---
name: fraud-risk-assessment
description: >
  Fraud risk assessment engine following the COSO Fraud Risk Management Guide. Builds fraud risk universes, maps anti-fraud controls, identifies red flags, designs data analytics detection programs, and evaluates anti-fraud program maturity. USE THIS SKILL when the user mentions fraud risk, anti-fraud controls, fraud detection, red flags, whistleblower program, fraud investigation, Benford's law, fraud triangle, fraud schemes, asset misappropriation, financial statement fraud, corruption, cyber fraud, or anti-fraud program assessment. Covers the full anti-fraud lifecycle from prevention through investigation readiness.
---

# Fraud Risk Assessment

## Required Inputs
- Organization: Company name, industry, size (revenue, employees), and organizational structure.
- Business Processes: Key revenue, procurement, payroll, treasury, and financial reporting processes.
- Control Environment: Existing internal controls, segregation of duties, approval authorities.
- Prior Fraud History: Known fraud incidents, investigation outcomes, losses incurred.
- Regulatory Context: Industry-specific anti-fraud requirements (SOX, FCPA, UK Bribery Act, etc.).
- Whistleblower Program: Current hotline/reporting mechanism details.
- Data Availability: Access to transactional data for analytics (ERP, accounting, procurement, HR systems).
## Execution Steps

### 1. Fraud Risk Universe

Define the complete taxonomy of fraud schemes relevant to the organization.

#### Fraud Scheme Taxonomy (ACFE Classification)

| Category | Scheme | Description | Typical Perpetrator | Avg. Loss Range |
|---|---|---|---|---|
| Asset Misappropriation | Cash Theft — Skimming | Removing cash before recording | Cashiers, front-line employees | $10K-$100K |
| Asset Misappropriation | Cash Theft — Larceny | Removing cash after recording | Accounts receivable, cash handlers | $25K-$250K |
| Asset Misappropriation | Billing Schemes | Fictitious vendor, personal purchases, inflated invoices | Procurement, AP staff | $50K-$500K |
| Asset Misappropriation | Payroll Fraud | Ghost employees, falsified hours, commission manipulation | HR, payroll, managers | $25K-$250K |
| Asset Misappropriation | Expense Reimbursement | Fictitious expenses, inflated amounts, duplicate claims | All employees, executives | $10K-$100K |
| Asset Misappropriation | Check/Payment Tampering | Forged checks, altered payee, unauthorized disbursements | AP staff, signers, treasury | $50K-$500K |
| Asset Misappropriation | Inventory/Asset Theft | Theft or misuse of inventory, equipment, supplies | Warehouse, operations staff | $25K-$500K |
| Financial Statement Fraud | Revenue Recognition | Premature recognition, fictitious revenue, channel stuffing | Senior management, sales | $1M-$100M+ |
| Financial Statement Fraud | Expense/Liability Manipulation | Understating expenses, hiding liabilities, improper capitalization | Senior management, accounting | $1M-$100M+ |
| Financial Statement Fraud | Asset Overstatement | Inflating asset values, improper impairment avoidance | Senior management, accounting | $500K-$50M+ |
| Financial Statement Fraud | Improper Disclosures | Omitting material information, misleading footnotes | Senior management, legal, accounting | $1M-$50M+ |
| Corruption | Bribery | Payments to influence decisions (commercial or government) | Sales, executives, agents | $50K-$10M+ |
| Corruption | Conflicts of Interest | Undisclosed relationships benefiting decision-maker | Procurement, management, board | $50K-$5M |
| Corruption | Illegal Gratuities | Payments for favorable past decisions | Sales, management | $10K-$500K |
| Corruption | Economic Extortion | Demanding payments under threat | Vendors, partners (external) | $25K-$1M |
| Corruption | Bid Rigging | Colluding to predetermine contract award | Procurement, contractors | $100K-$10M+ |
| Cyber Fraud | Business Email Compromise (BEC) | Impersonating executive/vendor to redirect payments | External actors (targeting finance) | $50K-$5M |
| Cyber Fraud | Account Takeover | Compromising credentials to authorize fraudulent transactions | External actors (targeting any) | $25K-$1M |
| Cyber Fraud | Invoice Fraud (cyber-enabled) | Compromised vendor emails requesting payment changes | External actors (targeting AP) | $50K-$2M |
| Cyber Fraud | Data Theft for Fraud | Stealing PII/credentials for identity fraud | Internal or external actors | $100K-$10M+ |
| Cyber Fraud | Cryptocurrency/Payment Fraud | Manipulating digital payment systems | Technical insiders, external actors | $25K-$5M |
### 2. Fraud Triangle / Pentagon Analysis

Assess organizational exposure through the lens of fraud motivation theory.

#### Fraud Triangle Factors

| Factor | Definition | Assessment Questions | Risk Level |
|---|---|---|---|
| **Pressure / Motivation** | Financial or personal pressure to commit fraud | | |
| Financial pressure on employees | | Are employees under financial stress? Aggressive incentive targets? | [High/Med/Low] |
| Organizational pressure | | Are there unrealistic financial targets? "Make the numbers" culture? | [High/Med/Low] |
| External pressure | | Industry downturns? Competitive pressure? Covenant compliance? | [High/Med/Low] |
| **Opportunity** | Ability to commit and conceal fraud | | |
| Weak internal controls | | Are there gaps in segregation of duties, approvals, reconciliations? | [High/Med/Low] |
| Override capability | | Can management override controls without detection? | [High/Med/Low] |
| Inadequate monitoring | | Is there limited oversight of transactions, access, behavior? | [High/Med/Low] |
| Complex transactions/structures | | Are there complex related-party transactions, off-book entities? | [High/Med/Low] |
| **Rationalization** | Ability to justify fraudulent behavior | | |
| Tone at the top | | Do leaders model ethical behavior? Is there a "rules don't apply to me" attitude? | [High/Med/Low] |
| Organizational justice | | Do employees perceive fair treatment, compensation, recognition? | [High/Med/Low] |
| Ethical culture | | Is there a strong code of conduct? Is it enforced consistently? | [High/Med/Low] |

#### Extended Pentagon Factors (Beyond the Triangle)

| Factor | Definition | Assessment Questions | Risk Level |
|---|---|---|---|
| **Capability** | Skills and position to execute fraud | | |
| Technical knowledge | | Does the individual understand systems well enough to exploit them? | [High/Med/Low] |
| Authority level | | Does the position carry sufficient authority to override or conceal? | [High/Med/Low] |
| Coercion ability | | Can the individual pressure others to assist or remain silent? | [High/Med/Low] |
| **Arrogance** | Belief that rules do not apply | | |
| Entitlement | | Does the culture tolerate "star performers" who bend rules? | [High/Med/Low] |
| Ego / overconfidence | | Do key individuals believe they are too smart to be caught? | [High/Med/Low] |
### 3. COSO Fraud Risk Management Guide Application

Apply the 5 COSO principles for fraud risk management.

#### COSO Fraud Risk Management Principles Assessment
| Principle | Description | Current Maturity (1-5) | Evidence | Gap |
|---|---|---|---|---|
| Principle 1: Fraud Risk Governance | Organization establishes and communicates a fraud risk management program that demonstrates expectations of the governing body and senior management and their commitment to high integrity and ethical values. | [1-5] | [Evidence] | [Gap] |
| Principle 2: Fraud Risk Assessment | Organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud risk management activities, and implement actions to mitigate residual fraud risks. | [1-5] | [Evidence] | [Gap] |
| Principle 3: Control Activities | Organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. | [1-5] | [Evidence] | [Gap] |
| Principle 4: Investigation and Corrective Action | Organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. | [1-5] | [Evidence] | [Gap] |
| Principle 5: Fraud Risk Management Monitoring | Organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management. | [1-5] | [Evidence] | [Gap] |
#### Maturity Scale for COSO Principles
| Level | Definition |
|---|---|
| 1 - Initial | No formal program. Fraud risk addressed reactively. |
| 2 - Developing | Some elements exist but not comprehensive. Limited documentation. |
| 3 - Defined | Formal program with policies, procedures, and assigned responsibilities. |
| 4 - Managed | Program actively monitored with metrics. Regular assessments conducted. |
| 5 - Optimized | Continuous improvement. Advanced analytics. Industry-leading practices. |
### 4. Fraud Risk Assessment Matrix

Map each fraud scheme to business processes, assess likelihood and impact.

#### Fraud Risk Assessment Matrix

| Scheme ID | Fraud Scheme | Business Process | Likelihood | Impact | Inherent Risk | Existing Controls | Control Effectiveness | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| FR-001 | Billing — Fictitious vendor | Procurement / AP | [1-5] | [1-5] | [1-25] | [Control descriptions] | [Strong/Moderate/Weak] | [1-25] |
| FR-002 | Payroll — Ghost employees | HR / Payroll | [1-5] | [1-5] | [1-25] | [Control descriptions] | [Strong/Moderate/Weak] | [1-25] |
| FR-003 | Revenue recognition — Channel stuffing | Sales / Revenue | [1-5] | [1-5] | [1-25] | [Control descriptions] | [Strong/Moderate/Weak] | [1-25] |
| FR-004 | BEC — Payment redirection | Treasury / AP | [1-5] | [1-5] | [1-25] | [Control descriptions] | [Strong/Moderate/Weak] | [1-25] |
| FR-005 | Bribery — Government official | Sales / Government relations | [1-5] | [1-5] | [1-25] | [Control descriptions] | [Strong/Moderate/Weak] | [1-25] |

#### Risk Scoring

- Inherent Risk = Likelihood (1-5) x Impact (1-5); range 1-25
- Residual Risk = Inherent Risk x (1 - Control Effectiveness %)
- Control Effectiveness: Strong = 80%, Moderate = 50%, Weak = 20%
- Risk Classification:
  - Critical (20-25): Immediate action required
  - High (13-19): Remediation within 30 days
  - Medium (7-12): Remediation within 90 days
  - Low (1-6): Accept or monitor
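The scoring rules above, applied to a small risk register in Python. This is an added example and not part of the original skill; the five register entries, their likelihood/impact values and their control ratings are constructed for illustration. One point the formulas leave implicit is that residual risk is usually fractional (25 x 0.5 = 12.5), so the integer bands have to be applied as lower bounds rather than exact matches.

```python
# Added example, not part of the original skill: applies the Risk Scoring rules
# to a constructed fraud risk register (all register values are illustrative).
from dataclasses import dataclass

# Control effectiveness percentages from the Risk Scoring section.
CONTROL_EFFECTIVENESS = {"Strong": 0.80, "Moderate": 0.50, "Weak": 0.20}

# Risk bands as (label, lower bound, expected action). Checked from the top
# down, so a fractional residual score such as 12.5 lands in the highest band
# whose lower bound it reaches (here Medium, because 12.5 < 13).
RISK_BANDS = [
    ("Critical", 20, "Immediate action required"),
    ("High", 13, "Remediation within 30 days"),
    ("Medium", 7, "Remediation within 90 days"),
    ("Low", 1, "Accept or monitor"),
]


def _check_scale(value: int, name: str) -> int:
    """Likelihood and impact must be integers on the 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def inherent_risk(likelihood: int, impact: int) -> int:
    """Inherent Risk = Likelihood x Impact (1-25)."""
    return _check_scale(likelihood, "likelihood") * _check_scale(impact, "impact")


def residual_risk(inherent: float, control_effectiveness: str) -> float:
    """Residual Risk = Inherent Risk x (1 - Control Effectiveness %).

    Rounded to one decimal so binary floating point (e.g. 1 - 0.8) does not
    leak into the reported score.
    """
    if control_effectiveness not in CONTROL_EFFECTIVENESS:
        raise ValueError(f"unknown control effectiveness {control_effectiveness!r}")
    return round(inherent * (1 - CONTROL_EFFECTIVENESS[control_effectiveness]), 1)


def classify(score: float) -> str:
    """Map a 1-25 score (inherent or residual) to its risk band."""
    for label, lower_bound, _ in RISK_BANDS:
        if score >= lower_bound:
            return label
    # Residual scores below 1 are possible (inherent 1 with strong controls);
    # anything under the Low threshold is still reported as Low.
    return "Low"


def remediation_expectation(band: str) -> str:
    return next(action for label, _, action in RISK_BANDS if label == band)


@dataclass
class FraudRisk:
    scheme_id: str
    scheme: str
    process: str
    likelihood: int
    impact: int
    control_effectiveness: str


def score_register(register):
    """Score every entry and sort by residual risk, highest first."""
    scored = []
    for r in register:
        inherent = inherent_risk(r.likelihood, r.impact)
        residual = residual_risk(inherent, r.control_effectiveness)
        band = classify(residual)
        scored.append({
            "scheme_id": r.scheme_id, "scheme": r.scheme, "process": r.process,
            "inherent": inherent, "inherent_band": classify(inherent),
            "residual": residual, "residual_band": band,
            "action": remediation_expectation(band),
        })
    return sorted(scored, key=lambda row: row["residual"], reverse=True)


# Constructed register mirroring the matrix above (values are illustrative).
SAMPLE_REGISTER = [
    FraudRisk("FR-001", "Billing — Fictitious vendor", "Procurement / AP", 4, 4, "Strong"),
    FraudRisk("FR-002", "Payroll — Ghost employees", "HR / Payroll", 3, 3, "Weak"),
    FraudRisk("FR-003", "Revenue recognition — Channel stuffing", "Sales / Revenue", 3, 5, "Weak"),
    FraudRisk("FR-004", "BEC — Payment redirection", "Treasury / AP", 5, 5, "Moderate"),
    FraudRisk("FR-005", "Bribery — Government official", "Sales / Government relations", 2, 5, "Moderate"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['scheme_id']} inherent={row['inherent']:>2} ({row['inherent_band']}) "
              f"residual={row['residual']:>4} ({row['residual_band']}): {row['action']}")
```

With the sample values, FR-004 is Critical on an inherent basis (25) but only Medium after moderate controls (12.5), which is the kind of gap the heat map in the output template is meant to surface: the residual band drives the remediation timeline, but the inherent band tells you how much you are relying on those controls working.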
### 5. Anti-Fraud Control Mapping

Map preventive, detective, and corrective controls to each fraud scheme.

#### Control Mapping Matrix
| Fraud Scheme | Preventive Controls | Detective Controls | Corrective Controls |
|---|---|---|---|
| Billing — Fictitious vendor | Vendor master approval workflow (dual approval); Vendor verification (TIN validation, address verification, bank account confirmation); Segregation of duties (requester ≠ approver ≠ payer) | Three-way match (PO-receipt-invoice); Vendor master analytics (duplicate addresses, P.O. boxes, employee address matches); Invoice analytics (round amounts, sequence gaps) | Vendor termination procedure; Loss recovery process; Disciplinary action per policy |
| Payroll — Ghost employees | New hire approval workflow with HR verification; Segregation of duties (hire ≠ approve pay); Annual headcount reconciliation | Payroll-to-HR master data reconciliation (monthly); Duplicate SSN/bank account detection; Terminated employee payroll audit | Overpayment recovery; System access termination; Law enforcement referral |
| Expense reimbursement | Written expense policy with limits; Pre-approval for expenses > threshold; Receipt requirements | Duplicate expense detection; Benford's law analysis on amounts; Supervisor review of all claims; Analytics for round numbers, weekend dates, split transactions | Reimbursement clawback; Policy violation consequences; Enhanced monitoring |
| Revenue — Premature recognition | Revenue recognition policy aligned with ASC 606/IFRS 15; Deal desk approval for non-standard terms; Contract review process | Revenue trend analysis (quarter-end spikes); Credit memo analysis post-quarter; Contract-to-revenue reconciliation; Side agreement audit | Revenue restatement process; Disclosure to audit committee; Regulatory notification if material |
| BEC / Payment fraud | Callback verification for payment changes (using independently sourced number); Email authentication (DMARC, SPF, DKIM); Wire transfer dual approval | Payment change audit trail review; Domain monitoring (lookalike domains); Unusual payment pattern detection | Immediate bank notification and recall; Law enforcement (FBI IC3); Insurance claim |
| Bribery / Corruption | FCPA/anti-bribery policy; Third-party due diligence; Gift and entertainment policy with pre-approval; Compliance training | Third-party payment analytics (round amounts, unusual destinations); Gift and entertainment log review; Whistleblower reports; Travel expense anomaly detection | Investigation protocol; Self-disclosure analysis (DOJ/SEC); Remediation and enhanced controls |
| Conflicts of interest | Annual COI disclosure requirement; Vendor relationship disclosure; Board member independence certification | COI disclosure vs. transaction analysis (undisclosed relationships); Related-party transaction review; Procurement award pattern analysis | Disclosure remediation; Recusal procedures; Contract renegotiation or termination |
### 6. Red Flag Indicators by Fraud Type

#### Behavioral Red Flags (Applicable Across All Fraud Types)
| Red Flag | Possible Indication | Follow-Up Action |
|---|---|---|
| Living beyond apparent means | Employee may be supplementing income through fraud | Discreet observation; if pattern persists, analytics on their transactions |
| Refusal to take vacation or share duties | Concealment risk — fraud may be discovered in their absence | Mandatory vacation enforcement; cross-training with job rotation |
| Unusually close relationship with vendor/customer | Potential conflict of interest or kickback scheme | COI disclosure review; transaction analysis |
| Excessive overtime without clear business reason | Time theft or concealment activity requiring extra hours | Workload review; access log analysis |
| Resentment or complaints about perceived unfairness | Rationalization factor; may justify fraudulent behavior | Management attention; engagement assessment |
| Defensiveness when questioned about work | May indicate concealment | Supervisory review of work products |
| Known financial difficulties (garnishments, bankruptcy) | Pressure factor in fraud triangle | Heightened transaction monitoring |
#### Transactional Red Flags
| Fraud Type | Red Flag | Detection Method |
|---|---|---|
| Billing fraud | Vendor with P.O. box only; same address as employee; round-dollar invoices; sequential invoice numbers from different vendors; invoices just below approval thresholds | Vendor master analytics, invoice analytics |
| Payroll fraud | Employees with same bank account; employees with no tax withholding changes; overtime outliers; commission rate anomalies | Payroll analytics, HR-payroll reconciliation |
| Expense fraud | Expenses on weekends/holidays; round amounts; sequential receipt numbers; duplicate submissions; meals exceeding headcount | Expense report analytics, duplicate detection |
| Revenue fraud | Quarter-end revenue spikes > 40% of quarterly total; unusual credit memo volume post-quarter; large revenue reversals; channel inventory buildup | Revenue pattern analytics, credit memo analysis |
| Corruption | Payments to high-risk jurisdictions (CPI < 40); unusual commission structures; large cash payments; consultant payments without clear deliverables | Third-party payment analytics, due diligence |
| Cyber fraud | Email domain misspellings; payment instruction changes via email; unusual login locations; large transfers to new beneficiaries | Email security, payment verification, access analytics |
#### Analytical Red Flags
| Technique | What It Detects | Application |
|---|---|---|
| Benford's Law deviation | Fabricated numbers (natural datasets follow expected digit distribution) | Expense reports, vendor invoices, journal entries |
| Duplicate detection | Duplicate payments, invoices, or reimbursements | AP transactions, expense reports, payroll |
| Round number analysis | Fabricated amounts (fraudsters tend to use round numbers) | All financial transactions |
| Threshold analysis | Transactions structured just below approval limits | Purchase orders, expense claims, wire transfers |
| Gap/sequence analysis | Missing transactions, altered sequence numbers | Check numbers, invoice numbers, receipt numbers |
| Trend analysis | Unusual patterns over time | Revenue, expenses, vendor payments, payroll |
| Outlier detection | Statistical anomalies (Z-score > 3) | Any high-volume transaction dataset |
| Network analysis | Hidden relationships between entities | Vendor-employee, vendor-vendor, customer-vendor |
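Four of the analytical red flags above (round number analysis, threshold analysis, duplicate detection, gap/sequence analysis) implemented as simple rules over an AP invoice extract. This is an added example, not code from the original skill; the vendors, invoice numbers, amounts, dates and the $10,000 single-approver limit are all constructed values.

```python
# Added example, not part of the original skill: rule-based analytical red
# flags over a constructed AP invoice extract. Every vendor, invoice number,
# amount and the approval limit below is an assumed sample value.
from collections import defaultdict
from typing import Optional

APPROVAL_THRESHOLD = 10_000.00   # assumed single-approver limit
NEAR_THRESHOLD_LOW = 0.90        # "90-99% of the threshold" window
ROUND_BASELINE = 0.05            # expected share of round amounts in normal AP data

# Constructed AP extract: (invoice_no, vendor, amount, invoice_date)
INVOICES = [
    ("A-1001", "Acme Supplies", 9_850.00, "2024-03-04"),      # just under the limit
    ("A-1002", "Acme Supplies", 9_900.00, "2024-03-04"),      # same day: split purchase?
    ("B-220", "Brightline Ltd", 4_000.00, "2024-03-05"),      # round amount
    ("B-221", "Brightline Ltd", 4_000.00, "2024-03-05"),      # same vendor, same amount
    ("C-77", "Corvid Consulting", 12_345.67, "2024-03-06"),
    ("C-79", "Corvid Consulting", 2_310.40, "2024-03-12"),    # C-78 never posted
    ("B-220", "Delta Freight", 1_250.00, "2024-03-07"),       # B-220 reused by another vendor
]


def is_round_amount(amount: float) -> bool:
    """Whole-dollar amount ending in 00 / 000 / 0000 (4,000.00 yes; 1,250.00 no)."""
    return amount != 0 and amount == int(amount) and int(amount) % 100 == 0


def is_near_threshold(amount: float, threshold: float = APPROVAL_THRESHOLD) -> bool:
    """Amount sits at 90-99.99% of the approval limit."""
    return NEAR_THRESHOLD_LOW * threshold <= amount < threshold


def _sequence_number(invoice_no: str) -> Optional[int]:
    """Trailing digits of an invoice number, e.g. 'C-79' -> 79."""
    tail = invoice_no.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else None


def run_red_flag_tests(invoices, threshold: float = APPROVAL_THRESHOLD) -> dict:
    """Return flagged items per rule, plus the round-amount share vs. baseline."""
    flags = {
        "round_amount": [], "near_threshold": [], "possible_split": [],
        "duplicate_amount": [], "shared_invoice_number": [], "sequence_gap": [],
    }
    by_vendor_day = defaultdict(list)     # (vendor, date) -> [(invoice_no, amount)]
    by_vendor_amount = defaultdict(list)  # (vendor, amount) -> [invoice_no]
    by_invoice_no = defaultdict(set)      # invoice_no -> {vendor}
    by_vendor_seq = defaultdict(list)     # vendor -> [sequence number]

    for inv_no, vendor, amount, date in invoices:
        if is_round_amount(amount):
            flags["round_amount"].append((inv_no, vendor))
        if is_near_threshold(amount, threshold):
            flags["near_threshold"].append((inv_no, vendor))
        by_vendor_day[(vendor, date)].append((inv_no, amount))
        by_vendor_amount[(vendor, amount)].append(inv_no)
        by_invoice_no[inv_no].add(vendor)
        seq = _sequence_number(inv_no)
        if seq is not None:
            by_vendor_seq[vendor].append(seq)

    # Threshold splitting: several same-day invoices from one vendor, each below
    # the limit on its own, that together exceed it.
    for (vendor, date), lines in by_vendor_day.items():
        total = sum(a for _, a in lines)
        if len(lines) > 1 and total > threshold and all(a < threshold for _, a in lines):
            flags["possible_split"].append((vendor, date, round(total, 2), [n for n, _ in lines]))

    for (vendor, amount), nos in by_vendor_amount.items():
        if len(nos) > 1:
            flags["duplicate_amount"].append((vendor, amount, nos))

    for inv_no, vendors in by_invoice_no.items():
        if len(vendors) > 1:
            flags["shared_invoice_number"].append((inv_no, sorted(vendors)))

    for vendor, seqs in by_vendor_seq.items():
        present = set(seqs)
        missing = [n for n in range(min(present), max(present)) if n not in present]
        if missing:
            flags["sequence_gap"].append((vendor, missing))

    # Population-level check: share of round amounts against the baseline.
    flags["round_share"] = round(len(flags["round_amount"]) / len(invoices), 3) if invoices else 0.0
    flags["round_share_exceeds_baseline"] = flags["round_share"] > ROUND_BASELINE
    return flags


if __name__ == "__main__":
    for rule, hits in run_red_flag_tests(INVOICES).items():
        print(f"{rule}: {hits}")
```

Each rule on its own produces false positives (a round-number retainer or a genuinely cancelled invoice number is routine); the value is in the overlap. In the sample, Acme's two same-day invoices are flagged by both the near-threshold and the split rules, and Brightline's B-220 hits the round-amount, duplicate-amount and shared-invoice-number rules at once, which is what would move it to the top of a review queue.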
### 7. Whistleblower Program Assessment

#### Program Effectiveness Scorecard
| Element | Best Practice | Current State (1-5) | Gap |
|---|---|---|---|
| Reporting Channels | Multiple channels: phone hotline (24/7, multilingual), web portal, email, in-person, anonymous options | [1-5] | [Gap] |
| Independence | Managed by independent third party; reports to audit committee, not management | [1-5] | |
| Anonymity | Anonymous reporting available and assured; no caller ID, no IP tracking | [1-5] | |
| Non-Retaliation Policy | Written anti-retaliation policy; active enforcement; consequences for retaliation | [1-5] | |
| Awareness | Regular promotion (posters, training, intranet, onboarding); all employees know how to report | [1-5] | |
| Accessibility | Available to employees, contractors, vendors, customers; multilingual if applicable | [1-5] | |
| Triage Process | Documented triage criteria; timely acknowledgment; clear escalation paths | [1-5] | |
| Investigation Protocol | All reports investigated; qualified investigators; documented procedures | [1-5] | |
| Feedback Loop | Reporters receive status updates (while maintaining investigation integrity) | [1-5] | |
| Metrics and Reporting | Report volume, types, resolution time, substantiation rate tracked and reported to audit committee | [1-5] | |
| Benchmarking | Reports per 100 employees benchmarked against industry (ACFE median: 1.4 per 100) | [1-5] |
Whistleblower Program Maturity Score: Total / 55 = [X]%
| Score Range | Maturity Level | Action |
|---|---|---|
| 85-100% | Leading | Maintain; benchmark externally |
| 70-84% | Effective | Address specific gaps |
| 50-69% | Developing | Significant enhancement needed |
| < 50% | Inadequate | Program redesign required |
### 8. Data Analytics for Fraud Detection

#### Analytics Program Design
| Analytics Type | Frequency | Data Source | Fraud Schemes Detected |
|---|---|---|---|
| Continuous (automated, real-time) | Daily/weekly | ERP, payment systems | Duplicate payments, threshold splitting, unauthorized payments |
| Periodic (scheduled analysis) | Monthly/quarterly | ERP, HR, expense systems | Ghost employees, vendor anomalies, expense fraud, payroll anomalies |
| Ad Hoc (investigation support) | As needed | All available data | Specific allegation testing, relationship mapping |
#### Core Analytics Tests
| Test | Method | Target Data | Expected Output |
|---|---|---|---|
| Benford's Law | Compare first-digit frequency distribution against expected Benford distribution; chi-square test for significance | Expense reports, vendor invoices, journal entries | Digit frequency chart with conformity score; p-value < 0.05 flags non-conformity |
| Duplicate Detection | Match on amount + date, amount + vendor, invoice number across vendors, employee bank account matches | AP transactions, expense reports, payroll | List of potential duplicates with match criteria |
| Round Number Analysis | Flag transactions where amount ends in 00, 000, 0000; compare % round numbers to expected baseline (< 5%) | All disbursements | Percentage of round amounts; list of round-number transactions above threshold |
| Threshold Analysis | Identify transactions at 90-99% of approval thresholds; cluster analysis for split transactions | Purchase orders, expense claims, wire transfers | Transactions near thresholds; related transactions suggesting splitting |
| Vendor Master Analytics | Match vendor addresses/phone/bank accounts to employee records; identify P.O. box-only vendors; dormant vendor activity | Vendor master, HR master, AP transactions | Potential shell vendors, conflict of interest matches |
| Ghost Employee Detection | Compare active payroll to HR master; identify employees with no benefit elections, no tax changes, duplicate SSN/bank accounts | Payroll, HR, benefits data | Potential ghost employees for investigation |
| Journal Entry Testing | Identify manual entries posted on weekends/holidays, round amounts, by unusual users, to unusual accounts, near period-end | General ledger | Suspicious journal entries ranked by risk indicators |
| Payment Pattern Analysis | Identify new payees receiving large first payments, payments to high-risk jurisdictions, payments without PO/contract | AP disbursements | Anomalous payment patterns for review |
| Anomaly Detection (Statistical) | Z-score analysis on transaction amounts by vendor/employee/account; isolation forest for multivariate anomalies | Any high-volume transaction set | Transactions with Z-score > 3 or anomaly score above threshold |
| Network Analysis | Map relationships between vendors, employees, bank accounts, addresses, phone numbers to detect hidden connections | Vendor, employee, payment master data | Relationship graph; clusters of connected entities |
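The Benford's Law test from the table above (and from the Analytical Red Flags table in step 6), as an added worked example that is not part of the original skill: a first-digit frequency comparison with a chi-square check against the critical value for 8 degrees of freedom at alpha 0.05, which is the same decision as "p-value < 0.05 flags non-conformity". Both datasets are constructed: `LOG_UNIFORM` follows Benford by construction because its amounts are spread evenly across three orders of magnitude, and `FABRICATED` clusters just under 6,000 the way invented invoice amounts often do. The 100-record minimum is an assumed floor.

```python
# Added example, not part of the original skill: first-digit Benford's Law test
# with a chi-square significance check. Datasets and the minimum sample size
# are constructed/assumed values for illustration.
import math

# Expected first-digit share under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD_FIRST_DIGIT = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (9 digits - 1) at alpha 0.05.
# A statistic above it corresponds to p < 0.05, i.e. the non-conformity flag.
CHI2_CRITICAL_DF8_P05 = 15.507

# Assumed minimum sample. The test is unreliable on small populations and on
# data that does not span several orders of magnitude (fixed-price items,
# capped reimbursements), so those populations should be excluded up front.
MIN_SAMPLE = 100


def first_digit(amount: float):
    """Leading non-zero digit of an amount, sign ignored; None for zero."""
    if not amount:
        return None
    text = f"{abs(amount):.15g}".replace(".", "").lstrip("0")
    return int(text[0]) if text else None


def benford_first_digit_test(amounts) -> dict:
    """Compare observed first-digit counts with Benford's expected counts."""
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    if n < MIN_SAMPLE:
        raise ValueError(f"need at least {MIN_SAMPLE} non-zero amounts, got {n}")
    observed = {d: 0 for d in range(1, 10)}
    for d in digits:
        observed[d] += 1

    chi_square = 0.0
    table = []
    for d in range(1, 10):
        expected = n * BENFORD_FIRST_DIGIT[d]
        chi_square += (observed[d] - expected) ** 2 / expected
        table.append((d, observed[d], round(expected, 1), round(observed[d] / n, 4)))
    return {
        "n": n,
        "observed": observed,
        "chi_square": round(chi_square, 3),
        "conforms": chi_square < CHI2_CRITICAL_DF8_P05,
        "table": table,   # (digit, observed count, expected count, observed share)
    }


# Constructed datasets.
LOG_UNIFORM = [round(10 ** (2 + 3 * k / 500), 2) for k in range(500)]   # 100.00 .. ~98,600
FABRICATED = [4_900.00 + 5 * i for i in range(200)]                     # 4,900 .. 5,895

if __name__ == "__main__":
    for name, data in (("log-uniform", LOG_UNIFORM), ("fabricated", FABRICATED)):
        result = benford_first_digit_test(data)
        print(f"{name}: n={result['n']} chi2={result['chi_square']} conforms={result['conforms']}")
        for digit, obs, exp, share in result["table"]:
            print(f"  {digit}: observed {obs:>3} expected {exp:>6} "
                  f"share {share:.3f} Benford {BENFORD_FIRST_DIGIT[digit]:.3f}")
```

The digit table is worth keeping alongside the pass/fail result: a chi-square statistic tells you the population deviates, but the per-digit rows show where (in the fabricated set, nothing starts with 1-3 and digit 5 carries 90% of the records), which is what points the follow-up review at a specific amount range.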
### 9. Investigation Readiness Framework

#### Investigation Readiness Checklist
| Element | Required | Status | Gap |
|---|---|---|---|
| Written investigation policy and procedures | Yes | [In place/Partial/Missing] | [Gap] |
| Qualified investigators (internal or retained external) | Yes | [Status] | |
| Forensic accounting firm on retainer | Recommended | [Status] | |
| Digital forensics capability (in-house or retained) | Yes | [Status] | |
| Outside counsel with investigation experience | Yes | [Status] | |
| Evidence preservation protocol (legal hold process) | Yes | [Status] | |
| Interview protocol (rights, documentation, witnesses) | Yes | [Status] | |
| Chain of custody procedures | Yes | [Status] | |
| Investigation reporting template | Yes | [Status] | |
| Board/audit committee investigation reporting protocol | Yes | [Status] | |
| Law enforcement referral criteria and procedures | Yes | [Status] | |
| Recovery and restitution procedures | Yes | [Status] | |
| Post-investigation control enhancement process | Yes | [Status] |
#### Investigation Decision Tree

```text
Allegation Received
|
+--> Is it credible? (Initial assessment within 48 hours)
|      NO  --> Document assessment rationale; close with audit committee notification
|      YES --> Proceed
|
+--> Does it involve senior management?
|      YES --> Audit committee directs; outside counsel leads; do NOT notify subject
|      NO  --> Internal investigation team or outsource based on complexity
|
+--> Preserve evidence immediately
|      +--> Implement litigation hold
|      +--> Preserve electronic data (do NOT alert subject)
|      +--> Secure physical evidence
|
+--> Scope the investigation
|      +--> Who: Subjects, witnesses, affected parties
|      +--> What: Transactions, time period, systems
|      +--> Where: Locations, jurisdictions
|
+--> Execute investigation
|      +--> Document review and data analytics
|      +--> Witness interviews (peripheral witnesses first, subject last)
|      +--> Expert analysis if needed (forensic accounting, digital forensics)
|
+--> Determine outcome
       +--> Substantiated   --> Disciplinary action, recovery, control enhancement, law enforcement referral
       +--> Unsubstantiated --> Document findings, communicate to reporter, close
       +--> Inconclusive    --> Enhanced monitoring, periodic reassessment
```
### 10. Fraud Loss Quantification

#### Loss Quantification Framework
| Loss Category | Calculation Method | Example |
|---|---|---|
| Direct Loss | Sum of misappropriated funds/assets | $X in fraudulent payments identified |
| Investigation Cost | Internal hours + external fees (forensic, legal, consulting) | 500 hours x $150/hr + $200K external |
| Recovery Cost | Legal fees for recovery, insurance deductible, asset tracing | $X in legal fees; $X insurance deductible |
| System Remediation | Control enhancements, system changes, additional staff | $X in new controls, systems, and personnel |
| Regulatory Fines | Penalties from regulators for control failures | $X in SEC, DOJ, or other fines |
| Reputational Damage | Customer churn, revenue impact, recruiting difficulty | Estimated $X based on churn analysis |
| Opportunity Cost | Management time diverted, delayed projects | $X in estimated opportunity cost |
| Total Fraud Cost | Sum of all categories | $X total organizational impact |
#### Loss Multiple Analysis

Total Fraud Cost is typically 2x-5x the direct loss amount.

Industry benchmarks (ACFE Report to the Nations):

- Median loss per fraud case: $117,000
- Mean loss per fraud case: $1,783,000
- Median duration before detection: 12 months
- Estimated total fraud loss: 5% of annual revenue (ACFE estimate)
### 11. Industry-Specific Fraud Schemes

#### Financial Services
| Scheme | Description | Key Controls |
|---|---|---|
| Rogue trading | Unauthorized trading positions exceeding limits | Position limits, independent P&L valuation, trade surveillance |
| Loan fraud | Fictitious borrowers, inflated collateral values | Independent appraisals, borrower verification, credit committee |
| AML failures | Structuring, layering, insufficient KYC | Transaction monitoring, CTR/SAR filing, enhanced due diligence |
| Insurance fraud | Fictitious claims, inflated losses, staged events | Claims investigation unit, analytics, SIU referrals |
#### Healthcare
| Scheme | Description | Key Controls |
|---|---|---|
| Upcoding | Billing for more expensive services than rendered | Claims data analytics, coding audits, compliance reviews |
| Phantom billing | Billing for services never provided | Patient verification, visit documentation, hotline |
| Kickbacks (Stark/Anti-Kickback) | Referral payments for patient volume | Fair market value assessments, compliance program, OIG exclusion checks |
| Diversion | Drug diversion by healthcare workers | Controlled substance tracking, discrepancy investigation |
#### Government / Public Sector
| Scheme | Description | Key Controls |
|---|---|---|
| Contract fraud | Bid rigging, change order abuse, cost mischarging | Competitive bidding, change order review, cost audit |
| Grant fraud | Misuse of grant funds, false progress reporting | Grant expenditure monitoring, progress verification |
| Time and attendance | Falsified time records, no-show employees | Biometric timekeeping, supervisor verification |
| Procurement fraud | Favoritism, split purchases to avoid bidding | Vendor rotation analysis, threshold monitoring |
#### Retail
| Scheme | Description | Key Controls |
|---|---|---|
| POS fraud | Fictitious returns, void abuse, discount abuse | POS analytics, void/return review, exception reporting |
| Inventory shrinkage | Theft by employees or organized retail crime | Inventory counts, CCTV, loss prevention team |
| Gift card fraud | Fraudulent activation, balance draining | Gift card reconciliation, activation monitoring |
| Vendor allowance fraud | Fictitious deductions, unauthorized markdowns | Vendor allowance reconciliation, deduction analytics |
### 12. Anti-Fraud Program Maturity Model

#### Maturity Assessment
| Domain | Level 1: Reactive | Level 2: Basic | Level 3: Proactive | Level 4: Managed | Level 5: Optimized |
|---|---|---|---|---|---|
| Governance | No anti-fraud policy | Basic policy exists | Comprehensive policy; board oversight | Regular board reporting; fraud risk in ERM | Continuous program evaluation; industry leadership |
| Risk Assessment | No fraud risk assessment | Ad hoc assessment | Annual formal assessment per COSO guide | Assessment tied to business changes; scenario-based | Continuous reassessment; predictive risk modeling |
| Prevention | Minimal controls | Basic SOD and approvals | Comprehensive preventive controls mapped to schemes | Controls tested regularly; design kept current | Adaptive controls; AI-based prevention |
| Detection | Discovered by accident | Basic whistleblower hotline | Hotline + periodic data analytics | Continuous monitoring + advanced analytics | Real-time detection; machine learning models; full population testing |
| Investigation | Ad hoc, untrained investigators | Basic investigation process | Formal protocol; trained investigators; outside counsel retained | Structured program with metrics; lessons learned integration | Best-in-class capability; proactive intelligence |
| Response | Inconsistent consequences | Documented disciplinary process | Consistent enforcement; recovery pursued; law enforcement referral criteria | Root cause analysis; control enhancement post-incident | Comprehensive remediation; industry sharing; regulatory cooperation |
| Monitoring | No program monitoring | Annual review by management | Regular KPIs; audit committee reporting | Benchmarking against peers; program effectiveness metrics | Independent program assessment; continuous improvement cycle |
#### Maturity Score Calculation

- Domain Score = Assessed Level (1-5)
- Overall Maturity = Average of 7 Domain Scores

Target Maturity by Organization Profile:

- Public company (SEC registrant): Level 4 minimum
- Large private company: Level 3 minimum
- Mid-market company: Level 3 target
- Small/startup: Level 2 minimum, Level 3 target within 2 years
- Government / regulated entity: Level 4 minimum
## Output Template
## Fraud Risk Assessment: [Organization]
### Assessment Parameters
| Field | Detail |
|---|---|
| Organization | [Name] |
| Industry | [Industry] |
| Revenue / Size | [$X / # employees] |
| Assessment Date | [Date] |
| Methodology | COSO Fraud Risk Management Guide |
| Assessor | [Name/team] |
### Executive Summary
[Overall fraud risk profile, critical findings, top fraud risk scenarios,
anti-fraud program maturity score, priority recommendations]
### Fraud Triangle / Pentagon Assessment
| Factor | Risk Level | Key Drivers |
|---|---|---|
| Pressure | [High/Med/Low] | [Key drivers] |
| Opportunity | [High/Med/Low] | [Key drivers] |
| Rationalization | [High/Med/Low] | [Key drivers] |
| Capability | [High/Med/Low] | [Key drivers] |
| Arrogance | [High/Med/Low] | [Key drivers] |
### COSO Fraud Risk Management Maturity
| Principle | Score (1-5) | Key Gap |
|---|---|---|
| Principle 1: Governance | [1-5] | [Gap] |
| Principle 2: Risk Assessment | [1-5] | [Gap] |
| Principle 3: Control Activities | [1-5] | [Gap] |
| Principle 4: Investigation & Corrective Action | [1-5] | [Gap] |
| Principle 5: Monitoring | [1-5] | [Gap] |
### Fraud Risk Heat Map
| Risk Zone | Fraud Schemes | Residual Risk Score |
|---|---|---|
| Critical (20-25) | [Schemes] | [Scores] |
| High (13-19) | [Schemes] | [Scores] |
| Medium (7-12) | [Schemes] | [Scores] |
| Low (1-6) | [Schemes] | [Scores] |
### Anti-Fraud Control Gap Analysis
[Control mapping with identified gaps and remediation recommendations]
### Red Flag Monitoring Program
[Key red flags to monitor with detection methods and responsible parties]
### Data Analytics Program Design
[Recommended analytics tests with data requirements and implementation priority]
### Whistleblower Program Assessment
[Effectiveness scorecard with improvement recommendations]
### Investigation Readiness
[Readiness assessment with gaps and remediation plan]
### Anti-Fraud Program Maturity Scorecard
| Domain | Current Level | Target Level | Gap |
|---|---|---|---|
| Governance | [1-5] | [Target] | [Gap] |
| Risk Assessment | [1-5] | [Target] | [Gap] |
| Prevention | [1-5] | [Target] | [Gap] |
| Detection | [1-5] | [Target] | [Gap] |
| Investigation | [1-5] | [Target] | [Gap] |
| Response | [1-5] | [Target] | [Gap] |
| Monitoring | [1-5] | [Target] | [Gap] |
| **Overall** | [Avg] | [Target] | [Gap] |
### Remediation Roadmap
| Priority | Action | Owner | Timeline | Est. Cost |
|---|---|---|---|---|
| Immediate | [Action] | [Role] | 0-30 days | [$X] |
| Near-term | [Action] | [Role] | 30-90 days | [$X] |
| Medium-term | [Action] | [Role] | 90-180 days | [$X] |
| Long-term | [Action] | [Role] | 180-365 days | [$X] |
### Disclaimers
> This fraud risk assessment provides a framework for identifying and
> mitigating fraud risk. It does not guarantee the detection or prevention
> of all fraud. No system of internal controls can provide absolute
> assurance against fraud. This assessment should be updated annually or
> when significant organizational changes occur.
## Quality Checks
- Fraud risk universe covers all 4 major categories (asset misappropriation, financial statement fraud, corruption, cyber fraud) with specific schemes relevant to the organization's industry.
- Fraud triangle/pentagon analysis assesses pressure, opportunity, AND rationalization (plus capability and arrogance for pentagon) with specific organizational evidence.
- COSO Fraud Risk Management Guide principles (all 5) are assessed with specific maturity scores and evidence.
- Fraud risk assessment matrix maps specific schemes to specific business processes with scored likelihood and impact.
- Anti-fraud controls are mapped as preventive, detective, AND corrective for each significant fraud scheme.
- Red flag indicators include behavioral, transactional, AND analytical categories with specific detection methods.
- Whistleblower program assessment covers all key elements (channels, independence, anonymity, non-retaliation, awareness, triage, investigation, feedback, metrics).
- Data analytics program includes specific tests (Benford's law, duplicate detection, anomaly detection) with data requirements, not just general descriptions.
- Investigation readiness framework includes both the readiness checklist and decision tree for investigation management.
- Fraud loss quantification covers direct losses AND indirect costs (investigation, remediation, regulatory, reputational).
- Industry-specific fraud schemes are included for the organization's industry.
- Anti-fraud program maturity model scores all 7 domains on a 5-level scale with defined level descriptions.