Fraud Risk Management – Assessment and Confidence Building

In today’s risk landscape, organisations must navigate uncertainties in the external and internal environment.



The average revenue organisations lose to fraud each year.

*According to the Association of Certified Fraud Examiners’ (ACFE) 2020 Global Fraud Study.

More alarmingly, poor internal controls and an inadequate fraud risk management framework to prevent fraud contribute to nearly a third of global fraud cases.

In the fast-changing environment, where the risk of fraud is increasing and fraudsters are adopting new ways to scam, the importance of firms maintaining robust frameworks to detect and prevent material fraud from occurring is ever more apparent. There is also an increased focus and desire to strengthen the responsibility and accountability of those charged with governance of the prevention and detection of fraud by their respective organisations, the authorities and the regulators.

Against this backdrop, organisations are now increasingly considering how they can gain comfort over their fraud risk assessment and fraud risk frameworks to help protect against future financial loss and reputational damage.

This article will provide insights into the drivers for the increased appetite for effective fraud risk management and how to create increased levels of confidence over fraud risk frameworks, exploring the following areas:


Expectations of Boards and senior management on fraud risk management

In the current evolving economic climate, organisations may be more susceptible to fraud risk both internally and externally. This may be due to a desire to improve financial results in the aftermath of the COVID-19 pandemic or to the organisation using increasing levels of technology which fraudsters are seeking to exploit.

Against the backdrop of a constantly increasing number of fraud cases, higher focus on fraud by stakeholders and broader regulatory expectations for greater transparency in respect of fraud risks and mitigating controls, many organisations still lack adequate formal fraud risk management frameworks and are exposed to significant potential losses and regulatory scrutiny. However, the responsibilities of those charged with governance and management in relation to prevention and detection of fraud have not changed. The FCA handbook (Financial Crime Guide) states that the FCA expects (i) senior management to take clear responsibility for managing financial crime risks, which should be treated in the same manner as other risks faced by the business, and (ii) a firm to consider the full implications of the breadth of fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates.

The FCA’s regulatory requirements are also supported by other guidance such as the COSO Fraud Risk Management Guide. Senior management has overall responsibility for the design and implementation of a Fraud Risk Management Programme, including setting the tone at the top that creates the culture for the entire organisation. The board establishes policies and procedures which explain how the board provides oversight, including defining expectations about integrity and ethical values, transparency, and accountability for the implementation and operation of the Fraud Risk Management Programme.

Key facts behind recent fraud cases

The risk of fraud is driven by a diverse set of factors. These include the risks inherent in the business model, the complexities of judgements in accounting, the employee mindset and incentives, as well as the exposure of business data to internal and external attacks.

The culture of the organisation, especially the tone at the top, is also a critical influencing factor for the fraud risk environment, as are the reinforcement of values through middle management and the robustness of the internal control environment.

The following are examples of different types of fraud recently perpetrated by fraudsters:

  • Employee fraud against employers

    – payroll fraud; bribery and kickbacks; falsifying expense claims; theft of cash, assets or intellectual property (IP); false accounting.

  • Crimes by businesses against investors, consumers and employees

    – accounting/financial statement fraud; selling counterfeit goods as genuine ones; not paying over tax or National Insurance contributions paid by staff.

  • Crimes against financial institutions

    – using lost and stolen credit cards; cheque fraud; fraudulent insurance claims.

  • Crimes by professional criminals against major organisations

    – major counterfeiting rings; mortgage fraud; advance fee fraud; corporate identity fraud; money laundering.

  • E-crime by people using computers and technology to commit crimes

    – phishing; spamming; copyright crimes; hacking; social engineering frauds.

In the figure below we present some key thematic root causes of fraud based on a range of recent cases.


Why do people commit fraud?

There is no single underlying reason behind fraud. A useful model is the fraud triangle which is based on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity, and rationalisation.

  • Motivation: Typically based on greed or need, e.g. financial stress, meeting targets.
  • Opportunity: Where there are weak internal controls, lack of oversight, little fear or lower likelihood of detection.
  • Rationalisation: Some may rationalise fraudulent actions as necessary, especially when considered relatively harmless to the business, or justified because the perpetrator has a sense of grievance.

Fraud Triangle

One of the most effective ways to tackle fraud is to adopt methods that will reduce the motivation and the opportunity. Rationalisation is personal to the individual and harder to combat although a strong organisational ethical culture and values can help. These methods and principles are covered later in the article.

Who commits fraud?

Fraudsters often fall into one of three categories:


Pre-planned fraudsters set out from the outset intending to commit fraud. These can be short-term players, like many of those who use stolen credit cards or false personal identification numbers (e.g. social security); or can be longer-term, such as bankruptcy fraudsters and those who execute complex money laundering schemes.


Intermediate fraudsters start off being honest but turn to fraud when times get hard or when life events, such as irritation at being passed over for promotion or the need to pay for care for a family member, change the normal course.


Slippery-slope fraudsters simply carry on trading even when, objectively, they are not in a position to pay their debts. This can apply to ordinary traders or to senior business managers.

In 2007, KPMG carried out research on the Profile of a Fraudster (KPMG survey) which highlighted the following characteristics in relation to fraudsters:

  • most fraudsters are aged between 36 and 55
  • median fraud losses caused by men are twice as high as those caused by women
  • losses caused by managers are generally more than double those caused by employees
  • longer term employees tend to commit much larger frauds
  • the majority of frauds are committed by men
  • a high percentage of frauds are committed by senior management (including owners and executives)
  • average losses caused by owners and executives are nearly 12 times those of employees
  • fraudsters most often work in the finance department, operations/sales or as CEO.

