
Fraud Risk Assessment – A Recipe for Greater Success!

Developed by Jonathan T. Marks, CPA for the AICPA


Risk assessments are part of the discipline of risk management, where enhanced frameworks and techniques have emerged. Risk management comprises the identification, assessment, and prioritization of risks followed by the coordinated and efficient use of resources to monitor, minimize, and otherwise control the impact of the risks on the organization.

Risks arise in many forms and can range from uncertainty in financial markets, operational failures, natural disasters, and pandemics, to legal liabilities and reputational harms.

This writing will focus on fraud risks, a subset of the overall risk universe of the organization.

We live in a disruption-intensive world, and complacency is no longer an option!

Supporting this is the DOJ’s guidance on the Evaluation of Corporate Compliance Programs (“Evaluation”), which states that “prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and how the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’

(See, e.g., [Justice Manual] 9-47-120(2)(c); [Sentencing Guidelines] § 8B2.1(c) (‘the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal conduct.’)”

The Evaluation further states, “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”

When the original Federal Sentencing Guidelines for Organizations (“the Sentencing Guidelines”) were issued in 1991, there was no mention of a risk assessment as part of compliance programs. It was not until the Sentencing Guidelines were amended in 2004 that this alarming omission was remedied. But even then, the risk assessment had not fully “arrived,” as some of the early compliance program requirements in FCPA settlements failed to include a risk assessment component.

As risks continue to expand and intensify, many organizations struggle to ring-fence them and manage them appropriately. Relying on manual processes such as spreadsheets, email, and other disparate methods is, more likely than not, not effective.

The recipe below must be adapted accordingly. Also, the risks identified during the risk assessment process need to be appropriately monitored. I suggest you strongly evaluate and consider automating, where possible, the management of risks and controls with the mindset of continuous improvement or tuning of the fraud risk management program.

Fraud Risk Assessment

In addition to establishing an ethical environment, board members and management must also take the lead in implementing and maintaining a formal fraud risk management program. One key element of such a program is a fraud risk assessment, which should be updated annually at a minimum or more frequently if conditions warrant, and they often do!

Recall that GRC stands for Governance, Risk, and Compliance, and that the order matters: it is a waterfall concept, meaning that good governance includes risk management, and risk management should drive the compliance initiative or program. Why? Because you cannot design an effective compliance program to deter and detect ethical breaches, or worse, fraud, including bribery and corruption, unless you understand the risks your organization faces.

The risk assessment, which some say is easy (I disagree), should focus on the possible bad actors or criminals and the crime (see the Advanced Meta-Model of Fraud shown below). At a minimum it should identify: the fraud schemes and the acts that could potentially occur; the concealment strategies a fraudster could use to avoid detection; the possible conversion tactics; the individuals or gatekeepers who pose the highest risk of committing fraud; the controls in place to deter or detect fraud; and a list of warning signals or “red flags,” which are useful in many ways, including assessing the design of controls.

The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organization then does with those results – in other words, “How is it operationalized?” (see Practice Pointers below).


Here is My Recipe or Methodology*

Having a documented risk-based methodology will help in many ways, including appropriately tailoring and enhancing your internal audit and compliance programs.

When assessing FCPA risk, many miss the mark because they focus on sales/revenue. Sales volume and materiality shouldn’t matter – again, focus on foreign government touchpoints!

Advanced Meta-Model of Fraud Developed by Jonathan T. Marks, Richard Riley, and Scott Fleming 

When it comes to conversion, remember with few exceptions, perpetrators spend what they steal—because of this, looking at spending patterns is a primary investigation technique.



Lack of Controls


Also, use this exercise to ensure you have proper insurance coverages.


When reviewing or updating the fraud risk assessment during a crisis (depending on the severity of the crisis, the organization might be in business continuity mode), seek to understand how the event is impacting operations. Ask senior management, compliance, internal audit, legal, and other key stakeholders where the organization is vulnerable. Evaluate new or emerging risks carefully and close gaps quickly.

Practice Pointers

Compliance, internal audit, legal, and the organization’s stakeholders can use the results of, or operationalize, the fraud risk assessment, which includes the identified “red flags” to fine-tune or strengthen controls, policies, procedures, training, and testing strategies/programs.


Risk assessments are more critical today than ever, especially because they drive the compliance program.

Having a risk assessment may help in resource allocation and prevent punishment for areas not in scope.

Please reach out to me if you have any comments or questions.



Jonathan T. Marks, CPA, CFE


*Note: This is a standard approach. It has been customized and modified accordingly over the years. Also, for a complete assessment, there are other procedures that more likely than not need to be performed to assess the risk of bribery and corruption properly.


The Advanced Meta-Model of Fraud was modified to include Marks’ Fraud Pentagon™. The original writing can be found here


Albrecht, W. Steve; Albrecht, Chad O.; Albrecht, Conan C.; Zimbelman, Mark F. Fraud Examination.

Fraud Pentagon™