What is Residual Fraud Risk — and What Can Your Business Do About It?

Andy M. Haynie - CPA, CFE

Originally from Tangier Island, VA, Andy began working for Leatherbury-Broache and Company upon graduating from Salisbury University in 1998. He joined PKS in 2000, and became a Partner in 2012. Andy lives in Marion Station with his wife Amy and two sons, Thomas and Conner. Outside of work he loves spending time with his family. A typical weekend for Andy includes traveling for soccer with his boys or on a rare occasion going to the beach to relax. He is constantly listening to music, collects vinyl records (old and new) and will see as many live music shows in a year as possible. Andy is also an avid runner and participates in a number of regional races through the year with distances ranging from 5ks to 50ks.

By regularly analyzing risk, business owners and executives can better understand and manage the likelihood and potential impact of fraud. In general, there are two types of business risk: inherent and residual. Inherent risk is what exists before management takes steps to mitigate the organization’s exposure. Residual risk is what remains after management has implemented internal controls to reduce and manage threats.

Because no program of internal controls can possibly eliminate all threats, residual risk is always a reality. But there are ways to mitigate it.

4 Types of Internal Controls

Internal controls generally fall under one of the following categories:

  1. Detective. This type is designed to detect fraud already occurring. For example, you might generate a report that lists checks issued twice for the same invoice.
  2. Preventive. This control should deter unwanted activities. You might require your accounting department to reconcile purchase orders to invoices before issuing a payment.
  3. Directive. This type specifies actions to be taken to reach a desired outcome. For instance, your policy might call for blocking payment to a vendor that isn’t in your vendor master file.
  4. Corrective. This last form intends to correct risky activity uncovered by accident or by an existing control. So you might establish new policies and procedures to replace those that have been ineffective.

The bottom line: Internal controls exist to mitigate risk. Deploying them reduces inherent risk, but typically leaves an organization with some residual risk. You might say that residual risk equals inherent risk minus the impact of internal controls on inherent risk.

Dealing With the Problem

A risk assessment can help your business evaluate residual risk. Experts generally use a risk matrix, a visual tool to depict the likelihood and severity of risk, to identify threats requiring further examination.

Another option for dealing with residual risk is to transfer it to a third party, such as an insurer. As an example, your organization might buy an errors and omissions insurance policy to mitigate the risk of unintentional mistakes that could possibly have been prevented with more robust controls.

Sometimes, however, the cost to deploy additional controls or shift residual risk outweighs the benefit. Although it may be possible to reduce residual risk, installing additional controls may be too costly or add unnecessary administrative red tape that inconveniences employees and customers. In those cases, many businesses decide to allow residual risk to remain.

Contingency and Monitoring Plans

If you decide to leave residual risk, develop a contingency plan to help reduce potential damage. Suppose your business reconciles its bank accounts monthly, rather than daily or weekly. In this case, the residual risk is that you might not discover fraud until several weeks after it has occurred. A contingency plan could help by providing step-by-step policies (such as notify your bank immediately) to remediate any fraud.

It’s also smart to regularly review and monitor residual risk levels. To return to the previous example, if your organization performs reconciliations every month and then decides to increase the number of bank accounts it uses, residual risk may rise to unacceptable levels. At that point, you might want to start conducting reconciliations on a weekly or daily basis. Staying current with industry best practices and compliance standards can further help keep residual risk in check.

Essential Component

Monitoring residual fraud risk is an essential component of any company’s risk management program. Contact us for more information or to schedule a fraud risk assessment.



PKS & Company, P. A. is a full service accounting firm with offices in Salisbury, Ocean City and Lewes that provides traditional accounting services as well as specialized services in the areas of retirement plan audits and administration, medical practice consulting, estate and trust services, fraud and forensic services and payroll services and offers financial planning and investments through PKS Investment Advisors, LLC.


© Copyright 2023. All rights reserved.
Brought to you by: PKS & Company, P.A.

Get Updates From PKS & Company, P.A.

Enter your email address to get our monthly newsletter and important updates regarding financial advice, tax code changes and more. 





New Requirements for Long-Term, Part-Time Employees

For years, 401(k) plans have been able to follow the ERISA statutory provision that permits excluding employees who work less than 1,000 hours per y
Read Full Article

Douglas W. McCabe - CPA, Esq.


Does Your Business Have to Comply with New Corporate Reporting Rules?

Your business may soon have to comply with new reporting requirements that take effect on January 1, 2024. Under the Corporate Transparency Act (CT
Read Full Article

Andy M. Haynie - CPA, CFE


What is Residual Fraud Risk — and What Can Your Business Do About It?

By regularly analyzing risk, business owners and executives can better understand and manage the likelihood and potential impact of fraud. In gener
Read Full Article