Fraud Risk Assessment
Internal auditors, risk managers, and finance controllers use this prompt to conduct structured fraud risk assessments for individual business processes, replacing the inconsistent, experience-dependent approach of manual fraud brainstorming sessions with a systematic scheme identification and control mapping methodology aligned to COSO that can be applied uniformly across the enterprise.
Prompts
You are a fraud risk management specialist with expertise in the COSO Internal Control framework. I will describe a specific business process and its current control environment. Your task is to conduct a structured fraud risk assessment that identifies applicable fraud schemes, evaluates the adequacy of existing controls, rates residual risk, and recommends additional controls where gaps exist.

Business process details:
- Process being assessed: [BUSINESS PROCESS]
- Industry: [INDUSTRY]
- Transaction volume and value: [TRANSACTION VOLUME AND VALUE]
- Current controls in place: [CURRENT CONTROLS DESCRIPTION]
- Number of personnel involved in the process: [PERSONNEL COUNT]
- Systems used: [SYSTEMS USED]

Conduct the fraud risk assessment in five structured steps:

**Step 1: Fraud Scheme Identification**
Identify all fraud schemes applicable to [BUSINESS PROCESS], organized by fraud category:
- **Asset misappropriation**: theft of cash, inventory manipulation, payroll fraud, expense reimbursement fraud, check tampering
- **Financial statement fraud**: revenue recognition manipulation, liability concealment, asset overstatement
- **Corruption**: bribery, conflicts of interest, bid rigging, vendor kickbacks
- **Cyber-enabled fraud**: invoice redirection, business email compromise, unauthorized system access

For each identified scheme, rate the inherent likelihood (High/Medium/Low) and inherent impact (High/Medium/Low) before considering any controls.

**Step 2: Control Mapping**
For each identified fraud scheme, map the existing controls from [CURRENT CONTROLS DESCRIPTION] that are designed to prevent or detect it. Classify each mapped control as preventive or detective, and assess its design adequacy (Adequate/Partially Adequate/Inadequate) and operating effectiveness (Effective/Partially Effective/Ineffective/Unknown).

**Step 3: Residual Risk Rating**
For each fraud scheme, derive the residual risk rating after applying the existing controls. Use a simple matrix: combine inherent likelihood and impact into an inherent risk rating, then reduce that rating by one level for each mapped control that is both adequately designed and operating effectively. Give no credit to a control whose operating effectiveness is Unknown, since an untested control is not evidence of reduced risk. Flag any scheme where residual risk remains High as a priority finding.

**Step 4: Control Gap Analysis**
For schemes with High or Medium residual risk, identify the specific control gap: is the existing control absent, poorly designed, or not operating as intended? Describe the gap in terms of the COSO control activity that is missing (authorization, reconciliation, segregation of duties, physical safeguards, independent review).

**Step 5: Recommended Additional Controls**
For each control gap identified, recommend a specific additional control. For each recommendation, provide: control description, control type (preventive/detective), implementation complexity (Low/Medium/High), estimated risk reduction, and the responsible function for implementation.
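The rating logic in Steps 1 to 4 can be made mechanical so that two assessors scoring the same process get the same residual ratings and the same priority findings. The block below is an added example written for this page; it is not part of the original prompt and not any vendor's tooling. The numeric scale (Low=1, Medium=2, High=3), the product bands for the inherent matrix, the per-control credit values, the two-level cap on total credit, the treatment of Unknown operating effectiveness as zero credit, the fourth gap class "insufficient layering", and the accounts-payable sample schemes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Ordinal scale shared by likelihood, impact and risk ratings (assumed: the page
# uses High/Medium/Low labels but does not fix a numeric scoring).
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
LABEL = {v: k for k, v in LEVEL.items()}


@dataclass
class Control:
    name: str
    kind: str       # "preventive" or "detective" (Step 2)
    design: str     # Adequate / Partially Adequate / Inadequate
    operating: str  # Effective / Partially Effective / Ineffective / Unknown

    def credit(self) -> float:
        """Levels of risk reduction earned (assumed scale): full credit needs adequate
        design and tested-effective operation; one partial attribute earns half.
        Inadequate, Ineffective and Unknown earn nothing: an untested control is
        not evidence of reduced risk, so it cannot lower the residual rating."""
        if self.design == "Inadequate" or self.operating in ("Ineffective", "Unknown"):
            return 0.0
        if self.design == "Adequate" and self.operating == "Effective":
            return 1.0
        return 0.5


@dataclass
class Scheme:
    name: str
    category: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_rating(likelihood: str, impact: str) -> str:
    """Step 1: 3x3 likelihood x impact matrix, banded on the product (assumed bands)."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def residual_rating(scheme: Scheme) -> str:
    """Step 3: inherent level minus whole levels of control credit, floored at Low.
    Credit is capped at two levels so no stack of controls can claim to remove
    a High inherent risk entirely."""
    inherent = LEVEL[inherent_rating(scheme.likelihood, scheme.impact)]
    credit = int(min(2.0, sum(c.credit() for c in scheme.controls)))
    return LABEL[max(1, inherent - credit)]


def control_gap(scheme: Scheme):
    """Step 4: classify the gap for Medium/High residual risk, else None."""
    if residual_rating(scheme) not in ("High", "Medium"):
        return None
    if not scheme.controls:
        return "absent"
    if any(c.design != "Adequate" for c in scheme.controls):
        return "poorly designed"
    if any(c.operating != "Effective" for c in scheme.controls):
        return "not operating as intended"  # includes untested (Unknown) controls
    # Every control is adequate and effective, yet risk is still Medium/High: the
    # process needs another layer, not a repair (assumed fourth gap class).
    return "insufficient layering"


def assess(schemes):
    """One register row per scheme, ready to export as a table for Step 5."""
    return [{"scheme": s.name, "category": s.category,
             "inherent": inherent_rating(s.likelihood, s.impact),
             "residual": residual_rating(s), "gap": control_gap(s)}
            for s in schemes]


def priority_findings(rows):
    """Schemes whose residual risk remains High after existing controls."""
    return [r["scheme"] for r in rows if r["residual"] == "High"]


# Constructed sample input: an accounts-payable process (not from the page).
SAMPLE_SCHEMES = [
    Scheme("Fictitious vendor payments", "Asset misappropriation", "High", "High", [
        Control("Vendor-master change approval", "preventive", "Adequate", "Effective"),
        Control("Monthly vendor-master review", "detective", "Adequate", "Unknown"),
    ]),
    Scheme("Invoice redirection after bank-detail change", "Cyber-enabled fraud", "High", "High", [
        Control("Callback verification of bank-detail changes", "preventive",
                "Partially Adequate", "Partially Effective"),
    ]),
    Scheme("Duplicate invoice payment", "Asset misappropriation", "Medium", "Medium", [
        Control("ERP duplicate-invoice check", "preventive", "Adequate", "Effective"),
    ]),
    Scheme("Vendor kickbacks", "Corruption", "Medium", "High"),
]

if __name__ == "__main__":
    register = assess(SAMPLE_SCHEMES)
    for row in register:
        print(f"{row['scheme']:<48} {row['inherent']:<7} {row['residual']:<7} {row['gap']}")
    print("Priority findings:", priority_findings(register))
```

Two design choices matter for audit defensibility. First, an Unknown operating effectiveness earns no credit, so a control that has never been tested cannot make a High inherent risk look Medium on paper; in the sample, the untested vendor-master review leaves fictitious-vendor payments at Medium with a "not operating as intended" gap. Second, the cap on total credit keeps residual risk from being scored away entirely by listing many weak controls; the sample's partially designed callback check earns no whole level, so invoice redirection stays High and surfaces as a priority finding alongside the uncontrolled kickback scheme.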
Prompt Variables
Replace each placeholder with your specific information:
- [BUSINESS PROCESS]
- [INDUSTRY]
- [TRANSACTION VOLUME AND VALUE]
- [CURRENT CONTROLS DESCRIPTION]
- [PERSONNEL COUNT]
- [SYSTEMS USED]
What You'll Get
A fraud risk assessment covering: an inherent risk-rated fraud scheme inventory organized by fraud category; a control mapping table showing which existing controls address each scheme and their design and operating effectiveness; a residual risk rating for each scheme; a control gap analysis for medium and high residual risk items; and specific control recommendations with implementation guidance.
Pro Tip
Be specific about transaction volumes and personnel counts: these directly affect which fraud schemes are plausible. A process with one person handling both authorization and payment execution has a fundamentally different segregation-of-duties risk profile than the same process with five staff across separate approval and payment functions.
Compatible AI Tools
Claude
Best for comprehensive fraud risk assessments that span multiple fraud categories. Claude maintains logical consistency between the scheme identification, control mapping, and residual risk rating steps, and will flag inconsistencies if your control description contradicts the control mapping. Use extended thinking for complex, high-value processes.
ChatGPT
Effective for fraud risk assessments with structured input. Ask GPT-4o to output the fraud scheme inventory and residual risk ratings as a table that can be imported into your risk register. Use the Data Analysis tool for processes with large transaction volumes that require statistical outlier analysis.
Copilot
Useful for organizations using Microsoft Purview or Microsoft Sentinel (formerly Azure Sentinel) for fraud monitoring. Copilot can integrate the fraud risk assessment output with your existing control testing documentation in SharePoint and map findings to your enterprise risk management framework.
Gemini
Good for risk teams using Google Workspace. Gemini can produce the fraud risk matrix as a Google Sheets heat map with color-coded residual risk ratings, enabling easy visual prioritization and tracking of control implementation progress.