CFFE Notes – Fraud Risk Management KASNEB Notes




Complete copy of CFFE FRAUD RISK MANAGEMENT Study Notes is available in SOFT copy (Reading using our MASOMO MSINGI PUBLISHERS APP) and in HARD copy 

Phone: 0728 776 317



Following our continued effort to provide quality study and revision materials at an affordable price for private students who study on their own, as well as full-time and part-time students, we partnered with another team of professionals to make this possible.

Special appreciation and recognition go to the lecturers who have helped in the development of our materials. These are: FA Kegicha William Momanyi (MBA Accounting, CPA, CISA and CCP), FA Bramwel Omogo (Actuarial Science, CIFA, CIIA, CFA Level I and ICIFA member), Johnmark Mwangi (MSc Finance, CPAK, BCom Finance), CPA Gregory Mailu (BSc Economics), CPA Dominic Rasungu and CPA Lawrence Ambunya, among others.






This paper is intended to equip the candidate with knowledge, skills and attitudes that will enable him/her to develop and implement an effective fraud risk management program.



A candidate who passes this paper should be able to:

  • Identify, prioritise, evaluate, and treat fraud risks
  • Identify fraud related controls and evaluate their effectiveness
  • Analyse existing risk management frameworks and their application to manage fraud risk
  • Develop a fraud risk management program
  • Identify, assess, and manage fraud risks from all sources and support fraud risk management initiatives by establishing an anti-fraud culture and promoting fraud awareness throughout the organisation



1. Introduction to Risk Management

  • Definitions of risk
  • Definition of fraud risk
  • Types of fraud risks
  • Definition of risk management
  • Principles and aims of risk management
  • Current state of risk management
  • Risk management frameworks
  • Risk management process
  • Fraud risk management: convergence of enterprise risk management and internal control


2. Risk Governance/Responsibility

  • The Board of Directors
  • Board audit and risk committee
  • Management
  • Risk and compliance functions
  • Internal audit
  • Legal department
  • Human resources
  • Information technology
  • Investigation function
  • Employees
  • External auditors
  • Regulatory agencies
  • Anti-corruption agencies
  • Fraud risk management team


3. Fraud Risk Management

  • Definition of fraud risk management
  • The objectives of a fraud risk management program
  • Fraud risk management principles
  • Steps in developing a fraud risk management program: risk appetite, investment in anti-fraud controls, prevention of material fraud
  • Fraud risk management program components
  • Fraud risk policy components
  • Risk management frameworks: integrating anti-fraud initiatives into risk management
  • ISO 31000:2018
  • Use of data in managing fraud risks


4. Fraud Risk Assessment

  • Definition of fraud risk assessment
  • Inherent and residual fraud risks
  • Factors that influence fraud risk
  • Objective of a fraud risk assessment
  • Why conduct a fraud risk assessment
  • Effective fraud risk assessment
  • Preventive and detective fraud controls
  • Fraud risk assessment frameworks
  • Tool for doing a risk assessment: the risk register


5. Fraud Risk Management Process

  • Risk identification: identification of pertinent fraud schemes
  • Risk analysis: establish the weight of each identified fraud scheme
  • Risk evaluation: review the effectiveness of existing controls
  • Risk treatment/mitigation: responding to residual fraud risks
  • Monitoring and communication: reporting and monitoring key risks
  • Designing a fraud risk management plan/report


6. Fraud Risk Register

  • Definition of a risk register
  • Designing a fraud risk register
  • Using a fraud risk register to manage risks
  • Designing a key fraud risk register


7. Case Study – Fraud Risk Management

Based on the case study:

  • Identify various fraud risks
  • Analyse the identified fraud schemes using a risk matrix (likelihood and impact)
  • Identify the existing detective and preventive controls
  • Evaluate the effectiveness of the preventive and detective controls
  • Evaluate the level of the risks
  • Identify various responses for the identified fraud risks

Develop fraud risk frameworks (1&2)





Introduction to Risk Management

In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects or implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences. Many different definitions have been proposed. The international standard definition of risk, intended to give a common understanding across different applications, is “effect of uncertainty on objectives”.

The understanding of risk, the methods of assessment and management, the descriptions of risk and even the definitions of risk differ between practice areas (business, economics, environment, finance, information technology, health, insurance, safety, security, etc.). The international standard for risk management, ISO 31000, provides principles and generic guidelines on managing the risks faced by organisations.


Definitions of risk

[Figure: firefighters are exposed to risks of fire and building collapse during their work]

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling risque, from its French original) as of 1621, and the spelling risk from 1655. Among several other definitions, the OED 3rd edition defines risk as:

(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.

The Cambridge Advanced Learner’s Dictionary gives a simple summary, defining risk as “the possibility of something bad happening”.

International Organization for Standardization

The International Organization for Standardization (ISO) Guide 73 provides basic vocabulary to develop common understanding on risk management concepts and terms across different applications. ISO Guide 73:2009 defines risk as:

effect of uncertainty on objectives

Note 1: An effect is a deviation from the expected – positive or negative.

Note 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.

Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

This definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts. It was first adopted in 2002. Its complexity reflects the difficulty of satisfying fields that use the term risk in different ways. Some restrict the term to negative impacts (“downside risks”), while others include positive impacts (“upside risks”).

ISO 31000:2018 “Risk management — Guidelines” uses the same definition with a simpler set of notes.


Many other definitions of risk have been influential:

“Source of harm”. The earliest use of the word “risk” was as a synonym for the much older word “hazard”, meaning a potential source of harm. This definition comes from Blount’s “Glossographia” (1661) and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to “unwanted events” or “something bad that might happen”.

“Chance of harm”. This definition comes from Johnson’s “Dictionary of the English Language” (1755), and has been widely paraphrased, including “possibility of loss” or “probability of unwanted events”.

“Uncertainty about loss”. This definition comes from Willett’s “Economic Theory of Risk and Insurance” (1901). This links “risk” to “uncertainty”, which is a broader term than chance or probability.

“Measurable uncertainty”. This definition comes from Knight’s “Risk, Uncertainty and Profit” (1921). It allows “risk” to be used equally for positive and negative outcomes. In insurance, risk involves situations with unknown outcomes but known probability distributions.

“Volatility of return”. Equivalence between risk and variance of return was first identified in Markowitz’s “Portfolio Selection” (1952). In finance, volatility of return is often equated with risk.

“Statistically expected loss”. The expected value of loss was used to define risk by Wald (1939) in what is now known as decision theory. The probability of an event multiplied by its magnitude was proposed as a definition of risk for the planning of the Delta Works in 1953, a flood protection program in the Netherlands. It was adopted by the US Nuclear Regulatory Commission (1975), and remains widely used.

“Likelihood and severity of events”. The “triplet” definition of risk as “scenarios, probabilities and consequences” was proposed by Kaplan & Garrick (1981). Many definitions refer to the likelihood/probability of events/effects/losses of different severity/consequence, e.g. ISO Guide 73 Note 4.

“Consequences and associated uncertainty”. This was proposed by Kaplan & Garrick (1981). This definition is preferred in Bayesian analysis, which sees risk as the combination of events and uncertainties about them.

“Uncertain events affecting objectives”. This definition was adopted by the Association for Project Management (1997). With slight rewording it became the definition in ISO Guide 73.

“Uncertainty of outcome”. This definition was adopted by the UK Cabinet Office (2002) to encourage innovation to improve public services. It allowed “risk” to describe either “positive opportunity or negative threat of actions and events”.

“Asset, threat and vulnerability”. This definition comes from the Threat Analysis Group (2010) in the context of computer security.

“Human interaction with uncertainty”. This definition comes from Cline (2015) in the context of adventure education.

Some resolve these differences by arguing that the definition of risk is subjective. For example:

No definition is advanced as the correct one, because there is no one definition that is suitable for all problems. Rather, the choice of definition is a political one, expressing someone’s views regarding the importance of different adverse effects in a particular situation.

The Society for Risk Analysis concludes that “experience has shown that to agree on one unified set of definitions is not realistic”. The solution is “to allow for different perspectives on fundamental concepts and make a distinction between overall qualitative definitions and their associated measurements.”


Fraud Risk


Fraud Risk is the risk of unexpected financial, material or reputational loss as the result of fraudulent action of persons internal or external to the organization.


Fraud Risk is customarily split into internal and external fraud:

Internal Fraud is a recognized risk category in regulatory frameworks worldwide (Basel II/Basel III standards). The Basel II definition states more specifically: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.

External Fraud is the risk of unexpected financial, material or reputational loss as the result of fraudulent action of persons external to the firm. External Fraud is a recognized risk category in regulatory frameworks worldwide (Basel II/III standards). The precise Basel definition of external fraud reads: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.


Risk management

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Risks can come from various sources, including uncertainty in international markets, threats from project failures (at any phase of design, development, production or sustainment of the life cycle), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack by an adversary, or events of uncertain or unpredictable root cause. Events with negative consequences are classified as risks (threats), while events with positive consequences are classified as opportunities. Risk management standards have been developed by various institutions, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat. The opposite of these strategies can be used to respond to opportunities (uncertain future states with benefits).

Certain risk management standards have been criticised for producing no measurable improvement in risk, even though confidence in estimates and decisions appears to increase.


Risk management has appeared in the scientific and management literature since the 1920s. It became a formal discipline in the 1950s, when articles and books with “risk management” in the title also begin to appear in library searches. Most early research was related to finance and insurance.

A widely used vocabulary for risk management is defined by ISO Guide 73:2009, “Risk management. Vocabulary.”

In ideal risk management, a prioritisation process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice, assessing overall risk can be difficult, and balancing the resources spent on mitigating a risk with a high probability of occurrence but lower loss against a risk with high loss but lower probability of occurrence is often mishandled.

Intangible risk management identifies a type of risk that has a 100% probability of occurring but is ignored by the organisation because it lacks the ability to identify it. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost-effectiveness, profitability, service, quality, reputation, brand value and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Opportunity cost represents a unique challenge for risk managers. It can be difficult to determine when to put resources toward risk management and when to use those resources elsewhere. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.
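The “statistically expected loss” definition given earlier (probability or frequency of an event multiplied by its magnitude) is what makes the opportunity-cost question answerable in practice: an anti-fraud control is worth buying only when the expected loss it removes exceeds what it costs, and a fixed budget should go to the controls that remove the most expected loss per unit of spend. The Python below is an added worked example for these notes, not code from the original text or from any framework. The fraud schemes, frequencies, loss amounts, control costs and reduction percentages are constructed, and the multiplicative way controls on the same scheme are combined is a modelling assumption.

```python
"""Expected-loss view of fraud risk and anti-fraud control investment.

Added worked example, not part of the original notes. Every scheme, control,
cost and reduction figure below is constructed for illustration; a real
programme takes frequencies from loss data and reductions from control testing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    name: str
    events_per_year: float   # expected frequency of the fraud scheme
    loss_per_event: float    # expected severity per event (currency units)

    @property
    def expected_loss(self) -> float:
        """Statistically expected annual loss: frequency x magnitude."""
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    scheme: str                        # name of the scheme the control acts on
    annual_cost: float
    frequency_reduction: float = 0.0   # share of events the control prevents
    severity_reduction: float = 0.0    # share of loss per event it limits or recovers


def residual_loss(scheme: Scheme, controls: list[Control]) -> float:
    """Expected loss of one scheme after the given controls are in place.
    Reductions compound multiplicatively (a second control only acts on what
    the first one left). Assumed model, not a standard formula."""
    freq, sev = scheme.events_per_year, scheme.loss_per_event
    for c in controls:
        if c.scheme == scheme.name:
            freq *= 1 - c.frequency_reduction
            sev *= 1 - c.severity_reduction
    return freq * sev


def portfolio_loss(schemes: list[Scheme], controls: list[Control]) -> float:
    """Total expected loss across all schemes with the given controls."""
    return sum(residual_loss(s, controls) for s in schemes)


def select_controls(schemes: list[Scheme], candidates: list[Control], budget: float) -> list[Control]:
    """Greedy selection: each round, pick the affordable control with the best
    marginal loss reduction per unit of cost, provided the reduction exceeds the
    control's own cost. Marginal values are recomputed every round so two
    controls on the same scheme do not double-count. Greedy is not guaranteed
    optimal, but it is transparent enough to defend at a risk committee."""
    by_name = {s.name: s for s in schemes}
    chosen: list[Control] = []
    remaining = budget
    pool = list(candidates)
    while True:
        best, best_ratio = None, 0.0
        for c in pool:
            if c.annual_cost > remaining:
                continue
            s = by_name[c.scheme]
            reduction = residual_loss(s, chosen) - residual_loss(s, chosen + [c])
            if reduction <= c.annual_cost:      # control costs more than it saves
                continue
            ratio = reduction / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return chosen
        chosen.append(best)
        pool.remove(best)
        remaining -= best.annual_cost


# Constructed sample data (illustrative only).
SCHEMES = [
    Scheme("fictitious vendor invoices", 4, 25_000),
    Scheme("expense reimbursement fraud", 60, 400),
    Scheme("customer account takeover", 200, 1_500),
]
CONTROLS = [
    Control("three-way match and vendor master review", "fictitious vendor invoices", 30_000, frequency_reduction=0.7),
    Control("automated expense analytics", "expense reimbursement fraud", 20_000, frequency_reduction=0.5),
    Control("MFA and device binding on customer login", "customer account takeover", 80_000, frequency_reduction=0.8),
    Control("transaction velocity limits", "customer account takeover", 15_000, severity_reduction=0.5),
]

if __name__ == "__main__":
    for budget in (100_000, 130_000):
        chosen = select_controls(SCHEMES, CONTROLS, budget)
        spend = sum(c.annual_cost for c in chosen)
        print(f"budget {budget:>8,}: {[c.name for c in chosen]}")
        print(f"  expected loss {portfolio_loss(SCHEMES, []):,.0f} -> "
              f"{portfolio_loss(SCHEMES, chosen):,.0f}, control spend {spend:,.0f}")
```

With the constructed figures, the expense analytics control is never chosen because the 12,000 it saves is less than its 20,000 cost, and the MFA control only enters once the budget can still carry its 80,000 after the cheaper, higher-ratio controls have been taken. Changing the budget and watching which controls drop out is the quickest way to see why opportunity cost, not just inherent risk, drives the anti-fraud investment decision.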

COSO defines risk as the possibility that an event will occur and adversely affect the achievement of an objective; uncertainty is therefore a key aspect of risk. Frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management framework (COSO ERM) can assist managers in mitigating risk factors. Each organisation implements the components differently, which leads to different outcomes. The 2004 COSO ERM Integrated Framework lists eight components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. The 2017 update (Enterprise Risk Management: Integrating with Strategy and Performance) regroups these into five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting.

Risks vs. opportunities

Opportunities first appear in academic research and management books in the 1990s. The first draft of the PMBoK (Project Management Body of Knowledge) in 1987 does not mention opportunities at all.

Modern project management recognises the importance of opportunities. Opportunities have been included in project management literature since the 1990s, e.g. in the PMBoK, and became a significant part of project risk management in the 2000s, when articles titled “opportunity management” also begin to appear in library searches. Opportunity management thus became an important part of risk management.

Modern risk management theory deals with any type of uncertain event, positive and negative. Positive risks are called opportunities. Just as threats have response strategies, opportunities have their own: exploit, share, enhance and accept, the counterparts of avoid, transfer, reduce and retain for threats.

In practice, risks are considered “usually negative”. Risk-related research and practice focus significantly more on threats than on opportunities. This can lead to negative phenomena such as target fixation.


Most risk management methods consist of the following elements, performed more or less in this order:

  1. Identify the threats
  2. Assess the vulnerability of critical assets to specific threats
  3. Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  4. Identify ways to reduce those risks
  5. Prioritise risk reduction measures
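The five steps just listed, together with the prioritisation rule described earlier (greatest impact and probability first, then avoid, reduce, transfer or retain), can be worked through on a small fraud risk register scored on a likelihood x impact matrix. The Python below is an added worked example for these notes, not code from the original text or from any framework. The fraud schemes, the 5x5 scoring scale, the mapping from control rating to risk reduction, the rating bands and the appetite threshold are all constructed assumptions; the point is the mechanics of going from inherent risk, through existing controls, to a ranked list of residual risks with a response for each.

```python
"""Fraud risk register on a likelihood x impact matrix.

Added worked example, not part of the original notes. The schemes, scores,
control ratings and thresholds are constructed for illustration; the mapping
from control rating to risk reduction is an assumption a real programme would
calibrate from control testing.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed share of risk a control of each rating removes.
CONTROL_EFFECT = {"none": 0.0, "weak": 0.2, "adequate": 0.5, "strong": 0.8}

# Risk appetite: a residual score at or above this must be treated, not just accepted.
RISK_APPETITE = 8.0


@dataclass
class FraudRisk:
    scheme: str
    source: str                   # "internal" or "external" (Basel II event types)
    likelihood: str
    impact: str
    preventive: str               # rating of the existing preventive control
    detective: str                # rating of the existing detective control
    transferable: bool = False    # e.g. insurable under a crime/fidelity policy
    optional_activity: bool = False  # the business could stop the activity altogether

    @property
    def inherent(self) -> int:
        """Score before controls: likelihood x impact on the 5x5 matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual(self) -> float:
        """Score after controls. Preventive controls lower likelihood; detective
        controls lower impact, because the loss is caught earlier."""
        likelihood = LIKELIHOOD[self.likelihood] * (1 - CONTROL_EFFECT[self.preventive])
        impact = IMPACT[self.impact] * (1 - CONTROL_EFFECT[self.detective])
        return round(likelihood * impact, 2)


def rating(score: float) -> str:
    """Band a matrix score: 15-25 high, appetite-14 medium, below appetite low (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= RISK_APPETITE:
        return "medium"
    return "low"


def treatment(risk: FraudRisk) -> str:
    """Choose a response. The order of preference is an assumption: retain what is
    within appetite, transfer where a policy or contract can carry it, avoid when
    the activity is optional and the risk stays high, otherwise reduce by
    strengthening the weakest control."""
    if risk.residual < RISK_APPETITE:
        return "accept"
    if risk.transferable:
        return "transfer"
    if risk.optional_activity and risk.residual >= 15:
        return "avoid"
    weakest_kind, weakest_rating = min(
        (("preventive", risk.preventive), ("detective", risk.detective)),
        key=lambda kr: CONTROL_EFFECT[kr[1]])
    if CONTROL_EFFECT[weakest_rating] < CONTROL_EFFECT["strong"]:
        return f"reduce: strengthen {weakest_kind} control"
    # Both controls already strong yet still outside appetite: a decision for
    # the risk committee, not the risk owner.
    return "escalate"


def prioritise(register: list[FraudRisk]) -> list[FraudRisk]:
    """Highest residual first; ties broken by inherent score, so a well-controlled
    but severe scheme still ranks above a trivial one."""
    return sorted(register, key=lambda r: (r.residual, r.inherent), reverse=True)


def report(register: list[FraudRisk]) -> list[tuple]:
    """Rows of (scheme, inherent, residual, rating, treatment) in priority order."""
    return [(r.scheme, r.inherent, r.residual, rating(r.residual), treatment(r))
            for r in prioritise(register)]


# Constructed sample register (illustrative only).
REGISTER = [
    FraudRisk("fictitious vendor invoices", "internal", "likely", "severe", "weak", "none"),
    FraudRisk("ghost employees on payroll", "internal", "possible", "moderate", "strong", "adequate"),
    FraudRisk("card-not-present transaction fraud", "external", "almost certain", "major",
              "adequate", "weak", transferable=True),
    FraudRisk("bribery of procurement staff by bidders", "internal", "unlikely", "severe", "weak", "none"),
    FraudRisk("cash advances to field agents", "internal", "almost certain", "major", "none", "none",
              optional_activity=True),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print("{:<42} inherent {:>2} residual {:>5} {:<6} {}".format(*row))
```

Two things the table makes visible that the prose does not: a scheme with a weak preventive control and no detective control keeps most of its inherent score, so "reduce" points at the missing detective control first; and the card-not-present scheme lands exactly on the appetite line, which is where a sloppy rounding rule or an undocumented threshold would silently change the response. Recording the scale and thresholds in the register itself, as this block does, is what lets a reviewer re-perform the assessment.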

The Risk Management knowledge area, as defined by the Project Management Body of Knowledge (PMBoK), consists of the following processes:

  • Plan Risk Management – defining how to conduct risk management activities.
  • Identify Risks – identifying individual project risks as well as their sources.
  • Perform Qualitative Risk Analysis – prioritising individual project risks by assessing probability and impact.
  • Perform Quantitative Risk Analysis – numerical analysis of the combined effect of identified risks.
  • Plan Risk Responses – developing options, selecting strategies and agreeing actions.
  • Implement Risk Responses – implementing agreed-upon risk response plans.
  • Monitor Risks – monitoring the implementation of response plans, tracking identified risks and identifying new ones.

In the 4th edition of the PMBoK, implementing risk responses was included as an activity in the Monitor and Control Risks process; it was separated out as a distinct process in the 6th edition.




