FRAUD RISK ASSESSMENT FORM
People Existing Anti- Controls
Identified Fraud risks and Residual Fraud Risk
Likelihood2 Significance3 and/or fraud Effectiveness
Schemes1 Risks7 Response8
Department4 Controls5 Assessment6
FINANCIAL REPORTING:
MISAPPROPRIATION OF
ASSETS:
CORRUPTION:
Page 1 of 2
�1. Identified Fraud Risks and Schemes: This column should include a full list of the potential fraud risks and schemes that may face the
organization. This list will be different for different organizations and should be formed by discussions with employees and management and
brainstorming sessions.
2. Likelihood of Occurrence: To design an efficient fraud risk management program, it is important to assess the likelihood of the identified fraud
risks so that the organization establishes proper anti-fraud controls for the risks that are deemed most likely. For purposes of the assessment, it
should be adequate to evaluate the likelihood of risks as remote, reasonably possible, and probable.
3. Significance to the Organization: Quantitative and qualitative factors should be considered when assessing the significance of fraud risks to an
organization. For example, certain fraud risks may only pose an immaterial direct financial risk to the organization, but could greatly impact its
reputation, and therefore, would be deemed to be a more significant risk to the organization. For purposes of the assessment, it should be
adequate to evaluate the significance of risks as immaterial, significant, and material.
4. People and/or Department Subject to the Risk: As fraud risks are identified and assessed, it is important to evaluate which people inside and
outside the organization are subject to the risk. This knowledge will assist the organization in tailoring its fraud risk response, including
establishing appropriate segregation of duties, proper review and approval chains of authority, and proactive fraud auditing procedures.
5. Existing Anti-fraud Internal Controls: Map pre-existing controls to the relevant fraud risks identified. Note that this occurs after fraud risks are
identified and assessed for likelihood and significance. By progressing in this order, this framework intends for the organization to assess
identified fraud risks on an inherent basis, without consideration of internal controls.
6. Assessment of Internal Controls Effectiveness: The organization should have a process in place to evaluate whether the identified controls are
operating effectively and mitigating fraud risks as intended. Organizations should consider and review what monitoring procedures would be
appropriate to implement to gain assurance that their internal control structure is operating as intended.
7. Residual Risks: After consideration of the internal control structure, it may be determined that certain fraud risks may not be mitigated
adequately due to several factors, including (a) properly designed controls are not in place to address certain fraud risks or (b) controls
identified are not operating effectively. These residual risks should be evaluated by the organization in the development of the fraud risk
response.
8. Fraud Risk Response: Residual risks should be evaluated by the organization and fraud risk responses should to address such remaining risk.
The fraud risk response could be implementing additional controls and/or designing proactive fraud auditing techniques.
Page 2 of 2
