Forensic Auditing - Chapter 5

The document discusses fraud risk assessment best practices. It notes that the AICPA adopted risk assessment standards in 2006 focusing on risk-based audits and internal controls. A fraud risk assessment should consider probability and impact of events, and factors like corporate environment, internal controls, and likely fraud schemes. Best practices include designating assessment leaders and teams, conducting assessments regularly and aligning them with financial reporting, and using checklists to document the assessment process and identified risks.

Uploaded by

Salsa Ardila

FRAUD RISK ASSESSMENT

The American Institute of Certified Public Accountants (AICPA) adopted the ‘‘Risk
Suite’’ of standards, Statement on Auditing Standards (SAS) Nos. 104–111 in 2006. Broadly
speaking, the Risk Suite addresses risk assessment in the context of financial statement audits
and internal control. Like AS5, the Risk Suite includes an emphasis on a holistic, top-down,
risk-based audit approach including a thorough knowledge of the entity’s environment and its
internal controls.
The fundamental concepts of risk assessment are probability (the chance an event will
occur) and impact (the magnitude of the event if it occurs). If the circumstances warrant it,
based on a risk assessment during brainstorming and subsequent knowledge and results from
procedures

RISK ASSESSMENT FACTORS


The fundamental concepts of risk assessment are probability (the chance an event will
occur) and impact (the magnitude of the event if it occurs). Factors can be considered on many
levels, including entity, people (behavioral), divisions, geographies, products or services,
accounting or business processes, controls, or computerized systems. However the process
begins, different perspectives should be included and examined in the risk assessment
process, including how entity management incorporates risk management best practices.
• Corporate Environment Factors
A risk assessment should take into account the level of assessed fraud risk in the
entity's industry. The 2008 RTTN results, by industry frequency, are:
➢ Banking/Financial services (14.5% of all cases reported)
➢ Government/Public administration (11.7%)
➢ Health care (8.4%)
➢ Manufacturing (7.2%)
➢ Retail (7%)

Risk assessment should also consider the current economy. Conventional wisdom
among members of the audit and security communities suggests that the organizations most
vulnerable are those with the weakest management, accounting, and security controls.

• Internal Factors
Internal factors that enhance the probability of fraud, theft, and embezzlement include
inadequate management controls or monitoring activities such as the following:
(1) Failure to create an honest culture
(2) Failure to articulate and communicate minimum standards of performance and personal conduct
(3) Inadequate orientation and training on legal, ethical, fraud, and security issues
(4) Inadequate company policies with respect to sanctions for legal, ethical, and security breaches, especially for frauds and white-collar crimes
(5) Failure to counsel and take administrative action when performance level or personal behavior falls below acceptable standards or violates entity principles and guidelines
(6) Ambiguity in job roles, duties, responsibilities, and areas of accountability
(7) Lack of timely or periodic audits, inspections, and follow-through to ensure compliance with entity goals, priorities, policies, procedures, and governmental regulations; generally speaking, a lack of accountability over key positions of trust
• Fraud Factors
Any risk assessment should also consider the fraud schemes that are more likely to
occur in order to guide the antifraud program. Prevention and detection
countermeasures are certainly more effective if they address the most likely fraud
schemes to be committed.

RISK ASSESSMENT BEST PRACTICES


In order to develop an effective risk assessment, management should take a conscientious,
formal approach rather than an ad hoc approach. That approach includes the people and the
process.
1. Leader(s)
2. Team
3. Frequency and Alignment with Finance

RISK MANAGEMENT CHECKLISTS AND DOCUMENTATION


The checklist is designed to assist accountants in assessing and managing the risk of fraud
in their organizations and those of their clients. This checklist is intended for general use only.
While the use of the checklist helps ensure adequate factors are considered, using the checklist
does not guarantee fraud prevention or detection and the checklist is not intended as a substitute
for audit or similar procedures.
• Fraud Schemes Checklist
The columns of this form of risk assessment are:
(1) The fraud scheme
(2) An assessment of inherent risk for that fraud in the particular entity or business process
(3) The mitigating effect that internal controls have on that risk
(4) The ‘‘residual risk’’ left over after the mitigation by existing internal controls related to this fraud scheme in this entity or business process
(5) The business processes where the scheme is likely to occur, if it does occur
(6) The red flags that could be used to detect this scheme
• Different Entities to Assess
If an organization is large enough, a single risk assessment may not be as useful as
separate risk assessments. In this case, it is recommended that a different assessment
and team be used for each major business unit, each significant business process that
crosses business units, the corporate unit (executives, etc.), and any other entity or
element that the leaders and team identify.
• Fraud Schemes
Using other taxonomies, or good judgment about specific schemes that are risks to this
particular industry or entity, one should make any necessary additions or deletions.
Herein is the value of using brainstorming—teams using shared criteria to make sure
that important schemes are not missed and that irrelevant schemes are not considered
(at least for specific entities certain fraud schemes may be irrelevant).
• Measures and Relationships
Measuring risk in a quantitative sense is usually quite difficult. Some base must be used
as a corollary to the impact of potential losses of a possible fraud. Such a determination
should be made and agreed on by the team according to shared, planned criteria.
• Inherent Risk
The team should determine what the inherent risk is for this fraud scheme for this entity
or business process. The assessment could be a probability (1 to 100 percent) or simply
low, medium, or high risk.
• Controls Assessment
Auditors and other key people on the team should determine what controls are in place
to mitigate the specific fraud scheme.
• Residual Risk
A simple mathematical function of subtracting the level of control mitigation from the
inherent risk will leave the residual risk. Residual risk will inevitably require one of
two responses: no action, as the remaining risk is accepted, or action to mitigate or
remediate through additional prevention or detection procedures (even potentially
including the purchase of insurance).
• Business Processes
The business process owner should be documented as the responsible party for the area
and, if applicable, for responding to unacceptable residual risk.
• Red Flags
Here the team would identify the red flags that could be associated with the scheme.
This documentation is a starting point for fraud prevention or detection procedures.
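The checklist columns and the residual-risk rule described above, as an added Python example that is not from the chapter: each row carries the scheme, inherent risk, control mitigation, business process, owner and red flags, and residual risk is inherent risk minus mitigation. The tolerance threshold, the low/medium/high-to-number mapping and the sample rows are constructed assumptions, not figures from the text.

```python
"""Fraud-schemes checklist kept as a small risk register (constructed example)."""
from dataclasses import dataclass, field

# Assumed mapping for the ordinal scale the chapter allows instead of percentages.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def to_score(value):
    """Map either a 1-100 percent probability or low/medium/high onto 0..1."""
    if isinstance(value, str):
        return LEVELS[value.lower()] / 3.0
    if not 1 <= value <= 100:
        raise ValueError("percent must be within 1..100")
    return value / 100.0


@dataclass
class SchemeRow:
    scheme: str
    inherent: object            # percent (1-100) or "low"/"medium"/"high"
    mitigation: object          # same scale: how far existing controls offset the risk
    process: str                # business process where the scheme would occur
    owner: str                  # process owner responsible for responding
    red_flags: list = field(default_factory=list)

    def residual(self):
        """Residual risk = inherent risk minus control mitigation, floored at zero."""
        return max(0.0, round(to_score(self.inherent) - to_score(self.mitigation), 2))


def response(row, tolerance):
    """Team-agreed criterion (assumed): accept residual risk at or below tolerance, else act."""
    return "accept" if row.residual() <= tolerance else "mitigate/remediate"


def assess(rows, tolerance=0.25):
    """Return one tuple per row: scheme, process, owner, residual risk, required response."""
    return [(r.scheme, r.process, r.owner, r.residual(), response(r, tolerance)) for r in rows]


REGISTER = [  # constructed sample rows, not drawn from any real entity
    SchemeRow("Billing scheme (shell vendor)", 60, 40, "Accounts payable", "AP manager",
              ["vendor address matches an employee address", "invoices just under approval limit"]),
    SchemeRow("Skimming of cash receipts", "high", "medium", "Cash receipts", "Treasury lead",
              ["declining cash-to-sales ratio", "receipts not reconciled daily"]),
    SchemeRow("Expense reimbursement fraud", "low", "low", "Travel and expense", "Controller",
              ["duplicate receipts submitted"]),
]
```

Rows whose response is "mitigate/remediate" are the ones the documented process owner must act on; the others record accepted residual risk.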
