E.5 IIA’s Fraud Risk Assessment Tool

Background

  1. “Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving gain.”[1]

  2. Internal audit (IA) has an important role in assisting management with identifying potential frauds. The IIA Standard 2210.A2 requires that “internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.” Internal auditors should understand the characteristics of fraud, techniques used to commit fraud, and types of frauds associated with audited business units and processes.

  3. Increased legislation and regulatory requirements in many countries require the Office to understand and address risks of material misstatement due to fraud.

Objective

  1. The IIA's Fraud Risk Assessment (FRA) Tool is a subjective assessment that will assist the audit team with establishing the audit scope in the planning phase by identifying and evaluating fraud schemes that could enable fraud to occur within the business unit or process under audit.

Completion of the Fraud Risk Assessment Tool

Step 1—Event Identification and Assessment

  1. The objective of step 1 is to identify and assess fraud schemes that are relevant to the process or business area under audit. Complete step 1 during the audit planning phase.

  2. Assessing fraud risk is a subjective process, and internal auditors need to exercise professional skepticism when completing the FRA matrix. The initial assessment should consider inherent risk absent of any known controls that address the fraud risk factors identified in the audit. Complete step 1 concurrently with other IA planning activities. Gather input from management and the audit team members to enhance or modify this assessment as necessary throughout the planning phase. Consider information from the following audit documents and sources:

    • Risk assessment

    • Self-assessment questionnaire

    • Planning memorandum

    • Planning interviews with management

    • Entrance meeting

    • Prior audit reports

    • Special investigations

    • External auditor management letter

    • Other relevant quantitative/qualitative factors

Identify Fraud Schemes

  1. The FRA matrix contains a listing of categories and subcategories where fraud may occur within the Office. Review this listing in the FRA tool and identify the categories and subcategories that are applicable to the business unit or process under audit.

  2. Each category and subcategory in the FRA contains a listing of fraud schemes in the Fraud Schemes field. Review the listing of fraud schemes for each category or subcategory applicable to the process or business unit under audit. Identify which fraud schemes are applicable to the business unit or process under audit. Additional fraud schemes identified and not listed in the FRA can be added in the Other Fraud Schemes section.

  3. Mark inapplicable fraud schemes N/A in the following fields: (1) Likelihood, (2) Significance, and (3) People/Department.

Assess Fraud Schemes

  1. Assess the risk of fraud occurring for each applicable fraud scheme in the process or business unit under audit by completing the following fields in the FRA matrix: (1) Likelihood, (2) Significance, and (3) People/Department. Descriptions for evaluating fraud schemes are discussed below.

Likelihood

  1. Likelihood is the probability that the fraud scheme will lead to fraud occurring in the business process or unit under audit. Consider factors like past occurrences of the fraud scheme within the business unit or process, prevalence of the fraud scheme in the industry, the number of individual transactions in the business unit or process, the complexity of the risk, ability to convert highly liquid assets into cash, and the number of people reviewing and approving transactions or processes.

  2. Assign one of the following ratings for likelihood to each applicable fraud scheme:

    • Remote—A low risk exists of the fraud scheme occurring.

    • Reasonably Possible—A medium risk exists of the fraud scheme occurring.

    • Probable—A high risk exists of the fraud scheme occurring.

Significance

  1. Significance is the impact the fraud has on the Office if the business unit perpetrated the identified fraud scheme. The assessment of significance should include not only financial statement and monetary significance, but also significance to the organization’s operations, brand value, reputation, and regulatory liability (including civil and criminal violations).

  2. Assign one of the following ratings for significance to each applicable fraud scheme:

    • Immaterial—The fraud scheme, if perpetrated, has little or no impact on the Office’s financial statements or reputation.

    • Significant—The fraud scheme, if perpetrated, has a moderate impact on the Office’s financial statements or reputation.

    • Material—The fraud scheme, if perpetrated, has a major impact on the Office’s financial statements or reputation.

People/Department

  1. The risk assessment process includes evaluating the incentives and pressures on individuals and departments in order to assess who has the ability to commit a fraud. Document the individual or department that has the ability to commit a fraud in the process or business unit under audit. This information helps determine how to address specific fraud risks, if necessary.

Step 2—Evaluation of Existing Controls

  1. The objective of step 2 is to identify and evaluate internal controls in place that mitigate fraud schemes. Complete step 2 after completing step 1.

  2. Identify the schemes that had a “probable” likelihood rating and/or “material” significance rating from step 1.

Identify Existing Antifraud Controls that Mitigate Fraud Schemes

  1. In the Existing Antifraud Controls field, list the existing internal controls that mitigate fraud risk schemes with a “probable” likelihood rating and/or “material” significance rating. Consider utilizing and linking other audit planning documents to controls that address identified risks.

  2. The internal control mapping occurs after fraud risks are identified and assessed for likelihood and significance. By progressing in this order, the framework intends for the internal audit team to assess identified fraud risks on an inherent basis, without consideration of internal controls.

Assessment of Internal Controls that Mitigate Fraud Schemes

  1. Evaluate whether the identified controls are properly designed and operate effectively to mitigate fraud risks as intended for each fraud scheme with a “probable” likelihood rating and/or “material” significance rating.

  2. Assign one of the following ratings for internal control effectiveness in the Control Design and Effectiveness Assessment field:

    • Effective—The internal controls are designed appropriately and operate effectively to mitigate fraud risks as intended.

    • Ineffective—The internal controls are inappropriately designed and/or operate ineffectively. They do not mitigate fraud risks as intended.

Step 3—Planned Audit Responses and Communications

  1. The objective of step 3 is to: (1) determine how to address each fraud risk scheme where internal controls are ineffective at preventing fraud and (2) communicate the fraud to the fraud investigations department or fraud risks to management. Complete step 3 after completing step 2.

  2. The nature and extent of the specific procedures to be considered depend on the audit client. Procedures to consider that address fraud risk include modifying existing audit procedures, developing additional audit testing procedures, or recommending that the business unit implement additional controls.

Address the Fraud Schemes with Ineffective Internal Controls

  1. Identify the fraud schemes with an “ineffective” rating in the Control Design and Effectiveness Assessment field.

  2. In the Comments field, document how the audit addressed each fraud risk scheme with ineffective controls. This includes any written comments and/or links to relevant audit planning documents and audit testing workpapers that address fraud schemes with ineffective internal controls.
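The three steps above define a small set of consistency rules for each row of the FRA matrix: N/A applies to all three step 1 fields or none, step 2 is completed only for schemes rated “probable” and/or “material”, and step 3 requires a documented response wherever controls are rated “ineffective”. The following Python model of the matrix, written for this page as an illustration rather than taken from the IIA tool, encodes those rules and triages constructed sample rows; the field names and sample schemes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Scheme:
    name: str
    likelihood: Optional[str]                      # Step 1: Remote / Reasonably Possible / Probable, None = N/A
    significance: Optional[str]                    # Step 1: Immaterial / Significant / Material, None = N/A
    people: Optional[str]                          # Step 1: People/Department, None = N/A
    controls: list = field(default_factory=list)   # Step 2: Existing Antifraud Controls
    control_rating: Optional[str] = None           # Step 2: Effective / Ineffective
    comments: str = ""                             # Step 3: Comments

def needs_control_review(s):
    # Step 2 is only performed for schemes rated Probable and/or Material in Step 1.
    return s.likelihood == "Probable" or s.significance == "Material"

def validate(s):
    # Completeness rules for one matrix row; an empty list means the row is consistent.
    issues = []
    step1 = (s.likelihood, s.significance, s.people)
    if all(v is None for v in step1):
        return issues                              # N/A in all three fields: nothing more to fill in
    if any(v is None for v in step1):
        issues.append("Step 1: N/A must be marked in all three fields or none")
    if needs_control_review(s):
        if not s.controls:
            issues.append("Step 2: no existing antifraud controls listed")
        if s.control_rating not in ("Effective", "Ineffective"):
            issues.append("Step 2: control design/effectiveness rating missing")
        elif s.control_rating == "Ineffective" and not s.comments.strip():
            issues.append("Step 3: Comments must document the audit response")
    return issues

def triage(schemes):
    # Rows still needing Step 2 work, rows needing a Step 3 response, and malformed rows.
    review = [s for s in schemes if needs_control_review(s)]
    return {
        "control_review": [s.name for s in review],
        "audit_response": [s.name for s in review if s.control_rating == "Ineffective"],
        "issues": {s.name: validate(s) for s in schemes if validate(s)},
    }

# Constructed sample rows (not from the IIA tool), one per outcome.
SAMPLE = [
    Scheme("Fictitious vendor", "Probable", "Material", "Accounts payable clerk",
           ["Vendor master change approval"], "Ineffective"),
    Scheme("Expense report padding", "Reasonably Possible", "Significant", "All staff"),
    Scheme("Inventory theft", None, None, None),
]
```

Running `triage(SAMPLE)` lists the fictitious-vendor scheme under both control review and audit response and flags its empty Comments field, while the N/A row and the medium-rated row produce no findings.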

Audit Communications

  1. Any fraud uncovered by the internal audit team during the audit must be communicated to the fraud investigations department. Consider also whether management needs to know about any fraud risks identified during the audit. Ensure that any communications about fraud to the fraud investigations department or fraud risk to management are documented in the audit testing working papers linked to the FRA.

Note: The internal audit team should consider the risk of fraud throughout the audit. Consider whether the assessment of previously identified risks is changed or additional fraud risks are uncovered during the audit. Modify the FRA as necessary throughout the audit to address fraud risk.

[1] The Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, “Managing the Business Risk of Fraud: A Practical Guide,” July 2008.

Last modified: 2018-03-06