By: Nana Yaa Konadu ADADZI, Esq.

Fraud remains one of the most significant threats to public and private organizations in the global economy, including Ghana. Whether it manifests through financial statement manipulation, corruption, procurement fraud, or sophisticated cyber-enabled schemes, fraud undermines organizational integrity and destabilizes growth.

The financial costs are substantial, but the damage to governance and organizational credibility can be even more profound and enduring. In an increasingly complex regulatory and technological environment, organizations must move beyond reactive investigation and adopt proactive mechanisms designed to prevent misconduct before it occurs. One of the most important tools in this preventive framework is fraud risk assessment.

Fraud risk assessment has evolved from a narrow accounting function into a core component of modern governance, risk management, and compliance (GRC) systems. Leading regulatory and governance frameworks, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework, the U.S. Sarbanes–Oxley Act (SOX), and international anti-corruption initiatives such as the OECD Anti-Bribery Convention, highlight the importance of identifying and managing fraud risk as part of effective corporate governance. When integrated properly into an organisation’s decision-making, fraud risk assessments enable organizations to identify vulnerabilities, strengthen internal controls, and cultivate ethical corporate cultures.[i]

In investigating cases involving procurement irregularities, abuse of office, and illicit financial flows, one can observe that many corruption schemes arise from systemic weaknesses in oversight and compliance structures. This underscores the need for robust fraud risk assessment frameworks capable of identifying vulnerabilities before they are exploited.

This article argues that fraud risk assessment is an essential governance mechanism for institutional accountability and not a mere compliance exercise.

Fraud Risk

Fraud risk is defined as the vulnerability an organization faces from any intentional act or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.[ii] Understanding fraud risk requires examining both behavioral and institutional factors that enable misconduct. One of the most influential theoretical models is Donald Cressey’s Fraud Triangle, which explains that three elements typically converge in cases of fraud: pressure, opportunity, and rationalization.[iii]

Pressure may arise from financial incentives, personal financial distress, or unrealistic performance expectations within an organization. Opportunity to commit fraud emerges when internal controls are weak, oversight mechanisms are ineffective, or individuals have unchecked authority over financial processes. Rationalization allows perpetrators to justify their actions, often convincing themselves that the misconduct is temporary or harmless.

Although the Fraud Triangle focuses on individual motivations, it also highlights structural vulnerabilities within organizations because fraud is a symptom of broader institutional weaknesses.

Empirical research reinforces this reality. According to the Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations, organizations worldwide lose an estimated five percent of their annual revenue to fraud, with the median loss per case exceeding $117,000.[iv]

It has also been observed that, in many cases, fraud persists for more than 12 months before detection, underscoring the importance of proactive risk management mechanisms.

Fraud risk can arise from both internal and external actors. Employees may engage in asset misappropriation or financial manipulation, while vendors, customers, or third parties may exploit procurement systems or contractual relationships. In an increasingly digital economy, cyber-enabled fraud, including hacking, payment diversion schemes, and data manipulation, has become a growing concern.

Inherent and Residual Fraud Risk

A critical aspect of fraud risk assessment is distinguishing between inherent risk and residual risk. Inherent risk refers to the level of exposure that exists before internal controls are implemented. For example, if a single employee is responsible for receiving, recording, and depositing payments, the inherent risk of embezzlement is significant.

Residual risk refers to the risk that remains after preventive and detective controls have been implemented. Measures such as segregation of duties, supervisory review, automated monitoring systems, and internal audits can significantly reduce exposure to fraud. However, no internal control system is foolproof. Collusion among employees, management override of controls, and technological manipulation may still circumvent existing safeguards.

For governance bodies such as boards of directors and audit committees, understanding this distinction is essential. Effective oversight requires evaluating whether existing controls reduce fraud risk to an acceptable level. Moreover, because organizations constantly evolve through restructuring, technological adoption, or changes in operational processes, fraud risk assessments must be conducted continuously rather than as isolated compliance exercises.[v]

Categories of Fraud Risk

For more efficient fraud risk assessments, the potential misconduct under inherent and residual risk must further be categorized into several major areas: fraudulent financial reporting, asset misappropriation, and corruption.

  • Fraudulent financial reporting involves the intentional manipulation of financial information. This may include overstating revenues, understating liabilities, or presenting misleading disclosures to investors and regulators. Such misconduct can distort financial markets and undermine investor confidence.
  • Asset misappropriation refers to the unauthorized use or theft of organizational resources, including cash, inventory, equipment, or intellectual property. According to the ACFE, asset misappropriation is the most common form of occupational fraud, accounting for approximately 86 percent of reported cases, although it generally involves smaller individual losses.[vi]
  • Corruption-related misconduct includes bribery, kickbacks, and illegal gratuities offered or received by employees, agents, or third parties. In cross-border business environments, corruption risks are particularly significant and are usually subject to enforcement under domestic anti-corruption laws with extraterritorial reach, such as the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.[vii]

External fraud risks must also be considered. These include vendor overbilling, procurement collusion, fraudulent customer payments, and cybercrime. In many cases investigated by enforcement agencies, fraudulent schemes involve collaboration between internal employees and external actors, highlighting the importance of comprehensive risk assessments.

The Strategic Value of Fraud Risk Assessment

Fraud risk assessment provides a structured process for identifying and prioritizing vulnerabilities within an organization. Rather than focusing exclusively on investigating misconduct after it occurs, the assessment process seeks to anticipate where fraud is most likely to arise and implement preventive controls.

