
Fraud risk assessment: building a framework that does more than tick boxes
Most fraud risk assessments are a one-page document that lists 'segregation of duties' under every process and gets refreshed annually. That document does not prevent fraud. Here is what a real framework looks like.
Every audit committee we have presented to in the last five years has, at some point in the meeting, asked the same question. 'Do we have a fraud risk assessment?' The CFO points to a document, typically a one-page Excel file with processes listed in column A, risks in column B, and 'segregation of duties' or 'maker-checker' in column C. The committee nods. The agenda moves on.
That document is not a fraud risk assessment. It is a checkbox in support of the auditor's compliance with Standard on Auditing 240 (The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements). It does not identify fraud risk at a granular enough level to be operational, and it does not score the risks in a way that lets management decide where to invest in controls.
We build fraud risk assessments that do something different. They are scoped to the actual fraud schemes the business is susceptible to, aligned to the COSO internal control framework, and informed by the ACFE Report to the Nations, which is the most reliable empirical source on how fraud actually occurs.
The three sources of fraud risk
COSO's fraud risk management guide, co-authored with ACFE, splits fraud risk into three sources. Most internal frameworks collapse these into one bucket, which is the first analytical mistake.
Financial reporting fraud. Misstatement of financial results, typically by management, to meet earnings expectations or covenant thresholds. Channel stuffing, revenue cut-off manipulation, expense capitalisation, reserve manipulation, off-balance-sheet structures.
Asset misappropriation. Theft of cash, inventory, or other assets, typically by employees. Skimming, larceny, payroll fraud, expense reimbursement fraud, inventory theft.
Corruption. Use of company resources or position for private gain, typically involving a third party. Kickbacks, bid rigging, conflicts of interest, bribery.
Each of these has different perpetrators, different control environments, different detection signals, and different remediation paths. A fraud risk assessment that does not separate them produces controls that are too generic to be useful.
Risk assessment by process
The fraud risk assessment we build maps each in-scope process to specific fraud schemes that could occur within that process. Not generic categories. Specific schemes with a named perpetrator profile.
Revenue recognition fraud
Channel stuffing. Sales team books revenue at quarter-end by shipping product to distributors who have agreed to return it the following quarter. The shipment is documented, the revenue is recognised, the return is processed quietly later.
Side letters. A sales executive offers a customer a return right or an extended payment term in writing, not disclosed to finance. The revenue is recognised at full value; the practical economics resemble a consignment.
Cut-off manipulation. Shipments are held in the dispatch dock past quarter-end and dated as if shipped before it. Or the reverse — early-shipped goods are dated forward into the next period to smooth revenue.
Long-form services revenue. For percentage-of-completion contracts measured on a cost-to-cost basis, the estimate of total cost is understated (or costs incurred are pulled forward) so that the percentage complete, and therefore the revenue recognised, runs ahead of actual progress.
Each of these has a different control. Channel stuffing is detected by post-quarter return rate analysis. Side letters are detected by sales team surveys and by customer confirmations that explicitly ask about undisclosed terms. Cut-off manipulation is detected by physical observation at the shipping dock and bill-of-lading reconciliation. Over-estimated progress on long-form contracts is detected by project review with independent estimators.
Procurement fraud
Kickbacks. A procurement manager directs purchases to a vendor who pays them privately. Detected by vendor concentration analysis (one buyer approving an unusually large share of spend with a single vendor), unexplained vendor-price increases, and vendor master review for vendors whose phone numbers or addresses match employee records.
Phantom vendors. A buyer creates a fictitious vendor, processes invoices, and routes payment to a controlled bank account. Detected by vendor master analytics: vendors with no GST registration, vendors whose invoice numbers to the company run consecutively despite weeks or months between invoices (which suggests the company is their only customer), and vendors that have never been visited or inspected.
Bid rigging. Two or more vendors coordinate on bid prices to maintain artificially high pricing. Detected by price benchmarking, RFP-response timing analysis, and vendor relationship mapping.
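The vendor master analytics listed above are easy to describe and rarely actually run. The following is an added example, not code from the original article or from any tool it describes: it implements four of the indicators (employee contact matches, missing GST registration, consecutively numbered invoices across long gaps, and single-buyer spend concentration) over a constructed vendor master, employee file, invoice list and purchase-order list. The field names, the 80% concentration threshold, the 25,000 minimum spend and the 60-day span are assumptions chosen for the illustration.

```python
"""Vendor master and spend analytics for procurement fraud indicators.

All data below is constructed for the example. V-002 is built to trip
every indicator; V-001 and V-003 are ordinary vendors.
"""
import re
from collections import defaultdict
from datetime import date

EMPLOYEES = [
    {"id": "E-17", "phone": "+91 98765 43210", "address": "12 Lake View Rd, Pune"},
    {"id": "E-42", "phone": "+91 91234 56789", "address": "4 MG Road, Bengaluru"},
]

VENDORS = [
    {"id": "V-001", "gstin": "27AAACB1234F1Z5", "phone": "020 2567 1234", "address": "Plot 9, MIDC, Pune"},
    {"id": "V-002", "gstin": "", "phone": "98765-43210", "address": "12 LAKE VIEW RD PUNE"},
    {"id": "V-003", "gstin": "29AABCD5678E1Z2", "phone": "080 4000 1000", "address": "7 Whitefield, Bengaluru"},
]

INVOICES = [
    {"vendor": "V-001", "number": "A7781", "date": date(2024, 1, 10)},
    {"vendor": "V-001", "number": "A7912", "date": date(2024, 2, 11)},
    {"vendor": "V-001", "number": "A8105", "date": date(2024, 3, 15)},
    # Consecutive numbers months apart: nobody else is being invoiced.
    {"vendor": "V-002", "number": "INV-101", "date": date(2024, 1, 15)},
    {"vendor": "V-002", "number": "INV-102", "date": date(2024, 3, 2)},
    {"vendor": "V-002", "number": "INV-103", "date": date(2024, 5, 20)},
]

PURCHASE_ORDERS = [
    {"vendor": "V-001", "buyer": "B-01", "amount": 50_000.0},
    {"vendor": "V-001", "buyer": "B-02", "amount": 45_000.0},
    {"vendor": "V-002", "buyer": "B-01", "amount": 30_000.0},
    {"vendor": "V-002", "buyer": "B-01", "amount": 32_000.0},
    {"vendor": "V-003", "buyer": "B-02", "amount": 4_000.0},
]


def normalise_phone(raw):
    """Keep digits only and compare on the last ten (drops country code)."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else digits


def normalise_address(raw):
    """Lower-case alphanumerics only, so punctuation and case differences match."""
    return re.sub(r"[^a-z0-9]", "", (raw or "").lower())


def employee_matches(vendors, employees):
    """Vendors whose phone or address equals an employee's after normalisation."""
    phones = {normalise_phone(e["phone"]): e["id"] for e in employees}
    addrs = {normalise_address(e["address"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        p, a = normalise_phone(v["phone"]), normalise_address(v["address"])
        if p and p in phones:
            hits.append((v["id"], "phone", phones[p]))
        if a and a in addrs:
            hits.append((v["id"], "address", addrs[a]))
    return hits


def missing_gst(vendors):
    """Vendors with no GST registration on the master record."""
    return [v["id"] for v in vendors if not v.get("gstin")]


def sequential_invoices(invoices, min_span_days=60):
    """Vendors whose invoice numbers step by exactly one across a long period."""
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv["vendor"]].append(inv)
    flagged = []
    for vendor, invs in by_vendor.items():
        invs.sort(key=lambda i: i["date"])
        if len(invs) < 3:
            continue  # too few invoices to call a pattern
        nums = [re.sub(r"\D", "", i["number"]) for i in invs]
        if not all(nums):
            continue  # non-numeric scheme, cannot assess
        step_one = all(int(b) == int(a) + 1 for a, b in zip(nums, nums[1:]))
        span = (invs[-1]["date"] - invs[0]["date"]).days
        if step_one and span >= min_span_days:
            flagged.append(vendor)
    return flagged


def buyer_concentration(pos, threshold=0.8, min_spend=25_000.0):
    """Vendors where one buyer approved at least `threshold` of material spend."""
    spend = defaultdict(lambda: defaultdict(float))
    for po in pos:
        spend[po["vendor"]][po["buyer"]] += po["amount"]
    flagged = []
    for vendor, by_buyer in spend.items():
        total = sum(by_buyer.values())
        buyer, top = max(by_buyer.items(), key=lambda kv: kv[1])
        if total >= min_spend and top / total >= threshold:
            flagged.append((vendor, buyer, round(top / total, 2)))
    return flagged


if __name__ == "__main__":
    print("employee matches:", employee_matches(VENDORS, EMPLOYEES))
    print("no GSTIN:", missing_gst(VENDORS))
    print("sequential invoices:", sequential_invoices(INVOICES))
    print("buyer concentration:", buyer_concentration(PURCHASE_ORDERS))
```

None of these indicators is conclusive on its own; a vendor that trips two or three of them is what the procurement review should open with. The normalisation step matters in practice: the same address keyed twice by different clerks rarely matches byte-for-byte.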
Payroll fraud
Ghost employees. Names on the payroll who do not work at the company, with salary routed to an accomplice's account. Detected by HR-payroll reconciliation, biometric attendance cross-check, and bank account uniqueness analysis.
Inflated overtime. Field employees claim overtime that was not worked. Detected by overtime pattern analysis (same employees, same hours, same approver) and supervisor approval audit.
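The payroll tests above reduce to joins between systems that are normally reconciled only in aggregate. The block below is an added example, not code from the original article: it runs the HR-to-payroll reconciliation, the bank account uniqueness check, the attendance cross-check and the repeated overtime pattern test over a constructed HR master, payroll register, attendance summary and overtime claim list. Field names, the one-period attendance basis and the three-period repeat threshold are assumptions for the illustration.

```python
"""Payroll fraud analytics over constructed sample data.

E-103 is a terminated employee still being paid into E-102's account;
E-104 exists only in payroll. E-102 also claims identical overtime every
month, approved by the same supervisor.
"""
from collections import defaultdict

HR_MASTER = [
    {"id": "E-101", "status": "active"},
    {"id": "E-102", "status": "active"},
    {"id": "E-103", "status": "terminated"},
]

PAYROLL = [
    {"emp_id": "E-101", "period": "2024-04", "bank_account": "ACC-1001", "net_pay": 62_000},
    {"emp_id": "E-102", "period": "2024-04", "bank_account": "ACC-1002", "net_pay": 58_000},
    {"emp_id": "E-103", "period": "2024-04", "bank_account": "ACC-1002", "net_pay": 41_000},
    {"emp_id": "E-104", "period": "2024-04", "bank_account": "ACC-1009", "net_pay": 39_000},
]

# Biometric attendance summarised as days present per employee per period.
ATTENDANCE = [
    {"emp_id": "E-101", "period": "2024-04", "days": 20},
    {"emp_id": "E-102", "period": "2024-04", "days": 21},
]

OVERTIME_CLAIMS = [
    {"emp_id": "E-101", "period": "2024-01", "hours": 6, "approver": "S-03"},
    {"emp_id": "E-101", "period": "2024-03", "hours": 11, "approver": "S-03"},
    {"emp_id": "E-102", "period": "2024-01", "hours": 20, "approver": "S-07"},
    {"emp_id": "E-102", "period": "2024-02", "hours": 20, "approver": "S-07"},
    {"emp_id": "E-102", "period": "2024-03", "hours": 20, "approver": "S-07"},
    {"emp_id": "E-102", "period": "2024-04", "hours": 20, "approver": "S-07"},
]


def payroll_without_hr(hr_master, payroll):
    """Employee IDs paid this period with no active HR record: ghost candidates."""
    active = {e["id"] for e in hr_master if e["status"] == "active"}
    return sorted({p["emp_id"] for p in payroll} - active)


def shared_bank_accounts(payroll):
    """Bank accounts that receive net pay for more than one employee ID."""
    owners = defaultdict(set)
    for p in payroll:
        owners[p["bank_account"]].add(p["emp_id"])
    return {acct: sorted(ids) for acct, ids in owners.items() if len(ids) > 1}


def paid_without_attendance(payroll, attendance):
    """(employee, period) pairs paid with zero recorded attendance."""
    present = {(a["emp_id"], a["period"]): a["days"] for a in attendance}
    return sorted(
        (p["emp_id"], p["period"])
        for p in payroll
        if present.get((p["emp_id"], p["period"]), 0) == 0
    )


def repetitive_overtime(claims, min_periods=3):
    """(employee, hours, approver) triples repeated across >= min_periods periods."""
    pattern = defaultdict(set)
    for c in claims:
        pattern[(c["emp_id"], c["hours"], c["approver"])].add(c["period"])
    return {k: sorted(v) for k, v in pattern.items() if len(v) >= min_periods}


if __name__ == "__main__":
    print("in payroll, not in HR:", payroll_without_hr(HR_MASTER, PAYROLL))
    print("shared accounts:", shared_bank_accounts(PAYROLL))
    print("paid, never present:", paid_without_attendance(PAYROLL, ATTENDANCE))
    print("repeated overtime:", repetitive_overtime(OVERTIME_CLAIMS))
```

A terminated employee who is still paid is the most common form of ghost, so the reconciliation should compare against HR status, not merely against the existence of an HR record. The overtime test groups on the approver deliberately: identical hours approved by the same person each month is a supervisor control failure as much as an employee claim problem.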
Inventory fraud
Write-off cover. Inventory shrinkage from theft is masked by writing it off as obsolete or damaged. Detected by write-off concentration analysis and physical count reconciliation.
Cycle-count manipulation. Counts are adjusted at month-end to hide shortages, with the reconciliation back-fitted to the system balance.
Quantitative scoring
Each fraud scheme is scored on three axes: likelihood (how plausible the scheme is given the current environment), impact (the financial and reputational cost if it occurs), and velocity (how quickly the scheme can scale before being detected).
Likelihood is informed by the ACFE base rate for that scheme, adjusted for the company's specific risk factors. Impact is computed against the company's materiality threshold. Velocity is derived from the assumed time to detection: a scheme that can run undetected for a year scores higher than one that the next month-end close would surface.
The product of the three scores gives a fraud risk score per scheme. Schemes with scores above a defined threshold get a control. Schemes below the threshold get monitoring. Schemes well below it are accepted as residual risk and recorded as such.
This is where the framework stops being a one-page document and starts being an investment decision. Where the score is highest, the company invests in controls. Where it is low, the company accepts the risk. The audit committee sees the scoring and can challenge it.
The 'segregation of duties' problem
Segregation of duties (SoD) is a control. It is not a fraud risk assessment. When an SoD matrix shows up in column C of every row, the framework has stopped doing assessment work and started doing documentation work.
Real SoD analysis identifies the specific incompatible duty pairings — vendor master creation and invoice approval, customer credit limit setting and order release, journal entry preparation and journal entry approval — and tests whether the ERP roles violate any of them. In our experience, most ERPs have between 20 and 80 active SoD violations at any given time, often with workarounds in place that are not documented.
An SoD analysis that finds no violations is not a passing grade. It is a sign the analysis was not deep enough.
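The difference between an SoD matrix in column C and an SoD analysis is that the analysis is executed against actual role assignments. The following is an added example, not code from the original article or from any ERP vendor: it takes the three incompatible duty pairings named above as permission codes, a constructed role-to-permission catalogue and a constructed user-to-role assignment, and reports every user who holds both sides of a pair, distinguishing conflicts that arise from combining roles (fixed by reassignment) from conflicts baked into a single role (fixed by redesigning the role). The role names, permission codes and users are assumptions for the illustration.

```python
"""Segregation-of-duties analysis against ERP role assignments.

Incompatible pairs follow the article; roles, permission codes and user
assignments are constructed for the example. FINANCE_SUPERUSER is a role
that conflicts with itself, a design flaw rather than an assignment error.
"""

INCOMPATIBLE = [
    ("VENDOR_MASTER_CREATE", "INVOICE_APPROVE"),
    ("CREDIT_LIMIT_SET", "ORDER_RELEASE"),
    ("JE_CREATE", "JE_POST"),
]

ROLES = {
    "AP_CLERK": {"INVOICE_ENTER", "VENDOR_MASTER_CREATE"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RUN"},
    "CREDIT_ANALYST": {"CREDIT_LIMIT_SET"},
    "SALES_OPS": {"ORDER_RELEASE"},
    "GL_ACCOUNTANT": {"JE_CREATE"},
    "GL_SUPERVISOR": {"JE_POST"},
    "FINANCE_SUPERUSER": {"JE_CREATE", "JE_POST", "INVOICE_APPROVE", "VENDOR_MASTER_CREATE"},
}

USER_ROLES = {
    "arjun.credit": ["CREDIT_ANALYST"],
    "fin.admin": ["FINANCE_SUPERUSER"],
    "meera.gl": ["GL_ACCOUNTANT", "GL_SUPERVISOR"],
    "priya.ap": ["AP_CLERK", "AP_MANAGER"],
    "ravi.sales": ["SALES_OPS", "CREDIT_ANALYST"],
}


def effective_permissions(user, user_roles, roles):
    """Map each permission the user holds to the set of roles granting it."""
    granted = {}
    for role in user_roles.get(user, ()):
        for perm in roles.get(role, set()):
            granted.setdefault(perm, set()).add(role)
    return granted


def sod_violations(user_roles, roles, pairs=INCOMPATIBLE):
    """Every (user, pair) where the user holds both incompatible permissions."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_permissions(user, user_roles, roles)
        for left, right in pairs:
            if left in granted and right in granted:
                findings.append({
                    "user": user,
                    "pair": (left, right),
                    "via": sorted(granted[left] | granted[right]),
                    # True when one role grants both sides by itself.
                    "intra_role": bool(granted[left] & granted[right]),
                })
    return findings


def unmapped_permissions(roles, pairs=INCOMPATIBLE):
    """Permissions in the matrix that no role grants.

    A non-empty result means the matrix names duties the ERP catalogue does
    not, so a 'no violations' outcome would be vacuous, not clean.
    """
    catalogued = set().union(*roles.values()) if roles else set()
    return sorted({p for pair in pairs for p in pair} - catalogued)


if __name__ == "__main__":
    print("unmapped permissions:", unmapped_permissions(ROLES))
    for f in sod_violations(USER_ROLES, ROLES):
        kind = "role design" if f["intra_role"] else "assignment"
        print(f"{f['user']}: {f['pair'][0]} + {f['pair'][1]} via {f['via']} ({kind})")
```

The `unmapped_permissions` check is the guard against the false pass described above: if the matrix's duty names never resolve to anything the ERP actually grants, zero findings is a sign of an unfinished mapping, not of a clean environment. In a real ERP the permission layer is usually transaction codes or authorisation objects rather than friendly names, and the mapping from those to the duty pairings is most of the work.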
What a real framework deliverable looks like
The deliverable from a fraud risk assessment is three things, not one document.
First, the fraud risk register — every scheme, scored, with control reference and owner.
Second, the control mapping — every score-relevant control linked to the scheme it mitigates, with frequency, type, and owner.
Third, the monitoring dashboard — the analytics that run continuously to detect the schemes the controls are designed to prevent. This is what management and audit committee actually look at.
A fraud risk assessment that updates annually is a static document. A fraud risk assessment that informs the monitoring dashboard refreshes every month, because the dashboard refreshes every month. The framework is alive when the dashboard is alive.
Calibrating to the ACFE base rates
The ACFE Report to the Nations is published every two years. It documents the median loss, the typical detection method, and the duration of fraud schemes across well over a thousand real cases per edition, reported by Certified Fraud Examiners globally. The 2024 edition reported a median loss of $145,000 per fraud case, a median duration of 12 months before detection, and tips as the leading detection method by a wide margin.
Calibrating an internal fraud risk assessment to these base rates is a discipline most companies do not practice. They estimate likelihood on intuition. The ACFE data lets the audit committee benchmark whether the company's score for a given scheme is consistent with industry experience, or whether management is being optimistic about likelihood.
What we build differently
Two things, mainly.
First, we build the scheme-level risk register before the control map. Most engagements run the other way — list the controls, then back-fit the risks they address. The order matters. If you map controls first, you only assess risks the existing controls happen to address. The risks the controls do not address remain invisible.
Second, we tie the monitoring dashboard to the top-scored schemes, not to the control test results. The control might be operating effectively, but the dashboard tells the audit committee whether the underlying risk is materialising. The two are different. Control test results are a backward-looking compliance signal. The monitoring dashboard is a forward-looking exposure signal.
The audit committees that take fraud risk seriously eventually want both. The companies that have not built either yet should start with the scheme-level register. The rest follows.