Develop a robust fraud risk management framework

As is evident from the factors highlighted in the above root cause diagram, fraud risk can arise in a variety of ways, hence requiring a robust fraud risk management framework to protect organisations. With a constantly evolving fraud risk landscape in mind, organisations should ensure they have a fraud risk framework that:

a. is integrated with the enterprise risk management framework

b. is embedded and visible within all areas of the organisation

c. develops a culture which supports the prevention, detection, and deterrence of fraudulent behaviour

d. is regularly assessed, with controls redesigned where vulnerability to fraud is identified.

The above considerations are all important to enable the board and senior management to protect and sustain the business, discharge their duties, be alert to risks, intervene with strong controls, and adapt to changes in regulatory requirements.

Based on our experience, an effective framework should contain different components and the right mix of people, process, and technology. This is illustrated in the diagram below. Organisations should continually evaluate how their current framework is designed and operating in practice within a dynamic and evolving fraud risk environment.


Key steps for building confidence in fraud risk management

Both the government and regulators are placing increasing focus on fraud risk management. The current environment makes it an even greater priority for organisations to gain assurance over their fraud risk management frameworks.

Increasing confidence levels in the framework will better enable senior management to discharge their duties and be ready to respond to increased regulatory and stakeholder scrutiny in relation to fraud risk management. In the remainder of the article, we outline key steps for increasing levels of confidence over an organisation’s fraud risk management framework and how we (Xcina Consulting) can help organisations develop a robust fraud risk management framework.

Whilst we do not discuss the different approaches which organisations may ultimately use to gain assurance over their fraud risk management framework, we identify three main focus areas for organisations to consider, namely (i) framework review and assessment, (ii) framework development/enhancement and (iii) framework testing and maintenance.

These are briefly examined below.

FRM Cycle

  • Business environment

    – Identify, understand, and evaluate the company’s business, its strategy, and operating environment along with the pressures that exist.

  • Fraud risk assessment

    – Assess whether the environment exposes the organisation to new fraud risks or increases the threat of existing fraud risks.

  • Business operations and locations

    – Consider whether the fraud risk assessment is consistently applied across all business areas and locations.

  • Likelihood of Occurrence

    – Assign the probability of relevant fraud risks from remote to almost certain.

  • Assessment of Control Effectiveness

    – Assess and classify controls as ineffective to very effective.

  • Responsible Person

    – Determine who will implement controls and mitigation efforts.

  • Fraud Risk Response

    – After identifying a fraud risk, determine corrective action activities or additional controls that should be implemented.

  • Monitoring Activities

    – Establish monitoring activities that will be conducted and how frequently they will occur.

  • Reporting

    – Understand the reporting that senior management receives on fraud risk management to enable informed decision making and to facilitate oversight and challenge. This exercise is a key step for identifying any (i) vulnerability to fraud, (ii) significant gaps in the control environment and (iii) suspected incidents of fraud.

Develop / enhance the control framework

A review and assessment of the fraud risk management framework will provide a refreshed analysis of the adequacy of the control framework in terms of mitigating any heightened areas of fraud risk. This phase is critical as it reinforces the foundations of an adequate fraud risk management framework. The steps outlined below will help organisations in responding to gaps and enhancing the effectiveness of the framework. Organisations should involve different business areas and control functions when considering the following aspects:

  • Prioritisation – Identify which control gaps require immediate attention or expose the organisation to higher fraud risk.
  • Technology – Understand whether any smart technology, Machine Learning/Artificial Intelligence or other tools can be deployed to support fraud detection and prevention.
  • Plan – Evaluate the time required to address the gaps, implement new technologies and complete fraud-related investigations.
  • Subject matter specialists – Consider the need for a dedicated team specialising in fraud risk management or support from external specialists.
  • Communication & training – Assess how changes will be communicated and what training is needed to ensure that all staff are equipped and committed to fraud deterrence.
  • Evidence – Documentation of all existing and new products, processes and controls including an assessment of any new technological solutions relied upon to prevent and detect fraud.
  • Sustain – Assess the methods that should be used to embed the enhanced framework into the heart of the business and maintain it going forward. It is crucial that the control framework is consistently and accurately documented across the organisation, including a clear view of fraud risks and the preventative and detective controls in place.

Test and maintain the fraud risk framework continuously

Perpetrators’ tactics continually change; they become more sophisticated and find new methods to commit fraud. Hence, organisations should not become complacent after they have made what they consider to be the necessary improvements to their fraud risk framework. As fraudsters’ methods evolve, businesses should frequently assess where they may have vulnerabilities and address them, using internal control functions and external specialist teams to continuously monitor the performance of the framework and identify any gaps or ineffective processes.


Fraud will not simply go away. Organisations need to tackle it strategically and will benefit from being proactive rather than reactive, by preventing fraud before it can succeed. Furthermore, with new legislation and more intense public and regulatory scrutiny, it is essential for management to act now to ensure that fraud risk is appropriately identified, assessed, mitigated and reported, enabling the organisation to demonstrate that its fraud risk management framework functions effectively.

Our Fraud Risk professionals are skilled in fraud risk advisory and assurance. Xcina Consulting supports organisations on their journey to develop and to gain assurance over their fraud risk management framework and fraud risk assessments. For more information or to set up a discussion with one of our specialists, please contact us at


With a strong background in the banking industry, Ashish has a broad and diverse experience developed over more than 20 years across Internal audit, Credit risk, Operational risk, Fraud Risk management, Banking Operations, Credit assessment, Compliance, and Assets quality at an International Bank. He has helped organisations to successfully address the governance, risk management and compliance challenges, fulfilling gaps in policies and processes across multicultural jurisdictions.

Ashish Jain

Senior Consultant Risk and Assurance