to employees with duplicate bank account numbers, can identify scheme indicators that manual review would miss. The control gap analysis should evaluate whether analytics monitoring exists for high-rated inherent risk schemes and whether the analytics are calibrated to the specific scheme indicators for those schemes.
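The three indicators named above, implemented as a small continuous-monitoring script over constructed sample records. This is an added illustration, not code from the page or from the COSO guide; the approval threshold, the 5% "just below" band, the treatment of a PO Box as a non-physical address, and all record values are assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed single-signature approval limit and the band below it that
# counts as "just below threshold" (a split-invoice indicator).
APPROVAL_THRESHOLD = 10_000.00
NEAR_THRESHOLD_BAND = 0.05

# Constructed sample records; none of these refer to real entities.
INVOICES = [
    {"id": "INV-1001", "vendor": "V-01", "amount": 9_950.00},
    {"id": "INV-1002", "vendor": "V-01", "amount": 9_875.50},
    {"id": "INV-1003", "vendor": "V-02", "amount": 4_200.00},
    {"id": "INV-1004", "vendor": "V-03", "amount": 12_000.00},
]
VENDORS = [
    {"id": "V-01", "name": "Acme Supplies", "address": ""},
    {"id": "V-02", "name": "Brown Logistics", "address": "12 Dock Road"},
    {"id": "V-03", "name": "Carter Tools", "address": "PO Box 77"},
]
PAYROLL = [
    {"employee": "E-100", "bank_account": "GB00ACME00001"},
    {"employee": "E-101", "bank_account": "GB00ACME00002"},
    {"employee": "E-102", "bank_account": "GB00ACME00001"},
]


def invoices_near_threshold(invoices, threshold=APPROVAL_THRESHOLD,
                            band=NEAR_THRESHOLD_BAND):
    """Return invoice ids priced within `band` below the approval limit."""
    floor = threshold * (1 - band)
    return [i["id"] for i in invoices if floor <= i["amount"] < threshold]


def vendors_without_address(vendors):
    """Return vendor ids whose master record lacks a physical street address.
    Assumption: an empty field or a PO Box counts as no physical address."""
    flagged = []
    for v in vendors:
        addr = v["address"].strip().lower()
        if not addr or addr.startswith("po box"):
            flagged.append(v["id"])
    return flagged


def duplicate_bank_accounts(payroll):
    """Map each bank account paid to more than one employee to those employees."""
    by_account = defaultdict(list)
    for p in payroll:
        by_account[p["bank_account"]].append(p["employee"])
    return {acct: emps for acct, emps in by_account.items() if len(emps) > 1}


def corroborated_vendors(invoices, vendors):
    """Vendors hit by both billing indicators: a stronger fictitious-vendor signal."""
    near = {i["vendor"] for i in invoices if i["id"] in invoices_near_threshold(invoices)}
    return sorted(near & set(vendors_without_address(vendors)))


def run_monitoring(invoices, vendors, payroll):
    """Group indicator results by the scheme they are calibrated to."""
    return {
        "fictitious_vendor_payments": {
            "near_threshold_invoices": invoices_near_threshold(invoices),
            "vendors_without_address": vendors_without_address(vendors),
            "corroborated_vendors": corroborated_vendors(invoices, vendors),
        },
        "ghost_employee": {"duplicate_bank_accounts": duplicate_bank_accounts(payroll)},
    }
```

Each flag is an indicator for the analyst to follow up, not a finding; the value of the script in a gap analysis is showing whether a detective control of this kind exists for the high-rated schemes at all.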
Evidence gathering for the control gap analysis draws on multiple sources: walkthroughs with process owners, testing of control operation using transaction samples, review of system access logs and segregation-of-duty reports, and interviews with staff at multiple levels. The evidence gathering methods used in a fraud examination are directly applicable here, though the control gap analysis operates at the population level rather than investigating a specific suspected incident.
Risk response and the residual risk register
Where the control gap analysis identifies a gap, the assessment team develops a risk response. The COSO guide identifies four response options: accept the residual risk (appropriate where the cost of additional control exceeds the expected loss from the scheme, and the residual risk is within risk appetite), mitigate the risk by adding or strengthening controls, transfer the risk through insurance or contractual indemnification, or avoid the risk by exiting the process or activity that creates the exposure. In practice, acceptance and mitigation are the most common responses; outright avoidance is rare because it would require abandoning a business activity.
The residual risk register documents, for each scheme, the inherent risk score, the controls in place, the control gaps identified, the risk response selected, the action owner, and the target implementation date for any new or improved control. This register is the primary deliverable of the fraud risk assessment. It is presented to the audit committee or board, updated on the agreed review cycle (typically annual), and used by internal audit to prioritise audit plan activities toward the highest residual-risk schemes.
| Inherent Risk Level | Control Gap Finding | Typical Risk Response |
|---|---|---|
| High likelihood, high significance | No detective control for scheme | Add analytics monitoring; escalate to audit committee |
| High likelihood, high significance | Design gap: control cannot prevent scheme | Redesign control; interim compensating control |
| High likelihood, high significance | Operating gap: control not performed | Remediation plan with owner and deadline |
| Medium likelihood, medium significance | Minor operating gap | Process improvement; include in next audit cycle |
| Low likelihood, low significance | No gap or minor gap | Accept residual risk; document rationale |
| Any level | Management override risk | Strengthen governance, whistleblower channel, board-level analytics review |
International standards provide context for how organisations are expected to respond to identified gaps. The PCAOB in the United States requires external auditors to communicate significant deficiencies and material weaknesses to the audit committee; a fraud risk assessment gap that rises to a material weakness level must be disclosed in the annual report. The UK's Financial Reporting Council Guidance on Audit Committees places responsibility on the committee to review the adequacy of the company's internal controls, which includes the fraud risk response framework. In India, the ICAI's Standard on Auditing 240 (equivalent to ISA 240) requires auditors to perform procedures in response to the risks of material misstatement due to fraud, informed by the results of a fraud risk assessment.
Governance, reporting, and reassessment cadence
The fraud risk assessment is not a one-time project. It requires a governance structure that assigns ownership, sets a review cadence, and ensures that significant changes to the business trigger a reassessment. The COSO guide recommends annual reassessment as a minimum, with interim reviews when material business changes occur, including acquisitions, new product lines, significant system changes, entry into new markets, or senior management turnover.
Reporting lines matter. The fraud risk assessment results should be reported directly to the audit committee or board, not only to management. This is because some of the highest-rated schemes involve management itself, particularly financial statement fraud. If management controls the reporting of the assessment, findings that implicate management are at risk of being downplayed or omitted. The internal audit function, which in a well-governed organisation reports functionally to the audit committee, is typically responsible for coordinating the assessment and presenting the results. The roles and qualifications of forensic auditors who conduct or advise on the assessment affect the quality and independence of that reporting.
The assessment also connects directly to the organisation's whistleblower and reporting channel infrastructure. A scheme with a high inherent risk score but limited preventive control capability should prompt a check: does the reporting channel reach potential witnesses for this scheme, and is the channel accessible and trusted by the staff in the relevant business unit? In the United States, the Dodd-Frank Act provides financial incentives and legal protections for whistleblowers reporting securities fraud directly to the SEC, bypassing internal channels entirely. The EU Whistleblower Protection Directive 2019/1937 requires organisations of 50 or more employees to maintain internal reporting channels. India's Whistle Blowers Protection Act 2014 covers public officials; listed companies are additionally subject to SEBI's mandatory vigil mechanism requirement. These channels are a critical component of the detective control environment and should be evaluated as part of the control gap analysis.
Key Takeaways
- The COSO Fraud Risk Management Guide organises a fraud risk assessment into four steps: cross-functional brainstorming, scheme mapping to business processes, inherent risk scoring on likelihood and significance, and control gap analysis to identify design and operating gaps.
- Inherent risk is scored before controls are considered. This forces the team to confront the full exposure that would exist if controls failed or were circumvented, which is the relevant question for schemes involving management override.
- Scheme mapping converts a general list of fraud possibilities into actionable audit targets by linking each scheme to the specific business process, sub-process, and perpetrator role where it could occur.
- Control gap analysis distinguishes design gaps (the control cannot prevent the scheme even if performed correctly) from operating gaps (the control is not being performed as intended). Each type requires a different remediation response.
- The residual risk register is the primary deliverable: it documents inherent scores, control gaps, risk responses, and action owners, and it is presented to the audit committee or board to enable governance oversight of the fraud risk management process.