

It is not possible to eliminate fraud risk in any given area other than to avoid it altogether. A company may choose not to deal with a particular vendor or purchaser. It may choose not to acquire assets that need a high level of protection, or not to expand or do business in an unstable country. Alternatively, it may select an exit strategy if the risk is found to be too great. Avoidance would have been the result of either a formal or informal risk assessment: a risk analysis would have been considered and found that the cost outweighs the benefits.

Some risks will be assumed without additional control features being implemented, since the cost of implementation would be higher than the expected loss. For example, banks issuing credit cards may be able to reduce fraudulent charges if they implement new high-tech security measures, but the cost in terms of dollars or customer inconvenience would be higher than the cost of fraudulent transactions. Fraud is a cost of doing business and it needs a cost-to-benefit or return-on-investment analysis. The risk assessment aids in the determination of the level of controls to implement while balancing acceptable risk tolerance against costs of reducing the risk.

Risk = Impact × Probability (threats and vulnerabilities)

In most cases, the company will seek to mitigate the risks by implementing controls. These could be preventative, monitoring, or detection controls. Risk can also be mitigated by purchasing insurance or, in the case of certain employees, requiring them to be bonded.

It may be determined that costs exceed the benefits of preventing fraud in a particular area. However, investments in measures to detect rather than prevent the fraud may be an acceptable risk given the lower costs and likelihood of high losses. Detective measures must also be factored into any risk assessment.

The decision on how far to go will depend on the risk assessment and the reason for performing the risk assessment. It is a management decision as to what level to take the response to the risk of fraud. The decision will be primarily based on why the fraud risk assessment was undertaken in the first place. Was it due to audit or regulatory requirements? Was it management's desire to evaluate the internal control system? Was it to reduce the cost of fraud?

A risk assessment will identify potential areas of fraud, whether internal or external, direct or indirect, and how vulnerable the organization is or how likely the threat is to occur. Factors that determine the probability component include:

- The industry or nature of the business

- The values and ethics of senior management and employees

- Internal controls—preventive and detective

- Business environment—local versus multinational, small versus large, brick-and-mortar versus Internet, geographic location, economic conditions

- Likelihood

  - Industry trends

  - History

  - Resources

  - Internal control

  - Complexity

  - Volume

  - Standards

  - Whistleblower

  - Complaints

  - Moral

- Impact

  - Value

  - Maximum exposure

Other issues that must be considered when performing a risk assessment include the possibility of adverse publicity resulting in a loss of consumer confidence, potential lawsuits, violating laws, and the overall impairment to carrying on normal business.

Appendix D of Managing the Business Risk of Fraud [6] is an excellent example of the fraud-risk assessment framework for revenue recognition risk that can be used as a template for any organization. It can also be modified to encompass any type of risk.

The template lists various fraud risks and schemes and then associates the following with each of the schemes:

- Likelihood of occurrence

- Significance to the organization

- People and/or department subject to the risk

- Existing antifraud internal controls

- Assessment of internal control effectiveness

- Residual risks

- Fraud-risk response


Understanding what fraud is and the types of frauds allows us to focus on occupational fraud in this book. Being able to assess fraud risk provides us with priorities as to where to invest time and resources to have the largest impact in detecting and reducing incidents of fraud.


1. Black's Law Dictionary, "What Is FRAUD?," accessed June 17, 2013, thelawdictionary.org/fraud-2.

2. Steve W. Albrecht et al., Fraud Examination, 4th ed. (Mason, OH: Cengage Learning, 2012).

3. "Association of Certified Fraud Examiners—2012 Report to the Nations," accessed June 17, 2013,

4. Ibid.

5. Andrew Valentine, "Case Study: Pro-Active Log Review Might Be a Good Idea," Verizon Enterprise Solutions, accessed April 24, 2014, blog/index.xml?postid=1626.

6. Institute of Internal Auditors, the American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide, fraud%2 0paper.pdf.
