Stay connected: follow us on LinkedIn and explore more at
www.CherryHillAdvisory.com.

Subscribe now to join the Risk Register community:
Here's the problem with most fraud risk assessments: they look great in a binder but fall apart the moment someone asks hard questions.
A regulator wants to know why you missed the warning signs. Your audit committee wants specifics on control gaps. Legal counsel needs documentation that shows you did your diligence. And suddenly, that assessment you spent weeks on feels more like a liability than a defense.
We've seen this pattern repeatedly. Organizations check the compliance box with a fraud risk assessment, then discover it can't withstand scrutiny when they actually need it to.
The stakes are higher than ever. 76% of organizations experienced attempted or actual fraud in 2025, and companies worldwide lost 7.7% of their annual revenue on average to fraud over the past year. That's an estimated $534 billion.
Building an assessment that holds up requires more than templates and workshops. It requires thinking like someone who will challenge your work later.
Before you schedule your first fraud risk workshop, ask yourself who might eventually scrutinize this assessment.
Your external auditors will look for alignment with COSO principles, in particular Principle 8 of the 2013 Internal Control framework, which requires the organization to consider the potential for fraud when assessing risks to its objectives. Regulators will want evidence you considered industry-specific schemes. If fraud occurs, plaintiff attorneys will examine whether your assessment was comprehensive enough to identify the risk.
This isn't about being defensive. It's about building something that serves its actual purpose: protecting your organization by identifying real vulnerabilities before they become real losses.
The assessment needs to answer specific questions:
What specific fraud schemes could target us? Generic categories like "asset misappropriation" won't cut it. You need to identify the actual schemes relevant to your operations, industry, and control environment.
How likely and significant is each risk? You need a rational basis for your risk ratings. Document your methodology and the factors you considered.
What controls exist today? Map existing controls to specific risks. Identify gaps where controls are missing, inadequate, or not operating effectively.
What are we doing about residual risks? Show decision-making around which risks you're mitigating, accepting, or monitoring differently.
These questions should drive your entire assessment process.
The weakest fraud risk assessments start with generic fraud trees copied from frameworks. The strongest start with understanding how fraud actually happens in your environment.
Look at where fraud attempts concentrate. Digital account creation saw 8.3% of attempts flagged as suspected fraud in 2025, making it the highest risk stage across the consumer lifecycle. Account takeover volume grew 21% from the first half of 2024 to the first half of 2025.
Your assessment should reflect these realities, not theoretical possibilities.
We map fraud schemes by asking internal audit teams and operational leaders three questions:
Where does money or value move in your processes? Follow the flow of payments, inventory, data, and anything else someone could steal or manipulate.
Where do controls depend on human judgment? Approval processes, exception handling, and manual reconciliations create opportunities for override or manipulation.
Where have you seen red flags or near-misses? Past incidents, audit findings, and whistleblower complaints reveal vulnerabilities even when fraud didn't occur.
Document specific schemes tied to your actual operations. If you process insurance claims, identify the specific ways someone could manipulate that process. If you manage construction projects, map the procurement and payment schemes relevant to that environment.
Specificity matters when someone later asks why you didn't anticipate a particular fraud.
Risk ratings often become the most scrutinized part of a fraud risk assessment. You rated cyberfraud as "medium" but it resulted in a seven-figure loss. Now explain your methodology.
The challenge is that fraud likelihood is inherently difficult to quantify. You're estimating the probability of intentional acts by people motivated to hide their behavior.
Research shows cyberfraud represented both the most likely and most significant fraud risk at U.S. public companies, while financial statement fraud was identified as least likely but with significant impact when it occurs.
Your assessment should consider both dimensions and document the factors driving your conclusions.
For likelihood, consider: Control strength in the area, complexity of the process, number of people with access, historical incidents or red flags, and industry trends showing where fraud is concentrating.
For impact, consider: Potential financial loss, regulatory consequences, reputational damage, and operational disruption.
Document your reasoning for each significant risk. When you rate vendor fraud as "high likelihood," note, for example, that your procurement process lets requisitioners split purchases to stay below the approval threshold, and that you have had three duplicate payments in the past year.
This documentation becomes your defense when someone questions your risk ratings later.
The control evaluation is where many assessments lose credibility. Organizations list every control that exists, regardless of whether it effectively addresses the identified fraud risks.
Your assessment needs to show which controls actually mitigate which specific fraud schemes.
We've found the most defensible approach involves three steps:
First, identify the controls designed to prevent or detect each fraud scheme. Be specific about what the control does. "Segregation of duties" is too vague. "Payment approval requires a manager who doesn't have access to vendor master file maintenance" is specific.
Second, evaluate whether the control operates effectively. Does it happen consistently? Do people follow the procedure? Are exceptions documented and reviewed?
Third, identify gaps where controls are missing or inadequate. This is the uncomfortable part. You're documenting vulnerabilities. But that's the point of the assessment.
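The three steps above, together with the evidence the article cites for a "high likelihood" vendor-fraud rating (split purchases below the approval threshold, duplicate payments), lend themselves to audit analytics run against the accounts-payable ledger. The script below is an added example, not code from the article or from Cherry Hill Advisory. The ledger rows, the $10,000 approval threshold, the seven-day split window, and the list of users who can edit the vendor master file are all constructed assumptions; in practice the ledger comes from the ERP and the editor list from an access-review export.

```python
"""Added example: audit-analytics checks over a constructed accounts-payable
ledger. Not part of the original article; ledger, threshold, window and
role lists are assumptions made up for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount_cents: int            # integer cents avoids float rounding in sums
    paid_on: date
    approver: Optional[str]      # None = paid with no recorded approval


# Constructed sample ledger (not real data).
LEDGER = [
    Payment("P1", "Acme Supply", "INV-2001", 600_000, date(2025, 3, 3), "bob"),
    Payment("P2", "Acme Supply", "INV-2002", 450_000, date(2025, 3, 5), "bob"),
    Payment("P3", "Acme Supply", "INV-2003", 200_000, date(2025, 3, 20), "bob"),
    Payment("P4", "Globex Parts", "INV-77", 1_200_000, date(2025, 3, 4), "alice"),
    Payment("P5", "Globex Parts", "inv 77", 1_200_000, date(2025, 3, 11), "alice"),
    Payment("P6", "Initech", "INV-500", 300_000, date(2025, 3, 2), "carol"),
    Payment("P7", "Initech", "INV-501", 300_000, date(2025, 3, 9), "carol"),
    Payment("P8", "Initech", "INV-502", 1_500_000, date(2025, 3, 10), None),
]

# Assumed control parameters: payments at or above the threshold need manager
# approval, and the approver must not be able to edit the vendor master file.
APPROVAL_THRESHOLD_CENTS = 1_000_000        # $10,000 (assumption)
SPLIT_WINDOW_DAYS = 7                       # assumption
VENDOR_MASTER_EDITORS = {"alice", "erin"}   # assumed access-review export


def _norm_invoice(s: str) -> str:
    """Canonicalise invoice numbers so 'INV-77' and 'inv 77' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def find_split_purchases(ledger, threshold=APPROVAL_THRESHOLD_CENTS,
                         window_days=SPLIT_WINDOW_DAYS):
    """Flag clusters of sub-threshold payments to one vendor within the window
    whose combined value reaches the threshold (the split-purchase red flag)."""
    by_vendor = defaultdict(list)
    for p in ledger:
        if p.amount_cents < threshold:      # above-threshold items were approved
            by_vendor[p.vendor].append(p)
    findings = []
    for vendor, items in by_vendor.items():
        items.sort(key=lambda p: p.paid_on)
        clusters, cluster = [], [items[0]]
        for p in items[1:]:                 # cluster by distance from first item
            if p.paid_on - cluster[0].paid_on <= timedelta(days=window_days):
                cluster.append(p)
            else:
                clusters.append(cluster)
                cluster = [p]
        clusters.append(cluster)
        for c in clusters:
            total = sum(p.amount_cents for p in c)
            if len(c) > 1 and total >= threshold:
                findings.append((vendor, tuple(p.payment_id for p in c), total))
    return findings


def find_duplicate_payments(ledger):
    """Flag payments to the same vendor with the same normalised invoice number
    and amount (the duplicate-payment red flag)."""
    groups = defaultdict(list)
    for p in ledger:
        groups[(p.vendor, _norm_invoice(p.invoice_no), p.amount_cents)].append(p.payment_id)
    return [(v, inv, tuple(ids)) for (v, inv, _), ids in groups.items() if len(ids) > 1]


def evaluate_sod_control(ledger, threshold=APPROVAL_THRESHOLD_CENTS,
                         editors=VENDOR_MASTER_EDITORS):
    """Test whether the stated control operated: every payment at or above the
    threshold has an approver, and that approver cannot maintain the vendor
    master. The exceptions are the gaps the assessment must document."""
    in_scope = [p for p in ledger if p.amount_cents >= threshold]
    return {
        "in_scope": len(in_scope),
        "missing_approval": [p.payment_id for p in in_scope if p.approver is None],
        "sod_conflicts": [(p.payment_id, p.approver) for p in in_scope
                          if p.approver in editors],
    }


if __name__ == "__main__":
    print("Split purchases:", find_split_purchases(LEDGER))
    print("Duplicate payments:", find_duplicate_payments(LEDGER))
    print("SoD control test:", evaluate_sod_control(LEDGER))
```

On the constructed ledger the split-purchase check flags Acme's two invoices paid two days apart, which together cross the threshold neither reaches alone; Initech's two sub-threshold invoices fall inside the window but do not add up to the threshold, so they are not flagged. The duplicate check matches "INV-77" and "inv 77" only because invoice numbers are normalised before comparison. The control test reports one payment with no recorded approval and two approved by a user who can also edit the vendor master, which is exactly the kind of finding that turns "segregation of duties: adequate" into a documented gap with an owner.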
When fraud occurs, investigators will compare the scheme to your assessment. If you identified the risk but rated controls as "adequate" when they clearly weren't, that becomes a problem.
Better to document the gap and show you made a conscious decision about how to address it.
The assessment shouldn't end with a list of risks and gaps. It should show what you're doing about them.
This is where governance becomes visible. Someone needs to own each residual risk. Management needs to decide which gaps to remediate, which risks to accept, and what monitoring to implement.
Organizations with mature fraud risk programs use real-time dashboards showing high-risk areas, overdue actions, and patterns emerging across the organization. This demonstrates ongoing monitoring, not a point-in-time exercise.
Your assessment should document:
Who owns each significant fraud risk. Name a specific role or person responsible for managing the risk.
What actions you're taking to address gaps. Include timelines and resources required.
Which risks you're accepting and why. Sometimes the cost of additional controls exceeds the risk. Document that decision.
How you'll monitor residual risks. What indicators will you track? Who reviews them and how often?
This documentation shows you're managing fraud risk as an ongoing process, not checking a compliance box.
Before you finalize your fraud risk assessment, run it through a scrutiny test.
Imagine your external auditor asks why you didn't identify a specific fraud scheme. Can you explain your process and show it was reasonable?
Imagine a regulator questions your control evaluation. Can you demonstrate the basis for your conclusions?
Imagine you're in litigation and opposing counsel suggests your assessment was inadequate. Can you defend your methodology and show you exercised appropriate professional judgment?
The assessment should include:
Clear documentation of your methodology and the framework you followed (the COSO/ACFE Fraud Risk Management Guide is the recognized standard).
Evidence of who participated in the assessment and their relevant expertise.
Specific fraud schemes tied to your actual operations and industry.
Rational basis for risk ratings with documented factors considered.
Honest evaluation of control effectiveness with identified gaps.
Clear ownership and action plans for residual risks.
If your assessment can answer the hard questions, it will hold up under scrutiny.
The value of a fraud risk assessment shows up in two scenarios.
First, when it actually helps you prevent or detect fraud. The assessment identified a vulnerability, you addressed it, and you avoided a loss.
Second, when fraud occurs despite your efforts and you need to demonstrate you exercised reasonable care. The assessment shows you identified relevant risks, evaluated controls, and made rational decisions about how to manage residual risk.
Neither scenario is served by a generic assessment that checks compliance boxes.
Internal audit teams face growing demands and increasingly sophisticated fraud threats. We've seen fraud tactics shift from high-volume, simple attempts to fewer but more sophisticated operations, with sophisticated fraud increasing 180% compared to 2024.
Your fraud risk assessment needs to anticipate these evolving threats and provide a defensible foundation for your anti-fraud program.
The question isn't whether you have a fraud risk assessment. The question is whether it will hold up when someone challenges it.
Build it with that standard in mind from the start.