Fraud risk assessments: A tool for fighting fraud?

Survey reveals experiences with fraud risk assessments

A formal fraud risk assessment (FRA) could cut median fraud loss by nearly half, but companies don’t always perform them. That leaves many organizations potentially unaware of what frauds they could fall victim to, or how to protect themselves against these frauds. In a survey, 73 executives from a variety of industries shared their experiences and the challenges they face in implementing FRAs.

Fraud risk management program: How are deceptions detected?

In this publication, we focus on how respondents use FRAs in their organization, the components of the FRA, where within organizations fraud risk management occurs, and the challenges respondents said they were facing.

Eighty percent of the respondents to our survey said that fraud risk management is a component of their broader enterprise risk management activity. Nearly three-quarters of the respondents indicated their organization has a fraud risk framework in place. Ninety-two percent of public company respondents said their organizations have an established fraud risk framework, while only 56% of private company respondents said theirs did. From an industry perspective, most respondents said a fraud risk management framework exists in their organization. Financial services and energy and resources—both highly regulated industries—lead the pack in having a fraud risk management framework.

Download our report to explore all the responses.

A proactive defense: A survey on the fraud risk assessment experience

The respondents who did not consider their FRAs to be effective said that the biggest reason their FRA was not effective was because it was treated as a ‘tick-the-box exercise’.

Setting up a fraud risk management framework

The FRA portion of a comprehensive fraud risk management program should be an ongoing process, and the process typically begins with the identification of fraud risk factors. After identifying fraud risk factors, the next step is to determine what the actual fraud risks are and what shape the associated fraud schemes might take. The list may be long, making it necessary to prioritize. Once prioritized, the next step is to identify and map, or link, existing internal controls to the prioritized fraud schemes, considering both preventive and detective controls.

Internal fraud—the areas of most concern

Our survey asked about instances of internal fraud, or fraud committed by employees, managers, and executives inside the organization. Against that backdrop, breaches of internal ethical or compliance policy are the most widespread concern, cited by 76% of respondents, followed closely by violations of laws and regulations. These two cover a wide variety of conduct that goes beyond direct asset misappropriation. An FRA can be a strong mitigating factor to internal misconduct. Although most of the respondents in our survey reported having an effective fraud risk framework in place, a non-trivial share said they don’t.

How are the current approaches working?

We asked respondents about the perceived effectiveness of both their organization’s fraud risk management framework and the FRA within that framework. In total, 81% of the respondents said their organization’s current fraud risk management framework is effective or very effective. The 19% who said it isn’t mentioned a variety of reasons, the most common being a limited understanding of emerging fraud risks among employees.

We asked the 28% of respondents who did not consider their FRAs to be effective what was preventing their effectiveness. Most (64%) said the biggest reason their FRA was not effective was that it was treated as a ‘tick-the-box exercise’.

What your organization can do now

Organizations that are considering the design and implementation of their FRA as part of their broader fraud risk management program may consider the following activities in the near term:

  • Conduct robust FRAs as part of the overall enterprise-wide risk management processes (rather than just going through the motions).
  • Combat denial culture by educating employees and stakeholders to increase their understanding of fraud risks and the actions the organization has in place to prevent, detect, and deter fraud.
  • Involve appropriate and adequate personnel in the FRA process.
  • Consider historical fraud, industry fraud, and recent fraud trends as elements of an enterprise-wide FRA.
  • Use data analytics to proactively identify potential anomalies that could lead to potential fraud risks and to monitor known fraud risks.
  • Once fraud risks are determined, identify different types of fraud schemes and scenarios associated with the risks.
  • Deliver on the FRA through fraud controls and action plans.
  • Refresh the assessments periodically, including in response to both internal and external factors.
  • Communicate the results to organization management and those charged with governance.

Download the report to learn more about the results of the polling questions conducted during a webcast on this topic. If you’d like to discuss the responses and an FRA design and implementation plan for your organization, contact us.


Get in touch

Mike Brodsky
Managing Director
Deloitte & Touche LLP

Holly Tucker
Deloitte Financial Advisory Services LLP

Sofia Hussain
Senior Manager
Deloitte & Touche LLP
