It is an assessment of the likelihood of a fraud being committed, what can be done to stop it, and whether that action is commercial. Once a business owner has identified a risk of loss from fraud, and has ideas on how to prevent it, they must determine what controls to implement based on a cost/benefit analysis.
Before that decision can be made, the following questions must be answered:
1. Where is the greatest threat of fraud?
2. How likely is a loss from that threat?
3. What would be the greatest loss from that threat?
4. What are the costs involved in controlling that threat?
Risk assessment locates fraud risks and helps determine what controls should be implemented. It is similar to finding the biggest leaks and plugging them first.
Seven actions or decisions are used to determine a level of risk, the likelihood of a loss, possible controls, and the cost of implementing these controls. These are:
1. Determine what threats face the business, in the different areas of the business;
2. Estimate the likelihood of a loss occurring from each particular threat;
3. Estimate the quantum of any loss from each particular threat;
4. Determine what control procedures could be applied to prevent or detect that particular threat;
5. Estimate the costs of implementing and maintaining each control;
6. Decide whether the cost of a control is worth the benefit of having the control;
7. Implement controls where cost / benefit assessment is favorable or desirable.
These actions or decisions can be grouped into four general steps. These four steps apply to fraud risk as much as they apply to any other risk analysis. They are:
1. Identify the possible threats
2. Estimate the risk of that threat occurring and the potential loss
3. Identify potential controls
4. Conduct a cost / benefit analysis
A whole range of threats face businesses, including:
(i) strategic threats;
(ii) operational threats;
(iii) financial threats; and
(iv) information threats.
Fraud is mainly associated with financial threats - including a direct loss of financial resources (money or assets); a loss of information (financial information, patents etc.); or the incurring of unnecessary costs (resulting from bribery etc.).
The methods of identifying threats are as varied as the ways of conducting business. Some questions that business owners should ask are:
(a) What assets does the business use (equipment, etc.) or trade in (stock, etc.)?
(b) How does the business provide and bill for its goods or services?
(c) How is the business paid (cash sales, trade debtors etc.)?
(d) How does the business order its purchases?
(e) How are payments made for goods and services?
No, but most businesses will have one or more of these areas in their operations.
Most businesses will have a procedure for receiving payments from their customers and a procedure for paying bills. Most businesses will purchase and receive goods or services, and will take orders for and supply their goods or services. Business owners have to look at their procedures and determine what areas might be attacked by a dishonest employee and how those areas may be attacked.
The first step is estimating the likelihood of a loss from a particular threat. Some threats are either more likely to occur or will do more commercial damage if they do occur. Some threats are more likely to reoccur after an initial attack.
For example, we have identified an unlocked cash drawer as a high potential threat. The loss from the theft of cash from the cash drawer is something that has a high likelihood of reoccurring after the first instance, if no action is taken to prevent a recurrence.
Estimating the risk of a threat and turning that risk into a percentage chance of that threat occurring is difficult, and there are no rules. The process has to be done by instinct by someone who knows the business. Trying to estimate the probability of reoccurrence is even more difficult. Let's say that the likelihood of loss from our cash drawer is 5%.
The next step is estimating the loss due to that threat. Keeping the same example, if the cash drawer holds $200, the total estimated loss from theft may be that $200. To be conservative, the realistic maximum loss should be used. The loss in our example therefore would be $200, even though the theft of a lesser amount is possible.
Lastly, you must estimate the likelihood of a reoccurrence if no remedial action is taken after the first fraud. We have estimated that the attack is likely to happen 4 times in a given period.
The estimated loss is then a factor of (1) the likelihood of the threat happening, (2) the likelihood of reoccurrence and (3) the estimated loss. Going back to our cash drawer example:
5% risk of occurring x 4 occurrences x $200 = a total estimated loss of $40
The potential loss from that threat is calculated at $40 in a given period.
After locating threats, business owners will have to consider what controls are available and whether prevention or detection controls should be used. A control that prevents a fraud is better than a control that only detects it after it has happened and the loss has occurred. Knowledge that controls are in place and a fraud will be found will act as a deterrent - this is called the "perception of detection".
Going back to our example, there are two possible controls:
(1) putting a lock on the drawer; and
(2) purchasing a safe.
But are these controls commercial?
Once potential threats have been identified, the likelihood of each threat occurring and the potential loss calculated, and possible controls to prevent or detect that threat considered, it has to be determined whether each control is worth its cost.
The last step is the cost / benefit analysis. It determines whether resources will be spent attempting to prevent a particular loss. Keeping to the example above, the estimated loss from the cash drawer is $40. If you could guard against that loss by putting the lock on the drawer and only spending $10, the control would be practical and commercial. If the cost of buying the safe is $1000, this control would not be as commercial.
Business owners must also consider the practicality of a control. The cheapest and safest control for the cash example may be removing cash from the drawer entirely. But staff may need access to that cash on a day to day basis and sales may be lost because staff cannot service customers. Controls must still allow the business to keep trading without undue interference.
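The four steps can be run over a whole list of threats rather than one. The sketch below is an added example, not part of the original fact sheet: it ranks threats by estimated loss ("biggest leaks first") and picks the cheapest control that is both practical and cheaper than the loss it guards against. It assumes a control removes the whole estimated loss; the class and function names, the $0 cost of removing the cash, and the second and third register entries are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    cost: float              # cost to implement and maintain for the period
    practical: bool = True   # False if it would unduly interfere with trade

@dataclass
class Threat:
    name: str
    likelihood: float        # chance of the threat occurring (0 to 1)
    occurrences: int         # expected repeats in the period if nothing is done
    max_loss: float          # realistic maximum loss per occurrence
    controls: list = field(default_factory=list)

    def expected_loss(self) -> float:
        # likelihood x occurrences x loss, as in the cash drawer calculation
        return self.likelihood * self.occurrences * self.max_loss

def assess(threats):
    """Rank threats by expected loss and pick the cheapest commercial control."""
    plan = []
    for t in sorted(threats, key=Threat.expected_loss, reverse=True):
        loss = round(t.expected_loss(), 2)
        # Assumption: a control removes the whole loss, so it is commercial
        # only when it is practical and costs less than that loss.
        viable = [c for c in t.controls if c.practical and c.cost < loss]
        best = min(viable, key=lambda c: c.cost, default=None)
        plan.append((t.name, loss, best.name if best else None))
    return plan

# Constructed register: the first entry uses the page's figures (the $0 cost
# of removing the cash is assumed); the other two are made up.
REGISTER = [
    Threat("Unlocked cash drawer", 0.05, 4, 200, [
        Control("Remove cash from the drawer", 0, practical=False),
        Control("Lock on the drawer", 10),
        Control("Safe", 1000)]),
    Threat("Stock theft", 0.02, 1, 500, [Control("Camera system", 800)]),
    Threat("False supplier invoices", 0.10, 2, 5000, [
        Control("Second approver on payments", 300)]),
]

if __name__ == "__main__":
    for name, loss, control in assess(REGISTER):
        print(f"{name}: estimated loss ${loss:.2f} -> {control or 'no commercial control'}")
```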
Risk Assessment is not an exact science and a good deal of "gut feeling" has to be used in estimating the levels and likelihood of threats.
The risk of loss from frauds is real. Complacency is not the answer. Armed with the results of the Risk Assessment, business owners will be able to initially direct their limited resources to areas where they will get the most benefit.
Disclaimer
The enclosed information is of necessity a brief overview and it is not intended that readers should rely wholly on the information contained herein. No warranty express or implied is given in respect of the information provided and accordingly no responsibility is taken by Worrells or any member of the firm for any loss resulting from any error or omission contained within this fact sheet.
Acknowledgment
The material in this Fact Sheet was sourced from various publications including those listed in the Reading List on the Fraud Awareness page on this website.
Last Updated: 26.3.2008