Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].
Context: Fraud risk assessments performed by internal auditors are designed to identify a company’s vulnerabilities to internal and external fraud, including embezzlement, asset misappropriation, misstatement of financial information, corruption and cybercrime. According to a position paper by The Institute of Internal Auditors, “organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls.”
- A fraud risk management guide produced by the Committee of Sponsoring Organizations (COSO) and the Association of Certified Fraud Examiners (ACFE) states that organizations perform “comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.”
Member question: “Have you typically completed fraud risk assessments based on a company-wide perspective or have you started with a smaller group or portion of the business? IA has not executed one at my company since I have been here, so I’m looking for how this has been approached elsewhere to determine if we can narrow the scope.”
Peer answer 1: “We do a company-wide fraud risk assessment via survey and leverage the ACFE model, tailored for our business. While we include functions across the company, we only survey 55 to 60 cross-functional representatives to complete the survey.”
Peer answer 2: “We do a company-wide one for Sarbanes-Oxley (SOX) focused on financial reporting fraud risk. For operational fraud risk, it’s audit by audit (we require every team to assess fraud risk in the risk control matrix). We just completed a procurement fraud review which was basically a procurement fraud risk assessment plus walk-throughs of key controls.”
Peer answer 3: “Rather than focus on groups or portions of the business, we do ours based on a combination of 23 general fraud schemes that are applicable (e.g., channel partner fraud, government contract noncompliance, manipulation of estimates/reserves, off-balance sheet activity, expense reimbursements), results of relevant investigations that occurred during the year, and emerging trends.
- “We then assign a risk level to each, identify risk mitigations (primarily by mapping them to existing SOX controls), and then flag the schemes with no or insufficient mitigating activities and controls. The flagged areas are either escalated to management for consideration of new risk mitigations or considered as auditable areas as we develop and update our audit plan.”
Peer answer 4: “Our fraud risk assessments are conducted annually with a company-wide perspective to satisfy our entity-level SOX control and to give EY info to modify their audit scope if needed. This approach involves:
- “Considering enterprise risk management assessment results.
- “Conducting surveys to gauge employees’ perspectives on the company’s fraud risk management as well as the company culture on fraud.
- “Identifying processes with high inherent fraud risks for focused analytics. There were 11 this year, but we did analytics on higher inherent risks and where actual fraud happened, assessing the effectiveness of existing controls for these areas.”
NeuGroup Insights asked the member who posed the question for an update. She said, “We have decided to move forward with a company-wide fraud risk assessment in order to perform a more comprehensive assessment. We have not begun the project yet, so there is a possibility the scope will be narrowed slightly.
- “The approach will be to conduct three to five brainstorming sessions with cross-functional groups to obtain input on possible fraud risks and scenarios. In future years, perhaps, I would hope we transition to a survey approach, but that is just a preliminary thought.”