
How to Effectively Manage Your Fraud Risk with Targeted Assessments

By David Varner.

January 16, 2025 - Fraud risk poses a unique challenge that involves intentional, deceptive actions within an organization. Discover how to proactively mitigate fraud and enhance your organization's defenses through targeted risk assessments.

What is fraud risk?

Fraud risk is complex and differs from other risk typically found in an organization’s Enterprise Risk Management (ERM) program. Unlike financial, operational, or compliance risk, fraud risk specifically involves intentional, deceptive actions or misconduct by individuals or groups. Fraud is perpetrated by people, not processes, systems, or business units.

According to the ACFE’s Occupational Fraud 2024: A Report to the Nations, organizations lose 5% of their revenue to occupational fraud each year.

“Many organizations are often unprepared to identify and manage fraud risk leading to surprise, confusion, and strong emotions when a fraud is perpetrated against them,” said David Varner, Director in Risk Advisory at Citrin Cooperman.

To better understand and analyze fraud risk, many organizations utilize the “Fraud Triangle” to explain the factors that lead people to commit fraud. It consists of three interrelated elements:

  • Opportunity: Situations that enable fraud, often due to weak internal controls or oversight.
  • Pressure: Motivations or incentives to commit fraud, such as financial troubles or personal gain.
  • Rationalization: Justifications that make the fraudulent behavior seem acceptable to the perpetrator.

Organizations can control opportunities for fraud but have less influence over pressure and rationalization.

While organizations can implement various controls and measures to mitigate opportunities for fraud, they tend to have less influence over pressure and rationalization. Those factors typically lie more within the individual or group's mindset and external circumstances.

Pressure may stem from financial difficulties, job insecurity, or personal motives, making it challenging for organizations to address directly. Similarly, rationalization involves justifying unethical behavior, which can be influenced by personal values, peer influence, and organizational culture.

All these factors make fraud risk hard to quantify: a given fraud risk is either mitigated or it is not. Traditional risk assessment methods that multiply probability and impact to calculate and rank a raw risk score are therefore difficult to apply.

However, many organizations use a targeted fraud risk assessment to identify and manage fraud risk.

What is a targeted fraud risk assessment?

A targeted fraud risk assessment begins with understanding an organization’s business units and processes. Identifying where these units and processes intersect is essential, as these intersections represent specific activities where fraud could be perpetrated.

To assess fraud risk effectively, your organization must map these activities to potential fraud schemes. This means identifying the different ways fraud could happen within each activity.

For example, a typical accounting and finance function would have an accounts payable process that consists of many different activities. One of those activities would likely be adding a new vendor to the vendor master file. This would introduce the risk that an employee could add a fictitious vendor and perpetrate a fictitious invoice scheme.

“The ACFE Fraud Tree and Report to the Nations are valuable resources for identifying the various fraud schemes and understanding the current fraud risk landscape,” said Varner.

The next step is to evaluate if controls are in place to prevent or detect these schemes. Types of controls you might find include:

  • Reviews: Evaluation of transactions or activities using judgment, familiarity, or other unique criteria to identify an exception to an expected condition.
  • Approvals: Granting permission to process a transaction or perform an activity, either by a designated individual or within a delegated limit.
  • Reconciliations: Comparing two or more groups of transactions to identify differences or discrepancies.
  • Matching: Comparing two or more individual transactions to identify differences or discrepancies.
  • Reperformance: Independently reperforming a procedure or activity to identify errors or omissions.
  • Limiting approval authority: Setting a defined threshold above which an individual or system cannot grant permission to process a transaction or perform an activity.
  • Dual authentication: Requiring two individuals to authorize a transaction or perform an activity.
  • Segregating functions: Separating incompatible physical or system access, roles, or responsibilities between individuals.
  • Restricting access or functionality: Preventing or limiting accessibility to process a transaction or perform an activity.
  • Monitoring: Continuously observing or checking the status of an expected condition for a process or transaction.

Generally, preventive controls aim to stop fraud, while detective controls aim to catch fraud after it happens. It’s important to evaluate how well each control was originally designed and how effectively it currently operates. Weak or missing controls increase an organization's exposure to fraud and create higher risk.

In the previous accounts payable example, restricting access, segregating functions, and reviewing and approving invoices before processing would likely reduce the risk that a fictitious invoice scheme could happen.
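As an added illustration of the accounts payable controls described above (this script is not part of the original article), the following Python check applies segregation-of-duties, self-approval and approval-limit tests to constructed vendor master and invoice records; the record fields, user names and the 10,000 single-approver limit are assumptions.

```python
"""Detective checks over constructed accounts payable records (illustrative, not a real system)."""

# Constructed sample data: who added each vendor to the vendor master file.
VENDORS = [
    {"vendor_id": "V100", "created_by": "alice"},
    {"vendor_id": "V101", "created_by": "bob"},
]

# Constructed sample invoices: who entered each one and who approved it.
INVOICES = [
    {"invoice_id": "I1", "vendor_id": "V100", "amount": 4200, "entered_by": "carol", "approvers": ["dave"]},
    {"invoice_id": "I2", "vendor_id": "V101", "amount": 950, "entered_by": "bob", "approvers": ["bob"]},
    {"invoice_id": "I3", "vendor_id": "V100", "amount": 25000, "entered_by": "carol", "approvers": ["dave"]},
    {"invoice_id": "I4", "vendor_id": "V999", "amount": 300, "entered_by": "carol", "approvers": ["dave"]},
]

APPROVAL_LIMIT = 10_000  # assumed threshold above which two approvers are required


def find_exceptions(vendors, invoices, limit=APPROVAL_LIMIT):
    """Return {invoice_id: [flags]} for invoices that breach a control expectation."""
    created_by = {v["vendor_id"]: v["created_by"] for v in vendors}
    exceptions = {}
    for inv in invoices:
        flags = []
        creator = created_by.get(inv["vendor_id"])
        approvers = set(inv["approvers"])
        # Invoice references a vendor that was never added to the master file.
        if creator is None:
            flags.append("vendor_not_in_master")
        # Segregation of functions: the person who added the vendor should not
        # also enter or approve that vendor's invoices.
        elif creator == inv["entered_by"] or creator in approvers:
            flags.append("vendor_creator_in_invoice_flow")
        # Review and approval must be performed by someone other than the preparer.
        if not approvers:
            flags.append("unapproved")
        elif inv["entered_by"] in approvers:
            flags.append("self_approval")
        # Limited approval authority: large amounts need two distinct approvers.
        if inv["amount"] > limit and len(approvers) < 2:
            flags.append("dual_authorization_missing")
        if flags:
            exceptions[inv["invoice_id"]] = flags
    return exceptions


if __name__ == "__main__":
    for invoice_id, flags in find_exceptions(VENDORS, INVOICES).items():
        print(invoice_id, ", ".join(flags))
```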

Organizations face ongoing challenges related to fraud risk. Understanding its unique nature and using effective tools can enhance an organization’s ability to prevent and detect fraud.

By taking a proactive approach with a targeted fraud risk assessment, your organization can be ready to respond quickly to any fraud incident.
