
The Role of Business Fraud Detection in Risk Management Response

Like any hidden business risk, fraud can be costly and embarrassing if not managed properly. So we’re clear, I’m talking about misconduct, wrongdoing, theft, lying, and outright fraud here. But regardless of what we call it, the three-level risk management response covered below—of which business fraud detection is an essential part—is exactly the same. 

Let’s examine what risk management response looks like and what specific steps to take for fraud detection… 

Level One – Fraud Deterrence and Prevention

The first part of the three-level risk management response is proactive deterrence and prevention. This is achieved through strong anti-fraud controls and especially through effective manager and staff daily behaviors. For a deeper dive into prevention, refer to my article titled “Business Fraud Prevention: A Contrarian’s Take on Best Practices.”

At the risk of leaning too far into prevention (we’re talking about business fraud detection, after all), I offer my experience over four decades. What I’ve discovered is that in 90% of business fraud cases, the reason prevention failed was human. The controls in place were adequate in theory. However, inconsistent human execution of those controls was the primary reason the fraud occurred and went undetected for far too long.

Implicit in fraud detection is the assumption that prevention efforts failed, which leads us to the next fraud risk management level.

Level Two – Business Fraud Detection

Level two involves catching what slips through prevention defenses as fast as possible. Prompt detection when the cost is small, the reputation risks are low, and the efforts are modest is the goal when prevention efforts fail.

Ultimately, business fraud detection takes place through four simple actions.

  1. Ensure Expectations Are Clear

The first action is to get crystal clear on what’s expected of you and every employee. I suggest having a “Hey, Boss!” discussion as soon as you can get it scheduled. An upcoming staff meeting is a great opportunity to ask questions and have everyone on your team hear the answers.

For example…

“Hey, Boss, am I (or are we) expected to look for fraud and similar wrongful acts while performing our work?”

Assuming the answer is “yes” (as it should be), proceed to question two.

“What kind of fraud should we look for?”

Answers might include the following: 

Once clear on what to look for, it’s time for the third and more important question.

“Hey, Boss. How hard should we look?”

Let’s pause and clarify. The answers to these three questions will vary depending on who is asking.

Internal auditors and government auditors should ask during planning meetings on each and every audit by adding the words “on this project” to the end of each question. For example, “Hey, Boss, are we expected to look for fraud on this project? What kind should we look for on this project? How hard should we look on this project?”

With clear answers to these questions, auditors will be ready to build detection-based audit program steps, make sampling decisions such as the applicability of data analytics tools, create interview questions, and lay out the overall audit program for the project.

Likewise, employees, supervisors, and managers might ask, “Hey, Boss, am I expected to look for fraud in my daily work? If so, what kind should I look for? Please give me specific examples. And how hard should I look? Actively in each transaction? Passively as I perform other tasks? Please be clear on what you expect of me.”

  2. Identify Potential Indicators

The second step involves building a bridge from the risks specified in the “Hey, Boss” discussion above to the red flags, indicators, or other symptoms those risks would leave behind for us to see. This brainstorming asks and answers the question, “If this fraud was present, what would it look like in our records or the behaviors we could see?”

Here’s a tip for this phase that really sharpens focus. Ask, “If we knew this fraud scheme was happening to us right now, and if we were charged with proving it, what records would we pull? Who would we talk to and what would we ask? If we think from the perspective of the fraudster/thief, how might we get caught? What trail are we leaving behind?”

The end objective of fraud risk brainstorming is a robust list of red flags in manual documents, computerized records, and behaviors.

  3. Search for Red Flags

In step three of business fraud detection, we go look for these red flags.

With the appropriate authority, we might ask if they are aware of anyone breaking the rules. Detection-focused controls, audit steps, and interview questions are essential to step three.

  4. Determine the Root Cause of Red Flags

In step four, we examine any red flags found to determine their true root cause. Maybe it’s fraud, but maybe it’s a mistake or a plain old error. Formal root cause analysis and critical thinking are the keys to step four.

Granted, these four steps are simple in principle but can become a bit more complicated in application. That’s one great reason business fraud detection, or detection of any other risk, is best done in a team format.

Here’s what these steps look like in sequence:

Level Three – Referral to the Experts

If the hair on your neck is standing up or you have that hollow feeling in your stomach, shift immediately to level three of risk management: referral to those skilled and authorized to handle suspected fraud incidents. One of the greatest dangers to the proper handling of fraud events is managers and auditors who investigate on their own. When in doubt, call for help. Don’t do it on your own.

Make Business Fraud Detection a Priority

Although each part of the three-level risk management response plays an important role, business fraud detection is especially important. By ensuring your team understands the expectations, can identify potential indicators, knows how to search for red flags, and is able to determine root causes, your organization will be much better off. You’ll be able to uncover fraud sooner and address it accordingly.