Fraud Risk Assessment Tool

Module 3- Physical Controls to Deter Employee Theft and Fraud

Not
Yes No Applicable

Does the organization conduct pre-employment background

checks to identify previous dishonest or unethical behavior?
Comments:

Are there policies and procedures that address dishonest or

unethical behavior?
Comments:

Does management support the ethics and anti-fraud policies?

Comments:

Does the organization educate employees about the

importance of ethics and anti-fraud programs?
Comments:

Does the organization provide an anonymous way to report

suspected violations of the ethics and anti-fraud policies?
Comments:

Does the organization restrict access to areas containing

sensitive documents (such as invoices, receipts, journals,
ledgers, and checks) and maintain a system for providing an
audit trail of access?
Comments:

Does the organization restrict access to computer systems

with sensitive documents (such as accounting software,
inventory, and payroll) and create a system to provide an
audit trail of access?
Comments:

Page 1 of 7
 Fraud Risk Assessment Tool

Module 3- Physical Controls to Deter Employee Theft and Fraud

Not
Yes No Applicable

Does the organization restrict access to areas with high value

assets, such as shipping, receiving, storerooms, and cash?
Comments:

Does the organization use CCTV and recording equipment to

monitor entries, exits, areas with sensitive or high value
assets, and sales areas?
Comments:

Does the organization conduct random, unannounced audits

of inventory, cash, expense, purchasing, billing, and other
accounts by internal or external auditors?
Comments:

Does the organization use professional loss prevention or

security personnel to monitor physical controls?
Comments:

Does the organization promptly investigate incidents of

suspected or reported fraud?
Comments:

Has the organization segregated duties in areas that could

potentially be an opportunity for fraud to occur?
Comments:

Does the organization require the use of passwords to access

computer files?
Comments:

Page 2 of 7
 Fraud Risk Assessment Tool

Module 3- Physical Controls to Deter Employee Theft and Fraud

Not
Yes No Applicable

Does the organization require passwords to be changed

periodically and have a combination of letters, numbers, and
symbols?
Comments:

Does the organization have a strict policy against the sharing

of passwords between employees?
Comments:

Does the level of access controls appear to be adequate by an

impartial observer?
Comments:

Is there an ethical component in all policies,

communications, and decision-making?
Comments:

Does the organization prohibit the use of the same password

multiple times?
Comments:

Is there a written policy that restricts system access when

someone leaves the organization?
Comments:

Are non-employees required to sign a confidentiality

agreement if they have access to the system?
Comments:

Page 3 of 7
 Fraud Risk Assessment Tool

Module 3- Physical Controls to Deter Employee Theft and Fraud

Not
Yes No Applicable

Is access to the organization’s equipment available to

employees after business hours?
Comments:

Are company cars allowed to be used after business hours?

Comments:

Does management have and enforce a policy that requires

employees to log off computers after business hours or when
computers are unattended?
Comments:

Page 4 of 7
 Fraud Risk Assessment Tool

MODULE # 3 – Physical Controls to Deter Employee Theft and Fraud

The physical controls assessment questions are designed to assess the probability of a
fraudulent event occurring within the organization based on:

 Physical controls in place to control access to accounting records and information.

 Physical controls in place to protect the assets of the organization.

1. Does the organization conduct pre-employment background checks to identify previous

dishonest or unethical behavior?
Before offering employment to an applicant, a company should conduct a pre-
employment background check.

2. Are there policies and procedures that address dishonest or unethical behavior?
The company should document and implement policies and procedures that describe
(1) unethical conduct, (2) punishment for engaging in unethical conduct, and (3) how to
report unethical conduct.

3. Does management support the ethics and anti-fraud policies?

Senior management sets the tone for ethical conduct throughout the organization. The
tone should signal that fraud will not be tolerated.

4. Does the organization educate employees about the importance of ethics and anti-fraud
programs?
All employees should receive training on the ethics and anti-fraud policies of the
company. The employees should sign an acknowledgment that they have received the
training and understand the policies.

5. Does the organization provide an anonymous way to report suspected violations of the
ethics and anti-fraud policies?
Organizations should provide a system for anonymous reporting of suspected violations
of the ethics and anti-fraud policies.

6. Does the organization restrict access to areas containing sensitive documents (such as
invoices, receipts, journals, ledgers, and checks) and maintain a system for providing
an audit trail of access?
Access to areas containing sensitive documents should be restricted to those individuals
who need the information to carry out their jobs. Also, an audit trail of access should
be maintained.

7. Does the organization restrict access to computer systems with sensitive documents
(such as accounting software, inventory, and payroll) and create a system to provide an
audit trail of access?

Page 5 of 7
 Fraud Risk Assessment Tool

Access to computer systems should be restricted to those individuals who need the
information to carry out their jobs. Also, an audit trail of access should be maintained.

8. Does the organization restrict access to areas with high value assets, such as shipping,
receiving, storerooms, and cash?
Organizations should restrict access to areas with high value assets and should maintain
a log of persons accessing such areas.

9. Does the organization use recording equipment to monitor entries, exits, areas with
sensitive or high value assets, and sales areas?
Entries, exits, areas with sensitive or high value assets, and sales areas can be
monitored using CCTV and recording equipment.

10. Does the organization conduct random, unannounced audits of inventory, cash,
expense, purchasing, billing, and other accounts by internal or external auditors?
Random, unannounced audits help prevent fraud perpetrators from having time to alter,
destroy, and misplace records and other evidence of their offenses.

11. Does the organization use professional loss prevention or security personnel to monitor
physical controls?
Professional loss prevention or security personnel can be used to monitor physical
controls.

12. Does the organization promptly investigate incidents of suspected or reported fraud?
Promptly investigating incidents of suspected or reported fraud can minimize losses.

13. Has the organization segregated duties in areas that could potentially be an
opportunity for fraud to occur?
Organizations should segregate all activities that could potentially cause an employee
to commit fraud.

14. Does the organization require the use of passwords to access computer files?
Passwords should be required of anyone that has access to computer files.

15. Does the organization require passwords to be changed periodically and have a
combination of letters, numbers, and symbols?
Passwords that require a combination of letters, numbers, and symbols allow for an
extra layer of security in addition to requiring them to be changed periodically.

16. Does the organization have a strict policy against the sharing of passwords between
employees?
The organization should require that passwords not be shared between employees. The
organization should have this directive outlined in a company policy.

Page 6 of 7
 Fraud Risk Assessment Tool

17. Does the level of access controls appear to be adequate by an impartial observer?
Any objective observer should notice that access to data is secure and controlled.

18. Is there an ethical component in all policies, communications, and decision-making?

Ethics should be incorporated in all aspects of the organization including, written
policies, communications, and decision-making.

19. Does the organization prohibit the use of the same password multiple times?
The same password should only be used once.

20. Is there a written policy that restricts system access when someone leaves the
organization?
When someone leaves the organization there should be protocols in place that do not
allow them to access the system. Their user access should be terminated.

21. Are non-employees required to sign a confidentiality agreement if they have access to
the system?
Anyone who has access to the system should be required to sign a confidentiality
agreement.

22. Is access to the organization’s equipment available to employees after business hours?
Anyone who has access to the organization’s equipment after business hours should
have documented approval.

23. Are company cars allowed to be used after business hours?

Management should manage the extent of company car use to determine if it is being
used for personal reasons.

24. Does management have and enforce a policy that requires employees to log off
computers after business hours or when computers are unattended?
Employees should be required to log off computers when not attended and after
business hours to ensure that information on the computer is kept secure and only
accessed by authorized individuals.

Page 7 of 7