Fraud and Investigation

Fraud Risk Assessment: What Internal Audit Must Do Beyond the Annual Risk Survey

Kamran Iqbal, CIA, CISA, CFE, CRMA | June 2026 | 9 min read
Fraud is not a tail risk — an unlikely event that organisations can comfortably treat as low-probability. Across industries and regions, fraud represents a persistent, material drain on organisational resources, and the conditions that enable it are present in virtually every organisation to some degree. Internal auditors who conduct fraud risk assessment as a formality — checking the box on an annual survey — are not fulfilling their professional obligations. A rigorous fraud risk assessment changes what the audit plan covers, how fieldwork is conducted, and what findings the function brings to the Audit Committee.

What Fraud Risk Assessment Actually Requires

Fraud risk assessment is a distinct exercise requiring its own methodology. The general risk assessment identifies operational, financial, and compliance risks. The fraud risk assessment specifically identifies the circumstances in which individuals could commit fraud — the combination of opportunity (access to assets or information), incentive (motivation to misuse that access), and rationalisation (a mindset that makes fraudulent conduct seem acceptable). Understanding these three dimensions of the Fraud Triangle for each significant process and function is the analytical foundation.

GIAS 2024 requires internal auditors to have sufficient knowledge of fraud to identify indicators of potential fraud, understand the types of fraud that could occur in the areas being audited, and assess the adequacy of controls designed to prevent and detect fraud.

The Four-Step Fraud Risk Assessment Process

Step 1 — Scheme identification: systematically identifying the fraud schemes that could occur in each area of the audit universe. Go beyond generic categories to specific scenarios: fictitious vendor payments, collusion between procurement staff and vendors, expense claim inflation, payroll ghost employees, inventory theft, management override of financial reporting controls.

Step 2 — Assessment of likelihood and impact of each identified scheme. Likelihood should consider: incentive pressures (compensation targets that create pressure, financial stress); opportunity factors (weak controls, inadequate oversight, access to assets); and rationalisation factors (culture of shortcuts, normalisation of policy violations).

Step 3 — Control assessment: for each identified scheme, are there adequate controls to prevent or detect it? Fraud-specific controls — segregation of duties, mandatory vacation, job rotation, data analytics monitoring, anonymous reporting channels — may be absent in areas where general financial controls appear adequate. A well-designed approval process does not prevent fraud if the approver is the fraudster.

Step 4 — Audit plan implications: how does the fraud risk assessment change what internal audit covers, when, and how? Higher-risk fraud areas should receive more frequent coverage, more intensive testing (extending sample sizes), and more surprise elements (unannounced counts, unpredictable testing cycles). Higher-risk areas should also receive data analytics coverage — the ability to test 100% of a transaction population for fraud indicators is one of internal audit's most powerful fraud detection tools.

Insider Fraud: The Highest-Value Threat

Insider fraud by trusted, long-tenured employees is statistically the most common high-value fraud pattern. The employee trusted with responsibilities exceeding their oversight — the long-serving bookkeeper handling all financial processing, the procurement officer managing vendor relationships without independent review, the IT administrator with unrestricted system access — represents a concentrated fraud risk that organisations systematically underestimate because of the trust they have in these individuals. Auditors should specifically assess whether any roles concentrate excessive access without adequate compensating controls, regardless of the trustworthiness of the current incumbent.

Red Flags During Normal Audit Work

Common red flags include: employees who never take leave and resist job rotation; controls consistently overridden by the same individual; unusual volume of adjusting entries or reversals; vendors with addresses matching employee addresses; contracts awarded without competitive tendering for recurring procurement; expense claims with consistently round numbers; and management resistance to providing documentation that should be routinely available.
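The full-population data analytics coverage recommended under Step 4, and several of the red flags listed above (vendor addresses matching employee addresses, consistently round expense claims, the same individual repeatedly overriding controls, employees who never take leave and decline rotation), can be turned into repeatable indicator checks. The script below is an added illustration written for this page, not code from the author or from any audit tool; every employee, vendor, claim and override record is constructed, and the thresholds (a "round" amount is a multiple of 50, three or more overrides, 75% of claims round) are assumptions an audit team would calibrate against its own data before use.

```python
"""
Added example (not from the article): fraud-indicator analytics run over the
whole population of a small constructed data set. Records, names, amounts and
thresholds are all constructed or assumed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample data; no real organisations or individuals.
EMPLOYEES = [
    {"id": "E1", "address": "12 Mill Lane, Leeds", "leave_days_last_12m": 0, "rotation_declined": True},
    {"id": "E2", "address": "4 Park Road, York", "leave_days_last_12m": 18, "rotation_declined": False},
    {"id": "E3", "address": "77 High St, Hull", "leave_days_last_12m": 22, "rotation_declined": False},
]
VENDORS = [
    {"id": "V100", "name": "Northern Supplies Ltd", "address": "9 Dock Way, Hull"},
    {"id": "V101", "name": "ML Consulting", "address": "12 mill lane, leeds"},  # same address as E1
]
EXPENSE_CLAIMS = [
    {"employee": "E1", "amount": 500.00}, {"employee": "E1", "amount": 250.00},
    {"employee": "E1", "amount": 400.00}, {"employee": "E1", "amount": 300.00},
    {"employee": "E2", "amount": 137.42}, {"employee": "E2", "amount": 200.00},
    {"employee": "E3", "amount": 89.10},
]
CONTROL_OVERRIDES = [  # constructed extract of an approval-system log
    {"overridden_by": "E1", "control": "PO approval limit"},
    {"overridden_by": "E1", "control": "three-way match"},
    {"overridden_by": "E1", "control": "PO approval limit"},
    {"overridden_by": "E2", "control": "PO approval limit"},
]


def normalise_address(addr):
    """Lower-case, drop commas and collapse whitespace so near-identical strings compare equal."""
    return " ".join(addr.lower().replace(",", " ").split())


def vendor_employee_address_matches(vendors, employees):
    """Red flag: a vendor's address is identical to an employee's address."""
    by_addr = defaultdict(list)
    for e in employees:
        by_addr[normalise_address(e["address"])].append(e["id"])
    return [(v["id"], emp_id)
            for v in vendors
            for emp_id in by_addr.get(normalise_address(v["address"]), [])]


def round_number_claimants(claims, min_claims=3, ratio=0.75, unit=50):
    """Red flag: employees whose expense claims are consistently round amounts (assumed thresholds)."""
    totals, rounds = Counter(), Counter()
    for c in claims:
        totals[c["employee"]] += 1
        if c["amount"] % unit == 0:
            rounds[c["employee"]] += 1
    return sorted(e for e in totals if totals[e] >= min_claims and rounds[e] / totals[e] >= ratio)


def repeat_overriders(overrides, min_count=3):
    """Red flag: the same individual overriding controls repeatedly (assumed threshold)."""
    counts = Counter(o["overridden_by"] for o in overrides)
    return sorted(e for e, n in counts.items() if n >= min_count)


def no_leave_and_no_rotation(employees, max_leave_days=0):
    """Red flag: never takes leave and resists job rotation."""
    return sorted(e["id"] for e in employees
                  if e["leave_days_last_12m"] <= max_leave_days and e["rotation_declined"])


def fraud_indicator_report(employees=EMPLOYEES, vendors=VENDORS,
                           claims=EXPENSE_CLAIMS, overrides=CONTROL_OVERRIDES):
    """Run every check over the full population and aggregate indicators per employee.

    Output is a set of observations to document and escalate to the CAE, not a
    conclusion that fraud has occurred.
    """
    flags = defaultdict(set)
    for v_id, e_id in vendor_employee_address_matches(vendors, employees):
        flags[e_id].add(f"address matches vendor {v_id}")
    for e_id in round_number_claimants(claims):
        flags[e_id].add("consistently round expense claims")
    for e_id in repeat_overriders(overrides):
        flags[e_id].add("repeated control overrides")
    for e_id in no_leave_and_no_rotation(employees):
        flags[e_id].add("no leave taken and rotation declined")
    return {e: sorted(f) for e, f in flags.items()}


if __name__ == "__main__":
    for emp, reasons in fraud_indicator_report().items():
        print(emp, "->", "; ".join(reasons))
```

On the constructed data only E1 accumulates indicators, and it accumulates all four; a single indicator on its own is rarely conclusive, which is why the report aggregates per individual rather than alerting on each check separately. In practice the same functions would be pointed at the vendor master, the expense system and the approval log for the whole period under audit, so that 100% of the population is tested rather than a sample.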

The professional obligation when fraud indicators are observed is clear: document the observation, conduct appropriate additional testing, and escalate to the CAE for a determination of whether further investigation is warranted. The obligation is not to investigate fraud personally — internal audit is not a forensic investigation function — but to identify indicators, escalate promptly, and ensure appropriate professionals conduct any warranted investigation.
