Happy Cow vs. Hedgehog: Getting Straight on Principle 8

Pamela Verick, Director Protiviti Forensic

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit www.protiviti.com/internalinvestigations.


International Fraud Awareness Week provides the opportunity to have meaningful dialogue on a topic that often seems difficult for many executives to freely talk about, unless it’s at a designated time for “awareness” or “assessment.”

The topic is fraud risk.

Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 (SOX) and for other purposes, but are still struggling with Principle 8 – a critical part of the Risk Assessment component of COSO 2013. Principle 8 focuses on four types of fraud – fraudulent reporting, corruption, asset misappropriation, and management override of controls – and the potential for each risk to occur.

Some management teams seem clouded by a “No Fraud Here” mentality, in which fraud is simply not possible within their organization. In these cases, management often views a fraud risk assessment as a mere afterthought, “check the box” exercise, or even a “necessary evil.” Others don’t want to “plant ideas” in the minds of their employees. However, it’s important to remember that fraud is an inherent risk within every organization. Principle 8 is not about rooting out hidden fraud, it’s about taking a realistic and objective look at where fraud could occur, the likelihood and impact a fraud risk event could have on the financial, operational and reputational well-being of the organization, and ensuring that there are appropriate controls either to prevent or detect such risk.

Some organizations simply place all fraud risks in the “green zone” – all good! No yellow caution flags, or red danger signs, just one big field of green. I call it the “Happy Cow” syndrome – big happy cows unwittingly grazing in a wide green field with not a care in the world.

However, that’s not the world organizations live in today. Sadly, the potential for fraud is woven into the fabric of everyday business. Jim Collins, in his book Good to Great, extolled the virtues of good planning and a strong survival instinct over a reactive, “we’ll cross that bridge when we come to it” mentality. He equated planners with “hedgehogs,” after the 1950s business parable by philosopher Isaiah Berlin — which told the story of a frenetic fox who exhausted himself running from a wolf, while his companion, a hedgehog, mitigated risk with the simple strategy of presenting himself as a spiky ball.

When it comes to Principle 8, a hedgehog would:

  • Recognize that considerations of fraud are part of the overall risk assessment process, which also includes Principle 6 (defining risk objectives) and Principle 7 (identifying and analyzing risk)
  • Prioritize both inherent and residual risk
  • Consider various types of fraud (COSO Points of Focus 31), along with those which align with Cressey’s Fraud Triangle:
    • Fraud incentives and pressures (COSO Point of Focus 32)
    • Opportunities (Point of Focus 33)
    • Attitudes and rationalizations (Point of Focus 34)
  • Respond to fraud risk with a balanced approach to prevention and detection controls

In a world driven by SOX compliance in the United States and similar compliance regimes in other countries concerned with internal control over financial reporting, there is a tendency to focus fraud risk assessment activities on financial fraud. But recent events, such as allegations of fraudulent environmental impact statements, and the reputational damage caused by inflated resumes of top executives, illustrate the need for a clear-eyed evaluation of fraud risk beyond activities which specifically impact financial reporting.

From a practical standpoint, that means expanding the types of fraud considered within a risk assessment, greater inclusion of personnel from all departments, business units and locations, and the use of multiple techniques (brainstorming sessions, fraud risk workshops, interviews and employee surveys) to identify and validate potential vulnerabilities arising from fraud.

As we celebrate Fraud Awareness Week, let’s put to rest the defensive and dangerous doctrine of “No Fraud Here.” It’s time we all positively embraced the responsible and necessary action of a well-planned fraud risk assessment. And it’s time we stopped being happy cows with a comfortable but unrealistic outlook and became more like hedgehogs, who have considered the danger and are suitably prepared for it. Because that’s how, I think, we get not simply from good to great, but from good to exceptional!

Add comment