How to Perform Fraud Risk Assessments

By Charles Hall | Auditing

Oct 28

Many auditors struggle with fraud risk assessments. This article provides audit guidance for assessing fraud risk.

No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud in a Financial Statement Audit. Why? I fear the problem lies in how we as auditors use the risk assessment standards.

I still hear auditors say, “we are not responsible for fraud.” But are we not?

Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.

Why Auditors Don’t See Fraud Risk

Why do we not see fraud risks? Here are a few thoughts:

  • We don’t understand how fraud occurs, so we avoid it
  • We don’t know how to look for control weaknesses
  • We think our time is better spent in other areas (namely performing substantive procedures)
  • We still believe that a balance sheet approach to auditing is all we need

Signs of Weak Risk Assessments

So what are some signs of weak fraud risk assessments?

  • We ask just one or two questions about fraud
  • We limit our inquiries to as few people as possible (maybe even just one)
  • We discount the potential effects of fraud (even after a client tells us it has occurred)
  • We don’t perform walkthroughs
  • We don’t conduct brainstorming sessions
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)

In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?

So how can we understand and respond to fraud risks? Here are a few thoughts.

Start with Potential Fraud Incentives

Fraud comes in two flavors:

  • Cooking the books (intentionally altering numbers)
  • Theft

Start your fraud risk assessment by determining whether there are any incentives to manipulate the financial statement numbers. Are bonuses or promotions tied to profit or other metrics? Are there other motivations for playing with the numbers? Cooking the books is more prominent in for-profit entities, but be aware that some nonprofits also offer incentives based on financial statement targets.

Internal control weaknesses are the doorway to theft. Next, we’ll see how to find those defects in accounting systems.

Look for Fraud Opportunities

My go-to procedure in looking for fraud opportunities is to perform walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.

Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.

The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.

Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.

In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces, and you will understand them.

Observation of Control Weaknesses

The auditing standards require that we use the following:

  • Inquiry
  • Observation
  • Inspection

The audit standards state that inquiry alone is not sufficient for the risk assessment process, so we must pair inquiry with observation, with inspection, or with both. May I suggest the latter? Take pictures of what you observe (use your smartphone) and make copies of the documents you inspect. I like to write my narrative and then insert the images into the “story.” (Tip: In Word, click “Insert,” then “Pictures,” and browse to the image you want to add.)

Our walkthroughs can include:

  1. Narrative
  2. Images
  3. Highlights of control strengths and weaknesses

I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.
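The Judy Jones weakness above can also be tested mechanically once you have the vendor master change log and the check register in hand. The following added example is mine, not the author’s; the records are constructed and the field names (created_by, printed_by, and so on) are assumed rather than taken from any real accounting system. It flags checks whose payee vendor was created by the same user who printed the check, lists users who have exercised both rights at all, and flags vendors that received their first check within days of being created, which is the pattern a fictitious vendor tends to leave.

```python
"""Added example: segregation-of-duties checks over accounts payable data.

The data below are constructed for illustration; the field names
(created_by, printed_by, etc.) are assumed, not taken from any real system.
"""
from collections import defaultdict
from datetime import date

# Constructed vendor master change log: who added each vendor, and when.
VENDOR_LOG = [
    {"vendor_id": "V100", "name": "Acme Supply", "created_by": "mbrown", "created_on": "2023-02-01"},
    {"vendor_id": "V101", "name": "JJ Consulting", "created_by": "jjones", "created_on": "2023-11-28"},
    {"vendor_id": "V102", "name": "Metro Utilities", "created_by": "mbrown", "created_on": "2021-06-15"},
]

# Constructed check register: who printed each check, to which vendor.
CHECK_REGISTER = [
    {"check_no": 5001, "vendor_id": "V100", "amount": 1250.00, "printed_by": "jjones", "date": "2023-12-01"},
    {"check_no": 5002, "vendor_id": "V101", "amount": 4800.00, "printed_by": "jjones", "date": "2023-12-02"},
    {"check_no": 5003, "vendor_id": "V102", "amount": 312.40, "printed_by": "jjones", "date": "2023-12-03"},
    {"check_no": 5004, "vendor_id": "V101", "amount": 4950.00, "printed_by": "jjones", "date": "2023-12-30"},
]


def find_sod_conflicts(vendor_log, check_register):
    """Checks where the person who printed the check also created the payee.

    This is the exact path described in the narrative: create a vendor,
    then cut a check to it with nobody else involved.
    """
    creator = {v["vendor_id"]: v["created_by"] for v in vendor_log}
    return [c for c in check_register if creator.get(c["vendor_id"]) == c["printed_by"]]


def users_with_both_rights(vendor_log, check_register):
    """Users who have both added vendors and printed checks in the period.

    A design-level weakness: even if no single check matches its vendor's
    creator, one person holding both rights is the opportunity.
    """
    creators = {v["created_by"] for v in vendor_log}
    printers = {c["printed_by"] for c in check_register}
    return sorted(creators & printers)


def new_vendor_quick_pay(vendor_log, check_register, days=30):
    """Vendors whose first check was issued within `days` of creation."""
    created = {v["vendor_id"]: date.fromisoformat(v["created_on"]) for v in vendor_log}
    first_paid = {}
    for c in check_register:
        d = date.fromisoformat(c["date"])
        vid = c["vendor_id"]
        if vid not in first_paid or d < first_paid[vid]:
            first_paid[vid] = d
    return sorted(v for v, d in first_paid.items() if (d - created[v]).days <= days)


def total_by_vendor(checks):
    """Dollar exposure per vendor for a list of flagged checks."""
    totals = defaultdict(float)
    for c in checks:
        totals[c["vendor_id"]] += c["amount"]
    return dict(totals)


if __name__ == "__main__":
    conflicts = find_sod_conflicts(VENDOR_LOG, CHECK_REGISTER)
    for c in conflicts:
        print(f"check {c['check_no']} to {c['vendor_id']} printed by its creator {c['printed_by']}")
    print("users holding both rights:", users_with_both_rights(VENDOR_LOG, CHECK_REGISTER))
    print("new vendors paid quickly:", new_vendor_quick_pay(VENDOR_LOG, CHECK_REGISTER))
    print("exposure:", total_by_vendor(conflicts))
```

The first function finds the checks that actually went out the door through the weakness; the second finds the weakness itself, whether or not it was exploited. Both belong in the file: the narrative documents the design flaw, and the flagged checks give you a population to select from when you plan responsive procedures.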

Fraud-Related Inquiries

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior

AU-C 240 also directs the auditor to:

  • Make inquiries of management, and of others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For entities with an internal audit function, inquire of appropriate individuals within that function to obtain their views about the risks of fraud; determine whether they know of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from those procedures

If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.

Notice that in these inquiries, we are not only asking if fraud has occurred but does management have a prevention system in place? And does management communicate these processes to those charged with governance?

Planning Analytics

Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.

As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”

The audit standards include a rebuttable presumption that improper revenue recognition is a fraud risk. Why? Because many past frauds were carried out by managers intentionally overstating revenue. In some cases, management posted false journal entries at year-end to inflate income and then reversed those entries in the following period.
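The comparisons and ratios described above, and the year-end entry that is reversed in the next period, are all things you can compute from trial balance extracts and a journal export. The following added example is mine, not the author’s; the balances, the journal entries, and the account names are constructed, and the threshold values are assumptions you would set for the client. It flags large year-over-year variances, computes two ratios that tend to move together when revenue is inflated, and pairs each entry posted in the last days of the year with any entry after year end that exactly mirrors it.

```python
"""Added example: planning analytics and a year-end reversing-entry check.

All balances and journal entries below are constructed for illustration;
account names and entry fields are assumed, not taken from any real ledger.
"""
from datetime import date

# Constructed prior-year and current-year trial balance extracts.
PRIOR = {"revenue": 2_000_000, "cogs": 1_300_000, "receivables": 250_000, "inventory": 400_000}
CURRENT = {"revenue": 2_600_000, "cogs": 1_320_000, "receivables": 520_000, "inventory": 410_000}

# Constructed journal: each entry has lines of (account, debit, credit).
JOURNAL = [
    {"je": "JE-901", "date": "2023-12-30", "posted_by": "cfo",
     "lines": [("receivables", 150_000, 0), ("revenue", 0, 150_000)]},
    {"je": "JE-903", "date": "2023-12-31", "posted_by": "clerk",
     "lines": [("cogs", 5_000, 0), ("inventory", 0, 5_000)]},
    {"je": "JE-905", "date": "2024-01-03", "posted_by": "cfo",
     "lines": [("revenue", 150_000, 0), ("receivables", 0, 150_000)]},
    {"je": "JE-910", "date": "2024-01-15", "posted_by": "clerk",
     "lines": [("cash", 20_000, 0), ("receivables", 0, 20_000)]},
]


def variances(prior, current, threshold=0.15):
    """Accounts whose year-over-year change exceeds `threshold` (a fraction)."""
    flagged = {}
    for acct, cur in current.items():
        pri = prior.get(acct)
        if not pri:
            continue  # no prior balance to compare against
        pct = (cur - pri) / pri
        if abs(pct) > threshold:
            flagged[acct] = round(pct, 3)
    return flagged


def ratios(tb):
    """Gross margin and days-sales-outstanding for one trial balance."""
    gross_margin = (tb["revenue"] - tb["cogs"]) / tb["revenue"]
    dso = tb["receivables"] / tb["revenue"] * 365
    return {"gross_margin": round(gross_margin, 3), "dso_days": round(dso, 1)}


def _net_lines(entry):
    """Entry signature: set of (account, debit minus credit)."""
    return frozenset((acct, dr - cr) for acct, dr, cr in entry["lines"])


def reversed_year_end_entries(journal, year_end, days=10):
    """Pairs (before, after) where an entry posted within `days` before
    year end is exactly mirrored by one posted within `days` after it.

    This is the pattern the text describes: book income at year end,
    reverse it in the next period.
    """
    ye = date.fromisoformat(year_end)
    before, after_by_sig = [], {}
    for e in journal:
        delta = (date.fromisoformat(e["date"]) - ye).days
        if -days <= delta <= 0:
            before.append(e)
        elif 0 < delta <= days:
            after_by_sig.setdefault(_net_lines(e), []).append(e["je"])
    pairs = []
    for e in before:
        mirror = frozenset((acct, -net) for acct, net in _net_lines(e))
        for je in after_by_sig.get(mirror, []):
            pairs.append((e["je"], je))
    return pairs


if __name__ == "__main__":
    print("variances over 15%:", variances(PRIOR, CURRENT))
    print("prior ratios:", ratios(PRIOR), "current ratios:", ratios(CURRENT))
    print("reversed year-end entries:", reversed_year_end_entries(JOURNAL, "2023-12-31"))
```

On the constructed numbers, revenue is up 30% while cost of sales is flat, so gross margin jumps from 35% to 49% and receivables more than double; that combination is exactly the “do these numbers make sense?” question the analytics are meant to raise, and the reversing-entry check then points at JE-901 and JE-905 as the place to start looking.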

Brainstorming and Planning Your Responses – My Next Post

Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud could occur and then plan your audit responses. That’s the topic of our next post, so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post.

Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.

If you missed my first two posts in this series, check them out here:

Part 1: How to Perform Audit Risk Assessments

Part 2: How to Understand the Risk Assessment Process

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

  • armando balbin says:

    Very comprehensive. Thank you, Charles

  • Charles Hall says:

    Thank you Armando. This one took a while to write.

  • armando balbin says:

    In the old days we also performed the walkthrough, we just did not document it as required now. On each account audit program, we had a background briefly describing the system, procedures and controls (walkthrough), and then the strong and weak internal controls related to this area, and how we, as auditors, responded by performing pertinent audit procedures. In those older days, before the issuance of the SAS 99, we planned and searched for material fraud.

  • Benson you said, “Obtain independently the personal credit reports for these individuals and examine them for unusual entries. Complete a 100% detailed review of all compensation paid to these individuals. Inspect and audit 100% of all travel and entertainment reimbursement, stock option grants, asset transfers, etc. A sample is not good enough.”

    I think the “credit report” idea has merit. Also full disclosure of compensation to the governing body is another interesting thought. I just received a call about a small hospital CEO that was being paid over $500,000 per year; actual pay should not have exceeded $250,000. Transparency eliminates a lot of problems.

    I, like you, think small and large companies need to pay more attention to internal controls (and have those controls reviewed by external CPAs). But I think until businesses are legally required to meet some minimum threshold for review of controls, it won’t happen.

    Most companies don’t understand the gravity of weak controls until fraud occurs–then it becomes important (to them).

  • Benson Dana, CPA says:

    So what do I suggest if I think the triad of fraud “guidance” is a crock? Good question. In an accounting/auditing engagement, what would I recommend as guidance in considering the risk of fraud?

    First, I would create at least 2 major and wholly independent categories of fraud.

    Material, willful, financial statement fraud
    Isolated personal fraud

    The first category is the most serious. Think Enron, WorldCom, blah blah blah. It seems that current guidance and procedures should be EXPECTED to identify this category of fraud. If not, then the independent CPA and his or her audit opinion is virtually worthless. The fact that CPA firms continue to miss this means the status quo is not good enough. The AICPA needs a major initiative to revise, refine and redo the formal audit procedures for detecting this category of fraud. There are a lot of recent graphic examples on which to draw. Random testing is not good enough. Audit procedures should be directed at specifically and actively searching for fraud based on a risk analysis. Are inventories a big number? Search for inventory fraud à la Phar-Mor and other similar known audit failures. Capitalization of fixed assets a big number? WorldCom. Etc. These all included a large cast of co-conspirators and as such, should have been caught by the auditors. We need specific procedures designed to address this.

    I think the large national and international companies need to be brought to heel. They run roughshod over their auditors, over the regulators, over the tax authorities, over their shareholders, over everyone. Enough is enough.

    Now, for smaller companies, the issue of isolated personal fraud looms as perhaps a larger threat than full-blown financial statement fraud. The fact that these are isolated and personal does not mean that they do not present a financial statement risk. Dennis Kozlowski at Tyco did tremendous damage to the stockholders’ value by his personal greed and fraud. We need to take this risk more seriously. As far as specific audit procedures, I offer these as a start:

    Identify any and all key executive staff who have positions of power and influence sufficient to bypass or corrupt standard internal controls. By default, this list must include the President, COO, CEO, Chief Financial Officer, any Executive Vice Presidents, Division or group presidents, and board chair.

    Complete a detailed internal control review over the span of influence and control exercised by these individuals. The control review needs to specifically target potential fraud vulnerabilities such as lack of segregation of duties, lack of effective review and approval, etc. Require that significant control weaknesses be remediated and re-examined for verification. The auditor should be in complete control over this. There should be zero tolerance for delay, denial, equivocation and whining from the audit client.

    Obtain independently the personal credit reports for these individuals and examine them for unusual entries. Complete a 100% detailed review of all compensation paid to these individuals. Inspect and audit 100% of all travel and entertainment reimbursement, stock option grants, asset transfers, etc. A sample is not good enough. This requires a complete census of transactions. Present the detailed results of this examination to the full board for review and approval.

    There is an awful lot more that can and should be added. This is just the beginnings of my own personal rant and is horribly incomplete and inadequate. But even given that, it’s a start in the right direction. And there is nothing to prevent a CPA firm from implementing these procedures unilaterally and immediately. At least, that’s what I think. I could be wrong, but I don’t think so.
