
Understanding Risk Assessment to Prevent Fraudulent Activity


There are many fraud prevention tools and techniques available to companies today. Yet, dollar for dollar, none may yield greater results for preventing occupational fraud and limiting losses than a corporate fraud risk assessment. Business owners and managers are responsible for carrying out such assessments so that their business can keep operating and succeed.

Risk assessments have become more prevalent in recent years, according to the Association of Certified Fraud Examiners’ (ACFE) Occupational Fraud 2022: A Report to the Nations, due in large part to inflation and the global pandemic. However, while almost 50% of businesses perform risk assessments (only 17% of businesses with fewer than 100 employees), many owners and managers remain unaware of the value of these procedures and of how the assessment process works.


Overview of a Fraud Risk Assessment

A fraud risk assessment is a process for identifying risks and vulnerabilities from internal and external sources and developing a plan to mitigate those risks that could have a significant impact on the business. Assessments should be performed by management and by the managers responsible for each significant department or area within the organization.

You’ll want to start by looking for vulnerabilities within each department, particularly those that are due to recent changes, such as employee departures or the COVID-19 pandemic. Once you have gathered all the information, bring in an outside auditor or Certified Fraud Examiner (CFE) to conduct a professional, nonbiased assessment. Interview executives and managers to ensure they’re setting the right example with proper ethics. Also, confirm that you’ve allocated appropriate financial resources to preventing and fighting fraud. If you find weaknesses, address them by strengthening internal controls.

When Is the Right Time to Perform a Risk Assessment?

Fraud risk assessments generally are conducted by internal auditors, either on a standalone basis or as part of a comprehensive enterprise risk management program. You may want to conduct assessments annually or whenever there have been major organizational changes or disruptions. In addition, when new processes or procedures are put into action, a risk assessment should be performed to account for the hazards that could come along with the new procedures.

COVID-19 brought many new procedures to organizations trying to keep their businesses running and revenue flowing. If not done already, such new procedures should be assessed with urgency: the current economy has only heightened financial pressure on individuals, which may give them a stronger motive to commit fraud.

Why Is This Important?

Performing regular fraud risk assessments is a small investment compared to the cost of fraudulent activity. As the ACFE’s Occupational Fraud 2022: A Report to the Nations shows, worldwide fraud schemes cause losses of more than $3.6 billion annually, while the average loss per case is $1,783,000. The COVID-19 pandemic, along with the tough economic climate, has forced many into difficult times, giving people more incentive to steal. With no fraud risk management strategy in place, fraud has the potential to grow like a virus, destroying the health of businesses and causing greater and greater losses.

A fraud risk assessment is essential in helping businesses proactively identify external and internal risks before they do financial, reputational or legal damage. Given recent events, risk assessments have become more crucial to keeping fraud at bay and businesses running smoothly. The assessment is a powerful tool that lays the building blocks of a company’s internal controls and serves as the “checks and balances” for preventing fraudulent activity throughout the entire organization. An annual risk assessment could end up saving your business millions if managed correctly.

Running the Risk Assessment

Risk assessments are tailored to an organization’s industry, risk tolerance and overall operational needs. Typically, the assessment starts in the areas where fraud is most likely to happen — such as accounts payable, cash, payroll, purchasing and IT. It is normally performed by an outside auditor; once the new controls are in place, executives and upper-level accountants monitor them on an ongoing basis. But it’s important not to stop there. If you close a door in only one department, those determined to commit fraud will find openings elsewhere to accomplish their goal. Perform the assessment in each significant area within your organization.

Reviewing your company’s internal controls is necessary to determine how well protected you are from a fraudulent attack. Conduct your assessment by thinking like a dishonest employee, asking how they could exploit the controls and the accounting system. During the fraud risk assessment, you will want to identify:

    • Internal and external vulnerabilities
    • Which employees put the company at the most risk
    • Potential fraud schemes specific to your business
    • Who has financial incentives, pressures and opportunity
    • Whether management can override any internal controls
    • IT risks and vulnerabilities
    • Internal control weaknesses and proposed suggestions for system enhancement
    • Activities and transactions that are the most vulnerable
    • Red flags that may have gone unnoticed by management

You will want to address these issues at all levels, including owners and executives, in every department and for all types of fraud.

Payroll is often handled by an outside entity, which will also need to be accounted for in the assessment. Reviewing it could uncover an employee who is being paid more than they should be, or the outside provider diverting company funds for personal use.

Reviewing bank statements for your company and its executives is an easy way to catch fraud in the form of theft. Confirming that bank deposits were made in full and that no money was skimmed is a good place to start if the financials don’t balance.

Interviewing people at your company at all levels and in all departments will help you gauge how effectively things are being run. It will also provide hints as to where more attention needs to be focused in the assessment. Conversations with top executives will set the tone for the ethical receptiveness of the company.

Fraudulent activities that you will want to test for may include, but are not limited to:

    • Fraudulent financial reporting, e.g., improper revenue recognition and overstatement of assets
    • Misappropriation of assets, e.g., embezzlement or theft
    • Improper expenditures (bribes)
    • Fraudulently obtained revenue and assets (tax fraud)

These activities can be the result of need or greed. People tend to act out in times of need and heightened stress. A recent EY study found that the risk of fraud increases when nationwide or global events negatively affect a business, such as a pandemic like we have witnessed in the last two years.

Wrapping Up the Risk Assessment

The final step is to adjust your internal controls and implement new ones, if necessary, to address any fraud risks you’ve discovered. Compliance training is extremely important so that all employees understand the role of the internal controls. After the assessment, managers should oversee the internal controls and make sure everything is running smoothly.

Also, consider your company’s benefits. Job rotation and mandatory vacation time are two of the most effective anti-fraud controls. These benefits have been shown to reduce fraud losses by 54% in companies that have already been victimized. Both practices discourage fraudulent activity because employees know another person will soon be performing their duties, and that person would be likely to discover any patterns of bad behavior.

Other anti-fraud controls include tips from whistleblowers and bank reconciliations, and many frauds are caught by external auditors. There is no better deterrent than an external auditor. Keep in mind that millions of dollars are at stake here, so do you want to carry that risk?

If you have questions about fraud prevention measures or other fraud and forensic financial investigation issues, please contact Sean T. Daughton, CPA, CFE, Audit Partner.

Contributing Author: Sean T. Daughton, CPA, CFE, is an audit partner with over 26 years of experience providing audit and advisory services to a variety of clients, including automotive dealers, manufacturers and retail corporations. For more information on this topic, you may contact Sean at sdaughton@dmcpas.com or (315) 472-9127.