The Big “R”
Three key elements of fraud risk assessment
Organizations that have not performed a fraud risk assessment may be two-thirds more likely to suffer a fraud-related event, states KPMG-endowed fraud and forensic accounting professor Larry Crumbley. Learn the three key elements that a company’s fraud risk assessment should address.
Ernst & Young found that organizations that had not performed fraud vulnerability reviews were almost two-thirds more likely to have suffered a fraud within the past 12 months. An organization’s profile of business risks should be comprehensive and include consideration of fraud. Appropriate accounting systems need to be in place to effectively manage the risks. Risk assessment services should include identification and assessment of the primary potential risks faced by the business, independent assessment of risks identified by an entity, and evaluation of an entity’s systems for identifying and limiting risks. Possible ways to mitigate risks should be identified, such as installing risk-reduction systems and processes, transferring or sharing the risks, and avoiding the risks.
A fraud risk assessment should include three key elements:¹
- Identify inherent fraud risk. Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.
- Assess likelihood and significance of inherent fraud risk. Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff (including business process owners).
- Respond to reasonably likely and significant inherent and residual fraud risks. Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.
A forensic accounting novel explains the various types of risks in an organization as many small risks, some moderate risks, and one or two huge risks. The “Big R” can destroy an organization (e.g., Arthur Andersen, WorldCom and Enron). Risks can be classified as operational, financial reporting, and compliance. Fleet Walker, an imaginary internal auditor for the New York Yankees, gives this description of his risk assessment:²
Fleet [Walker] realized the importance of risk assessment. Resources are scarce in any organization and especially in an internal auditing department. They must be spent wisely where they will do the most good. Risk assessments allow the internal auditor to identify the parts of the organization that are the most risky and to then allocate precious audit resources to ensure the risk associated with those areas is addressed. Fleet annually broke down the Yankee organization into “Auditable Units” and then ranked each auditable unit in terms of riskiness. Fleet measured risk using several “risk factors” such as “impact on operations and customer satisfaction,” “legal impact,” “degree of computerization,” “recent organizational or technological change,” and “time since last audit.” Audits were placed on the audit schedule based on their total ranking. Fleet was proud of this system because he had purposely designed the risk factors to measure operational and compliance risks.
D. Larry Crumbley is a KPMG-endowed professor at Louisiana State University and co-author of the Forensic & Investigative Accounting textbook published by Commerce Clearing House. He is the author of 13 novels, most having the main character of a forensic accountant. He can be contacted at dcrumbl@lsu.edu.
1 Institute of Internal Auditors, American Institute of Certified Public Accountants, Association of Certified Fraud Examiners. “Section 2: Fraud Risk Assessment.” http://www.cafe.com/documents/managing-business=risk.pdf.
2 D.L. Crumbley, D.E. Ziegenfuss, and J.J. O’Shaughnessy, The Big R: A Forensic Accounting Action Adventure (Durham, NC: Carolina Academic Press, 2008): 75.