SOC 2 Assessment of Fraud Risks (Principle 8) (CC3.3)


Overview:
The entity considers the potential for fraud in assessing risks to the achievement of objectives.


Action Items:
1) Create a risk assessment policy and related procedures that outline the organization's risk assessment approach, and publish them on the company intranet for employees to access and review.
2) Inspect the policies and procedures to determine that they guide personnel in identifying the potential for fraud as part of the risk assessment process.
3) Inspect the most recent risk assessment to determine that a formal risk assessment is performed at least annually, that it considers the potential for fraud, and that it includes an evaluation of the fraud triangle components (incentives and pressures, opportunities, and attitudes and rationalizations), as well as the risks introduced by the use of IT and access to information (for example, which personnel or systems could alter reporting records or move assets).


Related Documents:
1) Risk assessment policy
2) Sample of recent business risk assessments

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
2) Assesses Incentives and Pressures—The assessment of fraud risks considers incentives and pressures.
3) Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity's reporting records, or committing other inappropriate acts.
4) Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
5) Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.



Article ID: 226
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-assessment-of-fraud-risks-principle-8-cc3-3-226.html