Fraud risk assessment – an effective anti-fraud tool for SMEs

By Yaw Appiah LARTEY, Nii Asafoatse ABBEY & Ewurakua ABRAHAM
Small and medium enterprises (SMEs) are vital for economic growth, especially in developing countries, but are particularly vulnerable to fraud.
The 2024 report by the Association of Certified Fraud Examiners (ACFE) highlights that smaller budgets and revenue make SMEs more vulnerable to the impact of fraud than larger organisations[1].
Small businesses are at higher risk of fraud due to their limited resources, relatively informal processes and lack of anti-fraud technology. To protect themselves, businesses can conduct a Fraud Risk Assessment (FRA), as recommended by the Chartered Institute of Management Accountants (CIMA)[2] and the Committee of Sponsoring Organisations (COSO)[3]. This assessment helps identify and manage fraud risks efficiently, even with limited resources.
This article will discuss how FRA can help small businesses in Ghana combat fraud. Future articles will cover additional components needed for a comprehensive fraud risk management programme for SMEs. Let’s start by defining fraud and its impact on SMEs.

Understanding fraud and its impact on SMEs
Fraud is a deliberate act of deception for personal or financial gain that harms others. Three main elements trigger fraud: pressure, opportunity and rationalisation. Opportunity arises from weaknesses in processes or systems that can be exploited for financial gain. Pressure can be driven by factors like greed, addiction, debt or financial stress. Rationalisation involves justifying fraud through reasons like “I’m doing it for my family”, “Everyone does it” or “I deserve it”.
SMEs face various types of fraud, including payroll fraud (such as timesheet manipulation and unauthorised wage increases), data breaches due to limited IT resources, use of fake currency, supply of fake or wrong products, incomplete supply of goods, cyber fraud and billing for fake items. Many SMEs do not prioritise fraud risk assessment due to cost and lack of awareness among owners. While the financial losses from fraud can be significant for SMEs, the non-financial impacts can be equally devastating and have long-lasting consequences. These include:
  • Reputational damage: Fraud can erode trust with customers and stakeholders, leading to a loss of business and loyalty.
  • Distraction from core business: Dealing with fraud can divert time and energy away from focusing on business growth and development.
  • Difficulty attracting new customers: Negative information about fraud can deter potential customers from engaging with the company.
How businesses benefit from an effective FRA
Conducting a thorough fraud risk assessment is essential for a robust fraud risk management programme, as it encourages a business to take a proactive approach to managing fraud. The assessment should cover key areas relevant to the organisation’s size, complexity, industry and objectives. Regular updates to the risk assessment are necessary to stay abreast of evolving fraud risks and vulnerabilities specific to the organisation.

A comprehensive fraud risk assessment should pinpoint the types of fraud the organisation is most vulnerable to, potential locations of fraud occurrence and methods of perpetration. Prioritising identified fraud risks based on their significance and likelihood is crucial, followed by implementing appropriate mitigation programmes and controls. This detailed approach enhances risk intelligence, promoting a well-informed, balanced and adaptable risk management strategy.
Areas for enhancing performance in fraud risk assessment may include:
  • Connecting risks to specific control measures
  • Involving personnel across all levels
  • Addressing the risk of management overriding internal controls
  • Conducting assessments for key business units and regions
  • Performing detailed assessments at the level of specific fraud schemes.
To maximise its effectiveness, a fraud risk assessment should be conducted independently and regularly, be overseen by a designated sponsor such as a board committee, and involve collaboration across departments to ensure comprehensive coverage.
Approach to FRA
Step 1: Identify inherent risks
Assessing inherent risks is crucial in determining an organisation’s vulnerability to fraud. Here are the steps to follow to identify inherent risks:
  • Share a Document Request List with stakeholders to gather initial information on product inventory and fraud risk practices.
  • Verify critical business information (such as customer count, fraud losses and transaction volume) through discussions with stakeholders.
  • Create detailed inherent risk scenarios based on customer segments, geographical locations or additional products.
  • Evaluate inherent risk scenarios based on impact, likelihood, speed of onset and vulnerability.
  • Understand and prioritise the types of fraud that pose the highest inherent risks.
Step 2: Assess capability maturity
Assessing capability maturity is essential for determining an organisation’s readiness to detect and prevent fraud. Here are the steps required:
  • Interview stakeholders (i.e. product and process owners) to understand fraud capabilities.
  • Collect evidence of the capabilities in practice through additional documentation requests (e.g. proof of multi-factor authentication).
  • Validate capability maturity scores with stakeholders through discussions and the Document Request List.
Step 3: Determine residual risks and action plan
Residual risk is the level of fraud risk that remains after considering the effectiveness of the organisation’s current internal controls. An action plan is a set of specific steps designed to enhance the organisation’s controls and minimise the likelihood of fraud. Residual risks and action plans are essential components of the fraud risk assessment process. To determine residual risks and develop an action plan:
  • Review assessment results with stakeholders.
  • Identify high residual risks and discuss recommendations to enhance capabilities and reduce remaining residual risk.
  • Stakeholders will develop an action plan to mitigate remaining residual risks.
Closing thoughts
Fraud is a significant threat to SMEs in Ghana, impacting their growth and stability. Regular fraud risk assessments are crucial for identifying and mitigating fraud risks that could harm a company’s brand, reputation and assets. SME owners in Ghana should consider engaging independent advisors to conduct thorough assessments, help them to establish controls and implement anti-fraud programmes to combat fraud effectively.
How Deloitte can help
Deloitte assists organisations in conducting a comprehensive periodic evaluation of anti-fraud controls. It does so with fraud risk management tools that are tailored to an organisation’s processes and specific industry, and that help check the adequacy of existing anti-fraud programmes and controls.
Deloitte’s Forensic practice in Ghana helps organisations protect their brand and reputation through proactive advice on their exposure to fraud, non-compliance, misconduct and other business risk issues. The practice also helps clients react quickly and confidently in an investigation, crisis or dispute scenario. We use our global network, deep industry experience and advanced analytical technology to understand and resolve all such issues. The team comprises professionals who bring diverse skill sets to the practice.
About the authors
Yaw Appiah Lartey
Partner – Financial Advisory, Deloitte West Africa
Direct:   +233 302 775 355
Mobile:  +233 244 158 377
Nii Asafoatse Abbey
Associate Director – Forensic, Deloitte West Africa
Direct:   +233 302 775 355
Mobile:  +233 277 313 053
Ewurakua Abraham
Junior Consultant – Financial Advisory, Deloitte West Africa
Mobile: +233 500 434 986
[1] Association of Certified Fraud Examiners, Occupational Fraud 2024: A Report to the Nations
[2] CIMA, Fraud risk management: a guide to good practice
[3] COSO/ACFE, Fraud Risk Management Guide: Executive Summary
