GOV-008 Fraud Risk Assessment
Description
The organization assesses the risk of fraud, including risks arising from misuse of system access and insider threats, as part of its risk management process. Fraud risk considerations are documented and inform the design of preventive and detective controls.
Rationale
Fraud risk is qualitatively different from operational risk — it involves intentional acts that can evade standard controls. Explicit assessment of fraud risk is required to design appropriate detective and deterrent controls.
Framework Mappings (3)
| Reference | Control | Mapping |
| --- | --- | --- |
| 5.3 | Segregation of duties | partial |
| PM-12 | Insider Threat Program | partial |
| CC3.3 | COSO Principle 8: Assesses Fraud Risk | full |
Evidence (2)
Fraud risk assessment report documenting identified fraud scenarios, insider threat considerations, and resulting control recommendations.
Example: Fraud Risk Assessment Report or risk register extract (GRC platform / Google Drive), dated within the last 12 months, with sections covering misuse of system access, insider threat scenarios, likelihood and impact ratings, and detective/preventive control gaps identified.
Test: Request the most recent fraud risk assessment. Verify: (1) the assessment is dated within the defined interval, (2) insider threat and misuse-of-access scenarios are explicitly addressed, (3) likelihood and impact are rated, (4) control recommendations are documented, (5) assessment findings are traceable to the risk register or a remediation plan.
Documented anti-fraud or insider threat policy referencing the fraud risk assessment process and the controls designed in response.
Example: Insider Threat or Fraud Risk Management Policy (Confluence), approved by management, referencing: the assessment schedule, responsible roles, and the categories of preventive and detective controls required.
Test: Request the anti-fraud or insider threat policy. Verify: (1) fraud risk assessment is referenced as a required activity, (2) detective controls (e.g. access logging, anomaly detection) are listed, (3) the policy has a named approver and approval date within the last 12 months.
Questions (2)
Does your organization explicitly assess fraud risk, including risks arising from insider threat and misuse of system access, as part of its risk management process?
A fraud risk assessment should document insider threat and access-misuse scenarios with likelihood and impact ratings and link findings to detective and preventive controls.
Which of the following controls has your organization implemented in direct response to identified fraud risk?
The link between the fraud risk assessment findings and the controls designed in response should be documented.