Fraud risk identification may include gathering external information from regulatory bodies (e.g., securities
commissions), industry sources (e.g., law societies), key guidance-setting groups (e.g., Cadbury, King Report [7], and The
Committee of Sponsoring Organizations of the Treadway Commission (COSO)), and professional organizations (e.g.,
The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA), the Association
of Certified Fraud Examiners (ACFE), the Canadian Institute of Chartered Accountants (CICA), The CICA Alliance for
Excellence in Investigative and Forensic Accounting, The Association of Chartered Certified Accountants (ACCA),
and the International Federation of Accountants (IFAC), plus others noted in Appendix A of this document). Internal
sources for identifying fraud risks should include interviews and brainstorming with personnel representing a broad
spectrum of activities within the organization, review of whistleblower complaints, and analytical procedures.
An effective fraud risk identification process includes an assessment of the incentives, pressures, and opportunities
to commit fraud. Employee incentive programs and the metrics on which they are based can provide a map to where
fraud is most likely to occur. Fraud risk assessment should consider the potential override of controls by management
as well as areas where controls are weak or there is a lack of segregation of duties.
The speed, functionality, and accessibility that created the enormous benefits of the information age have also
increased an organization's exposure to fraud. Therefore, any fraud risk assessment should consider unauthorized
access to, and override of, system controls, as well as internal and external threats to data integrity, system security,
and the theft of financial and other sensitive business information.
Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not
only monetary significance, but also significance to an organization's financial reporting, operations, and reputation,
as well as legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the
inherent risk [8] of a particular fraud in the absence of any known controls that may address the risk.
Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices
and controls to mitigate the risk, by accepting the risk while monitoring actual exposure, or by designing ongoing or
specific fraud evaluation procedures to deal with individual fraud risks. An organization should strive for a structured
approach rather than a haphazard one. The benefit an implemented fraud risk management program provides
should exceed its cost. Management and board members should ensure the organization has the appropriate control
mix in place, recognizing their oversight duties and responsibilities in terms of the organization's sustainability
and, depending on organizational form, their role as fiduciaries to stakeholders. Management is responsible for
developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently
by competent and objective individuals.
Fraud Prevention and Detection
Fraud prevention and detection are related, but they are not the same concept. Prevention encompasses policies,
procedures, training, and communication that stop fraud from occurring, whereas detection focuses on activities
and techniques that recognize in a timely manner whether fraud has occurred or is occurring.
[7] The Cadbury Report refers to The Report of the Committee on the Financial Aspects of Corporate Governance, issued in the United Kingdom on Dec. 10, 1992, and the King Report refers to the King Report on Corporate Governance for South Africa, issued in 1994.
[8] Inherent risk is the risk before considering any internal controls in place to mitigate such risk.