How significant is the risk of fraud?

The best resource for understanding the level of fraud risk is the Association of Fraud Examiners’ (ACFE) annual Report to the Nations, their global study of occupational fraud and abuse.

Their 2018 Report is now available and, as always, shares some useful and important insights. The ACFE analyzed 2,690 cases from January 2016 to October 2017 from around the world (48% from the USA, the rest evenly split among other regions).

As far as I can tell, the report did not include any thefts (usually of IP) through cyber breaches.

Here are some key facts:

  • The median loss was $130,000 but the mean was $2.75 million.
  • 22% of cases involved losses greater than $1 million. Clearly, there were a relatively small number of very large frauds, but the report sheds no additional light on the frequency or magnitude of significant frauds.
  • The median duration of a fraud was 16 months.
  • As in prior reports, tips by employees identified more frauds than any other mechanism. Internal audit found 15% and management 13%.
  • Financial statement frauds were the least common but the most costly (median loss of $800,000).
  • Owners and executives (down to manager level, apparently) were responsible for a small percentage of cases but the median loss was $850,000.
  • Fraud detection through analytics and surprise internal audits were the most effective internal control measures when it comes to fraud.
  • Only 4% of fraudsters had a prior fraud conviction.
  • Only 63% of organizations have a whistleblower hotline. Those that do not rely on telephone (42%), email (26%), and web-based (23%) mechanisms.
  • 85% of fraudsters displayed at least one behavioral red flag, with living beyond their visible means the most common (41%).
  • Only 65% of identified fraudsters are fired. 58% are prosecuted. Civil suits are litigated in 22% of cases.
  • In some cases, the victim organization was fined, with a median of $100,000 and 20% exceeding $1 million.


So what does this all mean?


I am a strong believer that the resources dedicated to addressing fraud risk (by management or by internal audit) should be commensurate with the level of risk.

Those organizations with high risk should allocate more resources. Those with lower levels of risk should spend their precious resources elsewhere – given a basic minimum to keep the risk low, such as a code of ethics with training and annual certification, a whistleblower hotline, and prompt and capable investigation of every allegation.


That brings us to the need for a fraud risk assessment.

  1. I believe that this should ideally be a management responsibility. The CRO can also take it on. But the internal audit team has the expertise to at least assist, at most complete the assessment on behalf of management.
  2. It should be updated at least annually and every time a fraud is detected.
  3. The fraud risk assessment for SOX should be focused on the potential for a deliberate material misstatement of the financial statements filed with the regulators. I prefer it being a separate document than the enterprise fraud risk assessment.
  4. Management should obtain assurance that the controls in place to keep fraud risk at or below desired levels are effective.


Some internal auditors feel it is their obligation to detect and investigate fraud. I agree with the second part for most organizations (some have a separate unit of fraud examiners), but not the first.

It is management’s responsibility to have appropriate controls in place to prevent and detect fraud, not internal audit.

However, the board or audit committee may decide it is better to charge internal audit with fraud detection. I am OK with that as long as it is in the audit department charter and they have additional resources (beyond what they need to address more significant risks).

Unfortunately, IIA guidance can be read to mean that fraud risk needs to be addressed in every audit. In fact, it only says that it should be considered. When it is not high risk or there are better ways to address the risk (such as by auditing how management addresses it), it should not be included in the scope of individual audits.


Recommended reading:


What do you think? Do you agree?

  1. John Byrd
    April 27, 2018 at 6:04 AM

    Like it or not, it will always be IA’s responsibility (as well as management) for not detecting even a smaller fraud. %$%^!, every time we have one in our organization I feel we should have caught it. That is human nature. That being said, a portion of all IA budgets should be dedicated to fraud based on the fraud assessment and resources available. That is just due diligence and to say IA did something – we did not think the risk was high enough. We are dealing with one now. No one saw that one coming!

  2. Robert
    May 11, 2018 at 9:43 AM

    Great article Norman.
    Did you have any other thoughts on this statement:
    “As far as I can tell, the report did not include any thefts (usually of IP) through cyber breaches.”
    Do you have any books or articles you can suggest that covers this special type of financial fraud (i.e. via cyber breach / failure or lack of cybersecurity controls).
