News Stay informed about the latest enterprise technology news and product updates.

Creating a fraud risk assessment policy

In this Ask the Expert Q&A, our security management expert provides our member with a series of fraud risk assessment factors to address before a policy is created.

We are performing a security and fraud risk assessment. Are there any methodologies you recommend?
First, it's important to understand that the audit committee's primary role is to address fraud risk levels, determine the level of risk posed by management if they override internal controls, and ultimately prevent this type of behavior.

The following are common types of management fraud:

  1. Premature revenue recognition or the creation of fictitious revenue.
  2. Overstating assets
  3. Misrepresenting expenses and liabilities

Below is a checklist containing questions that relate to factors that can increase management risk levels: incentives, opportunities and attitude. Understanding these factors can help auditors develop ways to prevent and respond to management override of internal controls.

Questions to ask regarding incentives, to gauge the level of pressure management may be under that would lead them to override internal controls.

  1. Is the organization financially stable or is the profitability threatened by conditions in the industry, economy or operating practices?
  2. Do outside parties pressure management to meet requirements connected to reporting negative financial results? Do they pressure management to provide information that is contrary to the scenarios the organization faces?
  3. Is their personal financial situation affected by the financial strength and performance of the organization? Is their personal financial situation affected or contingent upon achieving target goals?
  4. Are they pressured to meet target goals including, profitability, budgets or publicized projections?
  5. Are earnings expected to be handled in a manner that places pressure on lower level personnel to meet the expectations of those above them?
  6. Do lower level personnel believe there will be consequences if they fail to reach target goals?

Opportunities that can be exploited by management

  1. Is there an inherent opportunity in the way the organization conducts its operations that could be contusive to fraudulent behavior?
  2. Are unrealistic statistics used in lieu of actual results to create and report financial projections?
  3. Have monitoring management activities been ineffective? Does the complexity of the organization lead to a convoluted structure that creates instabilities?
  4. Does inadequate monitoring result in deficient internal controls?
  5. Have the apparent skill sets and capabilities of the accounting and finance units lead you to believe that they need improvement?

Attitudes exhibited by management

  1. Is it apparent that management is not upholding ethical standards?
  2. Is non-financial management excessively involved with determining accounting principles and projections in a manner that would create significant estimates?
  3. Has there been a known history of disregard or violation of laws?
  4. Have they demonstrated an excessive interest in increasing the organization's stock price?
  5. Does the management have a trend of committing to the goals of creditors, analysts or other third parties to achieve their unrealistic goals or aggressive forecasts?
  6. Have they failed to correct reportable conditions in a timely basis, either in the past or during this current yearly audit?
  7. Does management use inappropriate means to minimize reported earnings for tax-related reasons?
  8. Have they tried to justify inappropriate accounting?
  9. Have relations between auditors been strained as a result of frequent disputes, demands or restrictions?
  10. Have they failed to identify business risks in a timely and appropriate manner?
  11. Do they hesitate to address issues that result from potentially adjusted financial statements?
  12. Is a less than professional attitude pervasive among management, independent auditors and internal auditors when discussing internal controls?

Dig Deeper on Risk management frameworks, metrics and strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.