From a governance perspective, this process enhances transparency and accountability. It encourages organizations to evaluate whether their internal controls are sufficient and whether certain operational processes create opportunities for misconduct.

Many corruption cases involving procurement processes are evidence of insufficient oversight, weak internal compliance mechanisms, or conflicts of interest that were never properly assessed. In several investigations, institutions possessed formal policies on paper but lacked practical enforcement mechanisms capable of detecting irregular transactions or preventing abuse of discretion.

In such cases, the absence of proactive fraud risk assessment allows misconduct to flourish until it reaches a level requiring criminal investigation. It can be authoritatively stated that fraud and corruption within an organization often thrive not solely because of individual misconduct, but because organizations fail to address systemic vulnerabilities before they are exploited.

Consequently, fraud risk assessments serve both as an internal governance tool and as a mechanism for protecting institutions from reputational damage, regulatory penalties, and financial losses.

Institutional Requirements for Effective Fraud Risk Assessment

The success of a fraud risk assessment depends largely on organizational leadership and institutional design.

First, strong leadership commitment, often described as “tone at the top,” is essential. When senior executives and board members prioritize ethical conduct and transparency, employees are more likely to report concerns and participate honestly in risk assessments.

Second, those conducting the assessment must maintain independence and objectivity. Conflicts of interest or organizational bias may undermine the credibility of the process. In some cases, organizations engage external experts to provide independent evaluations.

Third, fraud risk assessment requires cross-functional collaboration. Since fraud risks often arise across operational, financial, and technological domains, effective assessments must involve professionals from finance, legal, compliance, operations, and information technology functions.

Finally, organizations must adopt analytical approaches that examine how fraud could realistically occur. This requires thinking from the perspective of a potential fraudster and identifying how existing controls might be bypassed.

Preventive and Detective Controls

Once fraud risks are identified, organizations must evaluate the controls designed to mitigate them. Preventive controls seek to stop fraud before it occurs. These include segregation of duties, employee background checks, ethics training programs, and strict access controls over sensitive systems. Detective controls are designed to identify misconduct once it has occurred. Examples include internal audits, transaction monitoring systems, reconciliations, surprise inspections, and whistleblower reporting mechanisms.

Technological innovation is increasingly transforming fraud detection. Data analytics and continuous auditing tools enable organizations to identify unusual transaction patterns and potential red flags more quickly than traditional audit methods.

Artificial intelligence systems can analyze large volumes of financial data to detect anomalies, suspicious payment patterns, or procurement irregularities in real time. Similarly, automated procurement platforms, digital audit trails, and biometric verification systems have been instrumental in reducing opportunities for fraud.

Managing Residual Risk

Even with strong controls, some level of fraud risk remains. Organizations must therefore determine how to manage residual risk in a manner consistent with their governance objectives. Risk management strategies generally include avoiding high-risk activities, transferring risk through insurance, mitigating risk through additional controls, or accepting certain risks when potential losses are minimal.

Closely related to managing residual risks is fraud risk appetite. Organizations must determine their fraud risk appetite, that is, the level and type of fraud risk they are willing to tolerate in pursuit of institutional objectives. This is important because such a determination helps the organization align its fraud risk management strategies with its broader institutional objectives.

Recommendations

To strengthen fraud risk management frameworks, organizations should institutionalize periodic fraud risk assessments across all high-risk operational areas. Internal audit functions must be adequately resourced and must maintain operational independence to ensure objective oversight. Institutions should also strengthen whistleblower protection systems, implement regular ethics and compliance training, and adopt data analytics technologies capable of identifying suspicious transactions in real time.

In the public and private sectors, procurement transparency mechanisms should be enhanced through digital procurement platforms, stronger conflict-of-interest disclosure requirements, and improved oversight of contract administration processes. Additionally, governance bodies must ensure that fraud risk assessments are not treated as isolated compliance exercises but are integrated into broader accountability structures within the organizations.

Conclusion

In an era where institutional legitimacy increasingly depends on transparency and public trust, fraud risk assessment has become far more than a technical compliance function. It is now a strategic governance tool that enables organizations to proactively identify vulnerabilities and reduce their exposure to fraud and misconduct.

Although no control system can completely eliminate the risk of fraud, organizations that adopt robust fraud risk assessment processes are better positioned to protect financial resources and comply with regulatory obligations whilst cultivating ethical corporate cultures.

*Nana Yaa Konadu Adadzi is an experienced lawyer and Certified Fraud Examiner (CFE) with a strong background in public sector accountability and criminal justice. Her expertise spans trial preparation, case prosecution, and investigative strategy, with a focus on financial crimes and corruption-related offences. She is also skilled in legal research, drafting, and policy advocacy, working collaboratively with law enforcement, regulators, and judicial stakeholders to promote integrity and effective governance. Contact: Email: [email protected]; Tel: 0246366357.

[i] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework (2013).

[ii] Supra

[iii] Donald R. Cressey, Other People’s Money: A Study in the Social Psychology of Embezzlement (Free Press, 1953).

[iv] Association of Certified Fraud Examiners (ACFE), Report to the Nations: Global Study on Occupational Fraud and Abuse (2024).

[v] COSO, Enterprise Risk Management—Integrating with Strategy and Performance (2017).

[vi] U.S. Department of Justice & Securities and Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2020); OECD, Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (1997).

[vii] Supra

