Fraud Risk Assessment Framework: COSO, ACFE & Indian Regulatory Context
Quick Answer
A fraud risk assessment framework is the structured methodology organisations use to identify, evaluate, and mitigate fraud exposure. The globally accepted standard combines the COSO Internal Control — Integrated Framework with the ACFE fraud triangle methodology (pressure, opportunity, rationalisation). In the Indian context, this framework must be overlaid with Companies Act 2013 requirements, SEBI LODR obligations, RBI directions, and SA 240 (auditing standard on fraud). At Virtual Auditor, we design and implement fraud risk assessment frameworks for corporates, banks, NBFCs, and listed entities — led by CA V. Viswanathan (FCA, ACS, CFE, IBBI/RV/03/2019/12333).
Definition — Fraud Risk Assessment: A systematic process of identifying potential fraud schemes that could affect an organisation, assessing the likelihood and potential impact of each scheme, evaluating existing controls to determine whether they sufficiently mitigate identified risks, and implementing additional controls where gaps exist. The assessment produces a fraud risk register — a living document that prioritises fraud exposures by severity.
Definition — COSO Framework: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control — Integrated Framework, which provides five interrelated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. Principle 8 of the 2013 updated framework specifically addresses fraud risk assessment as a mandatory component.
Definition — ACFE Fraud Triangle: A model developed by criminologist Donald Cressey identifying three conditions typically present when fraud occurs — pressure (financial or emotional motivation), opportunity (weak controls enabling the act), and rationalisation (the fraudster’s mental justification). The ACFE expanded this into the fraud diamond by adding a fourth element: capability (the fraudster’s ability to execute the scheme).
Why Fraud Risk Assessment Matters for Indian Organisations
According to the ACFE Report to the Nations, organisations lose an estimated 5% of annual revenue to fraud. For Indian companies operating in a complex regulatory environment with multiple compliance overlays — Companies Act, GST, income tax, FEMA, SEBI — the fraud exposure surface is considerably larger than in simpler jurisdictions. At our forensic accounting practice, we observe that organisations which conduct structured fraud risk assessments detect fraud 50% faster and with 60% lower financial impact compared to those relying on ad hoc detection.
The regulatory imperative is equally compelling. The Serious Fraud Investigation Office (SFIO), empowered under Companies Act 2013 Section 212, has significantly expanded its investigation footprint. SEBI has intensified enforcement actions against listed companies for inadequate fraud prevention mechanisms. The RBI has mandated comprehensive fraud risk management frameworks for all regulated entities through its Master Direction on Frauds.
The COSO Internal Control Framework — Application to Fraud Risk
Component 1: Control Environment
The control environment sets the tone for the entire organisation regarding fraud risk. In our engagements, we assess the following elements within the Indian corporate governance context:
Board oversight and audit committee effectiveness: Under Companies Act Section 177 and SEBI LODR Regulation 18, the audit committee must oversee the vigil mechanism and review fraud-related matters. We evaluate whether the audit committee has independent access to information, whether it conducts private sessions with internal auditors, and whether management override instances are reported.
Tone at the top: This is the single most critical fraud risk factor. In our forensic investigations — many of which we discuss in our guide on forensic audit methodology — we consistently find that organisational fraud flourishes where senior management demonstrates tolerance for ethical shortcuts, aggressive revenue recognition, or circumvention of internal policies.
Organisational structure and authority lines: We map the actual decision-making authority against the documented delegation matrix. In Indian promoter-driven companies, the formal structure often diverges significantly from the informal authority structure, creating opportunities for fraud that cannot be detected through process-level controls alone.
Human resource policies: Background verification rigour, employee rotation in sensitive positions (treasury, procurement, accounts payable), mandatory leave policies, and exit interview processes all form part of the control environment assessment. We reference our experience with employee fraud in Indian SMEs to calibrate risk factors.
Component 2: Risk Assessment — The Fraud Risk Register
This is the core of the framework. We build the fraud risk register through a structured five-step process:
Step 1 — Fraud scheme identification: Using the ACFE Occupational Fraud Classification System (the “Fraud Tree”), we systematically identify all applicable fraud schemes across three major categories:
- Asset misappropriation: Cash theft, billing schemes, payroll fraud, expense reimbursement fraud, inventory theft, skimming, lapping
- Financial statement fraud: Revenue overstatement, expense understatement, improper asset valuation, undisclosed liabilities, improper disclosures — covered in detail in our article on financial statement fraud detection
- Corruption: Bribery, kickbacks, bid rigging, conflicts of interest, related party manipulation — see our guide on related party fraud detection
Step 2 — Inherent risk scoring: Each identified fraud scheme is assessed on two dimensions — likelihood (based on industry data, historical incidents, and environmental factors) and impact (financial, reputational, regulatory, operational). We use a 5×5 risk matrix producing inherent risk scores from 1 (negligible) to 25 (critical).
Step 3 — Control identification and mapping: For each fraud scheme, we identify existing preventive controls (which stop fraud from occurring) and detective controls (which identify fraud after it has occurred). Common preventive controls include segregation of duties, approval authorities, vendor verification processes, and system access restrictions. Common detective controls include reconciliations, exception reporting, data analytics, and surprise audits.
Step 4 — Control effectiveness testing: This is where most organisations fall short. Merely documenting controls is insufficient — we test whether controls actually operate as designed. Testing methods include transaction walkthroughs, re-performance of key controls, data analytics to identify control bypasses, and structured interviews with control operators.
Step 5 — Residual risk calculation and response: After assessing control effectiveness, we calculate residual risk scores. High residual risk areas require additional controls, enhanced monitoring, or targeted forensic procedures. The fraud risk register becomes a dynamic document reviewed quarterly.
Component 3: Control Activities
Based on the risk assessment, we design specific anti-fraud controls. In the Indian context, key control activities include:
GST compliance controls: Given the prevalence of input tax credit fraud, we design controls around vendor verification (GST registration validation, actual supply verification), invoice matching (3-way match with purchase order, goods receipt, and invoice), and GSTR-2A/2B reconciliation. Our experience with GST fraud defence informs the control design.
Related party transaction controls: Section 188 of the Companies Act mandates specific approval processes for related party transactions. We design controls that go beyond statutory compliance — including beneficial ownership verification, arm’s length pricing validation through transfer pricing methodology, and periodic review of the related party universe.
Treasury and banking controls: Dual authorisation for payments above threshold, daily bank reconciliation, positive pay system adoption, vendor bank account change verification (call-back procedures), and treasury investment policy compliance monitoring.
Procurement and vendor management controls: Vendor onboarding due diligence (including beneficial ownership, PAN/GST verification, site visit for significant vendors), competitive bidding enforcement, purchase order to contract reconciliation, and vendor master file change monitoring.
Component 4: Information and Communication
The framework must include:
Whistleblower mechanism (Vigil Mechanism): Companies Act Section 177 mandates a vigil mechanism for listed companies and companies accepting public deposits. We design mechanisms that provide genuine anonymity (not just confidentiality), multiple reporting channels (hotline, email, web portal, physical drop box), and documented investigation and resolution protocols.
Fraud reporting protocols: Clear escalation matrices from first detection to board-level reporting. Under CARO 2020 clause (xi), statutory auditors must report fraud detected during audit. For banks, RBI mandates reporting of all frauds above Rs 1 lakh to the RBI within specified timelines.
Training and awareness: Anti-fraud training for all employees with role-specific modules for high-risk functions (procurement, treasury, revenue recognition). Annual fraud awareness sessions and periodic testing of reporting channel awareness.
Component 5: Monitoring Activities
Ongoing monitoring is critical for framework sustainability:
Continuous monitoring through data analytics: We implement automated analytics that test for fraud indicators on a continuous basis — Benford’s Law analysis on payment amounts, duplicate payment detection, vendor-employee relationship mapping, unusual journal entry testing, and revenue pattern anomaly detection.
Periodic fraud risk reassessment: Annual comprehensive reassessment with quarterly updates for high-risk areas. The reassessment incorporates new fraud schemes identified globally (through ACFE publications), regulatory changes, organisational changes, and any fraud incidents detected.
Internal audit integration: The fraud risk register informs the internal audit plan. High residual risk areas receive dedicated forensic audit procedures beyond standard internal audit testing.
The ACFE Methodology — Fraud Triangle in Practice
Pressure/Incentive Assessment
We assess pressure factors at three levels:
Organisational pressure: Aggressive revenue targets, market expectations for listed companies, covenant compliance requirements (debt-to-equity, DSCR), promoter pledge situations creating pressure to maintain share price, and tight liquidity conditions. These pressures are the primary drivers of financial statement fraud.
Individual pressure: Employee financial distress (which we assess through behavioural indicators, not intrusive personal investigation), performance-linked compensation creating incentive to manipulate results, and fear of job loss creating incentive to conceal problems.
Industry pressure: Sector-specific factors such as real estate (land acquisition irregularities), pharmaceuticals (regulatory compliance fraud), construction (sub-contractor billing fraud), and financial services (loan origination fraud).
Opportunity Assessment
Opportunity analysis focuses on:
Segregation of duties gaps: We map all critical transaction cycles (procure-to-pay, order-to-cash, hire-to-retire, record-to-report) and identify positions with conflicting duties. In Indian SMEs, we frequently find that the same person initiates, approves, and records transactions — a fundamental control failure.
Management override capability: SA 240 specifically identifies management override of controls as a fraud risk in every audit. We assess the extent to which management can bypass established controls — system override capabilities, unilateral approval authority, and access to make direct accounting entries.
Complex transaction structures: Related party networks, multi-layered holding structures, offshore subsidiaries, and complex financial instruments all create opportunity for fraud. We map the complete corporate structure and identify opacity points.
IT system vulnerabilities: System access controls, segregation of duties within ERP systems, audit trail integrity, and data modification capabilities. Many Indian organisations have ERP implementations with inadequate access controls, creating systemic fraud opportunity.
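The segregation-of-duties and ERP access points above are usually tested by extracting user-to-role and role-to-duty assignments from the ERP and checking them against a conflict matrix. The following is an added example of that check, written for this page; it is not Virtual Auditor's own tooling. The conflict pairs, role definitions and user assignments are constructed for illustration, and the duty and role names are hypothetical.

```python
# Constructed conflict matrix for the procure-to-pay and record-to-report cycles:
# pairs of duties one person should not hold together (assumption for this example).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_po", "approve_po"}),
    frozenset({"receive_goods", "approve_invoice"}),
    frozenset({"approve_payment", "bank_reconciliation"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Constructed role-to-duty mapping, as an ERP role design might define it.
ROLE_DUTIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "approve_payment"},
    "AP_SUPERUSER": {"create_vendor", "enter_invoice", "approve_payment"},  # toxic by design
    "BUYER": {"create_po"},
    "PURCHASE_HEAD": {"approve_po"},
    "STORES": {"receive_goods"},
    "ACCOUNTANT": {"post_journal", "bank_reconciliation"},
    "FIN_CONTROLLER": {"approve_journal"},
}

# Constructed user-to-role assignments; in an engagement these come from the ERP extract.
USER_ROLES = {
    "anita": ["AP_CLERK"],
    "ravi": ["AP_CLERK", "AP_MANAGER"],               # initiates and approves payments
    "suresh": ["BUYER", "PURCHASE_HEAD", "STORES"],   # single-owner SME pattern
    "meena": ["ACCOUNTANT"],
    "deepak": ["ACCOUNTANT", "FIN_CONTROLLER"],       # posts and approves journals
}


def duties_for(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of all duties a user holds through every assigned role."""
    duties = set()
    for role in user_roles.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Return {user: [sorted conflicting duty pairs]} for every user holding both sides of a conflict,
    whether the conflict arises inside one role or across several roles."""
    findings = {}
    for user in user_roles:
        held = duties_for(user, user_roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def toxic_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Roles whose own duty set already contains a conflict; these are findings even when unassigned."""
    return sorted(role for role, duties in role_duties.items()
                  if any(pair <= duties for pair in conflicts))


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: conflicting duties {pairs}")
    print("Toxic roles defined in the ERP:", toxic_roles())
```

Running the check on the constructed data flags ravi, suresh and deepak, and reports AP_SUPERUSER as a toxic role even though nobody currently holds it. The matrix is deliberately small; the value of the technique lies in sourcing the conflict pairs from the process-level workshops and the role data from the live ERP rather than from the documented delegation matrix.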
Rationalisation Assessment
Rationalisation is the most difficult element to assess, but we evaluate it through:
Ethical culture surveys: Anonymous surveys assessing employee perception of management integrity, willingness to report wrongdoing, and awareness of consequences of fraud.
Historical patterns: Review of past compliance violations, regulatory penalties, and management explanations for past irregularities. A history of explaining away compliance issues indicates an environment where rationalisation is easier.
Compensation structure: Excessive variable compensation without clawback provisions creates rationalisation — employees believe they are entitled to the rewards they helped create, even if the results are manipulated.
The Fraud Diamond — Adding Capability
The extended fraud diamond model adds a fourth element: the fraudster’s capability to execute the scheme. This encompasses:
Position and authority: Senior management with override capability, employees in trusted positions with access to assets or systems, and individuals with specialised knowledge (IT administrators, treasury staff).
Technical capability: Ability to manipulate accounting records, create fictitious documentation, exploit system vulnerabilities, or conduct complex financial structuring.
Coercion capability: Ability to involve others in the fraud through managerial authority, personal relationships, or intimidation. Many Indian corporate frauds involve collusion between management and subordinates, where the management’s capability to coerce participation is a critical factor.
Indian Regulatory Triggers for Fraud Risk Assessment
Companies Act 2013 Requirements
Section 134(5)(e) — Directors’ Responsibility Statement: Directors must state that they have laid down internal financial controls and that such controls are adequate and operating effectively. This implicitly requires a fraud risk assessment to support the adequacy assertion.
Section 143(12) — Auditor Reporting on Fraud: If the statutory auditor has reason to believe that an offence of fraud is being or has been committed against the company by its officers or employees, the auditor must report to the Central Government (for amounts above Rs 1 crore) or to the audit committee (for amounts below Rs 1 crore). This creates a regulatory consequence for fraud detection gaps.
Section 177 — Audit Committee and Vigil Mechanism: The audit committee must oversee the vigil mechanism and review findings. Listed companies must establish a vigil mechanism for directors and employees to report genuine concerns.
Section 212 — Investigation by SFIO: The Central Government may refer a matter to the Serious Fraud Investigation Office where fraud is suspected. SFIO investigation triggers significant compliance burden and reputational damage — a strong incentive for proactive fraud risk management.
SEBI Regulatory Framework
LODR Regulation 17(8) — CEO/CFO Certification: The CEO and CFO must certify that internal controls for financial reporting exist, are adequate, and operate effectively. This certification carries personal liability and must be supported by documented fraud risk assessment.
SEBI PFUTP Regulations 2003: The Prohibition of Fraudulent and Unfair Trade Practices regulations cover market manipulation, insider trading, and fraudulent inducement. Listed companies must have controls to prevent violations by their officers and connected persons.
SEBI Circular on Fraud Detection: SEBI has issued various circulars requiring stock exchanges and listed entities to implement fraud detection systems, particularly for related party transactions, insider trading, and revenue recognition manipulation.
RBI Framework for Banks and NBFCs
Master Direction on Frauds — Classification and Reporting: RBI has issued comprehensive directions requiring banks and NBFCs to establish fraud risk management frameworks, classify frauds by category and amount, report frauds to RBI within specified timelines, and implement Early Warning Signal (EWS) mechanisms. This is covered in our detailed article on bank fraud investigation under the RBI framework.
RBI Guidelines on Governance: The governance framework for banks requires board-level oversight of fraud risk management, a dedicated fraud monitoring group, periodic fraud vulnerability assessments, and root cause analysis of detected frauds.
SA 240 — The Auditor’s Responsibilities Relating to Fraud
Standard on Auditing 240, issued by ICAI and aligned with ISA 240, mandates that auditors:
- Maintain professional scepticism regarding the possibility of fraud throughout the audit
- Conduct specific fraud risk assessment procedures including management inquiry, analytical procedures, and assessment of fraud risk factors
- Presume fraud risk in revenue recognition (unless this presumption is rebutted with documented rationale)
- Test for management override of controls in every audit engagement
- Respond to assessed fraud risks with appropriate audit procedures
Building the Fraud Risk Assessment Framework — Step-by-Step
Phase 1: Scoping and Planning (Weeks 1-2)
We begin by understanding the organisation’s business model, industry, regulatory environment, and existing control infrastructure. This phase includes:
- Review of organisational structure, corporate group structure, and related party universe
- Analysis of industry-specific fraud risks using ACFE data and our own forensic experience
- Assessment of prior audit findings, regulatory observations, and known incidents
- Identification of key stakeholders for interview and documentation review
- Development of fraud risk assessment work programme tailored to the organisation
Phase 2: Fraud Scheme Identification (Weeks 2-4)
Using the ACFE Occupational Fraud Classification System as a base, we develop an organisation-specific fraud scheme inventory. This involves:
Process-level workshops: Facilitated sessions with process owners for each critical business process — revenue cycle, procurement, treasury, payroll, inventory, capital expenditure, and financial reporting. We use scenario-based techniques to identify how fraud could be perpetrated within each process.
Management interviews: Structured interviews with senior management, internal auditors, compliance officers, and the audit committee. We use the ACFE interview methodology — open-ended questions, hypothetical scenarios, and calibration questions to assess honesty of responses.
Data analytics screening: Preliminary data analytics on financial transactions to identify anomalies that suggest fraud risk — unusual vendor patterns, round-amount transactions, transactions just below approval thresholds, weekend/holiday transactions, and journal entry anomalies.
Regulatory risk mapping: Identification of regulatory fraud triggers specific to the industry — GST input tax credit fraud for manufacturing, loan origination fraud for NBFCs, related party channeling for group companies, revenue channel stuffing for FMCG companies.
Phase 3: Risk Scoring and Prioritisation (Weeks 4-5)
Each identified fraud scheme is scored using our proprietary risk matrix:
| Impact Score | Financial Impact | Regulatory Impact |
|---|---|---|
| 1 — Negligible | Below Rs 1 lakh | No regulatory implication |
| 2 — Minor | Rs 1 lakh to 10 lakh | Internal reporting only |
| 3 — Moderate | Rs 10 lakh to 1 crore | Regulatory reporting required |
| 4 — Significant | Rs 1 crore to 10 crore | Regulatory investigation likely |
| 5 — Critical | Above Rs 10 crore | Criminal prosecution risk |
Similarly, likelihood scores range from 1 (rare — less than once in 10 years) to 5 (almost certain — expected to occur within the year). The inherent risk score is the product of impact and likelihood.
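As an added illustration (not part of the original article and not Virtual Auditor's own tooling), the scoring described in Steps 2 to 5 and in the table above can be expressed as a small register calculator. The rupee impact bands are taken from the table and the inherent score is the stated product of impact and likelihood; the residual-risk formula (inherent multiplied by one minus the control effectiveness rating) and the Low/Medium/High/Critical banding are assumptions made for this example, and the scheme entries are constructed.

```python
from dataclasses import dataclass

LAKH = 100_000        # Rs 1 lakh
CRORE = 10_000_000    # Rs 1 crore

# Upper bounds (exclusive) of the financial-impact bands from the table above;
# anything at or above Rs 10 crore scores 5 (Critical).
IMPACT_BANDS = [
    (1 * LAKH, 1, "Negligible"),
    (10 * LAKH, 2, "Minor"),
    (1 * CRORE, 3, "Moderate"),
    (10 * CRORE, 4, "Significant"),
]


def impact_score(financial_impact_inr):
    """Map an estimated rupee impact onto the 1..5 impact scale of the table."""
    for upper, score, _label in IMPACT_BANDS:
        if financial_impact_inr < upper:
            return score
    return 5


def inherent_risk(impact, likelihood):
    """Inherent risk on the 5x5 matrix: impact times likelihood, giving 1..25."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be integers 1..5")
    return impact * likelihood


def residual_risk(inherent, control_effectiveness):
    """ASSUMED formula: residual = inherent * (1 - effectiveness). The effectiveness
    rating (0.0 = no working control, 1.0 = fully effective) is the output of the
    Step 4 operating-effectiveness testing."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0.0 and 1.0")
    return round(inherent * (1 - control_effectiveness), 1)


def risk_band(score):
    """ASSUMED banding of a 1..25 score for the heat map."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class FraudScheme:
    name: str
    category: str                 # ACFE fraud tree branch
    est_impact_inr: float         # estimated financial impact if the scheme succeeds
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float  # 0.0 .. 1.0 from control testing


def build_register(schemes):
    """Score every scheme and return register rows sorted by residual risk, highest first."""
    rows = []
    for s in schemes:
        impact = impact_score(s.est_impact_inr)
        inherent = inherent_risk(impact, s.likelihood)
        residual = residual_risk(inherent, s.control_effectiveness)
        rows.append({
            "scheme": s.name, "category": s.category,
            "impact": impact, "likelihood": s.likelihood,
            "inherent": inherent, "inherent_band": risk_band(inherent),
            "residual": residual, "residual_band": risk_band(residual),
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample entries (illustrative figures, not client data).
SAMPLE_SCHEMES = [
    FraudScheme("Duplicate vendor payments", "Asset misappropriation", 25 * LAKH, 4, 0.7),
    FraudScheme("Circular trading ITC fraud", "Corruption (related party)", 3 * CRORE, 3, 0.2),
    FraudScheme("Period-end revenue overstatement", "Financial statement fraud", 15 * CRORE, 2, 0.5),
    FraudScheme("Petty cash skimming", "Asset misappropriation", 50_000, 5, 0.8),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_SCHEMES):
        print(f"{row['scheme']:<34} inherent={row['inherent']:>2} ({row['inherent_band']})"
              f"  residual={row['residual']:>4} ({row['residual_band']})")
```

On the constructed entries the two schemes with the same inherent score of 12 end up far apart once control effectiveness is applied: the duplicate-payment scheme drops to 3.6 because its controls tested well, while the circular-trading scheme stays at 9.6 and rises to the top of the register. That re-ordering is the point of Step 5: prioritisation follows residual, not inherent, risk.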
Phase 4: Control Assessment and Gap Analysis (Weeks 5-7)
For each high and critical inherent risk scheme, we perform detailed control assessment:
Control design assessment: Does the control, as designed, adequately address the fraud risk? We evaluate whether the control is preventive or detective, automated or manual, and whether it addresses the root cause or merely the symptoms.
Control operating effectiveness: Does the control actually work as designed? We test through transaction sampling, re-performance, data analytics, and observation. Common findings include controls that exist on paper but are not consistently applied, automated controls that have been disabled or overridden, and detective controls whose outputs are not reviewed.
Gap analysis and remediation recommendations: Where controls are inadequate, we recommend specific improvements — additional controls, control redesign, technology solutions, or organisational changes. Each recommendation is prioritised by the residual risk it addresses and the implementation complexity.
Phase 5: Framework Documentation and Implementation (Weeks 7-10)
The final deliverables include:
- Fraud Risk Register: Comprehensive register of all identified fraud schemes with inherent risk scores, control mapping, control effectiveness ratings, and residual risk scores
- Fraud Risk Heat Map: Visual representation of fraud risks by business unit, process area, and risk category
- Control Gap Remediation Plan: Prioritised action plan with specific recommendations, implementation timelines, responsible owners, and success metrics
- Fraud Response Plan: Documented protocol for responding to detected fraud — investigation triggers, evidence preservation procedures, reporting requirements, and legal response
- Monitoring Dashboard: Key fraud risk indicators (KFRIs) for ongoing monitoring by management and the audit committee
Data Analytics in Fraud Risk Assessment
Modern fraud risk assessment relies heavily on data analytics to move beyond subjective risk scoring to evidence-based assessment. We deploy the following analytical techniques:
Benford’s Law Analysis: First-digit and second-digit distribution testing on payment amounts, journal entry amounts, and revenue transactions. Deviations from expected Benford’s distribution indicate potential manipulation — for instance, an unusual concentration of amounts just below approval thresholds.
Duplicate Detection: Exact and fuzzy matching algorithms to identify duplicate payments, duplicate vendor records, duplicate employee records, and duplicate invoices. In our experience, duplicate payment fraud is one of the most common and easily detectable schemes in Indian companies.
Relationship Mapping: Network analysis to identify hidden relationships between vendors and employees (shared addresses, phone numbers, bank accounts), between related parties and the company, and between counterparties in circular trading arrangements.
Trend and Pattern Analysis: Time-series analysis of key financial metrics to identify unusual patterns — revenue spikes at period-end (channel stuffing), expense deferrals, unusual seasonality in procurement, and cash flow anomalies that contradict reported profitability.
Stratification Analysis: Segmenting transactions by amount, timing, user, cost centre, and other dimensions to identify outliers and anomalies that warrant further investigation.
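The Benford, duplicate-detection and threshold tests named above (and the analytics screening in Phase 2) are straightforward to run over a payment extract. The block below is an added example written for this page, not the firm's own analytics; the Benford test uses the mean absolute deviation (MAD) statistic with Nigrini's published 0.015 first-digit nonconformity boundary treated as the pass/fail line, the vendor-name normalisation rules are an assumption, and the payment records and approval threshold are constructed.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal
from itertools import combinations

# Benford's Law: expected frequency of leading digit d is log10(1 + 1/d).
BENFORD_FIRST = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Pass/fail line on the mean absolute deviation; 0.015 is Nigrini's first-digit
# nonconformity boundary, used here as an assumption.
MAD_NONCONFORMITY = 0.015


def first_digit(amount):
    """Leading non-zero digit of an amount (None for zero); Decimal avoids float artefacts."""
    if amount == 0:
        return None
    return Decimal(str(abs(amount))).as_tuple().digits[0]


def benford_first_digit_test(amounts):
    """Observed first-digit frequencies versus Benford's expectation, summarised as MAD."""
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    counts = Counter(digits)
    n = len(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD_FIRST[d]) for d in range(1, 10)) / 9
    return {"n": n, "observed": observed, "mad": mad, "conforms": mad <= MAD_NONCONFORMITY}


_LEGAL_SUFFIXES = {"pvt", "ltd", "limited", "private", "llp", "co", "company"}


def normalise_vendor(name):
    """Fuzzy vendor key: lowercase, drop punctuation and legal-form suffixes (assumed rules)."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _LEGAL_SUFFIXES)


def find_duplicate_payments(payments, window_days=30):
    """Pairs of payment ids to the same normalised vendor for the same amount within the window."""
    groups = defaultdict(list)
    for p in payments:
        groups[(normalise_vendor(p["vendor"]), round(p["amount"], 2))].append(p)
    flagged = []
    for group in groups.values():
        for a, b in combinations(sorted(group, key=lambda p: p["date"]), 2):
            if (b["date"] - a["date"]).days <= window_days:
                flagged.append((a["id"], b["id"]))
    return flagged


def threshold_clustering(payments, threshold, band=0.10):
    """Count payments in the band just below an approval threshold against the equal band just above."""
    lo, hi = threshold * (1 - band), threshold * (1 + band)
    below = sum(1 for p in payments if lo <= p["amount"] < threshold)
    above = sum(1 for p in payments if threshold <= p["amount"] <= hi)
    return {"below": below, "above": above, "ratio": below / above if above else None}


# Constructed sample inputs (not client data).
BENFORD_LIKE = [10 ** (k / 50) for k in range(200)]   # geometric growth, close to Benford
FABRICATED = [9000 + 7 * i for i in range(200)]       # invented amounts clustered at 9xxx
SAMPLE_PAYMENTS = [
    {"id": "P1", "vendor": "Sharma Traders Pvt Ltd", "amount": 98500.00, "date": date(2024, 3, 4)},
    {"id": "P2", "vendor": "SHARMA TRADERS PVT. LTD.", "amount": 98500.00, "date": date(2024, 3, 7)},
    {"id": "P3", "vendor": "Mehta Logistics", "amount": 99200.00, "date": date(2024, 3, 9)},
    {"id": "P4", "vendor": "Mehta Logistics", "amount": 97800.00, "date": date(2024, 3, 16)},
    {"id": "P5", "vendor": "Kumar Supplies", "amount": 104000.00, "date": date(2024, 3, 18)},
    {"id": "P6", "vendor": "Rao Engineering", "amount": 42300.00, "date": date(2024, 3, 20)},
    {"id": "P7", "vendor": "Sharma Traders Pvt Ltd", "amount": 98500.00, "date": date(2024, 5, 2)},
]
APPROVAL_THRESHOLD = 100_000  # assumed Rs 1 lakh single-signature limit

if __name__ == "__main__":
    print("Benford MAD (geometric):", round(benford_first_digit_test(BENFORD_LIKE)["mad"], 4))
    print("Benford MAD (fabricated):", round(benford_first_digit_test(FABRICATED)["mad"], 4))
    print("Duplicate pairs:", find_duplicate_payments(SAMPLE_PAYMENTS))
    print("Threshold clustering:", threshold_clustering(SAMPLE_PAYMENTS, APPROVAL_THRESHOLD))
```

Two design points matter in practice. The duplicate test keys on a normalised vendor name rather than the raw master-file string, because a second vendor record with trivially different spelling is exactly how duplicate-payment schemes survive exact matching; and the third Sharma Traders payment falls outside the 30-day window, so it is left for the analyst rather than flagged, which keeps the exception list reviewable. The threshold test reports a ratio of below-band to above-band counts so that a genuine price point near the limit can be distinguished from a pattern of splitting or shaving invoices.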
Industry-Specific Fraud Risk Considerations
Manufacturing Sector
Primary fraud risks include procurement kickbacks, inventory theft and fictitious inventory, GST input tax credit fraud through circular trading, capital expenditure inflation, and related party raw material supply at inflated prices. Our assessment incorporates physical verification procedures and production data analytics.
Financial Services (Banks, NBFCs)
Key risks include loan origination fraud (fictitious borrowers, inflated collateral valuations), ever-greening of non-performing assets, insider lending, treasury fraud, and customer identity fraud. The RBI framework provides specific assessment requirements as discussed in our bank fraud investigation guide.
Real Estate and Construction
Sector-specific risks include land acquisition irregularities (benami transactions), sub-contractor billing fraud, project cost inflation, revenue recognition manipulation (percentage-of-completion method abuse), and diversion of project funds to promoter entities.
Technology and IT Services
Risks include revenue recognition manipulation (timing of milestone recognition), fictitious subcontractor arrangements, intellectual property theft, expense misclassification (capitalising revenue expenditure), and related party technology licensing at inflated rates.
Healthcare and Pharmaceuticals
Specific risks include clinical trial data manipulation, regulatory compliance fraud (fabricated quality records), procurement fraud in medical equipment, insurance billing fraud, and related party API (Active Pharmaceutical Ingredient) supply manipulation.
Common Pitfalls in Fraud Risk Assessment
Based on our extensive forensic practice, we observe the following common failures:
Checkbox compliance approach: Treating fraud risk assessment as a regulatory exercise rather than a genuine risk management tool. The assessment document exists but is not used to drive actual control improvements.
Management bias in self-assessment: Allowing management to assess fraud risks in their own areas without independent validation. This creates inherent bias — no manager wants to report high fraud risk in their department.
Ignoring management override: Focusing exclusively on process-level controls while ignoring the risk that management can override any control. SA 240 specifically requires assessment of management override risk.
Static framework: Creating the assessment once and not updating it. Fraud schemes evolve, business models change, and new regulatory requirements emerge. An outdated framework provides false assurance.
Insufficient data analytics: Relying entirely on interviews and process walkthroughs without leveraging transactional data analytics. Data analytics provides objective evidence of fraud risk that subjective assessments cannot.
No follow-through on recommendations: The assessment identifies gaps and makes recommendations, but implementation is not tracked or enforced. Without accountability for remediation, the exercise has limited value.
Practitioner Insight — CA V. Viswanathan
In over two decades of forensic practice, I have observed that the most effective fraud risk assessment frameworks share one characteristic — they are embedded in the organisation’s culture, not merely documented in a binder. The COSO framework and ACFE methodology provide the structure, but it is the genuine commitment of the board and senior management to fraud prevention that makes the framework effective.
In the Indian context, three specific fraud risk areas consistently receive inadequate attention: (1) related party transaction manipulation — where the promoter group uses the corporate structure to extract value; (2) GST input tax credit fraud through circular trading arrangements; and (3) procurement kickback schemes where the vendor-employee nexus is well-established but difficult to detect without forensic data analytics.
My recommendation to audit committees: insist on an independent fraud risk assessment conducted by a qualified forensic professional (not the statutory auditor, who has inherent limitations under SA 240). The investment in a comprehensive fraud risk assessment framework — typically Rs 3-5 lakh for mid-sized companies — is negligible compared to the average fraud loss, which in our experience ranges from Rs 50 lakh to several crores by the time it is detected.
For assistance with fraud risk assessment, reach out to our forensic accounting team at Virtual Auditor or call +91 99622 60333.
Key Takeaways
- Fraud risk assessment is mandatory for listed companies (SEBI LODR), banks/NBFCs (RBI Master Direction), and implicitly required under Companies Act 2013 Section 134(5)(e) for all companies
- The framework combines COSO’s five-component internal control model with the ACFE fraud triangle (pressure, opportunity, rationalisation) and fraud diamond (adding capability)
- The output is a fraud risk register scoring each identified scheme by inherent risk, control effectiveness, and residual risk — updated annually with quarterly reviews
- Data analytics (Benford’s Law, duplicate detection, relationship mapping) provides objective evidence that subjective assessments cannot match
- SA 240 requires auditors to assess fraud risk in every audit, with a rebuttable presumption of fraud risk in revenue recognition and mandatory testing for management override
- Independent assessment by qualified forensic professionals (CFE-credentialed) ensures objectivity and brings cross-industry fraud intelligence
- Common pitfalls include checkbox compliance, management self-assessment bias, static frameworks, and failure to follow through on remediation recommendations
Frequently Asked Questions
What is a fraud risk assessment framework?
A fraud risk assessment framework is a structured methodology to identify, assess, and mitigate fraud risks within an organisation. It combines the COSO Internal Control Framework with the ACFE fraud triangle methodology (pressure, opportunity, rationalisation) to create a comprehensive fraud prevention and detection system. In India, this framework must also incorporate Companies Act 2013 requirements, SEBI regulations, and RBI directions.
Is fraud risk assessment mandatory in India?
Yes. For listed companies, SEBI LODR Regulation 17(8) requires the CEO/CFO to certify internal controls, including fraud risk management. SA 240 requires auditors to assess fraud risk during every statutory audit. For banks, the RBI Master Direction on Frauds mandates a comprehensive fraud risk management framework. Even for unlisted companies, Companies Act Section 134(5)(e) requires directors to certify the adequacy of internal financial controls.
What is the difference between fraud risk assessment and internal audit?
Internal audit evaluates the effectiveness of internal controls across all business processes and provides assurance to the audit committee. Fraud risk assessment specifically focuses on identifying fraud schemes, evaluating fraud-specific controls, and producing a fraud risk register. While internal audit may incorporate fraud risk assessment elements, a standalone fraud risk assessment provides deeper and more specialised analysis using forensic accounting methodology.
How much does a fraud risk assessment cost?
For mid-sized Indian companies, a comprehensive fraud risk assessment typically costs between Rs 3-5 lakh. For large corporates with multiple business units, costs range from Rs 5-15 lakh. For banks and NBFCs, given the regulatory complexity, costs range from Rs 8-20 lakh. These are modest investments relative to the average fraud loss. Contact Virtual Auditor at +91 99622 60333 for a specific quotation.
How often should fraud risk assessment be updated?
Best practice recommends annual comprehensive reassessment with quarterly updates for high-risk areas. Additionally, fraud risk assessment should be updated whenever there is a significant organisational change (merger, new business line, major system implementation), regulatory change, or detection of a fraud incident. The fraud risk register should be a living document, not a one-time exercise.
Can the statutory auditor conduct fraud risk assessment?
While statutory auditors conduct fraud risk assessment as part of SA 240 procedures, a standalone comprehensive fraud risk assessment is best conducted by an independent forensic accounting firm. This avoids potential conflicts of interest (the statutory auditor may be reluctant to identify gaps that reflect on their own audit), brings specialised forensic methodology, and provides a fresh perspective that the regular auditor may lack after years of familiarity with the entity.
Virtual Auditor
V. VISWANATHAN, FCA, ACS, CFE | IBBI Registered Valuer — IBBI/RV/03/2019/12333
Chennai HQ: G-131, Phase III, Spencer Plaza, Anna Salai, Chennai 600002
Bangalore: 7th Floor, Mahalakshmi Chambers, 29 MG Road, Bangalore 560001
Mumbai: Workafella, Goregaon West, Mumbai 400062
Phone: +91 99622 60333
Email: support@virtualauditor.in
