Assess The Inherent Fraud Risks
Once the fraud risks are identified from different sources, the likelihood of fraud is assessed. Assessing the likelihood is a subjective process because the organization usually does not have relevant data or information that accurately predicts the likelihood of particular fraud risks.
To assess the likelihood of the fraud risks, the organization may consider various factors such as past incidents, the prevalence of fraud risk in the industry, internal control environment, available resources to address fraud, fraud prevention efforts by management, ethical standards followed, unexplained losses, customer complaints, etc.
Based on this general assessment and the available information, the fraud risk assessor designs preventive and detective controls for the organization's processes and activities. These controls are concentrated in high-risk processes, i.e., those where the chances of fraud occurring are high, such as cash handling, cash management, treasury and operations.
Once the likelihood of fraud is assessed, the frequency of occurrence of the fraud is assessed next. The frequency is assessed on the basis of whatever past or historical information about fraud incidents is available.
The frequencies of occurrence of frauds may be defined as follows:
- Very frequent
- Reasonably frequent
- Occasional
It means the fraud risk is expected to occur daily, or even multiple times a day. Each occurrence may have a low impact, but because there are so many occurrences the cumulative impact over a particular period may be high. An example is the pocketing of cash by the person receiving cash at the counter.
It means the fraud risk is expected to occur frequently, for example once every two days or weekly. Such fraud risks may also have a low impact per occurrence, but because of the many occurrences the cumulative impact over a particular period may be high. Examples include cash pocketing or stealing small physical assets from office premises.
It means the fraud risk is expected to occur every week or month. Such fraud risks may have a high impact even though there are fewer fraud incidents over a particular period. Examples include cash pocketing or stealing small physical assets from office premises.
It means the fraud incident does not occur frequently; the fraudster commits fraud only on certain occasions. Such frauds may have a high impact because they are often backed by careful planning by the fraudsters to gain as much personal benefit as possible. An example is money laundering activity.
It means the fraud incident occurs once over several years but has a high impact in terms of both reputational and financial losses to the organization. Such frauds usually involve many fraudsters, who may be dispersed across different jurisdictions and locations. Examples include cyber-attacks on large national organizations to obtain and use confidential information.
Similarly, for the likelihood of fraud occurrence, the organization defines categories such as:
- Almost certain
- Reasonably possible
It means the chances of occurrence are very high, i.e., more than a 90% chance.
It means the chances of occurrence of fraud range between 65% and 90%.
It means the chances of occurrence of fraud range between 35% and 65%.
It means the chances of occurrence of fraud range between 10% and 35%.
It means the chances of occurrence of fraud are less than 10%.
Management and managers responsible for each significant department or area within the organization should conduct the assessment, which should then be shared with the Board of Directors. All parties can then collaborate to develop and implement preventive and detective fraud control activities to mitigate the identified risks based on their likelihood or significance to the organization and taking into account the controls already in place.